Rarely fails to join EKS cluster

Thanks for filing this bug @dinggggu and sorry for the extremely delayed response. We are working internally to consistently reproduce and try to identify a root cause. We will update ASAP.

@DinGGu Are you able to provide a bit more information on the topology of your clusters?

> The cluster that frequently scale-in and out sometimes fail to join the cluster.

I take this to mean you have at least one autoscaling cluster that has new nodes fails to join the cluster. Is that correct? If so, could you share your autoscaling deployment configuration (scrubbed if necessary for sensitive details)?

Hello. I'm using Karpenter for auto-scaling. Build server (a.k.a CI) workers are operated in the form of Kubernetes Pods, and Pods are created when a build request is received, and when the Pod is in the Pending state, a new instance is started by Karpenter.
Dozens of build requests are created at once, and in this case, multiple instances are started and when job is done, removed by Karpenter.
Sometimes, instance cannot join to cluster.

Karpenter does not replacing bootstrap.sh and I just give to you instance user-data for you.

--//
Content-Type: text/x-shellscript; charset="us-ascii"

#!/bin/bash -xe
exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1
/etc/eks/bootstrap.sh '#REDACT#' --apiserver-endpoint 'https://#REDACT#.eks.amazonaws.com' --b64-cluster-ca '....' \
--container-runtime containerd \
--kubelet-extra-args '--node-labels=karpenter.sh/capacity-type=on-demand,karpenter.sh/provisioner-name=#REDACT# --register-with-taints=dedicated=#REDACT#:NoSchedule'
--//--

It appears the kubelet daemon is attempting to start before its $SNAP_DATA/args file is present. This is generated by the configure hook, so indeed it seems like a timing issue where 'start' precedes 'configure'.

A potential workaround is to manually restart kubelet-eks on the failing node (by this time, the args file should be present):

sudo systemctl restart snap.kubelet-eks.daemon

It would be good to see some timestamps for the logs.

could you share

- /var/log/cloud-init.log
- /var/log/cloud-init-output.log
- journalctl -u snapd.seeded.service
- journalctl -u snapd.service
- journalctl -u snap.kubelet-eks.daemon.service

please?

Since it's been a while, there are currently no logs for that. I'll let you know if it happens again.

As Kevin said, if I run sudo systemctl restart snap.kubelet-eks.daemon manually, the kubelet runs fine. Running it manually was expected to be a timing issue with the snap happening long after the boot process.

- /var/log/cloud-init.log

2023-04-19 16:22:50,628 - util.py[DEBUG]: Writing to /var/lib/cloud/instances/i-aaaaaaaaaaaaaaaaaa/sem/config_scripts_user - wb: [644] 25 bytes
2023-04-19 16:22:50,628 - helpers.py[DEBUG]: Running config-scripts-user using lock (<FileLock using file '/var/lib/cloud/instances/i-aaaaaaaaaaaaaaaaaa/sem/config_scripts_user'>)
2023-04-19 16:22:50,628 - subp.py[DEBUG]: Running command ['/var/lib/cloud/instance/scripts/part-001'] with allowed return codes [0] (shell=False, capture=False)
2023-04-19 16:23:02,236 - subp.py[DEBUG]: Unexpected error while running command.
Command: ['/var/lib/cloud/instance/scripts/part-001']
Exit code: 1
Reason: -
Stdout: -
Stderr: -
2023-04-19 16:23:02,236 - cc_scripts_user.py[WARNING]: Failed to run module scripts-user (scripts in /var/lib/cloud/instance/scripts)
2023-04-19 16:23:02,237 - handlers.py[DEBUG]: finish: modules-final/config-scripts-user: FAIL: running config-scripts-user with frequency once-per-instance
2023-04-19 16:23:02,237 - util.py[WARNING]: Running module scripts-user (<module 'cloudinit.config.cc_scripts_user' from '/usr/lib/python3/dist-packages/cloudinit/config/cc_scripts_user.py'>) failed
2023-04-19 16:23:02,237 - util.py[DEBUG]: Running module scripts-user (<module 'cloudinit.config.cc_scripts_user' from '/usr/lib/python3/dist-packages/cloudinit/config/cc_scripts_user.py'>) failed
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/cloudinit/config/modules.py", line 246, in _run_modules
    ran, _r = cc.run(
  File "/usr/lib/python3/dist-packages/cloudinit/cloud.py", line 67, in run
    return self._runners.run(name, functor, args, freq, clear_on_fail)
  File "/usr/lib/python3/dist-packages/cloudinit/helpers.py", line 185, in run
    results = functor(*args)
  File "/usr/lib/python3/dist-packages/cloudinit/config/cc_scripts_user.py", line 54, in handle
    subp.runparts(runparts_path)
  File "/usr/lib/python3/dist-packages/cloudinit/subp.py", line 427, in runparts
    raise RuntimeError(
RuntimeError: Runparts: 1 failures (part-001) in 1 attempted commands

- /var/log/cloud-init-output.log
Cloud-init v. 23.1.1-0ubuntu0~20.04.1 running 'modules:config' at Wed, 19 Apr 2023 16:22:49 +0000. Up 19.55 seconds.
+ exec
++ tee /var/log/user-data.log
++ logger -t user-data -s
Cloud-init v. 23.1.1-0ubuntu0~20.04.1 running 'modules:final' at Wed, 19 Apr 2023 16:22:50 +0000. Up 20.32 seconds.
2023-04-19 16:23:02,236 - cc_scripts_user.py[WARNING]: Failed to run module scripts-user (scripts in /var/lib/cloud/instance/scripts)
2023-04-19 16:23:02,237 - util.py[WARNING]: Running module scripts-user (<module 'cloudinit.config.cc_scripts_user' from '/usr/lib/python3/dist-packages/cloudinit/config/cc_scripts_user.py'>) failed
Cloud-init v. 23.1.1-0ubuntu0~20.04.1 finished at Wed, 19 Apr 2023 16:23:02 +0000. Datasource DataSourceEc2Local. Up 32.06 seconds

- journalctl -u snapd.seeded.service
-- Reboot --
Apr 19 16:22:49 ip-*-*-*-* systemd[1]: Starting Wait until snapd is fully seeded...
Apr 19 16:22:49 ip-*-*-*-* systemd[1]: Finished Wait until snapd is fully seeded.

- journalctl -u snapd.service
-- Reboot --
Apr 19 16:22:42 ip-*-*-*-* systemd[1]: Starting Snap ...

Please ignore `kubelet-eks.daemon[935]: cat: /var/snap/kubelet-eks/92/args: No such file or directory` Log output on my post.

This log occurred when creating an image from an EKS Ubuntu image using Packer.

In currently args was set from snap.

> cat /var/snap/kubelet-eks/104/args

--node-labels=instance-lifecycle=mixed,*=*,karpenter.sh/capacity-type=spot,karpenter.sh/provisioner-name=* --register-with-taints=dedicated=*:NoSchedule
--address="0.0.0.0"
--anonymous-auth=false
--authentication-token-webhook
--authorization-mode="Webhook"
--cgroup-driver="cgroupfs"
--client-ca-file="/etc/kubernetes/pki/ca.crt"
--cloud-provider="aws"
--cluster-dns="172.20.0.10"
--cluster-domain="cluster.local"
--config="/etc/kubernetes/kubelet/kubelet-config.json"
--container-runtime="remote"
--container-runtime-endpoint="unix:///run/containerd/containerd.sock"
--feature-gates="RotateKubeletServerCertificate=true"
--kubeconfig="/var/lib/kubelet/kubeconfig"
--max-pods="234"
--node-ip="*"
--pod-infra-container-image="602401143452.dkr.ecr.ap-northeast-2.amazonaws.com/eks/pause:3.5"
--register-node
--resolv-conf="/run/systemd/resolve/resolv.conf"

I'm interesting --register-with-taints was not return per args. However, there are times when it is registered normally, so this is not a problem, right?

---

After run manually "sudo systemctl restart snap.kubelet-eks.daemon", Node was registered normally.

Highlighting the most relevant logs from comment #7. Snapd fails to start the kubelet-eks.daemon service:

Apr 19 16:23:02 ip-*-*-*-* snapd[862]: taskrunner.go:289: [change 12 "Run service command \"start\" for services [\"daemon\"] of snap \"kubelet-eks\"" task] failed: systemctl command [start snap.kubelet-eks.daemon.service] failed with exit status 1: Job for snap.kubelet-eks.daemon.service failed because the control process exited with error code.

And matching that timestamp up with the kubelet-eks.daemon logs:

Apr 19 16:23:02 ip-*-*-*-* systemd[1]: snap.kubelet-eks.daemon.service: Start request repeated too quickly.
Apr 19 16:23:02 ip-*-*-*-* systemd[1]: snap.kubelet-eks.daemon.service: Failed with result 'exit-code'.
Apr 19 16:23:02 ip-*-*-*-* systemd[1]: Failed to start Service for snap application kubelet-eks.daemon.

I think it goes like this: The kubelet-eks snap is initially installed, but hasn't been configured. During this time the service repeatedly crashes because it's missing important configuration. It hits the systemd start rate limit, at which point systemd blocks further start attempts. Later, bootstrap.sh runs `snap set ...` to configure the service, and `snap start kubelet-eks` to start it. The start attempt fails because the service is still being start rate limited by systemd.

Images with serial 20230517 do contain a fix.
Please let us know if that problem still occurs.

We rolled back the primary fix (changing service start timing with the snapcraft definition) because it seems to have caused regressions in existing clusters. We'll revisit this ASAP.

Kevin just linked a MP that is aimed at fully fixing this issue. Once this is merged, the plan is to rebuild all snaps which WILL trigger a refresh again, but we expect it to not result in the same problematic state introduction that was noted in [0].

[0] - https://bugs.launchpad.net/cloud-images/+bug/2020072

Hello. Has the problem been fixed completely? I'm writing here, because my report [0] is marked as a duplicate of this one

[0] - https://bugs.launchpad.net/cloud-images/+bug/2020072

@Nikita - sorry for the delayed confirmation. To the best of my knowledge, the latest AMI and snaps SHOULD resolve this issue. Definitely let us know if you see it happening again on new AMIs/the latest snap.

Now we're seeing strange behaviour when starting new nodes - no arguments are passed to the kubelet args file and we are seeing cloud-init errors (look at screenshots).
But this time I can say that we only see this behaviour on our AMIs that use your AMI as a source and have some additional installations by Packer (I didn't change anything in the packer templates).
It looks like the problem now is a combination of your final fix and our use of Packer. Maybe I should add some delays to Packer scripts?

Thanks Nikita for the screenshots.
could you share your packer config and also share the snapd logs please?

Yes, attached the details above

We've got a similar bug, and think we have the root cause - see https://bugs.launchpad.net/cloud-images/+bug/2023284

It started happening again today with diffrent symptoms.

--- cloud-init.log
2023-06-13 21:03:41,434 - cc_scripts_user.py[WARNING]: Failed to run module scripts-user (scripts in /var/lib/cloud/instance/scripts)
2023-06-13 21:03:41,434 - handlers.py[DEBUG]: finish: modules-final/config-scripts-user: FAIL: running config-scripts-user with frequency once-per-instance
2023-06-13 21:03:41,434 - util.py[WARNING]: Running module scripts-user (<module 'cloudinit.config.cc_scripts_user' from '/usr/lib/python3/dist-packages/cloudinit/config/cc_scripts_user.py'>) failed
2023-06-13 21:03:41,434 - util.py[DEBUG]: Running module scripts-user (<module 'cloudinit.config.cc_scripts_user' from '/usr/lib/python3/dist-packages/cloudinit/config/cc_scripts_user.py'>) failed
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/cloudinit/config/modules.py", line 246, in _run_modules
    ran, _r = cc.run(
  File "/usr/lib/python3/dist-packages/cloudinit/cloud.py", line 67, in run
    return self._runners.run(name, functor, args, freq, clear_on_fail)
  File "/usr/lib/python3/dist-packages/cloudinit/helpers.py", line 185, in run
    results = functor(*args)
  File "/usr/lib/python3/dist-packages/cloudinit/config/cc_scripts_user.py", line 54, in handle
    subp.runparts(runparts_path)
  File "/usr/lib/python3/dist-packages/cloudinit/subp.py", line 427, in runparts
    raise RuntimeError(
RuntimeError: Runparts: 1 failures (part-001) in 1 attempted commands

--- user-data.log
+ /etc/eks/bootstrap.sh REDACTED --apiserver-endpoint REDACTED --b64-cluster-ca REDACTED --container-runtime containerd --kubelet-extra-args '--node-labels=REDACTED --register-with-taints=dedicated=REDACTED:NoSchedule'
Using containerd as the container runtime
Aliasing EKS k8s snap commands
Added:
  - kubelet-eks.kubelet as kubelet
Added:
  - kubectl-eks.kubectl as kubectl
Stopping k8s daemons until configured
error: snap "kubelet-eks" has "auto-refresh" change in progress
Exited with error on line 353

---

And there is no snap.kubelet-eks.daemon jounral logs in system.

I also create custom ami via Packer, the source AMI was latest image that 20230517 serial.

@DingGGu Thanks for the update. As a possible workaround, adding "snap refresh kubelet" to the beginning of your packer build steps (if not already present) should verify if the latest serial will resolve your issue. The latest serial for 1.24 is 20230607. We should also have a new serial later today that includes a fix for the bug Jan listed. I'm not positive it will fix your issue, but if its the same root cause I would expect it to resolve your lingering issues. Thanks for your patience on this!

The timing of that last occurrence coincides with the new wave of kubelet-eks snaps we released yesterday to fix LP:2023284. I suspect this auto-refresh error may happen every time we release updated snaps, and I don't think there's anything we can do within the snap to prevent it. Seems like either AMIs will need to be built with `snap refresh --hold kubelet-eks` to prevent the snap from auto-refreshing, or the bootstrap.sh script will need to catch errors from `snap set` and retry in case an auto-refresh is occurring.

We had discussion around adding `snap refresh --hold`, but felt that keeping the ability to force changes to a channel in times like these was paramount. The general expectation is that a `snap refresh` should never result in downtime for an active service (and if it does, it should be fixable within the snap for most cases). I am still open to the option, but I worry that we would not have enough visibility to advertise critical updates to EKS users with long running clusters.

The suggested bootstrap.sh fix seems perfectly reasonable and I think we could approach that in the near term. I'll make sure it gets prioritized soon.

Thanks for reply.
Setting up `snap refresh --hold kubelet-eks` on initialize script on packer does not work on my sides.

I think, snap was upgrade their package during booting sequence.

Can any ideas for fix this issue before relese new image?

I am still seeing this issue with the 20230518 build of the 1.22 EKS ami, named amazon/ubuntu-eks/k8s_1.22/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20230518, in us-east-1.

@Dave - that makes sense. It looks like we haven't had a build come through of 20.04 since this fix was released. I'll check into that and make sure one is released ASAP. We are tracking additional fallout from this fix in LP:2023284. I've subscribed you, so you should get notifications when I drop an ami list

@Dave - I just noticed your EKS version. 1.22 is past EOL and we no longer build images for it. To fully resolve this issue you will need to upgrade to EKS 1.23

@Robby, I also have 1.22 version. But there were no such problems before, so there is a way to solve them. How can I solve the problem in a short term without upgrading the k8s?

> @Robby, I also have 1.22 version. But there were no such problems before, so there is a way to solve them. How can I solve the problem in a short term without upgrading the k8s?

you can use older images for 1.22 .

@Thomas, should I use older than 2023.05?

> @Thomas, should I use older than 2023.05?

you need to use a version which has a different patch version for kubelet-eks (so it doesn't auto-update itself). Then you have a patch version missmatch between the control plane and the worker node but that might be ok.
try something from 202304 I would say.

ubuntu-eks/k8s_1.22/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20230420, unfortunately also failed (around 1 node from 10). It started with 95 snap revision, but updated (not all nodes) during start to 160

we are seeing issues during startup with the kubectl-eks snap, similar to the issues seen here with kubelet-eks. It is making our nodes fail to boot, we are currently using the latest ubuntu eks 1.26 images.

Facing similar issue, even in ubuntu-eks/k8s_1.22/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20230113. We use custom bootstrap.sh script, so what I have done to fix this is disable auto-refresh temporarily. You can do that by adding this command in bootstrap.sh script `snap set system refresh.metered=hold` and post kubelet starts, you can enable auto-refresh `snap set system refresh.metered=null`

@premsompura's suggestion is still going to be the most consistent workaround for now.

> 1.26 new serials
@sdehaes I just checked and we still don't have a release out. I'll ensure we have eyes on these pipelines today to get 1.26 (and the remaining serials) ushered through today. We also still don't have a release out for 1.24 or 1.25

we have updated images for 1.23, 1.24, 1.25 and 1.26 (serial is 20230623) which hopefully help with this issue. please try those.

Anyone using 1.22 image, can use this command in bootstrap.sh scrip to avoid auto-refresh issue - `snap refresh --hold=1h kubelet-eks kubectl-eks`