Comment 44 for bug 1403152

Revision history for this message
Joe Stringer (joestringer) wrote :

Just chiming in here, I contacted Rodrigo off-list and was verging towards that same patch. More below.

I suspect there are two issues here with very similar symptoms. In
particular post #8 which mentions people reporting that 3.14 improves
the situation.
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1403152/comments/8

I've been chasing a bug in 3.13 with docker containers and connection
tracking which is fixed in 3.14, by this patch:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e53376bef2cd97d3e3f61fdc677fb8da7d03d0da

Note that the commit message for the above commit fixes a different
issue, but I've been able to produce issues of the nature in this thread
(hung docker / ip netns add commands like in post #6) before applying
this patch, but cannot reproduce after.
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1403152/comments/6

In the issue that I face, I can find a kworker thread using up an entire
core, and when I cat /proc/$pid/stack I see this:

[<ffffffffbe01e9b6>] ___preempt_schedule+0x56/0xb0
[<ffffffffc02223e4>] nf_ct_iterate_cleanup+0x134/0x160 [nf_conntrack]
[<ffffffffc0223dae>] nf_conntrack_cleanup_net_list+0x4e/0x170 [nf_conntrack]
[<ffffffffc022436d>] nf_conntrack_pernet_exit+0x4d/0x60 [nf_conntrack]
[<ffffffffbe6040d3>] ops_exit_list.isra.1+0x53/0x60
[<ffffffffbe6048d0>] cleanup_net+0x100/0x1d0
[<ffffffffbe084991>] process_one_work+0x171/0x470
[<ffffffffbe08563b>] worker_thread+0x11b/0x3a0
[<ffffffffbe08bb82>] kthread+0xd2/0xf0
[<ffffffffbe71757c>] ret_from_fork+0x7c/0xb0
[<ffffffffffffffff>] 0xffffffffffffffff

The kworker is looping forever and failing to clean up conntrack state.
All the while, it holds the global netns lock. Given that I've bisected
to the commit linked above which is to do with refcounting, I suspect
that borked refcounting on conntrack entries makes them impossible to
properly free/destroy, which prevents this worker from cleaning up the
namespace, which then goes on to prevent anything else from interacting
with namespaces (add/delete/etc).
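The diagnostic described in the comment above (find a kworker burning a core, read /proc/$pid/stack, look for nf_ct_iterate_cleanup under cleanup_net) as a small POSIX shell script. This is an added example and not part of the bug thread or the kernel patch; the stat line and stack dumps embedded in it are constructed to mirror the frames quoted above, the CPU threshold assumes the usual CLK_TCK of 100, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): spot kworker threads that are
# spinning in conntrack cleanup while holding up network namespace teardown.

# Sum utime+stime (fields 14 and 15 of /proc/<pid>/stat) from a stat line.
# The "pid (comm) " prefix is stripped first so a comm with spaces cannot
# shift the field positions; after the strip utime is $12 and stime is $13.
stat_ticks() {
    printf '%s\n' "$1" | sed 's/^[^)]*) //' | awk '{ print $12 + $13 }'
}

# Return 0 when a /proc/<pid>/stack dump shows nf_ct_iterate_cleanup
# running underneath cleanup_net, the shape quoted in the comment above.
# Innermost frames come first, so the iterate frame precedes cleanup_net.
is_stuck_conntrack_cleanup() {
    case "$1" in
        *nf_ct_iterate_cleanup+*"] cleanup_net+"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples (not captured from a real system).
SAMPLE_STAT='123 (kworker/u16:2) R 2 0 0 0 -1 69238880 0 0 0 0 4200 1800 0 0 20 0 1 0 5 0 0'
SAMPLE_STACK='[<ffffffffc02223e4>] nf_ct_iterate_cleanup+0x134/0x160 [nf_conntrack]
[<ffffffffc0223dae>] nf_conntrack_cleanup_net_list+0x4e/0x170 [nf_conntrack]
[<ffffffffbe6048d0>] cleanup_net+0x100/0x1d0
[<ffffffffbe084991>] process_one_work+0x171/0x470'
OTHER_STACK='[<ffffffffbe084991>] process_one_work+0x171/0x470
[<ffffffffbe08563b>] worker_thread+0x11b/0x3a0'

# Live scan: sample every kworker's CPU ticks, wait, sample again, and dump
# the kernel stack of any worker that used more than about half a core.
# Reading /proc/<pid>/stack requires root. Assumes CLK_TCK=100 (getconf CLK_TCK).
scan_kworkers() {
    interval=${1:-1}
    tmp=$(mktemp)
    for pid in $(pgrep -x 'kworker/.*'); do
        [ -r "/proc/$pid/stat" ] || continue
        printf '%s %s\n' "$pid" "$(stat_ticks "$(cat "/proc/$pid/stat")")" >> "$tmp"
    done
    sleep "$interval"
    while read -r pid before; do
        [ -r "/proc/$pid/stat" ] || continue
        after=$(stat_ticks "$(cat "/proc/$pid/stat")")
        delta=$((after - before))
        [ "$delta" -ge $((interval * 50)) ] || continue
        stack=$(cat "/proc/$pid/stack" 2>/dev/null)
        if is_stuck_conntrack_cleanup "$stack"; then
            echo "kworker $pid: $delta ticks in ${interval}s, spinning in conntrack cleanup_net"
            printf '%s\n' "$stack"
        else
            echo "kworker $pid: $delta ticks in ${interval}s, other work"
        fi
    done < "$tmp"
    rm -f "$tmp"
}

# Run the live scan only when asked, e.g.: sudo sh kworker-scan.sh --scan 2
if [ "${1:-}" = "--scan" ]; then
    scan_kworkers "${2:-1}"
fi
```

If the scan reports a worker matching the cleanup_net signature, `ip netns add` and `docker run` will typically hang behind it, as the comment describes; a kernel without the referenced fix is the first thing to check.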