Hi @k8s-infra-cherrypick-robot. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

/ok-to-test

/test pull-containerd-node-e2e-1-6

Consistently seeing this error https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/containerd_containerd/10795/pull-containerd-node-e2e-1-6/1843586548746948608#1:build-log.txt%3A9376 in the node-e2e tests.

/test pull-containerd-node-e2e-1-6

/retest

@k8s-infra-cherrypick-robot: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

The node-e2e failure does not seem to be flaky, while reverting to runc 1.1.14, the node-e2e presubmit is passing.

runc 1.1.15 contains opencontainers/runc#4392; I'm wondering if we're seeing failures in e2e because of that. There were notes in opencontainers/runc#3973 related to OOMs and 1.2.0-rcs use opencontainers/runc#3987 to mitigate this but that change is not present in 1.1.15.

Also curious why we are seeing this only in 1.6 branch and not on the 1.7 releases.

I can't tell from the log whether cgroup v1 or v2 is in use.

  I1008 13:36:56.448303 1238 dump.go:53] At 2024-10-08 13:36:53 +0000 UTC - event for initcontinar-oomkill-target-pod: {kubelet tmp-node-e2e-75e0da1b-cos-beta-117-18613-0-76} Failed: Error: failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: container init was OOM-killed (memory limit too low?): unknown

  [FAILED] pod: "initcontinar-oomkill-target-pod", container: "oomkill-target-init-container" has unexpected exitCode: '\u0080'
  Expected
      <int32>: 128
  to equal
      <int32>: 137

It looks like the prow jobs for 1.7 and main are setting CONTAINERD_SYSTEMD_CGROUP: 'true' (which ends up influencing config.toml to set:

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
  BinaryName = "${CONTAINERD_HOME}/usr/local/sbin/runc"
  SystemdCgroup = ${systemdCgroup}

But the job for 1.6 does not set the same value.

This is where the cgroup settings get applied to the cos machine. https://github.com/containerd/containerd/blob/release/1.6/test/e2e_node/gci-init.sh#L27 via this env file

I don't see CONTAINERD_CGROUPV2 defined anywhere, so that looks like it defaults to false. The same script in our release/1.7 and main branches uses CONTAINERD_COS_CGROUP_MODE but leaves the VM in its default configuration if it is unset. I believe COS M117 defaults to cgroup v2 (checking that now...).

I can't tell from the log whether cgroup v1 or v2 is in use.

  I1008 13:36:56.448303 1238 dump.go:53] At 2024-10-08 13:36:53 +0000 UTC - event for initcontinar-oomkill-target-pod: {kubelet tmp-node-e2e-75e0da1b-cos-beta-117-18613-0-76} Failed: Error: failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: container init was OOM-killed (memory limit too low?): unknown

  [FAILED] pod: "initcontinar-oomkill-target-pod", container: "oomkill-target-init-container" has unexpected exitCode: '\u0080'
  Expected
      <int32>: 128
  to equal
      <int32>: 137

from the kubelet log, cgroupfs is being used

Confirmed COS M117 defaults to cgroup v2.

from the kubelet log, cgroupfs is being used

Yep, this makes sense because of the absence of CONTAINERD_SYSTEMD_CGROUP: 'true'. But the driver (systemd vs. cgroupfs) is independent of cgroup v1 vs. cgroup v2.

Kubelet log also says "CgroupVersion":2, so I'm not sure. I'll open another test PR to try and debug some of these settings.

/test pull-containerd-node-e2e-1-6-systemd-cgroup

reverted in main; closing and will update when the runc issue is solved