-
Notifications
You must be signed in to change notification settings - Fork 345
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Error found when executing sonobuoy in an offline environment. #1109
Comments
Hi @rplanteras. Can you confirm that your kubeconfig file is configured correctly? Looking at the logs, it seems that the server URL is missing, as seen in this log line: You can check your kubeconfig file using kubectl as follows:
If this is successful, you should see output like the following:
|
Hello @zubron . Im sorry for the confusion, in "Get https://[IPv6 Address]:443/api?timeout=32s" , there is an ipv6 address. Sorry it was omitted. Basically, the environment has no internet connection. We tried to test the k8s cluster with sonobuoy that has no internet connection. When checking the pods, sonobuoy pod has been created and is running but the testing was not completed. [root@uhn7klrc6rbms001 ~]# kubectl get pods -A NAMESPACE????? NAME???????????????????????????????????????????????????? READY?? STATUS????????????? RESTARTS?? AGE ... sonobuoy?????? sonobuoy???????????????????????????????????????????????? 1/1???? Running???????????? 0????????? 19h [root@uhn7klrc6rbms001 ~]# kubectl get namespace NAME????????????? STATUS?? AGE ... sonobuoy????????? Active?? 19h |
Can you also enlighten me with this error: [root@uhn7klrc6rbmb001 ~]# sonobuoy status --kubeconfig $HOME/bin/config ERRO[0000] error attempting to run sonobuoy: missing status annotation "sonobuoy.hept.io/status" INFO[0000] created object name=sonobuoy-master namespace=sonobuoy resource=services packet_write_wait: Connection to UNKNOWN port 65535: Broken pipe Is this "Broken pipe" error always occuring? |
Thanks for the explanation, @rplanteras. The error about the status annotation is related to an annotation that is placed on the main sonobuoy pod and is updated during the course of a run with information about the current state of the plugins that are being run. Sonobuoy uses that annotation to determine the overall status for a run so if it is missing, then the sonobuoy CLI will not be able to determine the status which is why it resulted in an error. It is not set when the pod is created, it is only added once the initial set up for the sonobuoy aggregation process has finished. I understand that you omitted the IP address, but even so, that error still indicates that there were issues connecting to the API server. Looking at the logs from your first post, it shows that it happened very early in the running of the sonobuoy process on that pod. Without seeing more logs, my guess is that the connection to the API server failed, and as a result it couldn't create a client to perform actions on the cluster, such as adding the status annotation to the sonobuoy pod. Were there more log entries following the I would try deleting and re-running sonobuoy. If you encounter the same error, it's more likely to indicate an issue with your cluster or kubeconfig file you might want to check (perhaps with some simpler non-sonobuoy workloads). |
Thank you for your reply, @zubron . Im very sorry for disturbing you. Please see sonobuoy logs output below. [root@sonobuoy-host ~]# sonobuoy logs -d --kubeconfig $HOME/bin/config namespace="sonobuoy" pod="sonobuoy" container="kube-sonobuoy" time="2020-04-22T07:22:55Z" level=info msg="Scanning plugins in ./plugins.d (pwd: /)" time="2020-04-22T07:22:55Z" level=info msg="Scanning plugins in /etc/sonobuoy/plugins.d (pwd: /)" time="2020-04-22T07:22:55Z" level=info msg="Directory (/etc/sonobuoy/plugins.d) does not exist" time="2020-04-22T07:22:55Z" level=info msg="Scanning plugins in ~/sonobuoy/plugins.d (pwd: /)" time="2020-04-22T07:22:55Z" level=info msg="Directory (~/sonobuoy/plugins.d) does not exist" time="2020-04-22T07:23:25Z" level=error msg="could not get api group resources: Get https://[ipv6 address]:443/api?timeout=32s: dial tcp [ipv6 address]:443: i/o timeout" time="2020-04-22T07:23:25Z" level=info msg="no-exit was specified, sonobuoy is now blocking" |
"It is not set when the pod is created, it is only added once the initial set up for the sonobuoy aggregation process has finished." -> Does this mean that even though sonobuoy pod was created, it is not an assurance that annotation is set? |
"Without seeing more logs, my guess is that the connection to the API server failed," -> In our case, the environment is an air-gapped environment. We don't expect our server to connect to the internet. |
No need to apologise :) It can be difficult to debug these issues.
Yes, that is correct. The pod is created without the annotation and is only added by the sonobuoy process running in the pod later.
Apologies, when I say API server, I mean the Kubernetes API server in your cluster which should be accessible at the IP address which you omitted in the logs. It is the server in your kubeconfig which is being accessed with the request |
In my understanding, it is sonobuoy pod that makes requests to access Kubernetes API server in the cluster. Is it correct? |
What probably caused the annotation to be missing? |
Yes, that is correct.
The annotation is missing because Sonobuoy could not connect to the Kubernetes API service and so didn't start correctly. It is necessary for Sonobuoy to communicate with the Kubernetes API service to perform its operation so without that it couldn't proceed. It stopped before it could put the annotation on the sonobuoy pod or start any of the the tests. |
Thank you very much for your answers @zubron .
Is my plan okay? or do you have a suggestion how could i confirm sonobuoy can connect to kubernetes api manually? |
Yes, you can verify that you can communicate with the API server from the Sonobuoy pod. Even if you can connect to the API server using |
Hello @zubron. I noticed something in my test environment. I have private registry where images are pushed for sonobuoy to used. I also have sonobuoy server where i want to execute sonobuoy run (sonobuoy commands).
|
Hi @rplanteras. In the failing run, you can see again that it's producing the same error as before "could not get api group resources". It's failing to make a request to the API server at 10.96.0.1 and because that step is failing, the sonobuoy run stops and it does not add the status annotation. How are running sonobuoy on each of these machines? Can you compare the output from If they are the same, it is the same workload being deployed on the cluster and so should behave the same. It won't matter which machine it was deployed from. If they are the same, then that suggests an issue with configuration in your cluster, and is not a Sonobuoy issue. If they are different, it might help us understand what the problem is. |
I run sonobuoy gen default-image-config and both servers (sonobuoy server and private registry server) have the same output.
Yes, i am expecting they should have the same behavior.
|
Can you confirm that the output of If you look at the namespaces that are created, the one with the label is one that is created as part of the e2e tests. The other is the namespaces created by Sonobuoy. If you look in the private-registry-server logs, there are two namespaces created. |
It was a mistak @zubron. A copied wrong line in logs. SOrry for that. As for the output of sonobuoy gen in both servers, they have the same output except for the config.json. |
How do the contents of |
Its only the UUID. |
Its normal right that when executing sonobuoy run, it will pull images for conformance and sonobuoy (in quick mode) in kubernetes master node. |
The default image pull policy is If you are experiencing the error with both servers, when it previously worked with one, then this seems to be an issue with your cluster configuration rather than Sonobuoy, sorry :( |
Are you having issues running any other workloads on your cluster? It might be better to work with something simpler to debug the networking issue. |
For my kubernetes cluster, i just setup the environment based on some resources from internet just for testing. I have not tested kubernetes cluster with other workloads. Below are some details of my kubernetes cluster. [root@master-node ~]# kubectl get pods -A NAMESPACE NAME READY STATUS RESTARTS AGE kube-system coredns-66bff467f8-r7nqd 1/1 Running 2 2d kube-system coredns-66bff467f8-srpmb 1/1 Running 2 2d kube-system etcd-master-node 1/1 Running 2 2d kube-system kube-apiserver-master-node 1/1 Running 51 2d kube-system kube-controller-manager-master-node 1/1 Running 3 2d kube-system kube-proxy-75nlb 1/1 Running 2 47h kube-system kube-proxy-9q24v 1/1 Running 2 47h kube-system kube-proxy-pm7vm 1/1 Running 2 2d kube-system kube-scheduler-master-node 1/1 Running 3 2d kube-system weave-net-84dqb 2/2 Running 8 2d kube-system weave-net-9lspj 2/2 Running 5 47h kube-system weave-net-n6zcx 2/2 Running 5 47h [root@master-node ~]# kubectl get namespaces NAME STATUS AGE default Active 2d kube-node-lease Active 2d kube-public Active 2d kube-system Active 2d [root@master-node ~]# |
IN my understanding, he node where sonobuoy is running is referring to the master node of the k8s cluster, right? |
No, Sonobuoy runs as a pod so by default, can run on any node where pods can run on a cluster. Some of the plugins sonobuoy runs may run on specific nodes but that has to be configured. |
Hello @zubron , do you think running on IPv6 environment affects sonobuoy? |
Hi @rplanteras. I'm not aware of any testing that has been done with an IPv6 environment so unfortunately I don't know. Sonobuoy uses the kubernetes client-go package for loading the kubeconfig and creating the client to communicate with the API server so hopefully would be able to take advantage of the IPv6 support there. |
I'm sorry this might be a stupid question, but im not sure about the source code details. "kubernetes client-go package" is included in sonobuoy image? I know client-go is part of kubernetes, but willsonobuoy use it? Basically, i have an air-gapped environment. |
Is it sonobuoy pod that access the kubernetes api or the sonobuoy application (executable file downloaded to execute sonobuoy commands)? |
Error on "could not get api group resources" occurs here at the very early part of the function Run.
|
Hi @rplanteras! Yes, Both the CLI application that you run and the pod will make use of this library. This the same error that you were originally seeing. Are you seeing it when using the CLI or in the pod logs? |
I use the following commands in sonobuoy server. b. sonobuoy logs ( in sonobuoy server) [root@uhn7klrc6rbmb001 ~]# sonobuoy logs --kubeconfig /root/bin/config -n sonobuoy-test namespace="sonobuoy-test" pod="sonobuoy" container="kube-sonobuoy" time="2020-05-01T06:27:40Z" level=info msg="Scanning plugins in ./plugins.d (pwd: /)" time="2020-05-01T06:27:40Z" level=info msg="Scanning plugins in /etc/sonobuoy/plugins.d (pwd: /)" time="2020-05-01T06:27:40Z" level=info msg="Directory (/etc/sonobuoy/plugins.d) does not exist" time="2020-05-01T06:27:40Z" level=info msg="Scanning plugins in ~/sonobuoy/plugins.d (pwd: /)" time="2020-05-01T06:27:40Z" level=info msg="Directory (~/sonobuoy/plugins.d) does not exist" time="2020-05-01T06:28:10Z" level=error msg="could not get api group resources: Get https://[240b:c0e0:101:5dc0:b464:2:0:8001]:443/api?timeout=32s: dial tcp [240b:c0e0:101:5dc0:b464:2:0:8001]:443: i/o timeout" time="2020-05-01T06:28:10Z" level=info msg="no-exit was specified, sonobuoy is now blocking" [root@uhn7klrc6rbmb001 ~]# c. sonobuoy status ( in sonobuoy server) [root@uhn7klrc6rbmb001 ~]# sonobuoy status --kubeconfig /root/bin/config -n sonobuoy-test ERRO[0000] error attempting to run sonobuoy: missing status annotation "sonobuoy.hept.io/status" [root@uhn7klrc6rbmb001 ~]# [root@uhn7klrc6rbms001 ~]# kubectl logs sonobuoy -n sonobuoy time="2020-04-23T10:20:46Z" level=info msg="Scanning plugins in ./plugins.d (pwd: /)" time="2020-04-23T10:20:46Z" level=info msg="Scanning plugins in /etc/sonobuoy/plugins.d (pwd: /)" time="2020-04-23T10:20:46Z" level=info msg="Directory (/etc/sonobuoy/plugins.d) does not exist" time="2020-04-23T10:20:46Z" level=info msg="Scanning plugins in ~/sonobuoy/plugins.d (pwd: /)" time="2020-04-23T10:20:46Z" level=info msg="Directory (~/sonobuoy/plugins.d) does not exist" time="2020-04-23T10:21:16Z" level=error msg="could not get api group resources: Get https://[240b:c0e0:101:5dc0:b464:2:0:8001]:443/api?timeout=32s: dial tcp [240b:c0e0:101:5dc0:b464:2:0:8001]:443: i/o timeout" time="2020-04-23T10:21:16Z" level=info msg="no-exit was specified, sonobuoy is now blocking" |
With this error "time="2020-05-01T06:28:10Z" level=error msg="could not get api group resources: Get https://[240b:c0e0:101:5dc0:b464:2:0:8001]:443/api?timeout=32s: dial tcp [240b:c0e0:101:5dc0:b464:2:0:8001]:443: i/o timeout" i would like to determine who ctried to get the api resources, is it sonobuoy cli execution or sonobuoy pod? based on the logs shown above, pod logs also shows the error, meaning the pod tried to access the api server. I dont quite get the flow of the execution of sonobuoy run command. |
When you run With the error you are seeing, that is coming from the sonobuoy pod. When you use Part of this manifest is to create the main sonobuoy pod. The command run on the sonobuoy pod also creates a client using the client-go library to interact with the cluster. It needs this client to start the plugins (creating Pods or DaemonSets), and also perform actions against the resources in the Sonobuoy namespace such as querying data about the pods, and adding labels and annotations to the pods. |
|
It is a library provided by the Kubernetes project: https://github.com/kubernetes/client-go It is a Golang library and we use it in the sonobuoy project. The |
Is my understanding correct, that sonobuoy pod is included in this resources that will be created in the cluster? Also, in my case, sonobuoy pod was created but was not able to create the necessary resource such as the hept.io/sonobuoy annotation. Is it correct?
Yes, i tried to generate and got the manifest. |
There has not been much activity here. We'll be closing this issue if there are no follow-ups within 15 days. |
I created a procedure based on the information i got from "#1028" to use sonobuoy in an offline environment. Now, i receive information from user of the procedure i created that they encountered an error. But i could not point as to what is the cause.
I would like to ask, what could have caused the following errors below?
The text was updated successfully, but these errors were encountered: