One, foreword
The troubleshooting process and source code were all checked and recorded by my development colleagues; Published here by me, with his consent.
Second, the problem of
One day, WE received feedback from the customer that a large number of warning events occurred in pod events: Readiness probe failed: OCI Runtime exec failed: exec failed: EOF: Unknown. However, customers’ access to the service is not affected.
Three, the environment
Special note: The customer insists on enabling CPU-Manager on the K8S node that is responsible for running services
component | version | |
k8s | X 1.14. |
Four, screening
1. After receiving customer feedback, check the Kubelet log of the node where the POD is located as follows:
I0507 03:43:28.310630 57003 prober.go:112] Readiness probe for "adsfadofadfabdfhaodsfa(d1aab5f0-
ae8f-11eb-a151-080027049c65):c0" failed (failure): OCI runtime exec failed: exec failed: EOF: unknown
I0507 07:08:49.834093 57003 prober.go:112] Readiness probe for "adsfadofadfabdfhaodsfa(a89a158e-
ae8f-11eb-a151-080027049c65):c0" failed (failure): OCI runtime exec failed: exec failed: unexpected EOF: unknown
I0507 10:06:58.307881 57003 prober.go:112] Readiness probe for "adsfadofadfabdfhaodsfa(d1aab5f0-
ae8f-11eb-a151-080027049c65):c0" failed (failure): OCI runtime exec failed: exec failed: EOF: unknown
The error type of Probe is failure, and the corresponding code is as follows:2. Check the docker log as follows:
time="The 2021-05-06 T16: down. 009989451 + 08:00" level=error msg="stream copy error: reading from a closed fifo"
time="The 2021-05-06 T16: down. 010054596 + 08:00" level=error msg="stream copy error: reading from a closed fifo"
time="The 2021-05-06 T16: down. 170676532 + 08:00" level=error msg="Error running exec 8e34e8b910694abe95a467b2936b37635fdabd2f7b7c464d
fef952fa5732aa4e in container: OCI runtime exec failed: exec failed: EOF: unknown"
Although the Docker log shows a Stream copy error, it is actually the underlying RUNC that returns the EOF, causing the error to be returned. 3. The log shows that the probe type is Failure, so the error of binedOutPut() is err! = nil, ExitStatus is not 0, data is OCI Runtime exec failed: exec failed: unexpected of: unknown, RunInContainer is called
ExecSync is a call to Dockershim ExecSync via GRPC
Dockershim eventually calls the ExecInContainer method, which returns an error with exitCode non-zero.
func (*NativeExecHandler) ExecInContainer(client libdocker.Interface, container *dockertypes.ContainerJSON, cmd []string, stdin io.Reader, stdout, stderr io.WriteCloser, tty bool, resize <-chan remotecommand.TerminalSize, timeout time.Duration) error {
execObj, err := client.CreateExec(container.ID, createOpts)
startOpts := dockertypes.ExecStartCheck{Detach: false, Tty: tty}
streamOpts := libdocker.StreamOptions{
InputStream: stdin,
OutputStream: stdout,
ErrorStream: stderr,
RawTerminal: tty,
ExecStarted: execStarted,
err = client.StartExec(execObj.ID, startOpts, streamOpts)
iferr ! =nil {
return err
ticker := time.NewTicker(2 * time.Second)
defer ticker.Stop()
count := 0
for {
inspect, err2 := client.InspectExec(execObj.ID)
iferr2 ! =nil {
return err2
if! inspect.Running {ifinspect.ExitCode ! =0 {
err = &dockerExitError{inspect}
if count == 5 {
klog.Errorf("Exec session %s in container %s terminated but process still running!", execObj.ID, container.ID)
return err
ExecInContainer does a few things:
- Call CreateExec to create the ExecID
- Call StartExec to perform exec, and redirect the input and output via holdText Connection. Write inputStream to connection and redirect Response Stream to stdout, stderr.
- Call InspectExec to obtain the running status of exec and exitCode
Then the error printed in the log is the character stream passed by response Stream. That is, the dockerd response contains an error value.At this point, go to the docker code to find the reason. ExecStart will call the following code in Dockerd:
According to the docker logs, the err error message is: OCI Runtime exec failed: exec failed: EOF: unknown. So ContainerExecStart returns an error. ContainerExecStart calls containerD. Exec, which is the communication between the Dockerd and containerd
// docker/libcontainerd/client_daemon.go
// Exec creates exec process.
// The containerd client calls Exec to register the exec config in the shim side.
// When the client calls Start, the shim will create stdin fifo if needs. But
// for the container main process, the stdin fifo will be created in Create not
// the Start call. stdinCloseSync channel should be closed after Start exec
// process.
func (c *client) Exec(ctx context.Context, containerID, processID string, spec *specs.Process, withStdin bool, attachStdio StdioCallback) (int, error) {
ctr := c.getContainer(containerID)
if ctr == nil {
return - 1, errors.WithStack(newNotFoundError("no such container"))
t := ctr.getTask()
if t == nil {
return - 1, errors.WithStack(newInvalidParameterError("container is not running"))}ifp := ctr.getProcess(processID); p ! =nil {
return - 1, errors.WithStack(newConflictError("id already in use"))}var (
p containerd.Process
rio cio.IO
err error
stdinCloseSync = make(chan struct{})
fifos := newFIFOSet(ctr.bundleDir, processID, withStdin, spec.Terminal)
defer func(a) {
iferr ! =nil {
ifrio ! =nil {
p, err = t.Exec(ctx, processID, spec, func(id string) (cio.IO, error) {
rio, err = c.createIO(fifos, containerID, processID, stdinCloseSync, attachStdio)
return rio, err
iferr ! =nil {
return - 1, wrapError(err)
ctr.addProcess(processID, p)
// Signal c.createIO that it can call CloseIO
// the stdin of exec process will be created after p.Start in containerd
defer close(stdinCloseSync)
iferr = p.Start(ctx); err ! =nil {
// use new context for cleanup because old one may be cancelled by user, but leave a timeout to make sure
// we are not waiting forever if containerd is unresponsive or to work around fifo cancelling issues in
// older containerd-shim
ctx, cancel := context.WithTimeout(context.Background(), 45*time.Second)
defer cancel()
return - 1, wrapError(err)
return int(p.Pid()), nil
A FIFOSet is new, and reading from a closed FIFO is read only when the FIFO is closed. That is, f.close () occurs before F.read (). You can see it on the outer layer
defer func(a) {
iferr ! =nil {
ifrio ! =nil {
rio.Close() // 这里 Close 会导致 fifo close
p, err = t.Exec(ctx, processID, spec, func(id string) (cio.IO, error) {
rio, err = c.createIO(fifos, containerID, processID, stdinCloseSync, attachStdio)
return rio, err
iferr ! =nil {
return - 1, wrapError(err)
ctr.addProcess(processID, p)
// Signal c.createIO that it can call CloseIO
// the stdin of exec process will be created after p.Start in containerd
defer close(stdinCloseSync)
// the reading from a closed FIFO is interrupted
iferr = p.Start(ctx); err ! =nil {
// use new context for cleanup because old one may be cancelled by user, but leave a timeout to make sure
// we are not waiting forever if containerd is unresponsive or to work around fifo cancelling issues in
// older containerd-shim
ctx, cancel := context.WithTimeout(context.Background(), 45*time.Second)
defer cancel()
return - 1, wrapError(err)
P.start calls the following code to communicate with Containerd via GRPC.
// github.com/containerd/containerd/task.go
func (t *task) Start(ctx context.Context) error {
r, err := t.client.TaskService().Start(ctx, &tasks.StartRequest{
ContainerID: t.id,
iferr ! =nil {
return errdefs.FromGRPC(err)
t.pid = r.Pid
return nil
The GRPC call will arrive at containerd with the following code:
func (e *execProcess) start(ctx context.Context) (err error) {
var (
socket *runc.Socket
pidfile = filepath.Join(e.path, fmt.Sprintf("%s.pid", e.id))
if e.stdio.Terminal {
ifsocket, err = runc.NewTempConsoleSocket(); err ! =nil {
return errors.Wrap(err, "failed to create runc console socket")}defer socket.Close()
} else if e.stdio.IsNull() {
ife.io, err = runc.NewNullIO(); err ! =nil {
return errors.Wrap(err, "creating new NULL IO")}}else {
ife.io, err = runc.NewPipeIO(e.parent.IoUID, e.parent.IoGID, withConditionalIO(e.stdio)); err ! =nil {
return errors.Wrap(err, "failed to create runc io pipes")
opts := &runc.ExecOpts{
PidFile: pidfile,
IO: e.io,
Detach: true,}ifsocket ! =nil {
opts.ConsoleSocket = socket
// err returns exec failed: EOF: unknown
// The runtime is the runc binary for executing commands
iferr := e.parent.runtime.Exec(ctx, e.parent.id, e.spec, opts); err ! =nil {
The code for Exec is as follows:
// Exec executres and additional process inside the container based on a full
// OCI Process specification
func (r *Runc) Exec(context context.Context, id string, spec specs.Process, opts *ExecOpts) error {
f, err := ioutil.TempFile(os.Getenv("XDG_RUNTIME_DIR"), "runc-process")
iferr ! =nil {
return err
defer os.Remove(f.Name())
err = json.NewEncoder(f).Encode(spec)
iferr ! =nil {
return err
args := []string{"exec"."--process", f.Name()}
ifopts ! =nil {
oargs, err := opts.args()
iferr ! =nil {
return err
args = append(args, oargs...)
cmd := r.command(context, append(args, id)...)
ifopts ! =nil&& opts.IO ! =nil {
if cmd.Stdout == nil && cmd.Stderr == nil {
data, err := cmdOutput(cmd, true)
iferr ! =nil {
return fmt.Errorf("%s: %s", err, data)
return nil
ec, err := Monitor.Start(cmd)
iferr ! =nil {
return err
ifopts ! =nil&& opts.IO ! =nil {
if c, ok := opts.IO.(StartCloser); ok {
iferr := c.CloseAfterStart(); err ! =nil {
return err
status, err := Monitor.Wait(cmd, ec)
if err == nil&& status ! =0 {
err = fmt.Errorf("%s did not terminate sucessfully", cmd.Args[0])}return err
So runc prints exec failed: EOF: unknown after running.Runc instructions are executed in a loop and can be reproduced in small amounts. When runc exec reads the state. Json of the Container and uses JSON decode, an exception occurs.
When kubelet CPU-manager is enabled, the state. Json file will be updated. Cause RUNc to read part of the CPU-Manager update. As a result, JSON decode fails. Check the time between runC EOF and Kubelet CPU-Manager Update Container (default: every 10 seconds).
Check to see if runc has a fix and find this pr: github.com/opencontain… The fix is to make saveState atomic, so you don’t have unexpected EOF (or EOF) problems when reading state.json and reading part of what was written
/ / the original
func (c *linuxContainer) saveState(s *State) error {
f, err := os.Create(filepath.Join(c.root, stateFilename))
iferr ! =nil {
return err
defer f.Close()
return utils.WriteJSON(f, s)
// After the repair
func (c *linuxContainer) saveState(s *State) (retErr error) {
tmpFile, err := ioutil.TempFile(c.root, "state-")
iferr ! =nil {
return err
defer func(a) {
ifretErr ! =nil {
err = utils.WriteJSON(tmpFile, s)
iferr ! =nil {
return err
err = tmpFile.Close()
iferr ! =nil {
return err
stateFilePath := filepath.Join(c.root, stateFilename)
return os.Rename(tmpFile.Name(), stateFilePath)
Fifth, to solve
- Close the CPU – manager
- Upgrade runc