Intermitent connection issues inside LXC

Question

I am experiencing connection issues inside a LXC that are driving me mad. They are intermitent. They appear during some time, and they suddenly disapear.

Scenario

A lxc inside a host. Both are running Debian GNU/Linux 8.3 In the lxc there is an installation of Piwik (open source PHP software for stats, with apache, mysql) and an ssh server. The lxc apache is reachable through an nginx proxy in the host

The lxc config:

lxc.tty = 6
lxc.pts = 1024
lxc.rootfs = /var/lib/lxc/hammond/rootfs
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm

# mounts point
lxc.mount.entry=proc /var/lib/lxc/hammond/rootfs/proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry=devpts /var/lib/lxc/hammond/rootfs/dev/pts devpts defaults 0 0
lxc.mount.entry=sysfs /var/lib/lxc/hammond/rootfs/sys sysfs defaults  0 0

# networking
lxc.utsname = hammond
lxc.network.type = veth
#lxc.network.macvlan.mode = private
lxc.network.flags = up
lxc.network.link = br-hammond
lxc.network.ipv4 = 192.168.100.2/24
lxc.network.ipv4.gateway = 192.168.100.1
lxc.network.hwaddr = 00:1E:10:C1:6B:C9

lxc.start.auto = 1

# http://serverfault.com/questions/658052/systemd-journal-in-debian-jessie-lxc-container-eats-100-cpu
lxc.autodev = 1
lxc.kmsg = 0

Issues:

1. Cannot connect to local database

Suddenly, Piwik reports:

SQLSTATE[HY000] [2003] Can't connect to MySQL server on '127.0.0.1' (111)

The database is running, of course.

• If I telnet from inside the lxc (127.0.0.1:3306), I can connect to the database
• If I telnet the apache from inside the lxc (127.0.0.1:80), Piwik works fine. It connects to the database, renders the page as usual and doesn't report any error.
• If I telnet the apache from the host (192.168.100.2:80), Piwik reports the database error.

2. SSH freezes

I am tunneling the ssh connection to the lxc using ProxyCommand

ProxyCommand ssh -q host nc -q0 192.168.100.2 22

After the ssh negotiation phase, the connection freezes. If I type keys, they don't show up in the console. Finally, the connection timeouts with

packet_write_wait: Connection to UNKNOWN: Broken pipe

I have sniffed the packets with tcpdump and ssh key exchanges goes fine. Then, the traffic stops after 0.5 seconds

I think this is a bug in last Debian kernel updates. It used to work fine, but I am experiencing these problems since a few weeks ago. As I mention, they are intermitent. Suddenly, everything goes fine.

Suggestions on how to investigate further are welcomed

Answer 1

I've had a problem with the same symptoms. In my case, there was another host with the same IP on the vlan I used in the bridge. Sometimes the other host would be faster to answer to the ARP request (despite being another physical machine), at which point the lxc guest would save the wrong MAC address in its ARP table and continue sending ethernet frames to the wrong address until another ARP request "resolved" the problem.

I diagnosed this with a timestamped ping from host to guest:

# ping -n 10.70.70.10 | perl -nle 'BEGIN {$|++} print scalar(localtime), " ", $_' |tee -a ping10707010.log
[...]
Sun Jul 31 09:18:53 2016 64 bytes from 10.70.70.10: icmp_seq=3389 ttl=64 time=0.035 ms
Sun Jul 31 09:18:54 2016 64 bytes from 10.70.70.10: icmp_seq=3390 ttl=64 time=0.035 ms
Sun Jul 31 09:18:55 2016 64 bytes from 10.70.70.10: icmp_seq=3391 ttl=64 time=0.027 ms
Sun Jul 31 09:19:45 2016 64 bytes from 10.70.70.10: icmp_seq=3441 ttl=64 time=0.064 ms
Sun Jul 31 09:19:46 2016 64 bytes from 10.70.70.10: icmp_seq=3442 ttl=64 time=0.038 ms
Sun Jul 31 09:19:47 2016 64 bytes from 10.70.70.10: icmp_seq=3443 ttl=64 time=0.036 ms

as well as a tcpdump on both host and guest:

# tcpdump -n -i brv3001 # on the host
[...]
09:18:55.724751 IP 10.70.0.1 > 10.70.70.10: ICMP echo request, id 26519, seq 3391, length 64
09:18:55.724768 IP 10.70.70.10 > 10.70.0.1: ICMP echo reply, id 26519, seq 3391, length 64
09:18:56.336109 ARP, Request who-has 10.70.70.10 tell 10.70.0.1, length 42
09:18:56.336147 ARP, Reply 10.70.70.10 is-at 00:16:3e:46:46:0a, length 28
[...]
09:19:44.728738 ARP, Request who-has 10.70.70.10 tell 10.70.0.1, length 28
09:19:44.728769 ARP, Reply 10.70.70.10 is-at 00:16:3e:46:46:0a, length 28
# tcpdump -n -i infra0 # on the guest
[...]
09:18:55.724757 IP 10.70.0.1 > 10.70.70.10: ICMP echo request, id 26519, seq 3391, length 64
09:18:55.724767 IP 10.70.70.10 > 10.70.0.1: ICMP echo reply, id 26519, seq 3391, length 64
09:18:56.336123 ARP, Request who-has 10.70.70.10 tell 10.70.0.1, length 42
09:18:56.336144 ARP, Reply 10.70.70.10 is-at 00:16:3e:46:46:0a, length 28
[...]
09:19:44.728745 ARP, Request who-has 10.70.70.10 tell 10.70.0.1, length 28
09:19:44.728766 ARP, Reply 10.70.70.10 is-at 00:16:3e:46:46:0a, length 28

which allowed me to see that around the point when the network would drop out and when it would reactivate, ARP requests were being issued and answered. The ARP requests seemed to be in order (using the correct MACs), but i decided to check the facts as seen by the OS anyway, so I logged ARP tables on host and guest with timestamps:

# while true; do date; arp -n; sleep 1; done > arp.log 2>&1 # on the host
[...]
Sun Jul 31 09:18:55 CEST 2016
Address                  HWtype  HWaddress           Flags Mask            Iface
10.70.70.10              ether   00:16:3e:46:46:0a   C                     brv3001
Sun Jul 31 09:18:56 CEST 2016
Address                  HWtype  HWaddress           Flags Mask            Iface
10.70.70.10              ether   00:16:3e:46:46:0a   C                     brv3001
# while true; do date; arp -n; sleep 1; done > arp.log 2>&1 # on the guest
Sun Jul 31 09:18:55 CEST 2016
Address                  HWtype  HWaddress           Flags Mask            Iface
10.70.0.1                ether   00:1e:68:4a:03:b0   C                     infra0
Sun Jul 31 09:18:56 CEST 2016
Address                  HWtype  HWaddress           Flags Mask            Iface
10.70.0.1                ether   c4:34:6b:22:b6:7c   C                     infra0

which allowed me to understand that the host did not have a faulty MAC of the guest, but the guest somehow arrived at a faulty MAC of the host. Irritatingly, that was not reflected in the tcpdump information. (NB: there may be a race condition somewhere in libpcap or the ip stack that would benefit from investigating)

After finding the erroneous MAC, I looked up which vendor the erroneous MAC address belonged to, and thus was able to find the offending machine. If that information had been more ambiguous, I'm sure my switch would've had functionality to help me find the right switch port.

I suppose that up/downgrading kernels and certain userland tools would change and maybe even remove all or some of the symptoms through changed timings, slightly different behavior, other network services being active etc. For example, a ping from guest to host would reliably "fix" the problem in my case.

Also, do not forget that the IP addresses you can see with ifconfig are not all of the IP addresses used by the system. ip addr ls will be more comprehensive on linux and maybe even some more advanced iptables configurations could play a role too. If you are in bad luck, the host responding to the arps may even have a broken IP stack. You may even get ARP replies from other customers of your ISP if your network isn't properly isolated.

I realize that this might not be the exact solution to your problem, but I thought I'd leave some pointers for debugging for the next person to look for and find this issue on serverfault.

Answer 2

I think your database problem might be a configuration issue rg. Apache/Piwik/MySQL.

But we observe connectivity issues with SSH (and other applications) from "connection refused" to cases like those you described (connection comes up, prompt shows, then the connection dies silently).

Similarily, several applications (Mail, Web) "feel slow" (for us and at least one of our rootserver customers), and currently I'm guessing the clients (Mailclients, Webbrowsers) are performing multiple connect attempts and/or re-connects, enough to slow them down but not severe enough for error messages to show up (or to trigger alerts from our 3 outside Icange monitors).

The setup is not new, it performed with perfection with Debian Wheezy + OpenVZ-Kernel + OpenVZ (OpenVZ stuff from OpenVZ's debian repo) for 2 years.

We have quite recently (a couple days ago) migrated to Debian Jessie + backports kernel (due to DRBD fixes) + LXC, without changing anything else (same two pairs of oversized server hardware, same housing center, same virtualized guests).

So, as 1st conclusion, we too get the "feeling" that there's something wrong, either a kernel bug or some LXC restrictions related to TCP that nobody is aware of.

"Feeling" is a bit vague, but at the moment it's difficult to pinpoint. But we do know we have a problem that occurs too often for too many different clients to blame anything else.

Btw., the problems seems to hit primarily LXC those guests that have been idle for some time, that do nothing most of time.

It also seems to help to "wake them up" with SSH connections with then LAN/DMZ and WAN network activity like pings.

We use veth/br0 style networking setups with custom MACs for guests' eths.

Once I had a phantom IP from a stopped LXC guest (recognizable from the MAC), but I think I mad the mistake of changing the LXC guest's configuration between start and stop of that guest.

Debian Kernel version is: 4.3.0-0.bpo.1-amd64 #1 SMP Debian 4.3.3-5~bpo8+1 (2016-01-07) x86_64

PS:

Questions @ Antonio Tapiador: What Kernel version do you use? Do you use VLAN?

We were discussing whether this patch we found in the 4.3.4 changelog might help.

PPS: Why do I have to use "answer" to comment?

PPPS, AKA our solution: Downgrading from Kernel 4.3.3 to 4.2.6 (both in jessie-backports) seems to have solved our problem.

Of course it's difficult to be sure when the problem was intermittent. If you use jessie's 3.16 kernel I suggest you try to upgrade to 4.2 from jessie-backports, i.e. Package linux-image-4.2.0-0.bpo.1-amd64.

4.2 hasn't longterm support from kernel.org neither, but at least Canonical maintains that for Ubuntu 15.10, and the Debian based virtualisation distro Proxmox now uses 4.2, too (like us they are swichting from OpenVZ to LXC).

Update 2016-04-07: The problem was not totally gone with 4.3. Upgrading to 4.4 (LTS from Kernel.org and Ubuntu) didn't help totally either. Howerver, we are going to try a temporary LTE line to be 100% sure it's not our access provider ...

Update 2016-08-29: We now are sure there were to problems. The bad 4.3 kernel and the housing provider we are just leaving behind. We have another severe problem with 4.4/4.6 and LXC/DRBD, but that'd be offtopic here.