Fail to deploy pod using kata-qemu on minikube when internetworking_model="tcfilter"

[asaintsever]

Description of problem

Runtime context:

• Minikube 1.1.0 (kubernetes v1.14.2), cri-o 1.14.1, kvm2 driver
• Kata Containers 1.7.0

Minikube started using command line: minikube start -p minikube-k8s114-crio-kata --container-runtime=cri-o --network-plugin=cni --enable-default-cni --cpus 4 --memory 16384 --vm-driver kvm2

Deploying Kata Containers with:

• kubectl apply -f kata-rbac.yaml
• kubectl apply -f kata-deploy.yaml
• kubectl apply -f https://raw.githubusercontent.com/kata-containers/packaging/master/kata-deploy/k8s-1.14/kata-qemu-runtimeClass.yaml

Deploying test workload:

• kubectl apply -f https://raw.githubusercontent.com/kata-containers/packaging/master/kata-deploy/examples/test-deploy-kata-qemu.yaml

Pod is stuck with status: ContainerCreating
NAMESPACE NAME READY STATUS RESTARTS AGE
default pod/php-apache-kata-qemu-557fdb9bd6-b5t9h 0/1 ContainerCreating 0

Expected result

Pod should be deployed successfully with final status Running.

Actual result

Pod is always waiting for creating with status ContainerCreating.

SSH into Minikube and running command journalctl -t kata-runtime shows following errors:

• level=error msg="Error bridging virtual endpoint" arch=amd64 command=create container=73fd0653ffca7a79e1209f3e7451465b2702537a3b132567be5a012b48d7fbc0 error="Failed to add filter for index 4 : no such file or directory" name=kata-runtime pid=6504 source=virtcontainers subsystem=network
• level=error msg="Failed to add filter for index 4 : no such file or directory" arch=amd64 command=create container=73fd0653ffca7a79e1209f3e7451465b2702537a3b132567be5a012b48d7fbc0 name=kata-runtime pid=6504 source=runtime

Found following working configuration by editing config file /opt/kata/share/defaults/kata-containers/configuration-qemu.toml:
setting internetworking_model="bridged" instead of default internetworking_model="tcfilter" solves the issue (pod successfully running and no errors in kata-runtime journal)

---

Show kata-collect-data.sh details

Meta details

Running kata-collect-data.sh version 1.7.0 (commit d4f4644312d2acbfed8a150e49831787f8ebdd90) at 2019-05-26.17:09:02.952594046+0000.

---

Runtime is /opt/kata/bin/kata-runtime.

kata-env

Output of "/opt/kata/bin/kata-runtime kata-env":

[Meta]
  Version = "1.0.23"

[Runtime]
  Debug = false
  Trace = false
  DisableGuestSeccomp = true
  DisableNewNetNs = false
  Path = "/opt/kata/bin/kata-runtime"
  [Runtime.Version]
    Semver = "1.7.0"
    Commit = "d4f4644312d2acbfed8a150e49831787f8ebdd90"
    OCI = "1.0.1-dev"
  [Runtime.Config]
    Path = "/opt/kata/share/defaults/kata-containers/configuration-qemu.toml"

[Hypervisor]
  MachineType = "pc"
  Version = "QEMU emulator version 2.11.2(kata-static)\nCopyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers"
  Path = "/opt/kata/bin/qemu-system-x86_64"
  BlockDeviceDriver = "virtio-scsi"
  EntropySource = "/dev/urandom"
  Msize9p = 8192
  MemorySlots = 10
  Debug = false
  UseVSock = false
  SharedFS = "virtio-9p"

[Image]
  Path = "/opt/kata/share/kata-containers/kata-containers-image_clearlinux_1.7.0_agent_43bd707543.img"

[Kernel]
  Path = "/opt/kata/share/kata-containers/vmlinuz-4.19.28-39"
  Parameters = "init=/usr/lib/systemd/systemd systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket systemd.mask=systemd-journald.service systemd.mask=systemd-journald.socket systemd.mask=systemd-journal-flush.service systemd.mask=systemd-journald-dev-log.socket systemd.mask=systemd-udevd.service systemd.mask=systemd-udevd.socket systemd.mask=systemd-udev-trigger.service systemd.mask=systemd-udevd-kernel.socket systemd.mask=systemd-udevd-control.socket systemd.mask=systemd-timesyncd.service systemd.mask=systemd-update-utmp.service systemd.mask=systemd-tmpfiles-setup.service systemd.mask=systemd-tmpfiles-cleanup.service systemd.mask=systemd-tmpfiles-cleanup.timer systemd.mask=tmp.mount systemd.mask=systemd-random-seed.service [email protected]"

[Initrd]
  Path = ""

[Proxy]
  Type = "kataProxy"
  Version = "kata-proxy version 1.7.0-ea2b0bb14ef7906105d9ac808503292096add170"
  Path = "/opt/kata/libexec/kata-containers/kata-proxy"
  Debug = false

[Shim]
  Type = "kataShim"
  Version = "kata-shim version 1.7.0-7f2ab7726d6baf0b82ff2a35bd50c73f6b4a3d3a"
  Path = "/opt/kata/libexec/kata-containers/kata-shim"
  Debug = false

[Agent]
  Type = "kata"
  Debug = false
  Trace = false
  TraceMode = ""
  TraceType = ""

[Host]
  Kernel = "4.15.0"
  Architecture = "amd64"
  VMContainerCapable = true
  SupportVSocks = true
  [Host.Distro]
    Name = "Buildroot"
    Version = "2018.05"
  [Host.CPU]
    Vendor = "GenuineIntel"
    Model = "Intel(R) Core(TM) i7-7820HQ CPU @ 2.90GHz"

[Netmon]
  Version = "kata-netmon version 1.7.0"
  Path = "/opt/kata/libexec/kata-containers/kata-netmon"
  Debug = false
  Enable = false

---

Runtime config files

Runtime default config files

/etc/kata-containers/configuration.toml
/opt/kata/share/defaults/kata-containers/configuration.toml

Runtime config file contents

Config file /etc/kata-containers/configuration.toml not found
Output of "cat "/opt/kata/share/defaults/kata-containers/configuration.toml"":

# Copyright (c) 2017-2019 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#

# XXX: WARNING: this file is auto-generated.
# XXX:
# XXX: Source file: "cli/config/configuration-qemu.toml.in"
# XXX: Project:
# XXX:   Name: Kata Containers
# XXX:   Type: kata

[hypervisor.qemu]
path = "/opt/kata/bin/qemu-system-x86_64"
kernel = "/opt/kata/share/kata-containers/vmlinuz.container"
image = "/opt/kata/share/kata-containers/kata-containers.img"
machine_type = "pc"

# Optional space-separated list of options to pass to the guest kernel.
# For example, use `kernel_params = "vsyscall=emulate"` if you are having
# trouble running pre-2.15 glibc.
#
# WARNING: - any parameter specified here will take priority over the default
# parameter value of the same name used to start the virtual machine.
# Do not set values here unless you understand the impact of doing so as you
# may stop the virtual machine from booting.
# To see the list of default parameters, enable hypervisor debug, create a
# container and look for 'default-kernel-parameters' log entries.
kernel_params = ""

# Path to the firmware.
# If you want that qemu uses the default firmware leave this option empty
firmware = ""

# Machine accelerators
# comma-separated list of machine accelerators to pass to the hypervisor.
# For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"`
machine_accelerators=""

# Default number of vCPUs per SB/VM:
# unspecified or 0                --> will be set to 1
# < 0                             --> will be set to the actual number of physical cores
# > 0 <= number of physical cores --> will be set to the specified number
# > number of physical cores      --> will be set to the actual number of physical cores
default_vcpus = 1

# Default maximum number of vCPUs per SB/VM:
# unspecified or == 0             --> will be set to the actual number of physical cores or to the maximum number
#                                     of vCPUs supported by KVM if that number is exceeded
# > 0 <= number of physical cores --> will be set to the specified number
# > number of physical cores      --> will be set to the actual number of physical cores or to the maximum number
#                                     of vCPUs supported by KVM if that number is exceeded
# WARNING: Depending of the architecture, the maximum number of vCPUs supported by KVM is used when
# the actual number of physical cores is greater than it.
# WARNING: Be aware that this value impacts the virtual machine's memory footprint and CPU
# the hotplug functionality. For example, `default_maxvcpus = 240` specifies that until 240 vCPUs
# can be added to a SB/VM, but the memory footprint will be big. Another example, with
# `default_maxvcpus = 8` the memory footprint will be small, but 8 will be the maximum number of
# vCPUs supported by the SB/VM. In general, we recommend that you do not edit this variable,
# unless you know what are you doing.
default_maxvcpus = 0

# Bridges can be used to hot plug devices.
# Limitations:
# * Currently only pci bridges are supported
# * Until 30 devices per bridge can be hot plugged.
# * Until 5 PCI bridges can be cold plugged per VM.
#   This limitation could be a bug in qemu or in the kernel
# Default number of bridges per SB/VM:
# unspecified or 0   --> will be set to 1
# > 1 <= 5           --> will be set to the specified number
# > 5                --> will be set to 5
default_bridges = 1

# Default memory size in MiB for SB/VM.
# If unspecified then it will be set 2048 MiB.
default_memory = 2048
#
# Default memory slots per SB/VM.
# If unspecified then it will be set 10.
# This is will determine the times that memory will be hotadded to sandbox/VM.
#memory_slots = 10

# The size in MiB will be plused to max memory of hypervisor.
# It is the memory address space for the NVDIMM devie.
# If set block storage driver (block_device_driver) to "nvdimm",
# should set memory_offset to the size of block device.
# Default 0
#memory_offset = 0

# Disable block device from being used for a container's rootfs.
# In case of a storage driver like devicemapper where a container's 
# root file system is backed by a block device, the block device is passed
# directly to the hypervisor for performance reasons. 
# This flag prevents the block device from being passed to the hypervisor, 
# 9pfs is used instead to pass the rootfs.
disable_block_device_use = false

# Shared file system type:
#   - virtio-9p (default)
#   - virtio-fs
shared_fs = "virtio-9p"

# Path to vhost-user-fs daemon.
virtio_fs_daemon = "/opt/kata/bin/virtiofsd-x86_64"

# Default size of DAX cache in MiB
virtio_fs_cache_size = 1024

# Cache mode:
#
#  - none
#    Metadata, data, and pathname lookup are not cached in guest. They are
#    always fetched from host and any changes are immediately pushed to host.
#
#  - auto
#    Metadata and pathname lookup cache expires after a configured amount of
#    time (default is 1 second). Data is cached while the file is open (close
#    to open consistency).
#
#  - always
#    Metadata, data, and pathname lookup are cached in guest and never expire.
virtio_fs_cache = "always"

# Block storage driver to be used for the hypervisor in case the container
# rootfs is backed by a block device. This is virtio-scsi, virtio-blk
# or nvdimm.
block_device_driver = "virtio-scsi"

# Specifies cache-related options will be set to block devices or not.
# Default false
#block_device_cache_set = true

# Specifies cache-related options for block devices.
# Denotes whether use of O_DIRECT (bypass the host page cache) is enabled.
# Default false
#block_device_cache_direct = true

# Specifies cache-related options for block devices.
# Denotes whether flush requests for the device are ignored.
# Default false
#block_device_cache_noflush = true

# Enable iothreads (data-plane) to be used. This causes IO to be
# handled in a separate IO thread. This is currently only implemented
# for SCSI.
#
enable_iothreads = false

# Enable pre allocation of VM RAM, default false
# Enabling this will result in lower container density
# as all of the memory will be allocated and locked
# This is useful when you want to reserve all the memory
# upfront or in the cases where you want memory latencies
# to be very predictable
# Default false
#enable_mem_prealloc = true

# Enable huge pages for VM RAM, default false
# Enabling this will result in the VM memory
# being allocated using huge pages.
# This is useful when you want to use vhost-user network
# stacks within the container. This will automatically 
# result in memory pre allocation
#enable_hugepages = true

# Enable swap of vm memory. Default false.
# The behaviour is undefined if mem_prealloc is also set to true
#enable_swap = true

# This option changes the default hypervisor and kernel parameters
# to enable debug output where available. This extra output is added
# to the proxy logs, but only when proxy debug is also enabled.
# 
# Default false
#enable_debug = true

# Disable the customizations done in the runtime when it detects
# that it is running on top a VMM. This will result in the runtime
# behaving as it would when running on bare metal.
# 
#disable_nesting_checks = true

# This is the msize used for 9p shares. It is the number of bytes 
# used for 9p packet payload.
#msize_9p = 8192

# If true and vsocks are supported, use vsocks to communicate directly
# with the agent and no proxy is started, otherwise use unix
# sockets and start a proxy to communicate with the agent.
# Default false
#use_vsock = true

# VFIO devices are hotplugged on a bridge by default. 
# Enable hotplugging on root bus. This may be required for devices with
# a large PCI bar, as this is a current limitation with hotplugging on 
# a bridge. This value is valid for "pc" machine type.
# Default false
#hotplug_vfio_on_root_bus = true

# If host doesn't support vhost_net, set to true. Thus we won't create vhost fds for nics.
# Default false
#disable_vhost_net = true
#
# Default entropy source.
# The path to a host source of entropy (including a real hardware RNG)
# /dev/urandom and /dev/random are two main options.
# Be aware that /dev/random is a blocking source of entropy.  If the host
# runs out of entropy, the VMs boot time will increase leading to get startup
# timeouts.
# The source of entropy /dev/urandom is non-blocking and provides a
# generally acceptable source of entropy. It should work well for pretty much
# all practical purposes.
#entropy_source= "/dev/urandom"

# Path to OCI hook binaries in the *guest rootfs*.
# This does not affect host-side hooks which must instead be added to
# the OCI spec passed to the runtime.
#
# You can create a rootfs with hooks by customizing the osbuilder scripts:
# https://github.com/kata-containers/osbuilder
#
# Hooks must be stored in a subdirectory of guest_hook_path according to their
# hook type, i.e. "guest_hook_path/{prestart,postart,poststop}".
# The agent will scan these directories for executable files and add them, in
# lexicographical order, to the lifecycle of the guest container.
# Hooks are executed in the runtime namespace of the guest. See the official documentation:
# https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks
# Warnings will be logged if any error is encountered will scanning for hooks,
# but it will not abort container execution.
#guest_hook_path = "/usr/share/oci/hooks"

[factory]
# VM templating support. Once enabled, new VMs are created from template
# using vm cloning. They will share the same initial kernel, initramfs and
# agent memory by mapping it readonly. It helps speeding up new container
# creation and saves a lot of memory if there are many kata containers running
# on the same host.
#
# When disabled, new VMs are created from scratch.
#
# Note: Requires "initrd=" to be set ("image=" is not supported).
#
# Default false
#enable_template = true

# Specifies the path of template.
#
# Default "/run/vc/vm/template"
#template_path = "/run/vc/vm/template"

# The number of caches of VMCache:
# unspecified or == 0   --> VMCache is disabled
# > 0                   --> will be set to the specified number
#
# VMCache is a function that creates VMs as caches before using it.
# It helps speed up new container creation.
# The function consists of a server and some clients communicating
# through Unix socket.  The protocol is gRPC in protocols/cache/cache.proto.
# The VMCache server will create some VMs and cache them by factory cache.
# It will convert the VM to gRPC format and transport it when gets
# requestion from clients.
# Factory grpccache is the VMCache client.  It will request gRPC format
# VM and convert it back to a VM.  If VMCache function is enabled,
# kata-runtime will request VM from factory grpccache when it creates
# a new sandbox.
#
# Default 0
#vm_cache_number = 0

# Specify the address of the Unix socket that is used by VMCache.
#
# Default /var/run/kata-containers/cache.sock
#vm_cache_endpoint = "/var/run/kata-containers/cache.sock"

[proxy.kata]
path = "/opt/kata/libexec/kata-containers/kata-proxy"

# If enabled, proxy messages will be sent to the system log
# (default: disabled)
#enable_debug = true

[shim.kata]
path = "/opt/kata/libexec/kata-containers/kata-shim"

# If enabled, shim messages will be sent to the system log
# (default: disabled)
#enable_debug = true

# If enabled, the shim will create opentracing.io traces and spans.
# (See https://www.jaegertracing.io/docs/getting-started).
#
# Note: By default, the shim runs in a separate network namespace. Therefore,
# to allow it to send trace details to the Jaeger agent running on the host,
# it is necessary to set 'disable_new_netns=true' so that it runs in the host
# network namespace.
#
# (default: disabled)
#enable_tracing = true

[agent.kata]
# If enabled, make the agent display debug-level messages.
# (default: disabled)
#enable_debug = true

# Enable agent tracing.
#
# If enabled, the default trace mode is "dynamic" and the
# default trace type is "isolated". The trace mode and type are set
# explicity with the `trace_type=` and `trace_mode=` options.
#
# Notes:
#
# - Tracing is ONLY enabled when `enable_tracing` is set: explicitly
#   setting `trace_mode=` and/or `trace_type=` without setting `enable_tracing`
#   will NOT activate agent tracing.
#
# - See https://github.com/kata-containers/agent/blob/master/TRACING.md for
#   full details.
#
# (default: disabled)
#enable_tracing = true
#
#trace_mode = "dynamic"
#trace_type = "isolated"

[netmon]
# If enabled, the network monitoring process gets started when the
# sandbox is created. This allows for the detection of some additional
# network being added to the existing network namespace, after the
# sandbox has been created.
# (default: disabled)
#enable_netmon = true

# Specify the path to the netmon binary.
path = "/opt/kata/libexec/kata-containers/kata-netmon"

# If enabled, netmon messages will be sent to the system log
# (default: disabled)
#enable_debug = true

[runtime]
# If enabled, the runtime will log additional debug messages to the
# system log
# (default: disabled)
#enable_debug = true
#
# Internetworking model
# Determines how the VM should be connected to the
# the container network interface
# Options:
#
#   - bridged
#     Uses a linux bridge to interconnect the container interface to
#     the VM. Works for most cases except macvlan and ipvlan.
#
#   - macvtap
#     Used when the Container network interface can be bridged using
#     macvtap.
#
#   - none
#     Used when customize network. Only creates a tap device. No veth pair.
#
#   - tcfilter
#     Uses tc filter rules to redirect traffic from the network interface
#     provided by plugin to a tap interface connected to the VM.
#
internetworking_model="tcfilter"

# disable guest seccomp
# Determines whether container seccomp profiles are passed to the virtual
# machine and applied by the kata agent. If set to true, seccomp is not applied
# within the guest
# (default: true)
disable_guest_seccomp=true

# If enabled, the runtime will create opentracing.io traces and spans.
# (See https://www.jaegertracing.io/docs/getting-started).
# (default: disabled)
#enable_tracing = true

# If enabled, the runtime will not create a network namespace for shim and hypervisor processes.
# This option may have some potential impacts to your host. It should only be used when you know what you're doing.
# `disable_new_netns` conflicts with `enable_netmon`
# `disable_new_netns` conflicts with `internetworking_model=bridged` and `internetworking_model=macvtap`. It works only
# with `internetworking_model=none`. The tap device will be in the host network namespace and can connect to a bridge
# (like OVS) directly.
# If you are using docker, `disable_new_netns` only works with `docker run --net=none`
# (default: false)
#disable_new_netns = true

# Enabled experimental feature list, format: ["a", "b"].
# Experimental features are features not stable enough for production,
# They may break compatibility, and are prepared for a big version bump.
# Supported experimental features:
# 1. "newstore": new persist storage driver which breaks backward compatibility,
#				expected to move out of experimental in 2.0.0.
# (default: [])
experimental=[]

Config file /usr/share/defaults/kata-containers/configuration.toml not found

---

KSM throttler

version

Output of " --version":

./kata-collect-data.sh: line 176: --version: command not found

systemd service

Image details

losetup: invalid option -- 'P'
BusyBox v1.28.4 (2019-05-20 23:43:51 UTC) multi-call binary.

Usage: losetup [-r] [-o OFS] {-f|LOOPDEV} FILE - associate loop devices
losetup -d LOOPDEV - disassociate
losetup -a - show status
losetup -f - show next free loop device

-o OFS	Start OFS bytes into FILE
-r	Read-only
-f	Show/use next free loop device

losetup: invalid option -- 'j'
BusyBox v1.28.4 (2019-05-20 23:43:51 UTC) multi-call binary.

Usage: losetup [-r] [-o OFS] {-f|LOOPDEV} FILE - associate loop devices
losetup -d LOOPDEV - disassociate
losetup -a - show status
losetup -f - show next free loop device

-o OFS	Start OFS bytes into FILE
-r	Read-only
-f	Show/use next free loop device

losetup: invalid option -- 'P'
BusyBox v1.28.4 (2019-05-20 23:43:51 UTC) multi-call binary.

Usage: losetup [-r] [-o OFS] {-f|LOOPDEV} FILE - associate loop devices
losetup -d LOOPDEV - disassociate
losetup -a - show status
losetup -f - show next free loop device

-o OFS	Start OFS bytes into FILE
-r	Read-only
-f	Show/use next free loop device

losetup: invalid option -- 'j'
BusyBox v1.28.4 (2019-05-20 23:43:51 UTC) multi-call binary.

Usage: losetup [-r] [-o OFS] {-f|LOOPDEV} FILE - associate loop devices
losetup -d LOOPDEV - disassociate
losetup -a - show status
losetup -f - show next free loop device

-o OFS	Start OFS bytes into FILE
-r	Read-only
-f	Show/use next free loop device

unknown

---

Initrd details

No initrd

---

Logfiles

Runtime logs

Recent runtime problems found in system journal:

time="2019-05-26T17:06:15.355284512Z" level=warning msg="load sandbox devices failed" arch=amd64 command=create container=04863ea042716cf5e605472e2c7a5ce6393165958fe5a5142fd33df4bb000380 error="open /run/vc/sbs/04863ea042716cf5e605472e2c7a5ce6393165958fe5a5142fd33df4bb000380/devices.json: no such file or directory" name=kata-runtime pid=7815 sandbox=04863ea042716cf5e605472e2c7a5ce6393165958fe5a5142fd33df4bb000380 sandboxid=04863ea042716cf5e605472e2c7a5ce6393165958fe5a5142fd33df4bb000380 source=virtcontainers subsystem=sandbox
time="2019-05-26T17:06:15.358623743Z" level=error msg="Error bridging virtual endpoint" arch=amd64 command=create container=04863ea042716cf5e605472e2c7a5ce6393165958fe5a5142fd33df4bb000380 error="Failed to add filter for index 4 : no such file or directory" name=kata-runtime pid=7815 source=virtcontainers subsystem=network
time="2019-05-26T17:06:15.358987082Z" level=error msg="Failed to add filter for index 4 : no such file or directory" arch=amd64 command=create container=04863ea042716cf5e605472e2c7a5ce6393165958fe5a5142fd33df4bb000380 name=kata-runtime pid=7815 source=runtime
time="2019-05-26T17:06:15.388923584Z" level=warning msg="Failed to get container, force will not fail: Container ID (04863ea042716cf5e605472e2c7a5ce6393165958fe5a5142fd33df4bb000380) does not exist" arch=amd64 command=delete container=04863ea042716cf5e605472e2c7a5ce6393165958fe5a5142fd33df4bb000380 name=kata-runtime pid=7831 source=runtime
time="2019-05-26T17:06:30.002025088Z" level=warning msg="load sandbox devices failed" arch=amd64 command=create container=9cb5ee0d5fb4d9ac278286c495f6401b7b10ec7e83540697e3c1b31bb23e5508 error="open /run/vc/sbs/9cb5ee0d5fb4d9ac278286c495f6401b7b10ec7e83540697e3c1b31bb23e5508/devices.json: no such file or directory" name=kata-runtime pid=7976 sandbox=9cb5ee0d5fb4d9ac278286c495f6401b7b10ec7e83540697e3c1b31bb23e5508 sandboxid=9cb5ee0d5fb4d9ac278286c495f6401b7b10ec7e83540697e3c1b31bb23e5508 source=virtcontainers subsystem=sandbox
time="2019-05-26T17:06:30.004269061Z" level=error msg="Error bridging virtual endpoint" arch=amd64 command=create container=9cb5ee0d5fb4d9ac278286c495f6401b7b10ec7e83540697e3c1b31bb23e5508 error="Failed to add filter for index 4 : no such file or directory" name=kata-runtime pid=7976 source=virtcontainers subsystem=network
time="2019-05-26T17:06:30.004584725Z" level=error msg="Failed to add filter for index 4 : no such file or directory" arch=amd64 command=create container=9cb5ee0d5fb4d9ac278286c495f6401b7b10ec7e83540697e3c1b31bb23e5508 name=kata-runtime pid=7976 source=runtime
time="2019-05-26T17:06:30.044316942Z" level=warning msg="Failed to get container, force will not fail: Container ID (9cb5ee0d5fb4d9ac278286c495f6401b7b10ec7e83540697e3c1b31bb23e5508) does not exist" arch=amd64 command=delete container=9cb5ee0d5fb4d9ac278286c495f6401b7b10ec7e83540697e3c1b31bb23e5508 name=kata-runtime pid=7990 source=runtime
time="2019-05-26T17:06:47.421956962Z" level=warning msg="load sandbox devices failed" arch=amd64 command=create container=38f8d6f56214e5119263ba10cbc4be7c1b3365f7365f750620f3f48bf59cee7c error="open /run/vc/sbs/38f8d6f56214e5119263ba10cbc4be7c1b3365f7365f750620f3f48bf59cee7c/devices.json: no such file or directory" name=kata-runtime pid=8124 sandbox=38f8d6f56214e5119263ba10cbc4be7c1b3365f7365f750620f3f48bf59cee7c sandboxid=38f8d6f56214e5119263ba10cbc4be7c1b3365f7365f750620f3f48bf59cee7c source=virtcontainers subsystem=sandbox
time="2019-05-26T17:06:47.423361889Z" level=error msg="Error bridging virtual endpoint" arch=amd64 command=create container=38f8d6f56214e5119263ba10cbc4be7c1b3365f7365f750620f3f48bf59cee7c error="Failed to add filter for index 4 : no such file or directory" name=kata-runtime pid=8124 source=virtcontainers subsystem=network
time="2019-05-26T17:06:47.423666396Z" level=error msg="Failed to add filter for index 4 : no such file or directory" arch=amd64 command=create container=38f8d6f56214e5119263ba10cbc4be7c1b3365f7365f750620f3f48bf59cee7c name=kata-runtime pid=8124 source=runtime
time="2019-05-26T17:06:47.453570213Z" level=warning msg="Failed to get container, force will not fail: Container ID (38f8d6f56214e5119263ba10cbc4be7c1b3365f7365f750620f3f48bf59cee7c) does not exist" arch=amd64 command=delete container=38f8d6f56214e5119263ba10cbc4be7c1b3365f7365f750620f3f48bf59cee7c name=kata-runtime pid=8137 source=runtime
time="2019-05-26T17:07:05.112766632Z" level=warning msg="load sandbox devices failed" arch=amd64 command=create container=2fda7a3a154344741398a5678d3aa06475fb69a6e77e15a0eee2c38994d02614 error="open /run/vc/sbs/2fda7a3a154344741398a5678d3aa06475fb69a6e77e15a0eee2c38994d02614/devices.json: no such file or directory" name=kata-runtime pid=8262 sandbox=2fda7a3a154344741398a5678d3aa06475fb69a6e77e15a0eee2c38994d02614 sandboxid=2fda7a3a154344741398a5678d3aa06475fb69a6e77e15a0eee2c38994d02614 source=virtcontainers subsystem=sandbox
time="2019-05-26T17:07:05.114893049Z" level=error msg="Error bridging virtual endpoint" arch=amd64 command=create container=2fda7a3a154344741398a5678d3aa06475fb69a6e77e15a0eee2c38994d02614 error="Failed to add filter for index 4 : no such file or directory" name=kata-runtime pid=8262 source=virtcontainers subsystem=network
time="2019-05-26T17:07:05.115287413Z" level=error msg="Failed to add filter for index 4 : no such file or directory" arch=amd64 command=create container=2fda7a3a154344741398a5678d3aa06475fb69a6e77e15a0eee2c38994d02614 name=kata-runtime pid=8262 source=runtime
time="2019-05-26T17:07:05.146480909Z" level=warning msg="Failed to get container, force will not fail: Container ID (2fda7a3a154344741398a5678d3aa06475fb69a6e77e15a0eee2c38994d02614) does not exist" arch=amd64 command=delete container=2fda7a3a154344741398a5678d3aa06475fb69a6e77e15a0eee2c38994d02614 name=kata-runtime pid=8274 source=runtime
time="2019-05-26T17:07:19.182331293Z" level=warning msg="load sandbox devices failed" arch=amd64 command=create container=91b9e6955642f5f20627214835631332424c55004a87277128ae5ca7fa663502 error="open /run/vc/sbs/91b9e6955642f5f20627214835631332424c55004a87277128ae5ca7fa663502/devices.json: no such file or directory" name=kata-runtime pid=8677 sandbox=91b9e6955642f5f20627214835631332424c55004a87277128ae5ca7fa663502 sandboxid=91b9e6955642f5f20627214835631332424c55004a87277128ae5ca7fa663502 source=virtcontainers subsystem=sandbox
time="2019-05-26T17:07:19.183796554Z" level=error msg="Error bridging virtual endpoint" arch=amd64 command=create container=91b9e6955642f5f20627214835631332424c55004a87277128ae5ca7fa663502 error="Failed to add filter for index 4 : no such file or directory" name=kata-runtime pid=8677 source=virtcontainers subsystem=network
time="2019-05-26T17:07:19.184094838Z" level=error msg="Failed to add filter for index 4 : no such file or directory" arch=amd64 command=create container=91b9e6955642f5f20627214835631332424c55004a87277128ae5ca7fa663502 name=kata-runtime pid=8677 source=runtime
time="2019-05-26T17:07:19.21179847Z" level=warning msg="Failed to get container, force will not fail: Container ID (91b9e6955642f5f20627214835631332424c55004a87277128ae5ca7fa663502) does not exist" arch=amd64 command=delete container=91b9e6955642f5f20627214835631332424c55004a87277128ae5ca7fa663502 name=kata-runtime pid=8690 source=runtime
time="2019-05-26T17:07:34.031996434Z" level=warning msg="load sandbox devices failed" arch=amd64 command=create container=0e906f68c9957ad251a193b31b1ac56c188fb244a4e29e6dd9d723a9f1a3ddfd error="open /run/vc/sbs/0e906f68c9957ad251a193b31b1ac56c188fb244a4e29e6dd9d723a9f1a3ddfd/devices.json: no such file or directory" name=kata-runtime pid=8803 sandbox=0e906f68c9957ad251a193b31b1ac56c188fb244a4e29e6dd9d723a9f1a3ddfd sandboxid=0e906f68c9957ad251a193b31b1ac56c188fb244a4e29e6dd9d723a9f1a3ddfd source=virtcontainers subsystem=sandbox
time="2019-05-26T17:07:34.033452531Z" level=error msg="Error bridging virtual endpoint" arch=amd64 command=create container=0e906f68c9957ad251a193b31b1ac56c188fb244a4e29e6dd9d723a9f1a3ddfd error="Failed to add filter for index 4 : no such file or directory" name=kata-runtime pid=8803 source=virtcontainers subsystem=network
time="2019-05-26T17:07:34.033784668Z" level=error msg="Failed to add filter for index 4 : no such file or directory" arch=amd64 command=create container=0e906f68c9957ad251a193b31b1ac56c188fb244a4e29e6dd9d723a9f1a3ddfd name=kata-runtime pid=8803 source=runtime
time="2019-05-26T17:07:34.063792704Z" level=warning msg="Failed to get container, force will not fail: Container ID (0e906f68c9957ad251a193b31b1ac56c188fb244a4e29e6dd9d723a9f1a3ddfd) does not exist" arch=amd64 command=delete container=0e906f68c9957ad251a193b31b1ac56c188fb244a4e29e6dd9d723a9f1a3ddfd name=kata-runtime pid=8816 source=runtime
time="2019-05-26T17:07:49.462195713Z" level=warning msg="load sandbox devices failed" arch=amd64 command=create container=c5147ac4afc3dfb0f98e707c8535f6ac907c1e4673282a97265ca4a82500ecc9 error="open /run/vc/sbs/c5147ac4afc3dfb0f98e707c8535f6ac907c1e4673282a97265ca4a82500ecc9/devices.json: no such file or directory" name=kata-runtime pid=8946 sandbox=c5147ac4afc3dfb0f98e707c8535f6ac907c1e4673282a97265ca4a82500ecc9 sandboxid=c5147ac4afc3dfb0f98e707c8535f6ac907c1e4673282a97265ca4a82500ecc9 source=virtcontainers subsystem=sandbox
time="2019-05-26T17:07:49.463681626Z" level=error msg="Error bridging virtual endpoint" arch=amd64 command=create container=c5147ac4afc3dfb0f98e707c8535f6ac907c1e4673282a97265ca4a82500ecc9 error="Failed to add filter for index 4 : no such file or directory" name=kata-runtime pid=8946 source=virtcontainers subsystem=network
time="2019-05-26T17:07:49.464078624Z" level=error msg="Failed to add filter for index 4 : no such file or directory" arch=amd64 command=create container=c5147ac4afc3dfb0f98e707c8535f6ac907c1e4673282a97265ca4a82500ecc9 name=kata-runtime pid=8946 source=runtime
time="2019-05-26T17:07:49.492289932Z" level=warning msg="Failed to get container, force will not fail: Container ID (c5147ac4afc3dfb0f98e707c8535f6ac907c1e4673282a97265ca4a82500ecc9) does not exist" arch=amd64 command=delete container=c5147ac4afc3dfb0f98e707c8535f6ac907c1e4673282a97265ca4a82500ecc9 name=kata-runtime pid=8961 source=runtime
time="2019-05-26T17:08:07.305824977Z" level=warning msg="load sandbox devices failed" arch=amd64 command=create container=fb1ebae880f84aa5ed0da0dcf5a2b2df4ddf0da9e8754ad4e73ebf273281b840 error="open /run/vc/sbs/fb1ebae880f84aa5ed0da0dcf5a2b2df4ddf0da9e8754ad4e73ebf273281b840/devices.json: no such file or directory" name=kata-runtime pid=9392 sandbox=fb1ebae880f84aa5ed0da0dcf5a2b2df4ddf0da9e8754ad4e73ebf273281b840 sandboxid=fb1ebae880f84aa5ed0da0dcf5a2b2df4ddf0da9e8754ad4e73ebf273281b840 source=virtcontainers subsystem=sandbox
time="2019-05-26T17:08:07.307345135Z" level=error msg="Error bridging virtual endpoint" arch=amd64 command=create container=fb1ebae880f84aa5ed0da0dcf5a2b2df4ddf0da9e8754ad4e73ebf273281b840 error="Failed to add filter for index 4 : no such file or directory" name=kata-runtime pid=9392 source=virtcontainers subsystem=network
time="2019-05-26T17:08:07.307648788Z" level=error msg="Failed to add filter for index 4 : no such file or directory" arch=amd64 command=create container=fb1ebae880f84aa5ed0da0dcf5a2b2df4ddf0da9e8754ad4e73ebf273281b840 name=kata-runtime pid=9392 source=runtime
time="2019-05-26T17:08:07.33637281Z" level=warning msg="Failed to get container, force will not fail: Container ID (fb1ebae880f84aa5ed0da0dcf5a2b2df4ddf0da9e8754ad4e73ebf273281b840) does not exist" arch=amd64 command=delete container=fb1ebae880f84aa5ed0da0dcf5a2b2df4ddf0da9e8754ad4e73ebf273281b840 name=kata-runtime pid=9405 source=runtime
time="2019-05-26T17:08:21.122619535Z" level=warning msg="load sandbox devices failed" arch=amd64 command=create container=3bfe3dd56b4539bd9d1fdb446a93d34133c4f83e1b50c3d6fe503faa99dd68b2 error="open /run/vc/sbs/3bfe3dd56b4539bd9d1fdb446a93d34133c4f83e1b50c3d6fe503faa99dd68b2/devices.json: no such file or directory" name=kata-runtime pid=9497 sandbox=3bfe3dd56b4539bd9d1fdb446a93d34133c4f83e1b50c3d6fe503faa99dd68b2 sandboxid=3bfe3dd56b4539bd9d1fdb446a93d34133c4f83e1b50c3d6fe503faa99dd68b2 source=virtcontainers subsystem=sandbox
time="2019-05-26T17:08:21.124719546Z" level=error msg="Error bridging virtual endpoint" arch=amd64 command=create container=3bfe3dd56b4539bd9d1fdb446a93d34133c4f83e1b50c3d6fe503faa99dd68b2 error="Failed to add filter for index 4 : no such file or directory" name=kata-runtime pid=9497 source=virtcontainers subsystem=network
time="2019-05-26T17:08:21.125140221Z" level=error msg="Failed to add filter for index 4 : no such file or directory" arch=amd64 command=create container=3bfe3dd56b4539bd9d1fdb446a93d34133c4f83e1b50c3d6fe503faa99dd68b2 name=kata-runtime pid=9497 source=runtime
time="2019-05-26T17:08:21.154562729Z" level=warning msg="Failed to get container, force will not fail: Container ID (3bfe3dd56b4539bd9d1fdb446a93d34133c4f83e1b50c3d6fe503faa99dd68b2) does not exist" arch=amd64 command=delete container=3bfe3dd56b4539bd9d1fdb446a93d34133c4f83e1b50c3d6fe503faa99dd68b2 name=kata-runtime pid=9511 source=runtime
time="2019-05-26T17:08:35.678731739Z" level=warning msg="load sandbox devices failed" arch=amd64 command=create container=e82a8b05481fb56a6194ff9718dd50f204a727890a239069293bc4ea7b03254b error="open /run/vc/sbs/e82a8b05481fb56a6194ff9718dd50f204a727890a239069293bc4ea7b03254b/devices.json: no such file or directory" name=kata-runtime pid=9623 sandbox=e82a8b05481fb56a6194ff9718dd50f204a727890a239069293bc4ea7b03254b sandboxid=e82a8b05481fb56a6194ff9718dd50f204a727890a239069293bc4ea7b03254b source=virtcontainers subsystem=sandbox
time="2019-05-26T17:08:35.680501536Z" level=error msg="Error bridging virtual endpoint" arch=amd64 command=create container=e82a8b05481fb56a6194ff9718dd50f204a727890a239069293bc4ea7b03254b error="Failed to add filter for index 4 : no such file or directory" name=kata-runtime pid=9623 source=virtcontainers subsystem=network
time="2019-05-26T17:08:35.680754457Z" level=error msg="Failed to add filter for index 4 : no such file or directory" arch=amd64 command=create container=e82a8b05481fb56a6194ff9718dd50f204a727890a239069293bc4ea7b03254b name=kata-runtime pid=9623 source=runtime
time="2019-05-26T17:08:35.712444765Z" level=warning msg="Failed to get container, force will not fail: Container ID (e82a8b05481fb56a6194ff9718dd50f204a727890a239069293bc4ea7b03254b) does not exist" arch=amd64 command=delete container=e82a8b05481fb56a6194ff9718dd50f204a727890a239069293bc4ea7b03254b name=kata-runtime pid=9636 source=runtime
time="2019-05-26T17:08:50.693626855Z" level=warning msg="load sandbox devices failed" arch=amd64 command=create container=10940bc5080c767d1dfe43d376d6c0a3714027128dc60cf031337f5cacd42d51 error="open /run/vc/sbs/10940bc5080c767d1dfe43d376d6c0a3714027128dc60cf031337f5cacd42d51/devices.json: no such file or directory" name=kata-runtime pid=9983 sandbox=10940bc5080c767d1dfe43d376d6c0a3714027128dc60cf031337f5cacd42d51 sandboxid=10940bc5080c767d1dfe43d376d6c0a3714027128dc60cf031337f5cacd42d51 source=virtcontainers subsystem=sandbox
time="2019-05-26T17:08:50.695423002Z" level=error msg="Error bridging virtual endpoint" arch=amd64 command=create container=10940bc5080c767d1dfe43d376d6c0a3714027128dc60cf031337f5cacd42d51 error="Failed to add filter for index 4 : no such file or directory" name=kata-runtime pid=9983 source=virtcontainers subsystem=network
time="2019-05-26T17:08:50.695722993Z" level=error msg="Failed to add filter for index 4 : no such file or directory" arch=amd64 command=create container=10940bc5080c767d1dfe43d376d6c0a3714027128dc60cf031337f5cacd42d51 name=kata-runtime pid=9983 source=runtime
time="2019-05-26T17:08:50.725745625Z" level=warning msg="Failed to get container, force will not fail: Container ID (10940bc5080c767d1dfe43d376d6c0a3714027128dc60cf031337f5cacd42d51) does not exist" arch=amd64 command=delete container=10940bc5080c767d1dfe43d376d6c0a3714027128dc60cf031337f5cacd42d51 name=kata-runtime pid=9996 source=runtime

Proxy logs

No recent proxy problems found in system journal.

Shim logs

No recent shim problems found in system journal.

Throttler logs

No recent throttler problems found in system journal.

---

Container manager details

Have docker

Docker

Output of "docker version":

Client: Docker Engine - Community
 Version:           18.09.6
 API version:       1.39
 Go version:        go1.10.8
 Git commit:        481bc77
 Built:             Sat May  4 02:33:34 2019
 OS/Arch:           linux/amd64
 Experimental:      false
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

Output of "docker info":

Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

Output of "systemctl show docker":

Type=notify
Restart=no
NotifyAccess=main
RestartUSec=100ms
TimeoutStartUSec=infinity
TimeoutStopUSec=1min 30s
RuntimeMaxUSec=infinity
WatchdogUSec=0
WatchdogTimestampMonotonic=0
PermissionsStartOnly=no
RootDirectoryStartOnly=no
RemainAfterExit=no
GuessMainPID=yes
MainPID=0
ControlPID=0
FileDescriptorStoreMax=0
NFileDescriptorStore=0
StatusErrno=0
Result=success
UID=[not set]
GID=[not set]
NRestarts=0
ExecMainStartTimestampMonotonic=0
ExecMainExitTimestampMonotonic=0
ExecMainPID=0
ExecMainCode=0
ExecMainStatus=0
ExecStart={ path=/usr/bin/dockerd ; argv[]=/usr/bin/dockerd -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --tlsverify --tlscacert /etc/docker/ca.pem --tlscert /etc/docker/server.pem --tlskey /etc/docker/server-key.pem --label provider=kvm2 --insecure-registry 10.96.0.0/12 ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }
ExecReload={ path=/bin/kill ; argv[]=/bin/kill -s HUP ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }
Slice=system.slice
MemoryCurrent=[not set]
CPUUsageNSec=[not set]
TasksCurrent=[not set]
IPIngressBytes=18446744073709551615
IPIngressPackets=18446744073709551615
IPEgressBytes=18446744073709551615
IPEgressPackets=18446744073709551615
Delegate=yes
DelegateControllers=cpu cpuacct io blkio memory devices pids
CPUAccounting=no
CPUWeight=[not set]
StartupCPUWeight=[not set]
CPUShares=[not set]
StartupCPUShares=[not set]
CPUQuotaPerSecUSec=infinity
IOAccounting=no
IOWeight=[not set]
StartupIOWeight=[not set]
BlockIOAccounting=no
BlockIOWeight=[not set]
StartupBlockIOWeight=[not set]
MemoryAccounting=no
MemoryLow=0
MemoryHigh=infinity
MemoryMax=infinity
MemorySwapMax=infinity
MemoryLimit=infinity
DevicePolicy=auto
TasksAccounting=yes
TasksMax=infinity
IPAccounting=no
Environment=DOCKER_RAMDISK=yes
UMask=0022
LimitCPU=infinity
LimitCPUSoft=infinity
LimitFSIZE=infinity
LimitFSIZESoft=infinity
LimitDATA=infinity
LimitDATASoft=infinity
LimitSTACK=infinity
LimitSTACKSoft=8388608
LimitCORE=infinity
LimitCORESoft=infinity
LimitRSS=infinity
LimitRSSSoft=infinity
LimitNOFILE=infinity
LimitNOFILESoft=infinity
LimitAS=infinity
LimitASSoft=infinity
LimitNPROC=infinity
LimitNPROCSoft=infinity
LimitMEMLOCK=16777216
LimitMEMLOCKSoft=16777216
LimitLOCKS=infinity
LimitLOCKSSoft=infinity
LimitSIGPENDING=60652
LimitSIGPENDINGSoft=60652
LimitMSGQUEUE=819200
LimitMSGQUEUESoft=819200
LimitNICE=0
LimitNICESoft=0
LimitRTPRIO=0
LimitRTPRIOSoft=0
LimitRTTIME=infinity
LimitRTTIMESoft=infinity
OOMScoreAdjust=0
Nice=0
IOSchedulingClass=0
IOSchedulingPriority=0
CPUSchedulingPolicy=0
CPUSchedulingPriority=0
TimerSlackNSec=50000
CPUSchedulingResetOnFork=no
NonBlocking=no
StandardInput=null
StandardInputData=
StandardOutput=journal
StandardError=inherit
TTYReset=no
TTYVHangup=no
TTYVTDisallocate=no
SyslogPriority=30
SyslogLevelPrefix=yes
SyslogLevel=6
SyslogFacility=3
LogLevelMax=-1
SecureBits=0
CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend
AmbientCapabilities=
DynamicUser=no
RemoveIPC=no
MountFlags=
PrivateTmp=no
PrivateDevices=no
ProtectKernelTunables=no
ProtectKernelModules=no
ProtectControlGroups=no
PrivateNetwork=no
PrivateUsers=no
ProtectHome=no
ProtectSystem=no
SameProcessGroup=no
UtmpMode=init
IgnoreSIGPIPE=yes
NoNewPrivileges=no
SystemCallErrorNumber=0
LockPersonality=no
RuntimeDirectoryPreserve=no
RuntimeDirectoryMode=0755
StateDirectoryMode=0755
CacheDirectoryMode=0755
LogsDirectoryMode=0755
ConfigurationDirectoryMode=0755
MemoryDenyWriteExecute=no
RestrictRealtime=no
RestrictNamespaces=no
MountAPIVFS=no
KeyringMode=private
KillMode=process
KillSignal=15
SendSIGKILL=yes
SendSIGHUP=no
Id=docker.service
Names=docker.service
Requires=minikube-automount.service docker.socket system.slice sysinit.target
ConsistsOf=docker.socket
Conflicts=shutdown.target
Before=shutdown.target
After=network.target basic.target minikube-automount.service systemd-journald.socket system.slice sysinit.target docker.socket
TriggeredBy=docker.socket
Documentation=https://docs.docker.com
Description=Docker Application Container Engine
LoadState=loaded
ActiveState=inactive
SubState=dead
FragmentPath=/usr/lib/systemd/system/docker.service
UnitFileState=disabled
UnitFilePreset=enabled
StateChangeTimestamp=Sun 2019-05-26 16:58:28 UTC
StateChangeTimestampMonotonic=18425366
InactiveExitTimestampMonotonic=0
ActiveEnterTimestampMonotonic=0
ActiveExitTimestampMonotonic=0
InactiveEnterTimestampMonotonic=0
CanStart=yes
CanStop=yes
CanReload=yes
CanIsolate=no
StopWhenUnneeded=no
RefuseManualStart=no
RefuseManualStop=no
AllowIsolate=no
DefaultDependencies=yes
OnFailureJobMode=replace
IgnoreOnIsolate=no
NeedDaemonReload=no
JobTimeoutUSec=infinity
JobRunningTimeoutUSec=infinity
JobTimeoutAction=none
ConditionResult=no
AssertResult=no
ConditionTimestampMonotonic=0
AssertTimestampMonotonic=0
Transient=no
Perpetual=no
StartLimitIntervalUSec=10s
StartLimitBurst=5
StartLimitAction=none
FailureAction=none
SuccessAction=none
CollectMode=inactive

No kubectl
Have crio

crio

Output of "crio --version":

crio version 1.14.1

Output of "systemctl show crio":

Type=notify
Restart=on-abnormal
NotifyAccess=main
RestartUSec=100ms
TimeoutStartUSec=infinity
TimeoutStopUSec=1min 30s
RuntimeMaxUSec=infinity
WatchdogUSec=0
WatchdogTimestamp=Sun 2019-05-26 16:59:08 UTC
WatchdogTimestampMonotonic=58303676
PermissionsStartOnly=no
RootDirectoryStartOnly=no
RemainAfterExit=no
GuessMainPID=yes
MainPID=4647
ControlPID=0
FileDescriptorStoreMax=0
NFileDescriptorStore=0
StatusErrno=0
Result=success
UID=[not set]
GID=[not set]
NRestarts=0
ExecMainStartTimestamp=Sun 2019-05-26 16:59:07 UTC
ExecMainStartTimestampMonotonic=57885885
ExecMainExitTimestampMonotonic=0
ExecMainPID=4647
ExecMainCode=0
ExecMainStatus=0
ExecStart={ path=/usr/bin/crio ; argv[]=/usr/bin/crio $CRIO_OPTIONS $CRIO_MINIKUBE_OPTIONS ; ignore_errors=no ; start_time=[Sun 2019-05-26 16:59:07 UTC] ; stop_time=[n/a] ; pid=4647 ; code=(null) ; status=0/0 }
ExecReload={ path=/bin/kill ; argv[]=/bin/kill -s HUP $MAINPID ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }
Slice=system.slice
ControlGroup=/system.slice/crio.service
MemoryCurrent=[not set]
CPUUsageNSec=[not set]
TasksCurrent=17
IPIngressBytes=18446744073709551615
IPIngressPackets=18446744073709551615
IPEgressBytes=18446744073709551615
IPEgressPackets=18446744073709551615
Delegate=no
CPUAccounting=no
CPUWeight=[not set]
StartupCPUWeight=[not set]
CPUShares=[not set]
StartupCPUShares=[not set]
CPUQuotaPerSecUSec=infinity
IOAccounting=no
IOWeight=[not set]
StartupIOWeight=[not set]
BlockIOAccounting=no
BlockIOWeight=[not set]
StartupBlockIOWeight=[not set]
MemoryAccounting=no
MemoryLow=0
MemoryHigh=infinity
MemoryMax=infinity
MemorySwapMax=infinity
MemoryLimit=infinity
DevicePolicy=auto
TasksAccounting=yes
TasksMax=8192
IPAccounting=no
Environment=GOTRACEBACK=crash
EnvironmentFile=/etc/sysconfig/crio (ignore_errors=yes)
EnvironmentFile=/etc/sysconfig/crio.minikube (ignore_errors=yes)
EnvironmentFile=/var/run/minikube/env (ignore_errors=no)
UMask=0022
LimitCPU=infinity
LimitCPUSoft=infinity
LimitFSIZE=infinity
LimitFSIZESoft=infinity
LimitDATA=infinity
LimitDATASoft=infinity
LimitSTACK=infinity
LimitSTACKSoft=8388608
LimitCORE=infinity
LimitCORESoft=infinity
LimitRSS=infinity
LimitRSSSoft=infinity
LimitNOFILE=1048576
LimitNOFILESoft=1048576
LimitAS=infinity
LimitASSoft=infinity
LimitNPROC=1048576
LimitNPROCSoft=1048576
LimitMEMLOCK=16777216
LimitMEMLOCKSoft=16777216
LimitLOCKS=infinity
LimitLOCKSSoft=infinity
LimitSIGPENDING=60652
LimitSIGPENDINGSoft=60652
LimitMSGQUEUE=819200
LimitMSGQUEUESoft=819200
LimitNICE=0
LimitNICESoft=0
LimitRTPRIO=0
LimitRTPRIOSoft=0
LimitRTTIME=infinity
LimitRTTIMESoft=infinity
OOMScoreAdjust=-999
Nice=0
IOSchedulingClass=0
IOSchedulingPriority=0
CPUSchedulingPolicy=0
CPUSchedulingPriority=0
TimerSlackNSec=50000
CPUSchedulingResetOnFork=no
NonBlocking=no
StandardInput=null
StandardInputData=
StandardOutput=journal
StandardError=inherit
TTYReset=no
TTYVHangup=no
TTYVTDisallocate=no
SyslogPriority=30
SyslogLevelPrefix=yes
SyslogLevel=6
SyslogFacility=3
LogLevelMax=-1
SecureBits=0
CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend
AmbientCapabilities=
DynamicUser=no
RemoveIPC=no
MountFlags=
PrivateTmp=no
PrivateDevices=no
ProtectKernelTunables=no
ProtectKernelModules=no
ProtectControlGroups=no
PrivateNetwork=no
PrivateUsers=no
ProtectHome=no
ProtectSystem=no
SameProcessGroup=no
UtmpMode=init
IgnoreSIGPIPE=yes
NoNewPrivileges=no
SystemCallErrorNumber=0
LockPersonality=no
RuntimeDirectoryPreserve=no
RuntimeDirectoryMode=0755
StateDirectoryMode=0755
CacheDirectoryMode=0755
LogsDirectoryMode=0755
ConfigurationDirectoryMode=0755
MemoryDenyWriteExecute=no
RestrictRealtime=no
RestrictNamespaces=no
MountAPIVFS=no
KeyringMode=private
KillMode=control-group
KillSignal=15
SendSIGKILL=yes
SendSIGHUP=no
Id=crio.service
Names=crio.service
Requires=sysinit.target system.slice minikube-automount.service
WantedBy=kubelet.service
Conflicts=shutdown.target
Before=shutdown.target
After=sysinit.target minikube-automount.service basic.target system.slice network-online.target systemd-journald.socket
Documentation=https://github.com/kubernetes-sigs/cri-o
Description=Open Container Initiative Daemon
LoadState=loaded
ActiveState=active
SubState=running
FragmentPath=/usr/lib/systemd/system/crio.service
UnitFileState=disabled
UnitFilePreset=enabled
StateChangeTimestamp=Sun 2019-05-26 16:59:08 UTC
StateChangeTimestampMonotonic=58303677
InactiveExitTimestamp=Sun 2019-05-26 16:59:07 UTC
InactiveExitTimestampMonotonic=57885949
ActiveEnterTimestamp=Sun 2019-05-26 16:59:08 UTC
ActiveEnterTimestampMonotonic=58303677
ActiveExitTimestamp=Sun 2019-05-26 16:59:07 UTC
ActiveExitTimestampMonotonic=57614925
InactiveEnterTimestamp=Sun 2019-05-26 16:59:07 UTC
InactiveEnterTimestampMonotonic=57883572
CanStart=yes
CanStop=yes
CanReload=yes
CanIsolate=no
StopWhenUnneeded=no
RefuseManualStart=no
RefuseManualStop=no
AllowIsolate=no
DefaultDependencies=yes
OnFailureJobMode=replace
IgnoreOnIsolate=no
NeedDaemonReload=no
JobTimeoutUSec=infinity
JobRunningTimeoutUSec=infinity
JobTimeoutAction=none
ConditionResult=yes
AssertResult=yes
ConditionTimestamp=Sun 2019-05-26 16:59:07 UTC
ConditionTimestampMonotonic=57884650
AssertTimestamp=Sun 2019-05-26 16:59:07 UTC
AssertTimestampMonotonic=57884650
Transient=no
Perpetual=no
StartLimitIntervalUSec=10s
StartLimitBurst=5
StartLimitAction=none
FailureAction=none
SuccessAction=none
InvocationID=fa6954a86fdf4c3c9586808fa28e49b1
CollectMode=inactive

Output of "cat /etc/crio/crio.conf":

# The CRI-O configuration file specifies all of the available configuration
# options and command-line flags for the crio(8) OCI Kubernetes Container Runtime
# daemon, but in a TOML format that can be more easily modified and versioned.
#
# Please refer to crio.conf(5) for details of all configuration options.

# CRI-O reads its storage defaults from the containers-storage.conf(5) file
# located at /etc/containers/storage.conf. Modify this storage configuration if
# you want to change the system's defaults. If you want to modify storage just
# for CRI-O, you can change the storage configuration options here.
[crio]

# Path to the "root directory". CRI-O stores all of its data, including
# containers images, in this directory.
root = "/var/lib/containers/storage"

# Path to the "run directory". CRI-O stores all of its state in this directory.
runroot = "/var/run/containers/storage"

# Storage driver used to manage the storage of images and containers. Please
# refer to containers-storage.conf(5) to see all available storage drivers.
storage_driver = "overlay"

# List to pass options to the storage driver. Please refer to
# containers-storage.conf(5) to see all available storage options.
#storage_option = [
#]

# If set to false, in-memory locking will be used instead of file-based locking.
file_locking = true

# Path to the lock file.
file_locking_path = "/run/crio.lock"


# The crio.api table contains settings for the kubelet/gRPC interface.
[crio.api]

# Path to AF_LOCAL socket on which CRI-O will listen.
listen = "/var/run/crio/crio.sock"

# IP address on which the stream server will listen.
stream_address = "127.0.0.1"

# The port on which the stream server will listen.
stream_port = "0"

# Enable encrypted TLS transport of the stream server.
stream_enable_tls = false

# Path to the x509 certificate file used to serve the encrypted stream. This
# file can change, and CRI-O will automatically pick up the changes within 5
# minutes.
stream_tls_cert = ""

# Path to the key file used to serve the encrypted stream. This file can
# change, and CRI-O will automatically pick up the changes within 5 minutes.
stream_tls_key = ""

# Path to the x509 CA(s) file used to verify and authenticate client
# communication with the encrypted stream. This file can change, and CRI-O will
# automatically pick up the changes within 5 minutes.
stream_tls_ca = ""

# Maximum grpc send message size in bytes. If not set or <=0, then CRI-O will default to 16 * 1024 * 1024.
grpc_max_send_msg_size = 16777216

# Maximum grpc receive message size. If not set or <= 0, then CRI-O will default to 16 * 1024 * 1024.
grpc_max_recv_msg_size = 16777216

# The crio.runtime table contains settings pertaining to the OCI runtime used
# and options for how to set up and manage the OCI runtime.
[crio.runtime]
manage_network_ns_lifecycle = true

# A list of ulimits to be set in containers by default, specified as
# "<ulimit name>=<soft limit>:<hard limit>", for example:
# "nofile=1024:2048"
# If nothing is set here, settings will be inherited from the CRI-O daemon
#default_ulimits = [
#]

# default_runtime is the _name_ of the OCI runtime to be used as the default.
# The name is matched against the runtimes map below.
default_runtime = "runc"

# If true, the runtime will not use pivot_root, but instead use MS_MOVE.
no_pivot = true

# Path to the conmon binary, used for monitoring the OCI runtime.
conmon = "/usr/libexec/crio/conmon"

# Environment variable list for the conmon process, used for passing necessary
# environment variables to conmon or the runtime.
conmon_env = [
	"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
]

# If true, SELinux will be used for pod separation on the host.
selinux = false

# Path to the seccomp.json profile which is used as the default seccomp profile
# for the runtime.
seccomp_profile = "/etc/crio/seccomp.json"

# Used to change the name of the default AppArmor profile of CRI-O. The default
# profile name is "crio-default-" followed by the version string of CRI-O.
apparmor_profile = "crio-default"

# Cgroup management implementation used for the runtime.
cgroup_manager = "cgroupfs"

# List of default capabilities for containers. If it is empty or commented out,
# only the capabilities defined in the containers json file by the user/kube
# will be added.
default_capabilities = [
	"CHOWN", 
	"DAC_OVERRIDE", 
	"FSETID", 
	"FOWNER", 
	"NET_RAW", 
	"SETGID", 
	"SETUID", 
	"SETPCAP", 
	"NET_BIND_SERVICE", 
	"SYS_CHROOT", 
	"KILL", 
]

# List of default sysctls. If it is empty or commented out, only the sysctls
# defined in the container json file by the user/kube will be added.
default_sysctls = [
]

# List of additional devices. specified as
# "<device-on-host>:<device-on-container>:<permissions>", for example: "--device=/dev/sdc:/dev/xvdc:rwm".
#If it is empty or commented out, only the devices
# defined in the container json file by the user/kube will be added.
additional_devices = [
]

# Path to OCI hooks directories for automatically executed hooks.
hooks_dir = [
]

# List of default mounts for each container. **Deprecated:** this option will
# be removed in future versions in favor of default_mounts_file.
default_mounts = [
]

# Path to the file specifying the defaults mounts for each container. The
# format of the config is /SRC:/DST, one mount per line. Notice that CRI-O reads
# its default mounts from the following two files:
#
#   1) /etc/containers/mounts.conf (i.e., default_mounts_file): This is the
#      override file, where users can either add in their own default mounts, or
#      override the default mounts shipped with the package.
#
#   2) /usr/share/containers/mounts.conf: This is the default file read for
#      mounts. If you want CRI-O to read from a different, specific mounts file,
#      you can change the default_mounts_file. Note, if this is done, CRI-O will
#      only add mounts it finds in this file.
#
#default_mounts_file = ""

# Maximum number of processes allowed in a container.
pids_limit = 1024

# Maximum sized allowed for the container log file. Negative numbers indicate
# that no size limit is imposed. If it is positive, it must be >= 8192 to
# match/exceed conmon's read buffer. The file is truncated and re-opened so the
# limit is never exceeded.
log_size_max = -1

# Whether container output should be logged to journald in addition to the kuberentes log file
log_to_journald = false

# Path to directory in which container exit files are written to by conmon.
container_exits_dir = "/var/run/crio/exits"

# Path to directory for container attach sockets.
container_attach_socket_dir = "/var/run/crio"

# If set to true, all containers will run in read-only mode.
read_only = false

# Changes the verbosity of the logs based on the level it is set to. Options
# are fatal, panic, error, warn, info, and debug.
log_level = "error"

# The UID mappings for the user namespace of each container. A range is
# specified in the form containerUID:HostUID:Size. Multiple ranges must be
# separated by comma.
uid_mappings = ""

# The GID mappings for the user namespace of each container. A range is
# specified in the form containerGID:HostGID:Size. Multiple ranges must be
# separated by comma.
gid_mappings = ""

# The minimal amount of time in seconds to wait before issuing a timeout
# regarding the proper termination of the container.
ctr_stop_timeout = 0

  # The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
  # The runtime to use is picked based on the runtime_handler provided by the CRI.
  # If no runtime_handler is provided, the runtime will be picked based on the level
  # of trust of the workload.
  
  [crio.runtime.runtimes.runc]
  runtime_path = "/usr/bin/runc"
  runtime_type = "oci"
  


# The crio.image table contains settings pertaining to the management of OCI images.
#
# CRI-O reads its configured registries defaults from the system wide
# containers-registries.conf(5) located in /etc/containers/registries.conf. If
# you want to modify just CRI-O, you can change the registries configuration in
# this file. Otherwise, leave insecure_registries and registries commented out to
# use the system's defaults from /etc/containers/registries.conf.
[crio.image]

# Default transport for pulling images from a remote container storage.
default_transport = "docker://"

# The image used to instantiate infra containers.
pause_image = "k8s.gcr.io/pause:3.1"

# If not empty, the path to a docker/config.json-like file containing credentials
# necessary for pulling the image specified by pause_image above.
pause_image_auth_file = ""

# The command to run to have a container stay in the paused state.
pause_command = "/pause"

# Path to the file which decides what sort of policy we use when deciding
# whether or not to trust an image that we've pulled. It is not recommended that
# this option be used, as the default behavior of using the system-wide default
# policy (i.e., /etc/containers/policy.json) is most often preferred. Please
# refer to containers-policy.json(5) for more details.
signature_policy = ""

# Controls how image volumes are handled. The valid values are mkdir, bind and
# ignore; the latter will ignore volumes entirely.
image_volumes = "mkdir"

# List of registries to be used when pulling an unqualified image (e.g.,
# "alpine:latest"). By default, registries is set to "docker.io" for
# compatibility reasons. Depending on your workload and usecase you may add more
# registries (e.g., "quay.io", "registry.fedoraproject.org",
# "registry.opensuse.org", etc.).
registries = [
	"docker.io"
]


# The crio.network table containers settings pertaining to the management of
# CNI plugins.
[crio.network]

# Path to the directory where CNI configuration files are located.
network_dir = "/etc/cni/net.d/"

# Paths to directories where CNI plugin binaries are located.
plugin_dir = [
	"/opt/cni/bin/",
]

# Path to the Kata Containers runtime binary that uses the QEMU hypervisor.
[crio.runtime.runtimes.kata-qemu]
  runtime_path = "/opt/kata/bin/kata-qemu"

# Path to the Kata Containers runtime binary that uses the NEMU hypervisor.
[crio.runtime.runtimes.kata-nemu]
  runtime_path = "/opt/kata/bin/kata-nemu"

# Path to the Kata Containers runtime binary that uses the firecracker hypervisor.
[crio.runtime.runtimes.kata-fc]
  runtime_path = "/opt/kata/bin/kata-fc"

Have containerd

containerd

Output of "containerd --version":

containerd github.com/containerd/containerd v1.2.5 bb71b10fd8f58240ca47fbb579b9d1028eea7c84

Output of "systemctl show containerd":

Type=simple
Restart=on-abnormal
NotifyAccess=none
RestartUSec=100ms
TimeoutStartUSec=infinity
TimeoutStopUSec=1min 30s
RuntimeMaxUSec=infinity
WatchdogUSec=0
WatchdogTimestampMonotonic=0
PermissionsStartOnly=no
RootDirectoryStartOnly=no
RemainAfterExit=no
GuessMainPID=yes
MainPID=0
ControlPID=0
FileDescriptorStoreMax=0
NFileDescriptorStore=0
StatusErrno=0
Result=success
UID=[not set]
GID=[not set]
NRestarts=0
ExecMainStartTimestampMonotonic=0
ExecMainExitTimestampMonotonic=0
ExecMainPID=0
ExecMainCode=0
ExecMainStatus=0
ExecStartPre={ path=/sbin/modprobe ; argv[]=/sbin/modprobe overlay ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }
ExecStart={ path=/usr/bin/containerd ; argv[]=/usr/bin/containerd $CONTAINERD_OPTIONS $CONTAINERD_MINIKUBE_OPTIONS --root ${PERSISTENT_DIR}/var/lib/containerd ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }
Slice=system.slice
MemoryCurrent=[not set]
CPUUsageNSec=[not set]
TasksCurrent=[not set]
IPIngressBytes=18446744073709551615
IPIngressPackets=18446744073709551615
IPEgressBytes=18446744073709551615
IPEgressPackets=18446744073709551615
Delegate=yes
DelegateControllers=cpu cpuacct io blkio memory devices pids
CPUAccounting=no
CPUWeight=[not set]
StartupCPUWeight=[not set]
CPUShares=[not set]
StartupCPUShares=[not set]
CPUQuotaPerSecUSec=infinity
IOAccounting=no
IOWeight=[not set]
StartupIOWeight=[not set]
BlockIOAccounting=no
BlockIOWeight=[not set]
StartupBlockIOWeight=[not set]
MemoryAccounting=no
MemoryLow=0
MemoryHigh=infinity
MemoryMax=infinity
MemorySwapMax=infinity
MemoryLimit=infinity
DevicePolicy=auto
TasksAccounting=yes
TasksMax=8192
IPAccounting=no
Environment=GOTRACEBACK=crash
EnvironmentFile=/etc/sysconfig/containerd (ignore_errors=yes)
EnvironmentFile=/etc/sysconfig/containerd.minikube (ignore_errors=yes)
EnvironmentFile=/var/run/minikube/env (ignore_errors=no)
UMask=0022
LimitCPU=infinity
LimitCPUSoft=infinity
LimitFSIZE=infinity
LimitFSIZESoft=infinity
LimitDATA=infinity
LimitDATASoft=infinity
LimitSTACK=infinity
LimitSTACKSoft=8388608
LimitCORE=infinity
LimitCORESoft=infinity
LimitRSS=infinity
LimitRSSSoft=infinity
LimitNOFILE=1048576
LimitNOFILESoft=1048576
LimitAS=infinity
LimitASSoft=infinity
LimitNPROC=infinity
LimitNPROCSoft=infinity
LimitMEMLOCK=16777216
LimitMEMLOCKSoft=16777216
LimitLOCKS=infinity
LimitLOCKSSoft=infinity
LimitSIGPENDING=60652
LimitSIGPENDINGSoft=60652
LimitMSGQUEUE=819200
LimitMSGQUEUESoft=819200
LimitNICE=0
LimitNICESoft=0
LimitRTPRIO=0
LimitRTPRIOSoft=0
LimitRTTIME=infinity
LimitRTTIMESoft=infinity
OOMScoreAdjust=0
Nice=0
IOSchedulingClass=0
IOSchedulingPriority=0
CPUSchedulingPolicy=0
CPUSchedulingPriority=0
TimerSlackNSec=50000
CPUSchedulingResetOnFork=no
NonBlocking=no
StandardInput=null
StandardInputData=
StandardOutput=journal
StandardError=inherit
TTYReset=no
TTYVHangup=no
TTYVTDisallocate=no
SyslogPriority=30
SyslogLevelPrefix=yes
SyslogLevel=6
SyslogFacility=3
LogLevelMax=-1
SecureBits=0
CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend
AmbientCapabilities=
DynamicUser=no
RemoveIPC=no
MountFlags=
PrivateTmp=no
PrivateDevices=no
ProtectKernelTunables=no
ProtectKernelModules=no
ProtectControlGroups=no
PrivateNetwork=no
PrivateUsers=no
ProtectHome=no
ProtectSystem=no
SameProcessGroup=no
UtmpMode=init
IgnoreSIGPIPE=yes
NoNewPrivileges=no
SystemCallErrorNumber=0
LockPersonality=no
RuntimeDirectoryPreserve=no
RuntimeDirectoryMode=0755
StateDirectoryMode=0755
CacheDirectoryMode=0755
LogsDirectoryMode=0755
ConfigurationDirectoryMode=0755
MemoryDenyWriteExecute=no
RestrictRealtime=no
RestrictNamespaces=no
MountAPIVFS=no
KeyringMode=private
KillMode=process
KillSignal=15
SendSIGKILL=yes
SendSIGHUP=no
Id=containerd.service
Names=containerd.service
Requires=system.slice sysinit.target minikube-automount.service
Conflicts=shutdown.target
Before=shutdown.target
After=minikube-automount.service basic.target network-online.target sysinit.target system.slice systemd-journald.socket
Documentation=https://containerd.io
Description=containerd container runtime
LoadState=loaded
ActiveState=inactive
SubState=dead
FragmentPath=/usr/lib/systemd/system/containerd.service
UnitFileState=disabled
UnitFilePreset=enabled
StateChangeTimestampMonotonic=0
InactiveExitTimestampMonotonic=0
ActiveEnterTimestampMonotonic=0
ActiveExitTimestampMonotonic=0
InactiveEnterTimestampMonotonic=0
CanStart=yes
CanStop=yes
CanReload=no
CanIsolate=no
StopWhenUnneeded=no
RefuseManualStart=no
RefuseManualStop=no
AllowIsolate=no
DefaultDependencies=yes
OnFailureJobMode=replace
IgnoreOnIsolate=no
NeedDaemonReload=no
JobTimeoutUSec=infinity
JobRunningTimeoutUSec=infinity
JobTimeoutAction=none
ConditionResult=no
AssertResult=no
ConditionTimestampMonotonic=0
AssertTimestampMonotonic=0
Transient=no
Perpetual=no
StartLimitIntervalUSec=10s
StartLimitBurst=5
StartLimitAction=none
FailureAction=none
SuccessAction=none
CollectMode=inactive

Output of "cat /etc/containerd/config.toml":

root = "/var/lib/containerd"
state = "/run/containerd"
oom_score = 0

[grpc]
  address = "/run/containerd/containerd.sock"
  uid = 0
  gid = 0
  max_recv_message_size = 16777216
  max_send_message_size = 16777216

[debug]
  address = ""
  uid = 0
  gid = 0
  level = ""

[metrics]
  address = ""
  grpc_histogram = false

[cgroup]
  path = ""

[plugins]
  [plugins.cgroups]
    no_prometheus = false
  [plugins.cri]
    stream_server_address = ""
    stream_server_port = "10010"
    enable_selinux = false
    sandbox_image = "k8s.gcr.io/pause:3.1"
    stats_collect_period = 10
    systemd_cgroup = false
    enable_tls_streaming = false
    max_container_log_line_size = 16384
    [plugins.cri.containerd]
      snapshotter = "overlayfs"
      no_pivot = true
      [plugins.cri.containerd.default_runtime]
        runtime_type = "io.containerd.runtime.v1.linux"
        runtime_engine = ""
        runtime_root = ""
      [plugins.cri.containerd.untrusted_workload_runtime]
        runtime_type = ""
        runtime_engine = ""
        runtime_root = ""
    [plugins.cri.cni]
      bin_dir = "/opt/cni/bin"
      conf_dir = "/etc/cni/net.d"
      conf_template = ""
    [plugins.cri.registry]
      [plugins.cri.registry.mirrors]
        [plugins.cri.registry.mirrors."docker.io"]
          endpoint = ["https://registry-1.docker.io"]
  [plugins.diff-service]
    default = ["walking"]
  [plugins.linux]
    shim = "containerd-shim"
    runtime = "runc"
    runtime_root = ""
    no_shim = false
    shim_debug = false
  [plugins.scheduler]
    pause_threshold = 0.02
    deletion_threshold = 0
    mutation_threshold = 100
    schedule_delay = "0s"
    startup_delay = "100ms"

---

Packages

No dpkg
No rpm

---

[devimc]

cc @grahamwhaley

[grahamwhaley]

Hi @asaintsever - thanks for the report, and the thorough diagnostics - yes, we are aware of this - there is a short term workaround (switch the config file to 'macvtap' networking), and at the end of last week we found the solution in minikube to the issue for 'tcfilter' networking:
kata-containers/documentation#445 (comment)

and, that fix has now been merged into minikube sources: kubernetes/minikube#4340

I don't know when minikube will do a release update though...

[asaintsever]

Great news. Thanks @grahamwhaley for the links to the issues. Did not try macvtap networking as I was successful using internetworking_model="bridged".

[egernst]

@grahamwhaley - can we get insight into minikube release that we can reference here?
Otherwise, seems we should be able to close this issue, and track through documentation?

[grahamwhaley]

Timely it seems. Just checked, and minikube look to have done a release 3 days ago with our required kernel config change in it:
https://github.com/kubernetes/minikube/blob/v1.1.1/CHANGELOG.md#minikube-release-notes

Tomorrow I'll test that and then update my pending minikube PR to see if we can land it.
Yes, we can probably close this Issue, as it is also tracked on the pending docs update PR.

/cc @amshinde

[grahamwhaley]

@asaintsever - OK to close this one now?

[asaintsever]

Yes LGTM!