Please note that we're already in Test Freeze for the release-1.33 branch. This means every merged PR will be automatically fast-forwarded via the periodic ci-fast-forward job to the release branch of the upcoming v1.33.0 release.

Fast forwards are scheduled to happen every 6 hours, whereas the most recent run was: Tue Apr 15 13:35:16 UTC 2025.

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: HirazawaUi
Once this PR has been reviewed and has the lgtm label, please assign random-liu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

/retest

/retest

/triage accepted

This PR will fix a case where a pod has only one container, which seems the most common. I think this fix is worth it. However, if a pod has multiple containers, RemoveContainer() still can be called multiple times for one container due to removeAll.

/retest

This PR will fix a case where a pod has only one container, which seems the most common. I think this fix is worth it. However, if a pod has multiple containers, RemoveContainer() still can be called multiple times for one container due to removeAll.

Yes, I also noticed this issue, and the number of calls to RemoveContainer() is the square of the number of containers in the pod, which I think is unreasonable. I have already made fixes for this behavior in the PR.

/retest

Removing removeAll may delay container deletion on the runtime though I'm not sure how harmful that would be.

We can observe this delay with this pod:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: testpod
  name: testpod
spec:
  containers:
  - image: busybox
    name: container1
    command:
      - sh
      - -c
      - trap "exit 0" SIGTERM; while true; do sleep 1; done
  - image: busybox
    name: container2
    command:
      - sh
      - -c
      - sleep 1d

At pod termination, while container1 exits soon, container2 remains till gracePeriod expires. Then, when a ContainerDied event for container1 is raised, RemoveContainer() is not called because SyncTerminationgPod() has not been completed yet. With this fix, when a ContainerDied event for container2 or the sandbox is raised, container1 is not removed and removed later by the garbage collection.

By the way, when EventedPLEG is enabled, I guess ContainerDied events are usually delivered before SyncTerminatingPod() has completed. This gap with GenericPLEG might be another problem for EventedPLEG feature.

At pod termination, while container1 exits soon, container2 remains till gracePeriod expires. Then, when a ContainerDied event for container1 is raised, RemoveContainer() is not called because SyncTerminationgPod() has not been completed yet. With this fix, when a ContainerDied event for container2 or the sandbox is raised, container1 is not removed and removed later by the garbage collection.

Removing removeAll may delay container deletion on the runtime though I'm not sure how harmful that would be.

Thanks for the reminder. The reason for failing the e2e test also because this. I initially hoped to minimize code changes to fix this issue without adding extra caching or locks, but it seems unfeasible now. I’ll mark this PR as WIP and work on finding a better solution.

@hshiina Can you review my latest changes to see if I’ve missed any scenarios? :) Adding a cache to avoid repeated container cleanup was one of my initial ideas, but I was concerned that modifying too much code would complicate the review and PR process. So, I initially focused on fixing the issue with minimal changes. However, it now seems unavoidable to add this cache.

It seems that RemoveContainer() still can cause NotFound in a case where two containers exit at the almost same time:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: testpod
  name: testpod
spec:
  containers:
  - image: busybox
    name: container1
    command:
      - sh
      - -c
      - trap "exit 0" SIGTERM; while true; do sleep 1; done
  - image: busybox
    name: container2
    command:
      - sh
      - -c
      - trap "exit 0" SIGTERM; while true; do sleep 1; done

When PLEG detects two containers exiting at the same time, it raises two ContainerDied events. By the first event, all containers are removed because all containers in Exited status on the pod cache. Then, single RemoveContainer() triggered by the second event fails with NotFound.

It seems that RemoveContainer() still can cause NotFound in a case where two containers exit at the almost same time:

Just modify the current code so that if a pod exists in the podCleanupTracker cache, the containers in that pod will not be cleaned up again. This way, we can avoid this situation, but I'm concerned that it might break the consistency of podWorker.

Compared to the previous exponentially numerous RemoveContainer calls based on the number of containers, I think the current fix might already be sufficient? Of course, I'm very open to any opinions.

@HirazawaUi: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

CC @haircommander

PR needs rebase.