Investigating pod issues

OKD leverages the Kubernetes concept of a pod, which is one or more containers deployed together on one host. A pod is the smallest compute unit that can be defined, deployed, and managed on OKD 4.

After a pod is defined, it is assigned to run on a node until its containers exit, or until it is removed. Depending on policy and exit code, Pods are either removed after exiting or retained so that their logs can be accessed.

The first thing to check when pod issues arise is the pod’s status. If an explicit pod failure has occurred, observe the pod’s error state to identify specific image, container, or pod network issues. Focus diagnostic data collection according to the error state. Review pod event messages, as well as pod and container log information. Diagnose issues dynamically by accessing running Pods on the command line, or start a debug pod with root access based on a problematic pod’s deployment configuration.

Understanding pod error states

Pod failures return explicit error states that can be observed in the status field in the output of oc get pods. Pod error states cover image, container, and container network related failures.

The following table provides a list of pod error states along with their descriptions.

Table 1. Pod error states
Pod error stateDescription

ErrImagePull

Generic image retrieval error.

ErrImagePullBackOff

Image retrieval failed and is backed off.

ErrInvalidImageName

The specified image name was invalid.

ErrImageInspect

Image inspection did not succeed.

ErrImageNeverPull

PullPolicy is set to NeverPullImage and the target image is not present locally on the host.

ErrRegistryUnavailable

When attempting to retrieve an image from a registry, an HTTP error was encountered.

ErrContainerNotFound

The specified container is either not present or not managed by the kubelet, within the declared pod.

ErrRunInitContainer

Container initialization failed.

ErrRunContainer

None of the pod’s containers started successfully.

ErrKillContainer

None of the pod’s containers were killed successfully.

ErrCrashLoopBackOff

A container has terminated. The kubelet will not attempt to restart it.

ErrVerifyNonRoot

A container or image attempted to run with root privileges.

ErrCreatePodSandbox

Pod sandbox creation did not succeed.

ErrConfigPodSandbox

Pod sandbox configuration was not obtained.

ErrKillPodSandbox

A pod sandbox did not stop successfully.

ErrSetupNetwork

Network initialization failed.

ErrTeardownNetwork

Network termination failed.

Reviewing pod status

You can query pod status and error states. You can also query a pod’s associated deployment configuration and review base image availability.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

  • You have installed the OpenShift CLI (oc).

  • skopeo is installed.

Procedure

  1. Switch into a project:

    1. $ oc project <project_name>
  2. List pods running within the namespace, as well as pod status, error states, restarts, and age:

    1. $ oc get pods
  3. Determine whether the namespace is managed by a deployment configuration:

    1. $ oc status

    If the namespace is managed by a deployment configuration, the output includes the deployment configuration name and a base image reference.

  4. Inspect the base image referenced in the preceding command’s output:

    1. $ skopeo inspect docker://<image_reference>
  5. If the base image reference is not correct, update the reference in the deployment configuration:

    1. $ oc edit deployment/my-deployment
  6. When deployment configuration changes on exit, the configuration will automatically redeploy. Watch pod status as the deployment progresses, to determine whether the issue has been resolved:

    1. $ oc get pods -w
  7. Review events within the namespace for diagnostic information relating to pod failures:

    1. $ oc get events

Inspecting pod and container logs

You can inspect pod and container logs for warnings and error messages related to explicit pod failures. Depending on policy and exit code, pod and container logs remain available after pods have been terminated.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

  • Your API service is still functional.

  • You have installed the OpenShift CLI (oc).

Procedure

  1. Query logs for a specific pod:

    1. $ oc logs <pod_name>
  2. Query logs for a specific container within a pod:

    1. $ oc logs <pod_name> -c <container_name>

    Logs retrieved using the preceding oc logs commands are composed of messages sent to stdout within pods or containers.

  3. Inspect logs contained in /var/log/ within a pod.

    1. List log files and subdirectories contained in /var/log within a pod:

      1. $ oc exec <pod_name> -- ls -alh /var/log

      Example output

      1. total 124K
      2. drwxr-xr-x. 1 root root 33 Aug 11 11:23 .
      3. drwxr-xr-x. 1 root root 28 Sep 6 2022 ..
      4. -rw-rw----. 1 root utmp 0 Jul 10 10:31 btmp
      5. -rw-r--r--. 1 root root 33K Jul 17 10:07 dnf.librepo.log
      6. -rw-r--r--. 1 root root 69K Jul 17 10:07 dnf.log
      7. -rw-r--r--. 1 root root 8.8K Jul 17 10:07 dnf.rpm.log
      8. -rw-r--r--. 1 root root 480 Jul 17 10:07 hawkey.log
      9. -rw-rw-r--. 1 root utmp 0 Jul 10 10:31 lastlog
      10. drwx------. 2 root root 23 Aug 11 11:14 openshift-apiserver
      11. drwx------. 2 root root 6 Jul 10 10:31 private
      12. drwxr-xr-x. 1 root root 22 Mar 9 08:05 rhsm
      13. -rw-rw-r--. 1 root utmp 0 Jul 10 10:31 wtmp
    2. Query a specific log file contained in /var/log within a pod:

      1. $ oc exec <pod_name> cat /var/log/<path_to_log>

      Example output

      1. 2023-07-10T10:29:38+0000 INFO --- logging initialized ---
      2. 2023-07-10T10:29:38+0000 DDEBUG timer: config: 13 ms
      3. 2023-07-10T10:29:38+0000 DEBUG Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, groups-manager, needs-restarting, playground, product-id, repoclosure, repodiff, repograph, repomanage, reposync, subscription-manager, uploadprofile
      4. 2023-07-10T10:29:38+0000 INFO Updating Subscription Management repositories.
      5. 2023-07-10T10:29:38+0000 INFO Unable to read consumer identity
      6. 2023-07-10T10:29:38+0000 INFO Subscription Manager is operating in container mode.
      7. 2023-07-10T10:29:38+0000 INFO
    3. List log files and subdirectories contained in /var/log within a specific container:

      1. $ oc exec <pod_name> -c <container_name> ls /var/log
    4. Query a specific log file contained in /var/log within a specific container:

      1. $ oc exec <pod_name> -c <container_name> cat /var/log/<path_to_log>

Accessing running pods

You can review running pods dynamically by opening a shell inside a pod or by gaining network access through port forwarding.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

  • Your API service is still functional.

  • You have installed the OpenShift CLI (oc).

Procedure

  1. Switch into the project that contains the pod you would like to access. This is necessary because the oc rsh command does not accept the -n namespace option:

    1. $ oc project <namespace>
  2. Start a remote shell into a pod:

    1. $ oc rsh <pod_name> (1)
    1If a pod has multiple containers, oc rsh defaults to the first container unless -c <container_name> is specified.
  3. Start a remote shell into a specific container within a pod:

    1. $ oc rsh -c <container_name> pod/<pod_name>
  4. Create a port forwarding session to a port on a pod:

    1. $ oc port-forward <pod_name> <host_port>:<pod_port> (1)
    1Enter Ctrl+C to cancel the port forwarding session.

Starting debug pods with root access

You can start a debug pod with root access, based on a problematic pod’s deployment or deployment configuration. Pod users typically run with non-root privileges, but running troubleshooting pods with temporary root privileges can be useful during issue investigation.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

  • Your API service is still functional.

  • You have installed the OpenShift CLI (oc).

Procedure

  1. Start a debug pod with root access, based on a deployment.

    1. Obtain a project’s deployment name:

      1. $ oc get deployment -n <project_name>
    2. Start a debug pod with root privileges, based on the deployment:

      1. $ oc debug deployment/my-deployment --as-root -n <project_name>
  2. Start a debug pod with root access, based on a deployment configuration.

    1. Obtain a project’s deployment configuration name:

      1. $ oc get deploymentconfigs -n <project_name>
    2. Start a debug pod with root privileges, based on the deployment configuration:

      1. $ oc debug deploymentconfig/my-deployment-configuration --as-root -n <project_name>

You can append — <command> to the preceding oc debug commands to run individual commands within a debug pod, instead of running an interactive shell.

Copying files to and from pods and containers

You can copy files to and from a pod to test configuration changes or gather diagnostic information.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

  • Your API service is still functional.

  • You have installed the OpenShift CLI (oc).

Procedure

  1. Copy a file to a pod:

    1. $ oc cp <local_path> <pod_name>:/<path> -c <container_name> (1)
    1The first container in a pod is selected if the -c option is not specified.
  2. Copy a file from a pod:

    1. $ oc cp <pod_name>:/<path> -c <container_name> <local_path> (1)
    1The first container in a pod is selected if the -c option is not specified.

    For oc cp to function, the tar binary must be available within the container.