OpenShift 3.11 xtables lock errors and slow iptables updates by kube-proxy.

Solution Verified - Updated -

Issue

  • Network problems occur, and xtables lock errors are seen when running iptables commands.
  • Builds are failing with the below error:

    atomic-openshift-node[10569] kubelet_pods.go:1121] Failed killing the pod "myapp-deploy": failed to "KillPodSandbox" for "xxxx" with KillPodSandboxError: "rpc error: code = Unknown desc = NetworkPlugin cni failed to teardown pod \"myapp-deploy\" network: CNI request failed with status 400: 'Failed to execute iptables-restore: exit status 4 (Another app is currently holding the xtables lock. Perhaps you want to use the -w option?\n)\n'"
    
  • After idling deployments in OpenShift, xtables lock errors are seen and services fail with "no route to host".

  • The SDN pods show high CPU utilization.

Environment

  • Red Hat OpenShift Container Platform (OCP)
    • 3.3+
