Steps to manually collect heap dump of nsx-config container in support bundle
Article ID: 388450
Updated On:
Products
VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention
Issue/Introduction
When nsx-config container is OOMKilled, heap dump is not getting created.
Environment
SSP 5.0
Cause
Some of the reasons for heap dump not getting created are
- Container inside the
nsx-configpod reaches memory limit before java process running inside it reaching the-Xmxlimit and kubernetes kills container leaving heap dump not created. - Due to resource exhaustion(like CPU, memory and other system limits), if the container fails to respond for liveness probe, Kubernetes will restart the container.
- Even if proper
jvmOptionsare defined for heap dump creation in OutOfMemory scenarios, if the container is terminated by Kubernetes too quickly after the OOM event, the heap dump process may not be triggered. - Generating a heap dump requires enough free disk space on worker node's ephemeral disk. If the disk is full or nearly full, the JVM may fail to write the heap dump, even if it’s configured to do so. As the
-Xmxof containers in podsnsx-config-0-0andnsx-config-1-0are3750Mand1500Mrespectively, we need5.7GBand2.3GBrespectively. heap dump size would be 1-1.5x of the defined-Xmx.
Resolution
In scenarios where heap dump is not created automatically, below steps need to be followed to create heap dump manually to collect in support bundle. These steps need to be executed in SSPI VM.
- Output of the healthy
nsx-configpods.
k -n nsxi-platform get pods | grep nsx-confignsx-config-0-0 2/2 Running 0 128mnsx-config-1-0 2/2 Running 0 127mnsx-config-create-kafka-topic-6x729 0/1 Completed 0 3h50mnsx-config-postgres-ids-signature-purge-cronjob-28992960-p972d 0/1 Completed 0 164m
- Output of the unhealthy
nsx-configpods.
k -n nsxi-platform get pods | grep nsx-confignsx-config-0-0 1/2 CrashLoopBackOff 12 (14s ago) 6h27mnsx-config-1-0 2/2 Running 0 6h21mnsx-config-create-kafka-topic-j6lmg. 0/1 Completed 0 6h27mk -n nsxi-platform describe pod nsx-config-0-0Ports: 8080/TCP, 8443/TCPHost Ports: 0/TCP, 0/TCPState: RunningStarted: Thu, 21 Nov 2024 17:28:42 +0000Last State: TerminatedReason: OOMKilledExit Code: 137Started: Thu, 21 Nov 2024 17:26:50 +0000Finished: Thu, 21 Nov 2024 17:28:25 +0000Ready: TrueRestart Count: 2Limits:
- If
nsx-config-0-0pod is having memory issue, execute the below steps below to collect heap dump insidensx-configcontainer of pod.
> exec intonsx-configcontainer ofnsx-config-0-0pod.
> get the PID of the java process running inside the container.root@sspi:~# k exec -it -n nsxi-platform nsx-config-0-0 -c nsx-config -- /bin/bashgroups: cannot find name for group ID 2000nsx-user@nsx-config-0-0:/
> Create the heap dump manually by executing below command. Ensure the same path "nsx-user@nsx-config-0-0:/$ pgrep -f nsx-config7/var/dump/pace" is used to collect the heap dump in support bundle.
>jmap -dump:live,file=/var/dump/pace/<heap_dump_file_name> <PID>
>heap_dump_file_nameis the file name with which heap dump is created. Below is the example,
nsx-user@nsx-config-0-0:/$ jmap -dump:live,file=/var/dump/pace/nsx-config-0.hprof 7Dumping heap to /var/dump/pace/nsx-config-0.hprof ...Heap dump file created [129548512 bytes in 0.868 secs] - Next when creating a support bundle from UI, make sure analytics and Include core files and audit logs options are selected. when a support bundle for SSP is created, heap dump will be found inside it with name having prefix core- to the heap_dump_file_name given above. Like core-nsx-config-0.hprof will be present in the support bundle.
- Execute the below steps, in case the UI is not accessible for any reason. These steps need to be executed outside SSPI, any Linux VM with connectivity to SSP.
> API to collect support bundle.
> API to check the status of support bundle. check the status and wait till status is success("status": "success").curl -sku admin:<PASSWORD> -X POST 'https://<SSP FQDN>:443/ssp/cluster-api/support-bundle/collection?action=collect' -H "Content-Type: application/json" -d '{"dynamic_content_filters":["DATA_STORAGE","CONFIGURATION_DATABASE","METRICS","ANALYTICS","MESSAGING","PLATFORM_SERVICES"],"log_age_limit":7,"content_filters":["ALL"]}'Response:{"failed_nodes": null,"remaining_nodes": [{"node_display_name": "ssp","node_id": "ed5af649-2ba2-484b-8d5e-284fa7a79559","status": "running"}],"remoteTaskID": "937","request_properties": {},"status": "running","success_nodes": null}
> API to download support bundle.curl -sku admin:<PASSWORD> -X GET 'https://<SSP FQDN>:443/ssp/cluster-api/support-bundle/status/<remoteTaskID from collect API response>'Response:{"details": {"failed_nodes": [],"remaining_nodes": [{"node_display_name": "ssp","node_id": "ed5af649-2ba2-484b-8d5e-284fa7a79559","status": "running"}],"success_nodes": []},"request_properties": {"content_filters": ["ALL"],"dynamic_content_filters": ["DATA_STORAGE","CONFIGURATION_DATABASE","METRICS","ANALYTICS","MESSAGING","PLATFORM_SERVICES"],"log_age_limit": 7},"status": "running" <<status field>}
> Verify, it is downloaded.curl -sku admin:<PASSWORD> -X GET 'https://<SSP FQDN>:443/ssp/cluster-api/support-bundle/response/<remoteTaskIDfrom collect API response>' --output ssp.tar.gz
[root@lvn-dvm-10-70-180-45 ~]# ls -lrt ssp*-rw-r--r-- 1 root root 1493202767 Feb 14 18:05 ssp.tar.gz
Additional Information
Note:
- To make sure the process has enough memory to create heap dump, edit nsx-config stateful set and change memory limits. Increase the memory limit by 1GB in the pod having issue.
Example:kubectl -n nsxi-platform edit sts nsx-config-0
For nsx-config-0 stateful set
resources:limits:memory: 6000Mi
- After collecting heap dump in support bundle, remove the heap dump files created from the ephemeral storage
kubectl exec -it -n nsxi-platform nsx-config-0-0 -c nsx-config -- /bin/bashcd /var/dump/pace - remove all files here.
Feedback
Yes
No
Powered by
