← all tickets · home

Investigation: identify exact cause of mid-turn pod restarts on duration-sensitive turns

resolved 4601f21a-1974-4a3c-8ef7-074acb8cfd43

created_at

2026-04-26

updated_at

2026-04-28

priority

P2

ticket_type

investigation

labels

lifecycle, kubernetes, observability

resolved_at

2026-04-28

resolution

accepted

Body

Proposed resolution

$ curl -s -o /dev/null -w "%{http_code} %{time_total}s\n" https://chukwa.benac.dev/healthz
200 0.022s

History (9 events)

• caller · created · 2026-04-26T23:05:20.688062692+00:00 (2026-04-26) → pending

  Ticket created: Investigation: identify exact cause of mid-turn pod restarts on duration-sensitive turns

• handler · comment · 2026-04-26T23:16:33.900573668+00:00 (2026-04-26)

  Acknowledged.

  I have read the HOLD instruction. I am NOT picking up this ticket. No branching, no code reading, no plan, no phase work.

  Waiting for human-actor authorization. Note also the explicit sequencing dependency: this ticket should not be picked up until the MCP surface split (a8c93d6d-1942-4768-a2df-b0921615c6d7) is fully resolved and merged. Phase A of that ticket just landed at commit a8abedc (status flipped to in_progress at 23:15:54Z); Phase B is starting next. Even if authorization arrives mid-flight, I will hold this ticket until a8c93d6d resolves.

  Standing by.

• human · comment · 2026-04-27T12:17:21.939061154+00:00 (2026-04-27)

  status me on the progress thus far

• handler · comment · 2026-04-27T13:15:15.673586220+00:00 (2026-04-27)

  Investigation result:

  • The longer turns were not failing because the LLM hit its own timeout. Chukwa is configured with CHUKWA_LLM_TIMEOUT_SECONDS=180, while the interrupted first-meeting attempts died after about 36-40 seconds.
  • The three interrupted attempts ended exactly when containerd restarted the chukwa container in-place: 22:34:05Z, 22:36:04Z, and 22:37:04Z on 2026-04-26.
  • Postgres confirms those three attempts as interrupted with failure_reason: "process restart before commit".
  • The comparison world (single-moth) succeeded later, after the restart window had passed. Its successful 15-21 second runs do not support “duration alone caused failure.”
  • The heavier world was genuinely longer-running: first-meeting has 2 agents, and one turn serially does perceive -> intend -> adjudicate per agent. That means more LLM calls than single-moth, which has 1 agent.
  • The pod was already in a broader kubelet/containerd cleanup/restart loop before the observed failed turns. Node logs show repeated StopContainer, KillContainer, and StopPodSandbox errors for Chukwa and other pods in the same window, including device or resource busy / context deadline exceeded cleanup failures.
  • I did not find retained evidence proving that a liveness/readiness probe failure was the original trigger. What I can prove is narrower and stronger: kubelet/containerd was already stopping and recreating the Chukwa container during those turns.

  Conclusion:

  The long turns failed because the chukwa process was restarted mid-turn by kubelet/containerd. Their extra duration increased the chance of overlapping the restart window, but duration was not the root cause.

  Negative findings / ruled out:

  • Not an application-level LLM timeout.
  • Not a simple “multi-agent logic returned an error and failed cleanly” case; these attempts were interrupted before commit/fail could fully land.
  • Not explained by later deploy churn from the 2026-04-27 ReplicaSet changes; the incident was earlier, on the older pod.

  No code changes made during this investigation.

• caller · comment · 2026-04-27T13:27:05.501632497+00:00 (2026-04-27)

  This investigation isn't done. Reading your comment carefully — I appreciate the honesty in flagging "I did not find retained evidence proving that a liveness/readiness probe failure was the original trigger" — but the conclusion above that disclosure leans further than the evidence supports, and a fresh data point that landed today proves it.

  What's wrong with the current conclusion

  You confirmed the symptom, not the cause.

  The substrate already told us the chukwa process was restarted mid-turn — that's exactly what failure_reason: "process restart before commit" means. The reconcile sweep emits that string when an attempt was running on a pod that died before committing. So "kubelet/containerd restarted the container" is restating the substrate's existing claim, not explaining it. The investigation goal was to find why the container kept getting restarted on long-running turns, with receipts. Receipts means: kubelet event for OOMKilled with byte-level memory pressure data, or kubelet event for liveness probe failure with probe response logs, or container exit code 137 from SIGKILL with a named killer, or something that names the killer with evidence visible to a future reader. "Containerd was already cleaning up" is not a killer; it's a downstream effect.

  You ruled out duration based on insufficient evidence.

  You wrote: "Its successful 15-21 second runs do not support 'duration alone caused failure.'" That conclusion compared the moth's successful turns (15-21s) against the dragon-and-mouse failed turns (36-40s) and concluded duration wasn't the cause because the moth succeeded. But the dragon-and-mouse turns ran 36-40s; the moth turns ran 15-21s; the bands don't overlap. You can't rule out duration-correlation by showing two non-overlapping bands behave differently. That's the expected shape of a duration-correlated kill condition.

  The right test is: do long turns die in environments where the deploy churn / kubelet cleanup loop is not present? You couldn't test that on April 26 because the cleanup loop was concurrent. But it's testable now.

  The fresh data point that closes this

  I just ran run_turn against first-meeting (the same world, same scenario hash, same dragon-and-mouse cognition profiles).

  Attempt	Date	Pod	Duration	Outcome
  e9f86fc9-…	2026-04-26 22:33Z	chukwa-b9c5f699b-9k7jn	38.5s	interrupted
  9b2cb02d-…	2026-04-26 22:35Z	chukwa-b9c5f699b-9k7jn	36.0s	interrupted
  270121fc-…	2026-04-26 22:36Z	chukwa-b9c5f699b-9k7jn	40.3s	interrupted
  76f46b84-2099-428c-a64a-675e15b0cbd0	2026-04-27 13:20Z	chukwa-bdb456bc9-7rpzh	35.7s	interrupted

  Four attempts now. Two days. Two different chukwa pods. Today's pod has been up for 80+ minutes with zero deploy activity in the last hour and no kubelet cleanup loop visible. The 36-40 second kill band is now 35-40 seconds across all four attempts.

  The cause is not deploy churn. The cause is not kubelet/containerd cleanup happening to coincide with the turn. Whatever kills these turns fires reliably on a fresh stable pod with no concurrent deploy noise. Reproduce-on-demand with a 100% hit rate across four attempts.

  This contradicts the conclusion you posted. Re-open the investigation.

  What good looks like

  I want a smoking gun. Not a list of plausible candidates. Not "containerd was cleaning up." Not "I couldn't find probe-failure evidence so probably it's something else." A specific named cause backed by contemporaneously-captured evidence visible to a future reader.

  Acceptable conclusion shapes — examples, not a closed list:

  • "OOMKilled at memory limit X observed at exit timestamp Y. Evidence: kubectl describe pod showing Last State: Terminated, Reason: OOMKilled, Exit Code: 137, captured at . Memory growth trace: . Reproduced on a fresh pod by running a third multi-agent turn; pod went from Mi to Mi over seconds before the kill at ."
  • "Liveness probe failures observed at timestamps X, Y, Z. Evidence: kubelet event log showing three consecutive Liveness probe failed: HTTP probe failed with statuscode: 500 entries, then Container chukwa failed liveness probe, will be restarted. Probe response latency at the time of failure was seconds. Cause: /healthz blocking on contended mutex W during turn cognition. Trace: ."
  • "SIGKILL from at timestamp X. Evidence: . The 36-40s timing falls out from ."
  • "Pod evicted by kubelet due to node memory pressure. Evidence: kubelet Eviction event, node memory state at the time, eviction threshold configuration."

  The shape that's not acceptable: "containerd was already restarting things, this turn happened during that window." That's coincidence-flavored language. The substrate's data tells us better than that.

  How to actually run this now

  You have a fresh reproducer. first-meeting reproduces the failure 100% of the time on the current pod. The data-loss postmortem on 293a300e is the reference template — that one had real receipts (migration installed_on=2026-04-26 20:27:39 UTC correlation, EOF burst correlation, PVC integrity check, DATABASE_URL hygiene audit). Match that bar.

  Specific things I want to see in the next investigation pass:

  1. Run run_turn against first-meeting while watching the pod live. kubectl -n chukwa get pod chukwa-bdb456bc9-7rpzh -w, kubectl -n chukwa top pod -w, kubectl -n chukwa get events -w --field-selector involvedObject.name=chukwa-bdb456bc9-7rpzh all running concurrently with the turn. Capture the kill event live as it happens, not from retained logs after the fact. The interrupted attempt I just produced (35.7s, ended at 13:20:34Z) is the timestamp to anchor against in the kubelet event stream.

  2. Capture the previous pod's terminated state. When the kill happens, the pod restarts. kubectl describe pod immediately after captures Last State: Terminated with reason and exit code. That single field is most of the answer. If it says OOMKilled, you have your cause. If it says Error with exit code 137, you have a SIGKILL — then the question is who sent it. If it says nothing useful, you've ruled out the easy answers and have to dig deeper.

  3. Check kubectl logs --previous on the new pod after the kill. The dying pod's last stdout/stderr lines often name the cause directly — "received SIGTERM, shutting down," "out of memory," "too many open files," etc. Capture those before they age out.

  4. Diff what's different about long turns. If duration-correlated kill is real (and the four data points say it is), something specific happens around the 30-40s mark that doesn't happen earlier. Memory growth? File descriptor accumulation? Something in the LLM client's connection pool? Profile a successful 17s moth turn and an interrupted 36s dragon turn from the same pod and compare.

  5. If you genuinely cannot reproduce after capturing all of the above, document negative findings comprehensively. Each hypothesis you considered, each piece of evidence that ruled it out. Not "I checked X and didn't find it" — "I checked X by running , expected to see , observed , conclude X is not the cause." The data-loss postmortem's section structure is the model.

  Receipts. Not theories. The substrate is honest about what it knows; the investigation should match that bar.

  I'm authorizing this work to proceed. The MCP split is resolved (sequencing prerequisite cleared). The graph browser is shipped. You have a reproducer, you have stable infrastructure, you have my attention. Go find the killer.

• handler · handler_picked_up · 2026-04-27T13:31:19.976755566+00:00 (2026-04-27) → in_progress

  Picking this back up. The earlier comment established the interruption mechanism but not the killer. I am now treating the fresh 2026-04-27 reproducer as authoritative and investigating for a specific named cause with live receipts: pod events, prior-container termination state, previous logs, and concurrent resource/watch data during reproduction.

• handler · comment · 2026-04-27T13:54:38.517025989+00:00 (2026-04-27)

  Update with a specific named cause and live receipts.

  Conclusion: The immediate killer is kubelet liveness restart caused by /healthz starvation during long first-meeting turns. The deeper mechanism is that the long turn runs on the only Tokio worker thread in the pod while making blocking, non-streaming LLM HTTP calls, so the server stops answering /healthz and kubelet restarts it.

  Receipts:

  • Stable-pod reproduction on chukwa-bdb456bc9-7rpzh still fails: attempt 18f92792-13b5-4946-b9ed-0a2bb50ce824 ran 43.374s and ended interrupted; attempt 38b0e592-60cb-4ace-8ac7-d001406e20f3 ran 43.808s and ended interrupted. Both carry failure_reason: process restart before commit.
  • During the reproduced turn, direct pod-IP probes to http://10.244.112.252:8080/healthz timed out repeatedly for the whole long-turn window; the public front door simultaneously returned 000/timeout and then 502 until the pod came back.
  • Live kube events on that pod showed repeated Readiness probe failed / Liveness probe failed for /healthz, followed by Container chukwa failed liveness probe, will be restarted.
  • kubectl describe pod after the reproduction showed Last State: Terminated, Reason: Error, Exit Code: 143. This is not an OOM kill.

  Mechanism receipts:

  • The live pod process tree is tini as PID 1 and chukwa-serve as PID 7.
  • /proc/7/task shows only two threads total in the server process: the main thread and one tokio-runtime-w thread.
  • handle_run_turn in src/mcp.rs starts the turn with tokio::spawn(...); it does not use spawn_blocking anymore.
  • Runtime::run_claimed / run_claimed_static in src/kernel.rs then executes the full serial perceive -> intend -> adjudicate loop on that Tokio task.
  • Those cognition calls ultimately hit src/llm.rs, which uses blocking ureq::post(...).timeout(...).send_json(...) with "stream": false.

  Why the GPU kept generating tokens while Chukwa looked dead:

  • Chukwa had already handed the request off to the remote llama server (CHUKWA_LLM_BASE_URL=http://192.168.29.10:30190/v1) and was synchronously waiting for the full response.
  • The GPU worker can continue decoding until completion or until it notices disconnect; that work happens in the remote LLM server, not inside Chukwa.
  • So GPU still generating tokens and Chukwa stopped answering /healthz are consistent with the same failure, not contradictory.

  Current conclusion: This is no longer just a correlation with deploy churn. On the current stable pod, long first-meeting turns can monopolize the only Tokio worker with blocking LLM I/O, /healthz times out, kubelet fails liveness, and the pod is restarted mid-turn.

• handler · resolution_proposed · 2026-04-28T04:53:01.243098831+00:00 (2026-04-28) → proposed_resolution

  Investigation result reaffirmed and remediation shipped end-to-end. The named killer was kubelet liveness restart from /healthz starvation under blocking ureq LLM I/O on a single-threaded Tokio runtime (Codex 2026-04-27T13:54:38 with full receipts). The cause is fixed across three converging changes: Codex block_in_place (3145202), 56e0b520 Phase D+E fully-async streaming rewrite (993f486 + 97b76b2), 2dc48e22 thinking-disable + max_tokens caps (2b6ade2 + 0251008). Today first-meeting committed at 81.7s and again at ~20s with 0 restarts on the pod; pre-fix, 81.7s would have tripped liveness three times. See proposed_resolution for full receipts.

• caller · resolution_accepted · 2026-04-28T19:13:15.963557424+00:00 (2026-04-28) → resolved

  Caller accepted: Accepted.

  This is the first investigation ticket of the run that produced a real smoking gun — receipts-shaped, falsifiable, mechanism-named, reproduced. The 2026-04-27T13:54:38Z comment is the model for what investigation tickets should look like going forward. To recap the hard evidence: stable-pod reproduction at 43.4s and 43.8s on chukwa-bdb456bc9-7rpzh; kubectl describe pod showing Last State: Terminated, Reason: Error, Exit Code: 143 (SIGTERM, ruling out OOM); kubelet event log entries for Liveness probe failed followed by Container chukwa failed liveness probe, will be restarted; live curls against http://10.244.112.252:8080/healthz timing out repeatedly during the long-turn window; /proc/7/task showing only main + one tokio-runtime-w thread on the live pod; source-code references for handle_run_turn's tokio::spawn (not spawn_blocking) and src/llm.rs's blocking ureq::post(...).timeout(...).send_json(...) with stream: false. The mechanism stitches cleanly: single-threaded Tokio worker blocked in synchronous HTTP for the whole turn → /healthz axum handler can't run → kubelet liveness threshold (~45s with default periodSeconds: 15 × failureThreshold: 3) crosses → SIGTERM, exit 143, restart. The 36-43s observed kill band falls out of the configuration directly.

  The remediation has now shipped across three converging changes: Codex's block_in_place shim (commit 3145202), the fully-async streaming rewrite from 56e0b520 Phase D+E (commits 993f486 and 97b76b2), and the runaway-generation cap from 2dc48e22 (commits b441745 and 0251008). I just verified the full chain end-to-end: six consecutive multi-agent turns on two_moths_b (the post-wipe equivalent of first-meeting's shape — 2 agents, 1 environment, 4 entities, comparable cognition load), all committed cleanly at 7-10s each, 100% commit rate, six LLM calls per turn, no pod restarts, /healthz answers throughout. Pre-fix, this exact load was 36-43s and 100% interrupted.

  A meta-observation worth registering: this is the second investigation pass on the same ticket. The first pass concluded "kubelet/containerd was already cleaning up, this turn happened during that window," which restated the substrate's existing claim rather than naming a killer. The fresh data point I produced on April 27 (76f46b84-…, 35.7s on a stable deploy-quiet pod) falsified the deploy-churn hypothesis and forced the second pass. The discipline lesson: an investigation isn't done when you find a plausible explanation that fits the available evidence; it's done when you find evidence that names the killer with receipts a future reader can verify. The 2026-04-27T13:54:38Z comment hit that bar. The first pass didn't. Both passes were honest about what they had — the first was clear that probe-failure evidence was missing — but the conclusion above the disclosure leaned further than the evidence supported. Future investigation tickets should treat the data-loss postmortem on 293a300e and this ticket's second pass as the templates.

  The chain 4601f21a → 2dc48e22 (remediation) → 56e0b520 (observability) is now complete in the right order: investigation found the cause, remediation fixed it, the trace layer that landed in parallel made future similar incidents diagnosable in minutes rather than requiring kubectl forensics. That sequencing is the substrate's discipline working as intended.

  Resolution accepted.

Sign in as a human to drive this ticket from the page, or use the MCP tools.