Scaling Containers on Modern CPUs: Addressing Mount Lock Contention

Containerization has become a cornerstone of modern cloud computing, enabling efficient resource utilization and rapid application deployment. In large-scale environments like Netflix, where millions of users expect uninterrupted streaming, the efficient scaling of containers is a mission-critical task. However, as Netflix transitioned to a modernized container runtime, it encountered an unexpected bottleneck tied directly to CPU architecture and mount lock contention. This article delves into the technical challenges faced and the solutions implemented to overcome them.

Understanding the Problem: Scaling and CPU Bottlenecks

Netflix's container scaling process involves dynamically allocating server resources to meet fluctuating application demands. When a new server instance is provisioned, its resources are rapidly allocated by assigning pods to the node. This process, while appearing seamless to users, revealed critical performance issues during its deployment on modern r5metal instances. Specifically, nodes experienced stalling, with health checks timing out after 30 seconds, rendering the system temporarily unresponsive.

Initial diagnostics pointed to a dramatic increase in the length of the mount table during peak container creation periods. The issue was compounded by systemd's inability to process mount events efficiently, leading to complete system lockups. Further analysis indicated that the problems were rooted in the interaction between containerd and the kernel's virtual file system (VFS), particularly during mount and unmount operations.

The crux of the issue revolved around how container images with numerous layers were processed. Each layer required multiple operations, including id mapping, bind mounting, and overlay file system (overlayfs) assembly, all of which relied on acquiring kernel-level locks. When hundreds of containers were started simultaneously, the cumulative lock contention overwhelmed the system, manifesting as severe delays and failures.

Analyzing the Mount Lock Contention Issue

The bottleneck was traced to the sequence of system calls executed by containerd during container initialization. Each container image layer demanded a series of operations: opening a reference to the layer directory, applying id mappings to adjust ownership, and creating bind mounts for the overlayfs root filesystem. These operations were repeated twice per container-once to extract user information and again to construct the final root filesystem.

For instance, starting 100 containers, each with 50 layers, required approximately 20,200 mount-related operations. Each operation involved acquiring global locks within the kernel VFS, creating significant contention as multiple CPUs attempted to perform these tasks simultaneously. Flamegraph analysis highlighted that the majority of the processing time was consumed by locking mechanisms, particularly during the mount and unmount phases.

This lock contention was further exacerbated by the need to clean up temporary bind mounts after the overlayfs root filesystem was created. The sheer volume of operations, combined with the locking requirements, created a cascading effect that crippled node performance under heavy load.

Impact of Mount Table Growth and System Lockups

The rapid growth of the mount table during container creation exacerbated the bottleneck. As more containers were initialized, the mount table expanded, making it increasingly time-consuming for systemd and containerd to process mount events. This led to timeouts and, in extreme cases, complete system unavailability.

Additionally, the frequent timeouts in kubelet's communication with containerd further destabilized the system. Kubelet, responsible for managing container lifecycles, relied on timely responses to maintain node health. The delays in processing mount operations disrupted this communication, triggering cascading failures across the container orchestration framework.

The reliance on r5metal instances, with their specific CPU architecture, brought these issues to the forefront. The interaction between containerd's mount logic and the kernel's locking mechanisms proved particularly problematic on this hardware, necessitating a deeper examination of underlying architectural constraints.

Technical Insights from Flamegraph Analysis

Flamegraph analysis provided critical insights into the root cause of the bottleneck. The visualization revealed that containerd spent the majority of its time attempting to acquire kernel-level locks during mount-related activities. These locks, which are global within the kernel VFS, became a significant point of contention when multiple containers were initialized simultaneously.

Key operations contributing to the contention included opentree for directory references, mount_setattr for id mapping, and move_mount for creating bind mounts. The repeated invocation of these operations for each container layer amplified the contention, particularly on nodes with high-density container deployments.

Overlayfs assembly, while efficient for creating container root filesystems, added to the complexity. The process of constructing the overlayfs required multiple bind mounts to be created and subsequently cleaned up, further straining the kernel's locking mechanisms. These insights underscored the need for optimizations at both the container runtime and kernel levels.

Lessons Learned and Future Considerations

The challenges faced by Netflix in scaling containers on modern CPUs highlight the importance of addressing bottlenecks at the intersection of software and hardware. The reliance on global locks within the kernel VFS emerged as a critical limitation, necessitating architectural improvements to support high-density container deployments.

Future efforts may focus on optimizing containerd's mount logic to reduce the frequency and duration of locking operations. This could involve batching mount-related tasks, rearchitecting overlayfs assembly, or exploring alternative approaches to id mapping and bind mount creation. Additionally, collaboration with kernel developers to address VFS lock contention at the source could yield long-term benefits for the broader container ecosystem.

Ultimately, the lessons learned from this experience underscore the complexity of operating at scale. By identifying and addressing these challenges, Netflix continues to push the boundaries of containerization, ensuring a seamless streaming experience for its global audience.