Troubleshooting¶
There are two target platforms for OpenFaaS, and depending on which you are using, some of the instructions will differ.
faasd¶
The troubleshooting instructions for faasd are only available in the eBook and manual.
OpenFaaS on Kubernetes¶
Kubernetes is a complex distributed system, and there are many things that can cause friction for new OpenFaaS users. This guide is devoted to helping you help yourself.
If you want to ask for help, make sure that you have run all of the commands below before doing so.
The Config Checker¶
We recommend that all users run our automated config-checker tool which will help you to identify common problems with timeouts, function configuration and the core components. The tool is designed for OpenFaaS Standard and OpenFaaS for Enterprises, but should still give some useful output for OpenFaaS CE users.
If we've asked you to run the config-checker via email or Slack, then please also collect the logs and output from kubectl by running our openfaas-diagnostics.sh bash script. Send over the resulting openfaas.tgz file to our team.
OpenFaaS didn't start¶
Look for 0/1
, restarts or errors showing up here:
kubectl get deploy -n openfaas
Next, try to describe one of the deployments such as the gateway
:
kubectl describe -n openfaas deploy/gateway
Next, check the logs for the specific deployment that is failing to start:
kubectl logs -n openfaas deploy/gateway
Next, check the events in the openfaas namespace:
kubectl get events -n openfaas \
--sort-by=.metadata.creationTimestamp
Common issues:
- Have you forgotten to create the password required for the gateway?
- The gateway must be able to talk to nats and prometheus. If these are crashing, you probably have networking issues preventing containers from talking to each over or looking up each other over DNS.
- Have you got enough resources free in your cluster for all the services to start?
kubectl describe nodes
orkubectl top node
should give you some hints here.
My function isn't updating¶
Try using the faas-cli describe
command to check whether the function has been updated.
You can usually view the YAML from Kubernetes for a function with the kubectl get -n openfaas deploy/NAME
command, then check the logs for the two pods in the gateway and for events in the openfaas-fn namespace.
If you are still encountering problems, try publishing to a different image tag for each version of your function. For instance, if you are working on version 0.1.0
, try changing the tag to 0.1.1
or 0.1.0-a
and so forth.
My function didn't start¶
Look for 0/1
, restarts or errors showing up here:
kubectl get deploy -n openfaas-fn
Next, try to describe one of the deployments such as the nodeinfo
:
kubectl describe -n openfaas-fn deploy/nodeinfo
Next, check the logs for the specific deployment that is failing to start:
kubectl logs -n openfaas-fn deploy/nodeinfo
Next, check the events in the openfaas-fn namespace:
kubectl get events -n openfaas-fn \
--sort-by=.metadata.creationTimestamp
Common issues:
- You are using a private registry, but haven't configured any image pull secrets. See: Kubernetes deployment instructions
- You haven't created a secret which is required for your function to start. Check your function request or stack.yml, and create any missing secrets.
- Your function is crashing due to an error in your code, check the logs.
My Function Custom Resource had an error, now it's taking too long to recover¶
If you create a Function Custom Resource that is in an invalid state due to a missing Secret, invalid requests/limits, or some other parsing or validation error, then the .Status will will go into a "stalled" condition.
You can view conditions by running kubectl describe -n openfaas-fn function/nodeinfo
for instance.
Every time the Operator tries to reconcile the Function, it will fail, and then wait for a back-off period before trying again. This is standard behaviour for Kubernetes controllers, in order to prevent a misconfigured resource from blocking or crashing the system.
If you have fixed the error condition by changing the Function's .Spec, then the operator will immediately try to reconcile the Function again, resetting the back-off period at the same time.
However, if the .Spec has not changed, and instead some other condition like a missing Secret is now satisfied, you can either wait until the next back-off period, or you can annotate the Function to force the Operator to try again:
kubectl annotate -n openfaas-fn function/nodeinfo \
--overwrite \
com.openfaas.uid=1
The value of the uid
field can be any value, if you want to force the Operator to try and you already have a value here, then you can just change it to a different value, i.e. 2
or a random string like a UUID.
Is my function's name too long?¶
When using OpenFaaS Standard or OpenFaaS for Enterprises along with the Function CRD, a function's name can be no longer than 63 characters. This is due to a limitation on the length of label selectors within Kubernetes.
If you need longer names for the sake of organisation, then consider using namespaces to partition your functions.
For example:
project-skunkworks-long-function-name
could be shortened to long-function-name
, and then placed in the project-skunkworks
namespace, effectively going longer than the 63 character limit for organisation.
OpenFaaS namespaces are available in faasd and OpenFaaS for Enterprises.
My function is timing out¶
Check the logs of the gateway for signs of a time-out, or non-200 HTTP code:
kubectl logs -n openfaas deploy/gateway -c gateway
Do the same for the provider:
kubectl logs -n openfaas deploy/gateway -c faas-netes
# Or, if you are using the CRD and Operator:
kubectl logs -n openfaas deploy/gateway -c operator
If your function is timing out and you are calling it asynchronously, then check the queue-worker's logs:
kubectl logs -n openfaas deploy/queue-worker
Check the logs of the function
faas-cli logs NAME
Common issues:
- You are using a service mesh, and therefore must set
direct_functions
totrue
so that the gateway uses the name of the function to resolve it - You have not configured a high enough timeout on all the required components. See Expanded timeouts
- You are trying to access the gateway from your function, you must use the string
http://gateway.openfaas:8080
, otherwise it will be unreachable to you. - Your cloud LoadBalancer may have a timeout set of 60 seconds, which could prevent your call from executing successfully, consider increasing the timeout if you can, or execute the function asynchronously.
The queue-worker keeps retrying my function¶
If the queue-worker keeps retrying your function check if ack_wait
is set to a high enough timeout. It should be set to a value higher than your functions timeout.
My function gets a nil or empty body¶
If the body of the HTTP request is empty, the chances are that you are not setting a "Content-type" header in your request to the function.
For example:
curl -s -i http://127.0.0.1:8080/function/node-tester \
-H "Content-type: application/json" \
--data-binary '{"employeeID": 10}'
Some legacy HTTP servers such as WSGI do not supported the default "chunked" transfer encoding. In this case, if you're using the of-watchdog, you should set the environment variable of http_buffer_req_body: true
. This causes the HTTP request to be buffered in memory, then sent in one shot to the upstream function.
My function takes too long to start up¶
Your function is failing because it takes too long to start-up.
- Learn how to configure a custom HTTP health-check that you can respond to from your function
- Learn how to extend the window between your function starting, and its initial health-check run
I want to test my function without deploying it¶
You can usually do one of the following:
- Use unit-testing in the language of your choice (fastest)
- Use
faas-cli build
followed bydocker run
(easy) - Try hot-reloading with docker-compose (advanced)
Example:
faas-cli new --lang go test-this
faas-cli build -f test-this.yml
docker run -p 8081:8080 \
--rm \
--name test-this \
-ti test-this:latest
Then invoke your function via http://127.0.0.1:8081
.
If you need to set environment variable, or to simulate secrets being mounted, you can do so with --env/-e
and -v
to simulate mounting secrets at /var/openfaas/secrets
.
I am getting an incorrect password error or authorized access¶
If you're using ArgoCD to install OpenFaaS, then it may be changing the password continually whenever it synchronises the app that you created. Make sure you turn off the "generateBasicAuth" setting in values.yaml or the flags you pass.
Create a password for the admin user before you create the ArgoCD App.
kubectl create secret generic basic-auth \
-n openfaas \
--from-literal basic-auth-user=admin \
--from-literal basic-auth-password=$(openssl rand -base64 32)
If you're not an ArgoCD user, make sure that nobody has has reinstalled OpenFaaS, and then check the below on "I forgot my credentials"
In the worst case, restart all the components to force them to reload the password from the Kubernetes secret: kubectl rollout restart -n openfaas deploy
I forgot my credentials for the gateway¶
Download arkade.
Now run the following command which will give you the commands you require to retrieve your password.
arkade info openfaas
Alternatively, consider using the Single-Sign On module from OpenFaaS Pro.
How do I call one function from another?¶
See the notes on the asynchronous invocations page under: Making an asynchronous call from another function
Can I manage functions via kubectl?¶
Yes using the Function Custom Resource: Learn how to manage your functions with kubectl
This is required for Flux or ArgoCD. It also lets you deploy functions via Helm.
How to I manage different environments like staging and production?¶
OpenFaaS supports both multiple-namespaces and multiple configuration files for functions. Learn more: Configure your OpenFaaS functions for staging and production
Does OpenFaaS support multi-tenancy?¶
Yes, if configured correctly. Call us to find out more
Traffic is not being spread evenly between functions¶
You will need to ensure that you are doing one of the following:
- Setting
direct_functions
tofalse
, which allows the provider to balance calls randomly between replicas of your functions. - Use a service mesh like Linkerd or Istio, which can do advanced traffic-management such as least-connections
I'm not seeing CPU or RAM data for functions in Grafana with OpenFaaS Pro¶
You can find the dashboard JSON files in the Customer GitHub. Check that you have the latest version of the dashboard. Sometimes Grafana makes breaking changes in its schema between versions, so edit the panels and check the PromQL statements are present. If they are missing, edit the JSON file in a text editor to retrieve the queries.
You may also want to check that your data source is set to the internal OpenFaaS Prometheus instance.
Finally, check that you've installed the OpenFaaS Pro Helm chart with the ClusterRole setting. This is required to access each node in the cluster to retrieve Pod CPU and RAM usage metrics.
How can I use structured logs in my function?¶
By default, the logs will be in the format
<RFC8601 Timestamp> <function name> (<container instance>) <msg>
By setting the environment variable prefix_logs
to false
in your function, this will only send the <msg>
part to the terminal. This allows you to use structured logs that outputs a JSON (or equivalent) payload.
See the Logs documentation for more details.
How do I rotate or change a secret that my function is already using?¶
With either Kubernetes or faasd, you can delete the secret and create it with the new value. Kubernetes also allows you to edit the secret's value using kubectl
, without deleting it.
Then, with Kubernetes, the secret will be updated on disk without needing to restart the Pod. This change could take several minutes before it reflects.
See also: Automatic secret updates in Kubernetes
Example:
faas-cli secret create username \
--from-literal alex
faas-cli store deploy alpine \
--secret username \
--env fprocess="cat /var/openfaas/secrets/username" \
--name print-secret
echo | faas-cli invoke --name print-secret
alex
Then:
faas-cli secret remove username
faas-cli secret create username \
--from-literal ellis
# Wait a few minutes
echo | faas-cli invoke --name print-secret
ellis
If your handler reads and caches the password in memory, then you'll also need to restart the function's Pod:
kubectl rollout restart -n openfaas-fn \
deploy/print-secret
I want to remove OpenFaaS from a cluster¶
See the Helm chart instructions