Troubleshooting Containers: Logs, Events, Connectivity

The triage hierarchy

Common failure patterns and what they mean

The six patterns that cover most container failures on Azure.

Feature	Symptom	Likely cause	First thing to check
ImagePullBackOff (AKS) / pull failed (Container Apps)	No permission, wrong tag, registry unreachable	Did the kubelet/managed identity get AcrPull? Is the tag spelt right?
CrashLoopBackOff	Container starts then exits with non-zero code	kubectl logs --previous, or `az containerapp logs show --previous`
OOMKilled (exit code 137)	Container exceeded memory limit	Bump `resources.limits.memory`, or fix the leak
Liveness probe failing	Probe path returns non-2xx	Try the probe URL from inside the pod with curl
ContainerCannotRun / exec format error	Wrong CPU architecture (ARM image on x86 node, or vice versa)	Rebuild for the right platform; use `--platform=linux/amd64`
Outbound calls timing out	NSG, private endpoint missing, DNS, or wrong identity for managed-identity APIs	kubectl exec / containerapp exec → curl/dig from inside; check effective NSG rules

Container Apps — the troubleshooting toolkit

# Stream logs (live)
az containerapp logs show \
  --name roo-vision \
  --resource-group roo-prod \
  --follow

# Logs from a previous (crashed) revision
az containerapp logs show \
  --name roo-vision -g roo-prod \
  --revision roo-vision--v3-2 \
  --tail 200

# Open a shell inside a running replica
az containerapp exec \
  --name roo-vision -g roo-prod \
  --command "/bin/sh"

# System events (KEDA scale events, image pull events, restarts)
az containerapp logs show \
  --name roo-vision -g roo-prod \
  --type system

In Log Analytics:

// Console logs — your app's stdout/stderr
ContainerAppConsoleLogs_CL
| where ContainerAppName_s == "roo-vision"
| where TimeGenerated > ago(1h)
| project TimeGenerated, RevisionName_s, ContainerName_s, Log_s
| order by TimeGenerated desc

// System logs — image pulls, scale events, container restarts
ContainerAppSystemLogs_CL
| where ContainerAppName_s == "roo-vision"
| where TimeGenerated > ago(1h)
| where Reason_s in ("Pulled", "Failed", "Created", "Started", "Killing", "BackOff")
| project TimeGenerated, Reason_s, Log_s

These two tables (ContainerAppConsoleLogs_CL and ContainerAppSystemLogs_CL) are the spine of Container Apps observability.

💡 Exam tip: 'system' logs vs 'console' logs

Container Apps separates system logs (the platform’s view — image pulls, scale events, container restarts) from console logs (your app’s stdout/stderr). When troubleshooting a startup failure, system logs explain what the platform saw; console logs show what your code printed. Both matter; the exam asks about both.

Match the table name to the question: “the container is restarting in a loop” → system logs to confirm BackOff, console logs to see why each restart fails.

AKS — the kubectl toolkit

# What's actually running?
kubectl get pods -A
kubectl get pod roo-vision-7d4b -o yaml

# Why did this pod misbehave?
kubectl describe pod roo-vision-7d4b
# ↑ Events section at the bottom is the gold — it shows pull, schedule, probe events with timestamps

# Logs from the current container
kubectl logs roo-vision-7d4b -c vision

# Logs from the PREVIOUS crashed container (key for CrashLoopBackOff)
kubectl logs roo-vision-7d4b -c vision --previous

# Shell into the pod
kubectl exec -it roo-vision-7d4b -c vision -- /bin/sh

# Check resources at the node level
kubectl top pods -A
kubectl top nodes

The single most important command on AKS for triage is kubectl describe pod. Its Events: section narrates every state transition — pull, schedule, start, probe, OOMKilled — with timestamps.

Connectivity troubleshooting from inside a container

When the container starts but can’t reach a dependency:

# Open a shell
kubectl exec -it roo-vision-7d4b -- /bin/sh
# OR
az containerapp exec -n roo-vision -g roo-prod --command "/bin/sh"

# Inside the container:
nslookup roo-cosmos.documents.azure.com    # DNS resolution
curl -v https://roo-cosmos.documents.azure.com/   # TLS reachability
nc -vz roo-cosmos.documents.azure.com 443         # Raw TCP reachability

Patterns:

What you see	What it means
DNS lookup fails	No DNS forwarder, private DNS zone not linked, or the name doesn’t exist
DNS resolves to private IP, curl times out	NSG / firewall rule blocking outbound, or private endpoint not deployed
TCP succeeds but TLS handshake fails	Certificate issue, SNI mismatch, or wrong endpoint
403 / 401	App identity correct but no role assignment on the target resource

Probes — readiness, liveness, startup

A probe failure can keep a perfectly good container in the doghouse. Three kinds:

Probe	What it controls	Failure consequence
Liveness	”Is the process healthy?”	Container is killed and restarted
Readiness	”Should traffic be routed here?”	Pod removed from Service endpoints (no traffic)
Startup	”Has the app finished initialising?”	Disables liveness probe until startup passes (good for slow-loading models)

spec:
  containers:
    - name: vision
      startupProbe:
        httpGet: { path: /health, port: 8000 }
        failureThreshold: 30
        periodSeconds: 10        # Allow 5 minutes for startup
      readinessProbe:
        httpGet: { path: /ready, port: 8000 }
        periodSeconds: 5
      livenessProbe:
        httpGet: { path: /health, port: 8000 }
        periodSeconds: 10

For AI workloads where the first inference call loads a multi-GB model, startup probes are essential — without them, the pod’s liveness probe fails during model load and the pod restarts in a loop.

ℹ️ Real-world example: Mira's model-load CrashLoopBackOff

Mira deployed a new vision model. Pods went straight to CrashLoopBackOff. Logs showed the model was still downloading from blob storage when liveness probes started, and after 3 failed probes the pod was killed.

Fix: add a startup probe with failureThreshold: 30 * periodSeconds: 10 — that’s a 5-minute grace window. Once the startup probe passes, the liveness probe takes over.

Lesson: liveness probes assume your app is up. Startup probes acknowledge that AI containers often need a long warm-up.

End-to-end connectivity check — the AKS / Container Apps Network Watcher

Azure Network Watcher’s Connection Troubleshoot can verify reachability from a Container App or AKS node to any Azure resource — Cosmos, Key Vault, Service Bus — and tell you which hop drops the packet.

az network watcher test-connectivity \
  --source-resource $POD_VM_RESOURCE_ID \
  --dest-address roo-kv.vault.azure.net \
  --dest-port 443

Output reports the connection status, latency, and the next hops — a programmatic equivalent of “where exactly does the packet die?”

Key terms

Question

What does CrashLoopBackOff mean?

Click or press Enter to reveal answer

Answer

A container starts, exits with a non-zero status, Kubernetes restarts it, it crashes again, and the platform applies an exponential back-off between restart attempts. Diagnose with `kubectl logs --previous` (AKS) or `az containerapp logs show --previous` (Container Apps) to see the last failure.

Click to flip back

Question

What is exit code 137 / OOMKilled?

Click or press Enter to reveal answer

Answer

The container exceeded its memory limit and the Linux kernel's OOM killer terminated it (signal 9 → exit 137). Fix: increase `resources.limits.memory`, fix a memory leak, or scale out so each replica handles fewer concurrent requests.

Click to flip back

Question

What's the difference between liveness, readiness, and startup probes?

Click or press Enter to reveal answer

Answer

Liveness — is the process healthy? Failure restarts the container. Readiness — should traffic flow here? Failure removes the pod from Service endpoints but doesn't restart. Startup — has init finished? While failing, suppresses liveness probes (key for AI workloads with multi-GB model loads).

Click to flip back

Question

Which Container Apps log table holds your application's stdout/stderr?

Click or press Enter to reveal answer

Answer

`ContainerAppConsoleLogs_CL`. The companion table `ContainerAppSystemLogs_CL` holds platform events — image pulls, scale events, container restarts. Both go to the environment's Log Analytics workspace.

Click to flip back

Question

Where do AKS pod events live, and how do you see them?

Click or press Enter to reveal answer

Answer

`kubectl describe pod <name>` shows the Events section at the bottom — chronological pull, schedule, start, probe events. They're also available in Log Analytics as `KubeEvents` when Container Insights is enabled.

Click to flip back

Knowledge check

Knowledge Check

Theo's clinical assistant pod restarts every 90 seconds in CrashLoopBackOff. The model is large (4 GB) and takes about 3 minutes to load on startup. The pod has a liveness probe but no startup probe. What's the most likely cause and fix?

AContainer is OOMKilled — increase memory limitsBLiveness probe fires while the model is still loading and kills the container; add a startup probe with a long failureThresholdCImage pull is failing — re-run `--attach-acr`DNetwork unreachable — add a DNS forwarder

Check Answer

Knowledge Check

Mira's Container App `roo-vision` started failing yesterday with `ImagePullBackOff`. The image, registry, and tag are all correct. Nothing changed in the manifests. What's the most likely cause?

AThe image was untagged — recreate the tagBThe Container App's managed identity lost its AcrPull role on the registry (or the registry firewall blocked the pull)CThe Container App needs a manual restartDContainer Apps is region-down — open a support ticket

Check Answer

Knowledge Check

Lin shells into a Container Apps replica and runs `curl https://roo-kv.vault.azure.net/secrets/foo`. It returns `Authentication failed`. The Container App has system-assigned managed identity enabled. What's the most likely missing step?

AThe managed identity is not assigned a role on Key Vault — grant it `Key Vault Secrets User`BKey Vault is in a different regionCCurl can't reach Key Vault — open the NSGDUse `kubectl exec` instead — `az containerapp exec` doesn't support curl

Check Answer