Deleting cilium pods messes with hostport mappings #6499
Labels: kind/bug (This is a bug in the Cilium logic.), kind/community-report (This was reported by a user in the Cilium community, eg via Slack.)
tgraf added the kind/bug (This is a bug in the Cilium logic.), needs/triage (This issue requires triaging to establish severity and next steps.) and kind/community-report (This was reported by a user in the Cilium community, eg via Slack.) labels on Dec 21, 2018
tgraf removed the needs/triage (This issue requires triaging to establish severity and next steps.) label on Dec 26, 2018
The issue has been tracked down to the following logic:
tgraf added a commit that referenced this issue on Dec 26, 2018:

The existing legacy rule removal logic on bootstrap removed all rules which contain the word "cilium". While this removed Cilium-relevant rules, it also incorrectly removed rules installed by the portmap/hostport plugin if the plugin was configured with a name that contained the string cilium.

Example CNI configuration:

```
{
  "cniVersion": "0.3.1",
  "name": "cilium-portmap",
  "plugins": [
    {
      "type": "cilium-cni"
    },
    {
      "type": "portmap",
      "capabilities": { "portMappings": true }
    }
  ]
}
```

Example of incorrectly removed rule:

```
-A CNI-HOSTPORT-DNAT -m comment --comment "dnat name: \"cilium-portmap\" id: \"95dc537b9152da5f91be3fc5692bf91592bf1871b6e61755aed2056a03e98c4f\"" -j CNI-DN-258a52f03b4b7aa8abdc5
```

The fix is to be more restrictive in selecting rules to remove and limit it to rules which contain the string "CILIUM_".

Fixes: #6499
Signed-off-by: Thomas Graf <thomas@cilium.io>
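To make the two selection strategies from the commit message concrete, the following is an added Go example (not Cilium's own code) that runs the over-broad legacy match and the restricted "CILIUM_" match over a constructed `iptables-save` nat-table dump and shows which rules each would delete. Only the CNI-HOSTPORT-DNAT line is taken from the issue; the other rules, the addresses, the case-insensitive comparison in `legacyMatch`, and the extra `chainAnchoredMatch` variant are this example's assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed iptables-save output for the nat table of a node that runs
// Cilium alongside the portmap plugin, with the CNI network named
// "cilium-portmap". Only the CNI-HOSTPORT-DNAT line is taken from the
// issue; every other line is made up for this example.
const sampleNatTable = `*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:CILIUM_POST - [0:0]
:CNI-HOSTPORT-DNAT - [0:0]
:CNI-DN-258a52f03b4b7aa8abdc5 - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A POSTROUTING -m comment --comment "cilium-feeder: CILIUM_POST" -j CILIUM_POST
-A POSTROUTING -m comment --comment "ops audit rule, unrelated to CILIUM_POST" -j RETURN
-A CILIUM_POST -s 10.217.0.0/16 ! -d 10.217.0.0/16 -m comment --comment "cilium masquerade non-cluster" -j MASQUERADE
-A CNI-HOSTPORT-DNAT -m comment --comment "dnat name: \"cilium-portmap\" id: \"95dc537b9152da5f91be3fc5692bf91592bf1871b6e61755aed2056a03e98c4f\"" -j CNI-DN-258a52f03b4b7aa8abdc5
-A CNI-DN-258a52f03b4b7aa8abdc5 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.217.1.23:80
COMMIT
`

// appendRules returns the "-A ..." lines of an iptables-save dump, i.e. the
// rules a bootstrap cleanup routine has to choose from.
func appendRules(dump string) []string {
	var rules []string
	sc := bufio.NewScanner(strings.NewReader(dump))
	for sc.Scan() {
		if line := sc.Text(); strings.HasPrefix(line, "-A ") {
			rules = append(rules, line)
		}
	}
	return rules
}

// legacyMatch reproduces the over-broad selection the fix replaces: any rule
// whose text mentions "cilium" anywhere, including inside a comment written
// by another CNI plugin. Case-insensitive matching is an assumption here.
func legacyMatch(rule string) bool {
	return strings.Contains(strings.ToLower(rule), "cilium")
}

// fixedMatch is the selection the fix switches to: only rules that contain
// the Cilium chain prefix "CILIUM_". The portmap rule no longer matches.
func fixedMatch(rule string) bool {
	return strings.Contains(rule, "CILIUM_")
}

// chainAnchoredMatch is a tighter variant suggested by this example, not the
// project's code: the rule must be appended to, or jump to, a CILIUM_ chain.
// A foreign rule that merely mentions "CILIUM_" in its comment is left alone.
func chainAnchoredMatch(rule string) bool {
	fields := strings.Fields(rule)
	for i := 0; i+1 < len(fields); i++ {
		if (fields[i] == "-A" || fields[i] == "-j") && strings.HasPrefix(fields[i+1], "CILIUM_") {
			return true
		}
	}
	return false
}

// selectForRemoval applies match to every rule and returns the delete
// commands the cleanup would run: the "-A" of each selected rule becomes "-D".
func selectForRemoval(rules []string, match func(string) bool) []string {
	var del []string
	for _, r := range rules {
		if match(r) {
			del = append(del, "iptables -t nat -D"+strings.TrimPrefix(r, "-A"))
		}
	}
	return del
}

// hostportSurvives reports whether the portmap DNAT rule would still exist
// after cleanup with the given matcher; this is the regression the issue is about.
func hostportSurvives(match func(string) bool) bool {
	for _, r := range appendRules(sampleNatTable) {
		if strings.HasPrefix(r, "-A CNI-HOSTPORT-DNAT") && match(r) {
			return false
		}
	}
	return true
}

func main() {
	rules := appendRules(sampleNatTable)
	matchers := []struct {
		name string
		fn   func(string) bool
	}{{"legacy", legacyMatch}, {"fixed", fixedMatch}, {"chain-anchored", chainAnchoredMatch}}
	for _, m := range matchers {
		fmt.Printf("%s: hostport rule survives=%v\n", m.name, hostportSurvives(m.fn))
		for _, d := range selectForRemoval(rules, m.fn) {
			fmt.Println("  ", d)
		}
	}
}
```

Running it shows the legacy matcher deleting the CNI-HOSTPORT-DNAT rule along with the Cilium ones, while the "CILIUM_" matcher keeps it. The "CILIUM_" match is still a plain substring test, so the constructed POSTROUTING audit rule that only mentions CILIUM_POST in its comment is deleted too; anchoring on the `-A`/`-j` chain name avoids that.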
tgraf added a commit that referenced this issue on Dec 28, 2018 (same commit message as above).

ianvernon pushed a commit that referenced this issue on Jan 2, 2019 ([ upstream commit 36cdd98 ], same commit message as above, additionally Signed-off-by: Ian Vernon <ian@cilium.io>).

ianvernon pushed a commit that referenced this issue on Jan 2, 2019 ([ upstream commit 36cdd98 ], same commit message as above, additionally Signed-off-by: Ian Vernon <ian@cilium.io>).

tgraf added a commit that referenced this issue on Jan 3, 2019 ([ upstream commit 36cdd98 ], same commit message as above, additionally Signed-off-by: Ian Vernon <ian@cilium.io>).

tgraf added a commit that referenced this issue on Jan 3, 2019 ([ upstream commit 36cdd98 ], same commit message as above).

tgraf added a commit that referenced this issue on Jan 4, 2019 ([ upstream commit 36cdd98 ], same commit message as above).

ianvernon pushed a commit that referenced this issue on Jan 9, 2019 ([ upstream commit 36cdd98 ], same commit message as above, additionally Signed-off-by: Ian Vernon <ian@cilium.io>).

ianvernon pushed a commit that referenced this issue on Jan 14, 2019 ([ upstream commit 36cdd98 ], same commit message as above, additionally Signed-off-by: Ian Vernon <ian@cilium.io>).

tgraf added a commit that referenced this issue on Jan 15, 2019 ([ upstream commit 36cdd98 ], same commit message as above, additionally Signed-off-by: Ian Vernon <ian@cilium.io>).
Hi guys, we've been using cilium in production for some time now and our kubernetes use case includes a lot of pods that run with hostPort (using the portmap plugin).
We observed today that these pods became unreachable via the hostPort after a cilium update, so after some research I found that after I restart the cilium pods, the iptables rules that are necessary for hostPort to work always get deleted. To be more specific, these are the rules in iptables before deleting the cilium pod:
After deleting the cilium pods and seeing them recreated, only these two rules exist:
So the chain is being messed up somehow when I delete the cilium pods.
General Information
How to reproduce the issue