-
-
Notifications
You must be signed in to change notification settings - Fork 214
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixes on masquerade forwarding mode #812
Conversation
cc @lou-lan for review as well |
pkg/loadbalancer/ipvs.go
Outdated
err = sysctl.WriteProcSys("/proc/sys/net/ipv4/ip_forward", "1") | ||
if err != nil { | ||
log.Errorf("ensure net.ipv4.ip_forward is enabled") | ||
log.Fatalf("Error ensuring net.ipv4.ip_forward enabled [%v]", err) | ||
} | ||
log.Infof("sysctl set net.ipv4.ip_forward to 1") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @thebsdbox @lou-lan please suggest on this part. I can remove this part if both of you think it's not quite making sense. Thanks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @thebsdbox @lou-lan please suggest on this part. I can remove this part if both of you think it's not quite making sense. Thanks.
Adding /proc/sys/net/ipv4/ip_forward
looks suitable to me. I noticed that you moved it out of the if block. It is worth noting that this parameter requires appropriate permissions to be set.
initConfig.LoadBalancerForwardingMethod == "masquerade"
Permissions ref:
kube-vip/pkg/kubevip/config_generator.go
Line 512 in 0cedf6a
Privileged: &privileged,
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! Let me correct it. I somehow get a wrong impression that only masquerade mode will enable IPVS..
pkg/loadbalancer/ipvs.go
Outdated
i, err := c.Info() | ||
if err != nil { | ||
log.Errorf("ensure IPVS kernel modules are loaded") | ||
log.Fatalf("Error getting IPVS version [%v]", err) | ||
} | ||
log.Infof("IPVS Loadbalancer enabled for %d.%d.%d", i.Version[0], i.Version[1], i.Version[2]) | ||
|
||
err = sysctl.WriteProcSys("/proc/sys/net/ipv4/vs/conntrack", "1") | ||
if err != nil { | ||
log.Errorf("ensure net.ipv4.vs.conntrack is enabled") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this duplicated with next line?
Or you want to add a log before the command
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh that's because I followed format in this file like https://github.com/kube-vip/kube-vip/blob/main/pkg/loadbalancer/ipvs.go#L57-L65
pkg/loadbalancer/ipvs.go
Outdated
|
||
err = sysctl.WriteProcSys("/proc/sys/net/ipv4/ip_forward", "1") | ||
if err != nil { | ||
log.Errorf("ensure net.ipv4.ip_forward is enabled") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same comment as above
A few linting bugs that need addressing, these can be tested locally with |
6e41c86
to
45349f2
Compare
@@ -466,6 +466,8 @@ func (configurator *network) removeIptablesRulesForMasquerade() error { | |||
return nil | |||
} | |||
|
|||
// TODO: investigate if adding "--vport <port>" would be better or not quite necessary | |||
// After this rule is added, ipvs kernel module is also loaded | |||
func addMasqueradeRuleForVIP(ipt *iptables.IPTables, vip, comment string) error { | |||
err := ipt.InsertUnique(iptables.TableNat, iptables.ChainPOSTROUTING, | |||
1, "-m", "ipvs", "--vaddr", vip, "-j", "MASQUERADE", "-m", "comment", "--comment", comment) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This rule is quite interesting. After this iptables added, ip_vs kernel module will be loaded to current container host automatically like:
sudo lsmod | grep ip_vs
ip_vs 176128 1 xt_ipvs
nf_conntrack 172032 10 xt_conntrack,nf_nat,nfnetlink_cttimeout,xt_nat,openvswitch,nf_conntrack_netlink,xt_CT,nf_conncount,xt_MASQUERADE,ip_vs
nf_defrag_ipv6 24576 3 nf_conntrack,openvswitch,ip_vs
libcrc32c 16384 7 nf_conntrack,nf_nat,openvswitch,btrfs,nf_tables,raid456,ip_vs
Because the AddIP() happens before NewIPVSLB(), kube-vip doesn't require users to load ipvs manually in advance anymore in masquerade mode.
45349f2
to
c7cebc6
Compare
Signed-off-by: Yike Wang <yikew@vmware.com>
c7cebc6
to
5100cd0
Compare
This is passing all of the tests, is it ready to merge? |
yes Dan, waiting for your approvals. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Fixes:
comment
value of masquerade iptables deletion, to be consistent with the adding operation.-d
in the command for masquerade iptables deletion. Otherwise it will raise error:To enable masquerade forwarding mode as control plane LB default mode, there are still things to do:
I will open two new issues regarding on above.