-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kube-proxy sometimes incorrectly chooses a veth as the host interface #4218
Comments
Hmmm... not really sure how to fix this one. Here is the output from a test program:
|
Including addresses this time.... we could eliminate anything without an IPv4 address, but that still leaves an arbitrary choice between cbr0 and eth0:
|
One last comment: this happens when we restart kube-proxy with pods/docker instances running. (It doesn't happen in the more normal scenario when kube-proxy is started before any pods). |
This issue has popped up in a few contexts and I am really stumped on it. On Fri, Feb 6, 2015 at 11:51 AM, Justin Santa Barbara <
|
It's not a perfect solution, but we could also just skip anything that doesn't have an IPv4 address, and anything that starts with "lo", "veth", "br" or "cbr". We should also probably not early-exit from the loop, but instead collect all the candidates. If there is more than one candidate, we should log them all and then make an arbitrary choice. I can put together a strawman patch if that would be useful. |
I'm fine with collecting them all and logging the arbitrary choice. I'm On Fri, Feb 6, 2015 at 3:54 PM, Justin Santa Barbara <
|
Would |
On second thoughts, I have read more about why we actually need hostIP. It is only used in iptablesHostPortalArgs, and only as a workaround for some weirdness around listening on 0.0.0.0 vs DNAT. Based on that comment, it sounds like any IPv4 that isn't loopback would be fine. So I think a good patch for now might be: filter out IPv6 addresses along with loopbacks (they cause an immediate problem); log if there are multiple choices (this seems likely to cause problems in future). I think that's simple, and avoids creating another required parameter. I'm not wild about directly calling hostname -i (or doing something similar); e.g. what do we do if it resolves to a loopback address or if the hostname can't be resolved? (I've had both of these problems while working on AWS) |
I was suggesting doing the equivalent of hostname -i -- is it unreasonable On Fri, Feb 6, 2015 at 4:40 PM, Justin Santa Barbara <
|
I've seen nslookup of self fail in a variety of misconfigured (especially On Fri, Feb 6, 2015, 21:18 Tim Hockin notifications@github.com wrote:
|
Actually, couldn't it also scour the route table for the default gateway On Fri, Feb 6, 2015, 21:32 Zachary Loafman zml@google.com wrote:
|
Ooh, that's good, I like that one.
|
Can folks sanity check this? http://play.golang.org/p/kzib_NygC6 We could have a cascade of modes, if we're not confident in this. First try the default gateway, then DNS lookup os.Hostname(), finally fall On Sat, Feb 7, 2015 at 8:36 AM, Tim Hockin thockin@google.com wrote:
|
hostname -i is kinda unreliable. |
I agree we need a consistent parameter across daemons. But I don't think On Mon, Feb 9, 2015 at 10:27 AM, sub-mod notifications@github.com wrote:
|
Using the default gateway as in @thockin's playground code with fallbacks as needed sounds good to me, for what it's worth. The majority of users (particularly cloud users) shouldn't need to worry about configuring this stuff. The only caveat I'd have is that it'd be nice to verify it works on standard AWS and Azure instances before running with it. |
I just upgraded from 0.7 to 0.9 (kubernetes-0.9.1-0.2.git3623a01 in Fedora 21), and I have been bit by this hard. Specifically, on startup, kube-proxy is selecting an interface that looks like this:
This interface doesn't have any IPv4 addresses (it's a member of a bridge), so kube-proxy takes the IPv6 address and starts trying to create rules that look like:
Of course,
|
the code in #4115 would fix this issue , if proxier.go uses the same method as apiserver.go to fetch an IP based on gateway |
I like #4115 as a heuristic. Once that is in, we can use that for proxy. |
@a-robinson yes |
This is on Ubuntu 14.04 (on AWS, though I think that doesn't matter).
Log output from kube-proxy (with -v2):
I am pretty sure it should be choosing eth0 or similar. veth29028d0 is a particularly bad choice because it only has an IPv6 address which then breaks the iptables logic.
The text was updated successfully, but these errors were encountered: