[WIP] Skip resize of nf_conntrack/parameters/hashsize if not necessary #44919
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Hi @robertgzr. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with
fa97388 to b397e16
How does kube-proxy even work in a different netns? It manipulates
iptables rules that are assumed to be system-wide.
On Apr 26, 2017 6:27 PM, "Mike Danese" wrote:
Assigned #44919 to @thockin (https://github.com/thockin).
From linked GitHub project, looks like this is for simulating multinode during local development.
@thockin From what I know, the kube-proxy's iptables rules work well inside netns - under the condition that this netns is used for simulating a node, not for isolation of kube-proxy process from the other k8s components. @sttts @ivan4th did you have any problems with iptables in dind? Or with anything other than nf_conntrack hashsize?
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: robertgzr, thockin
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing
Automatic merge from submit-queue
What this PR does / why we need it:
Linux does not support writing to /sys/module/nf_conntrack/parameters/hashsize when the writer process is not in the initial network namespace (https://github.com/torvalds/linux/blob/v4.10/net/netfilter/nf_conntrack_core.c#L1795-L1796).
Usually that's fine. But in some configurations such as with https://github.com/kinvolk/kubeadm-nspawn, kube-proxy is in another netns.
Therefore, check if writing in hashsize is necessary and skip the writing if not.
Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #
Special notes for your reviewer:
Release note:
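
The check the description calls for, sketched as an added Go example (not the code from this PR or from kube-proxy). ensureHashsize is a hypothetical helper; the path is a parameter so it can be exercised against an ordinary file, and it assumes a write is "necessary" only when the current value is below the wanted one.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// hashsizePath is the module parameter named in the PR description.
const hashsizePath = "/sys/module/nf_conntrack/parameters/hashsize"

// ensureHashsize (hypothetical helper) raises the value stored in path to at
// least want and reports whether it actually wrote. Assumption: a write is
// necessary only when the current value is smaller than want.
func ensureHashsize(path string, want int) (bool, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return false, fmt.Errorf("read %s: %w", path, err)
	}
	cur, err := strconv.Atoi(strings.TrimSpace(string(raw)))
	if err != nil {
		return false, fmt.Errorf("parse %s: %w", path, err)
	}
	if cur >= want {
		// Already large enough: skip the write, which the kernel rejects
		// when the caller is not in the initial network namespace.
		return false, nil
	}
	if err := os.WriteFile(path, []byte(strconv.Itoa(want)), 0o644); err != nil {
		// Keep both values in the error so an operator can see the gap.
		return false, fmt.Errorf("write %s (have %d, want %d): %w", path, cur, want, err)
	}
	return true, nil
}

func main() {
	// 32768 is a constructed sample value, not one taken from the PR.
	wrote, err := ensureHashsize(hashsizePath, 32768)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("wrote:", wrote)
}
```

Reading the parameter works from any network namespace, so the failure is only surfaced when the value genuinely has to grow.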