Make kubelet touch iptables lock file during initialization #47212
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
the
cncf-cla: yes
k8s-github-robot
added
size/S
ericchiang
reviewed
Jun 9, 2017
pkg/kubelet/kubelet.go
Outdated
| if err != nil { | ||
| glog.Warningf("Failed to open iptables lock file: %v", err) | ||
| } | ||
| if err := f.Close(); err != nil { |
There was a problem hiding this comment.
If OpenFile returns an error, f will be nil and this call will panic.
MrHohn
force-pushed
the
kubelet-iptables-lock
branch
from
59e2b7c
to
716f5e2
Compare
k8s-github-robot
added
size/XS
yujuhong
reviewed
Jun 9, 2017
pkg/kubelet/kubelet.go
Outdated
| // TODO(#36485) Remove this workaround once we fix the init-container issue. | ||
| // Touch iptables lock file, which will be shared among all containers. | ||
| f, err := os.OpenFile(utilipt.LockfilePath16x, os.O_CREATE, 0600) | ||
| if f == nil || err != nil { |
There was a problem hiding this comment.
nit: don't think you'll need to check f == nil since you already checked err != nil
pkg/kubelet/kubelet.go
Outdated
| @@ -507,6 +507,15 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *Kub | |||
| } | |||
| glog.Infof("Hairpin mode set to %q", hairpinMode) | |||
|
|
|||
| // TODO(#36485) Remove this workaround once we fix the init-container issue. | |||
| // Touch iptables lock file, which will be shared among all containers. | |||
There was a problem hiding this comment.
Shared among all containers or shared among all processes accessing the iptables?
There was a problem hiding this comment.
Thanks, the latter seems more accurate. Applied.
MrHohn
force-pushed
the
kubelet-iptables-lock
branch
from
716f5e2
to
d5c9d27
Compare
k8s-github-robot
added
size/S
|
/lgtm |
k8s-ci-robot
added
the
lgtm
k8s-github-robot
added
the
approved
|
/lgtm I am going to manually merge this to stop serial test failures. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: MrHohn, dchen1107, yujuhong Associated issue: 47186 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
pushed a commit
that referenced
this pull request
Sep 28, 2017
Automatic merge from submit-queue (batch tested with PRs 53157, 52628). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Revert "Make kubelet touch iptables lock file during initialization" **What this PR does / why we need it**: Revert #47212. #36485 is fixed so this is no longer needed. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #NONE **Special notes for your reviewer**: /assign @yujuhong @dchen1107 **Release note**: ```release-note NONE ```
bboreham
added a commit
to weaveworks/weave
that referenced
this pull request
Oct 2, 2017
iptables uses the file `/run/xtables.lock` so that if changes are under way, another instance of the iptables command can wait till it is finished. We need to mount the lock file from the host to the container in order for this mechanism to work at all. Note we rely on kubelet touching the file before running any pods - see kubernetes/kubernetes#47212
bboreham
added a commit
to weaveworks/weave
that referenced
this pull request
Oct 3, 2017
Mount iptables lock file in weave-kube iptables uses the file `/run/xtables.lock` so that if changes are under way, another instance of the iptables command can wait till it is finished. We need to mount the lock file from the host to the container in order for this mechanism to work at all. Note we rely on kubelet touching the file before running any pods - see kubernetes/kubernetes#47212
bboreham
added a commit
to bboreham/kops
that referenced
this pull request
Oct 11, 2017
This adds a volume-mount for the iptables lock file, which avoids collisions between Weave components and kube-proxy that would result in a half-configured Weave network. This is only for version 1.7 and above because it requires the change in kubernetes/kubernetes#47212
bboreham
added a commit
to bboreham/kops
that referenced
this pull request
Oct 12, 2017
This adds a volume-mount for the iptables lock file, which avoids collisions between Weave components and kube-proxy that would result in a half-configured Weave network. This is only for version 1.7 and above because it requires the change in kubernetes/kubernetes#47212
bboreham
added a commit
to bboreham/kops
that referenced
this pull request
Oct 12, 2017
including a Weave Net template for Kubernetes 1.7 and above which adds a volume-mount for the iptables lock file, which avoids collisions between Weave components and kube-proxy that would result in a half-configured Weave network. This is only for version 1.7 and above because it requires the change in kubernetes/kubernetes#47212
bboreham
added a commit
to bboreham/kops
that referenced
this pull request
Oct 12, 2017
including a Weave Net template for Kubernetes 1.7 and above which adds a volume-mount for the iptables lock file, which avoids collisions between Weave components and kube-proxy that would result in a half-configured Weave network. This is only for version 1.7 and above because it requires the change in kubernetes/kubernetes#47212
bboreham
added a commit
to bboreham/kops
that referenced
this pull request
Oct 12, 2017
including a Weave Net template for Kubernetes 1.7 and above which adds a volume-mount for the iptables lock file, which avoids collisions between Weave components and kube-proxy that would result in a half-configured Weave network. This is only for version 1.7 and above because it requires the change in kubernetes/kubernetes#47212
k8s-github-robot
pushed a commit
to kubernetes/kops
that referenced
this pull request
Oct 12, 2017
Automatic merge from submit-queue. Update Weave Net to version 2.0.5 This PR also adds a manifest with a volume-mount for the iptables lock file, which avoids collisions between Weave components and kube-proxy that can sometimes result in a half-configured Weave network. Only do this for Kubernetes 1.7 and above because it requires the change in kubernetes/kubernetes#47212 I don't really know what I'm doing in `bootstrapchannelbuilder.go`; I just followed the pattern I saw. Other relevant updates in Weave Net since version 2.0.1 ([more details](https://github.com/weaveworks/weave/releases)): * Fix race condition in NetworkPolicy Controller which would intermittently block all traffic for a namespace * Add comments to each NetworkPolicy iptables rule and ipset, to help when troubleshooting * Fix netfilter rules to block containers from accessing the Weave Net control endpoint * Remove code that checked for an outdated fallback address for Kubernetes api-server
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #47186.
/assign @freehan @yujuhong
cc @dchen1107 @Q-Lee
Release note: