-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make kubelet touch iptables lock file during initialization #47212
Conversation
pkg/kubelet/kubelet.go
Outdated
if err != nil { | ||
glog.Warningf("Failed to open iptables lock file: %v", err) | ||
} | ||
if err := f.Close(); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If OpenFile returns an error, f
will be nil and this call will panic.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, done.
59e2b7c
to
716f5e2
Compare
pkg/kubelet/kubelet.go
Outdated
// TODO(#36485) Remove this workaround once we fix the init-container issue. | ||
// Touch iptables lock file, which will be shared among all containers. | ||
f, err := os.OpenFile(utilipt.LockfilePath16x, os.O_CREATE, 0600) | ||
if f == nil || err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: don't think you'll need to check f == nil
since you already checked err != nil
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
pkg/kubelet/kubelet.go
Outdated
@@ -507,6 +507,15 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *Kub | |||
} | |||
glog.Infof("Hairpin mode set to %q", hairpinMode) | |||
|
|||
// TODO(#36485) Remove this workaround once we fix the init-container issue. | |||
// Touch iptables lock file, which will be shared among all containers. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shared among all containers
or shared among all processes accessing the iptables?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, the latter seems more accurate. Applied.
716f5e2
to
d5c9d27
Compare
/lgtm |
/lgtm I am going to manually merge this to stop serial test failures. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: MrHohn, dchen1107, yujuhong Associated issue: 47186 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
Automatic merge from submit-queue (batch tested with PRs 53157, 52628). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Revert "Make kubelet touch iptables lock file during initialization" **What this PR does / why we need it**: Revert #47212. #36485 is fixed so this is no longer needed. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #NONE **Special notes for your reviewer**: /assign @yujuhong @dchen1107 **Release note**: ```release-note NONE ```
iptables uses the file `/run/xtables.lock` so that if changes are under way, another instance of the iptables command can wait till it is finished. We need to mount the lock file from the host to the container in order for this mechanism to work at all. Note we rely on kubelet touching the file before running any pods - see kubernetes/kubernetes#47212
Mount iptables lock file in weave-kube iptables uses the file `/run/xtables.lock` so that if changes are under way, another instance of the iptables command can wait till it is finished. We need to mount the lock file from the host to the container in order for this mechanism to work at all. Note we rely on kubelet touching the file before running any pods - see kubernetes/kubernetes#47212
This adds a volume-mount for the iptables lock file, which avoids collisions between Weave components and kube-proxy that would result in a half-configured Weave network. This is only for version 1.7 and above because it requires the change in kubernetes/kubernetes#47212
This adds a volume-mount for the iptables lock file, which avoids collisions between Weave components and kube-proxy that would result in a half-configured Weave network. This is only for version 1.7 and above because it requires the change in kubernetes/kubernetes#47212
including a Weave Net template for Kubernetes 1.7 and above which adds a volume-mount for the iptables lock file, which avoids collisions between Weave components and kube-proxy that would result in a half-configured Weave network. This is only for version 1.7 and above because it requires the change in kubernetes/kubernetes#47212
including a Weave Net template for Kubernetes 1.7 and above which adds a volume-mount for the iptables lock file, which avoids collisions between Weave components and kube-proxy that would result in a half-configured Weave network. This is only for version 1.7 and above because it requires the change in kubernetes/kubernetes#47212
including a Weave Net template for Kubernetes 1.7 and above which adds a volume-mount for the iptables lock file, which avoids collisions between Weave components and kube-proxy that would result in a half-configured Weave network. This is only for version 1.7 and above because it requires the change in kubernetes/kubernetes#47212
Automatic merge from submit-queue. Update Weave Net to version 2.0.5 This PR also adds a manifest with a volume-mount for the iptables lock file, which avoids collisions between Weave components and kube-proxy that can sometimes result in a half-configured Weave network. Only do this for Kubernetes 1.7 and above because it requires the change in kubernetes/kubernetes#47212 I don't really know what I'm doing in `bootstrapchannelbuilder.go`; I just followed the pattern I saw. Other relevant updates in Weave Net since version 2.0.1 ([more details](https://github.com/weaveworks/weave/releases)): * Fix race condition in NetworkPolicy Controller which would intermittently block all traffic for a namespace * Add comments to each NetworkPolicy iptables rule and ipset, to help when troubleshooting * Fix netfilter rules to block containers from accessing the Weave Net control endpoint * Remove code that checked for an outdated fallback address for Kubernetes api-server
Fixes #47186.
/assign @freehan @yujuhong
cc @dchen1107 @Q-Lee
Release note: