Be more agressive acquiring the iptables lock

[aojea]

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespace from that line:

/kind api-change
/kind bug
/kind cleanup
/kind deprecation
/kind design
/kind documentation
/kind failing-test
/kind feature

/kind flake

What this PR does / why we need it:

if kube-proxy is not able to get the lock it means a maximum penalty of 35 sec, 5 secs waiting to get the lock and 30 secs to retry

2019-11-30T16:47:27.528166227Z stderr F I1130 16:47:27.526891       1 proxier.go:784] Sync failed; retrying in 30s
2019-11-30T16:47:32.576137313Z stderr F E1130 16:47:32.574934       1 proxier.go:792] Failed to ensure that filter chain KUBE-EXTERNAL-SERVICES exists: error creating chain "KUBE-EXTERNAL-SERVICES": exit status 4: Another app is currently holding the xtables lock. Stopped waiting after 5s.

Currently, kubernetes uses the iptables -w 5 option, waiting 5 seconds to acquire the lock

  --wait        -w [seconds]    maximum wait to acquire xtables lock before give up
  --wait-interval -W [usecs]    wait time to try to acquire xtables lock
                                interval to wait for xtables lock
                                default is 1 second

We can be more aggressive trying to acquire the lock using an smaller interval

We can reproduce this situation using flock to hold the lock

acquire the lock in iptables

exec 3> /run/xtables.lock
flock -x 3

observe iptables behaviour with -W = 100000

root@kind-worker:/# ip6tables -L -w 5 -W 100000
Another app is currently holding the xtables lock; still 4s 100000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 3s 100000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 2s 100000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 1s 100000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 0s 100000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock. Stopped waiting after 5s.

observe iptables behaviour with -W = 10000

root@kind-worker:/# ip6tables -L -w 5 -W 10000
Another app is currently holding the xtables lock; still 4s 910000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 4s 810000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 4s 710000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 4s 610000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 4s 510000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 4s 410000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 4s 310000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 4s 210000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 4s 110000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 4s 10000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 3s 910000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 3s 810000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 3s 710000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 3s 610000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 3s 510000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 3s 410000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 3s 310000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 3s 210000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 3s 110000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 3s 10000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 2s 910000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 2s 810000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 2s 710000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 2s 610000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 2s 510000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 2s 410000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 2s 310000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 2s 210000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 2s 110000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 2s 10000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 1s 910000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 1s 810000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 1s 710000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 1s 610000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 1s 510000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 1s 410000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 1s 310000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 1s 210000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 1s 110000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 1s 10000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 0s 910000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 0s 810000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 0s 710000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 0s 610000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 0s 510000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 0s 410000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 0s 310000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 0s 210000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 0s 110000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 0s 10000us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock. Stopped waiting after 5s.

remove the lock

exec 3>&-

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Seems this was the previous behaviour based on

kubernetes/pkg/util/iptables/iptables_linux.go

Line 74 in 650c797

if err := wait.PollImmediate(200*time.Millisecond, 2*time.Second, func() (bool, error) {

and the one implemented for flushing the chains

kubernetes/pkg/util/iptables/iptables.go

Lines 528 to 533 in 650c797

	const (
	// Max time we wait for an iptables flush to complete after we notice it has started
	iptablesFlushTimeout = 5 * time.Second
	// How often we poll while waiting for an iptables flush to complete
	iptablesFlushPollTime = 100 * time.Millisecond
	)

Does this PR introduce a user-facing change?:

kubernetes will try to acquire the iptables lock every 100 msec during 5 seconds instead of every second. This specially useful for environments using kube-proxy in iptables mode with a high churn rate of services.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[aojea]

/test pull-kubernetes-e2e-kind-ipv6
/test pull-kubernetes-conformance-kind-ipv6
/sig network
/assign @thockin @danwinship

[aojea]

/test pull-kubernetes-e2e-kind-ipv6
/test pull-kubernetes-conformance-kind-ipv6

[aojea]

/test pull-kubernetes-e2e-kind-ipv6
/test pull-kubernetes-conformance-kind-ipv6

[danwinship]

in the original PR you noted:

I wasn't able to reproduce the error and I was thinking that this have fixed it, but 🤔 is still happening with this change
#85727 (comment)

Don't know if this make sense now, just let me know if you consider it useful and I'll reopen it

So what changed?

As I said before, I don't think the kind problem is actually a timeout getting the lock, particularly given that kubelet reliably always acquires the lock successfully and kube-proxy reliably hits the timeout. Something else is going on there. (eg like with #82587 where pkg/util/iptables was grabbing the lock itself and then calling the iptable binary which also tried to grab the lock but was guaranteed to fail since we had already grabbed it).

[aojea]

So what changed?

I was investigating more the kind issue #85727 and as you say has to be something different ... However, I could observe that the values used in this PR are similar to the previous values used in kube-proxy when it didn't have the -w option, so I thought that it can make sense to have them again.

[thockin]

That looks more palatable to me - @danwinship has the final LGTM

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aojea, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/util/iptables/OWNERS [thockin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[aojea]

/test pull-kubernetes-integration
failed only 1 test that seems unrelated "TestPreemption"
/test pull-kubernetes-e2e-g
failed 6 storage tests that seems unrelated too

[aojea]

/test pull-kubernetes-e2e-gce

[aojea]

/test pull-kubernetes-e2e-kind-ipv6
/test pull-kubernetes-conformance-kind-ipv6

[aojea]

/retest

[aojea]

/test pull-kubernetes-e2e-kind-ipv6

[thockin]

@danwinship this is green - you hold LGTM

[danwinship]

/lgtm