Set conntrack params in kube-proxy #19182
Conversation
GCE e2e build/test failed for commit 68492f066dfa8f75fa322c0495330fc7bad9a470.
Labelling this PR as size/L
return ioutil.WriteFile("/sys/module/nf_conntrack/parameters/hashsize", []byte(strconv.Itoa(max/4)), 0640)
}

func (realConntracker) SetTCPEstablishedTimeout(seconds int) error {
should the type be Duration instead of int?
I chose seconds because any finer granularity is not respected. I could go either way, but given the very limited exposure of this, I think simpler is better.
sounds good
Force-pushed from 2eede77 to 407c744
GCE e2e test build/test passed for commit 407c744906ee962039f8b9a6285bc20e0d458acb.
GCE e2e test build/test passed for commit 2eede77cfeff21e6c21c6ea05cdeffb8dafcf79a.
Force-pushed from 407c744 to 5263e26
GCE e2e test build/test passed for commit 5263e2638fd29eec00755a42ae88c2abad6a20c6.
Add flags to control max connections (set to 256k vs 64k default) and TCP established timeout (set to 1 day vs 5 day default). Flags can be set to 0 to mean "don't change it". This is only set at startup, and not wrapped in a rectifier loop. Tested manually.
Force-pushed from 5263e26 to da0ac31
GCE e2e test build/test passed for commit da0ac31.
@k8s-bot unit test this please
@k8s-bot unit test this please a unit test seems to have failed. re-running test to confirm
@k8s-bot unit test this please A different test fails every time. This is intolerable
w00t! Green at last. Green at last! Thank git alrighty it is green at last.
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]
@k8s-bot unit test this please
GCE e2e test build/test passed for commit da0ac31.
@k8s-bot unit test this please
@k8s-bot unit test this please
This is hopeless - even if I get it to go green, the chances of it being green again for Jenkins is 0. @k8s-bot unit test this please
@k8s-bot unit test this please
@k8s-bot unit test this please
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]
GCE e2e test build/test passed for commit da0ac31.
@k8s-bot unit test this please
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]
GCE e2e test build/test passed for commit da0ac31.
Automatic merge from submit-queue
Auto commit by PR queue bot
Kubernetes-Mesos CI smoke tests have been failing on master since this was merged. Guess that CI failure up there wasn't just a red herring! Haven't figured out why this broke the tests, but it didn't just break them, it stopped the JUnit test report from being produced too...
Mesos smoke tests are fixed by #19277. Kinda stupid that it doesn't work without the new flags specified.
@thockin @ArtfulCoder sorry to chime in so late on this one. A few words of caution:
}
// TODO: generify this and sysctl to a new sysfs.WriteInt()
glog.Infof("Setting conntrack hashsize to %d", max/4)
return ioutil.WriteFile("/sys/module/nf_conntrack/parameters/hashsize", []byte(strconv.Itoa(max/4)), 0640)
this line appears to be the culprit that fails our smoke testing when max is non-zero.
xref mesosphere/kubernetes-mesos#724
for posterity: the nf_conntrack module doesn't seem to support setting the value of this hashsize parameter for network namespaces other than init_net; this is strictly incompatible with our mesos/docker-based testing environment.
Thanks for tracking it - what is the fix? What can we do?
On Wed, Jan 6, 2016 at 8:54 AM, James DeFelice notifications@github.com wrote:
In cmd/kube-proxy/app/conntrack.go #19182 (comment):
+type Conntracker interface {
- SetMax(max int) error
- SetTCPEstablishedTimeout(seconds int) error
+}
+type realConntracker struct{}
+
+func (realConntracker) SetMax(max int) error {
- glog.Infof("Setting nf_conntrack_max to %d", max)
- if err := sysctl.SetSysctl("net/netfilter/nf_conntrack_max", max); err != nil {
return err
- }
- // TODO: generify this and sysctl to a new sysfs.WriteInt()
- glog.Infof("Setting conntrack hashsize to %d", max/4)
- return ioutil.WriteFile("/sys/module/nf_conntrack/parameters/hashsize", []byte(strconv.Itoa(max/4)), 0640)
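Review bot: SetMax returns the raw error from the hashsize write to /sys/module/nf_conntrack/parameters/hashsize after nf_conntrack_max has already been applied, so the failure the thread reports from inside a non-init_net namespace aborts kube-proxy with the sysctl changed and the error text saying nothing about which of the two writes failed. Wrap the error with the path (for example `fmt.Errorf("write %s: %v", path, err)`), and decide explicitly whether a refused hashsize write should be fatal or only logged, since the sysctl it accompanies is already in effect. Note also that the "0 means don't change it" rule from the PR description is not enforced inside SetMax: with max == 0 this hunk would write 0 to both knobs, so the zero check must sit in the caller and should be documented on the interface.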
for posterity: the nf_conntrack module doesn't seem to support setting the value of this hashsize parameter for network namespaces other than init_net; this is strictly incompatible with our mesos/docker-based testing environment.
Reply to this email directly or view it on GitHub: https://github.com/kubernetes/kubernetes/pull/19182/files#r48979830
for k8s-mesos I've disabled these tuning parameters by default (read: zero by default). this fixes our CI environment immediately. users can still tweak them if needed/wanted. short of changing the way hashsize is implemented in the kernel module i'm not sure how else to really "fix" this.
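As an added example (not kube-proxy's own code, and not what the PR merged), the shape of a conntrack applier that keeps the two conventions from this thread, zero means "don't change it" and hashsize = max/4, but treats a refused hashsize write as a reported skip instead of a fatal error, since nf_conntrack_max has already taken effect by then. It also exposes an init_net check so the hashsize write is not even attempted from a nested network namespace. Assumptions that are this example's, not the page's: the /proc/sys paths for the two sysctls, the PID-1 namespace comparison as the init_net heuristic, and the FakeWriter used to exercise the logic without root.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
)

// Config mirrors the two kube-proxy flags discussed in the PR.
// A zero value means "leave the kernel's current setting alone".
type Config struct {
	Max                   int // net.netfilter.nf_conntrack_max (entries)
	TCPEstablishedTimeout int // net.netfilter.nf_conntrack_tcp_timeout_established (seconds)
}

// WriteFunc writes a decimal integer to one kernel knob. The real writer
// touches /proc/sys and /sys/module; tests substitute a recording fake.
type WriteFunc func(path string, value int) error

// Knob paths. The sysfs path is the one from the PR; the /proc/sys paths are
// this example's assumption about where those two sysctls live.
const (
	pathConntrackMax   = "/proc/sys/net/netfilter/nf_conntrack_max"
	pathTCPEstablished = "/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established"
	pathHashsize       = "/sys/module/nf_conntrack/parameters/hashsize"
)

// Applied records what actually reached the kernel, so a partially applied
// configuration (max set, hashsize refused) is visible to the caller.
type Applied struct {
	Max, Hashsize, TCPEstablishedTimeout int
	Skipped                              []string
}

// WriteInt is the real writer: the same write-a-decimal-string pattern as the PR.
func WriteInt(path string, value int) error {
	return os.WriteFile(path, []byte(strconv.Itoa(value)), 0o640)
}

// InInitNetNS reports whether this process shares its network namespace with
// PID 1. This is an assumed heuristic for "we are in init_net", not from the PR.
func InInitNetNS() (bool, error) {
	self, err := os.Readlink("/proc/self/ns/net")
	if err != nil {
		return false, err
	}
	pid1, err := os.Readlink("/proc/1/ns/net")
	if err != nil {
		return false, err
	}
	return self == pid1, nil
}

// Apply pushes cfg into the kernel. nf_conntrack_max and the TCP timeout must
// succeed; the hashsize write is attempted only in init_net, and a refusal
// there is reported in Skipped rather than returned as an error.
func Apply(cfg Config, write WriteFunc, inInitNet bool) (Applied, error) {
	var out Applied
	if cfg.Max > 0 {
		if err := write(pathConntrackMax, cfg.Max); err != nil {
			return out, fmt.Errorf("set %s: %w", pathConntrackMax, err)
		}
		out.Max = cfg.Max
		hashsize := cfg.Max / 4 // the PR's ratio: one bucket per four entries
		if !inInitNet {
			out.Skipped = append(out.Skipped, "hashsize: not in init_net")
		} else if err := write(pathHashsize, hashsize); err != nil {
			out.Skipped = append(out.Skipped, "hashsize: "+err.Error())
		} else {
			out.Hashsize = hashsize
		}
	}
	if cfg.TCPEstablishedTimeout > 0 {
		if err := write(pathTCPEstablished, cfg.TCPEstablishedTimeout); err != nil {
			return out, fmt.Errorf("set %s: %w", pathTCPEstablished, err)
		}
		out.TCPEstablishedTimeout = cfg.TCPEstablishedTimeout
	}
	return out, nil
}

// FakeWriter records writes in rec and fails for any path present in failing.
func FakeWriter(rec map[string]int, failing map[string]error) WriteFunc {
	return func(path string, value int) error {
		if err, ok := failing[path]; ok {
			return err
		}
		rec[path] = value
		return nil
	}
}

func main() {
	inInit, err := InInitNetNS()
	if err != nil {
		fmt.Println("namespace check failed:", err)
	}
	// The PR's values: 256k entries and a one-day established timeout.
	out, err := Apply(Config{Max: 256 * 1024, TCPEstablishedTimeout: 86400}, WriteInt, inInit)
	fmt.Printf("applied=%+v err=%v\n", out, err)
}
```

Run as root in the host network namespace to apply the PR's values for real; anywhere else, main reports which knobs were skipped instead of exiting, which is the behaviour the k8s-mesos CI failure above argues for.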
More links I collected for the context:
- k8s-mesos issue @jdef mentioned, that might be related to setting hashsize inside a nested network namespace: "kube-proxy connection tracking adjustments are crashing smoke tests" mesosphere/kubernetes-mesos#724
- more general discussion regarding whether sysctls are namespace safe: "Document per namespace sysctl and how to set them in pods" #29572
- initial Linux kernel change that restricts conntrack hash resize to init_net: https://lwn.net/Articles/375395/
On Tue, Jan 5, 2016 at 9:40 AM, Quinton Hoole notifications@github.com wrote:
I don't disagree. UDP is particularly unpleasant because we just have
We tune the hash size, too, following best practices, though
Add flags to control max connections (set to 256k vs 64k default) and TCP
established timeout (set to 1 day vs 5 day default). Flags can be set to 0 to
mean "don't change it".
This is only set at startup, and not wrapped in a rectifier loop.
Tested manually.
Fixes #18604