Add iptables lock-file mount to kube-proxy manifest #46259
Conversation
@k8s-bot pull-kubernetes-federation-e2e-gce test this
/assign @dcbw
I don't believe this is the right fix.
There are mentions that netns can be leaked if you mount the entire /run into a container.
@k8s-bot pull-kubernetes-unit test this
@cblecker I would find such a leak surprising. Either way, we're in the host netns, so it shouldn't matter. I think the bigger concern is that we're mounting the entire /run directory. Unfortunately, if the file doesn't exist, then docker decides we want a dir.... @thockin Options? Perhaps we mount "/run" in an init container, touch the file, and then mount just the lock file in kube-proxy? Maybe we could touch the file in node-startup.sh, or any other script that executes after a boot, but before the kubelet creates kube-proxy?
What we need is #34058 Anyone want to scramble an implementation? :) Maybe we can live with mounting all of /run, or initcontainer as you suggest. I don't have a better answer at hand.
@thockin - the PR delay for the API alone would exceed remaining time :P I'll try an initcontainer later today, and see if that works well.
we'll fix that
…On Tue, May 30, 2017 at 8:07 AM, Bryan Boreham ***@***.***> wrote:
What we need is #34058
<#34058>
Note that new-file, the case we need here, was excluded from that
proposal, and is not implemented in #46597
<#46597>
@k8s-bot pull-kubernetes-e2e-gce-bazel test this
Lots of test failures still on a bazel-built cluster, probably due to #45298, but this PR does at least get us running tests. (Compare against a test run at HEAD.)
- hostPath: | ||
path: /run | ||
name: run | ||
- hostPath: |
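Review bot: the hunk declares a hostPath volume for the whole of host /run (followed by a second hostPath entry) when kube-proxy only needs the single iptables lock file, which gives the container a much wider view of the host's runtime state than the fix requires; a single hostPath volume with a subPath in the volumeMount that maps only the lock file would narrow that, as the reviewer suggests. Whichever form is used, the lock file must exist on the node before the pod is created, because the discussion above notes that a hostPath to a missing file is created as a directory, and iptables-restore then fails exactly as it does today.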
you should not need 2 volumes, just use subPath in the volumeMount
This is hacky but workable
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Q-Lee, thockin The full list of commands accepted by this bot can be found here.
#46820 might be an alternate fix
@ixdy do we have a fix for the version parsing?
@Q-Lee: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Automatic merge from submit-queue (batch tested with PRs 46734, 46810, 46759, 46259, 46771)
@Q-Lee half of the fix is bazelbuild/rules_go#505. I haven't yet worked on the changes for Kubernetes, but it should be easy once that's merged.
We only do this for >= 1.9 so we don't change existing clusters. Equivalent of kubernetes/kubernetes#46259
What this PR does / why we need it: kube-proxy is broken in make bazel-release. The new iptables binary uses a lockfile in "/run", but the directory doesn't exist. This causes iptables-restore to fail. We need to share the same lock-file amongst all containers, so mount the host /run dir.
This is similar to #46132 but expediency matters, since builds are broken.
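The failure mode described above (iptables needs a lock file under /run, and a hostPath pointing at a file that does not exist on the node is created as a directory instead) is easy to catch on the node before kube-proxy is started. The following pre-flight check is an added example, not code from this PR or from kubernetes/kubernetes; it assumes the lock path is /run/xtables.lock, which the PR text does not name.

```shell
#!/bin/sh
# Added example (not from kubernetes/kubernetes): node pre-flight check for
# the iptables lock file that kube-proxy's hostPath mount will point at, the
# "touch the file in node-startup.sh" option from the PR discussion.
# Assumption: the lock path is /run/xtables.lock; the PR only says "/run".
#
# ensure_lock_file PATH
#   0  PATH is (now) a regular file and safe to hostPath-mount into the pod
#   1  PATH is a directory: the failure mode from the PR, where a hostPath to
#      a missing file makes the runtime create a directory and iptables-restore
#      then cannot take its lock; an operator has to remove it first
#   2  PATH could not be created, or exists but is not a regular file
ensure_lock_file() {
    f="$1"
    if [ -d "$f" ]; then
        echo "ERROR: $f is a directory, not the iptables lock file" >&2
        return 1
    fi
    if [ ! -e "$f" ]; then
        mkdir -p "$(dirname "$f")" || return 2
        : > "$f" || return 2       # create the empty lock file
    fi
    if [ ! -f "$f" ]; then
        echo "ERROR: $f exists but is not a regular file" >&2
        return 2
    fi
    return 0
}

# Usage from a node startup script: sh this-script.sh /run/xtables.lock
# A non-zero exit aborts startup before the kubelet creates kube-proxy.
if [ "$#" -gt 0 ]; then
    ensure_lock_file "$1"
fi
```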
Which issue this PR fixes: fixes #46103
Special notes for your reviewer:
Release note: