Fix panic in kube-proxy when iptables-save prints to stderr #78428

Merged
merged 3 commits into from Jun 1, 2019

@luksa
Member

commented May 28, 2019

What type of PR is this?
/kind bug

What this PR does / why we need it:
Fixes kube-proxy so it doesn't panic when parsing iptables-save output corrupted by warnings printed to stderr.

Which issue(s) this PR fixes:
Fixes #78443

Does this PR introduce a user-facing change?:

Fixed panic in kube-proxy when parsing iptables-save output

@k8s-ci-robot k8s-ci-robot added size/S and removed size/XS labels May 28, 2019

@luksa luksa changed the title from "Better error message if panic occurs during iptables-save output parsing" to "Fix panic in kube-proxy" May 28, 2019

@luksa

Member Author

commented May 28, 2019

/retest

@luksa luksa changed the title from "Fix panic in kube-proxy" to "Fix panic in kube-proxy when iptables-save prints to stderr" May 28, 2019

pkg/util/iptables/iptables.go Outdated

err := cmd.Run()
if err != nil {
stderrBuffer.WriteTo(buffer) // ignore error, since we need to return the original error
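
Review bot: in the `err != nil` branch, `stderrBuffer.WriteTo(buffer)` appends stderr after whatever stdout bytes are already in `buffer`, so on failure the buffer holds mixed content that no longer parses as iptables-save output. Either say in the function's doc comment that `buffer` must not be parsed when an error is returned, or call `buffer.Reset()` before the write so it carries only the diagnostic text.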

@dcbw

dcbw May 29, 2019

Member

@luksa do we want a buffer.Reset() here? If we don't, then the error output will be appended to the end of the stdout buffer, right?

@luksa

luksa May 29, 2019

Author Member

I thought it was best to leave anything that came in through stdout intact. I can add the reset if you think it makes more sense. The current callers never use the buffer if an error occurs, so it doesn't matter much right now.

@vllry

Contributor

commented May 30, 2019

/cc @vllry

@k8s-ci-robot k8s-ci-robot requested a review from vllry May 30, 2019

// we need to workaround it by redirecting stdout and stderr to buffer
// and explicitly calling Run() [CombinedOutput() underneath itself
// creates a new buffer, redirects stdout and stderr to it and also
// calls Run()].
cmd.SetStdout(buffer)
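
Review bot: the comment above `cmd.SetStdout(buffer)` still says the workaround redirects "stdout and stderr to buffer", while this line attaches only stdout and the error path in this PR reads from a separate `stderrBuffer`. Reword the comment to state which stream goes where and why they are kept apart, so a later cleanup does not point stderr back at the parsed buffer.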

@vllry

vllry May 30, 2019

Contributor

It would be nice to explicitly call this stdoutBuffer.

@luksa

luksa May 30, 2019

Author Member

But if the command fails, stderr is written to the buffer, so renaming it would be misleading.

@vllry

vllry May 30, 2019

Contributor

Ah, gotcha.

chain := Chain(line[1:bytes.Index(line, spaceBytes)])
spaceIndex := bytes.Index(line, spaceBytes)
if spaceIndex == -1 {
panic(fmt.Sprintf("Unexpected chain line in iptables-save output: %v", string(line)))
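
Review bot: the panic message formats the offending line with `%v` on `string(line)`, and this branch is reached exactly when the line holds unexpected bytes. Using `%q` on the line would show control characters, embedded newlines and trailing whitespace unambiguously in the log and keep the message on one line.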

@vllry

vllry May 30, 2019

Contributor

Is a panic preferable to introducing an error return?

@luksa

luksa May 30, 2019

Author Member

The original code panicked, but with a non-useful message. This change keeps the panic, but improves the message, so it's easier to see what the problem with the iptables-save output is.

Returning an error would require a bigger change to all the callers. Plus, it's impossible to know how to handle the error.

@dcbw

Member

commented May 30, 2019

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm label May 30, 2019

@k8s-ci-robot

Contributor

commented May 30, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dcbw, luksa

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@claurence


commented May 31, 2019

/milestone v1.15

@k8s-ci-robot k8s-ci-robot added this to the v1.15 milestone May 31, 2019

@k8s-ci-robot k8s-ci-robot merged commit 9b14c22 into kubernetes:master Jun 1, 2019
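
The failure mode discussed in this thread, as an added example that is not code from the PR or from kube-proxy: stdout and stderr are captured separately, and a chain line without a space is reported as an error rather than sliced with index -1. `runSave`, `parseChains` and both sample inputs are hypothetical or constructed, and the sketch uses `os/exec` directly instead of the wrapper whose `SetStdout` appears above.

```go
package main

import (
	"bytes"
	"fmt"
	"os/exec"
)

// runSave (hypothetical helper) gives stdout and stderr separate buffers so
// warnings cannot land inside the data that is parsed. On failure stderr is
// appended to out for diagnostics, and the caller must not parse out.
func runSave(out *bytes.Buffer, name string, args ...string) error {
	var errBuf bytes.Buffer
	cmd := exec.Command(name, args...)
	cmd.Stdout, cmd.Stderr = out, &errBuf
	if err := cmd.Run(); err != nil {
		errBuf.WriteTo(out) // write error ignored; the original error is returned
		return err
	}
	return nil
}

// parseChains (hypothetical) extracts NAME from ":NAME POLICY [pkts:bytes]"
// lines and returns an error for a chain line without a space.
func parseChains(save []byte) ([]string, error) {
	var chains []string
	for _, line := range bytes.Split(save, []byte("\n")) {
		if len(line) == 0 || line[0] != ':' {
			continue // not a chain declaration
		}
		sp := bytes.IndexByte(line, ' ')
		if sp == -1 {
			// Unguarded, line[1:sp] would slice with -1 and panic.
			return nil, fmt.Errorf("unexpected chain line in iptables-save output: %q", line)
		}
		chains = append(chains, string(line[1:sp]))
	}
	return chains, nil
}

// Constructed samples, not captured output.
var cleanSave = []byte("*nat\n:PREROUTING ACCEPT [0:0]\n:KUBE-SERVICES - [0:0]\nCOMMIT\n")
var corruptSave = []byte("*nat\n:PREROUTING ACCEPT [0:0]\n:KUBE-SERVICES\nconstructed-warning - [0:0]\nCOMMIT\n")

func main() {
	fmt.Println(parseChains(cleanSave))
	fmt.Println(parseChains(corruptSave))
}
```
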

20 checks passed

cla/linuxfoundation luksa authorized
pull-kubernetes-bazel-build Job succeeded.
pull-kubernetes-bazel-test Job succeeded.
pull-kubernetes-conformance-image-test Skipped.
pull-kubernetes-cross Skipped.
pull-kubernetes-dependencies Job succeeded.
pull-kubernetes-e2e-gce Job succeeded.
pull-kubernetes-e2e-gce-100-performance Job succeeded.
pull-kubernetes-e2e-gce-csi-serial Skipped.
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
pull-kubernetes-e2e-gce-storage-slow Skipped.
pull-kubernetes-godeps Skipped.
pull-kubernetes-integration Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big Job succeeded.
pull-kubernetes-local-e2e Skipped.
pull-kubernetes-node-e2e Job succeeded.
pull-kubernetes-typecheck Job succeeded.
pull-kubernetes-verify Job succeeded.
pull-publishing-bot-validate Skipped.
tide In merge pool.