Use iptables-restore xtables lock #1903
Conversation
- Disable our lock if iptables v1.6.2 is detected. - Re-use our lock timeout and probe interval config.
fasaxc
force-pushed
the
use-iptables-lock
branch
2 times, most recently
from
f0d8aba
to
fe7c37b
Compare
fasaxc
force-pushed
the
use-iptables-lock
branch
from
fe7c37b
to
492187b
Compare
fasaxc
changed the title
iptables/table.go
Outdated
| cmd.SetStdin(&inputBuf) | ||
| cmd.SetStdout(&outputBuf) | ||
| cmd.SetStderr(&errBuf) | ||
| countNumRestoreCalls.Inc() | ||
| t.writeLock.Lock() | ||
| t.calicoXtablesLock.Lock() // Will be a dummy lock if our xtables lock is disabled. |
There was a problem hiding this comment.
I'd prefer "Will be a dummy lock if iptables-restore is acquiring the xtables lock itself."
There was a problem hiding this comment.
There's more than one reason for it to be disabled but probably worth expanding the comment to explain.
iptables/table.go
Outdated
| cmd := t.newCmd(t.iptablesRestoreCmd, "--noflush", "--verbose") | ||
| args := []string{"--noflush", "--verbose"} | ||
| if features.RestoreSupportsLock { | ||
| // Versions of iptables-restore that support the xtables lock also make it mandatory. Make sure |
There was a problem hiding this comment.
By "mandatory", do you mean that iptables-restore will give up if the lock is not available immediately? Because it obviously isn't mandatory in the sense that you still need args to tell it to retry...
Mostly just checking my understanding here; I can't think of an obvious wording improvement to the comment.
There was a problem hiding this comment.
I mean, it won't proceed to do any iptables programming without the lock. Its default behaviour with no args is to quit immediately if it can't acquire the lock.
Will see if I can tighten up the wording.
Use iptables-restore xtables lock
Description
Based on feature-detection work added in #1901
Todos
Release Note