Merge branch '2.6'

.ruby-version

@@ -1 +1 @@
-2.3.0
+2.6.2

Makefile

@@ -25,7 +25,7 @@ ifeq ($(ARCH),amd64)
 	WEAVEEXEC_DOCKER_ARCH?=x86_64
 
 # The name of the alpine baseimage to use as the base for weave images
-	ALPINE_BASEIMAGE?=alpine:3.8
+	ALPINE_BASEIMAGE?=alpine:3.10
 
 # The extension for the made images
 # Specifying none means for example weaveworks/weave:latest

prog/weave-kube/launch.sh

@@ -6,6 +6,34 @@ modprobe_safe() {
     modprobe $1 || echo "Ignore the error if \"$1\" is built-in in the kernel" >&2
 }
 
+# Setup iptables backend to be legacy or nftable
+setup_iptables_backend() {
+    if [ -n "${IPTABLES_BACKEND}" ]; then
+      mode=$IPTABLES_BACKEND
+    else
+      # auto-detect if iptables backend mode to use if not specified explicitly
+      num_legacy_lines=$( (iptables-legacy-save || true) 2>/dev/null | grep '^-' | wc -l)
+      num_nft_lines=$( (iptables-nft-save || true) 2>/dev/null | grep '^-' | wc -l)
+      if [ "${num_legacy_lines}" -ge 10 ]; then
+        mode="legacy"
+      else
+        if [ "${num_legacy_lines}" -ge "${num_nft_lines}" ]; then
+          mode="legacy"
+        else
+          mode="nft"
+        fi
+      fi
+    fi
+    if [ $mode = "nft" ]; then
+      rm /sbin/iptables
+      rm /sbin/iptables-save
+      rm /sbin/iptables-restore
+      ln -s /sbin/iptables-nft /sbin/iptables
+      ln -s /sbin/iptables-nft-save /sbin/iptables-save
+      ln -s /sbin/iptables-nft-restore /sbin/iptables-restore
+    fi
+}
+
 # Check whether xt_set actually exists
 xt_set_exists() {
     # Clean everything up in advance, in case there's leftovers
@@ -24,6 +52,8 @@ xt_set_exists() {
     [ -z "$NOT_EXIST" ] || (echo "\"xt_set\" does not exist" >&2 && return 1)
 }
 
+setup_iptables_backend
+
 # Default if not supplied - same as weave net default
 IPALLOC_RANGE=${IPALLOC_RANGE:-10.32.0.0/12}
 HTTP_ADDR=${WEAVE_HTTP_ADDR:-127.0.0.1:6784}

prog/weave-kube/weave-daemonset-k8s-1.11.yaml

@@ -137,7 +137,7 @@ items:
                   port: 6784
               resources:
                 requests:
-                  cpu: 10m
+                  cpu: 50m
               securityContext:
                 privileged: true
               volumeMounts:
@@ -168,7 +168,7 @@ items:
 #npc-args
               resources:
                 requests:
-                  cpu: 10m
+                  cpu: 50m
               securityContext:
                 privileged: true
               volumeMounts:

prog/weave-kube/weave-daemonset-k8s-1.6.yaml

@@ -117,7 +117,7 @@ items:
                   port: 6784
               resources:
                 requests:
-                  cpu: 10m
+                  cpu: 50m
               securityContext:
                 privileged: true
               volumeMounts:
@@ -144,7 +144,7 @@ items:
               imagePullPolicy: Always
               resources:
                 requests:
-                  cpu: 10m
+                  cpu: 50m
               securityContext:
                 privileged: true
           hostNetwork: true

prog/weave-kube/weave-daemonset-k8s-1.7.yaml

@@ -126,7 +126,7 @@ items:
                   port: 6784
               resources:
                 requests:
-                  cpu: 10m
+                  cpu: 50m
               securityContext:
                 privileged: true
               volumeMounts:
@@ -156,7 +156,7 @@ items:
               imagePullPolicy: Always
               resources:
                 requests:
-                  cpu: 10m
+                  cpu: 50m
               securityContext:
                 privileged: true
               volumeMounts:

prog/weave-kube/weave-daemonset-k8s-1.8.yaml

@@ -134,7 +134,7 @@ items:
                   port: 6784
               resources:
                 requests:
-                  cpu: 10m
+                  cpu: 50m
               securityContext:
                 privileged: true
               volumeMounts:
@@ -165,7 +165,7 @@ items:
 #npc-args
               resources:
                 requests:
-                  cpu: 10m
+                  cpu: 50m
               securityContext:
                 privileged: true
               volumeMounts:

prog/weave-kube/weave-daemonset-k8s-1.9.yaml

@@ -137,7 +137,7 @@ items:
                   port: 6784
               resources:
                 requests:
-                  cpu: 10m
+                  cpu: 50m
               securityContext:
                 privileged: true
               volumeMounts:
@@ -168,7 +168,7 @@ items:
 #npc-args
               resources:
                 requests:
-                  cpu: 10m
+                  cpu: 50m
               securityContext:
                 privileged: true
               volumeMounts:

prog/weave-npc/launch.sh

@@ -2,5 +2,35 @@
 
 set -e
 
+# Setup iptables backend to be legacy or nftable
+setup_iptables_backend() {
+    if [ -n "${IPTABLES_BACKEND}" ]; then
+      mode=$IPTABLES_BACKEND
+    else
+      # auto-detect if iptables backend mode to use if not specified explicitly
+      num_legacy_lines=$( (iptables-legacy-save || true) 2>/dev/null | grep '^-' | wc -l)
+      num_nft_lines=$( (iptables-nft-save || true) 2>/dev/null | grep '^-' | wc -l)
+      if [ "${num_legacy_lines}" -ge 10 ]; then
+        mode="legacy"
+      else
+        if [ "${num_legacy_lines}" -ge "${num_nft_lines}" ]; then
+          mode="legacy"
+        else
+          mode="nft"
+        fi
+      fi
+    fi
+    if [ $mode = "nft" ]; then
+      rm /sbin/iptables
+      rm /sbin/iptables-save
+      rm /sbin/iptables-restore
+      ln -s /sbin/iptables-nft /sbin/iptables
+      ln -s /sbin/iptables-nft-save /sbin/iptables-save
+      ln -s /sbin/iptables-nft-restore /sbin/iptables-restore
+    fi
+}
+
+setup_iptables_backend
+
 # Start weave-npc with any flags specified in $EXTRA_ARGS as well as any flags passed to this container (for backwards compatibility)
 exec /usr/bin/weave-npc $EXTRA_ARGS $@

site/kubernetes/kube-addon.md

@@ -89,23 +89,18 @@ Kubernetes manages
 on each node, and only schedules pods to run on nodes that have enough
 free resources.
 
-The components of a typical Kubernetes installation (with the master
-node running etcd, scheduler, api-server, etc.) take up about 95% of a
-CPU, which leaves little room to run anything else. For all of Weave
-Net's features to work, it must run on every node, including the
-master.
-
-The best way to resolve this issue is to use machines with at least
-two CPU cores. However if you are installing Kubernetes and Weave Net
-for the first time, you may not be aware of this requirement. For this
-reason, Weave Net launches as a DaemonSet with a specification that
-reserves at least 1% CPU for each container. This enables Weave Net to
-start up seamlessly on a single-CPU node.
-
-Depending on the workload, Weave Net may need more than 1% of the
-CPU. The percentage set in the DaemonSet is the minimum and not a
-limit. This minimum setting allows Weave Net to take advantage of
-available CPU and "burst" above that limit if it needs to.
+In the example manifests we request 10% of a CPU, which will be enough
+for small installations, but you should monitor how much it uses in
+your production clusters and adjust the requests to suit.
+
+We do not recommend that you set a CPU or memory _limit_ unless you
+are very experienced in such matters, because the implementation of
+limits in the Linux kernel sometimes behaves in a surprising way.
+
+On a 1-node single-CPU cluster you may find Weave Net does not install
+at all, because other Kubernetes components already take 95% of the
+CPU. The best way to resolve this issue is to use machines with at
+least two CPU cores.
 
 ## <a name="eviction"></a>Pod Eviction
 
@@ -411,6 +406,7 @@ The list of variables you can set is:
 * `NO_MASQ_LOCAL` - set to 1 to preserve the client source IP address when
   accessing Service annotated with `service.spec.externalTrafficPolicy=Local`.
   The feature works only with Weave IPAM (default).
+* `IPTABLES_BACKEND` - set to `nft` to use `nftables` backend for `iptables` (default is `iptables`) 
 
 Example:
 ```