Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug fix. Incoming UDP packets not reach newly deployed services #32561

Merged
merged 1 commit into from
Dec 2, 2016
Merged

Bug fix. Incoming UDP packets not reach newly deployed services #32561

merged 1 commit into from
Dec 2, 2016

Conversation

zreigz
Copy link
Contributor

@zreigz zreigz commented Sep 13, 2016
edited by thockin
Loading

What this PR does / why we need it:

Incoming UDP packets not reach newly deployed services when old connection's state in conntrack is not cleared. When a packet arrives, it will not go through NAT table again, because it is not "the first" packet. The PR fix the issue

Which issue this PR fixes
Fixes #31983
xref moby/moby#8795

This change is Reviewable

@k8s-ci-robot
Copy link
Contributor

Can a kubernetes member verify that this patch is reasonable to test? If so, please reply with "ok to test" on its own line.

Regular contributors should join the org to skip this step.

While we transition away from the Jenkins GitHub PR Builder plugin, "ok to test" commenters will need to be on the admin list defined in this file.

@k8s-github-robot k8s-github-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. release-note-label-needed labels Sep 13, 2016
@zreigz zreigz mentioned this pull request Sep 13, 2016
Closed
@zreigz
Copy link
Contributor Author

zreigz commented Sep 26, 2016

cc @kubernetes/sig-network

@k8s-github-robot k8s-github-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 1, 2016
@zreigz
Copy link
Contributor Author

zreigz commented Oct 12, 2016

cc @kubernetes/sig-network PTAL

@k8s-github-robot k8s-github-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 12, 2016
@zreigz
Copy link
Contributor Author

zreigz commented Nov 3, 2016

Reviewed 1 of 1 files at r2.
Review status: all files reviewed at latest revision, all discussions resolved.

Comments from Reviewable

@k8s-github-robot k8s-github-robot added the do-not-merge DEPRECATED. Indicates that a PR should not merge. Label can only be manually applied/removed. label Nov 10, 2016
@apelisse apelisse removed the do-not-merge DEPRECATED. Indicates that a PR should not merge. Label can only be manually applied/removed. label Nov 11, 2016
@thockin thockin added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-label-needed labels Nov 21, 2016
@thockin thockin changed the title Bug fix. Incoming UDP packets not reach newly deployed services Clear stale conntrack for incoming UDP packets on nodePorts Nov 21, 2016
@thockin
Copy link
Member

thockin commented Nov 21, 2016

@k8s-bot ok to test

thockin
thockin reviewed Nov 21, 2016
View reviewed changes
pkg/proxy/iptables/proxier.go
@@ -1075,6 +1075,7 @@ func (proxier *Proxier) syncProxyRules() {
glog.V(4).Infof("Port %s was open before and is still needed", lp.String())
replacementPortsMap[lp] = proxier.portsMap[lp]
} else {

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a dead line - remove

pkg/proxy/iptables/proxier.go
// https://github.com/kubernetes/kubernetes/issues/31983
if lp.protocol == "udp" {
glog.V(2).Infof("Deleting conntrack entries for udp connections")
err := proxier.execConntrackTool("-D", "-p", "udp", "--dport", strconv.Itoa(lp.port))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't only happen once - this is going to happen periodically, unless I am mis-readng. I think you want to do this up around line 1077 (OpenLocalPort), when you know that this is a new nodePort, rather than a refresh. You might also do it way at the end of this function when we close nodeports we don't want any more.

But even that is not 100% correct. I think there's a bug here where, if the same nodeport were to be release and reused inside a single refresh loop it would fail. I think that will self-repair, though.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Nov 21, 2016
@zreigz
Copy link
Contributor Author

zreigz commented Nov 21, 2016

@thockin Done. I followed your comments and I've made necessary changes. I've tested it and works
PTAL

@k8s-ci-robot
Copy link
Contributor

Jenkins verification failed for commit f53a2c50e093044d9c6ddc13522b2a021fa749cf. Full PR test history.

The magic incantation to run this job again is @k8s-bot verify test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

@zreigz zreigz force-pushed the fix-incoming-udp branch 2 times, most recently from dffaf3f to cddfd2f Compare November 21, 2016 09:13
@zreigz zreigz changed the title Clear stale conntrack for incoming UDP packets on nodePorts Bug fix. Incoming UDP packets not reach newly deployed services Nov 21, 2016
@k8s-ci-robot
Copy link
Contributor

Jenkins unit/integration failed for commit cddfd2f. Full PR test history.

The magic incantation to run this job again is @k8s-bot unit test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

@thockin thockin self-assigned this Nov 30, 2016
@thockin thockin added this to the v1.5 milestone Nov 30, 2016
@thockin
Copy link
Member

thockin commented Nov 30, 2016

ok for post 1.5.0

@dims
Copy link
Member

dims commented Nov 30, 2016

Is this a real error or a flake?
https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/pr-logs/pull/32561/pull-kubernetes-unit/5897/

@dims
Copy link
Member

dims commented Nov 30, 2016

moving this to post 1.5.0 == 1.6 :)

@dims dims modified the milestones: v1.6, v1.5 Nov 30, 2016
thockin
thockin approved these changes Dec 1, 2016
View reviewed changes
Copy link
Member

@thockin thockin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am going to LGTM and see if you can fix it before the bot merges it. If not, please send a followup :)

pkg/proxy/iptables/proxier.go
glog.V(2).Infof("Deleting conntrack entries for udp connections")
if port > 0 {
err = proxier.execConntrackTool("-D", "-p", "udp", "--dport", strconv.Itoa(port))
} else {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't really need this fallback path any more - would be safer to just log.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@thockin thockin added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 1, 2016
@k8s-github-robot k8s-github-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 1, 2016
@zreigz
Copy link
Contributor Author

zreigz commented Dec 1, 2016

Reviewed 1 of 1 files at r5.
Review status: all files reviewed at latest revision, 5 unresolved discussions.

Comments from Reviewable

@thockin thockin added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 1, 2016
@thockin
Copy link
Member

thockin commented Dec 1, 2016

LGTM!

@zreigz
Copy link
Contributor Author

zreigz commented Dec 1, 2016

Thanks

@zreigz
Copy link
Contributor Author

zreigz commented Dec 1, 2016

Reviewed 1 of 1 files at r5.
Review status: all files reviewed at latest revision, 5 unresolved discussions.

Comments from Reviewable

@k8s-github-robot
Copy link

@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]

@k8s-github-robot
Copy link

Automatic merge from submit-queue

@k8s-github-robot k8s-github-robot merged commit 9defe2c into kubernetes:master Dec 2, 2016
@jfoy
Copy link
Contributor

jfoy commented Jan 13, 2017

I'm confused - how is this different from #22573 ?

@bjoernhaeuser
Copy link

Will this be cherry-picked for 1.5.?

@thockin
Copy link
Member

thockin commented Feb 6, 2017 via email

@efficks efficks mentioned this pull request Feb 6, 2017
Closed
@rfay rfay mentioned this pull request Mar 31, 2017
Closed
@cmluciano cmluciano mentioned this pull request Dec 6, 2017
Closed
@timchenxiaoyu
Copy link
Contributor

why TCP doesn't this problem ?

@andrewsykim andrewsykim mentioned this pull request Oct 31, 2019
Closed
@aojea aojea mentioned this pull request Jun 14, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thockin thockin thockin approved these changes

Assignees

@thockin thockin

Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
v1.6
Development

Successfully merging this pull request may close these issues.

Incoming UDP packets not reach newly deployed services