proxy: remove iptables wait interval flag #131961
Conversation
k8s-ci-robot
added
release-note
|
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
needs-priority
|
/assign @aojea @dims @BenTheElder |
cyclinder
force-pushed
the
fix_proxy_unknown_option
branch
from
dfe2c52 to
d0c611b
Compare
|
UT needs an update. still failed for |
|
kubernetes/pkg/proxy/iptables/proxier.go Lines 918 to 922 in 3044a4c */ipvs/proxier.go
|
I think it's a kernel issue? see k3s-io/k3s#11175, Is better to upgrade the kernel to fix it? |
pkg/util/iptables/iptables.go
Outdated
| @@ -703,7 +706,7 @@ func getIPTablesVersion(exec utilexec.Interface, protocol Protocol) (*utilversio | |||
| // Checks if iptables version has a "wait" flag | |||
| func getIPTablesWaitFlag(version *utilversion.Version) []string { | |||
| switch { | |||
| case version.AtLeast(WaitIntervalMinVersion): | |||
| case version.AtLeast(WaitIntervalMinVersion) && version.LessThan(WaitIntervalMaxVersion): | |||
There was a problem hiding this comment.
I think we also need to change getIPTablesRestoreWaitFlag in line 718
ip6tables-legacy-restore -w 5 -W 100000 < save.txt
Ignoring deprecated --wait-interval option.
# ip6tables-legacy -L -w 5 -W 10000
Ignoring deprecated --wait-interval option.
There was a problem hiding this comment.
thanks! I have added it.
yeah, that part will be handled in kubernetes/test-infra#34851 |
|
@cyclinder one last comment https://github.com/kubernetes/kubernetes/pull/131961/files#r2106792344 to fix the restore part too and this lgtm |
cyclinder
force-pushed
the
fix_proxy_unknown_option
branch
from
d0c611b to
858fd5e
Compare
k8s-ci-robot
added
size/L
|
unti test failure looks legit // TestRestoreAllWait tests that the "wait" flag is passed to a compatible iptables-restore
func TestRestoreAllWait(t *testing.T) {
fcmd := fakeexec.FakeCmd{
CombinedOutputScript: []fakeexec.FakeAction{
// iptables version check
func() ([]byte, []byte, error) { return []byte("iptables v1.9.22"), nil, nil },
func() ([]byte, []byte, error) { return []byte{}, nil, nil },
func() ([]byte, []byte, error) { return nil, nil, &fakeexec.FakeExitError{Status: 1} },
}, |
|
/assign @danwinship @aojea |
cyclinder
force-pushed
the
fix_proxy_unknown_option
branch
from
858fd5e to
70e18c2
Compare
cyclinder
changed the title
cyclinder
force-pushed
the
fix_proxy_unknown_option
branch
2 times, most recently
from
cd4b3b2 to
fc881da
Compare
|
Needs |
|
fixes #132006 |
@BenTheElder this is not a problem, is a warning #131961 (comment) |
| waitFlag: []string{"-w", "5", "-W", "100000"}, | ||
| restoreWaitFlag: []string{"-w", "5", "-W", "100000"}, | ||
| waitFlag: []string{"-w", "5"}, | ||
| restoreWaitFlag: []string{"-w", "5"}, | ||
| }, |
There was a problem hiding this comment.
you need to update line 332 to remove the -W since the test panics now
-- FAIL: TestNewDualStack/both_available (0.00s)
=== RUN TestNewDualStack
--- FAIL: TestNewDualStack (0.00s)
panic: command (iptables) received with extra/missing arguments. Expected [iptables -w 5 -W 100000 -S POSTROUTING -t nat], Received [iptables -w 5 -S POSTROUTING -t nat] [recovered]
panic: command (iptables) received with extra/missing arguments. Expected [iptables -w 5 -W 100000 -S POSTROUTING -t nat], Received [iptables -w 5 -S POSTROUTING -t nat]
goroutine 15 [running]:
testing.tRunner.func1.2({0xb1b040, 0xc000063590})
/home/prow/go/src/k8s.io/kubernetes/_output/local/go/cache/mod/golang.org/toolchain@v0.0.1-go1.24.3.linux-amd64/src/testing/testing.go:1734 +0x3eb
testing.tRunner.func1()
/home/prow/go/src/k8s.io/kubernetes/_output/local/go/cache/mod/golang.org/toolchain@v0.0.1-go1.24.3.linux-amd64/src/testing/testing.go:1737 +0x696
panic({0xb1b040?, 0xc000063590?})
/home/prow/go/src/k8s.io/kubernetes/_output/local/go/cache/mod/golang.org/toolchain@v0.0.1-go1.24.3.linux-amd64/src/runtime/panic.go:792 +0x132
k8s.io/utils/exec/testing.(*FakeExec).Command(0xc00029c400, {0xbf748a, 0x8}, {0xc000209c80, 0x6, 0x8})
/home/prow/go/src/k8s.io/kubernetes/vendor/k8s.io/utils/exec/testing/fake_exec.go:65 +0x82e
k8s.io/utils/exec/testing.(*FakeExec).CommandContext(0xc00029c400, {0x6?, 0x8?}, {0xbf748a, 0x8}, {0xc000209c80, 0x6, 0x8})
/home/prow/go/src/k8s.io/kubernetes/vendor/k8s.io/utils/exec/testing/fake_exec.go:90 +0x65
k8s.io/kubernetes/pkg/util/iptables.(*runner).runContext(0xc000209b80, {0xce9be0, 0x1077b40}, {0xbf5d45, 0x2}, {0xc000205d60, 0x3, 0x20?})
/home/prow/go/src/k8s.io/kubernetes/pkg/util/iptables/iptables.go:493 +0x44f
k8s.io/kubernetes/pkg/util/iptables.(*runner).run(...)
/home/prow/go/src/k8s.io/kubernetes/pkg/util/iptables/iptables.go:482
k8s.io/kubernetes/pkg/util/iptables.(*runner).ChainExists(0xc000209b80, {0xbf5eaa, 0x3}, {0xbf9041, 0xb})
/home/prow/go/src/k8s.io/kubernetes/pkg/util/iptables/iptables.go:651 +0x373
k8s.io/kubernetes/pkg/util/iptables.(*runner).Present(0xc000209b80)
/home/prow/go/src/k8s.io/kubernetes/pkg/util/iptables/iptables.go:759 +0x3f
k8s.io/kubernetes/pkg/util/iptables.newDualStackInternal({0xce5ea8, 0xc00029c400})
/home/prow/go/src/k8s.io/kubernetes/pkg/util/iptables/iptables.go:255 +0x78
k8s.io/kubernetes/pkg/util/iptables.TestNewDualStack.func17(0xc000239dc0)
/home/prow/go/src/k8s.io/kubernetes/pkg/util/iptables/iptables_test.go:332 +0x4b
testing.tRunner(0xc000239dc0, 0xc00029c3c0)
/home/prow/go/src/k8s.io/kubernetes/_output/local/go/cache/mod/golang.org/toolchain@v0.0.1-go1.24.3.linux-amd64/src/testing/testing.go:1792 +0x226
created by testing.(*T).Run in goroutine 14
/home/prow/go/src/k8s.io/kubernetes/_output/local/go/cache/mod/golang.org/toolchain@v0.0.1-go1.24.3.linux-amd64/src/testing/testing.go:1851 +0x8f3
}
Check the issue :-) |
|
lol, answering from email so I assumed it was the same issue, |
cyclinder
force-pushed
the
fix_proxy_unknown_option
branch
from
fc881da to
50fb132
Compare
pkg/util/iptables/monitor_test.go
Outdated
| // Find the operation, chain name, and table name in the arguments | ||
| // The command structure can vary based on the iptables version and wait flags | ||
| // but will always have these components | ||
| var op operation | ||
| var chainName, tableName string | ||
| tableIndex := -1 | ||
| opIndex := -1 | ||
|
|
||
| // Find the table argument (-t) | ||
| for i, arg := range mfc.args { | ||
| if arg == "-t" && i+1 < len(mfc.args) { | ||
| tableName = mfc.args[i+1] | ||
| tableIndex = i | ||
| break | ||
| } | ||
| } | ||
|
|
||
| if tableIndex == -1 { | ||
| panic(fmt.Sprintf("no table specified in args %#v", mfc.args)) | ||
| } | ||
| op := operation(mfc.args[4]) | ||
| chainName := mfc.args[5] | ||
| tableName := mfc.args[7] | ||
|
|
||
| // Find the operation (like -N, -X, -F, etc.) | ||
| for i, arg := range mfc.args { | ||
| if i > 0 && strings.HasPrefix(arg, "-") && !strings.HasPrefix(arg, "--") && | ||
| arg != "-t" && arg != "-w" && arg != "-W" && i != tableIndex+1 { | ||
| op = operation(arg) | ||
| opIndex = i | ||
| break | ||
| } | ||
| } | ||
|
|
||
| if opIndex == -1 || opIndex+1 >= len(mfc.args) { | ||
| panic(fmt.Sprintf("no operation found in args %#v", mfc.args)) | ||
| } | ||
|
|
||
| // The chain name typically follows the operation | ||
| chainName = mfc.args[opIndex+1] |
There was a problem hiding this comment.
we move from a statically hardcoded arguments match to a new dynamic logic to find the same parameters, @danwinship already did this for kube-proxy so he'll be the better to judge it, either works for me
/lgtm
There was a problem hiding this comment.
This isn't necessary. monitorFakeExec/monitorFakeCmd isn't intended to handle arbitrary iptables commands, it's intended only to handle the things that Monitor / TestIPTablesMonitor do. (eg, 99% of the monitorFakeCmd methods just panic, because the code "knows" that they won't be called.) All of the commands we have to parse are generated by runContext() from iptables.go, and it always puts the arguments in the same order.
There was a problem hiding this comment.
Ok, I didn't know the contexts. I see some UT fails in the monitorFakeExec/monitorFakeCmd when I removed the -W flag, this function CombinedOutput checks the mfc.args[2] != WaitIntervalString || mfc.args[3] != WaitIntervalUsecondsValue, so I made these changes. I can revert these changes, but I need to find a Linux machine to test it.
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: c00bdddeeb3d38d9c44f6d6bd4f3dbdcc1d70869
|
Signed-off-by: cyclinder <kuocyclinder@gmail.com>
cyclinder
force-pushed
the
fix_proxy_unknown_option
branch
from
50fb132 to
0a96613
Compare
k8s-ci-robot
removed
the
lgtm
| @@ -192,12 +192,6 @@ const WaitString = "-w" | |||
| // WaitSecondsValue a constant for specifying the default wait seconds | |||
| const WaitSecondsValue = "5" | |||
|
|
|||
| // WaitIntervalString a constant for specifying the wait interval flag | |||
There was a problem hiding this comment.
WaitIntervalMinVersion line 180 can also be removed but this can be a follow up, seems we are all set now
/lgtm
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 22f63bd86df41c5405262dbdc8cebbd5056500bf
|
|
/lgtm We can also remove a constant #131961 (comment) |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aojea, cyclinder The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
I will open another PR to fix #131961 (comment) and #131961 (comment) |
What type of PR is this?
/kind bug
What this PR does / why we need it:
Add version check for iptables cli wait interval flag compatibility, see #131948
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: