mirror of https://github.com/k3s-io/k3s
902d53d5e7
Automatic merge from submit-queue (batch tested with PRs 43575, 44672) util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker: "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e which is not yet in a release. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234 @eparis @knobunc @kubernetes/rh-networking @kubernetes/sig-network-misc @freehan @thockin @brendandburns |
||
|---|---|---|
| .. | ||
| testing | ||
| BUILD | ||
| doc.go | ||
| iptables.go | ||
| iptables_test.go | ||
| save_restore.go | ||