Merge pull request #55247 from squeed/kubenet_disable_dad

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. kubenet: disable DAD in the container. Since kubenet externally guarantees that IP address will not conflict, we can short-circuit the kernel's normal wait. This lets us avoid the 1 second network wait. **What this PR does / why we need it**: Fixes the pod startup latency identified in #54651 and #55060 **Release note**: ```release-note NONE ```
2025-07-24 04:06:03 +00:00 · 2017-11-09 00:46:36 -08:00 · 2017-11-09 00:46:36 -08:00 · 0c6e2256b0
commit 0c6e2256b0
parent 0d088609b3 23f4afc463
1 changed files with 45 additions and 0 deletions
--- a/pkg/kubelet/network/kubenet/kubenet_linux.go
+++ b/pkg/kubelet/network/kubenet/kubenet_linux.go
@ -304,6 +304,11 @@ func (plugin *kubenetNetworkPlugin) Capabilities() utilsets.Int {
 // TODO: Don't pass the pod to this method, it only needs it for bandwidth
 // shaping and hostport management.
 func (plugin *kubenetNetworkPlugin) setup(namespace string, name string, id kubecontainer.ContainerID, pod *v1.Pod, annotations map[string]string) error {
+	// Disable DAD so we skip the kernel delay on bringing up new interfaces.
+	if err := plugin.disableContainerDAD(id); err != nil {
+		glog.V(3).Infof("Failed to disable DAD in container: %v", err)
+	}
+
 	// Bring up container loopback interface
 	if _, err := plugin.addContainerToNetwork(plugin.loConfig, "lo", namespace, name, id); err != nil {
 		return err
@ -820,3 +825,43 @@ func (plugin *kubenetNetworkPlugin) syncEbtablesDedupRules(macAddr net.HardwareA
 		return
 	}
 }
+
+// disableContainerDAD disables duplicate address detection in the container.
+// DAD has a negative affect on pod creation latency, since we have to wait
+// a second or more for the addresses to leave the "tentative" state. Since
+// we're sure there won't be an address conflict (since we manage them manually),
+// this is safe. See issue 54651.
+//
+// This sets net.ipv6.conf.default.dad_transmits to 0. It must be run *before*
+// the CNI plugins are run.
+func (plugin *kubenetNetworkPlugin) disableContainerDAD(id kubecontainer.ContainerID) error {
+	key := "net/ipv6/conf/default/dad_transmits"
+
+	sysctlBin, err := plugin.execer.LookPath("sysctl")
+	if err != nil {
+		return fmt.Errorf("Could not find sysctl binary: %s", err)
+	}
+
+	netnsPath, err := plugin.host.GetNetNS(id.ID)
+	if err != nil {
+		return fmt.Errorf("Failed to get netns: %v", err)
+	}
+	if netnsPath == "" {
+		return fmt.Errorf("Pod has no network namespace")
+	}
+
+	// If the sysctl doesn't exist, it means ipv6 is disabled; log and move on
+	if _, err := plugin.sysctl.GetSysctl(key); err != nil {
+		return fmt.Errorf("Ipv6 not enabled: %v", err)
+	}
+
+	output, err := plugin.execer.Command(plugin.nsenterPath,
+		fmt.Sprintf("--net=%s", netnsPath), "-F", "--",
+		sysctlBin, "-w", fmt.Sprintf("%s=%s", key, "0"),
+	).CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("Failed to write sysctl: output: %s error: %s",
+			output, err)
+	}
+	return nil
+}