From d6427cd0d798c1cea8381a9c52de417438f99a1d Mon Sep 17 00:00:00 2001
From: Rudi Chiarito
Date: Thu, 28 Jul 2016 16:01:00 -0400
Subject: [PATCH] kubelet: use util/iptables, which uses -w (lock wait) where safe

---
 pkg/kubelet/container_bridge.go | 31 +++++++++++-------------------
 pkg/kubelet/kubelet.go          |  4 ++++
 pkg/kubelet/kubelet_network.go  |  2 +-
 3 files changed, 16 insertions(+), 21 deletions(-)

diff --git a/pkg/kubelet/container_bridge.go b/pkg/kubelet/container_bridge.go
index 52555023088..55a1f4827b0 100644
--- a/pkg/kubelet/container_bridge.go
+++ b/pkg/kubelet/container_bridge.go
@@ -18,6 +18,7 @@ package kubelet
 
 import (
 	"bytes"
+	"fmt"
 	"net"
 	"os"
 	"os/exec"
@@ -25,6 +26,7 @@ import (
 
 	"github.com/golang/glog"
 	"k8s.io/kubernetes/pkg/util"
+	"k8s.io/kubernetes/pkg/util/iptables"
 )
 
 var cidrRegexp = regexp.MustCompile(`inet ([0-9a-fA-F.:]*/[0-9]*)`)
@@ -140,28 +142,17 @@ func cbr0CidrCorrect(wantCIDR *net.IPNet) bool {
 	return wantCIDR.IP.Equal(cbr0IP) && bytes.Equal(wantCIDR.Mask, cbr0CIDR.Mask)
 }
 
-// TODO(dawnchen): Using pkg/util/iptables
-// nonMasqueradeCIDR is the CIDR for our internal IP range; traffic to IPs outside this range will use IP masquerade.
-func ensureIPTablesMasqRule(nonMasqueradeCIDR string) error {
-	// Check if the MASQUERADE rule exist or not
-	if err := exec.Command("iptables",
-		"-t", "nat",
-		"-C", "POSTROUTING",
-		"!", "-d", nonMasqueradeCIDR,
+// nonMasqueradeCIDR is the CIDR for our internal IP range; traffic to IPs
+// outside this range will use IP masquerade.
+func ensureIPTablesMasqRule(client iptables.Interface, nonMasqueradeCIDR string) error {
+	if _, err := client.EnsureRule(iptables.Append, iptables.TableNAT,
+		iptables.ChainPostrouting,
+		"-m", "comment", "--comment", "kubelet: SNAT outbound cluster traffic",
 		"-m", "addrtype", "!", "--dst-type", "LOCAL",
-		"-j", "MASQUERADE").Run(); err == nil {
-		// The MASQUERADE rule exists
-		return nil
-	}
-
-	glog.Infof("MASQUERADE rule doesn't exist, recreate it (with nonMasqueradeCIDR %s)", nonMasqueradeCIDR)
-	if err := exec.Command("iptables",
-		"-t", "nat",
-		"-A", "POSTROUTING",
 		"!", "-d", nonMasqueradeCIDR,
-		"-m", "addrtype", "!", "--dst-type", "LOCAL",
-		"-j", "MASQUERADE").Run(); err != nil {
-		return err
+		"-j", "MASQUERADE"); err != nil {
+		return fmt.Errorf("Failed to ensure masquerading for %s chain %s: %v",
+			iptables.TableNAT, iptables.ChainPostrouting, err)
 	}
 	return nil
 }
diff --git a/pkg/kubelet/kubelet.go b/pkg/kubelet/kubelet.go
index 3d2896202fd..ba162ac38dd 100644
--- a/pkg/kubelet/kubelet.go
+++ b/pkg/kubelet/kubelet.go
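Review bot: The `_` on the `if _, err := client.EnsureRule(...)` line discards the first result, which in util/iptables reports whether the rule was already present, so the glog.Infof the old code emitted whenever the MASQUERADE rule had to be recreated is gone; a rule that keeps vanishing (for example because something else on the host flushes nat/POSTROUTING) is now silently re-appended on every sync with no trace in the kubelet log, which is exactly the signal an operator would want when hunting for unexpected rule churn. Keeping it costs a few lines: bind the first result and log when it is false, as sketched below. Separately, the new spec adds `-m comment --comment "kubelet: SNAT outbound cluster traffic"`, so on an upgraded node the existence check will not match the comment-less rule installed by the previous code and a second, near-identical MASQUERADE rule is appended beside it; the legacy rule is never removed, which deserves either a cleanup step or a comment stating that the duplicate is tolerated. The error string `"Failed to ensure masquerading for ..."` should also be lowercase without the "Failed to" prefix, since the caller in kubelet_network.go already wraps it with its own prefix.
```go
func ensureIPTablesMasqRule(client iptables.Interface, nonMasqueradeCIDR string) error {
	existed, err := client.EnsureRule(iptables.Append, iptables.TableNAT,
		iptables.ChainPostrouting,
		// … unchanged: comment, addrtype, "! -d" and "-j MASQUERADE" arguments …
		"-j", "MASQUERADE")
	if err != nil {
		return fmt.Errorf("ensuring masquerade rule in %s chain %s: %v",
			iptables.TableNAT, iptables.ChainPostrouting, err)
	}
	if !existed {
		// Worth a log line: a missing rule here means it was never installed
		// or something else on the host removed it since the last sync.
		glog.Infof("MASQUERADE rule was missing from %s/%s, recreated it (nonMasqueradeCIDR %s)",
			iptables.TableNAT, iptables.ChainPostrouting, nonMasqueradeCIDR)
	}
	return nil
}
```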
@@ -75,10 +75,12 @@ import (
 	"k8s.io/kubernetes/pkg/types"
 	"k8s.io/kubernetes/pkg/util/bandwidth"
 	"k8s.io/kubernetes/pkg/util/clock"
+	utildbus "k8s.io/kubernetes/pkg/util/dbus"
 	utilerrors "k8s.io/kubernetes/pkg/util/errors"
 	utilexec "k8s.io/kubernetes/pkg/util/exec"
 	"k8s.io/kubernetes/pkg/util/flowcontrol"
 	kubeio "k8s.io/kubernetes/pkg/util/io"
+	utilipt "k8s.io/kubernetes/pkg/util/iptables"
 	"k8s.io/kubernetes/pkg/util/mount"
 	"k8s.io/kubernetes/pkg/util/oom"
 	"k8s.io/kubernetes/pkg/util/procfs"
@@ -360,6 +362,7 @@ func NewMainKubelet(
 		enableCustomMetrics: enableCustomMetrics,
 		babysitDaemons: babysitDaemons,
 		enableControllerAttachDetach: enableControllerAttachDetach,
+		iptClient: utilipt.New(utilexec.New(), utildbus.New(), utilipt.ProtocolIpv4),
 	}
 
 	if klet.flannelExperimentalOverlay {
@@ -560,6 +563,7 @@ type Kubelet struct {
 	dockerClient dockertools.DockerInterface
 	runtimeCache kubecontainer.RuntimeCache
 	kubeClient clientset.Interface
+	iptClient utilipt.Interface
 	rootDirectory string
 
 	// podWorkers handle syncing Pods in response to events.
diff --git a/pkg/kubelet/kubelet_network.go b/pkg/kubelet/kubelet_network.go
index 59548dfe9fb..1a34efa5b70 100644
--- a/pkg/kubelet/kubelet_network.go
+++ b/pkg/kubelet/kubelet_network.go
@@ -255,7 +255,7 @@ func (kl *Kubelet) syncNetworkStatus() {
 		}
 		kl.updatePodCIDR(podCIDR)
 	}
-	if err := ensureIPTablesMasqRule(kl.nonMasqueradeCIDR); err != nil {
+	if err := ensureIPTablesMasqRule(kl.iptClient, kl.nonMasqueradeCIDR); err != nil {
 		err = fmt.Errorf("Error on adding ip table rules: %v", err)
 		glog.Error(err)
 		kl.runtimeState.setNetworkState(err)
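Review bot: The new `iptClient utilipt.Interface` field in the Kubelet struct (hunk @@ -560,6 +563,7 @@) has no comment, and nothing at the declaration says what it is used for or where it is populated; since it is a handle onto host firewall state, a reader should not have to grep for it. A one-liner such as `// iptClient manipulates the host's iptables (nat MASQUERADE rule, see ensureIPTablesMasqRule); populated by NewMainKubelet.` would do, with "only" added if NewMainKubelet is indeed the sole constructor, which this patch alone does not show. The struct declaration continues outside the hunk.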
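Review bot: In the kubelet_network.go hunk, `kl.iptClient` is now passed on every network sync, but as far as this patch shows it is only assigned in NewMainKubelet; a Kubelet built any other way (test helpers that fill the struct directly, for instance) would reach a nil-interface method call inside EnsureRule and panic in syncNetworkStatus instead of recording a network error as the surrounding code intends. If such construction paths exist, give them a fake iptables client or fail soft here, e.g. `if kl.iptClient == nil { kl.runtimeState.setNetworkState(fmt.Errorf("no iptables client configured")); return }` placed before the call, so the condition surfaces through the same runtimeState channel as every other network fault. syncNetworkStatus starts and ends outside the hunk.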