This patch removes mount.Exec entirely and instead uses the common
utility from k8s.io/utils/exec.
The fake exec implementation found in k8s.io/utils/exec differs a bit
than mount.Exec, with the ability to pre-script expected calls to
Command.CombinedOutput(), so tests that previously relied on a callback
mechanism to produce specific output have been updated to use that
mechanism.
This patch moves fake.go to mount_fake.go, and follows to principle of
always returning a discrete type rather than an Interface. All callers
of "FakeMounter" are changed to instead use "NewFakeMounter()". The
FakeMounter "Log" struct member is changed to not be exported, and
instead only access through a new "GetLog()" method.
The tests were using a fake timer that only ticked when the test cases
told it to, so it would only be correctly testing the
BoundedFrequencyRunner functionality if the test cases made it tick
whenever the BFR timer was supposed to expire, and didn't make it tick
at any other time. But they didn't do that. Fix it to tick
automatically at the correct times, and update the test cases
accordingly (including adding a new helper method for asserting that
the runner did nothing in cases when it's expected to have done
nothing).
Also fix two unrelated minor bugs in fakeTimer.
Kubelet and kube-proxy both had loops to ensure that their iptables
rules didn't get deleted, by repeatedly recreating them. But on
systems with lots of iptables rules (ie, thousands of services), this
can be very slow (and thus might end up holding the iptables lock for
several seconds, blocking other operations, etc).
The specific threat that they need to worry about is
firewall-management commands that flush *all* dynamic iptables rules.
So add a new iptables.Monitor() function that handles this by creating
iptables-flush canaries and only triggering a full rule reload after
noticing that someone has deleted those chains.
The firewalld monitoring code was not well tested (and not easily
testable), would never be triggered on most platforms, and was only
being taken advantage of from one place (kube-proxy), which didn't
need it anyway since it already has its own resync loop.
Since the firewalld monitoring was the only consumer of pkg/util/dbus,
we can also now delete that.
Work around Linux kernel bug that sometimes causes multiple flows to
get mapped to the same IP:PORT and consequently some suffer packet
drops.
Also made the same update in kubelet.
Also added cross-pointers between the two bodies of code, in comments.
Some day we should eliminate the duplicate code. But today is not
that day.
This patch moves the HostUtil functionality from the util/mount package
to the volume/util/hostutil package.
All `*NewHostUtil*` calls are changed to return concrete types instead
of interfaces.
All callers are changed to use the `*NewHostUtil*` methods instead of
directly instantiating the concrete types.
The MakeFile and MakeDir methods in the HostUtil interface only had one
caller -- the Host Path volume plugin. This patch relocates MakeFile and
MakeDir to the Host Path plugin itself.
Increased the number of tries in pkg/util/node/node.go::GetNodeIP by
1, because the kube-proxy was giving up too early.
This is meant to address #81879
This patch takes all the HostUtil functionality currently found in
mount*.go files and copies it into hostutil*.go files. Care was taken to
preserve git history to the fullest extent.
As part of doing this, some common functionality was moved into
mount_helper files in preperation for HostUtils to stay in k/k and Mount
to move out. THe tests for each relevant function were moved to test
files to match the appropriate location.
This patch renames GetFSGroup (a process property) to GetOwner (a file
property), returning both the uid and gid of the given pathname. This
method is only used in one place in the k/k codebase, but having
"GetOwner" instead of "GetGroup" seems to have more utility.
This patch adds comments to exported items that were missing them in
order to make the linter happy. Only code changes that were limited to
the scope of this package were made. There are other linting issues that
will effect callers, and that will be done a seperate patch.
The iptables code was doing version detection on the iptables binary
but feature detection on the iptables-restore binary, to try to
support the version of iptables in RHEL 7, which claims to be 1.4.21
but has certain features from iptables 1.6.
The problem is that this particular set of versions and checks
resulted in the code passing "-w" ("wait forever for the lock") to
iptables, but "-w 5" ("wait at most 5 seconds for the lock") to
iptables-restore. On systems with very very many iptables rules, this
could result in the kubelet periodic resyncs (which use "iptables")
blocking kube-proxy (which uses "iptables-restore") and causing it to
time out.
We already have code to grab the lock file by hand when using a
version of iptables-restore that doesn't support "-w", and it works
fine. So just use that instead, and only pass "-w 5" to
iptables-restore when iptables reports a version that actually
supports it.
ipvs `getProxyMode` test fails on mac as `utilipvs.GetRequiredIPVSMods`
try to reach `/proc/sys/kernel/osrelease` to find version of the running
linux kernel. Linux kernel version is used to determine the list of required
kernel modules for ipvs.
Logic to determine kernel version is moved to GetKernelVersion
method in LinuxKernelHandler which implements ipvs.KernelHandler.
Mock KernelHandler is used in the test cases.
Read and parse file is converted to go function instead of execing cut.
This patch refactors pkg/util/mount to be more usable outside of
Kubernetes. This is done by refactoring mount.Interface to only contain
methods that are not K8s specific. Methods that are not relevant to
basic mount activities but still have OS-specific implementations are
now found in a mount.HostUtils interface.
Since pkg/util/mount is going to move out of k/k, this exported constant
that is Kubernetes specific needed to move somewhere else. Made sense to
move it to pkg/volume/util.
Update GetDeviceNameFromMount in the mount interface to now take a
pluginMountDir argument, which is volume plugin dir with the global
mount path appended to it already.
Kube-proxy must atleast wait for some duration for the node to defined so that it can fetch the node IP. This node IP is currently used in ipvs proxier for the node-port services.
This patch moves the ExecMounter found in pkg/util/mount to
pkg/volume/util/exec. This is done in preparation for pkg/util/mount to
move out of tree. This specific implemention of mount.Interface is only
used internally to K8s and does not need to move out of tree.
* Gentoo has init scripts for kubelet
* Added a new method of the InitSystem Interface
This helps issuing nicer messages when not on systemd.
* OpenRCInitSystem.ServiceExists uses CombinedOutput because
the behaviour of OpenRC is different from systemd.
This is a partial fix for
https://github.com/kubernetes/kubeadm/issues/1295
As part of moving pkg/util/mount out of tree, the NSEnter implementation
of mount.Interface needs to be relocated out of pkg/util/mount, as it is
K8s specific. This patch relocates that mounter implementation to
pkg/volume/util/nsenter.
Since the NSEnter mounter shares a lot of its logic with the Linux
mounter implementation, many of the previously private methods of the
Linux mounter are now made public to maintain that shared code.
Additionaly, it was observed that *all* mount.Interface implemenations
were using the same common method for IsNotMountPoint, so this patch
removes that method from the mount.Interface definition and just exports
the common implementation instead.
As part of wanting to move the mount library into staging and then
k8s.io/utils, there can be no dependencies on k/k code, and that
includes k/apimachinery.
This patch makes a small implementation change to no longer need
k8s.io/apimachinery/pkg/util/sets
fix log warning
use IsCorruptedMnt in GetMountRefs on Windows
use errorno in IsCorruptedMnt check
fix comments: add more error code
add more error no checking
change year
fix comments
Files in pkg/util/mount that contain significant code implementation for
subpaths are moved to a new package at pkg/volume/util/subpath. This
move is done in order to preserve git history.
While running unit tests for perf on a Kube cluster with a memory backed
emptydir as TMPDIR, TestSafeMakeDir failed with:
```
--- FAIL: TestSafeMakeDir (0.01s)
mount_linux_test.go:661: test "directory-exists": expected permissions 20000000750, got 20020000750
```
(TMPDIR set to /tmp/volume, /tmp/volume is EmptyDir with type Memory)
The test doesn't actually care about `os.ModeSetgid`, so specifically mask it out when testing this way.
RequiredIPVSKernelModulesAvailable warning confuses users suggesting
that the IPVS proxier will not be used, which is not always the case.
Made the warning message less confusing:
[WARNING RequiredIPVSKernelModulesAvailable]:
The IPVS proxier may not be used because the following required kernel
modules are not loaded: [ip_vs_rr ip_vs_wrr ip_vs_sh]
or no builtin kernel ipvs support was found: map[ip_vs_wrr:{}
ip_vs_sh:{} nf_conntrack_ipv4:{} ip_vs:{} ip_vs_rr:{}].
However, these modules may be loaded automatically by kube-proxy for you
if they are available on your system.
To verify IPVS support:
Run "lsmod | grep 'ip_vs\|nf_conntrack'" and verify each of the above
modules are listed.
If they are not listed, you can use the following methods to load them:
1. For each missing module run 'modprobe $modulename' (e.g., 'modprobe
ip_vs', 'modprobe ip_vs_rr', ...)
2. If 'modprobe $modulename' returns an error, you will need to install
the missing module support for your kernel.
Fixes: kubernetes/kubeadm#975
Fixes#71730
0 indicates standby, 1 indicates master, label indicates which lease.
Tweaked name and documentation
Factored in Mike Danese feedback.
Removed dependency on prometheus from client-go using adapter.
Centralized adapter import.
Fixed godeps
Fixed boilerplate.
Put in fixes for caesarxuchao
When using NodePort to connect to an endpoint using UDP, if the endpoint is deleted on
restoration of the endpoint traffic does not flow. This happens because conntrack holds
the state of the connection and the proxy does not correctly clear the conntrack entry
for the stale endpoint.
Introduced a new function to conntrack ClearEntriesForPortNAT that uses the endpointIP
and NodePort to remove the stale conntrack entry and allow traffic to resume when
the endpoint is restored.
Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
- Move from the old github.com/golang/glog to k8s.io/klog
- klog as explicit InitFlags() so we add them as necessary
- we update the other repositories that we vendor that made a similar
change from glog to klog
* github.com/kubernetes/repo-infra
* k8s.io/gengo/
* k8s.io/kube-openapi/
* github.com/google/cadvisor
- Entirely remove all references to glog
- Fix some tests by explicit InitFlags in their init() methods
Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135
IsNotMountPoint should return no error when the checked directory does not
exists - missing directory can't be mounted. Therefore containerized
kubelet should check if the target exists first before resolving symlinks.
EvalHostSymlinks() returns indistinguishible error in case the path does
not exist.
