-
Notifications
You must be signed in to change notification settings - Fork 797
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix dual-stack support in meta/portmap #379
Fix dual-stack support in meta/portmap #379
Conversation
ceab11c
to
e19c3d9
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you also rename PR title to something like "Fix dual-stack support in meta/portmap"?
You can also add to commit message "closes #378". Take a look on https://help.github.com/en/articles/closing-issues-using-keywords
eab0a5c
to
e64556a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know the original consideration of this PR, but if we just ignore the error, the users may never know the rules they set are not working, IMO, I think this error should be fatal.
Another suggestion, maybe an admission validation webhook is more proper to do some pre-checks for hostports in dual-stack.
It was a fatal error, in the sense that the container failed to start and also left vestigial iptables rules behind on exit. Given that a user has a choice of populating the HostIP field with either an IPv4 or IPv6 address, it doesn't make sense for portmap to try and map the given HostIP to a ContainerIP of another address family as that is obviously not what the user intended. Edit: |
Ah nuts, this was an error in the design. Thanks for catching this. Clearly we need to support existing users of the Separately, we should add support for a |
Do you wish to still apply the rule when address families mismatch by ignoring the HostIP instead of not applying the rule at all? My idea was to just specify two mapping rules, one for each address family. Sadly this currently does not work with this pull request applied. If I create a deployment with the following specification:
The output of iptables -t nat -S on node shows:
And the output of ip6tables -t nat -S shows:
Notice the missing dnat rule in the CNI-DN-99177cda6128d856b47fb chain. It does work correctly when specifying only one rule of either address family. I'll have a look and see if I can fix this later. |
I've just done a little digging, and it seems as though somewhere upstream the second containerPort: 80 gets filtered out. Below are decoded logs of the portmap inputs for various forwarding configurations. Ports:
Portmap input:
Ports:
Portmap input:
Ports:
Portmap input:
Notice the missing IPv6 entry in the last input. I've checked kubectl get pod $PODID -o yaml and there the ports show up as expected in every scenario. |
I've done some more testing and can confirm the rule is filtered out when there is a duplicate containerPort. Duplicate hostPorts work. |
Ah, good catch - that definitely seems like a dockershim bug. Separately, your change brings this all together: skip the port forwarding rule if the address families don't match. |
I doubt it's a docker-shim bug as I am using containerd/containerd-shim/runc |
I've been digging some more and I'm pretty sure I've identified the upstream issue. Take a look at the MakePortMappings function from https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/container/helpers.go
As you can see it generates a name for the portMapping entry, based on the container name, protocol, and port number. Given that these are identical between my two mapping entries, a duplicate name is generated. After this, a check is done to ensure the generated name is unique. If a duplicate name is found, a log entry is made and the entry is skipped. I've run journalctl -u kubelet | grep 'Port name conflicted' on my host and can confirm the log entries are present. I'll see if I can get a PR going for this at a later date. |
Filed an issue and a PR to get the upstream issue fixed. |
e64556a
to
7905ed2
Compare
…ontainerIP address family. closes containernetworking#378 Signed-off-by: Niels van Oosterom <xcelsion@users.noreply.github.com>
7905ed2
to
e8365e1
Compare
/lgtm |
Fix for issue #378, where when in a dual-stack environment specifying a hostIP would cause an error during container creation.