scottk/kubernetes
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/kubernetes.git synced 2025-11-04 04:08:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

test for and set bridge-nf-call-iptables sysctl

Browse Source
This commit is contained in:
Tim Hockin
2015-08-14 22:36:11 -07:00
parent 9cf33772b4
commit 3a5c23d727
2 changed files with 17 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
cmd/kube-proxy/app/server.go
View File

@@ -159,7 +159,8 @@ func (s *ProxyServer) Run(_ []string) error {
if !s.ForceUserspaceProxy && shouldUseIptables { if !s.ForceUserspaceProxy && shouldUseIptables {
glog.V(2).Info("Using iptables Proxier.") glog.V(2).Info("Using iptables Proxier.")
proxierIptables, err := iptables.NewProxier(utiliptables.New(exec.New(), protocol), s.SyncPeriod) execer := exec.New()
proxierIptables, err := iptables.NewProxier(utiliptables.New(execer, protocol), execer, s.SyncPeriod)
if err != nil { if err != nil {
glog.Fatalf("Unable to create proxier: %v", err) glog.Fatalf("Unable to create proxier: %v", err)
} }

20
pkg/proxy/iptables/proxier.go
View File

@@ -100,6 +100,7 @@ func ShouldUseIptablesProxier() (bool, error) {
const sysctlBase = "/proc/sys" const sysctlBase = "/proc/sys"
const sysctlRouteLocalnet = "net/ipv4/conf/all/route_localnet" const sysctlRouteLocalnet = "net/ipv4/conf/all/route_localnet"
const sysctlBridgeCallIptables = "net/bridge/bridge-nf-call-iptables"
func getSysctl(sysctl string) (int, error) { func getSysctl(sysctl string) (int, error) {
data, err := ioutil.ReadFile(path.Join(sysctlBase, sysctl)) data, err := ioutil.ReadFile(path.Join(sysctlBase, sysctl))
@@ -158,16 +159,25 @@ var _ proxy.ProxyProvider = &Proxier{}
// An error will be returned if iptables fails to update or acquire the initial lock. // An error will be returned if iptables fails to update or acquire the initial lock.
// Once a proxier is created, it will keep iptables up to date in the background and // Once a proxier is created, it will keep iptables up to date in the background and
// will not terminate if a particular iptables call fails. // will not terminate if a particular iptables call fails.
func NewProxier(ipt utiliptables.Interface, syncPeriod time.Duration) (*Proxier, error) { func NewProxier(ipt utiliptables.Interface, exec utilexec.Interface, syncPeriod time.Duration) (*Proxier, error) {
glog.V(2).Info("Tearing down userspace rules. Errors here are acceptable.")
// remove iptables rules/chains from the userspace Proxier
tearDownUserspaceIptables(ipt)
// Set the route_localnet sysctl we need for // Set the route_localnet sysctl we need for
if err := setSysctl(sysctlRouteLocalnet, 1); err != nil { if err := setSysctl(sysctlRouteLocalnet, 1); err != nil {
return nil, fmt.Errorf("can't set sysctl route_localnet: %v", err) return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlRouteLocalnet, err)
} }
// Load the module. It's OK if this fails (e.g. the module is not present)
// because we'll catch the error on the sysctl, which is what we actually
// care about.
exec.Command("modprobe", "br-netfilter").CombinedOutput()
if err := setSysctl(sysctlBridgeCallIptables, 1); err != nil {
return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlBridgeCallIptables, err)
}
// No turning back. Remove artifacts that might still exist from the userspace Proxier.
glog.V(2).Info("Tearing down userspace rules. Errors here are acceptable.")
tearDownUserspaceIptables(ipt)
return &Proxier{ return &Proxier{
serviceMap: make(map[proxy.ServicePortName]*serviceInfo), serviceMap: make(map[proxy.ServicePortName]*serviceInfo),
syncPeriod: syncPeriod, syncPeriod: syncPeriod,