Home Explore Help
Sign In
tzeneto
/
custom-kube-scheduler
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: cb14858ef6
Branches Tags
custom-kube-...
/
kubernetes
/
cmd
/
kube-proxy
/
app
/
conntrack.go

conntrack.go 4.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146 
  1. /*
    2. 

  2. Copyright 2015 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package app
    18. 

  18. 

  19. import (
    20. 

  20. 	"errors"
    21. 

  21. 	"io/ioutil"
    22. 

  22. 	"strconv"
    23. 

  23. 	"strings"
    24. 

  24. 

  25. 	"k8s.io/klog"
    26. 

  26. 	"k8s.io/utils/mount"
    27. 

  27. 

  28. 	"k8s.io/kubernetes/pkg/util/sysctl"
    29. 

  29. )
    30. 

  30. 

  31. // Conntracker is an interface to the global sysctl. Descriptions of the various
    32. 

  32. // sysctl fields can be found here:
    33. 

  33. //
    34. 

  34. // https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt
    35. 

  35. type Conntracker interface {
    36. 

  36. 	// SetMax adjusts nf_conntrack_max.
    37. 

  37. 	SetMax(max int) error
    38. 

  38. 	// SetTCPEstablishedTimeout adjusts nf_conntrack_tcp_timeout_established.
    39. 

  39. 	SetTCPEstablishedTimeout(seconds int) error
    40. 

  40. 	// SetTCPCloseWaitTimeout nf_conntrack_tcp_timeout_close_wait.
    41. 

  41. 	SetTCPCloseWaitTimeout(seconds int) error
    42. 

  42. }
    43. 

  43. 

  44. type realConntracker struct{}
    45. 

  45. 

  46. var errReadOnlySysFS = errors.New("readOnlySysFS")
    47. 

  47. 

  48. func (rct realConntracker) SetMax(max int) error {
    49. 

  49. 	if err := rct.setIntSysCtl("nf_conntrack_max", max); err != nil {
    50. 

  50. 		return err
    51. 

  51. 	}
    52. 

  52. 	klog.Infof("Setting nf_conntrack_max to %d", max)
    53. 

  53. 

  54. 	// Linux does not support writing to /sys/module/nf_conntrack/parameters/hashsize
    55. 

  55. 	// when the writer process is not in the initial network namespace
    56. 

  56. 	// (https://github.com/torvalds/linux/blob/v4.10/net/netfilter/nf_conntrack_core.c#L1795-L1796).
    57. 

  57. 	// Usually that's fine. But in some configurations such as with github.com/kinvolk/kubeadm-nspawn,
    58. 

  58. 	// kube-proxy is in another netns.
    59. 

  59. 	// Therefore, check if writing in hashsize is necessary and skip the writing if not.
    60. 

  60. 	hashsize, err := readIntStringFile("/sys/module/nf_conntrack/parameters/hashsize")
    61. 

  61. 	if err != nil {
    62. 

  62. 		return err
    63. 

  63. 	}
    64. 

  64. 	if hashsize >= (max / 4) {
    65. 

  65. 		return nil
    66. 

  66. 	}
    67. 

  67. 

  68. 	// sysfs is expected to be mounted as 'rw'. However, it may be
    69. 

  69. 	// unexpectedly mounted as 'ro' by docker because of a known docker
    70. 

  70. 	// issue (https://github.com/docker/docker/issues/24000). Setting
    71. 

  71. 	// conntrack will fail when sysfs is readonly. When that happens, we
    72. 

  72. 	// don't set conntrack hashsize and return a special error
    73. 

  73. 	// errReadOnlySysFS here. The caller should deal with
    74. 

  74. 	// errReadOnlySysFS differently.
    75. 

  75. 	writable, err := isSysFSWritable()
    76. 

  76. 	if err != nil {
    77. 

  77. 		return err
    78. 

  78. 	}
    79. 

  79. 	if !writable {
    80. 

  80. 		return errReadOnlySysFS
    81. 

  81. 	}
    82. 

  82. 	// TODO: generify this and sysctl to a new sysfs.WriteInt()
    83. 

  83. 	klog.Infof("Setting conntrack hashsize to %d", max/4)
    84. 

  84. 	return writeIntStringFile("/sys/module/nf_conntrack/parameters/hashsize", max/4)
    85. 

  85. }
    86. 

  86. 

  87. func (rct realConntracker) SetTCPEstablishedTimeout(seconds int) error {
    88. 

  88. 	return rct.setIntSysCtl("nf_conntrack_tcp_timeout_established", seconds)
    89. 

  89. }
    90. 

  90. 

  91. func (rct realConntracker) SetTCPCloseWaitTimeout(seconds int) error {
    92. 

  92. 	return rct.setIntSysCtl("nf_conntrack_tcp_timeout_close_wait", seconds)
    93. 

  93. }
    94. 

  94. 

  95. func (realConntracker) setIntSysCtl(name string, value int) error {
    96. 

  96. 	entry := "net/netfilter/" + name
    97. 

  97. 

  98. 	sys := sysctl.New()
    99. 

  99. 	if val, _ := sys.GetSysctl(entry); val != value {
    100. 

  100. 		klog.Infof("Set sysctl '%v' to %v", entry, value)
    101. 

  101. 		if err := sys.SetSysctl(entry, value); err != nil {
    102. 

  102. 			return err
    103. 

  103. 		}
    104. 

  104. 	}
    105. 

  105. 	return nil
    106. 

  106. }
    107. 

  107. 

  108. // isSysFSWritable checks /proc/mounts to see whether sysfs is 'rw' or not.
    109. 

  109. func isSysFSWritable() (bool, error) {
    110. 

  110. 	const permWritable = "rw"
    111. 

  111. 	const sysfsDevice = "sysfs"
    112. 

  112. 	m := mount.New("" /* default mount path */)
    113. 

  113. 	mountPoints, err := m.List()
    114. 

  114. 	if err != nil {
    115. 

  115. 		klog.Errorf("failed to list mount points: %v", err)
    116. 

  116. 		return false, err
    117. 

  117. 	}
    118. 

  118. 

  119. 	for _, mountPoint := range mountPoints {
    120. 

  120. 		if mountPoint.Type != sysfsDevice {
    121. 

  121. 			continue
    122. 

  122. 		}
    123. 

  123. 		// Check whether sysfs is 'rw'
    124. 

  124. 		if len(mountPoint.Opts) > 0 && mountPoint.Opts[0] == permWritable {
    125. 

  125. 			return true, nil
    126. 

  126. 		}
    127. 

  127. 		klog.Errorf("sysfs is not writable: %+v (mount options are %v)",
    128. 

  128. 			mountPoint, mountPoint.Opts)
    129. 

  129. 		return false, errReadOnlySysFS
    130. 

  130. 	}
    131. 

  131. 

  132. 	return false, errors.New("no sysfs mounted")
    133. 

  133. }
    134. 

  134. 

  135. func readIntStringFile(filename string) (int, error) {
    136. 

  136. 	b, err := ioutil.ReadFile(filename)
    137. 

  137. 	if err != nil {
    138. 

  138. 		return -1, err
    139. 

  139. 	}
    140. 

  140. 	return strconv.Atoi(strings.TrimSpace(string(b)))
    141. 

  141. }
    142. 

  142. 

  143. func writeIntStringFile(filename string, value int) error {
    144. 

  144. 	return ioutil.WriteFile(filename, []byte(strconv.Itoa(value)), 0640)
    145. 

  145. }
    146. 

  146.