-
Notifications
You must be signed in to change notification settings - Fork 795
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
portmap: delete UDP conntrack entries on teardown #123
Comments
I have found that this bug doesn't seem to only apply to changing pod IPs. It can also apply if there is incoming traffic that is being dropped because there is no pod, and then a pod is added that should start receiving the traffic. Complete details and steps to reproduce: https://github.com/projectcalico/felix/issues/1880 |
We are also affected by this. We lose metrics whenever there's a restart of the Datadog agent. Is there any plans to fix it? any workaround available? Thanks |
Seems like this issue has been opened for a year. Is there any plan to fix this issue? Or, could you let me know how to fix this problem by my hand? |
Hello, I think I am hitting a similar issue. I deploy a pod with
Is this the same issue ? If so, is there a workaround till this issue is fixed ? I am using the following CNI plugins
Thanks |
It seems like this PR aimed to fix the issue: kubernetes/kubernetes#59286 There is a workaround but this is not ideal.
You need to set |
I've experimented a bit with this, and there's some small fixes -- in particular, As to the container, I've used initContainers:
- image: 'gcr.io/google-containers/toolbox:20190523-00'
imagePullPolicy: 'IfNotPresent'
name: 'conntrack'
securityContext:
allowPrivilegeEscalation: true
capabilities:
add: ["NET_ADMIN"]
command: ['sh', '-c', 'conntrack -D -p udp --dport 8125 | true'] I'm having an issue with statsd + datadog, which uses UDP 8125, so I'm only deleting that. I didn't need |
The above does seem to fix things for low-traffic client services, but our high-traffic services seem to get new If I SSH into the machine and manually run the conntrack-command, things come back as expected. |
This issue still exists in the latest. I encountered this issue with DaemonSet for the same scenario mentioned in the description. The workaround does has corner case as mentioned by msiebuhr. Anyone was able to solve it in any alternate way? |
I can work on this issue. Is it okay if we just flush conntrack entries just like it is done in kubernetes/kubernetes#59286? Are there any concerns? |
I have a PR for this, let me check something first, |
nevermind @AnishShah , you deserve the honor, I just see the comment in the k/k issue. |
@AnishShah this is the approach I was taken https://github.com/containernetworking/plugins/compare/master...aojea:conntrack?expand=1 , feel free to reuse it or discard it. |
@aojea Since you have already created the PR, you can go ahead with it |
@aojea I had a brief look at your PR. I think we should delete UDP conntrack entries on teardown and setup both. Even in kubernetes/kubernetes#59286, it seems that we are deleting conntrack entries when we setup hostport iptable rules. I tested your PR with a udp client/server pods
I notice one conntrack entry -
When I deleted udp-server, the conntrack entry changed to
Notice the change in src/dst IP for reply direction. When I created udp-server pod again, I don't see any changes in conntrack entry. It is the same as above. I ensured that the DNAT rules are created. When I deleted this conntrack entry, it started seeing the correct conntrack entry again -
|
@AnishShah I was thinking that, since this is always local traffic, same host, we only care about creation, i.e. when the new pod is created it needs to flush previous conntrack entries to take over that traffic ... flushing the entries on deletion doesn't matter if a new pod is not going to start listening on the exposed port, the traffic will not hit any pod anyway |
I am still facing the issue. I have a service which collects the syslogs and reads from a udp port 514. As soon as I delete the pod I am expecting that conntrack entries for 514 should get deleted but it doesn't delete on pod delete or even on restart. and the incoming traffic gets lost. |
As observed in kubernetes/kubernetes#59033, a quick teardown + spinup of portmappings can cause UDP "flows" to be lost, thanks to stale conntrack entries.
From the original issue:
The text was updated successfully, but these errors were encountered: