Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disabling SourceDestCheck fails on instances with more than one ENI #447

Closed
vaijab opened this issue Jun 9, 2016 · 5 comments
Closed

Disabling SourceDestCheck fails on instances with more than one ENI #447

vaijab opened this issue Jun 9, 2016 · 5 comments
Labels
components/backend/aws kind/bug

Comments

@vaijab
Copy link
Contributor

vaijab commented Jun 9, 2016
edited
Loading

Flannel fails to disable SourceDestCheck on instances with more than one network interface. SourceDestCheck attribute is actually an ENI attribute, but weirdly AWS exposes it as an instance attribute if it only has one network interface.

https://github.com/coreos/flannel/blob/6c95ca9086cf7f5fc6e1d415fb23c50aeec34c04/backend/awsvpc/awsvpc.go#L182

I could do a PR to fix that, if people agree? It'd be something similar to this: https://github.com/UKHomeOffice/smilodon/blob/master/aws.go#L260

Another way this could be fixed is, first we check which network interface flannel is going to use and only disable SourceDestCheck on that one.
@kkirsche
Copy link

kkirsche commented Jun 9, 2016

Just trying to make sure I understand, so the issue here is that Flannel is not disabling the SourceDestCheck on AWS instances with more than one network interface. Specifically, SourceDestCheck is an Elastic Network Interface attribute which AWS exposes instead as part of the instance when the instance has only one interface but does not expose this when the instance has more than one interface. Is this accurate?

@vaijab
Copy link
Contributor Author

vaijab commented Jun 9, 2016

@kkirsche yes, that's correct.

@kkirsche
Copy link

kkirsche commented Jun 9, 2016

Personally, I think a PR would probably be appreciated though I don't want to speak for the Flannel core team as to the solution itself. I'd just want to double check if you had done or if this was still needed in the current version of flannel
image from https://coreos.com/blog/introducing-flannel-0.5.0-with-aws-and-gce/

It seems as though this says to disable it within AWS, so want to make sure that this has been checked

@vaijab
Copy link
Contributor Author

vaijab commented Jun 9, 2016
edited
Loading

from https://coreos.com/blog/introducing-flannel-0.5.0-with-aws-and-gce/

It seems as though this says to disable it within AWS, so want to make sure that this has been checked

That used to be the case, but then I suggested this: #230

I guess there two options here:

  • Flannel knows how to disable SourceDestCheck on either one or all ENIs
  • An option to tell flannel not to try to disable SourceDestCheck

Because what's happening now, is flannel is continuously trying to disable SourceDestCheck on an instance it is running and gets AWS API rate limited which affects other services and processes running in the same AWS account, i.e. nothing else can easily talk to AWS API, because how AWS does rate limiting.

@kkirsche
Copy link

kkirsche commented Jun 9, 2016

Ah, ok. Sorry about that. Just wanted to make sure. I personally think that flannel should know how to disable SourceDestCheck then with an option to override this automatic decision should it have been incorrectly identified. Does that sound reasonable?

Certainly don't want this hitting API Rate Limiting as that can certainly be very problematic

@vaijab vaijab mentioned this issue Nov 2, 2016
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
components/backend/aws kind/bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tomdee @kkirsche @vaijab