Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update go-iptables library version #873

Merged
merged 1 commit into from
Jun 29, 2020
Merged

Update go-iptables library version #873

merged 1 commit into from
Jun 29, 2020

Conversation

antoninbas
Copy link
Contributor

From 0.4.1 to 0.4.5.
In version 0.4.1, no error is returned by go-iptables when running
iptables --version or parsing its ouput fails (during
initialization). This leads to the library not being able to correctly
detect whether the iptables version supports --wait, which ultimately
can lead to a deadlock for the Antrea agent.

See coreos/go-iptables#69.

By updating the go-iptables version, we ensure that any such error will
be returned to Antrea, logged, and cause the Antrea agent to fail and
eventually restart.

It is unclear what can cause iptables version detection to fail but
because of the added logging, we will have a better shot at getting to
the root cause if it happens in production again.

Fixes #871

@antrea-bot
Copy link
Collaborator

Thanks for your PR.
Unit tests and code linters are run automatically every time the PR is updated.
E2e, conformance and network policy tests can only be triggered by a member of the vmware-tanzu organization. Regular contributors to the project should join the org.

The following commands are available:

  • /test-e2e: to trigger e2e tests.
  • /skip-e2e: to skip e2e tests.
  • /test-conformance: to trigger conformance tests.
  • /skip-conformance: to skip conformance tests.
  • /test-whole-conformance: to trigger all conformance tests on linux.
  • /skip-whole-conformance: to skip all conformance tests on linux.
  • /test-networkpolicy: to trigger networkpolicy tests.
  • /skip-networkpolicy: to skip networkpolicy tests.
  • /test-windows-conformance: to trigger windows conformance tests.
  • /skip-windows-conformance: to skip windows conformance tests.
  • /test-all: to trigger all tests (except whole conformance).
  • /skip-all: to skip all tests (except whole conformance).

These commands can only be run by members of the vmware-tanzu organization.

@antoninbas antoninbas requested review from tnqn and jianjuns June 26, 2020 02:04
@antoninbas antoninbas force-pushed the update-go-iptables-version branch from 6adad5c to 54da8ee Compare June 26, 2020 02:06
@antoninbas
Update go-iptables library version
0719375 
From 0.4.1 to 0.4.5.
In version 0.4.1, no error is returned by go-iptables when running
`iptables --version` or parsing its ouput fails (during
initialization). This leads to the library not being able to correctly
detect whether the iptables version supports `--wait`, which ultimately
can lead to a deadlock for the Antrea agent.

See coreos/go-iptables#69.

By updating the go-iptables version, we ensure that any such error will
be returned to Antrea, logged, and cause the Antrea agent to fail and
eventually restart.

It is unclear what can cause iptables version detection to fail but
because of the added logging, we will have a better shot at getting to
the root cause if it happens in production again.

Fixes antrea-io#871
@antoninbas antoninbas force-pushed the update-go-iptables-version branch from 54da8ee to 0719375 Compare June 26, 2020 02:13
@antoninbas
Copy link
Contributor Author

/test-all

tnqn
tnqn approved these changes Jun 29, 2020
View reviewed changes
Copy link
Member

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch!

@tnqn
Copy link
Member

tnqn commented Jun 29, 2020

But can it fix/close #871 which seems not caused by iptables failure?

@antoninbas
Copy link
Contributor Author

@tnqn #871 is actually caused by an iptables failure, in the sense that we try to acquire the iptables lock twice, which causes the agent to deadlock and initialization never completes (which means that we never start the apiserver and cannot reply to readiness probles).

@antoninbas
Copy link
Contributor Author

/test-conformance

@antoninbas antoninbas merged commit 096195f into antrea-io:master Jun 29, 2020
@antoninbas antoninbas deleted the update-go-iptables-version branch June 29, 2020 20:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jianjuns jianjuns jianjuns approved these changes

@tnqn tnqn tnqn approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
5 participants
@antoninbas @antrea-bot @tnqn @jianjuns @vmwclabot