More corner cases with iptables proxy #12764
Conversation
|
Read through current last commit (thockin@23a3ab8). |
|
GCE e2e build/test passed for commit 23a3ab8355eb48317dc2860a394ba76b5001a473. |
thockin
force-pushed
the
proxy-nodeports
branch
2 times, most recently
from
be9a28c to
c4e2c83
Compare
|
GCE e2e build/test passed for commit be9a28ca34ebf46c76fcb6000f96684dfdb4332a. |
|
GCE e2e build/test passed for commit c4e2c83f304966d7042819cd80ab512104856912. |
|
GCE e2e build/test passed for commit 392c340c852747e6f372ab9d82aeeb10e1ba4998. |
thockin
force-pushed
the
proxy-nodeports
branch
from
392c340 to
35dd764
Compare
|
GCE e2e build/test passed for commit 35dd764ce77dbcbc0be77f74775c00bbf0770588. |
thockin
force-pushed
the
proxy-nodeports
branch
from
35dd764 to
e93a734
Compare
|
GCE e2e build/test passed for commit e93a7340c74cef99f7d78c1c5e5d45e84568ca72. |
thockin
force-pushed
the
proxy-nodeports
branch
from
e93a734 to
b55b1b4
Compare
|
GCE e2e build/test passed for commit b55b1b400d34582c0ccf76cad969c4cccad7f1dd. |
| args = append(args, | ||
| "-m", "statistic", | ||
| "--mode", "random", | ||
| "--probability", fmt.Sprintf("%f", 1.0/float64(n-i))) |
There was a problem hiding this comment.
(discussed offline)
we should probably restrict decimal length
There was a problem hiding this comment.
Done in next push
On Mon, Aug 17, 2015 at 4:30 PM, Abhi Shah [email protected] wrote:
In pkg/proxy/iptables/proxier.go
#12764 (comment)
:}
if i < (n - 1) {// Each rule is a probabilistic match.args = append(args,"-m", "statistic","--mode", "random","--probability", fmt.Sprintf("%f", 1.0/float64(n-i)))(discussed offline)
we should probably restrict decimal length—
Reply to this email directly or view it on GitHub
https://github.com/kubernetes/kubernetes/pull/12764/files#r37249463.
thockin
force-pushed
the
proxy-nodeports
branch
from
b55b1b4 to
6f34be3
Compare
|
Issues fixed, new push is up. This needs e2e before it can be activated but I'd like to merge it ASAP. |
|
GCE e2e build/test failed for commit 6f34be3. |
|
@k8s-bot test this please |
|
GCE e2e build/test passed for commit 6f34be3. |
ArtfulCoder
added
the
lgtm
|
LGTM |
More corner cases with iptables proxy
|
Whoo!
|
|
So we still need hairpin mode, anything else? |
|
hairpin mode (hairy) Not sure what else. If you have extra bandwidth, you could do the "always On Tue, Aug 18, 2015 at 9:18 AM, Benjamin Elder [email protected]
|
|
I'll take a look at the always masq flag this afternoon. As far as I know On Tue, Aug 18, 2015 at 12:25 PM, Tim Hockin [email protected]
|
|
yeah, maybe. It's P2 or P3 to me. The other thing we could use is better On Tue, Aug 18, 2015 at 9:32 AM, Benjamin Elder [email protected]
|
|
Yeah, I'll see if I can get a bit more done early this week before i get On Tue, Aug 18, 2015 at 12:36 PM, Tim Hockin [email protected]
|
Node ports
Set sysctls
Cleanup rules code
Faster sync at startup
Better logging
DNAT back to self doesn't quite work yet because we need to enable hairpin mode on the bridge, and that has to be done interface-by-interface (sigh). Will keep hunting for a better answer there.
This needs SERIOUS e2e testing. I have a very manual battery of tests I have been running, which is a good starting place.
@BenTheElder @ArtfulCoder