Merge pull request #3984 from dannyk81/calico_xtables_lock

[calico/canal] mount host's xtables lock and enable calico locking for <v3.2.1
6 years ago · 5a7ac7e5c1
2 changed files with 23 additions and 0 deletions
--- a/roles/network_plugin/calico/templates/calico-node.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node.yml.j2
@ -76,6 +76,12 @@ spec:
              value: "{{ calico_endpoint_to_host_action|default('RETURN') }}"
            - name: FELIX_HEALTHHOST
              value: "{{ calico_healthhost }}"
+            # Prior to v3.2.1 iptables didn't acquire the lock, so Calico's own implementation of the lock should be used,
+            # this is not required in later versions https://github.com/projectcalico/calico/issues/2179
+{% if calico_version is version('v3.2.1', '<') %}
+            - name: FELIX_IPTABLESLOCKTIMEOUTSECS
+              value: "10"
+{% endif %}
 # should be set in etcd before deployment
 #            # Configure the IP Pool from which Pod IPs will be chosen.
 #            - name: CALICO_IPV4POOL_CIDR
@ -170,6 +176,9 @@ spec:
              readOnly: false
            - mountPath: /calico-secrets
              name: etcd-certs
+            - name: xtables-lock
+              mountPath: /run/xtables.lock
+              readOnly: false
      volumes:
        # Used by calico/node.
        - name: lib-modules
@ -192,6 +201,11 @@ spec:
        - name: etcd-certs
          hostPath:
            path: "{{ calico_cert_dir }}"
+        # Mount the global iptables lock file, used by calico/node
+        - name: xtables-lock
+          hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
  updateStrategy:
    rollingUpdate:
      maxUnavailable: {{ serial | default('20%') }}
--- a/roles/network_plugin/canal/templates/canal-node.yaml.j2
+++ b/roles/network_plugin/canal/templates/canal-node.yaml.j2
@ -173,6 +173,12 @@ spec:
                  fieldPath: spec.nodeName
            - name: FELIX_HEALTHENABLED
              value: "true"
+            # Prior to v3.2.1 iptables didn't acquire the lock, so Calico's own implementation of the lock should be used,
+            # this is not required in later versions https://github.com/projectcalico/calico/issues/2179
+{% if calico_version is version('v3.2.1', '<') %}
+            - name: FELIX_IPTABLESLOCKTIMEOUTSECS
+              value: "10"
+{% endif %}
            # Etcd SSL vars
            - name: ETCD_CA_CERT_FILE
              valueFrom:
@ -220,6 +226,9 @@ spec:
            - name: "canal-certs"
              mountPath: "{{ canal_cert_dir }}"
              readOnly: true
+            - name: xtables-lock
+              mountPath: /run/xtables.lock
+              readOnly: false
  updateStrategy:
    rollingUpdate:
      maxUnavailable: {{ serial | default('20%') }}