connectivity-check: Reduce chances of port conflict with proxy #15988
+13
−13
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Cilium's DNS proxy listens on a port allocated by the kernel. That port
can however conflict with the port used by echo-c-host-container from
the connectivity checks, leading to CI flakes when run regularly.
A kernel comment on the function allocating the port [1] gives us a way out:
* if snum is zero it means select any available local port.
* We try to allocate an odd port (and leave even ports for connect())
So using an even-numbered port for echo-c-host-container in the
connectivity checks should strongly reduce the likelihood of this flake
happening again. Other hostns pods already use even-numbered ports.
1 - https://elixir.bootlin.com/linux/v5.12.1/source/net/ipv4/inet_connection_sock.c#L354
Signed-off-by: Paul Chaignon <paul@cilium.io>
|
test-me-please |
|
k8s-1.16-kernel-netnext failed with known flake #15455. Team reviews are covered. Marking as ready to merge. |
christarazi
added a commit
to christarazi/cilium
that referenced
this pull request
May 14, 2021
Following the same logic as cilium#15988, we want to use an even-numbered port to reduce the likelihood that the underlying kernel allocates a conflicting port for the nodePort. Fixes: cilium#13071 Signed-off-by: Chris Tarazi <chris@isovalent.com>
nbusseneau
pushed a commit
to nbusseneau/cilium
that referenced
this pull request
May 21, 2021
[ upstream commit c983bd1 ] Following the same logic as cilium#15988, we want to use an even-numbered port to reduce the likelihood that the underlying kernel allocates a conflicting port for the nodePort. Fixes: cilium#13071 Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
nbusseneau
pushed a commit
to nbusseneau/cilium
that referenced
this pull request
May 23, 2021
[ upstream commit c983bd1 ] Following the same logic as cilium#15988, we want to use an even-numbered port to reduce the likelihood that the underlying kernel allocates a conflicting port for the nodePort. Fixes: cilium#13071 Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
kaworu
pushed a commit
that referenced
this pull request
May 27, 2021
[ upstream commit c983bd1 ] Following the same logic as #15988, we want to use an even-numbered port to reduce the likelihood that the underlying kernel allocates a conflicting port for the nodePort. Fixes: #13071 Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
aanm
pushed a commit
that referenced
this pull request
May 28, 2021
[ upstream commit c983bd1 ] Following the same logic as #15988, we want to use an even-numbered port to reduce the likelihood that the underlying kernel allocates a conflicting port for the nodePort. Fixes: #13071 Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Cilium's DNS proxy listens on a port allocated by the kernel. That port can however conflict with the port used by echo-c-host-container from the connectivity checks, leading to CI flakes when run regularly.
A kernel comment on the function allocating the port gives us a way out:
So using an even-numbered port for
echo-c-host-containerin the connectivity checks should strongly reduce the likelihood of this flake happening again. Other hostns pods already use even-numbered ports.Fixes: #15459