Closed
Labels: area/networking, lifecycle/automatically-closed
Bug description
When running with interception mode TPROXY, requests initiated from outside the Pod will cause Envoy to request itself indefinitely.
Workload tested:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      annotations:
        sidecar.istio.io/interceptionMode: TPROXY
      labels:
        app: nginx
    spec:
      containers:
      - command:
        - nginx
        image: docker.gmem.cc/nginx:1.16-alpine
        imagePullPolicy: Always
        name: nginx
        securityContext:
          privileged: true
      dnsPolicy: ClusterFirst
      restartPolicy: Always
```
A curl from another pod will be blocked; after Ctrl+C, Envoy will keep dumping logs until all ports are used:
[2020-04-29T07:15:44.974Z] "GET / HTTP/1.1" 0 DC "-" "-" 0 0 24101 - "-" "curl/7.67.0" "d203d38c-4e34-4765-8943-aad1ee9f3654" "nginx" "172.27.226.74:80" outbound|80||nginx.default.svc.k8s.gmem.cc 172.27.226.74:49584 172.27.226.74:80 172.27.226.74:49582 - default
[2020-04-29T07:15:44.975Z] "GET / HTTP/1.1" 0 DC "-" "-" 0 0 24101 - "-" "curl/7.67.0" "d203d38c-4e34-4765-8943-aad1ee9f3654" "nginx" "172.27.226.74:80" outbound|80||nginx.default.svc.k8s.gmem.cc 172.27.226.74:49586 172.27.226.74:80 172.27.226.74:49584 - default
[2020-04-29T07:15:44.975Z] "GET / HTTP/1.1" 0 DC "-" "-" 0 0 24101 - "-" "curl/7.67.0" "d203d38c-4e34-4765-8943-aad1ee9f3654" "nginx" "172.27.226.74:80" outbound|80||nginx.default.svc.k8s.gmem.cc 172.27.226.74:49588 172.27.226.74:80 172.27.226.74:49586 - default
[2020-04-29T07:15:44.976Z] "GET / HTTP/1.1" 0 DC "-" "-" 0 0 24105 - "-" "curl/7.67.0" "d203d38c-4e34-4765-8943-aad1ee9f3654" "nginx" "172.27.226.74:80" outbound|80||nginx.default.svc.k8s.gmem.cc 172.27.226.74:49590 172.27.226.74:80 172.27.226.74:49588 - default
[2020-04-29T07:15:44.976Z] "GET / HTTP/1.1" 0 DC "-" "-" 0 0 24105 - "-" "curl/7.67.0" "d203d38c-4e34-4765-8943-aad1ee9f3654" "nginx" "172.27.226.74:80" outbound|80||nginx.default.svc.k8s.gmem.cc 172.27.226.74:49592 172.27.226.74:80 172.27.226.74:49590 - default
[2020-04-29T07:15:44.976Z] "GET / HTTP/1.1" 0 DC "-" "-" 0 0 24104 - "-" "curl/7.67.0" "d203d38c-4e34-4765-8943-aad1ee9f3654" "nginx" "172.27.226.74:80" outbound|80||nginx.default.svc.k8s.gmem.cc 172.27.226.74:49594 172.27.226.74:80 172.27.226.74:49592 - default
[2020-04-29T07:15:44.977Z] "GET / HTTP/1.1" 0 DC "-" "-" 0 0 24104 - "-" "curl/7.67.0" "d203d38c-4e34-4765-8943-aad1ee9f3654" "nginx" "172.27.226.74:80" outbound|80||nginx.default.svc.k8s.gmem.cc 172.27.226.74:49596 172.27.226.74:80 172.27.226.74:49594 - default
[2020-04-29T07:15:44.977Z] "GET / HTTP/1.1" 0 DC "-" "-" 0 0 24104 - "-" "curl/7.67.0" "d203d38c-4e34-4765-8943-aad1ee9f3654" "nginx" "172.27.226.74:80" outbound|80||nginx.default.svc.k8s.gmem.cc 172.27.226.74:49598 172.27.226.74:80 172.27.226.74:49596 - default
[2020-04-29T07:15:44.977Z] "GET / HTTP/1.1" 0 DC "-" "-" 0 0 24109 - "-" "curl/7.67.0" "d203d38c-4e34-4765-8943-aad1ee9f3654" "nginx" "172.27.226.74:80" outbound|80||nginx.default.svc.k8s.gmem.cc 172.27.226.74:49600 172.27.226.74:80 172.27.226.74:49598 - default
Expected behavior
TPROXY mode should work normally.
Steps to reproduce the bug
Version
istioctl version --remote
client version: 1.5.1
control plane version: 5f1c6c46fd40655dfe4249a5d288867907fbd704-dirty
data plane version: 1.5-dev (3 proxies), 1.6-dev (1 proxies), 1.7-dev (1 proxies)
kubectl version
Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.12", GitCommit:"a8b52209ee172232b6db7a6e0ce2adc77458829f", GitTreeState:"clean", BuildDate:"2019-10-15T12:12:15Z", GoVersion:"go1.11.13", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.10", GitCommit:"575467a0eaf3ca1f20eb86215b3bde40a5ae617a", GitTreeState:"clean", BuildDate:"2019-12-11T12:32:32Z", GoVersion:"go1.12.12", Compiler:"gc", Platform:"linux/amd64"}
How was Istio installed?
built from branch release-1.6, installed via istioctl
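One way to flag the loop shown in the access log above from a sidecar's own log, added here as an example (not code from the report or from Istio): it groups entries by request ID and counts hops whose downstream remote address is another entry's upstream local address, meaning the proxy accepted its own upstream connection. The field positions are assumed from the log lines in the report; the sample lines, addresses and the names `make_line`, `parse` and `find_loops` are constructed for illustration.

```python
import shlex
from collections import defaultdict

def make_line(rid, up_local, down_remote):
    """Build a constructed log line with the same field layout as the report."""
    return ('[2020-01-01T00:00:00.000Z] "GET / HTTP/1.1" 0 DC "-" "-" 0 0 10 - "-" '
            f'"curl/7.67.0" "{rid}" "nginx" "10.0.0.5:80" '
            f'outbound|80||nginx.default.svc.cluster.local {up_local} 10.0.0.5:80 '
            f'{down_remote} - default')

# Constructed sample: one ordinary request, then four hops of one looping request.
SAMPLE = [
    make_line("req-ok", "10.0.0.5:40000", "10.0.0.9:51000"),
    make_line("req-loop", "10.0.0.5:49584", "10.0.0.5:49582"),
    make_line("req-loop", "10.0.0.5:49586", "10.0.0.5:49584"),
    make_line("req-loop", "10.0.0.5:49588", "10.0.0.5:49586"),
    make_line("req-loop", "10.0.0.5:49590", "10.0.0.5:49588"),
]

def parse(line):
    """Return the fields used for loop detection, or None if the line does not fit."""
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quote, e.g. inside a user agent string
        return None
    if len(tokens) != 21:
        return None
    # Assumed positions: 12 request ID, 16 upstream local, 18 downstream remote.
    return {"id": tokens[12], "up_local": tokens[16], "down_remote": tokens[18]}

def find_loops(lines, min_hops=3):
    """Map request ID -> number of hops that this same proxy originated."""
    by_id = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_id[rec["id"]].append(rec)
    loops = {}
    for rid, recs in by_id.items():
        up_locals = {r["up_local"] for r in recs}
        # A hop is self-originated when its client socket is one of the
        # upstream sockets this proxy opened for the same request.
        hops = sum(1 for r in recs if r["down_remote"] in up_locals)
        if hops >= min_hops:
            loops[rid] = hops
    return loops

if __name__ == "__main__":
    print(find_loops(SAMPLE))
```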