Disable IPv6 dad by default.
Signed-off-by: Lantao Liu <lantaol@google.com>
This commit is contained in:
Lantao Liu
@@ -19,6 +19,7 @@ package server
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"os/exec"
|
||||
"path"
|
||||
"path/filepath"
|
||||
"strconv"
|
||||
@@ -36,6 +37,7 @@ import (
|
||||
"github.com/opencontainers/selinux/go-selinux/label"
|
||||
"golang.org/x/net/context"
|
||||
"k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime"
|
||||
"k8s.io/kubernetes/pkg/util/sysctl"
|
||||
|
||||
"github.com/containerd/cri-containerd/pkg/store"
|
||||
imagestore "github.com/containerd/cri-containerd/pkg/store/image"
|
||||
@@ -383,3 +385,35 @@ func newSpecGenerator(spec *runtimespec.Spec) generate.Generator {
|
||||
g.HostSpecific = true
|
||||
return g
|
||||
}
|
||||
|
||||
// disableNetNSDAD disables duplicate address detection in the network namespace.
|
||||
// DAD has a negative affect on sandbox start latency, since we have to wait
|
||||
// a second or more for the addresses to leave the "tentative" state.
|
||||
func disableNetNSDAD(ns string) error {
|
||||
dad := "net/ipv6/conf/default/accept_dad"
|
||||
|
||||
sysctlBin, err := exec.LookPath("sysctl")
|
||||
if err != nil {
|
||||
return fmt.Errorf("could not find sysctl binary: %v", err)
|
||||
}
|
||||
|
||||
nsenterBin, err := exec.LookPath("nsenter")
|
||||
if err != nil {
|
||||
return fmt.Errorf("could not find nsenter binary: %v", err)
|
||||
}
|
||||
|
||||
// If the sysctl doesn't exist, it means ipv6 is disabled.
|
||||
if _, err := sysctl.New().GetSysctl(dad); err != nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
output, err := exec.Command(nsenterBin,
|
||||
fmt.Sprintf("--net=%s", ns), "-F", "--",
|
||||
sysctlBin, "-w", fmt.Sprintf("%s=%s", dad, "0"),
|
||||
).CombinedOutput()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to write sysctl %q - output: %s, error: %s",
|
||||
dad, output, err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -102,6 +102,16 @@ func (c *criContainerdService) RunPodSandbox(ctx context.Context, r *runtime.Run
|
||||
sandbox.NetNSPath = ""
|
||||
}
|
||||
}()
|
||||
if !c.config.EnableIPv6DAD {
|
||||
// It's a known issue that IPv6 DAD increases sandbox start latency by several seconds.
|
||||
// Disable it when it's not enabled to avoid the latency.
|
||||
// See:
|
||||
// * https://github.com/kubernetes/kubernetes/issues/54651
|
||||
// * https://www.agwa.name/blog/post/beware_the_ipv6_dad_race_condition
|
||||
if err := disableNetNSDAD(sandbox.NetNSPath); err != nil {
|
||||
return nil, fmt.Errorf("failed to disable DAD for sandbox %q: %v", id, err)
|
||||
}
|
||||
}
|
||||
// Setup network for sandbox.
|
||||
podNetwork := ocicni.PodNetwork{
|
||||
Name: config.GetMetadata().GetName(),
|
||||
|
||||
Reference in New Issue
Block a user