An "irresponsible" experience sharing of k8s network troubleshooting

erda_ terminus_ io 2021-06-23 16:08:55
irresponsible experience sharing k8s network

 Insert picture description here

author | Luo Bingli
source | Erda official account

One night , The customer encountered such a problem :K8s The cluster has been failing to expand , All nodes cannot join the cluster normally . After many twists and turns, there is no solution , Customers feed back problems to us , Hope to get technical support . The whole investigation process of this problem is quite interesting , In this paper, the investigation ideas and methods are summarized and shared with you , Hope to be able to help you in the investigation of such problems and reference .

Problem phenomenon

Operation and maintenance students in the customer's K8s When the cluster is expanding the capacity of nodes , It is found that the newly added node has failed to be added all the time . The preliminary investigation results are as follows :

  • On the new node , visit K8s master service vip The Internet is not working .
  • On the new node , Direct access K8s master hostIP + 6443 Normal network .
  • On the new node , Access containers for other nodes IP It's ok ping through .
  • On the new node , visit coredns service vip Normal network .

The customer uses Kubernetes The version is 1.13.10, The kernel version of the host is 4.18(centos 8.2).

Troubleshooting process

Received feedback from the front-line colleagues , We have a preliminary suspicion that ipvs The problem of . According to the past experience of network troubleshooting , We did some routine checks on the scene first :

  • Confirm kernel module ip_tables Whether to load ( normal )
  • confirm iptable forward Default accpet ( normal )
  • Confirm whether the host network is normal ( normal )
  • Confirm if the container network is normal ( normal )
  • ...

After eliminating the usual problems , It can basically narrow the scope , Now let's continue based on ipvs Relevant levels of investigation .

1. adopt ipvsadm Order the investigation It's a customer cluster K8s master service vip.
 Insert picture description here
As shown in the figure above , We can see that there is an abnormal connection , be in SYN_RECV The state of , And it can be observed that , Startup time kubelet + kube-proxy There is a normal connection , The explanation is after starting up ,K8s service There's something wrong with the network .

2. tcpdump Caught analysis

Grab the bag at both ends , And pass telnet 443 Command to confirm .

Conclusion : Find out SYN The packet is not sent out on this machine .

3. A preliminary summary

Through the above investigation , We can narrow it down again : The problem is basically kube-proxy On the body . We used ipvs Pattern , I also rely on iptables Configure some network forwarding 、snat、drop etc. .

According to the above investigation process , We've narrowed it down again , Start analyzing the suspect kube-proxy.

4. see kube-proxy journal

 Insert picture description here
As shown in the figure above : Exception log found ,iptables-restore Command execution exception . adopt Google、 Community view , Identify the problem .

relevant issue For links, please refer to :

5. further

Check... By code (1.13.10 edition pkg/proxy/ipvs/proxier.go:1427), It can be found that this version does not judge KUBE-MARK-DROP Whether there is and creates logic . When the chain does not exist , There will be logical flaws , Lead to iptable Command execution failed .

K8s master service vip no , Related to the actual container ip Yes. , The reason for this situation , And the following iptable The rules are about :

iptable -t nat -A KUBE-SERVICES ! -s -m comment --comment "Kubernetes service cluster ip + port for masquerade purpose" -m set --match-set KUBE-CLUSTER-IP dst,dst -j KUBE-MARK-MASQ

6. Root cause research

We already know that kube-proxy 1.13.10 There is a flaw in the version , Without creating KUBE-MARK-DROP In the case of chains , perform iptables-restore Command configuration rules . But why K8s 1.13.10 The version runs in centos8.2 4.18 An error will be reported on the operating system of the kernel , Run in the centos7.6 3.10 The kernel's operating system is normal ?

Let's look at kube-proxy Source code , You can find kube-proxy Actually, it's execution iptables Command to configure rules . Since the kube-proxy Report errors iptables-restore Command fails , We're looking for one 4.18 The kernel machine , Get into kube-proxy Let's see .

Go to the container and execute iptables-save command , You can find kube-proxy There's really no creation in the container KUBE-MARK-DROP chain ( Meet code expectations ). Continue on the host iptables-save command , But I found that there was KUBE-MARK-DROP chain .

There are two questions :

  • Why? 4.18 The kernel host's iptables Yes KUBE-MARK-DROP chain ?
  • Why? 4.18 The kernel host's iptables Rules and kube-proxy The rules in the container are inconsistent ?

The first doubt , Doubt by feeling, except kube-proxy, There will be other programs operating iptables, Keep rolling K8s Code .
Conclusion : It turns out that except for kube-proxy, also kubelet It will also modify iptables The rules . Specific code can be viewed :pkg/kubelet/kubelet_network_linux.go

The second question , Continue to feel ······Google Let's have a look at why kube-proxy The container mounts the host /run/xtables.lock In the case of documents , Hosts and containers iptables The rules for viewing are inconsistent .
​ Conclusion :CentOS 8 Get rid of... On the Internet iptables, use nftables Framework as the default network packet filter tool .

thus , All the mysteries have been solved .

The team has done a lot of customer project delivery , Here are some more questions to answer :​

  • Question 1 : Why do so many customer environments encounter this situation for the first time ?

Because of the need K8s 1.13.10 + centos 8.2 Operating system of , This combination is rare , And problems will arise . upgrade K8s 1.16.0+ There is no such problem .

  • Question two : Why use K8s 1.13.10 + 5.5 The kernel doesn't have this problem ?

Because with centos 8 Operating system , We manually upgrade 5.5 After version , The default is still used iptables frame .

Can pass iptables -v command , To confirm whether to use nftables.
 Insert picture description here

Digression :nftables Who is holy ? Than iptables Good yao ? This is another point worth further learning , There's no more depth here .

Summary and perception

In view of the above problems , Let's summarize the solutions :

  • Adjust the kernel version to 3.10(centos 7.6+), Or manually upgrade the kernel version to 5.0 +;
  • upgrade Kubernetes edition , The current confirmation 1.16.10+ Version does not have this problem .

That's what we're doing Kubernetes A little experience in network troubleshooting , Hope to be able to effectively check , It helps to pinpoint the cause .

If for Erda There are other things you want to know about the project , welcome Add small assistant wechat (Erda202106) Join the community !

Welcome to open source

Erda As an open source one-stop cloud native PaaS platform , Have DevOps、 Microservice observation governance 、 Platform level capabilities such as multi cloud management and fast data governance . Click the link below to participate in open source , Discuss with many developers 、 communication , Build an open source community . Welcome to pay attention 、 Contribution code and Star!

本文为[erda_ terminus_ io]所创,转载请带上原文链接,感谢

  1. 【计算机网络 12(1),尚学堂马士兵Java视频教程
  2. 【程序猿历程,史上最全的Java面试题集锦在这里
  3. 【程序猿历程(1),Javaweb视频教程百度云
  4. Notes on MySQL 45 lectures (1-7)
  5. [computer network 12 (1), Shang Xuetang Ma soldier java video tutorial
  6. The most complete collection of Java interview questions in history is here
  7. [process of program ape (1), JavaWeb video tutorial, baidu cloud
  8. Notes on MySQL 45 lectures (1-7)
  9. 精进 Spring Boot 03:Spring Boot 的配置文件和配置管理,以及用三种方式读取配置文件
  10. Refined spring boot 03: spring boot configuration files and configuration management, and reading configuration files in three ways
  11. 精进 Spring Boot 03:Spring Boot 的配置文件和配置管理,以及用三种方式读取配置文件
  12. Refined spring boot 03: spring boot configuration files and configuration management, and reading configuration files in three ways
  13. 【递归,Java传智播客笔记
  14. [recursion, Java intelligence podcast notes
  15. [adhere to painting for 386 days] the beginning of spring of 24 solar terms
  16. K8S系列第八篇(Service、EndPoints以及高可用kubeadm部署)
  17. K8s Series Part 8 (service, endpoints and high availability kubeadm deployment)
  18. 【重识 HTML (3),350道Java面试真题分享
  19. 【重识 HTML (2),Java并发编程必会的多线程你竟然还不会
  20. 【重识 HTML (1),二本Java小菜鸟4面字节跳动被秒成渣渣
  21. [re recognize HTML (3) and share 350 real Java interview questions
  22. [re recognize HTML (2). Multithreading is a must for Java Concurrent Programming. How dare you not
  23. [re recognize HTML (1), two Java rookies' 4-sided bytes beat and become slag in seconds
  24. 造轮子系列之RPC 1:如何从零开始开发RPC框架
  25. RPC 1: how to develop RPC framework from scratch
  26. 造轮子系列之RPC 1:如何从零开始开发RPC框架
  27. RPC 1: how to develop RPC framework from scratch
  28. 一次性捋清楚吧,对乱糟糟的,Spring事务扩展机制
  29. 一文彻底弄懂如何选择抽象类还是接口,连续四年百度Java岗必问面试题
  30. Redis常用命令
  31. 一双拖鞋引发的血案,狂神说Java系列笔记
  32. 一、mysql基础安装
  33. 一位程序员的独白:尽管我一生坎坷,Java框架面试基础
  34. Clear it all at once. For the messy, spring transaction extension mechanism
  35. A thorough understanding of how to choose abstract classes or interfaces, baidu Java post must ask interview questions for four consecutive years
  36. Redis common commands
  37. A pair of slippers triggered the murder, crazy God said java series notes
  38. 1、 MySQL basic installation
  39. Monologue of a programmer: despite my ups and downs in my life, Java framework is the foundation of interview
  40. 【大厂面试】三面三问Spring循环依赖,请一定要把这篇看完(建议收藏)
  41. 一线互联网企业中,springboot入门项目
  42. 一篇文带你入门SSM框架Spring开发,帮你快速拿Offer
  43. 【面试资料】Java全集、微服务、大数据、数据结构与算法、机器学习知识最全总结,283页pdf
  44. 【leetcode刷题】24.数组中重复的数字——Java版
  45. 【leetcode刷题】23.对称二叉树——Java版
  46. 【leetcode刷题】22.二叉树的中序遍历——Java版
  47. 【leetcode刷题】21.三数之和——Java版
  48. 【leetcode刷题】20.最长回文子串——Java版
  49. 【leetcode刷题】19.回文链表——Java版
  50. 【leetcode刷题】18.反转链表——Java版
  51. 【leetcode刷题】17.相交链表——Java&python版
  52. 【leetcode刷题】16.环形链表——Java版
  53. 【leetcode刷题】15.汉明距离——Java版
  54. 【leetcode刷题】14.找到所有数组中消失的数字——Java版
  55. 【leetcode刷题】13.比特位计数——Java版
  56. oracle控制用户权限命令
  57. 三年Java开发,继阿里,鲁班二期Java架构师
  58. Oracle必须要启动的服务
  59. 万字长文!深入剖析HashMap,Java基础笔试题大全带答案
  60. 一问Kafka就心慌?我却凭着这份,图灵学院vip课程百度云