Posted to commits@mesos.apache.org by ji...@apache.org on 2018/08/07 00:04:41 UTC

[mesos] branch 1.5.x updated (8a1bd29 -> 3ce0e64)

This is an automated email from the ASF dual-hosted git repository.

jieyu pushed a change to branch 1.5.x
in repository https://gitbox.apache.org/repos/asf/mesos.git.


    from 8a1bd29  Added MESOS-9125 to the 1.5.2 CHANGELOG.
     new d2c5d3a  Fixed the iptables deadlock in CNI port mapper plugin.
     new 3ce0e64  Added MESOS-9127 to 1.5.2 CHANGELOG.

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 CHANGELOG                                          |  1 +
 .../cni/plugins/port_mapper/port_mapper.cpp        | 32 ++++++++++++++++++----
 2 files changed, 28 insertions(+), 5 deletions(-)


[mesos] 02/02: Added MESOS-9127 to 1.5.2 CHANGELOG.

Posted by ji...@apache.org.

jieyu pushed a commit to branch 1.5.x
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 3ce0e64ba1d357c0894820f1ced9d51fa68484a7
Author: Jie Yu <yu...@gmail.com>
AuthorDate: Mon Aug 6 17:02:40 2018 -0700

    Added MESOS-9127 to 1.5.2 CHANGELOG.
---
 CHANGELOG | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG b/CHANGELOG
index bc1b62d..70a12fd 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -21,6 +21,7 @@ Release Notes - Mesos - Version 1.5.2 (WIP)
   * [MESOS-9024] - Mesos master segfaults with stack overflow under load.
   * [MESOS-9049] - Agent GC could unmount a dangling persistent volume multiple times.
   * [MESOS-9125] - Port mapper CNI plugin might fail with "Resource temporarily unavailable"
+  * [MESOS-9127] - Port mapper CNI plugin might deadlock iptables on the agent.
 
 
 Release Notes - Mesos - Version 1.5.1


[mesos] 01/02: Fixed the iptables deadlock in CNI port mapper plugin.

Posted by ji...@apache.org.

jieyu pushed a commit to branch 1.5.x
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit d2c5d3a24a842cc2b447a579f3c4128cb915c598
Author: Jie Yu <yu...@gmail.com>
AuthorDate: Wed Aug 1 21:51:08 2018 -0700

    Fixed the iptables deadlock in CNI port mapper plugin.
    
    It is possible that the port mapping cleanup command will cause iptables
    to deadlock if there are a lot of entries in the iptables, because the
    `sed` won't process the next line while executing `iptables -w -t nat -D
    ...`. But the executing of `iptables -w -t nat -D ...` might get stuck
    if the first command `iptables -w -t nat -S <TAG>` didn't finish
    (because the xtables lock is not released). The first command might not
    finish if it has a lot of output, filling the pipe that `sed` hasn't had
    a chance to process yet. See more details in MESOS-9127.
    
    This patch fixed the issue by writing the commands to a file and then
    executing them.
    
    Review: https://reviews.apache.org/r/68158/
---
 .../cni/plugins/port_mapper/port_mapper.cpp        | 32 ++++++++++++++++++----
 1 file changed, 27 insertions(+), 5 deletions(-)

diff --git a/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp b/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp
index b6a619f..a5216cd 100644
--- a/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp
+++ b/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp
@@ -360,16 +360,38 @@ Try<Nothing> PortMapper::addPortMapping(
 
 Try<Nothing> PortMapper::delPortMapping()
 {
+  // The iptables command searches for the DNAT rules with tag
+  // "container_id: <CNI_CONTAINERID>", and if it exists goes ahead
+  // and deletes it.
+  //
+  // NOTE: We use a temp file here, instead of letting `sed` directly
+  // executing the iptables commands because otherwise, it is possible
+  // that the port mapping cleanup command will cause iptables to
+  // deadlock if there are a lot of entires in the iptables, because
+  // the `sed` won't process the next line while executing `iptables
+  // -w -t nat -D ...`. But the executing of `iptables -w -t nat -D
+  // ...` might get stuck if the first command `iptables -w -t nat -S
+  // <TAG>` didn't finish (because the xtables lock is not released).
+  // The first command might not finish if it has a lot of output,
+  // filling the pipe that `sed` hasn't had a chance to process yet.
+  // See details in MESOS-9127.
   string script = strings::format(
       R"~(
       #!/bin/sh
-      exec 1>&2
       set -x
+      set -e
+
+      FILE=$(mktemp)
+
+      cleanup() {
+        rm -f "$FILE"
+      }
+
+      trap cleanup EXIT
 
-      # The iptables command searches for the DNAT rules with tag
-      # "container_id: <CNI_CONTAINERID>", and if it exists goes ahead
-      # and deletes it.
-      iptables -w -t nat -S %s | sed "/%s/ s/-A/iptables -w -t nat -D/e")~",
+      iptables -w -t nat -S %s | sed -n "/%s/ s/-A/iptables -w -t nat -D/p" > $FILE
+      sh $FILE
+      )~",
       chain,
       getIptablesRuleTag()).get();
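
Review bot: on the `iptables -w -t nat -S %s | sed -n ... > $FILE` line, the new `set -e` does not catch a failure of the listing command, because under plain `sh` the pipeline's exit status is that of `sed`. If `iptables -S` fails, `$FILE` is left empty, `sh $FILE` exits 0, and the cleanup reports success while the DNAT rules may still be in place. Consider writing the `-S` output to a temp file first and checking its status before running `sed` over it. `$FILE` is quoted inside `cleanup()` but not in `> $FILE` or `sh $FILE`; quote both for consistency. `sh $FILE` also returns only the status of the last generated `-D` command, so an earlier failed delete goes unnoticed; either run the file with `sh -e` or add a comment saying that continuing past a failed delete is intended. The removal of `exec 1>&2` is not explained in the commit message or in the new comment; please state whether output from the `-D` commands is now meant to reach the plugin's stdout. Nit: "entires" in the new comment should be "entries".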