diff --git a/master/getting-started/kubernetes/installation/hosted/calico.yaml b/master/getting-started/kubernetes/installation/hosted/calico.yaml
index 7272c71a7af..4c1c7a9ec27 100644
--- a/master/getting-started/kubernetes/installation/hosted/calico.yaml
+++ b/master/getting-started/kubernetes/installation/hosted/calico.yaml
@@ -171,6 +171,9 @@ spec:
 - mountPath: /var/run/calico
 name: var-run-calico
 readOnly: false
+ - mountPath: /run
+ name: run
+ readOnly: false
 - mountPath: /calico-secrets
 name: etcd-certs
 # This container installs the Calico CNI binaries
@@ -206,6 +209,11 @@ spec:
 - name: var-run-calico
 hostPath:
 path: /var/run/calico
+ # /run is required by Felix to access the xtables lockfile. We can't map the individual
+ # file in because it may not exist, leading to Docker creating a directory instead.
+ - name: run
+ hostPath:
+ path: /run
 # Used to install CNI.
 - name: cni-bin-dir
 hostPath:
diff --git a/master/getting-started/kubernetes/installation/hosted/kubeadm/1.5/calico.yaml b/master/getting-started/kubernetes/installation/hosted/kubeadm/1.5/calico.yaml
index e4753efdf47..b307e7c2bbb 100644
--- a/master/getting-started/kubernetes/installation/hosted/kubeadm/1.5/calico.yaml
+++ b/master/getting-started/kubernetes/installation/hosted/kubeadm/1.5/calico.yaml
@@ -191,6 +191,9 @@ spec:
 - mountPath: /var/run/calico
 name: var-run-calico
 readOnly: false
+ - mountPath: /run
+ name: run
+ readOnly: false
 # This container installs the Calico CNI binaries
 # and CNI network config file on each node.
 - name: install-cni
@@ -222,6 +225,11 @@ spec:
 - name: var-run-calico
 hostPath:
 path: /var/run/calico
+ # /run is required by Felix to access the xtables lockfile. We can't map the individual
+ # file in because it may not exist, leading to Docker creating a directory instead.
+ - name: run
+ hostPath:
+ path: /run
 # Used to install CNI.
 - name: cni-bin-dir
 hostPath:
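Review bot: The new `run` volume hands the calico-node container read-write access to the host's entire `/run`, not just `xtables.lock`, and the comment on the hostPath only explains the Docker directory-creation problem, not that trade-off. On systemd-based hosts `/var/run` is a symlink to `/run`, so this mount also subsumes the existing `var-run-calico` path and every other runtime socket and pid file under `/run` (a Docker socket included, where one exists). This pod is presumably already privileged and on the host network (not visible in this hunk), so the marginal exposure is limited, but it should be stated: I'd extend the comment with `# NOTE: this grants rw access to all of the host's /run (sockets, pidfiles); narrow it if your platform can mount the lock file alone.` The same applies to the other manifests in this change.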
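Review bot: The comment on the `run` hostPath explains that a missing lock file would be turned into a directory by Docker, but it does not say why the whole of `/run` is the chosen workaround or when a narrower mount becomes possible. Newer Kubernetes releases add a hostPath `type` field (for example `FileOrCreate`) that would let `/run/xtables.lock` alone be mounted; the 1.5 manifest cannot use it, but a TODO documents the intent, e.g. `# TODO: mount only /run/xtables.lock (hostPath type FileOrCreate) once the targeted API supports it.` The enclosing `volumes:` list starts outside the hunk, so I cannot see whether the same lock path is wired into Felix's environment elsewhere in this manifest.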
diff --git a/master/getting-started/kubernetes/installation/hosted/kubeadm/1.6/calico.yaml b/master/getting-started/kubernetes/installation/hosted/kubeadm/1.6/calico.yaml
index 47813489f88..83fc7e230ad 100644
--- a/master/getting-started/kubernetes/installation/hosted/kubeadm/1.6/calico.yaml
+++ b/master/getting-started/kubernetes/installation/hosted/kubeadm/1.6/calico.yaml
@@ -206,6 +206,9 @@ spec:
 - mountPath: /var/run/calico
 name: var-run-calico
 readOnly: false
+ - mountPath: /run
+ name: run
+ readOnly: false
 # This container installs the Calico CNI binaries
 # and CNI network config file on each node.
 - name: install-cni
@@ -237,6 +240,11 @@ spec:
 - name: var-run-calico
 hostPath:
 path: /var/run/calico
+ # /run is required by Felix to access the xtables lockfile. We can't map the individual
+ # file in because it may not exist, leading to Docker creating a directory instead.
+ - name: run
+ hostPath:
+ path: /run
 # Used to install CNI.
 - name: cni-bin-dir
 hostPath:
diff --git a/master/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.5/calico.yaml b/master/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.5/calico.yaml
index 93f66f854b0..fa6a4fa76e5 100644
--- a/master/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.5/calico.yaml
+++ b/master/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.5/calico.yaml
@@ -122,6 +122,9 @@ spec:
 - mountPath: /var/run/calico
 name: var-run-calico
 readOnly: false
+ - mountPath: /run
+ name: run
+ readOnly: false
 # This container installs the Calico CNI binaries
 # and CNI network config file on each node.
 - name: install-cni
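Review bot: The mount only does its job if Felix looks for the lock at `/run/xtables.lock` inside the container, which is the documented default for `IptablesLockFilePath` / `FELIX_IPTABLESLOCKFILEPATH` in this same change but is not mentioned next to the volume; anyone who changes `mountPath` or that setting on one side silently loses locking. I'd make the coupling explicit: `# Mounted at /run so the default FELIX_IPTABLESLOCKFILEPATH (/run/xtables.lock) resolves; keep the two in sync.` Also, the Felix reference in this diff describes `IptablesLockTimeoutSecs` as defaulting to `0` "to disable", and this hunk adds no such env var, so it is not obvious that mounting `/run` alone turns locking on — worth confirming and stating in the comment.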
@@ -152,6 +155,11 @@ spec:
 - name: var-run-calico
 hostPath:
 path: /var/run/calico
+ # /run is required by Felix to access the xtables lockfile. We can't map the individual
+ # file in because it may not exist, leading to Docker creating a directory instead.
+ - name: run
+ hostPath:
+ path: /run
 # Used to install CNI.
 - name: cni-bin-dir
 hostPath:
diff --git a/master/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.6/calico.yaml b/master/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.6/calico.yaml
index 1eff41a7f27..1f04784354f 100644
--- a/master/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.6/calico.yaml
+++ b/master/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.6/calico.yaml
@@ -132,6 +132,9 @@ spec:
 - mountPath: /var/run/calico
 name: var-run-calico
 readOnly: false
+ - mountPath: /run
+ name: run
+ readOnly: false
 # This container installs the Calico CNI binaries
 # and CNI network config file on each node.
 - name: install-cni
@@ -162,6 +165,11 @@ spec:
 - name: var-run-calico
 hostPath:
 path: /var/run/calico
+ # /run is required by Felix to access the xtables lockfile. We can't map the individual
+ # file in because it may not exist, leading to Docker creating a directory instead.
+ - name: run
+ hostPath:
+ path: /run
 # Used to install CNI.
 - name: cni-bin-dir
 hostPath:
diff --git a/master/getting-started/kubernetes/installation/hosted/kubernetes-datastore/policy-only/1.5/calico.yaml b/master/getting-started/kubernetes/installation/hosted/kubernetes-datastore/policy-only/1.5/calico.yaml
index af63a8479b5..513973bb5f8 100644
--- a/master/getting-started/kubernetes/installation/hosted/kubernetes-datastore/policy-only/1.5/calico.yaml
+++ b/master/getting-started/kubernetes/installation/hosted/kubernetes-datastore/policy-only/1.5/calico.yaml
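Review bot: Mounting the host at `/run` inside the container replaces whatever the calico/node image keeps under its own `/run`, and on hosts where `/var/run` is a symlink into `/run` the existing `var-run-calico` mount becomes a nested bind of the same tree; neither is documented at the volume. I cannot tell from this hunk whether the image writes any runtime state under `/run`, but if it does, that state now lands on the host next to other services' sockets. I'd record this beside the hostPath: `# Also shadows the image's own /run; on systemd hosts /var/run -> /run, so var-run-calico sits inside this mount.`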
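Review bot: Clusters that restrict hostPath volumes through an admission policy will now need `/run` permitted for this DaemonSet, and neither the manifest nor the new comment says so; the first failed rollout will surface as an admission rejection rather than a Felix error about the lock. A one-line note is cheap: `# NOTE: if hostPath volumes are restricted by admission policy, /run must be allowed for calico-node.` It is also worth stating why `readOnly: false` is required — the comment says the lock file may not exist yet, so presumably Felix or iptables has to create it and a read-only mount is not an option.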
@@ -119,6 +119,9 @@ spec:
 - mountPath: /var/run/calico
 name: var-run-calico
 readOnly: false
+ - mountPath: /run
+ name: run
+ readOnly: false
 # This container installs the Calico CNI binaries
 # and CNI network config file on each node.
 - name: install-cni
@@ -149,6 +152,11 @@ spec:
 - name: var-run-calico
 hostPath:
 path: /var/run/calico
+ # /run is required by Felix to access the xtables lockfile. We can't map the individual
+ # file in because it may not exist, leading to Docker creating a directory instead.
+ - name: run
+ hostPath:
+ path: /run
 # Used to install CNI.
 - name: cni-bin-dir
 hostPath:
diff --git a/master/getting-started/kubernetes/installation/hosted/kubernetes-datastore/policy-only/1.6/calico.yaml b/master/getting-started/kubernetes/installation/hosted/kubernetes-datastore/policy-only/1.6/calico.yaml
index 65e790ffa5a..b95b8174c0c 100644
--- a/master/getting-started/kubernetes/installation/hosted/kubernetes-datastore/policy-only/1.6/calico.yaml
+++ b/master/getting-started/kubernetes/installation/hosted/kubernetes-datastore/policy-only/1.6/calico.yaml
@@ -129,6 +129,9 @@ spec:
 - mountPath: /var/run/calico
 name: var-run-calico
 readOnly: false
+ - mountPath: /run
+ name: run
+ readOnly: false
 # This container installs the Calico CNI binaries
 # and CNI network config file on each node.
 - name: install-cni
@@ -159,6 +162,11 @@ spec:
 - name: var-run-calico
 hostPath:
 path: /var/run/calico
+ # /run is required by Felix to access the xtables lockfile. We can't map the individual
+ # file in because it may not exist, leading to Docker creating a directory instead.
+ - name: run
+ hostPath:
+ path: /run
 # Used to install CNI.
 - name: cni-bin-dir
 hostPath:
diff --git a/master/getting-started/mesos/installation/vagrant-centos/calico.service b/master/getting-started/mesos/installation/vagrant-centos/calico.service
index e3e6d58078f..d33d881d36c 100644
--- a/master/getting-started/mesos/installation/vagrant-centos/calico.service
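Review bot: The same five-line `run` volume and its two-line comment are now pasted verbatim into seven hosted manifests, so a later correction (for example narrowing the mount or changing the lock path) will have to be repeated by hand and is likely to drift between the etcd, kubeadm, calico-networking and policy-only variants. A short shared note in each copy pointing at the others keeps them honest, e.g. `# Keep in sync with the /run volume in the other hosted calico.yaml manifests.` For the policy-only manifest specifically it would help to say that Felix still programs iptables in this mode (the comment says the mount is required by Felix, so that is the implication) and hence the mount is not optional here either.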
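Review bot: A read-write host mount of `/run` is exactly the shape that runtime-security tooling commonly alerts on (writable host directory containing sockets and pid files), so after this change calico-node will likely start tripping such rules on clusters that run them, and nothing in the manifest tells an operator that this is expected. A comment naming the reason gives security teams something to allow-list against: `# Expected by runtime-security policy: writable host /run is needed only for /run/xtables.lock.` Whether the pod is already privileged, which would make this a no-op from a policy standpoint, is not visible in this hunk.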
+++ b/master/getting-started/mesos/installation/vagrant-centos/calico.service
@@ -19,6 +19,7 @@ ExecStart=/usr/bin/docker run \
 -v /var/log/calico:/var/log/calico \
 -v /run/docker/plugins:/run/docker/plugins \
 -v /var/run/docker.sock:/var/run/docker.sock \
+-v /run:/run \
 -v /var/run/calico:/var/run/calico quay.io/calico/node:{{site.data.versions[page.version].first.title}}
diff --git a/master/getting-started/rkt/installation/manual.md b/master/getting-started/rkt/installation/manual.md
index 4c2c1e8ba43..017d58250a8 100644
--- a/master/getting-started/rkt/installation/manual.md
+++ b/master/getting-started/rkt/installation/manual.md
@@ -73,6 +73,8 @@ sudo rkt run --stage1-path=/usr/share/rkt/stage1-fly.aci \
 --mount=volume=mods,target=/lib/modules \
 --volume=logs,kind=host,source=/var/log/calico,readOnly=false \
 --mount=volume=logs,target=/var/log/calico \
+ --volume=run,kind=host,source=/run,readOnly=false \
+ --mount=volume=run,target=/run \
 --net=host \
 quay.io/calico/node:{{site.data.versions[page.version].first.title}} &
 ```
diff --git a/master/reference/felix/configuration.md b/master/reference/felix/configuration.md
index 8890c8a99ba..19f146fb488 100644
--- a/master/reference/felix/configuration.md
+++ b/master/reference/felix/configuration.md
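Review bot: `-v /run:/run` makes the earlier `-v /run/docker/plugins:/run/docker/plugins` bind, and on systemd hosts where `/var/run` is a symlink to `/run` the `-v /var/run/docker.sock:/var/run/docker.sock` bind too, nested copies of paths the container now already has read-write; that is harmless but reads as if the plugin and Docker-socket access were still the narrowest grant, which they no longer are. Keep them if the unit must also work on hosts where `/var/run` is a separate directory, but say so in the unit: `# /run is bind-mounted whole for the xtables lock; the narrower binds above are kept for hosts where /var/run is not a symlink to /run.` Note the new bind carries no `:ro`/`:rw` suffix, so it is read-write by Docker's default, which is what the lock needs but should be deliberate. The `ExecStart=` line this hunk belongs to begins outside the hunk.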
@@ -62,12 +62,19 @@ The full list of parameters which can be set is as follows. | Setting | Environment variable | Default | Meaning | |-----------------------------------------|-----------------------------------------|--------------------------------------|-----------------------------------------| | DefaultEndpointToHostAction | FELIX_DEFAULTENDPOINTTOHOSTACTION | DROP | This parameter controls what happens to traffic that goes from a workload endpoint to the host itself (after the traffic hits the endpoint egress policy). By default Calico blocks traffic from workload endpoints to the host itself with an iptables "DROP" action. If you want to allow some or all traffic from endpoint to host, set this parameter to "RETURN" or "ACCEPT". Use "RETURN" if you have your own rules in the iptables "INPUT" chain; Calico will insert its rules at the top of that chain, then "RETURN" packets to the "INPUT" chain once it has completed processing workload endpoint egress policy. Use "ACCEPT" to unconditionally accept packets from workloads after processing workload endpoint egress policy. | -| IptablesAllowAction | FELIX_IPTABLESALLOWACTION | ACCEPT | This parameter controls what happens to traffic that is accepted by a felix policy chain. The default will immediately ACCEPT the traffic. Use RETURN to punt the traffic back up to the system chains for further processing. | +| IptablesAllowAction | FELIX_IPTABLESALLOWACTION | ACCEPT | This parameter controls what happens to traffic that is accepted by a felix policy chain. The default will immediately ACCEPT the traffic. Use RETURN to punt the traffic back up to the system chains for further processing. | | IptablesMarkMask | FELIX_IPTABLESMARKMASK | 0xff000000 | Mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal number with at least 8 bits set, none of which clash with any other mark bits in use on the system. 
| -| IptablesRefreshInterval | FELIX_IPTABLESREFRESHINTERVAL | 60 | Period, in seconds, at which felix re-applies all iptables state to ensure that no other process has accidentally broken Calico's rules. Set to 0 to disable iptables refresh. | +| IptablesRefreshInterval | FELIX_IPTABLESREFRESHINTERVAL | 90 | Period, in seconds, at which felix re-checks all iptables state to ensure that no other process has accidentally broken Calico's rules. Set to 0 to disable iptables refresh. | +| IptablesPostWriteCheckIntervalSecs | FELIX_IPTABLESPOSTWRITECHECKINTERVALSECS | 1 | Period, in seconds, after Felix has done a write to the dataplane that it schedules an extra read back in order to check the write was not clobbered by another process. This should only occur if another application on the system doesn't respect the iptables lock. | +| RouteRefreshInterval | FELIX_ROUTEREFRESHINTERVAL | 90 | Period, in seconds, at which felix re-checks the routes in the dataplane to ensure that no other process has accidentally broken Calico's rules. Set to 0 to disable route refresh. | +| IpsetsRefreshInterval | FELIX_IPSETSREFRESHINTERVAL | 10 | Period, in seconds, at which felix re-checks the IP sets in the dataplane to ensure that no other process has accidentally broken Calico's rules. Set to 0 to disable IP sets refresh. Note: the default for this value is lower than the other refresh intervals as a workaround for a [Linux kernel bug](https://github.com/projectcalico/felix/issues/1347) that was fixed in kernel version 4.11. If you are using v4.11 or greater you may want to set this to, a higher value to reduce Felix CPU usage. | +| MaxIpsetSize | FELIX_MAXIPSETSIZE | 1048576 | Maximum size for the ipsets used by Felix to implement tags. Should be set to a number that is greater than the maximum number of IP addresses that are ever expected in a tag. | | ChainInsertMode | FELIX_CHAININSERTMODE | insert | One of "insert" or "append". 
Controls whether Felix hooks the kernel's top-level iptables chains by inserting a rule at the top of the chain or by appending a rule at the bottom. "insert" is the safe default since it prevents Calico's rules from being bypassed. If you switch to "append" mode, be sure that the other rules in the chains signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed. | | LogPrefix | FELIX_LOGPREFIX | calico-packet | The log prefix that Felix uses when rendering LOG rules. | -| MaxIpsetSize | FELIX_MAXIPSETSIZE | 1048576 | Maximum size for the ipsets used by Felix to implement tags. Should be set to a number that is greater than the maximum number of IP addresses that are ever expected in a tag. | +| IptablesLockFilePath | FELIX_IPTABLESLOCKFILEPATH | /run/xtables.lock | Location of the iptables lock file. Felix takes the iptables lock while updating iptables state. You may need to change this if the lock file is not in its standard location (for example if you have mapped it into Felix's container at a different path). | +| IptablesLockTimeoutSecs | FELIX_IPTABLESLOCKTIMEOUTSECS | 0 | Time, in seconds, that Felix will wait for the iptables lock, or 0, to disable. | +| IptablesLockProbeIntervalMillis | FELIX_IPTABLESLOCKPROBEINTERVALMILLIS | 50 | Time, in milliseconds, that Felix will wait between attempts to acquire the iptables lock if it is not available. Lower values make Felix more responsive when the lock is contended but use more CPU. | + #### OpenStack specific configuration
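Review bot: The new `IptablesLockTimeoutSecs` row documents a default of `0` described as "or 0, to disable", while the `IptablesLockFilePath` row just above says Felix takes the iptables lock while updating iptables state, and the manifests in this same change mount `/run` specifically so the lock file is reachable; as written it is unclear whether a default install takes the lock at all. Please spell out what `0` disables (waiting for the lock, or use of the lock entirely) and what Felix does when the timeout expires, for example `Time, in seconds, that Felix will wait for the iptables lock before abandoning that update; 0 disables use of the lock entirely.` if that is the real behaviour. `IptablesLockProbeIntervalMillis` should likewise say whether it is ignored when the timeout is `0`. Minor: the `IpsetsRefreshInterval` row has a stray comma in "set this to, a higher value".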