[WiP] Update docs and manifests for adding iptables lock support to Felix #902

Closed
wants to merge 4 commits into from
Expand Up @@ -171,6 +171,9 @@ spec:
- mountPath: /var/run/calico
name: var-run-calico
readOnly: false
- mountPath: /run
name: run
readOnly: false
- mountPath: /calico-secrets
name: etcd-certs
# This container installs the Calico CNI binaries
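Review bot: the new `/run` mount at this position is read-write on the whole host `/run`, which is much wider than the `/var/run/calico` mount directly above it, and the mount itself carries no hint of why; a reader of the container spec only learns the reason from the volume definition further down the file. Suggest a one-line comment on the mount (for example `# Host /run: Felix needs /run/xtables.lock`) so the two halves stay in sync if either is edited later, and keep `readOnly: false`, since the lock file may not exist yet and has to be creatable from inside the container. The same mount is added identically in the six manifest hunks below, so any wording chosen here should be applied to all of them.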
Expand Down Expand Up @@ -206,6 +209,11 @@ spec:
- name: var-run-calico
hostPath:
path: /var/run/calico
# /run is required by Felix to access the xtables lockfile. We can't map the individual
# file in because it may not exist, leading to Docker creating a directory instead.
- name: run
hostPath:
path: /run
# Used to install CNI.
- name: cni-bin-dir
hostPath:
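Review bot: the comment explains why the single file cannot be mapped, but not the trade-off that results: the host's entire `/run` is now shared read-write with the calico-node pod, and the systemd unit in this same PR shows what else lives there (`/run/docker/plugins`, and the Docker socket under `/var/run`). Two suggestions for this volume definition: extend the comment to say explicitly that the whole directory is shared and why that is acceptable for this pod; and, for clusters on Kubernetes 1.8 or later, mention `hostPath.type: FileOrCreate`, which maps the lock file alone and avoids the directory-creation problem the comment describes, as the narrower option. The identical volume appears in the six manifests below and should carry the same wording.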
Expand Up @@ -191,6 +191,9 @@ spec:
- mountPath: /var/run/calico
name: var-run-calico
readOnly: false
- mountPath: /run
name: run
readOnly: false
# This container installs the Calico CNI binaries
# and CNI network config file on each node.
- name: install-cni
Expand Down Expand Up @@ -222,6 +225,11 @@ spec:
- name: var-run-calico
hostPath:
path: /var/run/calico
# /run is required by Felix to access the xtables lockfile. We can't map the individual
# file in because it may not exist, leading to Docker creating a directory instead.
- name: run
hostPath:
path: /run
# Used to install CNI.
- name: cni-bin-dir
hostPath:
Expand Up @@ -206,6 +206,9 @@ spec:
- mountPath: /var/run/calico
name: var-run-calico
readOnly: false
- mountPath: /run
name: run
readOnly: false
# This container installs the Calico CNI binaries
# and CNI network config file on each node.
- name: install-cni
Expand Down Expand Up @@ -237,6 +240,11 @@ spec:
- name: var-run-calico
hostPath:
path: /var/run/calico
# /run is required by Felix to access the xtables lockfile. We can't map the individual
# file in because it may not exist, leading to Docker creating a directory instead.
- name: run
hostPath:
path: /run
# Used to install CNI.
- name: cni-bin-dir
hostPath:
Expand Up @@ -122,6 +122,9 @@ spec:
- mountPath: /var/run/calico
name: var-run-calico
readOnly: false
- mountPath: /run
name: run
readOnly: false
# This container installs the Calico CNI binaries
# and CNI network config file on each node.
- name: install-cni
Expand Down Expand Up @@ -152,6 +155,11 @@ spec:
- name: var-run-calico
hostPath:
path: /var/run/calico
# /run is required by Felix to access the xtables lockfile. We can't map the individual
# file in because it may not exist, leading to Docker creating a directory instead.
- name: run
hostPath:
path: /run
# Used to install CNI.
- name: cni-bin-dir
hostPath:
Expand Up @@ -132,6 +132,9 @@ spec:
- mountPath: /var/run/calico
name: var-run-calico
readOnly: false
- mountPath: /run
name: run
readOnly: false
# This container installs the Calico CNI binaries
# and CNI network config file on each node.
- name: install-cni
Expand Down Expand Up @@ -162,6 +165,11 @@ spec:
- name: var-run-calico
hostPath:
path: /var/run/calico
# /run is required by Felix to access the xtables lockfile. We can't map the individual
# file in because it may not exist, leading to Docker creating a directory instead.
- name: run
hostPath:
path: /run
# Used to install CNI.
- name: cni-bin-dir
hostPath:
Expand Up @@ -119,6 +119,9 @@ spec:
- mountPath: /var/run/calico
name: var-run-calico
readOnly: false
- mountPath: /run
name: run
readOnly: false
# This container installs the Calico CNI binaries
# and CNI network config file on each node.
- name: install-cni
Expand Down Expand Up @@ -149,6 +152,11 @@ spec:
- name: var-run-calico
hostPath:
path: /var/run/calico
# /run is required by Felix to access the xtables lockfile. We can't map the individual
# file in because it may not exist, leading to Docker creating a directory instead.
- name: run
hostPath:
path: /run
# Used to install CNI.
- name: cni-bin-dir
hostPath:
Expand Up @@ -129,6 +129,9 @@ spec:
- mountPath: /var/run/calico
name: var-run-calico
readOnly: false
- mountPath: /run
name: run
readOnly: false
# This container installs the Calico CNI binaries
# and CNI network config file on each node.
- name: install-cni
Expand Down Expand Up @@ -159,6 +162,11 @@ spec:
- name: var-run-calico
hostPath:
path: /var/run/calico
# /run is required by Felix to access the xtables lockfile. We can't map the individual
# file in because it may not exist, leading to Docker creating a directory instead.
- name: run
hostPath:
path: /run
# Used to install CNI.
- name: cni-bin-dir
hostPath:
Expand Up @@ -19,6 +19,7 @@ ExecStart=/usr/bin/docker run \
-v /var/log/calico:/var/log/calico \
-v /run/docker/plugins:/run/docker/plugins \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /run:/run \
-v /var/run/calico:/var/run/calico quay.io/calico/node:{{site.data.versions[page.version].first.title}}


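Review bot: `-v /run:/run` overlaps the existing `-v /run/docker/plugins:/run/docker/plugins` two lines above it (and, on hosts where `/var/run` is a symlink to `/run`, the `docker.sock` and `/var/run/calico` mounts as well). Nested bind mounts do work, but the narrower `/run/docker/plugins` mount becomes redundant once all of `/run` is mapped; either drop it or add a comment explaining why both are kept. The surrounding docs should also state that this line is what gives Felix access to `/run/xtables.lock`, as the comment in the Kubernetes manifests does; the unit file on its own gives no reason for the change.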
2 changes: 2 additions & 0 deletions master/getting-started/rkt/installation/manual.md
Expand Up @@ -73,6 +73,8 @@ sudo rkt run --stage1-path=/usr/share/rkt/stage1-fly.aci \
--mount=volume=mods,target=/lib/modules \
--volume=logs,kind=host,source=/var/log/calico,readOnly=false \
--mount=volume=logs,target=/var/log/calico \
--volume=run,kind=host,source=/run,readOnly=false \
--mount=volume=run,target=/run \
--net=host \
quay.io/calico/node:{{site.data.versions[page.version].first.title}} &
```
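Review bot: the new `run` volume is `readOnly=false` on the host's entire `/run`, and unlike the Kubernetes manifests in this PR there is no comment or prose telling the reader why. Suggest a sentence after this code block stating that Felix needs write access to `/run/xtables.lock` and that the directory rather than the file is mounted because the lock file may not exist yet on the host.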
13 changes: 10 additions & 3 deletions master/reference/felix/configuration.md
Expand Up @@ -62,12 +62,19 @@ The full list of parameters which can be set is as follows.
| Setting | Environment variable | Default | Meaning |
|-----------------------------------------|-----------------------------------------|--------------------------------------|-----------------------------------------|
| DefaultEndpointToHostAction | FELIX_DEFAULTENDPOINTTOHOSTACTION | DROP | This parameter controls what happens to traffic that goes from a workload endpoint to the host itself (after the traffic hits the endpoint egress policy). By default Calico blocks traffic from workload endpoints to the host itself with an iptables "DROP" action. If you want to allow some or all traffic from endpoint to host, set this parameter to "RETURN" or "ACCEPT". Use "RETURN" if you have your own rules in the iptables "INPUT" chain; Calico will insert its rules at the top of that chain, then "RETURN" packets to the "INPUT" chain once it has completed processing workload endpoint egress policy. Use "ACCEPT" to unconditionally accept packets from workloads after processing workload endpoint egress policy. |
| IptablesAllowAction | FELIX_IPTABLESALLOWACTION | ACCEPT | This parameter controls what happens to traffic that is accepted by a felix policy chain. The default will immediately ACCEPT the traffic. Use RETURN to punt the traffic back up to the system chains for further processing. |
| IptablesAllowAction | FELIX_IPTABLESALLOWACTION | ACCEPT | This parameter controls what happens to traffic that is accepted by a felix policy chain. The default will immediately ACCEPT the traffic. Use RETURN to punt the traffic back up to the system chains for further processing. |
| IptablesMarkMask | FELIX_IPTABLESMARKMASK | 0xff000000 | Mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal number with at least 8 bits set, none of which clash with any other mark bits in use on the system. |
| IptablesRefreshInterval | FELIX_IPTABLESREFRESHINTERVAL | 60 | Period, in seconds, at which felix re-applies all iptables state to ensure that no other process has accidentally broken Calico's rules. Set to 0 to disable iptables refresh. |
| IptablesRefreshInterval | FELIX_IPTABLESREFRESHINTERVAL | 90 | Period, in seconds, at which felix re-checks all iptables state to ensure that no other process has accidentally broken Calico's rules. Set to 0 to disable iptables refresh. |
| IptablesPostWriteCheckIntervalSecs | FELIX_IPTABLESPOSTWRITECHECKINTERVALSECS | 1 | Period, in seconds, after Felix has done a write to the dataplane that it schedules an extra read back in order to check the write was not clobbered by another process. This should only occur if another application on the system doesn't respect the iptables lock. |
| RouteRefreshInterval | FELIX_ROUTEREFRESHINTERVAL | 90 | Period, in seconds, at which felix re-checks the routes in the dataplane to ensure that no other process has accidentally broken Calico's rules. Set to 0 to disable route refresh. |
| IpsetsRefreshInterval | FELIX_IPSETSREFRESHINTERVAL | 10 | Period, in seconds, at which felix re-checks the IP sets in the dataplane to ensure that no other process has accidentally broken Calico's rules. Set to 0 to disable IP sets refresh. Note: the default for this value is lower than the other refresh intervals as a workaround for a [Linux kernel bug](https://github.com/projectcalico/felix/issues/1347) that was fixed in kernel version 4.11. If you are using v4.11 or greater you may want to set this to, a higher value to reduce Felix CPU usage. |
| MaxIpsetSize | FELIX_MAXIPSETSIZE | 1048576 | Maximum size for the ipsets used by Felix to implement tags. Should be set to a number that is greater than the maximum number of IP addresses that are ever expected in a tag. |
| ChainInsertMode | FELIX_CHAININSERTMODE | insert | One of "insert" or "append". Controls whether Felix hooks the kernel's top-level iptables chains by inserting a rule at the top of the chain or by appending a rule at the bottom. "insert" is the safe default since it prevents Calico's rules from being bypassed. If you switch to "append" mode, be sure that the other rules in the chains signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed. |
| LogPrefix | FELIX_LOGPREFIX | calico-packet | The log prefix that Felix uses when rendering LOG rules. |
| MaxIpsetSize | FELIX_MAXIPSETSIZE | 1048576 | Maximum size for the ipsets used by Felix to implement tags. Should be set to a number that is greater than the maximum number of IP addresses that are ever expected in a tag. |
| IptablesLockFilePath | FELIX_IPTABLESLOCKFILEPATH | /run/xtables.lock | Location of the iptables lock file. Felix takes the iptables lock while updating iptables state. You may need to change this if the lock file is not in its standard location (for example if you have mapped it into Felix's container at a different path). |
| IptablesLockTimeoutSecs | FELIX_IPTABLESLOCKTIMEOUTSECS | 0 | Time, in seconds, that Felix will wait for the iptables lock, or 0, to disable. |
| IptablesLockProbeIntervalMillis | FELIX_IPTABLESLOCKPROBEINTERVALMILLIS | 50 | Time, in milliseconds, that Felix will wait between attempts to acquire the iptables lock if it is not available. Lower values make Felix more responsive when the lock is contended but use more CPU. |


#### OpenStack specific configuration

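Review bot: the `IptablesLockTimeoutSecs` row is ambiguous: "or 0, to disable" could mean that Felix does not take the lock at all, or that it gives up immediately if the lock is already held. Since 0 is the default, the row should say exactly which, and what Felix does on contention, because the `IptablesPostWriteCheckIntervalSecs` row above relies on every writer respecting the lock. Three smaller points in the same hunk: the `IptablesRefreshInterval` default moves from 60 to 90 and its wording from "re-applies" to "re-checks", which is a behaviour change worth a release-note line; the `IptablesAllowAction` row is removed and re-added with no visible difference (likely whitespace only), which adds noise to the diff; and the `IpsetsRefreshInterval` text has a stray comma in "set this to, a higher value".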