StarlingX

Bug #1817936
Comment #14

Comment 14 for bug 1817936

Revision history for this message

Austin Sun (sunausti) wrote on 2019-07-23:

#14

tcp_test.zip Edit (101.3 KiB, application/zip)

Some more tests are performed based on attached tcp_test.zip
Set-Up K8s with calico CNI On Ubuntu 18.04.1 LTS and CentOS Linux release 7.6.1810
'kubectl create ns policy-demo'
'kubectl apply -f tcp_echo.yaml'
and run test.sh in attached zip.

Ubuntu 18.04.1 result is Good. connected 10000 times.
on CentOS 7.6.1810, connected will failed in 1000 times.
But if readinessProbe was removed from pod in CentOS 7.6.1810. connected 10000 times without any failure.

General info
CentOS Linux release 7.6.1810
docker version:19.03.0
k8s:"v1.15.1"
calico v3.6.4(https://docs.projectcalico.org/v3.6/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.7/calico.yaml)

Ubuntu 18.04.1 LTS
Docker version 18.09.8, build 0dd43dd87f
k8s:"v1.15.1"
calico v3.6.4(https://docs.projectcalico.org/v3.6/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.7/calico.yaml)

centos_trace.cap No 211, 10.10.10.188:1024->192.168.102.134:1237, always Retransmission and failure.
kern.log Line 7189 10.10.10.188:1024->10.101.65.100:1237 can not find this package in tcpdump
In Line 7241 SYN Package Source Port is 42934, But in Line 7242 The SYN ACK Destination Port changed to 1237
Line 7241 Jul 22 23:44:17 localhost kernel: [ 8013.941489] TRACE: nat:KUBE-POSTROUTING:rule:1 IN= OUT=calic3dc5321ad4 SRC=10.10.10.188 DST=192.168.102.134 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23843 DF PROTO=TCP SPT=42934 DPT=1237 SEQ=2847795293 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A0075B57E0000000001030307) UID=1000 GID=1000 MARK=0x4000
Line 7242 Jul 22 23:44:17 localhost kernel: [ 8013.941551] TRACE: raw:PREROUTING:policy:4 IN=calic3dc5321ad4 OUT= MAC=ee:ee:ee:ee:ee:ee:e6:bf:5c:54:84:71:08:00 SRC=192.168.102.134 DST=10.10.10.188 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1237 DPT=1024 SEQ=2976603651 ACK=2847795294 WINDOW=27760 RES=0x00 ACK SYN URGP=0 OPT (020405780402080A0075B57F0075B57E01030307) MARK=0x40000

Some more tests are performed based on attached tcp_test.zip 
Set-Up K8s with calico CNI On Ubuntu 18.04.1 LTS and CentOS Linux release 7.6.1810 
'kubectl create ns policy-demo'
'kubectl apply -f tcp_echo.yaml'
and run test.sh in attached zip.

Ubuntu 18.04.1 result is Good. connected 10000 times.
on CentOS 7.6.1810,  connected will failed in 1000 times. 
But if readinessProbe was removed from pod in CentOS 7.6.1810. connected 10000 times without any failure.

General info
CentOS Linux release 7.6.1810 
docker version:19.03.0
k8s:"v1.15.1"
calico v3.6.4(https://docs.projectcalico.org/v3.6/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.7/calico.yaml)

centos_trace.cap No 211, 10.10.10.188:1024->192.168.102.134:1237, always Retransmission and failure.
kern.log Line 7189 10.10.10.188:1024->10.101.65.100:1237  can not find this package in tcpdump 
In Line 7241 SYN Package Source Port is 42934, But in Line 7242 The SYN ACK Destination Port changed to 1237
Line 7241 Jul 22 23:44:17 localhost kernel: [ 8013.941489] TRACE: nat:KUBE-POSTROUTING:rule:1 IN= OUT=calic3dc5321ad4 SRC=10.10.10.188 DST=192.168.102.134 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23843 DF PROTO=TCP SPT=42934 DPT=1237 SEQ=2847795293 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A0075B57E0000000001030307) UID=1000 GID=1000 MARK=0x4000
Line 7242 Jul 22 23:44:17 localhost kernel: [ 8013.941551] TRACE: raw:PREROUTING:policy:4 IN=calic3dc5321ad4 OUT= MAC=ee:ee:ee:ee:ee:ee:e6:bf:5c:54:84:71:08:00 SRC=192.168.102.134 DST=10.10.10.188 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1237 DPT=1024 SEQ=2976603651 ACK=2847795294 WINDOW=27760 RES=0x00 ACK SYN URGP=0 OPT (020405780402080A0075B57F0075B57E01030307) MARK=0x40000