前言:
kubernetes的网络系统主要由kube-proxy负责,其支持iptables和ipvs以及userspace三种网络负载均衡,在更新负载均衡策略为ipvs后,查看kube-proxy的日志,发现如下警告:
Jul 16 09:32:09 k8s-node1 kube-proxy: I0716 09:32:09.536704 7242 proxier.go:1848] \ Not using `--random-fully` in the MASQUERADE rule for iptables because \ the local version of iptables does not support it
可以看出,此警告仅仅是警告,好像不影响kubernetes集群的运行,但本着万一的原则,还是尽量消除此警告。
此警告表示iptables不支持本地升级,也就是iptables的版本过低,查询iptables的版本如下:
暂无,后面补一个
因此,计划升级iptables到1.6.2,现将iptables的升级过程记录下来,以免后面的人踩坑。
一,安装依赖
配置阿里云epel源(centos7的):
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
yum install gcc make libnftnl-devel libmnl-devel autoconf automake libtool bison flex libnetfilter_conntrack-devel libnetfilter_queue-devel libpcap-devel
这里要注意一哈,libmnl-devel,libnftnl-devel等等几个包需要配置epel源才可以安装,如果有依赖没有安装,比如libmnl-devel,那么编译的时候会报错:
checking for libmnl... no *** Error: No suitable libmnl found. *** Please install the 'libmnl' package Or consider --disable-nftables to skip iptables-compat over nftables support.
如果libnetfilter_conntrack-devel没有安装,将会报模块connlabel 没找到。
二,解压源码包,并进入解压目录,准备编译
wget https://www.netfilter.org/projects/iptables/files/iptables-1.6.2.tar.bz2 --no-check-certificate tar jxf iptables-1.6.2.tar.bz2 cd iptables-1.6.2 ./autogen.sh #此命令输出如下: #libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `build-aux'. libtoolize: copying file `build-aux/ltmain.sh' libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'. libtoolize: copying file `m4/libtool.m4' libtoolize: copying file `m4/ltoptions.m4' libtoolize: copying file `m4/ltsugar.m4' libtoolize: copying file `m4/ltversion.m4' libtoolize: copying file `m4/lt~obsolete.m4'
三,开始编译
这里说明一哈,都是使用的默认编译,编译产物在/usr/local/sbin目录下
./configure
输出如下:
config.status: creating include/iptables/internal.h config.status: creating utils/nfnl_osf.8 config.status: creating config.h config.status: executing depfiles commands config.status: executing libtool commands Iptables Configuration: IPv4 support: yes IPv6 support: yes Devel support: yes IPQ support: no Large file support: yes BPF utils support: no nfsynproxy util support: no nftables support: yes connlabel support: yes Build parameters: Put plugins into executable (static): no Support plugins via dlopen (shared): yes Installation prefix (--prefix): /usr/local Xtables extension directory: /usr/local/lib/xtables Pkg-config directory: /usr/local/lib/pkgconfig Xtables lock file: /run/xtables.lock Host: x86_64-unknown-linux-gnu GCC binary: gcc
安装:
make && make install
输出如下:
/usr/bin/mkdir -p '/usr/local/share/man/man1' /usr/bin/install -c -m 644 iptables-xml.1 '/usr/local/share/man/man1' /usr/bin/mkdir -p '/usr/local/share/man/man8' /usr/bin/install -c -m 644 iptables.8 iptables-restore.8 iptables-save.8 ip6tables.8 ip6tables-restore.8 ip6tables-save.8 iptables-extensions.8 '/usr/local/share/man/man8' /usr/bin/mkdir -p '/usr/local/lib/pkgconfig' /usr/bin/install -c -m 644 xtables.pc '/usr/local/lib/pkgconfig' make[3]: Leaving directory `/root/iptables-1.6.2/iptables' make[2]: Leaving directory `/root/iptables-1.6.2/iptables' make[1]: Leaving directory `/root/iptables-1.6.2/iptables' make[1]: Entering directory `/root/iptables-1.6.2' make[2]: Entering directory `/root/iptables-1.6.2' make[2]: Nothing to be done for `install-exec-am'. /usr/bin/mkdir -p '/usr/local/etc' /usr/bin/install -c -m 644 etc/ethertypes '/usr/local/etc' make[2]: Leaving directory `/root/iptables-1.6.2' make[1]: Leaving directory `/root/iptables-1.6.2'
四,拷贝文件并检测成果
[root@master iptables-1.6.2]# cp /usr/local/sbin/{iptables,iptables-restore,iptables-save} /sbin/ cp: overwrite ‘/sbin/iptables’? y cp: overwrite ‘/sbin/iptables-restore’? y cp: overwrite ‘/sbin/iptables-save’? y
[root@master iptables-1.6.2]# lsmod |grep iptable iptable_mangle 16384 1 iptable_filter 16384 1 iptable_nat 16384 1 nf_nat 49152 2 iptable_nat,xt_MASQUERADE ip_tables 28672 3 iptable_filter,iptable_nat,iptable_mangle
重启kubelet和kube-proxy这两个服务,并查看日志,在也没有警告了,完美解决:
systemctl restart kubelet kube-proxy
0926 17:55:30.579345 10995 server_others.go:183] DetectLocalMode: 'ClusterCIDR' I0926 17:55:30.579358 10995 server_others.go:259] Using ipvs Proxier. I0926 17:55:30.580050 10995 proxier.go:426] nodeIP: 192.168.217.16, isIPv6: false I0926 17:55:30.580518 10995 server.go:583] Version: v1.18.3 I0926 17:55:30.581269 10995 conntrack.go:52] Setting nf_conntrack_max to 262144 I0926 17:55:30.581794 10995 config.go:133] Starting endpoints config controller I0926 17:55:30.581882 10995 shared_informer.go:223] Waiting for caches to sync for endpoints config I0926 17:55:30.581882 10995 config.go:315] Starting service config controller I0926 17:55:30.582000 10995 shared_informer.go:223] Waiting for caches to sync for service config I0926 17:55:30.583390 10995 reflector.go:175] Starting reflector *v1.Service (15m0s) from k8s.io/client-go/informers/factory.go:135 I0926 17:55:30.586917 10995 reflector.go:175] Starting reflector *v1.Endpoints (15m0s) from k8s.io/client-go/informers/factory.go:135 I0926 17:55:30.682204 10995 shared_informer.go:230] Caches are synced for endpoints config I0926 17:55:30.682313 10995 proxier.go:997] Not syncing ipvs rules until Services and Endpoints have been received from master I0926 17:55:30.682462 10995 shared_informer.go:230] Caches are synced for service config I0926 17:55:30.683027 10995 service.go:379] Adding new service port "default/kubernetes:https" at 10.0.0.1:443/TCP I0926 17:55:30.683152 10995 service.go:379] Adding new service port "kube-system/coredns:dns-tcp" at 10.0.0.2:53/TCP I0926 17:55:30.683165 10995 service.go:379] Adding new service port "kube-system/coredns:dns" at 10.0.0.2:53/UDP I0926 17:55:30.683246 10995 proxier.go:1028] Stale udp service kube-system/coredns:dns -> 10.0.0.2
