From f6b620a91ee4d082ebe3b5b7f23b5eed680f5530 Mon Sep 17 00:00:00 2001
From: Stephen Kitt
Date: Tue, 14 Nov 2023 10:06:31 +0100
Subject: [PATCH] Revert "Create xtables.lock as a file if it doesn't already exist"
This reverts commit 93f8d3aa66f1c2f898ef4c6a7a6644fa7a6bf956.
The xtables.lock mount was fixed to specify its type: it must exist as a file, or be created as a file. xtables.lock is only used with legacy iptables. On platforms using iptables-nft, the file isn't used and doesn't exist. As a result, previous versions of Submariner created it as a directory (this is the default behaviour for volume mounts in Kubernetes: if the mount doesn't exist, it is created as a directory). When the volume mount type is specified as a file, the existence of a directory causes the mount to fail and the corresponding pod is never scheduled. To avoid this, revert to the default behaviour. On systems where the lock is important, it already exists so the directory isn't created and the correct behaviour is guaranteed. On systems where the lock isn't needed, it is created as a directory but that doesn't matter. Future releases of Submariner will have to deal with this correctly, and handle upgrades, ideally without mounting all of /run permanently.
Signed-off-by: Stephen Kitt
---
 controllers/submariner/globalnet_resources.go | 2 +-
 controllers/submariner/route_agent_resources.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/controllers/submariner/globalnet_resources.go b/controllers/submariner/globalnet_resources.go
index 858c9f1d4..01885e4f9 100644
--- a/controllers/submariner/globalnet_resources.go
+++ b/controllers/submariner/globalnet_resources.go
@@ -72,7 +72,7 @@ func newGlobalnetDaemonSet(cr *v1alpha1.Submariner, name string) *appsv1.DaemonS
 Spec: corev1.PodSpec{
 Volumes: []corev1.Volume{
 {Name: "host-run-xtables-lock", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{
- Path: "/run/xtables.lock", Type: ptr.To(corev1.HostPathFileOrCreate),
+ Path: "/run/xtables.lock",
 }}},
 },
 Containers: []corev1.Container{
diff --git a/controllers/submariner/route_agent_resources.go b/controllers/submariner/route_agent_resources.go
index 0923eb6db..0d1eabaec 100644
--- a/controllers/submariner/route_agent_resources.go
+++ b/controllers/submariner/route_agent_resources.go
@@ -75,7 +75,7 @@ func newRouteAgentDaemonSet(cr *v1alpha1.Submariner, name string) *appsv1.Daemon
 Volumes: []corev1.Volume{
 // Share /run/xtables.lock with the host for iptables
 {Name: "host-run-xtables-lock", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{
- Path: "/run/xtables.lock", Type: ptr.To(corev1.HostPathFileOrCreate),
+ Path: "/run/xtables.lock",
 }}},
 // Share /run/openvswitch/db.sock and /run/openvswitch/ovnnb_db.sock with the host for OVS/OVN
 {Name: "host-run-openvswitch", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{
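Review bot: Nothing in either hunk records why `Type` is left unset on the `host-run-xtables-lock` HostPath, even though the description explains a non-obvious trade-off: with no type, a node that lacks `/run/xtables.lock` gets a directory created there by the kubelet, and the same applies to the route-agent hunk in route_agent_resources.go. A later reader of newGlobalnetDaemonSet or newRouteAgentDaemonSet would reasonably re-add `HostPathFileOrCreate` and reintroduce the mount failure on nodes where earlier releases already created the directory. I would document it inline on both volumes, e.g. `// Type is intentionally unset: a FileOrCreate mount fails on nodes where earlier releases created /run/xtables.lock as a directory (iptables-nft hosts); the stray directory is harmless there. Revisit once upgrades can clean it up.` Since a HostPath volume writes to the host filesystem, the comment should presumably also note that a node later switched to iptables-legacy would find a directory where the lock file is expected, so that operators know to check for it; newGlobalnetDaemonSet's body continues outside the hunk.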