Mount host's xtable lock and enable calico lokcing for <v3.2.1

2026-03-09 03:37:36 +03:00 · 2019-01-04 11:00:56 -05:00
parent 4959bfc1b3
commit 257019d424
2 changed files with 23 additions and 0 deletions
--- a/roles/network_plugin/canal/templates/canal-node.yaml.j2
+++ b/roles/network_plugin/canal/templates/canal-node.yaml.j2
@@ -173,6 +173,12 @@ spec:
                  fieldPath: spec.nodeName
            - name: FELIX_HEALTHENABLED
              value: "true"
+            # Prior to v3.2.1 iptables didn't acquire the lock, so Calico's own implementation of the lock should be used,
+            # this is not required in later versions https://github.com/projectcalico/calico/issues/2179
+{% if calico_version is version('v3.2.1', '<') %}
+            - name: FELIX_IPTABLESLOCKTIMEOUTSECS
+              value: "10"
+{% endif %}
            # Etcd SSL vars
            - name: ETCD_CA_CERT_FILE
              valueFrom:
@@ -220,6 +226,9 @@ spec:
            - name: "canal-certs"
              mountPath: "{{ canal_cert_dir }}"
              readOnly: true
+            - name: xtables-lock
+              mountPath: /run/xtables.lock
+              readOnly: false
  updateStrategy:
    rollingUpdate:
      maxUnavailable: {{ serial | default('20%') }}