apiserver: add --permit-address-sharing flag to listen with SO_REUSEADDR #93861
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: sttts
The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/retest
it looks fine to me but there seems to be some debate within the apiserver team about the merits of this flag so i'm going to abstain from lgtm'ing it while that is negotiated.
how does this differ from #88893?
REUSEADDR has different implications than REUSEPORT does, this is adding the former, not the latter. https://stackoverflow.com/questions/14388706/how-do-so-reuseaddr-and-so-reuseport-differ
ah, missed that
@liggitt any objections to add this?
It seems coherent with the I am a little confused by the help text ("...This allows binding to ... specific IPs in parallel..."). Does that mean that the existing reuse-port option is not sufficient to let two servers both bind to
@liggitt take a look at https://stackoverflow.com/a/14388707. The behaviour of this flag is anything but trivial. Compare my downstream (openshift#309) comment:
In other words, this cuts down the time only until the socket is released by the existing process after it has closed it. This avoids that the port is blocked up to minutes sometimes (depending on kernel setting afaik) although the process is long terminated.
If you have a good way to express that in one sentence for release notes, I am open to suggestions. I fear that you have to read the actual kernel docs to really understand what's going on. Nevertheless the feature is without workaround if you really need it.
some verify errors, lgtm otherwise
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/remove-lifecycle stale
Fixed the gofmt error.
/retest
1cf41fb to a2ddaec
/lgtm
@@ -203,6 +207,11 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) { | |||
fs.BoolVar(&s.PermitPortSharing, "permit-port-sharing", s.PermitPortSharing, | |||
"If true, SO_REUSEPORT will be used when binding the port, which allows "+ | |||
"more than one instance to bind on the same address and port. [default=false]") | |||
|
|||
fs.BoolVar(&s.PermitAddressSharing, "permit-address-sharing", s.PermitPortSharing, |
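Review bot: On the added fs.BoolVar(&s.PermitAddressSharing, "permit-address-sharing", ...) line, the default-value argument is s.PermitPortSharing, so the new flag takes its default from the port-sharing field instead of its own. Pass s.PermitAddressSharing as the third argument so the two options stay independent of each other.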
should the s.PermitPortSharing at the end of the line be PermitAddressSharing?
yes, good catch.
/hold
fixed
/hold cancel
/lgtm
a2ddaec to e30adb4
e30adb4 to cef2ab7
/retest Review the full test history for this PR. Silence the bot with an
cc @jdef
If true, SO_REUSEADDR will be used when binding the port. This allows binding to wildcard IPs like 0.0.0.0 and specific IPs in parallel, and it avoids waiting for the kernel to release sockets in TIME_WAIT state.
This is useful when restarting kube-apiserver: sockets in TIME_WAIT can take up to some minutes to be released, depending on kernel settings, preventing the new kube-apiserver instance from launching, even though the old one has long been terminated.
/kind feature
For reference, https://stackoverflow.com/questions/14388706/how-do-so-reuseaddr-and-so-reuseport-differ/14388707#14388707 is a great discussion about the background of SO_REUSEADDR.
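
The restart case described above, as an added Go example (not code from this PR or from Kubernetes): it assumes Linux and a usable loopback interface, and the helpers `listen` and `rebindAfterClose` are hypothetical names. It shows that a port still held by a closed connection in TIME_WAIT can be rebound only when SO_REUSEADDR is set on the new socket.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"syscall"
)

// listen binds a TCP listener with SO_REUSEADDR forced on or off. Go's net package
// enables it on Unix listeners by default, so "off" clears it in the pre-bind hook.
func listen(addr string, reuseAddr bool) (net.Listener, error) {
	val := map[bool]int{false: 0, true: 1}[reuseAddr]
	lc := net.ListenConfig{Control: func(_, _ string, c syscall.RawConn) (err error) {
		cerr := c.Control(func(fd uintptr) {
			err = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_REUSEADDR, val)
		})
		return errors.Join(cerr, err)
	}}
	return lc.Listen(context.Background(), "tcp4", addr)
}

// rebindAfterClose simulates a restart and returns the new listener's bind error.
func rebindAfterClose(reuseAddr bool) error {
	old, err := listen("127.0.0.1:0", true) // constructed: loopback, kernel-chosen port
	if err != nil {
		return err
	}
	client, err := net.Dial("tcp4", old.Addr().String())
	if err != nil {
		return err
	}
	srv, err := old.Accept()
	if err != nil {
		return err
	}
	srv.Close()    // server closes first, so its side of the connection ...
	client.Close() // ... ends up in TIME_WAIT, still holding the port
	old.Close()    // the old process is gone
	next, err := listen(old.Addr().String(), reuseAddr)
	if err != nil {
		return err
	}
	return next.Close()
}

func main() {
	fmt.Println("with SO_REUSEADDR:", rebindAfterClose(true), "| without:", rebindAfterClose(false))
}
```

Without the option the second bind fails with "address already in use" until the kernel expires the TIME_WAIT entry.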