kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

Filter xtable wait messages when using firewalld

Browse source 
This gets filtered for raw iptables calls, but not from calls made
through firewalld.   The patch just ensures consistency of operation.
It also adds a warning when xtables contention detected and truncates
the search string slightly as it appears that the suffix will be
changing in the near future.

Signed-off-by: Chris Telfer <ctelfer@docker.com>
This commit is contained in:
Chris Telfer 2018-04-11 11:46:18 -04:00
parent f5aa502856
commit 16e077b884
1 changed files with 24 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

32
libnetwork/iptables/iptables.go
View file

@ -9,6 +9,7 @@ import (
"strconv" "strconv"
"strings" "strings"
"sync" "sync"
"time"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
) )
@ -45,7 +46,7 @@ var (
iptablesPath string iptablesPath string
supportsXlock = false supportsXlock = false
supportsCOpt = false supportsCOpt = false
xLockWaitMsg = "Another app is currently holding the xtables lock; waiting" xLockWaitMsg = "Another app is currently holding the xtables lock"
// used to lock iptables commands if xtables lock is not supported // used to lock iptables commands if xtables lock is not supported
bestEffortLock sync.Mutex bestEffortLock sync.Mutex
// ErrIptablesNotFound is returned when the rule is not found. // ErrIptablesNotFound is returned when the rule is not found.
@ -423,12 +424,31 @@ func existsRaw(table Table, chain string, rule ...string) bool {
return strings.Contains(string(existingRules), ruleString) return strings.Contains(string(existingRules), ruleString)
} }
// Maximum duration that an iptables operation can take
// before flagging a warning.
const opWarnTime = 2 * time.Second
func filterOutput(start time.Time, output []byte, args ...string) []byte {
// Flag operations that have taken a long time to complete
if time.Since(start) > opWarnTime {
logrus.Warnf("xtables contention detected while running [%s]: %q", strings.Join(args, " "), string(output))
}
// ignore iptables' message about xtables lock:
// it is a warning, not an error.
if strings.Contains(string(output), xLockWaitMsg) {
output = []byte("")
}
// Put further filters here if desired
return output
}
// Raw calls 'iptables' system command, passing supplied arguments. // Raw calls 'iptables' system command, passing supplied arguments.
func Raw(args ...string) ([]byte, error) { func Raw(args ...string) ([]byte, error) {
if firewalldRunning { if firewalldRunning {
startTime := time.Now()
output, err := Passthrough(Iptables, args...) output, err := Passthrough(Iptables, args...)
if err == nil || !strings.Contains(err.Error(), "was not provided by any .service files") { if err == nil || !strings.Contains(err.Error(), "was not provided by any .service files") {
return output, err return filterOutput(startTime, output, args...), err
} }
} }
return raw(args...) return raw(args...)
@ -447,17 +467,13 @@ func raw(args ...string) ([]byte, error) {
logrus.Debugf("%s, %v", iptablesPath, args) logrus.Debugf("%s, %v", iptablesPath, args)
startTime := time.Now()
output, err := exec.Command(iptablesPath, args...).CombinedOutput() output, err := exec.Command(iptablesPath, args...).CombinedOutput()
if err != nil { if err != nil {
return nil, fmt.Errorf("iptables failed: iptables %v: %s (%s)", strings.Join(args, " "), output, err) return nil, fmt.Errorf("iptables failed: iptables %v: %s (%s)", strings.Join(args, " "), output, err)
} }
// ignore iptables' message about xtables lock return filterOutput(startTime, output, args...), err
if strings.Contains(string(output), xLockWaitMsg) {
output = []byte("")
}
return output, err
} }
// RawCombinedOutput inernally calls the Raw function and returns a non nil // RawCombinedOutput inernally calls the Raw function and returns a non nil