From 257019d42429fda661af2c24435983f1699f9a9f Mon Sep 17 00:00:00 2001
From: Danny Kulchinsky <dannyk@tuenti.com>
Date: Fri, 4 Jan 2019 11:00:56 -0500
Subject: [PATCH] Mount host's xtable lock and enable calico locking for
 <v3.2.1

---
 .../calico/templates/calico-node.yml.j2            | 14 ++++++++++++++
 .../canal/templates/canal-node.yaml.j2             |  9 +++++++++
 2 files changed, 23 insertions(+)

diff --git a/roles/network_plugin/calico/templates/calico-node.yml.j2 b/roles/network_plugin/calico/templates/calico-node.yml.j2
index d8a433679..747db079b 100644
--- a/roles/network_plugin/calico/templates/calico-node.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node.yml.j2
@@ -76,6 +76,12 @@ spec:
               value: "{{ calico_endpoint_to_host_action|default('RETURN') }}"
             - name: FELIX_HEALTHHOST
               value: "{{ calico_healthhost }}"
+            # Prior to v3.2.1 iptables didn't acquire the lock, so Calico's own implementation of the lock should be used,
+            # this is not required in later versions https://github.com/projectcalico/calico/issues/2179
+{% if calico_version is version('v3.2.1', '<') %}
+            - name: FELIX_IPTABLESLOCKTIMEOUTSECS
+              value: "10"
+{% endif %}
 # should be set in etcd before deployment
 #            # Configure the IP Pool from which Pod IPs will be chosen.
 #            - name: CALICO_IPV4POOL_CIDR
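Review bot: The lock timeout at `value: "10"` is the only hard-coded setting in this env block; its neighbours (e.g. `calico_endpoint_to_host_action|default('RETURN')` a few lines above) are driven by Ansible variables with defaults, so for consistency I would write `value: "{{ calico_iptables_lock_timeout_secs | default('10') }}"` (variable name is a suggestion, not an existing one). The same applies to the identical block in canal-node.yaml.j2 (hunk ending at the `ETCD_CA_CERT_FILE` context). The comment could also make the coupling with the mount added later in this patch explicit, since Felix only uses the mounted file because its default lock path is /run/xtables.lock: `# Felix's IptablesLockFilePath defaults to /run/xtables.lock, which is why that host file is mounted into the container`. The enclosing container env list starts and ends outside the hunk.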
@@ -170,6 +176,9 @@ spec:
               readOnly: false
             - mountPath: /calico-secrets
               name: etcd-certs
+            - name: xtables-lock
+              mountPath: /run/xtables.lock
+              readOnly: false
       volumes:
         # Used by calico/node.
         - name: lib-modules
@@ -192,6 +201,11 @@ spec:
         - name: etcd-certs
           hostPath:
             path: "{{ calico_cert_dir }}"
+        # Mount the global iptables lock file, used by calico/node
+        - name: xtables-lock
+          hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
   updateStrategy:
     rollingUpdate:
       maxUnavailable: {{ serial | default('20%') }}
diff --git a/roles/network_plugin/canal/templates/canal-node.yaml.j2 b/roles/network_plugin/canal/templates/canal-node.yaml.j2
index a46608de8..f144c39ed 100644
--- a/roles/network_plugin/canal/templates/canal-node.yaml.j2
+++ b/roles/network_plugin/canal/templates/canal-node.yaml.j2
@@ -173,6 +173,12 @@ spec:
                   fieldPath: spec.nodeName
             - name: FELIX_HEALTHENABLED
               value: "true"
+            # Prior to v3.2.1 iptables didn't acquire the lock, so Calico's own implementation of the lock should be used,
+            # this is not required in later versions https://github.com/projectcalico/calico/issues/2179
+{% if calico_version is version('v3.2.1', '<') %}
+            - name: FELIX_IPTABLESLOCKTIMEOUTSECS
+              value: "10"
+{% endif %}
             # Etcd SSL vars
             - name: ETCD_CA_CERT_FILE
               valueFrom:
@@ -220,6 +226,9 @@ spec:
             - name: "canal-certs"
               mountPath: "{{ canal_cert_dir }}"
               readOnly: true
+            - name: xtables-lock
+              mountPath: /run/xtables.lock
+              readOnly: false
   updateStrategy:
     rollingUpdate:
       maxUnavailable: {{ serial | default('20%') }}
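Review bot: The new `xtables-lock` volumeMount has no matching entry under the pod's `volumes:` — the calico template in this same patch adds both the mount and a `hostPath` volume, but the canal diffstat (9 insertions: 6 for the env var, 3 for this mount) shows only the mount was added here. Unless canal-node.yaml.j2 already declares a volume named `xtables-lock` outside this hunk (the `volumes:` section is earlier in the file and not shown), the API server will reject the DaemonSet because the mount references an undefined volume, and the iptables lock sharing this commit is meant to enable would never take effect on canal nodes. I would mirror the calico change in the canal pod spec:

```yaml
      volumes:
        # … unchanged: existing canal volumes …
        # Mount the global iptables lock file, used by calico/node
        - name: xtables-lock
          hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
```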
-- 
GitLab