update for containerd?
Hi,
This is a neat tool. I've been trying to get up and running with the network partitioning component, and realized that there's a hard (and silent) dependency on docker -- specifically when running against microk8s w/ containerd, it fails silently as it doesn't match the pod to a docker container / virtual interface, doesn't install any iptables rules, and later throws an error when attempting to heal the partition.
I'm happy to poke at this but was curious if you had particular thoughts on approach? Thx
I'm wondering whether the docker dependency could be dropped altogether, and the worker made agnostic to runtime, by using kubectl exec instead of docker exec to pair up the interface iflink and ifindex?
Another Q: as I understand, every worker on each node calls Reconcile for every NetworkPartition update. This mostly works as workers not on a node hosting the named pod will match no interfaces, and thus insert no firewall rules.
I'm not sure how heal() could work correctly though, since reconciliation on other nodes results in iptables -D INPUT being run (e.g. the inline bash expansion returns no rules), which exits with an error, causing the request to be re-queued for reconciliation ad nauseam.
I tried to use network partitioning as well, although with docker containers. It was not a great success either, so I think I can join this thread.
I set up two pods, with one container in each. Pods were running on two different nodes. I set up the monkey, so it isolates one of the pods on every iteration.
First of all, records in iptables were added randomly if at all. I couldn't find anything in the worker's logs regarding these additions, so I have no idea if this is related to some misconfiguration or anything else.
Even if new rules are added, they are never removed and each NetworkPartition created remains in running state forever. To make it worse, records in iptables stay there after deleting the monkey. In the worker's logs multiple reconciliation errors can be found.
My main question is whether this project is going to be maintained and developed by you guys (atomix) or was it a one-time thing?
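
An added example, not part of the thread or the project's code: a runtime-agnostic sketch of the iflink/ifindex pairing via kubectl exec suggested above, with a heal step that treats "no rules on this node" as success instead of running a bare iptables -D INPUT. The function names, the pod interface name eth0, and the assumption that the partition rules match on the host veth with -i and carry no quoted arguments are all hypothetical.

```shell
#!/bin/sh
# Added sketch; function names and the rule format are assumptions.

# Inside the pod, eth0's iflink is the ifindex of its veth peer on the host.
# kubectl exec does not depend on the container runtime (docker, containerd).
pod_peer_index() {  # args: namespace pod
    kubectl exec -n "$1" "$2" -- cat /sys/class/net/eth0/iflink
}

# Print the interface under $1 (normally /sys/class/net) whose ifindex
# equals $2. Returns 1 when this node does not host the pod.
find_host_veth() {
    for dev in "$1"/*; do
        [ -r "$dev/ifindex" ] || continue
        if [ "$(cat "$dev/ifindex")" = "$2" ]; then
            basename "$dev"
            return 0
        fi
    done
    return 1
}

# Read `iptables -S INPUT` output on stdin and print one delete rule-spec
# per rule bound to interface $1. Prints nothing when no rule matches.
delete_specs() {
    grep -F -- "-i $1 " | sed 's/^-A /-D /'
}

# Heal: delete only rules that exist. An empty match is success, so a worker
# on a node that installed nothing does not fail and get re-queued.
heal() {  # args: host veth name
    specs=$(iptables -S INPUT | delete_specs "$1")
    [ -n "$specs" ] || return 0
    while read -r spec; do
        # Unquoted on purpose: $spec is a whitespace-separated rule-spec.
        iptables $spec || return 1
    done <<EOF
$specs
EOF
}

# Typical flow on a worker (requires kubectl and root, so not run here):
#   idx=$(pod_peer_index default my-pod) &&
#   veth=$(find_host_veth /sys/class/net "$idx") && heal "$veth"
```

A worker whose find_host_veth returns 1 can skip both the partition and the heal for that pod, since the pod is not on its node.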