There is a race condition in the netfilter code where one of several simultaneous connections to the same destination host/port gets rejected. This is visible when DNS requests are made and search domains are configured: multiple simultaneous DNS requests are then made, some of which get rejected and have to be retried.
Workaround seems to be using SNAT --random-fully (unfortunately there seems to be no support for the --random-fully flag for the MASQUERADE target).
More details:
https://tech.xing.com/a-reason-for-unexplained-connection-timeouts-on-kubernetes-docker-abd041cf7e02
https://blog.quentin-machu.fr/2018/06/24/5-15s-dns-lookups-on-kubernetes/
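As an added example (not part of this issue or of Calico's code), the following shell functions audit an `iptables-save` dump for source-translation rules that lack the `--random-fully` flag the issue recommends, and rewrite a single rule into the SNAT `--random-fully` form. The dump, the pod CIDRs and the 192.0.2.x egress addresses are constructed sample values; the rule layout is an assumption about what a typical node's nat table looks like.

```shell
#!/bin/sh
# Added example, not from the issue thread: find NAT rules that still rely on
# MASQUERADE or SNAT without --random-fully, and show the hardened form.

# Constructed sample of `iptables-save -t nat` output (assumed layout).
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.244.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 10.244.0.0/16 ! -d 10.244.0.0/16 -j SNAT --to-source 192.0.2.10 --random-fully
-A POSTROUTING -s 172.17.0.0/16 -j SNAT --to-source 192.0.2.11
COMMIT'

# Print the source-translation rules (SNAT or MASQUERADE) read from stdin
# that do not carry --random-fully; these are the ones exposed to the
# port-allocation race described in the issue.
find_unrandomized_snat() {
    grep -E -- '-j (SNAT|MASQUERADE)' | grep -v -- '--random-fully'
}

# Number of such rules in the constructed sample dump.
count_unrandomized_snat() {
    printf '%s\n' "$SAMPLE_DUMP" | find_unrandomized_snat | wc -l | tr -d ' '
}

# Rewrite one rule line ($2) into the form the issue suggests as a workaround:
# a MASQUERADE rule becomes SNAT --to-source <egress addr> --random-fully
# (the egress address is $1, since SNAT needs an explicit address), and an
# SNAT rule that lacks the flag gets it appended. Rules that already carry
# the flag, or that are not source-translation rules, pass through unchanged.
harden_rule() {
    case "$2" in
        *--random-fully*) printf '%s\n' "$2" ;;
        *-j\ MASQUERADE*) printf '%s\n' "$2" | sed "s/-j MASQUERADE/-j SNAT --to-source $1 --random-fully/" ;;
        *-j\ SNAT*) printf '%s --random-fully\n' "$2" ;;
        *) printf '%s\n' "$2" ;;
    esac
}

# Report on the sample dump and show how each flagged rule would be rewritten
# (192.0.2.10 is the constructed egress address of this node).
printf '%s\n' "$SAMPLE_DUMP" | find_unrandomized_snat | while read -r rule; do
    echo "at risk: $rule"
    echo "hardened: $(harden_rule 192.0.2.10 "$rule")"
done
```

On a real node, `iptables-save -t nat | find_unrandomized_snat` lists the rules to review; the rewrite is shown for illustration and should be applied through whatever manages the node's NAT rules (Calico, kube-proxy, Docker) rather than by editing the live ruleset by hand.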
Hi all,
any update on this? We're seeing the same issue and we'd like to understand if it's something Calico would be happy to pick up
Thanks for the nice article!
According to that, it sounds like we'd need to use a patched version of iptables to set this option?
I don't see why we shouldn't try to fix this, but probably needs some thought into compatibility.
CC @fasaxc
Related flannel PR: https://github.com/coreos/flannel/pull/1040