
Re: Socket activation

Can we run socat behind iptables in a massively multiplexed fashion?  I think the hard part here is the handoff - we want to be able to go from idle to active without interrupting a connection.  Can we change iptables midflight to start routing incoming packets to the backend if we had a tcp proxy handling idle connections?


   Client (tcp)
      ^ |
      | v
    iptables   -> tcp proxy (queues packets to idled containers until they start)
    on node           | ^
                      v |
                   recently unidled app

We need to anticipate 20-30k ports being proxied, with up to thousands of containers waiting to be unidled.  In that model, can you activate via the tcp proxy, and proxy long enough for iptables to restart and start sending packets to the unidled container?  You don't want your proxy trafficking for longer than a few seconds after the container is unidled, but is there a reliable way to combine iptables + socat/other proxy so that we can hand the initial connection back off to iptables without screwing up the flow of packets back to the client?
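An added example, not code from this thread or from OpenShift, showing the fd-passing alternative discussed above: a supervisor binds the port and sits idle without accepting, so the kernel completes the client's handshake into the backlog while the app is started, and the app adopts the already-bound socket. No SYN is dropped and no iptables rule changes at start-up. The `LISTEN_FD` environment variable is this example's own convention (systemd passes fd 3 and `LISTEN_FDS` instead), and the child script is a constructed stand-in for an idled cartridge.

```python
import os
import select
import socket
import subprocess
import sys

# Constructed stand-in for the app: adopt the inherited listening socket
# and answer the first client. The handshake was already completed by the
# kernel while this process was still starting up.
APP_SCRIPT = r'''
import os, socket
fd = int(os.environ["LISTEN_FD"])          # fd number passed by the supervisor
ls = socket.socket(fileno=fd)              # adopt, do not re-bind
conn, _ = ls.accept()                      # already in the backlog
conn.sendall(b"unidled:" + conn.recv(64))
conn.close()
'''

def idle_listen(port=0):
    """Bind and listen, but never accept: the backlog holds pending clients."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(("127.0.0.1", port))
    ls.listen(16)
    return ls

def wait_and_activate(ls, timeout=10.0):
    """Block until a client is pending, then start the app with the socket inherited."""
    ready, _, _ = select.select([ls], [], [], timeout)
    if not ready:
        return None
    env = dict(os.environ, LISTEN_FD=str(ls.fileno()))   # example's own convention
    return subprocess.Popen([sys.executable, "-c", APP_SCRIPT],
                            pass_fds=(ls.fileno(),), env=env)

def demo():
    """Connect while nothing is accepting, then unidle and read the reply."""
    ls = idle_listen()
    port = ls.getsockname()[1]
    client = socket.create_connection(("127.0.0.1", port))  # completes with no app running
    proc = wait_and_activate(ls)
    client.sendall(b"hello")
    reply = client.recv(64)
    client.close()
    proc.wait(timeout=10)
    ls.close()
    return reply

if __name__ == "__main__":
    print(demo())
```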

----- Original Message -----
> On Wed, Aug 28, 2013 at 9:28 AM, Krishna Raman <kraman gmail com> wrote:
> > So this is the current plan:
> >
> > 1) Idle the container and have sockets for each cartridge listening on a
> > 169.254.*.* address on the container
> > 2) When a SYN request comes in container is unidled and openshift container
> > init process is started
> > 3) Process triggers changes in IPtables which sets up a forwarding rule
> > from the 169.254.*.* to the NAT'd address the cartridge is listening on
> >         - SYN times out, and tcp retry sends another SYN which is sent to
> >         the cartridge
> >         - connection is established as usual
> I just got back from Burning Man, so I can reply now.
> I share Clayton's concern about SYN-based un-idling. I manage the
> network at my office with smart routers and switches, and their
> failure-detection might trip if SYNs consistently get ignored.
> Have you looked into environment-based socket passing with a shim like
> socat? socat already supports specifying a socket using a file
> descriptor, and it can forward to and from sockets in the container's
> network namespace. It seems like it would be equivalent in
> functionality and compatibility with SYN timeout and iptables but
> without breaking the TCP spec or requiring global firewall changes at
> container start-up time.
> --
> David Strauss
>    | david davidstrauss net
>    | +1 512 577 5827 [mobile]
> _______________________________________________
> dev mailing list
> dev lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
