Issues running on GKE #39
This one is probably partially my bad :-). But there will still be issues since it cannot even schedule the pod in current state |
Ok on newer GKE version, now I just get:
so the BPF issues are resolved at least. BTW - how can I tell it's working? |
Seems clusterrole needs Watch permission on pods |
The following validation ways are possible.
Also, the e2e test example may be helpful: https://github.com/merbridge/merbridge/blob/main/.github/workflows/e2e.yaml |
Also getting On cilium I see in configmap something like |
It seems to me that Merbridge is just emulating the behavior of iptables by forwarding traffic to envoy and doing nothing else, not sure why this is happening. |
Sorry, that problem is in the merbridge pod itself. It has nothing to do with the iptables/ebpf at all. The problem is the daemonset is in host network, and tries to reach cluster IP Service. You cannot do this from a hostnetwork pod |
I have disabled hostnetwork mode: #45 |
Thanks! with latest:
but I do see iptables packets increase...
|
After processing with eBPF, it does not bypass iptables, the traffic will still go through iptables, this is normal. Another way to verify this is to use curl with the |
ah cool. thanks, will try that.
We should probably have a mode to disable iptables in Istio. Right now there isn't a good one I know of.
…On Tue, Feb 8, 2022, 5:27 PM Kebe ***@***.***> wrote:
> After processing with eBPF, it does not bypass iptables, the traffic will still go through iptables, this is normal.
>
> Merbridge works in compatibility mode when the iptables rule is present. You can try disabling iptables (don't run istio init container), or use iptables -t nat -F to clear out all the rules and make the request again, and it will work fine.
>
> Another way to verify this is to use curl with the -v parameter and watch the destination address of the request, if it is 127.128.x.x, then eBPF is also working properly.
|
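The curl check described in the quoted reply above, as an added example that is not part of the thread or of the Merbridge project: it reads `curl -v` output and reports whether the connected address falls in 127.128.0.0/16, taking the thread's "127.128.x.x" literally. The function names and both sample outputs are constructed, and it assumes curl's `* Connected to <host> (<ip>) port <n>` verbose line.

```shell
#!/bin/sh
# Added example (not from the thread): classify the address curl connected to.
# Intended use inside a mesh pod, with a placeholder service URL:
#   curl -sv http://SERVICE/ 2>&1 >/dev/null | classify_curl_output

# Constructed sample outputs; real curl -v output will contain more lines.
SAMPLE_REDIRECTED='* Connected to httpbin (127.128.0.5) port 80 (#0)
> GET /headers HTTP/1.1'
SAMPLE_DIRECT='* Connected to httpbin (10.96.12.34) port 80 (#0)
> GET /headers HTTP/1.1'

# Print the IPv4 address from the first "* Connected to host (ip) port n" line.
connected_ip() {
    sed -n 's/^\* Connected to [^ ]* (\([0-9.]*\)) port .*/\1/p' | head -n 1
}

# Succeed only for a well-formed IPv4 address inside 127.128.0.0/16.
in_merbridge_range() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    [ "$1" -eq 127 ] && [ "$2" -eq 128 ]
}

# Read curl -v output on stdin; print a verdict and return 0, 1 or 2.
classify_curl_output() {
    ip=$(connected_ip)
    if [ -z "$ip" ]; then
        echo "unknown"          # no IPv4 "Connected to" line was found
        return 2
    fi
    if in_merbridge_range "$ip"; then
        echo "redirected $ip"   # destination rewritten, as the reply describes
        return 0
    fi
    echo "not-redirected $ip"   # curl reached some other address
    return 1
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_REDIRECTED" | classify_curl_output || true
printf '%s\n' "$SAMPLE_DIRECT" | classify_curl_output || true
```

Per the same reply, rising iptables counters do not contradict a "redirected" verdict, since traffic still traverses iptables while the rules are present.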
+1, would be nice to have a mode to disable iptables. This is the biggest puzzle for me when following the merbridge blog, since there is no modification to Istio. Only after reading comments here, I confirmed that the iptables are still growing with merbridge unless we disable the iptables in init container. Curious if disabling iptables will help with your performance numbers too @hanxiaop @kebe7jun |
Hi @linsun thanks for commenting, we are working in this direction as well :) |
We have completed the development of CNI mode, but it is still in beta stage, so try it if you need~ |
Initial install fails with
Move to kube-system
Gets it running but has some errors: