ipvs proxier doesn't respect graceful termination

[jsravn]

Is this a BUG REPORT or FEATURE REQUEST?:
/kind bug

What happened:
Upon removing an endpoint, the ipvs proxier immediately deletes the ipvs real server, causing all connections to get dropped.

What you expected to happen:
It should allow the terminating pod to gracefully close connections, just like the iptables proxier.

How to reproduce it (as minimally and precisely as possible):

1. Enable ipvs proxier
2. Create a keepalive / long lived connection to a pod (e.g. while :; do echo -e "GET / HTTP/1.1\nhost: $host\n\n"; sleep 5; echo; done | telnet $serviceip 80)
3. Delete that pod - observe the connection gets closed immediately, further requests will fail. On iptables proxier, it will continue to work (until the pod itself stops or closes the connection).

Anything else we need to know?:
The ipvs proxier should instead be setting weight to 0, then reaping the stale real servers after some time period (that should be greater than any pod's graceful termination time). This may also fix the existing bug around UDP connections getting dropped prematurely (#45976).

Environment:

• Kubernetes version (use kubectl version): tested on 1.8, but same issue in 1.9 afaict
• Cloud provider or hardware configuration: AWS
• OS (e.g. from /etc/os-release): Ubuntu 16.04
• Kernel (e.g. uname -a): 4.4.0
• Install tools:
• Others:

[jsravn]

/cc @m1093782566

[k8s-ci-robot]

@jsravn: GitHub didn't allow me to assign the following users: sig-node.

Note that only kubernetes members can be assigned.

Details

In response to this:

/assign sig-node
/cc @m1093782566

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jsravn]

/sig network

[m1093782566]

@jsravn You can assign any IPVS related issue to me directly :)

/assign

/area ipvs

[m1093782566]

@jsravn

I have a question:

The ipvs proxier should instead be setting weight to 0

Why? Currently there is no way to pass the weight to IPVS proxier, so we set weight to 1 by default. What's the advantage of setting weight to 0? Will it resolve this issue?

[jsravn]

@m1093782566 Setting weight to 0 puts the real server into "maintenance mode" so to speak. The scheduler will stop sending new connections to it, but existing connections remain active. It's the correct way to gracefully remove a server from IPVS as far as I know.

So syncEndpoint on endpoint delete should:

1. Set weight to 0 of the real server for the endpoint that is removed
2. Create a delayed task to delete the real server after n seconds, where n > pod grace period (e.g. a sufficiently large enough delay - like 5 minutes or something).

This simulates the same behavior in iptables where TCP connections time out after some period of time rather than being forcefully removed by the proxier.

[m1093782566]

great comment! will try and fix it if works

Thanks

[jsravn]

Hopefully you can fix this for UDP connections too, since iptables proxier suffers from a bug where it drops the udp connection immediately (causing errors when kube-dns is restarted for instance...). It'd be nice if the ipvs proxier could handle that better.