From a6b0d46c8453cbadd8c1ab34e81e6d3caf6268e6 Mon Sep 17 00:00:00 2001 From: Claes Mogren Date: Thu, 1 Oct 2020 09:23:04 -0700 Subject: [PATCH] Ignore error on enabling TCP early demux for old kernels --- README.md | 9 +++++---- scripts/init.sh | 2 +- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index b4f6f8eef7..e05fc86a9e 100644 --- a/README.md +++ b/README.md @@ -431,10 +431,11 @@ Type: Boolean as a String Default: `false` -If `ENABLE_POD_ENI` is set to `true`, in order for the kubelet on the node to talk to pods using the per pod security group feature, -`DISABLE_TCP_EARLY_DEMUX` should be set to `true`. This will increase the local TCP connection latency slightly, that is why it is not - on by default. Details on why this is needed can be found in this [#1212 comment](https://github.com/aws/amazon-vpc-cni-k8s/pull/1212#issuecomment-693540666). - +If `ENABLE_POD_ENI` is set to `true`, in order for the kubelet on the node to connect via TCP to pods that are using +per pod security groups, `DISABLE_TCP_EARLY_DEMUX` should be set to `true`. This will increase the local TCP connection +latency slightly, that is why it is not on by default. Details on why this is needed can be found in +this [#1212 comment](https://github.com/aws/amazon-vpc-cni-k8s/pull/1212#issuecomment-693540666). +To use this setting, a Linux kernel version of at least 4.6 is needed on the worker node. ### ENI tags related to Allocation diff --git a/scripts/init.sh b/scripts/init.sh index e7f6a2b7bb..df37afaadb 100755 --- a/scripts/init.sh +++ b/scripts/init.sh @@ -34,7 +34,7 @@ cat "/proc/sys/net/ipv4/conf/$PRIMARY_IF/rp_filter" if [ "${DISABLE_TCP_EARLY_DEMUX:-false}" == "true" ]; then sysctl -w "net.ipv4.tcp_early_demux=0" else - sysctl -w "net.ipv4.tcp_early_demux=1" + sysctl -e -w "net.ipv4.tcp_early_demux=1" fi echo "CNI init container done"
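Review bot: The new README sentence "To use this setting, a Linux kernel version of at least 4.6 is needed on the worker node" does not say what happens on an older kernel. Per the init.sh change in this same patch, the default path now ignores the missing key, while `DISABLE_TCP_EARLY_DEMUX=true` still runs `sysctl -w "net.ipv4.tcp_early_demux=0"` without `-e`. Suggest stating that outcome explicitly, so operators enabling `ENABLE_POD_ENI` on older nodes know the kubelet-to-pod TCP fix will not be applied there. Minor style point in the same paragraph: "latency slightly, that is why it is not on by default" is a comma splice; "slightly, which is why" reads better.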
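Review bot: In scripts/init.sh only the else branch gets `-e`; the `DISABLE_TCP_EARLY_DEMUX=true` branch keeps `sysctl -w "net.ipv4.tcp_early_demux=0"`, so on a kernel without this key it still reports sysctl's raw unknown-key error. That error gives the operator no hint that the 4.6 minimum now documented in the README is the cause. If failing there is intended, suggest guarding that branch with a check that `/proc/sys/net/ipv4/tcp_early_demux` exists and printing a message that names the kernel requirement before exiting. In the else branch, `-e` suppresses the error silently, so a short echo when the key is absent would leave a trace in the init container log that the write was skipped. A comment above the `sysctl -e -w` line explaining why only this branch tolerates a missing key would also help future readers.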