*: update kube vendor to v1.7.4

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

vendor/k8s.io/kubernetes/pkg/util/async/bounded_frequency_runner.go

@@ -0,0 +1,239 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package async
+
+import (
+	"fmt"
+	"sync"
+	"time"
+
+	"k8s.io/client-go/util/flowcontrol"
+
+	"github.com/golang/glog"
+)
+
+// BoundedFrequencyRunner manages runs of a user-provided function.
+// See NewBoundedFrequencyRunner for examples.
+type BoundedFrequencyRunner struct {
+	name        string        // the name of this instance
+	minInterval time.Duration // the min time between runs, modulo bursts
+	maxInterval time.Duration // the max time between runs
+
+	run chan struct{} // try an async run
+
+	mu      sync.Mutex  // guards runs of fn and all mutations
+	fn      func()      // function to run
+	lastRun time.Time   // time of last run
+	timer   timer       // timer for deferred runs
+	limiter rateLimiter // rate limiter for on-demand runs
+}
+
+// designed so that flowcontrol.RateLimiter satisfies
+type rateLimiter interface {
+	TryAccept() bool
+	Stop()
+}
+
+type nullLimiter struct{}
+
+func (nullLimiter) TryAccept() bool {
+	return true
+}
+
+func (nullLimiter) Stop() {}
+
+var _ rateLimiter = nullLimiter{}
+
+// for testing
+type timer interface {
+	// C returns the timer's selectable channel.
+	C() <-chan time.Time
+
+	// See time.Timer.Reset.
+	Reset(d time.Duration) bool
+
+	// See time.Timer.Stop.
+	Stop() bool
+
+	// See time.Now.
+	Now() time.Time
+
+	// See time.Since.
+	Since(t time.Time) time.Duration
+
+	// See time.Sleep.
+	Sleep(d time.Duration)
+}
+
+// implement our timer in terms of std time.Timer.
+type realTimer struct {
+	*time.Timer
+}
+
+func (rt realTimer) C() <-chan time.Time {
+	return rt.Timer.C
+}
+
+func (rt realTimer) Now() time.Time {
+	return time.Now()
+}
+
+func (rt realTimer) Since(t time.Time) time.Duration {
+	return time.Since(t)
+}
+
+func (rt realTimer) Sleep(d time.Duration) {
+	time.Sleep(d)
+}
+
+var _ timer = realTimer{}
+
+// NewBoundedFrequencyRunner creates a new BoundedFrequencyRunner instance,
+// which will manage runs of the specified function.
+//
+// All runs will be async to the caller of BoundedFrequencyRunner.Run, but
+// multiple runs are serialized. If the function needs to hold locks, it must
+// take them internally.
+//
+// Runs of the funtion will have at least minInterval between them (from
+// completion to next start), except that up to bursts may be allowed.  Burst
+// runs are "accumulated" over time, one per minInterval up to burstRuns total.
+// This can be used, for example, to mitigate the impact of expensive operations
+// being called in response to user-initiated operations. Run requests that
+// would violate the minInterval are coallesced and run at the next opportunity.
+//
+// The function will be run at least once per maxInterval. For example, this can
+// force periodic refreshes of state in the absence of anyone calling Run.
+//
+// Examples:
+//
+// NewBoundedFrequencyRunner("name", fn, time.Second, 5*time.Second, 1)
+// - fn will have at least 1 second between runs
+// - fn will have no more than 5 seconds between runs
+//
+// NewBoundedFrequencyRunner("name", fn, 3*time.Second, 10*time.Second, 3)
+// - fn will have at least 3 seconds between runs, with up to 3 burst runs
+// - fn will have no more than 10 seconds between runs
+//
+// The maxInterval must be greater than or equal to the minInterval,  If the
+// caller passes a maxInterval less than minInterval, this function will panic.
+func NewBoundedFrequencyRunner(name string, fn func(), minInterval, maxInterval time.Duration, burstRuns int) *BoundedFrequencyRunner {
+	timer := realTimer{Timer: time.NewTimer(0)} // will tick immediately
+	<-timer.C()                                 // consume the first tick
+	return construct(name, fn, minInterval, maxInterval, burstRuns, timer)
+}
+
+// Make an instance with dependencies injected.
+func construct(name string, fn func(), minInterval, maxInterval time.Duration, burstRuns int, timer timer) *BoundedFrequencyRunner {
+	if maxInterval < minInterval {
+		panic(fmt.Sprintf("%s: maxInterval (%v) must be >= minInterval (%v)", name, minInterval, maxInterval))
+	}
+	if timer == nil {
+		panic(fmt.Sprintf("%s: timer must be non-nil", name))
+	}
+
+	bfr := &BoundedFrequencyRunner{
+		name:        name,
+		fn:          fn,
+		minInterval: minInterval,
+		maxInterval: maxInterval,
+		run:         make(chan struct{}, 1),
+		timer:       timer,
+	}
+	if minInterval == 0 {
+		bfr.limiter = nullLimiter{}
+	} else {
+		// allow burst updates in short succession
+		qps := float32(time.Second) / float32(minInterval)
+		bfr.limiter = flowcontrol.NewTokenBucketRateLimiterWithClock(qps, burstRuns, timer)
+	}
+	return bfr
+}
+
+// Loop handles the periodic timer and run requests.  This is expected to be
+// called as a goroutine.
+func (bfr *BoundedFrequencyRunner) Loop(stop <-chan struct{}) {
+	glog.V(3).Infof("%s Loop running", bfr.name)
+	bfr.timer.Reset(bfr.maxInterval)
+	for {
+		select {
+		case <-stop:
+			bfr.stop()
+			glog.V(3).Infof("%s Loop stopping", bfr.name)
+			return
+		case <-bfr.timer.C():
+			bfr.tryRun()
+		case <-bfr.run:
+			bfr.tryRun()
+		}
+	}
+}
+
+// Run the function as soon as possible.  If this is called while Loop is not
+// running, the call may be deferred indefinitely.
+// If there is already a queued request to call the underlying function, it
+// may be dropped - it is just guaranteed that we will try calling the
+// underlying function as soon as possible starting from now.
+func (bfr *BoundedFrequencyRunner) Run() {
+	// If it takes a lot of time to run the underlying function, noone is really
+	// processing elements from <run> channel. So to avoid blocking here on the
+	// putting element to it, we simply skip it if there is already an element
+	// in it.
+	select {
+	case bfr.run <- struct{}{}:
+	default:
+	}
+}
+
+// assumes the lock is not held
+func (bfr *BoundedFrequencyRunner) stop() {
+	bfr.mu.Lock()
+	defer bfr.mu.Unlock()
+	bfr.limiter.Stop()
+	bfr.timer.Stop()
+}
+
+// assumes the lock is not held
+func (bfr *BoundedFrequencyRunner) tryRun() {
+	bfr.mu.Lock()
+	defer bfr.mu.Unlock()
+
+	if bfr.limiter.TryAccept() {
+		// We're allowed to run the function right now.
+		bfr.fn()
+		bfr.lastRun = bfr.timer.Now()
+		bfr.timer.Stop()
+		bfr.timer.Reset(bfr.maxInterval)
+		glog.V(3).Infof("%s: ran, next possible in %v, periodic in %v", bfr.name, bfr.minInterval, bfr.maxInterval)
+		return
+	}
+
+	// It can't run right now, figure out when it can run next.
+
+	elapsed := bfr.timer.Since(bfr.lastRun)    // how long since last run
+	nextPossible := bfr.minInterval - elapsed  // time to next possible run
+	nextScheduled := bfr.maxInterval - elapsed // time to next periodic run
+	glog.V(4).Infof("%s: %v since last run, possible in %v, scheduled in %v", bfr.name, elapsed, nextPossible, nextScheduled)
+
+	if nextPossible < nextScheduled {
+		// Set the timer for ASAP, but don't drain here.  Assuming Loop is running,
+		// it might get a delivery in the mean time, but that is OK.
+		bfr.timer.Stop()
+		bfr.timer.Reset(nextPossible)
+		glog.V(3).Infof("%s: throttled, scheduling run in %v", bfr.name, nextPossible)
+	}
+}

vendor/k8s.io/kubernetes/pkg/util/async/runner.go

@@ -0,0 +1,58 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package async
+
+import (
+	"sync"
+)
+
+// Runner is an abstraction to make it easy to start and stop groups of things that can be
+// described by a single function which waits on a channel close to exit.
+type Runner struct {
+	lock      sync.Mutex
+	loopFuncs []func(stop chan struct{})
+	stop      *chan struct{}
+}
+
+// NewRunner makes a runner for the given function(s). The function(s) should loop until
+// the channel is closed.
+func NewRunner(f ...func(stop chan struct{})) *Runner {
+	return &Runner{loopFuncs: f}
+}
+
+// Start begins running.
+func (r *Runner) Start() {
+	r.lock.Lock()
+	defer r.lock.Unlock()
+	if r.stop == nil {
+		c := make(chan struct{})
+		r.stop = &c
+		for i := range r.loopFuncs {
+			go r.loopFuncs[i](*r.stop)
+		}
+	}
+}
+
+// Stop stops running.
+func (r *Runner) Stop() {
+	r.lock.Lock()
+	defer r.lock.Unlock()
+	if r.stop != nil {
+		close(*r.stop)
+		r.stop = nil
+	}
+}

vendor/k8s.io/kubernetes/pkg/util/chmod/chmod.go

@@ -1,39 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package chmod
-
-import (
-	"os"
-)
-
-// Interface is something that knows how to run the chmod system call.
-// It is non-recursive.
-type Interface interface {
-	// Chmod changes the mode of the given file, implementing the same
-	// semantics as os.Chmod.
-	Chmod(path string, filemode os.FileMode) error
-}
-
-func New() Interface {
-	return &chmodRunner{}
-}
-
-type chmodRunner struct{}
-
-func (_ *chmodRunner) Chmod(path string, mode os.FileMode) error {
-	return os.Chmod(path, mode)
-}

vendor/k8s.io/kubernetes/pkg/util/chown/chown.go

@@ -1,39 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package chown
-
-import (
-	"os"
-)
-
-// Interface is something that knows how to run the chown system call.
-// It is non-recursive.
-type Interface interface {
-	// Chown changes the owning UID and GID of a file, implementing
-	// the exact same semantics as os.Chown.
-	Chown(path string, uid, gid int) error
-}
-
-func New() Interface {
-	return &chownRunner{}
-}
-
-type chownRunner struct{}
-
-func (_ *chownRunner) Chown(path string, uid, gid int) error {
-	return os.Chown(path, uid, gid)
-}

vendor/k8s.io/kubernetes/pkg/util/chown/doc.go

@@ -1,18 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package chown provides utilities to chown a path
-package chown // import "k8s.io/kubernetes/pkg/util/chown"

vendor/k8s.io/kubernetes/pkg/util/exec/exec.go

@@ -41,6 +41,8 @@ type Interface interface {
 // As more functionality is needed, this can grow.  Since Cmd is a struct, we will have
 // to replace fields with get/set method pairs.
 type Cmd interface {
+	// Run runs the command to the completion.
+	Run() error
 	// CombinedOutput runs the command and returns its combined standard output
 	// and standard error.  This follows the pattern of package os/exec.
 	CombinedOutput() ([]byte, error)
@@ -49,6 +51,7 @@ type Cmd interface {
 	SetDir(dir string)
 	SetStdin(in io.Reader)
 	SetStdout(out io.Writer)
+	SetStderr(out io.Writer)
 	// Stops the command by sending SIGTERM. It is not guaranteed the
 	// process will stop before this function returns. If the process is not
 	// responding, an internal timer function will send a SIGKILL to force
@@ -99,6 +102,15 @@ func (cmd *cmdWrapper) SetStdout(out io.Writer) {
 	cmd.Stdout = out
 }
 
+func (cmd *cmdWrapper) SetStderr(out io.Writer) {
+	cmd.Stderr = out
+}
+
+// Run is part of the Cmd interface.
+func (cmd *cmdWrapper) Run() error {
+	return (*osexec.Cmd)(cmd).Run()
+}
+
 // CombinedOutput is part of the Cmd interface.
 func (cmd *cmdWrapper) CombinedOutput() ([]byte, error) {
 	out, err := (*osexec.Cmd)(cmd).CombinedOutput()

vendor/k8s.io/kubernetes/pkg/util/exec/fake_exec.go

@@ -49,9 +49,13 @@ type FakeCmd struct {
 	CombinedOutputScript []FakeCombinedOutputAction
 	CombinedOutputCalls  int
 	CombinedOutputLog    [][]string
+	RunScript            []FakeRunAction
+	RunCalls             int
+	RunLog               [][]string
 	Dirs                 []string
 	Stdin                io.Reader
 	Stdout               io.Writer
+	Stderr               io.Writer
 }
 
 func InitFakeCmd(fake *FakeCmd, cmd string, args ...string) Cmd {
@@ -60,6 +64,7 @@ func InitFakeCmd(fake *FakeCmd, cmd string, args ...string) Cmd {
 }
 
 type FakeCombinedOutputAction func() ([]byte, error)
+type FakeRunAction func() ([]byte, []byte, error)
 
 func (fake *FakeCmd) SetDir(dir string) {
 	fake.Dirs = append(fake.Dirs, dir)
@@ -73,6 +78,30 @@ func (fake *FakeCmd) SetStdout(out io.Writer) {
 	fake.Stdout = out
 }
 
+func (fake *FakeCmd) SetStderr(out io.Writer) {
+	fake.Stderr = out
+}
+
+func (fake *FakeCmd) Run() error {
+	if fake.RunCalls > len(fake.RunScript)-1 {
+		panic("ran out of Run() actions")
+	}
+	if fake.RunLog == nil {
+		fake.RunLog = [][]string{}
+	}
+	i := fake.RunCalls
+	fake.RunLog = append(fake.RunLog, append([]string{}, fake.Argv...))
+	fake.RunCalls++
+	stdout, stderr, err := fake.RunScript[i]()
+	if stdout != nil {
+		fake.Stdout.Write(stdout)
+	}
+	if stderr != nil {
+		fake.Stderr.Write(stderr)
+	}
+	return err
+}
+
 func (fake *FakeCmd) CombinedOutput() ([]byte, error) {
 	if fake.CombinedOutputCalls > len(fake.CombinedOutputScript)-1 {
 		panic("ran out of CombinedOutput() actions")

vendor/k8s.io/kubernetes/pkg/util/iptables/iptables.go

@@ -54,13 +54,11 @@ type Interface interface {
 	DeleteRule(table Table, chain Chain, args ...string) error
 	// IsIpv6 returns true if this is managing ipv6 tables
 	IsIpv6() bool
-	// Save calls `iptables-save` for table.
-	Save(table Table) ([]byte, error)
-	// SaveAll calls `iptables-save`.
-	SaveAll() ([]byte, error)
+	// SaveInto calls `iptables-save` for table and stores result in a given buffer.
+	SaveInto(table Table, buffer *bytes.Buffer) error
 	// Restore runs `iptables-restore` passing data through []byte.
 	// table is the Table to restore
-	// data should be formatted like the output of Save()
+	// data should be formatted like the output of SaveInto()
 	// flush sets the presence of the "--noflush" flag. see: FlushFlag
 	// counters sets the "--counters" flag. see: RestoreCountersFlag
 	Restore(table Table, data []byte, flush FlushFlag, counters RestoreCountersFlag) error
@@ -122,37 +120,56 @@ const MinCheckVersion = "1.4.11"
 const MinWaitVersion = "1.4.20"
 const MinWait2Version = "1.4.22"
 
+const LockfilePath16x = "/run/xtables.lock"
+
 // runner implements Interface in terms of exec("iptables").
 type runner struct {
-	mu       sync.Mutex
-	exec     utilexec.Interface
-	dbus     utildbus.Interface
-	protocol Protocol
-	hasCheck bool
-	waitFlag []string
+	mu              sync.Mutex
+	exec            utilexec.Interface
+	dbus            utildbus.Interface
+	protocol        Protocol
+	hasCheck        bool
+	waitFlag        []string
+	restoreWaitFlag []string
+	lockfilePath    string
 
 	reloadFuncs []func()
 	signal      chan *godbus.Signal
 }
 
-// New returns a new Interface which will exec iptables.
-func New(exec utilexec.Interface, dbus utildbus.Interface, protocol Protocol) Interface {
+// newInternal returns a new Interface which will exec iptables, and allows the
+// caller to change the iptables-restore lockfile path
+func newInternal(exec utilexec.Interface, dbus utildbus.Interface, protocol Protocol, lockfilePath string) Interface {
 	vstring, err := getIPTablesVersionString(exec)
 	if err != nil {
 		glog.Warningf("Error checking iptables version, assuming version at least %s: %v", MinCheckVersion, err)
 		vstring = MinCheckVersion
 	}
-	runner := &runner{
-		exec:     exec,
-		dbus:     dbus,
-		protocol: protocol,
-		hasCheck: getIPTablesHasCheckCommand(vstring),
-		waitFlag: getIPTablesWaitFlag(vstring),
+
+	if lockfilePath == "" {
+		lockfilePath = LockfilePath16x
 	}
+
+	runner := &runner{
+		exec:            exec,
+		dbus:            dbus,
+		protocol:        protocol,
+		hasCheck:        getIPTablesHasCheckCommand(vstring),
+		waitFlag:        getIPTablesWaitFlag(vstring),
+		restoreWaitFlag: getIPTablesRestoreWaitFlag(exec),
+		lockfilePath:    lockfilePath,
+	}
+	// TODO this needs to be moved to a separate Start() or Run() function so that New() has zero side
+	// effects.
 	runner.connectToFirewallD()
 	return runner
 }
 
+// New returns a new Interface which will exec iptables.
+func New(exec utilexec.Interface, dbus utildbus.Interface, protocol Protocol) Interface {
+	return newInternal(exec, dbus, protocol, "")
+}
+
 // Destroy is part of Interface.
 func (runner *runner) Destroy() {
 	if runner.signal != nil {
@@ -287,25 +304,23 @@ func (runner *runner) IsIpv6() bool {
 	return runner.protocol == ProtocolIpv6
 }
 
-// Save is part of Interface.
-func (runner *runner) Save(table Table) ([]byte, error) {
+// SaveInto is part of Interface.
+func (runner *runner) SaveInto(table Table, buffer *bytes.Buffer) error {
 	runner.mu.Lock()
 	defer runner.mu.Unlock()
 
 	// run and return
 	args := []string{"-t", string(table)}
 	glog.V(4).Infof("running iptables-save %v", args)
-	return runner.exec.Command(cmdIPTablesSave, args...).CombinedOutput()
-}
-
-// SaveAll is part of Interface.
-func (runner *runner) SaveAll() ([]byte, error) {
-	runner.mu.Lock()
-	defer runner.mu.Unlock()
-
-	// run and return
-	glog.V(4).Infof("running iptables-save")
-	return runner.exec.Command(cmdIPTablesSave, []string{}...).CombinedOutput()
+	cmd := runner.exec.Command(cmdIPTablesSave, args...)
+	// Since CombinedOutput() doesn't support redirecting it to a buffer,
+	// we need to workaround it by redirecting stdout and stderr to buffer
+	// and explicitly calling Run() [CombinedOutput() underneath itself
+	// creates a new buffer, redirects stdout and stderr to it and also
+	// calls Run()].
+	cmd.SetStdout(buffer)
+	cmd.SetStderr(buffer)
+	return cmd.Run()
 }
 
 // Restore is part of Interface.
@@ -322,6 +337,10 @@ func (runner *runner) RestoreAll(data []byte, flush FlushFlag, counters RestoreC
 	return runner.restoreInternal(args, data, flush, counters)
 }
 
+type iptablesLocker interface {
+	Close()
+}
+
 // restoreInternal is the shared part of Restore/RestoreAll
 func (runner *runner) restoreInternal(args []string, data []byte, flush FlushFlag, counters RestoreCountersFlag) error {
 	runner.mu.Lock()
@@ -334,9 +353,21 @@ func (runner *runner) restoreInternal(args []string, data []byte, flush FlushFla
 		args = append(args, "--counters")
 	}
 
+	// Grab the iptables lock to prevent iptables-restore and iptables
+	// from stepping on each other.  iptables-restore 1.6.2 will have
+	// a --wait option like iptables itself, but that's not widely deployed.
+	if len(runner.restoreWaitFlag) == 0 {
+		locker, err := grabIptablesLocks(runner.lockfilePath)
+		if err != nil {
+			return err
+		}
+		defer locker.Close()
+	}
+
 	// run the command and return the output or an error including the output and error
-	glog.V(4).Infof("running iptables-restore %v", args)
-	cmd := runner.exec.Command(cmdIPTablesRestore, args...)
+	fullArgs := append(runner.restoreWaitFlag, args...)
+	glog.V(4).Infof("running iptables-restore %v", fullArgs)
+	cmd := runner.exec.Command(cmdIPTablesRestore, fullArgs...)
 	cmd.SetStdin(bytes.NewBuffer(data))
 	b, err := cmd.CombinedOutput()
 	if err != nil {
@@ -358,7 +389,7 @@ func (runner *runner) run(op operation, args []string) ([]byte, error) {
 
 	fullArgs := append(runner.waitFlag, string(op))
 	fullArgs = append(fullArgs, args...)
-	glog.V(4).Infof("running iptables %s %v", string(op), args)
+	glog.V(5).Infof("running iptables %s %v", string(op), args)
 	return runner.exec.Command(iptablesCmd, fullArgs...).CombinedOutput()
 	// Don't log err here - callers might not think it is an error.
 }
@@ -519,6 +550,46 @@ func getIPTablesVersionString(exec utilexec.Interface) (string, error) {
 	return match[1], nil
 }
 
+// Checks if iptables-restore has a "wait" flag
+// --wait support landed in v1.6.1+ right before --version support, so
+// any version of iptables-restore that supports --version will also
+// support --wait
+func getIPTablesRestoreWaitFlag(exec utilexec.Interface) []string {
+	vstring, err := getIPTablesRestoreVersionString(exec)
+	if err != nil || vstring == "" {
+		glog.V(3).Infof("couldn't get iptables-restore version; assuming it doesn't support --wait")
+		return nil
+	}
+	if _, err := utilversion.ParseGeneric(vstring); err != nil {
+		glog.V(3).Infof("couldn't parse iptables-restore version; assuming it doesn't support --wait")
+		return nil
+	}
+
+	return []string{"--wait=2"}
+}
+
+// getIPTablesRestoreVersionString runs "iptables-restore --version" to get the version string
+// in the form "X.X.X"
+func getIPTablesRestoreVersionString(exec utilexec.Interface) (string, error) {
+	// this doesn't access mutable state so we don't need to use the interface / runner
+
+	// iptables-restore hasn't always had --version, and worse complains
+	// about unrecognized commands but doesn't exit when it gets them.
+	// Work around that by setting stdin to nothing so it exits immediately.
+	cmd := exec.Command(cmdIPTablesRestore, "--version")
+	cmd.SetStdin(bytes.NewReader([]byte{}))
+	bytes, err := cmd.CombinedOutput()
+	if err != nil {
+		return "", err
+	}
+	versionMatcher := regexp.MustCompile("v([0-9]+(\\.[0-9]+)+)")
+	match := versionMatcher.FindStringSubmatch(string(bytes))
+	if match == nil {
+		return "", fmt.Errorf("no iptables version found in string: %s", bytes)
+	}
+	return match[1], nil
+}
+
 // goroutine to listen for D-Bus signals
 func (runner *runner) dbusSignalHandler(bus utildbus.Connection) {
 	firewalld := bus.Object(firewalldName, firewalldPath)

vendor/k8s.io/kubernetes/pkg/util/iptables/iptables_linux.go

@@ -0,0 +1,93 @@
+// +build linux
+
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package iptables
+
+import (
+	"fmt"
+	"net"
+	"os"
+	"time"
+
+	"golang.org/x/sys/unix"
+	"k8s.io/apimachinery/pkg/util/wait"
+)
+
+type locker struct {
+	lock16 *os.File
+	lock14 *net.UnixListener
+}
+
+func (l *locker) Close() {
+	if l.lock16 != nil {
+		l.lock16.Close()
+	}
+	if l.lock14 != nil {
+		l.lock14.Close()
+	}
+}
+
+func grabIptablesLocks(lockfilePath string) (iptablesLocker, error) {
+	var err error
+	var success bool
+
+	l := &locker{}
+	defer func(l *locker) {
+		// Clean up immediately on failure
+		if !success {
+			l.Close()
+		}
+	}(l)
+
+	// Grab both 1.6.x and 1.4.x-style locks; we don't know what the
+	// iptables-restore version is if it doesn't support --wait, so we
+	// can't assume which lock method it'll use.
+
+	// Roughly duplicate iptables 1.6.x xtables_lock() function.
+	l.lock16, err = os.OpenFile(lockfilePath, os.O_CREATE, 0600)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open iptables lock %s: %v", lockfilePath, err)
+	}
+
+	if err := wait.PollImmediate(200*time.Millisecond, 2*time.Second, func() (bool, error) {
+		if err := grabIptablesFileLock(l.lock16); err != nil {
+			return false, nil
+		}
+		return true, nil
+	}); err != nil {
+		return nil, fmt.Errorf("failed to acquire new iptables lock: %v", err)
+	}
+
+	// Roughly duplicate iptables 1.4.x xtables_lock() function.
+	if err := wait.PollImmediate(200*time.Millisecond, 2*time.Second, func() (bool, error) {
+		l.lock14, err = net.ListenUnix("unix", &net.UnixAddr{Name: "@xtables", Net: "unix"})
+		if err != nil {
+			return false, nil
+		}
+		return true, nil
+	}); err != nil {
+		return nil, fmt.Errorf("failed to acquire old iptables lock: %v", err)
+	}
+
+	success = true
+	return l, nil
+}
+
+func grabIptablesFileLock(f *os.File) error {
+	return unix.Flock(int(f.Fd()), unix.LOCK_EX|unix.LOCK_NB)
+}

vendor/k8s.io/kubernetes/pkg/util/iptables/iptables_unsupported.go

@@ -1,5 +1,7 @@
+// +build !linux
+
 /*
-Copyright 2014 The Kubernetes Authors.
+Copyright 2017 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,6 +16,17 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Package chown provides an interface and implementations
-// for things that run run the chmod system call.
-package chmod // import "k8s.io/kubernetes/pkg/util/chmod"
+package iptables
+
+import (
+	"fmt"
+	"os"
+)
+
+func grabIptablesLocks(lockfilePath string) (iptablesLocker, error) {
+	return nil, fmt.Errorf("iptables unsupported on this platform")
+}
+
+func grabIptablesFileLock(f *os.File) error {
+	return fmt.Errorf("iptables unsupported on this platform")
+}

vendor/k8s.io/kubernetes/pkg/util/iptables/save_restore.go

@@ -52,7 +52,9 @@ func GetChainLines(table Table, save []byte) map[Chain]string {
 		} else if strings.HasPrefix(line, "#") {
 			continue
 		} else if strings.HasPrefix(line, ":") && len(line) > 1 {
-			chain := Chain(strings.SplitN(line[1:], " ", 2)[0])
+			// We assume that the <line> contains space - chain lines have 3 fields,
+			// space delimited. If there is no space, this line will panic.
+			chain := Chain(line[1:strings.Index(line, " ")])
 			chainsMap[chain] = line
 		}
 	}

vendor/k8s.io/kubernetes/pkg/util/mount/fake.go

@@ -124,6 +124,14 @@ func (f *FakeMounter) List() ([]MountPoint, error) {
 	return f.MountPoints, nil
 }
 
+func (f *FakeMounter) IsMountPointMatch(mp MountPoint, dir string) bool {
+	return (mp.Path == dir)
+}
+
+func (f *FakeMounter) IsNotMountPoint(dir string) (bool, error) {
+	return IsNotMountPoint(f, dir)
+}
+
 func (f *FakeMounter) IsLikelyNotMountPoint(file string) (bool, error) {
 	f.mutex.Lock()
 	defer f.mutex.Unlock()

vendor/k8s.io/kubernetes/pkg/util/mount/mount.go

@@ -44,8 +44,21 @@ type Interface interface {
 	// it could change between chunked reads). This is guaranteed to be
 	// consistent.
 	List() ([]MountPoint, error)
-	// IsLikelyNotMountPoint determines if a directory is a mountpoint.
+	// IsMountPointMatch determines if the mountpoint matches the dir
+	IsMountPointMatch(mp MountPoint, dir string) bool
+	// IsNotMountPoint determines if a directory is a mountpoint.
 	// It should return ErrNotExist when the directory does not exist.
+	// IsNotMountPoint is more expensive than IsLikelyNotMountPoint.
+	// IsNotMountPoint detects bind mounts in linux.
+	// IsNotMountPoint enumerates all the mountpoints using List() and
+	// the list of mountpoints may be large, then it uses
+	// IsMountPointMatch to evaluate whether the directory is a mountpoint
+	IsNotMountPoint(file string) (bool, error)
+	// IsLikelyNotMountPoint uses heuristics to determine if a directory
+	// is a mountpoint.
+	// It should return ErrNotExist when the directory does not exist.
+	// IsLikelyNotMountPoint does NOT properly detect all mountpoint types
+	// most notably linux bind mounts.
 	IsLikelyNotMountPoint(file string) (bool, error)
 	// DeviceOpened determines if the device is in use elsewhere
 	// on the system, i.e. still mounted.
@@ -199,3 +212,34 @@ func getDeviceNameFromMount(mounter Interface, mountPath, pluginDir string) (str
 
 	return path.Base(mountPath), nil
 }
+
+// IsNotMountPoint determines if a directory is a mountpoint.
+// It should return ErrNotExist when the directory does not exist.
+// This method uses the List() of all mountpoints
+// It is more extensive than IsLikelyNotMountPoint
+// and it detects bind mounts in linux
+func IsNotMountPoint(mounter Interface, file string) (bool, error) {
+	// IsLikelyNotMountPoint provides a quick check
+	// to determine whether file IS A mountpoint
+	notMnt, notMntErr := mounter.IsLikelyNotMountPoint(file)
+	if notMntErr != nil {
+		return notMnt, notMntErr
+	}
+	// identified as mountpoint, so return this fact
+	if notMnt == false {
+		return notMnt, nil
+	}
+	// check all mountpoints since IsLikelyNotMountPoint
+	// is not reliable for some mountpoint types
+	mountPoints, mountPointsErr := mounter.List()
+	if mountPointsErr != nil {
+		return notMnt, mountPointsErr
+	}
+	for _, mp := range mountPoints {
+		if mounter.IsMountPointMatch(mp, file) {
+			notMnt = false
+			break
+		}
+	}
+	return notMnt, nil
+}

vendor/k8s.io/kubernetes/pkg/util/mount/mount_linux.go

@@ -161,6 +161,15 @@ func (*Mounter) List() ([]MountPoint, error) {
 	return listProcMounts(procMountsPath)
 }
 
+func (mounter *Mounter) IsMountPointMatch(mp MountPoint, dir string) bool {
+	deletedDir := fmt.Sprintf("%s\\040(deleted)", dir)
+	return ((mp.Path == dir) || (mp.Path == deletedDir))
+}
+
+func (mounter *Mounter) IsNotMountPoint(dir string) (bool, error) {
+	return IsNotMountPoint(mounter, dir)
+}
+
 // IsLikelyNotMountPoint determines if a directory is not a mountpoint.
 // It is fast but not necessarily ALWAYS correct. If the path is in fact
 // a bind mount from one part of a mount to another it will not be detected.
@@ -168,10 +177,6 @@ func (*Mounter) List() ([]MountPoint, error) {
 // will return true. When in fact /tmp/b is a mount point. If this situation
 // if of interest to you, don't use this function...
 func (mounter *Mounter) IsLikelyNotMountPoint(file string) (bool, error) {
-	return IsNotMountPoint(file)
-}
-
-func IsNotMountPoint(file string) (bool, error) {
 	stat, err := os.Stat(file)
 	if err != nil {
 		return true, err
@@ -386,7 +391,7 @@ func (mounter *SafeFormatAndMount) formatAndMount(source string, target string,
 				return mountErr
 			} else {
 				// Block device is formatted with unexpected filesystem, let the user know
-				return fmt.Errorf("failed to mount the volume as %q, it's already formatted with %q. Mount error: %v", fstype, existingFormat, mountErr)
+				return fmt.Errorf("failed to mount the volume as %q, it already contains %s. Mount error: %v", fstype, existingFormat, mountErr)
 			}
 		}
 	}
@@ -395,19 +400,33 @@ func (mounter *SafeFormatAndMount) formatAndMount(source string, target string,
 
 // diskLooksUnformatted uses 'lsblk' to see if the given disk is unformated
 func (mounter *SafeFormatAndMount) getDiskFormat(disk string) (string, error) {
-	args := []string{"-nd", "-o", "FSTYPE", disk}
+	args := []string{"-n", "-o", "FSTYPE", disk}
 	cmd := mounter.Runner.Command("lsblk", args...)
 	glog.V(4).Infof("Attempting to determine if disk %q is formatted using lsblk with args: (%v)", disk, args)
 	dataOut, err := cmd.CombinedOutput()
-	output := strings.TrimSpace(string(dataOut))
-
-	// TODO (#13212): check if this disk has partitions and return false, and
-	// an error if so.
+	output := string(dataOut)
+	glog.V(4).Infof("Output: %q", output)
 
 	if err != nil {
 		glog.Errorf("Could not determine if disk %q is formatted (%v)", disk, err)
 		return "", err
 	}
 
-	return strings.TrimSpace(output), nil
+	// Split lsblk output into lines. Unformatted devices should contain only
+	// "\n". Beware of "\n\n", that's a device with one empty partition.
+	output = strings.TrimSuffix(output, "\n") // Avoid last empty line
+	lines := strings.Split(output, "\n")
+	if lines[0] != "" {
+		// The device is formatted
+		return lines[0], nil
+	}
+
+	if len(lines) == 1 {
+		// The device is unformatted and has no dependent devices
+		return "", nil
+	}
+
+	// The device has dependent devices, most probably partitions (LVM, LUKS
+	// and MD RAID are reported as FSTYPE and caught above).
+	return "unknown data, probably partitions", nil
 }

vendor/k8s.io/kubernetes/pkg/util/mount/mount_unsupported.go

@@ -34,6 +34,14 @@ func (mounter *Mounter) List() ([]MountPoint, error) {
 	return []MountPoint{}, nil
 }
 
+func (mounter *Mounter) IsMountPointMatch(mp MountPoint, dir string) bool {
+	return (mp.Path == dir)
+}
+
+func (mounter *Mounter) IsNotMountPoint(dir string) (bool, error) {
+	return IsNotMountPoint(mounter, dir)
+}
+
 func (mounter *Mounter) IsLikelyNotMountPoint(file string) (bool, error) {
 	return true, nil
 }
@@ -57,7 +65,3 @@ func (mounter *SafeFormatAndMount) formatAndMount(source string, target string,
 func (mounter *SafeFormatAndMount) diskLooksUnformatted(disk string) (bool, error) {
 	return true, nil
 }
-
-func IsNotMountPoint(file string) (bool, error) {
-	return true, nil
-}

vendor/k8s.io/kubernetes/pkg/util/mount/nsenter_mount.go

@@ -19,6 +19,7 @@ limitations under the License.
 package mount
 
 import (
+	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
@@ -162,6 +163,15 @@ func (*NsenterMounter) List() ([]MountPoint, error) {
 	return listProcMounts(hostProcMountsPath)
 }
 
+func (m *NsenterMounter) IsNotMountPoint(dir string) (bool, error) {
+	return IsNotMountPoint(m, dir)
+}
+
+func (*NsenterMounter) IsMountPointMatch(mp MountPoint, dir string) bool {
+	deletedDir := fmt.Sprintf("%s\\040(deleted)", dir)
+	return ((mp.Path == dir) || (mp.Path == deletedDir))
+}
+
 // IsLikelyNotMountPoint determines whether a path is a mountpoint by calling findmnt
 // in the host's root mount namespace.
 func (n *NsenterMounter) IsLikelyNotMountPoint(file string) (bool, error) {

vendor/k8s.io/kubernetes/pkg/util/mount/nsenter_mount_unsupported.go

@@ -38,6 +38,14 @@ func (*NsenterMounter) List() ([]MountPoint, error) {
 	return []MountPoint{}, nil
 }
 
+func (m *NsenterMounter) IsNotMountPoint(dir string) (bool, error) {
+	return IsNotMountPoint(m, dir)
+}
+
+func (*NsenterMounter) IsMountPointMatch(mp MountPoint, dir string) bool {
+	return (mp.Path == dir)
+}
+
 func (*NsenterMounter) IsLikelyNotMountPoint(file string) (bool, error) {
 	return true, nil
 }

vendor/k8s.io/kubernetes/pkg/util/sysctl/sysctl.go

@@ -29,12 +29,17 @@ const (
 	VmPanicOnOOM       = "vm/panic_on_oom"
 	KernelPanic        = "kernel/panic"
 	KernelPanicOnOops  = "kernel/panic_on_oops"
+	RootMaxKeys        = "kernel/keys/root_maxkeys"
+	RootMaxBytes       = "kernel/keys/root_maxbytes"
 
 	VmOvercommitMemoryAlways    = 1 // kernel performs no memory over-commit handling
 	VmPanicOnOOMInvokeOOMKiller = 0 // kernel calls the oom_killer function when OOM occurs
 
 	KernelPanicOnOopsAlways  = 1  // kernel panics on kernel oops
 	KernelPanicRebootTimeout = 10 // seconds after a panic for the kernel to reboot
+
+	RootMaxKeysSetting  = 1000000                 // Needed since docker creates a new key per container
+	RootMaxBytesSetting = RootMaxKeysSetting * 25 // allocate 25 bytes per key * number of MaxKeys
 )
 
 // An injectable interface for running sysctl commands.

vendor/k8s.io/kubernetes/pkg/util/term/resize.go

@@ -21,17 +21,12 @@ import (
 
 	"github.com/docker/docker/pkg/term"
 	"k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/client-go/tools/remotecommand"
 )
 
-// Size represents the width and height of a terminal.
-type Size struct {
-	Width  uint16
-	Height uint16
-}
-
 // GetSize returns the current size of the user's terminal. If it isn't a terminal,
 // nil is returned.
-func (t TTY) GetSize() *Size {
+func (t TTY) GetSize() *remotecommand.TerminalSize {
 	outFd, isTerminal := term.GetFdInfo(t.Out)
 	if !isTerminal {
 		return nil
@@ -40,19 +35,19 @@ func (t TTY) GetSize() *Size {
 }
 
 // GetSize returns the current size of the terminal associated with fd.
-func GetSize(fd uintptr) *Size {
+func GetSize(fd uintptr) *remotecommand.TerminalSize {
 	winsize, err := term.GetWinsize(fd)
 	if err != nil {
 		runtime.HandleError(fmt.Errorf("unable to get terminal size: %v", err))
 		return nil
 	}
 
-	return &Size{Width: winsize.Width, Height: winsize.Height}
+	return &remotecommand.TerminalSize{Width: winsize.Width, Height: winsize.Height}
 }
 
 // MonitorSize monitors the terminal's size. It returns a TerminalSizeQueue primed with
 // initialSizes, or nil if there's no TTY present.
-func (t *TTY) MonitorSize(initialSizes ...*Size) TerminalSizeQueue {
+func (t *TTY) MonitorSize(initialSizes ...*remotecommand.TerminalSize) remotecommand.TerminalSizeQueue {
 	outFd, isTerminal := term.GetFdInfo(t.Out)
 	if !isTerminal {
 		return nil
@@ -62,7 +57,7 @@ func (t *TTY) MonitorSize(initialSizes ...*Size) TerminalSizeQueue {
 		t: *t,
 		// make it buffered so we can send the initial terminal sizes without blocking, prior to starting
 		// the streaming below
-		resizeChan:   make(chan Size, len(initialSizes)),
+		resizeChan:   make(chan remotecommand.TerminalSize, len(initialSizes)),
 		stopResizing: make(chan struct{}),
 	}
 
@@ -71,27 +66,20 @@ func (t *TTY) MonitorSize(initialSizes ...*Size) TerminalSizeQueue {
 	return t.sizeQueue
 }
 
-// TerminalSizeQueue is capable of returning terminal resize events as they occur.
-type TerminalSizeQueue interface {
-	// Next returns the new terminal size after the terminal has been resized. It returns nil when
-	// monitoring has been stopped.
-	Next() *Size
-}
-
-// sizeQueue implements TerminalSizeQueue
+// sizeQueue implements remotecommand.TerminalSizeQueue
 type sizeQueue struct {
 	t TTY
 	// resizeChan receives a Size each time the user's terminal is resized.
-	resizeChan   chan Size
+	resizeChan   chan remotecommand.TerminalSize
 	stopResizing chan struct{}
 }
 
-// make sure sizeQueue implements the TerminalSizeQueue interface
-var _ TerminalSizeQueue = &sizeQueue{}
+// make sure sizeQueue implements the resize.TerminalSizeQueue interface
+var _ remotecommand.TerminalSizeQueue = &sizeQueue{}
 
 // monitorSize primes resizeChan with initialSizes and then monitors for resize events. With each
 // new event, it sends the current terminal size to resizeChan.
-func (s *sizeQueue) monitorSize(outFd uintptr, initialSizes ...*Size) {
+func (s *sizeQueue) monitorSize(outFd uintptr, initialSizes ...*remotecommand.TerminalSize) {
 	// send the initial sizes
 	for i := range initialSizes {
 		if initialSizes[i] != nil {
@@ -99,7 +87,7 @@ func (s *sizeQueue) monitorSize(outFd uintptr, initialSizes ...*Size) {
 		}
 	}
 
-	resizeEvents := make(chan Size, 1)
+	resizeEvents := make(chan remotecommand.TerminalSize, 1)
 
 	monitorResizeEvents(outFd, resizeEvents, s.stopResizing)
 
@@ -130,7 +118,7 @@ func (s *sizeQueue) monitorSize(outFd uintptr, initialSizes ...*Size) {
 
 // Next returns the new terminal size after the terminal has been resized. It returns nil when
 // monitoring has been stopped.
-func (s *sizeQueue) Next() *Size {
+func (s *sizeQueue) Next() *remotecommand.TerminalSize {
 	size, ok := <-s.resizeChan
 	if !ok {
 		return nil

vendor/k8s.io/kubernetes/pkg/util/term/resizeevents.go

@@ -24,12 +24,13 @@ import (
 	"syscall"
 
 	"k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/client-go/tools/remotecommand"
 )
 
 // monitorResizeEvents spawns a goroutine that waits for SIGWINCH signals (these indicate the
 // terminal has resized). After receiving a SIGWINCH, this gets the terminal size and tries to send
 // it to the resizeEvents channel. The goroutine stops when the stop channel is closed.
-func monitorResizeEvents(fd uintptr, resizeEvents chan<- Size, stop chan struct{}) {
+func monitorResizeEvents(fd uintptr, resizeEvents chan<- remotecommand.TerminalSize, stop chan struct{}) {
 	go func() {
 		defer runtime.HandleCrash()
 

vendor/k8s.io/kubernetes/pkg/util/term/resizeevents_windows.go

@@ -20,12 +20,13 @@ import (
 	"time"
 
 	"k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/client-go/tools/remotecommand"
 )
 
 // monitorResizeEvents spawns a goroutine that periodically gets the terminal size and tries to send
 // it to the resizeEvents channel if the size has changed. The goroutine stops when the stop channel
 // is closed.
-func monitorResizeEvents(fd uintptr, resizeEvents chan<- Size, stop chan struct{}) {
+func monitorResizeEvents(fd uintptr, resizeEvents chan<- remotecommand.TerminalSize, stop chan struct{}) {
 	go func() {
 		defer runtime.HandleCrash()
 

vendor/k8s.io/kubernetes/pkg/util/term/setsize.go

@@ -20,9 +20,10 @@ package term
 
 import (
 	"github.com/docker/docker/pkg/term"
+	"k8s.io/client-go/tools/remotecommand"
 )
 
 // SetSize sets the terminal size associated with fd.
-func SetSize(fd uintptr, size Size) error {
+func SetSize(fd uintptr, size remotecommand.TerminalSize) error {
 	return term.SetWinsize(fd, &term.Winsize{Height: size.Height, Width: size.Width})
 }

vendor/k8s.io/kubernetes/pkg/util/term/setsize_unsupported.go

@@ -18,7 +18,11 @@ limitations under the License.
 
 package term
 
-func SetSize(fd uintptr, size Size) error {
+import (
+	"k8s.io/client-go/tools/remotecommand"
+)
+
+func SetSize(fd uintptr, size remotecommand.TerminalSize) error {
 	// NOP
 	return nil
 }

vendor/k8s.io/kubernetes/pkg/util/util.go

@@ -84,6 +84,15 @@ func FileExists(filename string) (bool, error) {
 	return true, nil
 }
 
+func FileOrSymlinkExists(filename string) (bool, error) {
+	if _, err := os.Lstat(filename); os.IsNotExist(err) {
+		return false, nil
+	} else if err != nil {
+		return false, err
+	}
+	return true, nil
+}
+
 // ReadDirNoStat returns a string of files/directories contained
 // in dirname without calling lstat on them.
 func ReadDirNoStat(dirname string) ([]string, error) {