@@ -149,7 +149,6 @@ func (c *MasterConfig) RunMinionController() {

 		40*time.Second, // monitor grace

 		1*time.Minute,  // startup grace

 		10*time.Second, // monitor period

-		"openshift",

 		nil,   // clusterCIDR

 		false, // allocateNodeCIDRs

@@ -8,7 +8,7 @@ import (

 	"os"

 	"os/exec"

 	"path/filepath"

-	"reflect"

+	"strings"

 	"time"

 	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"

@@ -31,7 +31,6 @@ import (

 	cmdutil "github.com/openshift/origin/pkg/cmd/util"

 	dockerutil "github.com/openshift/origin/pkg/cmd/util/docker"

 	"github.com/openshift/origin/pkg/kubelet/app"

-	"github.com/openshift/origin/pkg/service"

 )

 type commandExecutor interface {

@@ -220,6 +219,8 @@ func (c *NodeConfig) RunKubelet() {

 		"docker",

 		mount.New(),

 		"", // docker daemon container

+		false,

+		200,

 	)

 	if err != nil {

 		glog.Fatalf("Couldn't run kubelet: %s", err)

@@ -263,12 +264,6 @@ func (c *NodeConfig) RunProxy() {

 	// initialize kube proxy

 	serviceConfig := pconfig.NewServiceConfig()

 	endpointsConfig := pconfig.NewEndpointsConfig()

-	pconfig.NewSourceAPI(

-		c.Client.Services(kapi.NamespaceAll),

-		c.Client.Endpoints(kapi.NamespaceAll),

-		30*time.Second,

-		serviceConfig.Channel("api"),

-		endpointsConfig.Channel("api"))

 	loadBalancer := proxy.NewLoadBalancerRR()

 	endpointsConfig.RegisterHandler(loadBalancer)

@@ -286,15 +281,39 @@ func (c *NodeConfig) RunProxy() {

 		protocol = iptables.ProtocolIpv6

 	}

-	var proxier pconfig.ServiceConfigHandler

-	proxier = proxy.NewProxier(loadBalancer, ip, iptables.New(kexec.New(), protocol))

-	if proxier == nil || reflect.ValueOf(proxier).IsNil() { // explicitly declared interfaces aren't plain nil, you must reflect inside to see if it's really nil or not

-		glog.Errorf("WARNING: Could not modify iptables.  iptables must be mutable by this process to use services.  Do you have root permissions?")

-		proxier = &service.FailingServiceConfigProxy{}

-	}

-	serviceConfig.RegisterHandler(proxier)

+	go util.Forever(func() {

+		proxier, err := proxy.NewProxier(loadBalancer, ip, iptables.New(kexec.New(), protocol))

+		if err != nil {

+			switch {

+			// conflicting use of iptables, retry

+			case proxy.IsProxyLocked(err):

+				glog.Errorf("Unable to start proxy, will retry: %v", err)

+				return

+			// on a system without iptables

+			case strings.Contains(err.Error(), "executable file not found in path"):

+				glog.V(4).Infof("kube-proxy initialization error: %v", err)

+				glog.Warningf("WARNING: Could not find the iptables command. The service proxy requires iptables and will be disabled.")

+			case err == proxy.ErrProxyOnLocalhost:

+				glog.Warningf("WARNING: The service proxy cannot bind to localhost and will be disabled.")

+			case strings.Contains(err.Error(), "you must be root"):

+				glog.Warningf("WARNING: Could not modify iptables. You must run this process as root to use the service proxy.")

+			default:

+				glog.Warningf("WARNING: Could not modify iptables. You must run this process as root to use the service proxy: %v", err)

+			}

+			select {}

+		}

-	glog.Infof("Started Kubernetes Proxy on %s", host)

+		pconfig.NewSourceAPI(

+			c.Client.Services(kapi.NamespaceAll),

+			c.Client.Endpoints(kapi.NamespaceAll),

+			30*time.Second,

+			serviceConfig.Channel("api"),

+			endpointsConfig.Channel("api"))

+

+		serviceConfig.RegisterHandler(proxier)

+		glog.Infof("Started Kubernetes Proxy on %s", host)

+		select {}

+	}, 5*time.Second)

 }

 // TODO: more generic location

@@ -218,7 +218,7 @@ func TestValidateImageStream(t *testing.T) {

 			namespace: "!$",

 			name:      "foo",

 			expected: fielderrors.ValidationErrorList{

-				fielderrors.NewFieldInvalid("metadata.namespace", "!$", `must have at most 253 characters and match regex [a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*`),

+				fielderrors.NewFieldInvalid("metadata.namespace", "!$", `must be a DNS subdomain (at most 253 characters, matching regex [a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*): e.g. "example.com"`),

 			},

 		},

 		"invalid dockerImageRepository": {

@@ -21,7 +21,7 @@ func (*UnknownObject) IsAnAPIObject() {}

 func TestIgnoreThatWhichCannotBeKnown(t *testing.T) {

 	handler := &lifecycle{}

 	unknown := &UnknownObject{}

-	err := handler.Admit(admission.NewAttributesRecord(unknown, "who-cares", "unknown", "what", "CREATE"))

+	err := handler.Admit(admission.NewAttributesRecord(unknown, "who-cares", "unknown", "what", "CREATE", nil))

 	if err != nil {

 		t.Errorf("Admission control should not error if it finds an object it knows nothing about %v", err)

 	}

@@ -54,7 +54,7 @@ func TestAdmissionExists(t *testing.T) {

 		},

 		Status: buildapi.BuildStatusNew,

 	}

-	err := handler.Admit(admission.NewAttributesRecord(build, "Build", "bogus-ns", "builds", "CREATE"))

+	err := handler.Admit(admission.NewAttributesRecord(build, "Build", "bogus-ns", "builds", "CREATE", nil))

 	if err == nil {

 		t.Errorf("Expected an error because namespace does not exist")

 	}

@@ -96,7 +96,7 @@ func TestAdmissionLifecycle(t *testing.T) {

 		},

 		Status: buildapi.BuildStatusNew,

 	}

-	err := handler.Admit(admission.NewAttributesRecord(build, "Build", build.Namespace, "builds", "CREATE"))

+	err := handler.Admit(admission.NewAttributesRecord(build, "Build", build.Namespace, "builds", "CREATE", nil))

 	if err != nil {

 		t.Errorf("Unexpected error returned from admission handler: %v", err)

 	}

@@ -106,19 +106,19 @@ func TestAdmissionLifecycle(t *testing.T) {

 	store.Add(namespaceObj)

 	// verify create operations in the namespace cause an error

-	err = handler.Admit(admission.NewAttributesRecord(build, "Build", build.Namespace, "builds", "CREATE"))

+	err = handler.Admit(admission.NewAttributesRecord(build, "Build", build.Namespace, "builds", "CREATE", nil))

 	if err == nil {

 		t.Errorf("Expected error rejecting creates in a namespace when it is terminating")

 	}

 	// verify update operations in the namespace can proceed

-	err = handler.Admit(admission.NewAttributesRecord(build, "Build", build.Namespace, "builds", "UPDATE"))

+	err = handler.Admit(admission.NewAttributesRecord(build, "Build", build.Namespace, "builds", "UPDATE", nil))

 	if err != nil {

 		t.Errorf("Unexpected error returned from admission handler: %v", err)

 	}

 	// verify delete operations in the namespace can proceed

-	err = handler.Admit(admission.NewAttributesRecord(nil, "Build", build.Namespace, "builds", "DELETE"))

+	err = handler.Admit(admission.NewAttributesRecord(nil, "Build", build.Namespace, "builds", "DELETE", nil))

 	if err != nil {

 		t.Errorf("Unexpected error returned from admission handler: %v", err)

 	}

@@ -99,7 +99,7 @@ func TestPodAdmission(t *testing.T) {

 		project.ObjectMeta.Annotations = map[string]string{"openshift.io/node-selector": test.projectNodeSelector}

 		pod.Spec = kapi.PodSpec{NodeSelector: test.podNodeSelector}

-		err := handler.Admit(admission.NewAttributesRecord(pod, "Pod", project.ObjectMeta.Name, "pods", "CREATE"))

+		err := handler.Admit(admission.NewAttributesRecord(pod, "Pod", project.ObjectMeta.Name, "pods", "CREATE", nil))

 		if test.admit && err != nil {

 			t.Errorf("Test: %s, expected no error but got: %s", test.testName, err)

 		} else if !test.admit && err == nil {

deleted file mode 100644

@@ -1,20 +0,0 @@

-package service

-

-import (

-	"strings"

-

-	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"

-	"github.com/golang/glog"

-)

-

-type FailingServiceConfigProxy struct {

-}

-

-// OnUpdate implements method for kubernetes/pkg/proxy/config/ServiceConfigHandler

-func (proxy *FailingServiceConfigProxy) OnUpdate(services []api.Service) {

-	names := []string{}

-	for i := range services {

-		names = append(names, services[i].Name)

-	}

-	glog.V(4).Infof("Failed to properly wire up services.  This can happen if you forget to launch with permissions to iptables.  Access to the following services will be impaired: %#v\n", strings.Join(names, ", "))

-}