fix tunnel interface name issue #2486
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report
@@ Coverage Diff @@
## main #2486 +/- ##
===========================================
- Coverage 61.70% 47.04% -14.67%
===========================================
Files 276 278 +2
Lines 21317 21364 +47
===========================================
- Hits 13154 10051 -3103
- Misses 6782 9985 +3203
+ Partials 1381 1328 -53
Flags with carried forward coverage won't be shown. Click here to find out more.
|
luolanzone
force-pushed
the
tunnel-bug-fix
branch
from
3a68e51
to
e35417e
Compare
antoninbas
reviewed
Jul 28, 2021
Comment on lines
540
to
543
| if ok && (interfaceConfig.InterfaceName != portName || | ||
| interfaceConfig.PSK != c.networkConfig.IPSecPSK || | ||
| !interfaceConfig.RemoteIP.Equal(nodeIP) || | ||
| interfaceConfig.TunnelInterfaceConfig.Type != c.networkConfig.TunnelType) { |
There was a problem hiding this comment.
this seems to be duplicated from removeStaleTunnelPorts, can we define a separate function for tunnel config comparison?
Comment on lines
547
to
544
| } else { | ||
| stalePortRemoved = true | ||
| } |
There was a problem hiding this comment.
I am curious as to why we don't just return an error here and let the Node be requeued by the controller?
There was a problem hiding this comment.
ok, I will leave it to reconcile
luolanzone
force-pushed
the
tunnel-bug-fix
branch
2 times, most recently
from
17c50ac
to
0e978e4
Compare
luolanzone
added a commit
to luolanzone/antrea
that referenced
this pull request
Jul 29, 2021
this PR is based on antrea-io#2486 and I verified all tunnel modes with IPSec in K8s Cluster, it all works fine now, so I remove the limitation on our docs and the check in the code. Signed-off-by: Lan Luo <luola@vmware.com>
luolanzone
added a commit
to luolanzone/antrea
that referenced
this pull request
Jul 29, 2021
this PR is based on antrea-io#2486 and I verified all tunnel modes with IPSec in K8s Cluster, it all works fine now, so I remove the limitation on our docs and the check in the code. Signed-off-by: Lan Luo <luola@vmware.com>
luolanzone
added a commit
to luolanzone/antrea
that referenced
this pull request
Jul 29, 2021
this PR is based on antrea-io#2486 and I verified all tunnel modes with IPSec in K8s Cluster, it all works fine now, so I remove the limitation on our docs and the check in the code. Signed-off-by: Lan Luo <luola@vmware.com>
abhiraut
reviewed
Jul 29, 2021
| if !c.validateInterfaceConfig(interfaceConfig, nodeIP, portName) { | ||
| return 0, fmt.Errorf("IPSec tunnel interface config mismatched with cached one,stale IPSec tunnel port %s", interfaceConfig.InterfaceName) | ||
| } else { | ||
| klog.V(2).Infof("find cached IPSec tunnel interface %s with port %d for Node %s", interfaceConfig.InterfaceName, interfaceConfig.OFPort, nodeName) |
There was a problem hiding this comment.
Suggested change
| klog.V(2).Infof("find cached IPSec tunnel interface %s with port %d for Node %s", interfaceConfig.InterfaceName, interfaceConfig.OFPort, nodeName) | |
| klog.V(2).Infof("Found cached IPSec tunnel interface %s with port %d for Node %s", interfaceConfig.InterfaceName, interfaceConfig.OFPort, nodeName) |
| return interfaceConfig.OFPort, nil | ||
| if !c.validateInterfaceConfig(interfaceConfig, nodeIP, portName) { | ||
| return 0, fmt.Errorf("IPSec tunnel interface config mismatched with cached one,stale IPSec tunnel port %s", interfaceConfig.InterfaceName) | ||
| } else { |
There was a problem hiding this comment.
else block is not needed since you return in the if statement
luolanzone
force-pushed
the
tunnel-bug-fix
branch
from
0e978e4
to
328af21
Compare
abhiraut
previously approved these changes
Jul 30, 2021
luolanzone
force-pushed
the
tunnel-bug-fix
branch
6 times, most recently
from
bb1581d
to
bfe6f25
Compare
|
@antoninbas @abhiraut Could you help to take a look again? thanks! |
antoninbas
reviewed
Aug 4, 2021
| @@ -258,6 +256,14 @@ func (c *Controller) removeStaleTunnelPorts() error { | |||
| return nil | |||
| } | |||
|
|
|||
| func (c *Controller) validateInterfaceConfig(interfaceConfig *interfacestore.InterfaceConfig, | |||
There was a problem hiding this comment.
s/validateInterfaceConfig/compareInterfaceConfig
| interfaceConfig, ok := c.interfaceStore.GetNodeTunnelInterface(nodeName) | ||
| // check if Node IP, PSK, or tunnel type changes. This can | ||
| // happen if removeStaleTunnelPorts fails to remove a "stale" | ||
| // tunnel port for which the configuration has changed, return error to requeue the node. |
| // happen if removeStaleTunnelPorts fails to remove a "stale" | ||
| // tunnel port for which the configuration has changed. | ||
| if !c.validateInterfaceConfig(interfaceConfig, nodeIP, portName) { | ||
| return 0, fmt.Errorf("IPSec tunnel interface config mismatched with cached one, stale IPSec tunnel port %s", interfaceConfig.InterfaceName) |
There was a problem hiding this comment.
s/mismatched with cached one/doesn't match cached one
| if !c.validateInterfaceConfig(interfaceConfig, nodeIP, portName) { | ||
| return 0, fmt.Errorf("IPSec tunnel interface config mismatched with cached one, stale IPSec tunnel port %s", interfaceConfig.InterfaceName) | ||
| } | ||
| klog.V(2).Infof("Found cached IPSec tunnel interface %s with port %d for Node %s", interfaceConfig.InterfaceName, interfaceConfig.OFPort, nodeName) |
There was a problem hiding this comment.
please use structured logging: klog.V(2).InfoS
| @@ -23,6 +23,7 @@ import ( | |||
| "github.com/containernetworking/plugins/pkg/ip" | |||
| "github.com/golang/mock/gomock" | |||
| "github.com/stretchr/testify/assert" | |||
|
|
|||
There was a problem hiding this comment.
we don't typically split these into 2 separate import groups IIRC
pkg/agent/util/net.go
Outdated
| @@ -38,10 +39,14 @@ func generateInterfaceName(key string, name string, useHead bool) string { | |||
| interfaceKey := hex.EncodeToString(hash.Sum(nil)) | |||
| prefix := name | |||
| if len(name) > interfacePrefixLength { | |||
| // We use Node/Pod name to generate the interface name, | |||
| // valid chars for Node/Pod name are ASCII letters from a to z, | |||
| // the digits from 0 to 9, and the hyphen (-), hyphen (-) is the only char | |||
There was a problem hiding this comment.
should be a new sentence:
Hyphen (-) is the only char which will impact command-line interpretation if the interface name starts with one, so we remove it here.
Comment on lines
237
to
270
| c, closeFn := newController(t, &config.NetworkConfig{ | ||
| TrafficEncapMode: 0, | ||
| TunnelType: ovsconfig.TunnelType("vxlan"), | ||
| EnableIPSecTunnel: true, | ||
| IPSecPSK: "changeme", | ||
| }) | ||
|
|
||
| c.interfaceStore.AddInterface(&interfacestore.InterfaceConfig{ | ||
| Type: interfacestore.TunnelInterface, | ||
| InterfaceName: util.GenerateNodeTunnelInterfaceName("xyz-k8s-0-1"), | ||
| TunnelInterfaceConfig: &interfacestore.TunnelInterfaceConfig{ | ||
| NodeName: "xyz-k8s-0-1", | ||
| Type: ovsconfig.TunnelType("vxlan"), | ||
| PSK: "mismatchpsk", | ||
| RemoteIP: nodeIP1, | ||
| }, | ||
| OVSPortConfig: &interfacestore.OVSPortConfig{ | ||
| PortUUID: "123", | ||
| }, | ||
| }) | ||
|
|
||
| defer closeFn() | ||
| defer c.queue.ShutDown() | ||
| stopCh := make(chan struct{}) | ||
| defer close(stopCh) | ||
| c.informerFactory.Start(stopCh) | ||
| c.informerFactory.WaitForCacheSync(stopCh) |
There was a problem hiding this comment.
maybe unify this set up code in a separate function:
func setup(ifaces ...*interfacestore.InterfaceConfig) cleanupFn {
...
}then in the test:
cleanup := setup(ifaceConfig)
defer cleanup()
Comment on lines
285
to
299
| tests := []struct { | ||
| name string | ||
| wantErr bool | ||
| }{ | ||
| { | ||
| name: "good path with IPSec enabled", | ||
| wantErr: false, | ||
| }, | ||
| } | ||
| for _, tt := range tests { | ||
| t.Run(tt.name, func(t *testing.T) { | ||
| if err := c.removeStaleTunnelPorts(); (err != nil) != tt.wantErr { | ||
| t.Errorf("Controller.removeStaleTunnelPorts() error = %v, wantErr %v", err, tt.wantErr) | ||
| } | ||
| }) |
There was a problem hiding this comment.
do you think there will be more tests added in the future? maybe since you only have one test right now there is no need to use a table pattern
There was a problem hiding this comment.
removed table pattern
luolanzone
force-pushed
the
tunnel-bug-fix
branch
2 times, most recently
from
16a97ce
to
39e711d
Compare
antoninbas
reviewed
Aug 4, 2021
Comment on lines
373
to
380
| if (err != nil) != tt.wantErr { | ||
| t.Errorf("Controller.createIPSecTunnelPort() error = %v, wantErr %v", err, tt.wantErr) | ||
| return | ||
| } | ||
| if got != tt.want { | ||
| t.Errorf("Controller.createIPSecTunnelPort() got %v,want = %v", got, tt.want) | ||
| return | ||
| } |
There was a problem hiding this comment.
can we use testify assertions for these tests like we do in other Antrea unit tests? assert assertions will continue the test on error, while require assertions will abort the test on error
| want int32 | ||
| }{ | ||
| { | ||
| name: "good path", |
There was a problem hiding this comment.
"good path" is not a great name, maybe "create new port"
the purpose of this commit is to fix a tunnel interface issue founded during some IPSec PoC verification: 1. when the node name is like 'lan-k8s-0-0', the IPsec tunnel interface name will be like '-k8s-0-2-e8dbe6', then it will failed to run command like `ipsec up '-k8s-0-2-e8dbe6'` with error `/usr/lib/ipsec/stroke: invalid option -- 'k'` due to the first char is '-', ipsec command interrupted it as an option. so changed the `generateInterfaceName` method to use `strings.TrimLeft()` to remove '-' in left. 2. `createIPSecTunnelPort` method can't handle the case when tunnel interface name changed when there is cache matched for the node. it will reuse the existing tunnel name without creating a new one with new name which means any change in `generateInterfaceName` won't take affect. and also add some unit test cases. Signed-off-by: Lan Luo <luola@vmware.com>
luolanzone
force-pushed
the
tunnel-bug-fix
branch
from
39e711d
to
74e2a6c
Compare
antoninbas
approved these changes
Aug 5, 2021
|
/test-all |
|
/test-ipv6-only-e2e |
abhiraut
approved these changes
Aug 6, 2021
|
@luolanzone please cherry-pick to release-1.2 |
luolanzone
added a commit
to luolanzone/antrea
that referenced
this pull request
Aug 9, 2021
this PR is based on antrea-io#2486 and I verified all tunnel modes with IPSec in K8s Cluster, it all works fine now, so I remove the limitation on our docs and the check in the code. Signed-off-by: Lan Luo <luola@vmware.com>
luolanzone
added a commit
to luolanzone/antrea
that referenced
this pull request
Aug 9, 2021
this PR is based on antrea-io#2486 and I verified all tunnel modes with IPSec in K8s Cluster, it all works fine now, so I remove the limitation on our docs and the check in the code. Signed-off-by: Lan Luo <luola@vmware.com>
luolanzone
added a commit
to luolanzone/antrea
that referenced
this pull request
Aug 10, 2021
this PR is based on antrea-io#2486 and I verified all tunnel modes with IPSec in K8s Cluster, it all works fine now, so I remove the limitation on our docs and the check in the code. Signed-off-by: Lan Luo <luola@vmware.com>
tnqn
reviewed
Aug 10, 2021
| interfaceConfig, ok := c.interfaceStore.GetNodeTunnelInterface(nodeName) | ||
| // check if Node IP, PSK, or tunnel type changes. This can | ||
| // happen if removeStaleTunnelPorts fails to remove a "stale" | ||
| // tunnel port for which the configuration has changed, return error to requeue the Node. |
There was a problem hiding this comment.
Since you removed the TODO, and according to the commit message, I suppose this is fixed. However, how requeuing the Node helps? I think the next attemp will still get here and requeue again?
There was a problem hiding this comment.
Hi @tnqn, I think the TODO is highlighting it doesn't check the configuration change here but return directly. it's an assumption that it's a temporary issue if last remove action failed in removeStaleTunnelPorts, so re-queue will help because removeStaleTunnelPorts also checks configuration difference. but it indeed will go back here if failed again, is there any case in your mind port can't be removed?
There was a problem hiding this comment.
My understanding was that we would call c.ovsBridgeClient.DeletePort and c.interfaceStore.DeleteInterface here, and in case of error during port removal, return an error and let the Node be requeued. removeStaleTunnelPorts is only called on controller start up and transient errors are always possible.
There was a problem hiding this comment.
So the issue is not really fixed. @luolanzone would you have a follow-up PR to fix it? and maybe have a test covering this scenario.
There was a problem hiding this comment.
sure, I will fix this.
annakhm
pushed a commit
to annakhm/antrea
that referenced
this pull request
Aug 16, 2021
The purpose of this commit is to fix a tunnel interface issue founded during some IPSec PoC verification: 1. when the node name is like 'lan-k8s-0-0', the IPsec tunnel interface name will be like '-k8s-0-2-e8dbe6', then it will failed to run command like `ipsec up '-k8s-0-2-e8dbe6'` with error `/usr/lib/ipsec/stroke: invalid option -- 'k'` due to the first char is '-', ipsec command interrupted it as an option. so changed the `generateInterfaceName` method to use `strings.TrimLeft()` to remove '-' in left. 2. `createIPSecTunnelPort` method can't handle the case when tunnel interface name changed when there is cache matched for the node. it will reuse the existing tunnel name without creating a new one with new name which means any change in `generateInterfaceName` won't take affect. and also add some unit test cases. Signed-off-by: Lan Luo <luola@vmware.com>
luolanzone
added a commit
to luolanzone/antrea
that referenced
this pull request
Aug 17, 2021
this PR is based on antrea-io#2486 and I verified all tunnel modes with IPSec in K8s Cluster, it all works fine now, so I remove the limitation on our docs and the check in the code. Signed-off-by: Lan Luo <luola@vmware.com>
luolanzone
added a commit
to luolanzone/antrea
that referenced
this pull request
Aug 18, 2021
this PR is based on antrea-io#2486 and I verified all tunnel modes with IPSec in K8s Cluster, it all works fine now, so I remove the limitation on our docs and the check in the code. Signed-off-by: Lan Luo <luola@vmware.com>
luolanzone
added a commit
to luolanzone/antrea
that referenced
this pull request
Aug 18, 2021
this PR is based on antrea-io#2486 and I verified all tunnel modes with IPSec in K8s Cluster, it all works fine now, so I remove the limitation on our docs and the check in the code. Signed-off-by: Lan Luo <luola@vmware.com>
luolanzone
added a commit
to luolanzone/antrea
that referenced
this pull request
Aug 19, 2021
this PR is based on antrea-io#2486 and I verified all tunnel modes with IPSec in K8s Cluster, it all works fine now, so I remove the limitation on our docs and the check in the code. Signed-off-by: Lan Luo <luola@vmware.com>
luolanzone
added a commit
to luolanzone/antrea
that referenced
this pull request
Sep 13, 2021
this PR is based on antrea-io#2486 and I verified all tunnel modes with IPSec in K8s Cluster, it all works fine now, so I remove the limitation on our docs and the check in the code. Signed-off-by: Lan Luo <luola@vmware.com>
luolanzone
added a commit
to luolanzone/antrea
that referenced
this pull request
Sep 16, 2021
this PR is based on antrea-io#2486 and I verified all tunnel modes with IPSec in K8s Cluster, it all works fine now, so I remove the limitation on our docs and the check in the code. Signed-off-by: Lan Luo <luola@vmware.com>
tnqn
pushed a commit
that referenced
this pull request
Sep 16, 2021
this PR is based on #2486 and I verified all tunnel modes with IPSec in K8s Cluster, it all works fine now, so I remove the limitation on our docs and the check in the code. Signed-off-by: Lan Luo <luola@vmware.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
the purpose of this commit is to fix a tunnel interface issue founded during some IPSec PoC verification:
when the node name is like 'lan-k8s-0-0', the IPsec tunnel interface name will be
like '-k8s-0-2-e8dbe6', then it will failed to run command like
ipsec up '-k8s-0-2-e8dbe6'inside a Antrea agent with error/usr/lib/ipsec/stroke: invalid option -- 'k'due to the first char is '-', ipsec command interrupted it as an
option. so changed the
generateInterfaceNamemethod to usestrings.TrimLeft()to remove '-' in left.createIPSecTunnelPortmethod can't handle the case when tunnelinterface name changed when there is cache matched for the node. it
will reuse the existing tunnel name without creating a new one with new
name which means any change in
generateInterfaceNamewon't takeaffect. so refine it with more checks.
and also add some unit test cases.
Signed-off-by: Lan Luo luola@vmware.com