Fix single rule deletion for NodePortLocal on Linux #6284
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
XinShuYang
reviewed
May 6, 2024
tnqn
previously approved these changes
May 6, 2024
| } | ||
|
|
||
| // If conditionFn is nil, we will assume you are looking for a non-existing annotation. | ||
| // If you want to match all, conditionMatchAll as the conditionFn. |
There was a problem hiding this comment.
Suggested change
| // If you want to match all, conditionMatchAll as the conditionFn. | |
| // If you want to match all, use conditionMatchAll as the conditionFn. |
wenyingd
reviewed
May 6, 2024
The logic for deleting an individual NPL mapping was broken. It incorrectly believed that the protocol socket was still in use, and the mapping could never be deleted, putting the NPL controller in an endless error loop. The State field in ProtocolSocketData was left over from pre Antrea v1.7, back when we would always use the same port number for multiple protocols, for a give Pod IP + port. With the current version of the NPL implementation, this field is not needed and should be removed. By removing the field, we avoid the deletion issue. This patch also ensures that if a rule is only partially cleaned-up, we can attempt to delete it again, by making DeleteRule idempotent. To identify that a prior deletion attempt failed, we introduce a "defunct" field in the NPL rule data. If this field is set, the controller knows that the rule has been partially deleted and deletion needs to be attempted again. Without this, it would be possible for the controller (with the right sequence of updates) to assume that a partially-deleted rule is still valid, which would break the datapath. I plan on improving the NPL code further with a follow-up patch, but in order to keep this patch small (for back-porting), I went with the simplest solution I could think of. Fixes antrea-io#6281 Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
antoninbas
force-pushed
the
fix-npl-rule-deletion
branch
from
86ca00c
to
6386d2c
Compare
antoninbas
commented
May 6, 2024
Comment on lines
+880
to
+901
| // This function will be executed synchronously when DeleteRule is called for the first time | ||
| // and we simulate a failure. It restores the second target port for the Service, which was | ||
| // deleted previously, and waits for the change to be reflected in the informer's | ||
| // store. After that, we know that the next time the NPL controller processes the test Pod, | ||
| // it will need to ensure that both NPL mappings are configured correctly. Because one of | ||
| // the rules will be marked as "defunct", it will first need to delete the rule properly | ||
| // before adding it back. | ||
| restoreServiceTargetPorts := func() { | ||
| testSvc.Spec.Ports = ports | ||
| _, err := testData.k8sClient.CoreV1().Services(defaultNS).Update(context.TODO(), testSvc, metav1.UpdateOptions{}) | ||
| if !assert.NoError(t, err) { | ||
| return | ||
| } | ||
| assert.EventuallyWithT(t, func(c *assert.CollectT) { | ||
| obj, exists, err := testData.svcInformer.GetIndexer().GetByKey(testSvc.Namespace + "/" + testSvc.Name) | ||
| if !assert.NoError(t, err) || !assert.True(t, exists) { | ||
| return | ||
| } | ||
| svc := obj.(*corev1.Service) | ||
| assert.Len(t, svc.Spec.Ports, 2) | ||
| }, 2*time.Second, 50*time.Millisecond) | ||
| } |
There was a problem hiding this comment.
@tnqn do you think this is ok? I couldn't think of an alternative, besides moving these tests to pkg/agent/nodeportlocal/k8s and calling handleAddUpdatePod directly, which would have been a bigger change and I wanted to keep this patch small. I am planning to re-organize some of the NPL code in a subsequent PR (that won't be backported), so maybe I can improve this test as part of the re-org PR.
There was a problem hiding this comment.
The current test works for me. The only way that can makes it simper I can think of is to construct a defunct entry in advance, then verify it won't be reused and will be deleted eventually once iptables succeeds.
There was a problem hiding this comment.
That's a good idea, but it would require a test-specific function (exported) to mark the entry as defunct. I'll keep that in mind for the refactoring.
|
/test-all |
tnqn
approved these changes
May 7, 2024
Comment on lines
+880
to
+901
| // This function will be executed synchronously when DeleteRule is called for the first time | ||
| // and we simulate a failure. It restores the second target port for the Service, which was | ||
| // deleted previously, and waits for the change to be reflected in the informer's | ||
| // store. After that, we know that the next time the NPL controller processes the test Pod, | ||
| // it will need to ensure that both NPL mappings are configured correctly. Because one of | ||
| // the rules will be marked as "defunct", it will first need to delete the rule properly | ||
| // before adding it back. | ||
| restoreServiceTargetPorts := func() { | ||
| testSvc.Spec.Ports = ports | ||
| _, err := testData.k8sClient.CoreV1().Services(defaultNS).Update(context.TODO(), testSvc, metav1.UpdateOptions{}) | ||
| if !assert.NoError(t, err) { | ||
| return | ||
| } | ||
| assert.EventuallyWithT(t, func(c *assert.CollectT) { | ||
| obj, exists, err := testData.svcInformer.GetIndexer().GetByKey(testSvc.Namespace + "/" + testSvc.Name) | ||
| if !assert.NoError(t, err) || !assert.True(t, exists) { | ||
| return | ||
| } | ||
| svc := obj.(*corev1.Service) | ||
| assert.Len(t, svc.Spec.Ports, 2) | ||
| }, 2*time.Second, 50*time.Millisecond) | ||
| } |
There was a problem hiding this comment.
The current test works for me. The only way that can makes it simper I can think of is to construct a defunct entry in advance, then verify it won't be reused and will be deleted eventually once iptables succeeds.
antoninbas
added a commit
to antoninbas/antrea
that referenced
this pull request
May 7, 2024
The logic for deleting an individual NPL mapping was broken. It incorrectly believed that the protocol socket was still in use, and the mapping could never be deleted, putting the NPL controller in an endless error loop. The State field in ProtocolSocketData was left over from pre Antrea v1.7, back when we would always use the same port number for multiple protocols, for a give Pod IP + port. With the current version of the NPL implementation, this field is not needed and should be removed. By removing the field, we avoid the deletion issue. This patch also ensures that if a rule is only partially cleaned-up, we can attempt to delete it again, by making DeleteRule idempotent. To identify that a prior deletion attempt failed, we introduce a "defunct" field in the NPL rule data. If this field is set, the controller knows that the rule has been partially deleted and deletion needs to be attempted again. Without this, it would be possible for the controller (with the right sequence of updates) to assume that a partially-deleted rule is still valid, which would break the datapath. I plan on improving the NPL code further with a follow-up patch, but in order to keep this patch small (for back-porting), I went with the simplest solution I could think of. Fixes antrea-io#6281 Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
antoninbas
added a commit
to antoninbas/antrea
that referenced
this pull request
May 7, 2024
The logic for deleting an individual NPL mapping was broken. It incorrectly believed that the protocol socket was still in use, and the mapping could never be deleted, putting the NPL controller in an endless error loop. The State field in ProtocolSocketData was left over from pre Antrea v1.7, back when we would always use the same port number for multiple protocols, for a give Pod IP + port. With the current version of the NPL implementation, this field is not needed and should be removed. By removing the field, we avoid the deletion issue. This patch also ensures that if a rule is only partially cleaned-up, we can attempt to delete it again, by making DeleteRule idempotent. To identify that a prior deletion attempt failed, we introduce a "defunct" field in the NPL rule data. If this field is set, the controller knows that the rule has been partially deleted and deletion needs to be attempted again. Without this, it would be possible for the controller (with the right sequence of updates) to assume that a partially-deleted rule is still valid, which would break the datapath. I plan on improving the NPL code further with a follow-up patch, but in order to keep this patch small (for back-porting), I went with the simplest solution I could think of. Fixes antrea-io#6281 Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
antoninbas
added
action/backport
antoninbas
added a commit
to antoninbas/antrea
that referenced
this pull request
May 7, 2024
The logic for deleting an individual NPL mapping was broken. It incorrectly believed that the protocol socket was still in use, and the mapping could never be deleted, putting the NPL controller in an endless error loop. The State field in ProtocolSocketData was left over from pre Antrea v1.7, back when we would always use the same port number for multiple protocols, for a give Pod IP + port. With the current version of the NPL implementation, this field is not needed and should be removed. By removing the field, we avoid the deletion issue. This patch also ensures that if a rule is only partially cleaned-up, we can attempt to delete it again, by making DeleteRule idempotent. To identify that a prior deletion attempt failed, we introduce a "defunct" field in the NPL rule data. If this field is set, the controller knows that the rule has been partially deleted and deletion needs to be attempted again. Without this, it would be possible for the controller (with the right sequence of updates) to assume that a partially-deleted rule is still valid, which would break the datapath. I plan on improving the NPL code further with a follow-up patch, but in order to keep this patch small (for back-porting), I went with the simplest solution I could think of. Fixes antrea-io#6281 Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
antoninbas
added a commit
to antoninbas/antrea
that referenced
this pull request
May 7, 2024
The logic for deleting an individual NPL mapping was broken. It incorrectly believed that the protocol socket was still in use, and the mapping could never be deleted, putting the NPL controller in an endless error loop. The State field in ProtocolSocketData was left over from pre Antrea v1.7, back when we would always use the same port number for multiple protocols, for a give Pod IP + port. With the current version of the NPL implementation, this field is not needed and should be removed. By removing the field, we avoid the deletion issue. This patch also ensures that if a rule is only partially cleaned-up, we can attempt to delete it again, by making DeleteRule idempotent. To identify that a prior deletion attempt failed, we introduce a "defunct" field in the NPL rule data. If this field is set, the controller knows that the rule has been partially deleted and deletion needs to be attempted again. Without this, it would be possible for the controller (with the right sequence of updates) to assume that a partially-deleted rule is still valid, which would break the datapath. I plan on improving the NPL code further with a follow-up patch, but in order to keep this patch small (for back-porting), I went with the simplest solution I could think of. Fixes antrea-io#6281 Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
antoninbas
added a commit
that referenced
this pull request
May 8, 2024
The logic for deleting an individual NPL mapping was broken. It incorrectly believed that the protocol socket was still in use, and the mapping could never be deleted, putting the NPL controller in an endless error loop. The State field in ProtocolSocketData was left over from pre Antrea v1.7, back when we would always use the same port number for multiple protocols, for a give Pod IP + port. With the current version of the NPL implementation, this field is not needed and should be removed. By removing the field, we avoid the deletion issue. This patch also ensures that if a rule is only partially cleaned-up, we can attempt to delete it again, by making DeleteRule idempotent. To identify that a prior deletion attempt failed, we introduce a "defunct" field in the NPL rule data. If this field is set, the controller knows that the rule has been partially deleted and deletion needs to be attempted again. Without this, it would be possible for the controller (with the right sequence of updates) to assume that a partially-deleted rule is still valid, which would break the datapath. I plan on improving the NPL code further with a follow-up patch, but in order to keep this patch small (for back-porting), I went with the simplest solution I could think of. Fixes #6281 Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
antoninbas
added a commit
that referenced
this pull request
May 8, 2024
The logic for deleting an individual NPL mapping was broken. It incorrectly believed that the protocol socket was still in use, and the mapping could never be deleted, putting the NPL controller in an endless error loop. The State field in ProtocolSocketData was left over from pre Antrea v1.7, back when we would always use the same port number for multiple protocols, for a give Pod IP + port. With the current version of the NPL implementation, this field is not needed and should be removed. By removing the field, we avoid the deletion issue. This patch also ensures that if a rule is only partially cleaned-up, we can attempt to delete it again, by making DeleteRule idempotent. To identify that a prior deletion attempt failed, we introduce a "defunct" field in the NPL rule data. If this field is set, the controller knows that the rule has been partially deleted and deletion needs to be attempted again. Without this, it would be possible for the controller (with the right sequence of updates) to assume that a partially-deleted rule is still valid, which would break the datapath. I plan on improving the NPL code further with a follow-up patch, but in order to keep this patch small (for back-porting), I went with the simplest solution I could think of. Fixes #6281 Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
antoninbas
added a commit
that referenced
this pull request
May 11, 2024
The logic for deleting an individual NPL mapping was broken. It incorrectly believed that the protocol socket was still in use, and the mapping could never be deleted, putting the NPL controller in an endless error loop. The State field in ProtocolSocketData was left over from pre Antrea v1.7, back when we would always use the same port number for multiple protocols, for a give Pod IP + port. With the current version of the NPL implementation, this field is not needed and should be removed. By removing the field, we avoid the deletion issue. This patch also ensures that if a rule is only partially cleaned-up, we can attempt to delete it again, by making DeleteRule idempotent. To identify that a prior deletion attempt failed, we introduce a "defunct" field in the NPL rule data. If this field is set, the controller knows that the rule has been partially deleted and deletion needs to be attempted again. Without this, it would be possible for the controller (with the right sequence of updates) to assume that a partially-deleted rule is still valid, which would break the datapath. I plan on improving the NPL code further with a follow-up patch, but in order to keep this patch small (for back-porting), I went with the simplest solution I could think of. Fixes #6281 Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
antoninbas
added a commit
that referenced
this pull request
May 13, 2024
The logic for deleting an individual NPL mapping was broken. It incorrectly believed that the protocol socket was still in use, and the mapping could never be deleted, putting the NPL controller in an endless error loop. The State field in ProtocolSocketData was left over from pre Antrea v1.7, back when we would always use the same port number for multiple protocols, for a give Pod IP + port. With the current version of the NPL implementation, this field is not needed and should be removed. By removing the field, we avoid the deletion issue. This patch also ensures that if a rule is only partially cleaned-up, we can attempt to delete it again, by making DeleteRule idempotent. To identify that a prior deletion attempt failed, we introduce a "defunct" field in the NPL rule data. If this field is set, the controller knows that the rule has been partially deleted and deletion needs to be attempted again. Without this, it would be possible for the controller (with the right sequence of updates) to assume that a partially-deleted rule is still valid, which would break the datapath. I plan on improving the NPL code further with a follow-up patch, but in order to keep this patch small (for back-porting), I went with the simplest solution I could think of. Fixes #6281 Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The logic for deleting an individual NPL mapping was broken. It incorrectly believed that the protocol socket was still in use, and the mapping could never be deleted, putting the NPL controller in an endless error loop.
The State field in ProtocolSocketData was left over from pre Antrea v1.7, back when we would always use the same port number for multiple protocols, for a give Pod IP + port. With the current version of the NPL implementation, this field is not needed and should be removed. By removing the field, we avoid the deletion issue.
This patch also ensures that if a rule is only partially cleaned-up, we can attempt to delete it again, by making DeleteRule idempotent. To identify that a prior deletion attempt failed, we introduce a "defunct" field in the NPL rule data. If this field is set, the controller knows that the rule has been partially deleted and deletion needs to be attempted again. Without this, it would be possible for the controller (with the right sequence of updates) to assume that a partially-deleted rule is still valid, which would break the datapath. I plan on improving the NPL code further with a follow-up patch, but in order to keep this patch small (for back-porting), I went with the simplest solution I could think of.
Fixes #6281