From 7bffeeb10c6dfc619a0abf3430e7d7ca00ebda3b Mon Sep 17 00:00:00 2001 From: Laurence Man Date: Wed, 20 May 2020 15:06:54 -0700 Subject: [PATCH 1/3] Disable accept_ra in workloads --- dataplane/linux/endpoint_mgr.go | 13 +++++++++ dataplane/linux/endpoint_mgr_test.go | 42 ++++++++++++++++++++++++++++ dataplane/linux/int_dataplane.go | 2 ++ 3 files changed, 57 insertions(+) diff --git a/dataplane/linux/endpoint_mgr.go b/dataplane/linux/endpoint_mgr.go index e1e6ae060f..5be2b74599 100644 --- a/dataplane/linux/endpoint_mgr.go +++ b/dataplane/linux/endpoint_mgr.go @@ -185,6 +185,7 @@ type endpointManager struct { // Callbacks OnEndpointStatusUpdate EndpointStatusUpdateCallback callbacks endpointManagerCallbacks + openStackActive bool } type EndpointStatusUpdateCallback func(ipVersion uint8, id interface{}, status string) @@ -202,6 +203,7 @@ func newEndpointManager( kubeIPVSSupportEnabled bool, wlInterfacePrefixes []string, onWorkloadEndpointStatusUpdate EndpointStatusUpdateCallback, + openStackActive bool, callbacks *callbacks, ) *endpointManager { return newEndpointManagerWithShims( @@ -216,6 +218,7 @@ func newEndpointManager( wlInterfacePrefixes, onWorkloadEndpointStatusUpdate, writeProcSys, + openStackActive, callbacks, ) } @@ -232,6 +235,7 @@ func newEndpointManagerWithShims( wlInterfacePrefixes []string, onWorkloadEndpointStatusUpdate EndpointStatusUpdateCallback, procSysWriter procSysWriter, + openStackActive bool, callbacks *callbacks, ) *endpointManager { wlIfacesPattern := "^(" + strings.Join(wlInterfacePrefixes, "|") + ").*" @@ -241,6 +245,7 @@ func newEndpointManagerWithShims( ipVersion: ipVersion, wlIfacesRegexp: wlIfacesRegexp, kubeIPVSSupportEnabled: kubeIPVSSupportEnabled, + openStackActive: openStackActive, rawTable: rawTable, mangleTable: mangleTable, 
@@ -1013,6 +1018,14 @@ func (m *endpointManager) configureInterface(name string) error { "Skipping configuration of interface because it is oper down.") return nil } + + // Try setting accept_ra to 0 and only log if it failed (it might fail if IPv6 + // was disabled). + if !m.openStackActive { + err := m.writeProcSys(fmt.Sprintf("/proc/sys/net/ipv6/conf/%s/accept_ra", name), "0") + log.WithField("ifaceName", name).Warnf("Could not set accept_ra: %v", err) + } + log.WithField("ifaceName", name).Info( "Applying /proc/sys configuration to interface.") if m.ipVersion == 4 { diff --git a/dataplane/linux/endpoint_mgr_test.go b/dataplane/linux/endpoint_mgr_test.go index 6f7ff57a57..dc2e7b0102 100644 --- a/dataplane/linux/endpoint_mgr_test.go +++ b/dataplane/linux/endpoint_mgr_test.go @@ -668,6 +668,7 @@ func endpointManagerTests(ipVersion uint8) func() { []string{"cali"}, statusReportRec.endpointStatusUpdateCallback, mockProcSys.write, + false, newCallbacks(), ) }) @@ -1575,11 +1576,13 @@ func endpointManagerTests(ipVersion uint8) func() { It("should write /proc/sys entries", func() { if ipVersion == 6 { mockProcSys.checkState(map[string]string{ + "/proc/sys/net/ipv6/conf/cali12345-ab/accept_ra": "0", "/proc/sys/net/ipv6/conf/cali12345-ab/proxy_ndp": "1", "/proc/sys/net/ipv6/conf/cali12345-ab/forwarding": "1", }) } else { mockProcSys.checkState(map[string]string{ + "/proc/sys/net/ipv6/conf/cali12345-ab/accept_ra": "0", "/proc/sys/net/ipv4/conf/cali12345-ab/forwarding": "1", "/proc/sys/net/ipv4/conf/cali12345-ab/rp_filter": "1", "/proc/sys/net/ipv4/conf/cali12345-ab/route_localnet": "1", 
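Review bot: The accept_ra write in configureInterface is placed after the early `return nil` for an oper-down interface, so a workload interface keeps the kernel's default setting until Felix has seen it come up and reached this code. A Router Advertisement sent by the workload in that window may still be processed by the host, and writing 0 afterwards is not expected to remove anything already learned from it. Consider moving the write ahead of the oper-state check if the /proc/sys entry is available at that point, or documenting that operators should also set the host-wide `net.ipv6.conf.default.accept_ra` to 0 so new interfaces start disabled. The function begins and continues outside this hunk, so the ordering relative to the other /proc/sys writes is inferred from the visible context only.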
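Review bot: The updated expectations in "should write /proc/sys entries" cover only a successful accept_ra write; no case exercises the path the production comment describes, where the write fails (for example with IPv6 disabled) and interface configuration must still complete. If the mockProcSys shim can be made to return an error for `/proc/sys/net/ipv6/conf/cali12345-ab/accept_ra`, a case that does so and then asserts `Expect(epMgr.CompleteDeferredWork()).ToNot(HaveOccurred())` together with the remaining entries would pin the "log only" behaviour. Without it, a later change that starts returning the error would not be caught by these tests.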
@@ -1723,6 +1726,45 @@ func endpointManagerTests(ipVersion uint8) func() { }) }) }) + + Context("with OpenStack active and updates for the workload's iface", func() { + JustBeforeEach(func() { + epMgr.openStackActive = true + epMgr.OnUpdate(&ifaceUpdate{ + Name: "cali12345-ab", + State: "up", + }) + epMgr.OnUpdate(&ifaceAddrsUpdate{ + Name: "cali12345-ab", + Addrs: set.New(), + }) + err := epMgr.CompleteDeferredWork() + Expect(err).ToNot(HaveOccurred()) + }) + + It("should have expected chains", expectWlChainsFor("cali12345-ab")) + It("should report endpoint up", func() { + Expect(statusReportRec.currentState).To(Equal(map[interface{}]string{ + wlEPID1: "up", + })) + }) + + It("should write /proc/sys entries", func() { + if ipVersion == 6 { + mockProcSys.checkState(map[string]string{ + "/proc/sys/net/ipv6/conf/cali12345-ab/proxy_ndp": "1", + "/proc/sys/net/ipv6/conf/cali12345-ab/forwarding": "1", + }) + } else { + mockProcSys.checkState(map[string]string{ + "/proc/sys/net/ipv4/conf/cali12345-ab/forwarding": "1", + "/proc/sys/net/ipv4/conf/cali12345-ab/route_localnet": "1", + "/proc/sys/net/ipv4/conf/cali12345-ab/proxy_arp": "1", + "/proc/sys/net/ipv4/neigh/cali12345-ab/proxy_delay": "0", + }) + } + }) + }) }) Context("with an inactive workload endpoint", func() { diff --git a/dataplane/linux/int_dataplane.go b/dataplane/linux/int_dataplane.go index 69ed81983f..dbcbb31bdb 100644 --- a/dataplane/linux/int_dataplane.go +++ b/dataplane/linux/int_dataplane.go @@ -444,6 +444,7 @@ func NewIntDataplaneDriver(config Config) *InternalDataplane { config.RulesConfig.KubeIPVSSupportEnabled, config.RulesConfig.WorkloadIfacePrefixes, dp.endpointStatusCombiner.OnEndpointStatusUpdate, + config.RulesConfig.OpenStackSpecialCasesEnabled, callbacks) dp.RegisterManager(epManager) dp.endpointsSourceV4 = epManager 
@@ -516,6 +517,7 @@ func NewIntDataplaneDriver(config Config) *InternalDataplane { config.RulesConfig.KubeIPVSSupportEnabled, config.RulesConfig.WorkloadIfacePrefixes, dp.endpointStatusCombiner.OnEndpointStatusUpdate, + config.RulesConfig.OpenStackSpecialCasesEnabled, callbacks)) dp.RegisterManager(newFloatingIPManager(natTableV6, ruleRenderer, 6)) dp.RegisterManager(newMasqManager(ipSetsV6, natTableV6, ruleRenderer, config.MaxIPSetSize, 6)) From a162c9f2484f26a8dfcf0ea3a0e5370cc458a246 Mon Sep 17 00:00:00 2001 From: Neil Jerram Date: Thu, 21 May 2020 15:00:22 +0100 Subject: [PATCH 2/3] Revert special-casing for OpenStack --- dataplane/linux/endpoint_mgr.go | 11 ++------ dataplane/linux/endpoint_mgr_test.go | 40 ---------------------------- dataplane/linux/int_dataplane.go | 2 -- 3 files changed, 2 insertions(+), 51 deletions(-) diff --git a/dataplane/linux/endpoint_mgr.go b/dataplane/linux/endpoint_mgr.go index 5be2b74599..6506a9116b 100644 --- a/dataplane/linux/endpoint_mgr.go +++ b/dataplane/linux/endpoint_mgr.go @@ -185,7 +185,6 @@ type endpointManager struct { // Callbacks OnEndpointStatusUpdate EndpointStatusUpdateCallback callbacks endpointManagerCallbacks - openStackActive bool } type EndpointStatusUpdateCallback func(ipVersion uint8, id interface{}, status string) @@ -203,7 +202,6 @@ func newEndpointManager( kubeIPVSSupportEnabled bool, wlInterfacePrefixes []string, onWorkloadEndpointStatusUpdate EndpointStatusUpdateCallback, - openStackActive bool, callbacks *callbacks, ) *endpointManager { return newEndpointManagerWithShims( @@ -218,7 +216,6 @@ func newEndpointManager( wlInterfacePrefixes, onWorkloadEndpointStatusUpdate, writeProcSys, - openStackActive, callbacks, ) } 
@@ -235,7 +232,6 @@ func newEndpointManagerWithShims( wlInterfacePrefixes []string, onWorkloadEndpointStatusUpdate EndpointStatusUpdateCallback, procSysWriter procSysWriter, - openStackActive bool, callbacks *callbacks, ) *endpointManager { wlIfacesPattern := "^(" + strings.Join(wlInterfacePrefixes, "|") + ").*" @@ -245,7 +241,6 @@ func newEndpointManagerWithShims( ipVersion: ipVersion, wlIfacesRegexp: wlIfacesRegexp, kubeIPVSSupportEnabled: kubeIPVSSupportEnabled, - openStackActive: openStackActive, rawTable: rawTable, mangleTable: mangleTable, @@ -1021,10 +1016,8 @@ func (m *endpointManager) configureInterface(name string) error { // Try setting accept_ra to 0 and only log if it failed (it might fail if IPv6 // was disabled). - if !m.openStackActive { - err := m.writeProcSys(fmt.Sprintf("/proc/sys/net/ipv6/conf/%s/accept_ra", name), "0") - log.WithField("ifaceName", name).Warnf("Could not set accept_ra: %v", err) - } + err := m.writeProcSys(fmt.Sprintf("/proc/sys/net/ipv6/conf/%s/accept_ra", name), "0") + log.WithField("ifaceName", name).Warnf("Could not set accept_ra: %v", err) log.WithField("ifaceName", name).Info( "Applying /proc/sys configuration to interface.") diff --git a/dataplane/linux/endpoint_mgr_test.go b/dataplane/linux/endpoint_mgr_test.go index dc2e7b0102..e25ff41da9 100644 --- a/dataplane/linux/endpoint_mgr_test.go +++ b/dataplane/linux/endpoint_mgr_test.go @@ -668,7 +668,6 @@ func endpointManagerTests(ipVersion uint8) func() { []string{"cali"}, statusReportRec.endpointStatusUpdateCallback, mockProcSys.write, - false, newCallbacks(), ) }) 
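Review bot: The comment above the accept_ra write in configureInterface explains why a failure is tolerated but not why the value is forced to 0, and with the OpenStack exception removed the setting now applies to every deployment. A rationale line would let the next maintainer judge whether any future exception is safe, for example `// Never act on Router Advertisements from a workload: an accepted RA could add routes or addresses in the host namespace.` That reason is my reading of the series' intent and should be confirmed by the authors. configureInterface starts and ends outside this hunk.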
@@ -1726,45 +1725,6 @@ func endpointManagerTests(ipVersion uint8) func() { }) }) }) - - Context("with OpenStack active and updates for the workload's iface", func() { - JustBeforeEach(func() { - epMgr.openStackActive = true - epMgr.OnUpdate(&ifaceUpdate{ - Name: "cali12345-ab", - State: "up", - }) - epMgr.OnUpdate(&ifaceAddrsUpdate{ - Name: "cali12345-ab", - Addrs: set.New(), - }) - err := epMgr.CompleteDeferredWork() - Expect(err).ToNot(HaveOccurred()) - }) - - It("should have expected chains", expectWlChainsFor("cali12345-ab")) - It("should report endpoint up", func() { - Expect(statusReportRec.currentState).To(Equal(map[interface{}]string{ - wlEPID1: "up", - })) - }) - - It("should write /proc/sys entries", func() { - if ipVersion == 6 { - mockProcSys.checkState(map[string]string{ - "/proc/sys/net/ipv6/conf/cali12345-ab/proxy_ndp": "1", - "/proc/sys/net/ipv6/conf/cali12345-ab/forwarding": "1", - }) - } else { - mockProcSys.checkState(map[string]string{ - "/proc/sys/net/ipv4/conf/cali12345-ab/forwarding": "1", - "/proc/sys/net/ipv4/conf/cali12345-ab/route_localnet": "1", - "/proc/sys/net/ipv4/conf/cali12345-ab/proxy_arp": "1", - "/proc/sys/net/ipv4/neigh/cali12345-ab/proxy_delay": "0", - }) - } - }) - }) }) Context("with an inactive workload endpoint", func() { diff --git a/dataplane/linux/int_dataplane.go b/dataplane/linux/int_dataplane.go index dbcbb31bdb..69ed81983f 100644 --- a/dataplane/linux/int_dataplane.go +++ b/dataplane/linux/int_dataplane.go @@ -444,7 +444,6 @@ func NewIntDataplaneDriver(config Config) *InternalDataplane { config.RulesConfig.KubeIPVSSupportEnabled, config.RulesConfig.WorkloadIfacePrefixes, dp.endpointStatusCombiner.OnEndpointStatusUpdate, - config.RulesConfig.OpenStackSpecialCasesEnabled, callbacks) dp.RegisterManager(epManager) dp.endpointsSourceV4 = epManager 
@@ -517,7 +516,6 @@ func NewIntDataplaneDriver(config Config) *InternalDataplane { config.RulesConfig.KubeIPVSSupportEnabled, config.RulesConfig.WorkloadIfacePrefixes, dp.endpointStatusCombiner.OnEndpointStatusUpdate, - config.RulesConfig.OpenStackSpecialCasesEnabled, callbacks)) dp.RegisterManager(newFloatingIPManager(natTableV6, ruleRenderer, 6)) dp.RegisterManager(newMasqManager(ipSetsV6, natTableV6, ruleRenderer, config.MaxIPSetSize, 6)) From b4521e4e3e46e786e56b1892bfc9c4effca5fa67 Mon Sep 17 00:00:00 2001 From: Laurence Man Date: Thu, 21 May 2020 16:08:47 -0700 Subject: [PATCH 3/3] Only log on err --- dataplane/linux/endpoint_mgr.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/dataplane/linux/endpoint_mgr.go b/dataplane/linux/endpoint_mgr.go index 6506a9116b..3f3e9caf41 100644 --- a/dataplane/linux/endpoint_mgr.go +++ b/dataplane/linux/endpoint_mgr.go @@ -1014,10 +1014,12 @@ func (m *endpointManager) configureInterface(name string) error { return nil } - // Try setting accept_ra to 0 and only log if it failed (it might fail if IPv6 + // Try setting accept_ra to 0 and just log if it failed (it might fail if IPv6 // was disabled). err := m.writeProcSys(fmt.Sprintf("/proc/sys/net/ipv6/conf/%s/accept_ra", name), "0") - log.WithField("ifaceName", name).Warnf("Could not set accept_ra: %v", err) + if err != nil { + log.WithField("ifaceName", name).Warnf("Could not set accept_ra: %v", err) + } log.WithField("ifaceName", name).Info( "Applying /proc/sys configuration to interface.")
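Review bot: Every failure of the accept_ra write in configureInterface is handled the same way and logged at Warn, so a host with IPv6 disabled emits one warning per workload interface, while a genuine failure on an IPv6-enabled host, which leaves that interface accepting Router Advertisements, looks identical in the logs. The test expectations in PATCH 1/3 show the IPv4 endpoint manager performing this write too, so the noise is not confined to the IPv6 manager. If writeProcSys preserves the underlying OS error, consider `if err != nil && !errors.Is(err, os.ErrNotExist) {` for the Warn and a Debug line for the not-exist case, so that the warnings which remain mean the control was not applied. The body of configureInterface continues outside the hunk.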