Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

node-manager: fix race-condition #32606

Merged
merged 1 commit into from
May 27, 2024
Merged

node-manager: fix race-condition #32606

merged 1 commit into from
May 27, 2024

Conversation

marseel
Copy link
Contributor

@marseel marseel commented May 17, 2024
edited

There was potential race-conditions in handling nodes in manager. In background-sync where we were releasing manager mutex before holding entry mutex which would result in updating node information with stale informantion.

This race-condition could cause stale node information up until next background sync or node update, so it was evenually resolved though, but it could take up to 15+ minutes for large clusters, depending on number of nodes.

Follow up from #32577

Edit: seems like this was introduced on main and it's not present on v1.15 branch, so removing release-note.
Regression was introduced by #29415
I've requested review from Fernand, just to make sure I haven't missed anything.

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 17, 2024
@marseel
node-manager: fix race-condition
76d19ca 
There was a potential race-conditions in handling nodes in manager.
In background-sync where we were releasing manager mutex before
holding entry mutex which would result in updating node information
with stale informantion.

This race-condition could cause stale node information up until
next background sync or a node update, so it was evenually resolving,
but it could take up to 15+ minutes for large clusters,
depending on number of nodes.

Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com>
@marseel
Copy link
Contributor Author

marseel commented May 17, 2024

/test

@marseel marseel added the release-note/bug This PR fixes an issue in a previous release of Cilium. label May 17, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 17, 2024
@marseel marseel requested a review from derailed May 21, 2024 11:52
@marseel marseel added release-note/misc This PR makes changes that have no direct user impact. release-blocker/1.16 This issue will prevent the release of the next version of Cilium. and removed release-note/bug This PR fixes an issue in a previous release of Cilium. labels May 21, 2024
@marseel marseel marked this pull request as ready for review May 21, 2024 11:53
@marseel marseel requested a review from a team as a code owner May 21, 2024 11:53
@marseel marseel requested a review from ldelossa May 21, 2024 11:53
derailed
derailed reviewed May 21, 2024
View reviewed changes
Copy link
Contributor

@derailed derailed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@marseel Thank you for reviewing these Marcel!
I think it make sense but also could entail a dead lock. If someone else has a lock on the entry, the node map could no longer be read. This introduce a dependency and also would prevent the sync from exiting should the context be canceled. Given the reconciliation loop at stake, I think it's safer to read potentially stale state.
Am I wrong about that?

@marseel
Copy link
Contributor Author

marseel commented May 21, 2024

I think it make sense but also could entail a dead lock. If someone else has a lock on the entry, the node map could no longer be read. This introduce a dependency and also would prevent the sync from exiting should the context be canceled. Given the reconciliation loop at stake, I think it's safer to read potentially stale state.
Am I wrong about that?

This is the official way we should be always ordering mutexes of nodeManager:

cilium/pkg/node/manager/manager.go

Lines 88 to 104 in 598209e

// mutex is the lock protecting access to the nodes map. The mutex must
// be held for any access of the nodes map.
//
// The manager mutex works together with the entry mutex in the
// following way to minimize the duration the manager mutex is held:
//
// 1. Acquire manager mutex to safely access nodes map and to retrieve
// node entry.
// 2. Acquire mutex of the entry while the manager mutex is still held.
// This guarantees that no change to the entry has happened.
// 3. Release of the manager mutex to unblock changes or reads to other
// node entries.
// 4. Change of entry data or performing of datapath interactions
// 5. Release of the entry mutex
//
// If both the nodeEntry.mutex and Manager.mutex must be held, then the
// Manager.mutex must *always* be acquired first.

Also, we had it in this order forever. So my question is if that change was intended in #29415 (if yes, what was the reason?) or accidental.

@marseel marseel mentioned this pull request May 21, 2024
Merged
@marseel marseel requested a review from derailed May 22, 2024 11:27
derailed
derailed approved these changes May 22, 2024
View reviewed changes
Copy link
Contributor

@derailed derailed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@marseel Ah I see. Tx for the correction Marcel. This is indeed my mistake ;(

ldelossa
ldelossa approved these changes May 23, 2024
View reviewed changes
Copy link
Contributor

@ldelossa ldelossa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change looks good to me, and now aligns with the comments in the manager 👍

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 23, 2024
@aanm aanm added this pull request to the merge queue May 27, 2024
Merged via the queue into cilium:main with commit 3fc805b May 27, 2024
64 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@derailed derailed derailed approved these changes

@ldelossa ldelossa ldelossa approved these changes

Assignees
No one assigned
Labels
ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-blocker/1.16 This issue will prevent the release of the next version of Cilium. release-note/misc This PR makes changes that have no direct user impact.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@marseel @derailed @ldelossa @aanm