Add ARP/NDP responders to external IP assigner

[hty690]

Apart from assigning IPs to the dummy interface, this commit will also create
raw sockets and listen for ARP requests packets (IPv4) and Neighbor Solicitation
packets (IPv6). This fixes the issue that Egress cannot work in IPv6 mode
as the system would not reply to Neighbor Advertisement from external
interfaces if the IP is assigned to the dummy interface. The IP assigner
will skip managing the dummy device if dummyDeviceName is empty. This avoids
the kernel creating a local route, which has a higher priority than the routes
installed by antrea-proxy in proxyAll mode.

Signed-off-by: Tianyi Huang hty690@126.com

[jianjuns]

But how if we need both of binding IP to an interface and replying ARP (e.g. to fix Egress IPv6 support)? Should we make binding IP and ARP two configurable feature of a single IP assigner?

[hty690]

I have merged the assigners into one to fix the Egress issue as well.

[wenqiq]

Why do we import those packages as we have implemented some functions in agent/util/arping and agent/util/arping?

[hty690]

This feature does not only need to send GARP or NS over the network interface. We also need to listen to ARP and NS requests and process the queries accordingly. Without these packages, we may need to manage the raw sockets, parse the ethernet headers, etc.

[jianjuns]

In commit message:

if the IP were assigned to the dummy interface.

were -> is

This avoids the kernel creating local routes for the external IP, which have

"creates a local route", "which has"

[jianjuns]

starts ARP responder and NDP responder?

[jianjuns]

As ARP is not always needed, can we pass a boolean to enable ARP responder? We can add another for NDP too.

Or another we do not enable ARP when dummyDeviceName is not "".

[hty690]

updated.

[jianjuns]

I do not see you changed this?

[jianjuns]

ARP -> NDP

[jianjuns]

exist -> exists

ensuring -> checking

[tnqn]

ensureDummyDevice creates the dummy device if it doesn't exist, not just checks its existence

[jianjuns]

Probably rename to "AddIP", "RemoveIP"? It is not really about assignment.

[hty690]

update. thanks.

[jianjuns]

How about naming it Advertise()?

[hty690]

update. thanks.

[jianjuns]

Probably we should send out multiple GARPs. We can do it in another PR.

[hty690]

I am not clear for multiple GARPs. Could you help to provide more context for this?

[tnqn]

Similar to

antrea/pkg/agent/cniserver/interface_configuration_linux.go

Lines 312 to 326 in 15de4cf

	ticker := time.NewTicker(50 * time.Millisecond)
	defer ticker.Stop()
	count := 0
	for {
	// Send gratuitous ARP to network in case of stale mappings for this IP address
	// (e.g. if a previous - deleted - Pod was using the same IP).
	if err := arping.GratuitousARPOverIface(targetIP, iface); err != nil {
	klog.Warningf("Failed to send gratuitous ARP #%d: %v", count, err)
	}
	count++
	if count == 3 {
	break
	}
	<-ticker.C
	}

[hty690]

Thanks for the pointer. Do we need this for external IPs to send multiple GARPs to the transport interface?

[jianjuns]

Need to protect the map?

[jianjuns]

If it is just a set, we can use a thread-safe type. @tnqn might have a recommendation.

[tnqn]

suggested to use sets.String but it's not thread-safe either. It still needs a lock, but it's a common pattern in our code.

[jianjuns]

If we need not a lock for other reasons, we can use sync.Map (which should work well for a set that no need to read the value).

[codecov-commenter]

Codecov Report

Merging #3318 (4918998) into main (15de4cf) will decrease coverage by 7.32%.
The diff coverage is 55.92%.

@@            Coverage Diff             @@
##             main    #3318      +/-   ##
==========================================
- Coverage   60.95%   53.62%   -7.33%     
==========================================
  Files         266      374     +108     
  Lines       26508    51235   +24727     
==========================================
+ Hits        16159    27477   +11318     
- Misses       8597    21345   +12748     
- Partials     1752     2413     +661     

Flag	Coverage Δ
e2e-tests	50.93% <34.04%> (?)
integration-tests	35.79% <ø> (?)
kind-e2e-tests	47.38% <29.08%> (-0.46%)	⬇️
unit-tests	41.76% <60.30%> (+0.12%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/agent/ipassigner/ip_assigner_linux.go	52.55% <43.83%> (-7.72%)	⬇️
pkg/agent/ipassigner/responder/ndp_responder.go	47.05% <47.05%> (ø)
pkg/agent/ipassigner/responder/arp_responder.go	70.58% <70.58%> (ø)
...g/agent/controller/serviceexternalip/controller.go	80.34% <78.78%> (-0.52%)	⬇️
pkg/agent/controller/egress/egress_controller.go	69.16% <100.00%> (+30.35%)	⬆️
pkg/agent/cniserver/pod_configuration_linux.go	26.31% <0.00%> (-40.36%)	⬇️
pkg/controller/ipam/antrea_ipam_controller.go	48.71% <0.00%> (-31.57%)	⬇️
pkg/agent/flowexporter/connections/conntrack.go	45.71% <0.00%> (-30.48%)	⬇️
pkg/controller/networkpolicy/endpoint_querier.go	61.46% <0.00%> (-29.97%)	⬇️
.../agent/flowexporter/priorityqueue/priorityqueue.go	63.29% <0.00%> (-29.31%)	⬇️
... and 339 more

[tnqn]

In Egress, it's possible that multiple Egresses share same static egress IP, then it could happen that two workers are assigning the same IP concurrently. Without the previous lock, the following code may be executed twice for an IP. Is it ok?

[hty690]

As the responders are thread-safe, do you think it is enough by adding checks of the error codes of netlink.AddrAdd/netlink.AddrDel?

[tnqn]

I wonder if the race condition can happen between AssignIP and UnassignIP. When an IP is released from one Resource and reallocated to another Resource.
worker1 wants to remove an IP while worker2 wants to add it. worker1 starts first.

1. worker1 sees IP is assigned and starts removing it without holding the lock.
2. worker2 sees IP is assigned and returns directly.
3. worker1 removes the IP.

But it seems if worker2 starts first, worker1 may still remove the IP even with the lock. This is not an issue when there is an localIPDetector as removing IP could trigger resync. As it's no longer the case for Service external IP, maybe it needs to track reference number for such case, as well as holding the lock. Then:
If worker1 starts first:

1. worker1 sees IP is assigned and starts removing it.
2. worker2 waits for the lock.
3. worker1 removes IP.
4. worker2 gets the lock, and adds the IP back.

If worker2 starts first:

1. worker2 sees IP is assigned and increase reference count, returns.
2. worker1 sees IP is assigned and decrease reference count, returns.

Reference count can be counted from a set of entities names which are associated with the IP.

[hty690]

I have added the reference count mechanism for the agent Service external IP controller.

[tnqn]

The issue could still happen without the lock when it's used in EgressController. When Egress A is removed and its IP is allocated to Egress B. worker1 handles removal of A, worker2 handles sync of B.

1. worker1 sees IP is assigned and starts removing it without holding the lock.
2. worker2 sees IP is already assigned and returns directly.
3. worker1 removes the IP, which triggers resync of B.
4. worker2 resyncs B, sees IP is already assigned and returns directly.

[hty690]

Make sense. I revert the changes to make the assign/unassign operation atomic. Thanks!

[tnqn]

ditto, there may be a race condition between Assign and Unassign as well.

[tnqn]

Should AddIP calls advertise directly since it's by design assigning an IP should advertise it as well, which could make IPAssigner simpler?

[hty690]

Changed accordingly. Thanks.

[tnqn]

Then it can be private? And we can remove the IP version check as it's an internal method whose argument has been checked by public methods.

[tnqn]

Similar to

antrea/pkg/agent/cniserver/interface_configuration_linux.go

Lines 312 to 326 in 15de4cf

	ticker := time.NewTicker(50 * time.Millisecond)
	defer ticker.Stop()
	count := 0
	for {
	// Send gratuitous ARP to network in case of stale mappings for this IP address
	// (e.g. if a previous - deleted - Pod was using the same IP).
	if err := arping.GratuitousARPOverIface(targetIP, iface); err != nil {
	klog.Warningf("Failed to send gratuitous ARP #%d: %v", count, err)
	}
	count++
	if count == 3 {
	break
	}
	<-ticker.C
	}

[tnqn]

I wonder if the race condition can happen between AssignIP and UnassignIP. When an IP is released from one Resource and reallocated to another Resource.
worker1 wants to remove an IP while worker2 wants to add it. worker1 starts first.

1. worker1 sees IP is assigned and starts removing it without holding the lock.
2. worker2 sees IP is assigned and returns directly.
3. worker1 removes the IP.

But it seems if worker2 starts first, worker1 may still remove the IP even with the lock. This is not an issue when there is an localIPDetector as removing IP could trigger resync. As it's no longer the case for Service external IP, maybe it needs to track reference number for such case, as well as holding the lock. Then:
If worker1 starts first:

1. worker1 sees IP is assigned and starts removing it.
2. worker2 waits for the lock.
3. worker1 removes IP.
4. worker2 gets the lock, and adds the IP back.

If worker2 starts first:

1. worker2 sees IP is assigned and increase reference count, returns.
2. worker1 sees IP is assigned and decrease reference count, returns.

Reference count can be counted from a set of entities names which are associated with the IP.

[tnqn]

Then it can be private? And we can remove the IP version check as it's an internal method whose argument has been checked by public methods.

[tnqn]

Why don't log error?

[tnqn]

ditto

[jianjuns]

sync.Map is indeed a simpler choice here, but I know you need a mutex in ndpResponder for other reasons, so maybe you prefer to use the same way for both.

[hty690]

Yes. I think the mutex here is better for consistency.

[jianjuns]

determin -> determine

the arp_ignore sysctl parameter

[hty690]

thanks!

[tnqn]

good test case

[tnqn]

The issue could still happen without the lock when it's used in EgressController. When Egress A is removed and its IP is allocated to Egress B. worker1 handles removal of A, worker2 handles sync of B.

1. worker1 sees IP is assigned and starts removing it without holding the lock.
2. worker2 sees IP is already assigned and returns directly.
3. worker1 removes the IP, which triggers resync of B.
4. worker2 resyncs B, sees IP is already assigned and returns directly.

[tnqn]

LGTM, thanks

[hty690]

/test-ipv6-all
/test-ipv6-only-all

[hty690]

/test-integration

[hty690]

/test-integration

[jianjuns]

/test-e2e

[hty690]

/test-ipv6-e2e
/test-ipv6-only-e2e