@huntergregory huntergregory commented Sep 22, 2021

Reason for Change:
Linux implementation of new NPM with batch ipset-restore calls and error handling. Flushes anything in the dirty cache and adds all current members instead of calculating a diff.

Includes a tool for creating restore files and handling errors (will use for iptables too).

Also implements ApplyAll mode and introduces a reboot function for ipsetmanager.

Issue Fixed:

Requirements:

Notes:

@huntergregory
Contributor Author

Adding some notes on changes to generic ipsetmanager in this PR

Contributor

@vakalapa vakalapa left a comment

We will need to abstract the files part, and also incorporate some diff calculation logic on deleting existing members.

// DEBUGGING
fmt.Printf("DEBUG-ME\nname: %s\nkind: %s\npodip: \n", set.Name, set.Kind)
fmt.Println(set.IPPodKey)
fmt.Println("members: ")
Contributor

How are we managing deleting existing members of an ipset?

Contributor Author

In updateMembers(), we flush the set before adding each member.

Contributor

@vakalapa vakalapa left a comment

initial CR

@huntergregory huntergregory marked this pull request as ready for review October 14, 2021 01:00
@huntergregory huntergregory changed the title Linux IPSet Manager NPM v2 Linux IPSet Manager Oct 14, 2021
@vakalapa vakalapa added enhancement npm Related to NPM. labels Oct 14, 2021
@huntergregory
Contributor Author

Noting that in a second pass, we need to make 2 changes because ipset restore will commit lines before a line that fails.

  1. change update member logic: we should be deleting members instead of flushing and adding all members (there would be a gap between a flush and a retry if an add fails)
  2. change error handling methods to skip the lines before a failure

// TODO add error handler?
creator.AddLine(sectionID, nil, util.IpsetAppendFlag, set.HashedName, ip) // add IP
}
} else {
Contributor

Check: if after a flush an error occurred while adding, will there be an issue or a time gap between the flushed state and the actual state?

Contributor Author

wrote a comment above about how we should address this

@huntergregory
Contributor Author

azp run

@huntergregory
Contributor Author

/azp run

@azure-pipelines

Azure Pipelines successfully started running 2 pipeline(s).


commandString := cmd + " " + strings.Join(args, " ")
stdErr := string(stdErrBytes)
log.Errorf("on try number %d, failed to run command [%s] with error [%v] and stdErr [%s]. Used file:\n%s", creator.tryCount, commandString, err, stdErr, fileString)
Contributor

We should be using klogf since that's the norm in other packages.

Contributor Author

@huntergregory huntergregory Oct 15, 2021

TODO in another PR

@huntergregory
Contributor Author

Noting that in a second pass, we need to make 2 changes because ipset restore will commit lines before a line that fails.

  1. change update member logic: we should be deleting members instead of flushing and adding all members (there would be a gap between a flush and a retry if an add fails)
  2. change error handling methods to skip the lines before a failure

noting our plan for # 1 to use ipset save to get kernel state and delete the diff
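
The plan noted in the comment above (read kernel state with ipset save, then delete the diff instead of flushing), sketched as an added Go example that is not part of this PR or the project's code. The set name, member IPs and function names are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// membersFromSave parses `ipset save` text and returns setName's current members.
func membersFromSave(saveOutput, setName string) map[string]bool {
	current := make(map[string]bool)
	sc := bufio.NewScanner(strings.NewReader(saveOutput))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		// Member lines have the form: add <set> <member> [options]
		if len(f) >= 3 && f[0] == "add" && f[1] == setName {
			current[f[2]] = true
		}
	}
	return current
}

// diffRestoreLines emits add/del restore lines (no flush), so members in both states stay in place.
func diffRestoreLines(setName string, current map[string]bool, desired []string) []string {
	want := make(map[string]bool, len(desired))
	var adds, dels []string
	for _, ip := range desired {
		if !current[ip] && !want[ip] { // missing in kernel and not yet queued
			adds = append(adds, "add "+setName+" "+ip)
		}
		want[ip] = true
	}
	for ip := range current {
		if !want[ip] { // stale member: delete it individually
			dels = append(dels, "del "+setName+" "+ip)
		}
	}
	sort.Strings(adds) // deterministic file contents
	sort.Strings(dels)
	return append(adds, dels...)
}

func main() {
	// Constructed sample of `ipset save` output (hypothetical set name and IPs).
	save := "create example-set hash:net family inet hashsize 1024 maxelem 65536\n" +
		"add example-set 10.0.0.1\nadd example-set 10.0.0.2\n"
	cur := membersFromSave(save, "example-set")
	fmt.Println(strings.Join(diffRestoreLines("example-set", cur, []string{"10.0.0.2", "10.0.0.3"}), "\n"))
}
```

Writing adds before deletes is a choice made for this example; because ipset restore commits the lines before a failing one, a retry still has to skip or tolerate the lines already applied.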

Contributor

@vakalapa vakalapa left a comment

🚀 Send it

@huntergregory huntergregory merged commit e692542 into master Oct 15, 2021
@vakalapa vakalapa deleted the linux-ipsetmanager branch October 29, 2021 22:03