NetworkChaos: Add support for ports in external targets

[miedzinski]

Signed-off-by: Dominik Miedziński dominik.miedzinski@allegro.pl

What problem does this PR solve?

This PR adds support for declaring ports in external targets in NetworkChaos experiments.

What's changed and how it works?

Chaos-daemon now creates 3 IP sets in pods: hash:net (same as before), hash:net,port (allowing for testing ip and port pairs) and list:set that combines them. Iptables rules now reference the list:set IP set.

There are changes to PodNetworkChaos, but NetworkChaos remains unchanged and there's no need to update dashboard.

Related changes

• Need to update chaos-mesh/website
• Need to update Dashboard UI
• Need to cheery-pick to release branches
  • release-2.1
  • release-2.0

Checklist

Tests

• Unit test
• E2E test
• No code
• Manual test (add steps below)

Side effects

• Breaking backward compatibility

Release note

Add support for declaring ports in external targets in NetworkChaos experiments.

[ti-chi-bot]

[REVIEW NOTIFICATION]

This pull request has been approved by:

• STRRL
• cwen0

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Reviewer can indicate their review by submitting an approval review.
Reviewer can cancel approval by submitting a request changes review.

[ti-chi-bot]

Welcome @miedzinski!

It looks like this is your first PR to chaos-mesh/chaos-mesh 🎉.

I'm the bot to help you request reviewers, add labels and more, See available commands.

We want to make sure your contribution gets all the attention it needs!



Thank you, and welcome to chaos-mesh/chaos-mesh. 😃

[codecov]

Codecov Report

Merging #2932 (48ed931) into master (96f979a) will increase coverage by 0.27%.
The diff coverage is 48.30%.

@@            Coverage Diff             @@
##           master    #2932      +/-   ##
==========================================
+ Coverage   37.92%   38.19%   +0.27%     
==========================================
  Files         105      105              
  Lines        9108     9182      +74     
==========================================
+ Hits         3454     3507      +53     
- Misses       5344     5366      +22     
+ Partials      310      309       -1     

Impacted Files	Coverage Δ
controllers/podnetworkchaos/controller.go	37.38% <0.00%> (-1.65%)	⬇️
controllers/podnetworkchaos/ipset/ipset.go	2.59% <0.00%> (-2.17%)	⬇️
pkg/chaosdaemon/iptables_server.go	66.11% <50.00%> (ø)
pkg/chaosdaemon/ipset_server.go	90.15% <88.57%> (+3.48%)	⬆️
controllers/podnetworkchaos/netutils/cidr.go	73.07% <89.28%> (+73.07%)	⬆️
pkg/workflow/controllers/utils.go	85.71% <0.00%> (-1.59%)	⬇️
pkg/selector/generic/mode.go	28.20% <0.00%> (+2.56%)	⬆️
... and 1 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 02c0e1d...48ed931. Read the comment docs.

[STRRL]

Hi @miedzinski , thanks for your contribution! That's an awesome feature!

But this PR is really huge, and it would still break the API of Chaos Mesh (with podnetworkchaos). So I am afraid this PR would not be merged recently.

Currently, the design of NetworkChaos does not care about the port thing, it is designed on the Network Layer(IP Layer). If we want to filter the network traffic with ports(actually it's not difficult with iptables and current code base), we should change our design with at least Transport Layer(consider some protocol, TCP/UDP/...). It would make huge changes to the design of NetworkChaos. I think we would better draft an RFC into rfcs before we do that.

How do you think about it? @miedzinski

[miedzinski]

@STRRL, thanks for your response.

You're right there is a problem with backward compatibility of PodNetworkChaos, but I think it's something we can solve:

• There is no need to name all IP sets in PodNetworkChaos. hash:net and hash:net,port names can be derived in daemon from list:set name.
• IP set contents can remain strings and be parsed later.

This way all CRDs are unchanged. There is also a change to protobufs - if you think these shouldn't be changed too, then I can move parsing and resolving external targets to chaos daemon. That would additionally solve a TODO comment.

Regarding the RFC process, this is something I'd rather avoid if possible. Filtering traffic by ports is crucial for adoption of Chaos Mesh in my organization, but we definitely don't intend to make huge changes to design of experiments at this point. I don't think the L3 vs L4 is also an issue, because NetworkChaos already resolves hostnames and that's Application Layer.

Please let me know if you're okay with changes I suggested.

[STRRL]

You're right there is a problem with backward compatibility of PodNetworkChaos, but I think it's something we can solve:

• There is no need to name all IP sets in PodNetworkChaos. hash:net and hash:net,port names can be derived in daemon from list:set name.
• IP set contents can remain strings and be parsed later.

This way all CRDs are unchanged.

We only consider "backward compatibility" now. We could accept appending more fields with default values. But renaming/deleting fields is NOT preferred.

I have another idea based on your suggestion. We could extend v1alpha1.RawIPSet and pb.IPSet to support more type of ipset, instead of using one v1alpha1.RawIPSet to introduce the combination of ipset rules which contains hash:ip, hash:IP,port and list:net.

const (
	IPSetTypeHashIP     IPSetType = "hash:ip"
	IPSetTypeHashIPPort IPSetType = "hash:ip,port"
	IPSetTypeListNet    IPSetType = "list:net"
	// other IPSet types that we need
)

// RawIPSet represents an ipset on specific pod
type RawIPSet struct {
	// The name of set ipset
	Name string `json:"name"`

	IPSetType IPSetType `json:"ipsetType"`

	// The contents of ipset.
	// Only available when IPSetType is IPSetTypeHashIP
	Cidrs []string `json:"cidrs"`

	// The contents of ipset.
	// Only available when IPSetType is IPSetTypeHashIPPort
	CidrAndPorts []CidrAndPort `json:"cidrAndPorts"`

	// The contents of ipset.
	// Only available when IPSetType is IPSetTypeListNet
	SetNames []string `json:"setNames"`

	// The name and namespace of the source network chaos
	RawRuleSource `json:",inline"`
}

We would append three ordered RawIPset not one into PodNetworkChaos.

before:

[{
  "setName": "chaos1_set_tgt",
  "netPortName": "chaos1_netPort_tgt",
  "netName": "chaos1_net_tgt",
  "cidrs": [
    {
      "cidr": "1.1.1.1",
      "port": 53
    },
    {
      "cidr": "1.2.3.4",
      "port": 0
    }
  ]
}]

after:

[
  {
    "name": "chaos1_ipport_tgt",
    "type": "hash:ip,port",
    "cidrAndPorts": [
      {
        "cidr": "1.1.1.1",
        "port": 53
      }
    ]
  },
  {
    "name": "chaos1_ip_tgt",
    "type": "hash:ip",
    "cidrs": [
      "1.2.3.4"
    ]
  },
  {
    "name": "chaos1_set_tgt",
    "type": "list:set",
    "setName": [
      "chaos1_ipport_tgt",
      "chaos1_ip_tgt"
    ]
  }
]

What do you think about it? @miedzinski

[miedzinski]

That's a good solution too. I'll send a patch in the next few days.

[miedzinski]

/cc @STRRL

[miedzinski]

There is still one field removed from protobuf, but I believe this is not an issue, isn't it? If yes, I can remove a oneof and apply a similar layout to PodNetworkChaos.

[STRRL]

There is still one field removed from protobuf, but I believe this is not an issue, isn't it? If yes, I can remove a oneof and apply a similar layout to PodNetworkChaos.

It's not an issue. But I still prefer to keep the same layout to PodNetworkChaos. Please update it. ❤️

[miedzinski]

@STRRL done! Now we're only adding new fields.

[cwen0]

We should print the whole ipset info at this log.

[cwen0]

s/cidrandPorts/cidrAndPorts/g

[STRRL]

We should also append fields to introduce protocol, like tcp, udp or icmp. When specify ipset rule without protocol, it would only specify with tcp.

[STRRL]

example usage like 192.168.1.1,udp:53

[miedzinski]

This is something I'd rather avoid right now for a couple of reasons:

• This PR is already huge. Filtering by protocols needs more changes to IP sets and/or iptables rules.
• Adding a support for filtering by protocols is outside the scope of this PR.
• Defaulting to TCP would break backward compatibility. As of now Chaos Mesh is protocol agnostic.

[STRRL]

Got that!

[YangKeao]

Why do we need this modification? If I'm not wrong, it means this chain applies, iff both the source and destination are in the ipset, which seems not to be what we want?

[miedzinski]

This means it must match a pair of source IP address and destination port. Please refer to man iptables-extensions - section set, --match-set parameter and man ipset - section introduction, set dimensions.

[STRRL]

I think we need more documentation to describe it but it still makes sense:

• with action: delay/loss/... (which requires tc) and direction: from, externalTargets would not works
• with action: partition, direction: from, externalTagets: [10.96.0.0/16:8080], if would drop any packet from 10.96.0.0/16 to <pod-ip>:8080.

[STRRL]

Hi @miedzinski , could you please append an entry in section Unreleased / Added of CHANGELOG.MD?

[miedzinski]

Hi @miedzinski , could you please append an entry in section Unreleased / Added of CHANGELOG.MD?

@STRRL Done!

[STRRL]

/run-e2e-tests

[STRRL]

LGTM!

Thanks for your contribution! 🤩

[cwen0]

/cc @YangKeao

[cwen0]

LGTM

[cwen0]

/merge

[ti-chi-bot]

This pull request has been accepted and is ready to merge.

Commit hash: dd92f71

[ti-chi-bot]

@miedzinski: Your PR was out of date, I have automatically updated it for you.

At the same time I will also trigger all tests for you:

/run-all-tests

If the CI test fails, you just re-trigger the test that failed and the bot will merge the PR for you after the CI passes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.

[STRRL]

/run-e2e-tests