cilium-dbg: Don't fatal on XFRM rule deletion errors
This commit slightly changes the behavior of the "encrypt flush"
command in case of errors when trying to delete XFRM rules. The tool
currently lists rules, filters them based on user-given arguments, and
then deletes them. If an XFRM rule is deleted by the agent or the user
while we're filtering, the deletion will fail.

The current behavior in that case is to fatal. On busy clusters, that
might mean that we always fatal because XFRM states and policies are
constantly added and removed.

This commit changes the behavior to proceed with subsequent deletions in
case one fails.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
pchaigno committed Mar 6, 2024
1 parent d43ace6 commit 927969b
Showing 1 changed file with 9 additions and 4 deletions.
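--- a/cilium-dbg/cmd/encrypt_flush.go
+++ b/cilium-dbg/cmd/encrypt_flush.go
@@ -5,6 +5,7 @@ package cmd
 
 import (
 "fmt"
+"os"
 "strconv"
 "strings"
 
@@ -82,18 +83,22 @@ func runXFRMFlush() {
 }
 }
 
+nbDeleted := len(states)
 for _, state := range states {
 if err := netlink.XfrmStateDel(&state); err != nil {
-Fatalf("Stopped XFRM states deletion due to error: %s", err)
+fmt.Fprintf(os.Stderr, "Failed to delete XFRM state: %s", err)
+nbDeleted--
 }
 }
-fmt.Printf("Deleted %d XFRM states.\n", len(states))
+fmt.Printf("Deleted %d XFRM states.\n", nbDeleted)
+nbDeleted = len(policies)
 for _, pol := range policies {
 if err := netlink.XfrmPolicyDel(&pol); err != nil {
-Fatalf("Stopped XFRM policies deletion due to error: %s", err)
+fmt.Fprintf(os.Stderr, "Failed to delete XFRM policy: %s", err)
+nbDeleted--
 }
 }
-fmt.Printf("Deleted %d XFRM policies.\n", len(policies))
+fmt.Printf("Deleted %d XFRM policies.\n", nbDeleted)
 }
 
 func parseNodeID(nodeID string) (uint16, error) {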
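Review bot: Both new `fmt.Fprintf(os.Stderr, ...)` calls in runXFRMFlush lack a trailing newline, so consecutive failures run together on stderr; use `fmt.Fprintf(os.Stderr, "Failed to delete XFRM state: %s\n", err)` and the same for the policy message. The loops also treat every error alike and the command still appears to exit 0, so a permission or netlink failure looks the same to a calling script as the benign already-deleted race, and stale IPsec states or policies can be left behind unnoticed after a flush. Consider tolerating only the not-found case (presumably ESRCH/ENOENT from the kernel, to be confirmed) and exiting non-zero after both loops if any other deletion failed; since `nbDeleted` is reused for policies, that needs a separate failure flag or counter. Printing the state's SPI or the policy's selector in the message would make leftover entries traceable. runXFRMFlush begins outside the hunk, so the filtering that precedes these loops is not visible here.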
