Removing disabled maps causes controllers to fail #15141

aanm · 2021-03-01T11:21:28Z

Removing disabled maps in

Lines 210 to 215 in cac5218

    
           for _, m := range maps { 
        
           	p := path.Join(bpf.MapPrefixPath(), m) 
        
           	if _, err := os.Stat(p); !os.IsNotExist(err) { 
        
           		ms.RemoveMapPath(p) 
        
           	} 
        
           }

Causes the controllers to fail:

2021-02-26T14:24:45.460845518Z level=debug msg="Controller func execution time: 15.392µs" name=bpf-map-sync-cilium_snat_v4_external subsys=controller uuid=946f5dda-bd86-44d5-aa8d-7d5ee12daaed
2021-02-26T14:24:45.460882480Z level=debug msg="Controller run failed" consecutiveErrors=1 error="Unable to get object /sys/fs/bpf/tc/globals/cilium_snat_v4_external: no such file or directory" name=bpf-map-sync-cilium_snat_v4_external subsys=controller uuid=946f5dda-bd86-44d5-aa8d-7d5ee12daaed

as seen in our CI https://jenkins.cilium.io/job/Cilium-PR-K8s-1.20-kernel-4.9/799/testReport/junit/Suite-k8s-1/20/K8sServicesTest_Checks_service_across_nodes_Checks_ClusterIP_Connectivity/

This change seems to have been introduced by cac5218

cc @brb @pchaigno @mazzy89

The text was updated successfully, but these errors were encountered:

mazzy89 · 2021-03-01T11:26:16Z

Thanks @aanm for reporting this. I will take a look and wire a fix accordingly.

pchaigno · 2021-03-02T17:03:53Z

@brb If cilium_snat_v4_external is only used when BPF NodePort is enabled, should we create the userspace counterparts only when EnableNodePort is true?

cilium/daemon/cmd/datapath.go

Line 402 in a9374b5

ipv4Nat, ipv6Nat := nat.GlobalMaps(option.Config.EnableIPv4,

and

cilium/pkg/maps/ctmap/ctmap.go

Line 168 in 29c7f21

global4Map, global6Map := nat.GlobalMaps(v4, v6)

mazzy89 · 2021-03-02T17:21:25Z

Thanks, @pchaigno for taking care of this. I was looking at it this morning but you were faster than me 😝

brb · 2021-03-03T08:53:49Z

If cilium_snat_v4_external is only used when BPF NodePort is enabled, should we create the userspace counterparts only when EnableNodePort is true?

@pchaigno Yep.

tklauser · 2021-03-05T08:25:55Z

Hit this in #15213 test runs, I think: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.20-kernel-4.9/861/

17:28:14 STEP: Cilium is not ready yet: controllers are failing: cilium-agent 'cilium-jznc4': controller bpf-map-sync-cilium_snat_v4_external is failing: Exitcode: 0 
Stdout:
 	 KVStore:                Ok   Disabled
	 Kubernetes:             Ok   1.20 (v1.20.4) [linux/amd64]
	 Kubernetes APIs:        ["cilium/v2::CiliumClusterwideNetworkPolicy", "cilium/v2::CiliumEndpoint", "cilium/v2::CiliumNetworkPolicy", "cilium/v2::CiliumNode", "core/v1::Namespace", "core/v1::Node", "core/v1::Pods", "core/v1::Service", "discovery/v1beta1::EndpointSlice", "networking.k8s.io/v1::NetworkPolicy"]
	 KubeProxyReplacement:   Disabled   
	 Cilium:                 Ok   1.9.90 (v.1.9.90-r.d55bb42)
	 NodeMonitor:            Listening for events on 3 CPUs with 64x4096 of shared memory
	 IPAM:                   IPv4: 4/255 allocated from 10.0.0.0/24, IPv6: 4/255 allocated from fd02::/120
	 BandwidthManager:       Disabled
	 Host Routing:           Legacy
	 Masquerading:           IPTables [IPv4: Enabled, IPv6: Enabled]
	 Controller Status:      29/30 healthy
	   Name                                          Last success   Last error   Count   Message
	   bpf-map-sync-cilium_lxc                       5s ago         never        0       no error                                                                                         
	   bpf-map-sync-cilium_snat_v4_external          never          3s ago       5       Unable to get object /sys/fs/bpf/tc/globals/cilium_snat_v4_external: no such file or directory 
[...]

The IPv4 and IPv6 SNAT maps are only used if BPF NodePort is enabled. Commit cac5218 ("datapath: remove SNAT maps entries when kube-proxy is enabled") removed the maps on startup if BPF NodePort is disabled. We were however still creating them regardless of the BPF NodePort status. The creation started a controller which then fails once the actual map is removed. This commit fixes the issue by not creating the userspace object, including the controller, for the SNAT maps when BPF NodePort is disabled. Fixes: cac5218 ("datapath: remove SNAT maps entries when kube-proxy is enabled") Fixes: cilium#15141 Signed-off-by: Paul Chaignon <paul@cilium.io>

The IPv4 and IPv6 SNAT maps are only used if BPF NodePort is enabled. Commit cac5218 ("datapath: remove SNAT maps entries when kube-proxy is enabled") removed the maps on startup if BPF NodePort is disabled. We were however still creating them regardless of the BPF NodePort status. The creation started a controller which then fails once the actual map is removed. This commit fixes the issue by not creating the userspace object, including the controller, for the SNAT maps when BPF NodePort is disabled. Fixes: cac5218 ("datapath: remove SNAT maps entries when kube-proxy is enabled") Fixes: #15141 Signed-off-by: Paul Chaignon <paul@cilium.io>

[ upstream commit 602e5ce ] The IPv4 and IPv6 SNAT maps are only used if BPF NodePort is enabled. Commit cac5218 ("datapath: remove SNAT maps entries when kube-proxy is enabled") removed the maps on startup if BPF NodePort is disabled. We were however still creating them regardless of the BPF NodePort status. The creation started a controller which then fails once the actual map is removed. This commit fixes the issue by not creating the userspace object, including the controller, for the SNAT maps when BPF NodePort is disabled. Fixes: cac5218 ("datapath: remove SNAT maps entries when kube-proxy is enabled") Fixes: cilium#15141 Signed-off-by: Paul Chaignon <paul@cilium.io>

[ upstream commit 602e5ce ] The IPv4 and IPv6 SNAT maps are only used if BPF NodePort is enabled. Commit cac5218 ("datapath: remove SNAT maps entries when kube-proxy is enabled") removed the maps on startup if BPF NodePort is disabled. We were however still creating them regardless of the BPF NodePort status. The creation started a controller which then fails once the actual map is removed. This commit fixes the issue by not creating the userspace object, including the controller, for the SNAT maps when BPF NodePort is disabled. Fixes: cac5218 ("datapath: remove SNAT maps entries when kube-proxy is enabled") Fixes: #15141 Signed-off-by: Paul Chaignon <paul@cilium.io>

PR #14721 introduced changes that removed the cilium_snat_v{4,6}_external maps if NodePort is not enabled. Issue #15141 was attributed to the above PR, where controllers were failing with: > error=Unable to get object /sys/fs/bpf/tc/globals/cilium_snat_v4_external: no such file or directory name=bpf-map-sync-cilium_snat_v4_external In an attempt to fix #15141, #15175 added a nodeport argument to InitMapInfo() so that the cilium_snat_v{4,6}_external maps are not created if NodePort is not enabled. PR #15141 did not fix the issue: #15337 (comment) This PR takes another shot at fixing #15141 by removing a call of InitMapInfo from init(), where the (new) nodeport argument is always true. Not that in init(), option.Config.EnableNodePort is not properly set yet, so we cannot pass the config option because it would always be false. For this change to properly work, this patch also adds explicit InitMapInfo() calls since removing init() means that this function is called in contexts such as tests and the cli. Fixes: cac5218 Fixes: d639905 Fixes: #15141 Fixes: #15337 Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>

[ upstream commit e83dd53 ] PR #14721 introduced changes that removed the cilium_snat_v{4,6}_external maps if NodePort is not enabled. Issue #15141 was attributed to the above PR, where controllers were failing with: > error=Unable to get object /sys/fs/bpf/tc/globals/cilium_snat_v4_external: no such file or directory name=bpf-map-sync-cilium_snat_v4_external In an attempt to fix #15141, #15175 added a nodeport argument to InitMapInfo() so that the cilium_snat_v{4,6}_external maps are not created if NodePort is not enabled. PR #15141 did not fix the issue: #15337 (comment) This PR takes another shot at fixing #15141 by removing a call of InitMapInfo from init(), where the (new) nodeport argument is always true. Not that in init(), option.Config.EnableNodePort is not properly set yet, so we cannot pass the config option because it would always be false. For this change to properly work, this patch also adds explicit InitMapInfo() calls since removing init() means that this function is called in contexts such as tests and the cli. Fixes: cac5218 Fixes: d639905 Fixes: #15141 Fixes: #15337 Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com>

[ upstream commit e83dd53 ] PR cilium#14721 introduced changes that removed the cilium_snat_v{4,6}_external maps if NodePort is not enabled. Issue cilium#15141 was attributed to the above PR, where controllers were failing with: > error=Unable to get object /sys/fs/bpf/tc/globals/cilium_snat_v4_external: no such file or directory name=bpf-map-sync-cilium_snat_v4_external In an attempt to fix cilium#15141, cilium#15175 added a nodeport argument to InitMapInfo() so that the cilium_snat_v{4,6}_external maps are not created if NodePort is not enabled. PR cilium#15141 did not fix the issue: cilium#15337 (comment) This PR takes another shot at fixing cilium#15141 by removing a call of InitMapInfo from init(), where the (new) nodeport argument is always true. Not that in init(), option.Config.EnableNodePort is not properly set yet, so we cannot pass the config option because it would always be false. For this change to properly work, this patch also adds explicit InitMapInfo() calls since removing init() means that this function is called in contexts such as tests and the cli. Fixes: cac5218 Fixes: d639905 Fixes: cilium#15141 Fixes: cilium#15337 Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> Signed-off-by: Chris Tarazi <chris@isovalent.com>

[ upstream commit e83dd53 ] PR #14721 introduced changes that removed the cilium_snat_v{4,6}_external maps if NodePort is not enabled. Issue #15141 was attributed to the above PR, where controllers were failing with: > error=Unable to get object /sys/fs/bpf/tc/globals/cilium_snat_v4_external: no such file or directory name=bpf-map-sync-cilium_snat_v4_external In an attempt to fix #15141, #15175 added a nodeport argument to InitMapInfo() so that the cilium_snat_v{4,6}_external maps are not created if NodePort is not enabled. PR #15141 did not fix the issue: #15337 (comment) This PR takes another shot at fixing #15141 by removing a call of InitMapInfo from init(), where the (new) nodeport argument is always true. Not that in init(), option.Config.EnableNodePort is not properly set yet, so we cannot pass the config option because it would always be false. For this change to properly work, this patch also adds explicit InitMapInfo() calls since removing init() means that this function is called in contexts such as tests and the cli. Fixes: cac5218 Fixes: d639905 Fixes: #15141 Fixes: #15337 Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> Signed-off-by: Chris Tarazi <chris@isovalent.com>

aanm added kind/bug This is a bug in the Cilium logic. priority/release-blocker labels Mar 1, 2021

aanm assigned brb and pchaigno Mar 1, 2021

aanm mentioned this issue Mar 1, 2021

jenkinsfiles: remove unused environment variables #15125

Merged

aanm assigned mazzy89 Mar 1, 2021

tklauser mentioned this issue Mar 1, 2021

vagrant: bump box versions, again #15129

Merged

pchaigno mentioned this issue Mar 2, 2021

test: Unquarantine tunneling + endpoint routes test #15152

Merged

pchaigno mentioned this issue Mar 2, 2021

nat: Create SNAT maps only if BPF NodePort is enabled #15175

Merged

pchaigno unassigned brb and mazzy89 Mar 4, 2021

tklauser mentioned this issue Mar 5, 2021

Bump gops to 0.3.16 #15213

Merged

jrajahalme mentioned this issue Mar 8, 2021

envoy: Do not use deprecated fields #15232

Merged

tklauser mentioned this issue Mar 8, 2021

test/helpers: remove unused functions and consts #15241

Merged

tklauser mentioned this issue Mar 9, 2021

Add AlibabaCloud Operator #15160

Merged

joestringer closed this as completed in #15175 Mar 10, 2021

pchaigno mentioned this issue Mar 12, 2021

Unable to get object /sys/fs/bpf/tc/globals/cilium_snat_v4_external: no such file or directory #15337

Closed

kkourt mentioned this issue Apr 7, 2021

ctmap: do not call InitMapInfo() in init() #15590

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Removing disabled maps causes controllers to fail #15141

Removing disabled maps causes controllers to fail #15141

aanm commented Mar 1, 2021

mazzy89 commented Mar 1, 2021

pchaigno commented Mar 2, 2021

mazzy89 commented Mar 2, 2021 •

edited

Loading

brb commented Mar 3, 2021

tklauser commented Mar 5, 2021

Removing disabled maps causes controllers to fail #15141

Removing disabled maps causes controllers to fail #15141

Comments

aanm commented Mar 1, 2021

mazzy89 commented Mar 1, 2021

pchaigno commented Mar 2, 2021

mazzy89 commented Mar 2, 2021 • edited Loading

brb commented Mar 3, 2021

tklauser commented Mar 5, 2021

mazzy89 commented Mar 2, 2021 •

edited

Loading