Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

proxy: Do not change configured proxy ports #26343

Merged
merged 1 commit into from Jun 22, 2023
Merged

proxy: Do not change configured proxy ports #26343

merged 1 commit into from Jun 22, 2023

Conversation

jrajahalme
Copy link
Member

Proxy redirect creation tries another proxy port number in case redirect creation needs to be retried. Do not change the proxy port on retries if the proxy port has already been configured, as configured proxy ports are already being used by proxies for listening.

Previously we had avoided proxy port change on retry for DNS proxies when the DNS port had been explicitly configured. We need to do the same for proxy listeners defined in CiliumEnvoyConfig CRDs. Checking for the 'configured' flag convers both cases, as it is set via SetProxyPort() called by DNS proxy on agent bootstrap, and via AllocateProxyPort() called for CEC CRD listeners.

Fixes: #25969

Keep sync on deployed proxy ports when retrying proxy redirect creation.

@jrajahalme jrajahalme added kind/bug This is a bug in the Cilium logic. area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. release-note/bug This PR fixes an issue in a previous release of Cilium. labels Jun 19, 2023
@jrajahalme jrajahalme requested a review from a team as a code owner June 19, 2023 08:43
@jrajahalme
Copy link
Member Author

/test

@jrajahalme
Copy link
Member Author

All required checks are passing.

@jrajahalme jrajahalme added the release-blocker/1.14 This issue will prevent the release of the next version of Cilium. label Jun 20, 2023
@jrajahalme
Copy link
Member Author

@mhofstetter marked this as a release blocker for 1.14, as this may become more easily hit with the non-embedded Envoy.

@jrajahalme jrajahalme self-assigned this Jun 20, 2023
@mhofstetter
Copy link
Member

@mhofstetter marked this as a release blocker for 1.14, as this may become more easily hit with the non-embedded Envoy.

👍

@jrajahalme can you please provide a little bit more context when the issue arises?

My guess is that it occurs for cases where a CEC defines a listener (port gets allocated via AllocateProxyPort) and a CNP defines a L7 policy for this port (which calls CreateOrUpdateRedirect). And this is where the configured port shouldn't be changed.

@christarazi
Copy link
Member

It seems @mhofstetter has a more in-depth understanding of this change than I do, so I will request reviews from him. FWIW, at a high level, the change makes sense.

@jrajahalme
proxy: Do not change configured proxy ports
f6106d5 
Proxy redirect creation tries another proxy port number in case redirect
creation needs to be retried. Do not change the proxy port on retries if
the proxy port has already been configured, as configured proxy ports are
already being used by proxies for listening.

Previously we had avoided proxy port change on retry for DNS proxies when
the DNS port had been explicitly configured. We need to do the same for
proxy listeners defined in CiliumEnvoyConfig CRDs. Checking for the
'configured' flag convers both cases, as it is set via SetProxyPort()
called by DNS proxy on agent bootstrap, and via AllocateProxyPort()
called for CEC CRD listeners.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
Copy link
Member Author

@mhofstetter marked this as a release blocker for 1.14, as this may become more easily hit with the non-embedded Envoy.

👍

@jrajahalme can you please provide a little bit more context when the issue arises?

My guess is that it occurs for cases where a CEC defines a listener (port gets allocated via AllocateProxyPort) and a CNP defines a L7 policy for this port (which calls CreateOrUpdateRedirect). And this is where the configured port shouldn't be changed.

Terminology here is a bit misleading as configured here means that the immediate function call used to create a proxy redirect with that port succeeded. Proxy port allocation (initially and retries, as well as re-create due to endpoint regeneration) is gated with !configured to make sure we do not change a port that has successfully been given to a proxy for listening. Previously, the retry logic was not gated with this same condition, so it was possible for the proxy port to be incremented if an immediate proxy create error occurred. An immediate proxy error could be, e.g., failing to launch the embedded cilium-envoy, maybe due to memory pressure or something.

I refactored the code to only use a single !pp.configured condition in this context to make it clearer that the proxy port increment on retry is related to the proxy port allocation right after (the incremented port number is just a hint toallocatePort() as the incremented port number could be in use already).

@jrajahalme
Copy link
Member Author

/test

@mhofstetter
Copy link
Member

Terminology here is a bit misleading as configured here means that the immediate function call used to create a proxy redirect with that port succeeded. Proxy port allocation (initially and retries, as well as re-create due to endpoint regeneration) is gated with !configured to make sure we do not change a port that has successfully been given to a proxy for listening. Previously, the retry logic was not gated with this same condition, so it was possible for the proxy port to be incremented if an immediate proxy create error occurred. An immediate proxy error could be, e.g., failing to launch the embedded cilium-envoy, maybe due to memory pressure or something.

I refactored the code to only use a single !pp.configured condition in this context to make it clearer that the proxy port increment on retry is related to the proxy port allocation right after (the incremented port number is just a hint toallocatePort() as the incremented port number could be in use already).

thanks for the explanation!

mhofstetter
mhofstetter reviewed Jun 21, 2023
View reviewed changes
pkg/proxy/proxy.go
// Do not increment port for DNS when the port is set in config
if pp.proxyType != ProxyTypeDNS || option.Config.ToFQDNsProxyPort == 0 {
}
if !pp.configured {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Follow up to my question in the PR discussion:

Am i correct that this logic still increments the proxy port in case of an initial redirect creation if an Envoy startup error occurs in createEnvoyRedirect (e.g. memory pressure in case of embedded mode). In this case pp.reservePort() , which would set pp.configured=true, will not be called (only if no error occured).

mhofstetter
mhofstetter approved these changes Jun 22, 2023
View reviewed changes
Copy link
Member

@mhofstetter mhofstetter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, with the one remaining question. but this should be only in cases with CNP listeners - where the retry with a new port is ok.

@jrajahalme jrajahalme merged commit 07d7946 into cilium:main Jun 22, 2023
61 of 62 checks passed
@joestringer joestringer mentioned this pull request Jun 28, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mhofstetter mhofstetter mhofstetter approved these changes

@christarazi christarazi Awaiting requested review from christarazi christarazi is a code owner automatically assigned from cilium/proxy

Assignees

@jrajahalme jrajahalme

Labels
area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. kind/bug This is a bug in the Cilium logic. release-blocker/1.14 This issue will prevent the release of the next version of Cilium. release-note/bug This PR fixes an issue in a previous release of Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@jrajahalme @mhofstetter @christarazi