routing: Fix route collisions in AWS ENI #14269
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
christarazi
added
area/azure
maintainer-s-little-helper
bot
added
dont-merge/needs-release-note-label
christarazi
added
the
upgrade-impact
christarazi
requested review from
joestringer,
tgraf,
ungureanuvladvictor and
a team
christarazi
commented
Dec 4, 2020
christarazi
force-pushed
the
pr/christarazi/eni-route-collision
branch
3 times, most recently
from
9cb50cc
to
93e8218
Compare
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
stale
bot
added
the
stale
christarazi
removed
the
stale
christarazi
force-pushed
the
pr/christarazi/eni-route-collision
branch
from
93e8218
to
3dfb7f3
Compare
christarazi
changed the title
christarazi
added
needs-backport/1.8
and removed
area/azure
[ upstream commit 332a3fd; forward-ported from v1.7 tree ] This commit fixes a potential route collision in AWS ENI IPAM modes, where the ifindex could equal the main routing table ID (from 253-255) [1], causing traffic to be subject to these routes incorrectly. This is admittedly rare, but we've seen this from a user report. The impact is that most traffic on the node is suddenly blackholed. To fix this, we say that each device or interface (ENI) will have their own dedicated routing table. The table ID will start with an offset of 10 because it is highly unlikely to collide with the main routing table ID (from 253-255). We grab the number associated with the ENI device (`Number`) and add the offset. For example, if we have an ENI device "eni-0" which has a `Number` of 5, then the table ID will be 10 + 5 = 15. Another important piece to note is that only the egress rule will reside inside the per-device tables, whereas the ingress rule will stay in the main routing table. This is because we want the main routing table to hold the routes to the endpoint. Moving forward, the ENI datapath will now create rules under a new egress priority value (RulePriorityEgressv2), as long as the egress-multi-home-ip-rule-compat flag is false. If it's true, then the datapath will create rules under the original egress priority value (RulePriorityEgress). This helps disambiguate when running with the older or newer ENI datapath. See cilium#14336. [1]: See ip-route(8) Reported-by: Vlad Ungureanu <vladu@palantir.com> Suggested-by: Joe Stringer <joe@cilium.io> Suggested-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Chris Tarazi <chris@isovalent.com>
christarazi
force-pushed
the
pr/christarazi/eni-route-collision
branch
from
ac7b671
to
9efaa11
Compare
|
test-me-please |
joestringer
approved these changes
Jan 28, 2021
maintainer-s-little-helper
bot
moved this from Needs backport from master
to Backport pending to v1.8
in 1.8.7
maintainer-s-little-helper
bot
moved this from Needs backport from master
to Backport pending to v1.9
in 1.9.4
maintainer-s-little-helper
bot
moved this from Backport pending to v1.9
to Backport done to v1.9
in 1.9.4
maintainer-s-little-helper
bot
moved this from Backport pending to v1.8
to Backport done to v1.8
in 1.8.7
maintainer-s-little-helper
bot
moved this from Backport pending to v1.8
to Backport done to v1.8
in 1.8.7
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See commit msgs.
This PR has been "forward-ported" from the following direct backport PR to the v1.7 branch: #14337.
Most commits have been forward-ported from the aforementioned PR, but a few commits are only meant for master (with intention to be backported to v1.9 & 1.8) because of code that didn't exist in v1.7 and because of the initial assumption that this issue impacts both ENI and Azure modes. In reality, only ENI mode has been impacted so far. While it is possible for the issue to occur on Azure, it is very unlikely and a separate PR will be made to address that (see #14705).
Fixes: #14336