bpf: Derive host netns cookie via SO_NETNS_COOKIE #17018

Merged
merged 1 commit into from Aug 3, 2021

@brb brb commented Jul 30, 2021

When running in nested environments (e.g. Kind), cilium-agent does not
run in the host netns. So, in such cases the cookie comparison based on
bpf_get_netns_cookie(NULL) in bpf_sock.c for checking whether a socket
belongs to a host netns does not work. This breaks some socket-lb
functionality.

To fix this, we derive the cookie of the netns in which cilium-agent
runs via getsockopt(...SO_NETNS_COOKIE...) and then use it in the check
above. This is based on an assumption that cilium-agent always runs with
"hostNetwork: true".

Fix #14956
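
The derivation described in the PR description above, shown as an added example that is not part of this PR or of Cilium's code: a process reads the cookie of its own netns by creating a socket and calling getsockopt() with SO_NETNS_COOKIE. The function names, the AF_INET/SOCK_STREAM socket and the fallback value 71 for the constant are assumptions made for this sketch.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Older libc headers may lack the constant; 71 is the asm-generic value
 * (x86, arm64, ...). A few architectures use a different number. */
#ifndef SO_NETNS_COOKIE
#define SO_NETNS_COOKIE 71
#endif

/* Cookie of the netns that owns socket fd. Returns 0 or -errno. */
static int netns_cookie_of_fd(int fd, uint64_t *cookie)
{
    socklen_t len = sizeof(*cookie);

    if (getsockopt(fd, SOL_SOCKET, SO_NETNS_COOKIE, cookie, &len) < 0)
        return -errno; /* e.g. ENOPROTOOPT on a kernel without the option */
    return len == sizeof(*cookie) ? 0 : -EINVAL;
}

/* Cookie of the caller's own netns: a new socket always belongs to it. */
static int netns_cookie_of_self(uint64_t *cookie)
{
    int rc, fd = socket(AF_INET, SOCK_STREAM, 0); /* socket type: assumption */

    if (fd < 0)
        return -errno;
    rc = netns_cookie_of_fd(fd, cookie);
    close(fd);
    return rc;
}

int main(void)
{
    uint64_t agent = 0, again = 0;
    int rc = netns_cookie_of_self(&agent);

    if (rc < 0 || (rc = netns_cookie_of_self(&again)) < 0) {
        fprintf(stderr, "SO_NETNS_COOKIE: %s\n", strerror(-rc));
        return 1;
    }
    /* Stable per netns: this is the value the comparison can be made against. */
    printf("netns cookie %llu, stable=%d\n",
           (unsigned long long)agent, agent == again);
    return 0;
}
```

A caller has to treat a negative return as "cookie unknown" and not as a cookie value, since a kernel without the option fails the getsockopt() call.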

@brb brb added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. sig/loadbalancing labels Jul 30, 2021
@brb brb requested review from borkmann and a team July 30, 2021 10:55
@brb brb requested review from a team as code owners July 30, 2021 10:55
brb commented Jul 30, 2021

test-me-please

Job 'Cilium-PR-Runtime-4.9' failed and has not been observed before, so may be related to your PR:

Test Name

RuntimePrivilegedUnitTests Run Tests

Failure Output

FAIL: Failed to run privileged unit tests

If it is a flake, comment /mlh new-flake Cilium-PR-Runtime-4.9 so I can create a new GitHub issue to track it.

@borkmann borkmann left a comment

small nit, but LGTM

When running in nested environments (e.g. Kind), cilium-agent does not
run in the host netns. So, in such cases the cookie comparison based on
bpf_get_netns_cookie(NULL) in bpf_sock.c for checking whether a socket
belongs to a host netns does not work. This breaks some socket-lb
functionality.

To fix this, we derive the cookie of the netns in which cilium-agent
runs via getsockopt(...SO_NETNS_COOKIE...) and then use it in the check
above. This is based on an assumption that cilium-agent always runs with
"hostNetwork: true".

Signed-off-by: Martynas Pumputis <m@lambda.lt>
brb commented Aug 3, 2021

test-1.16-netnext

@borkmann borkmann left a comment

lgtm

brb commented Aug 3, 2021

ci-l4lb

@borkmann borkmann merged commit 0a4a393 into master Aug 3, 2021
@borkmann borkmann deleted the pr/brb/socket-netns branch August 3, 2021 14:39
@brb brb added needs-backport/1.10 sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. and removed needs-backport/1.10 labels Oct 4, 2021
Successfully merging this pull request may close these issues.

bpf_sock: Detect when running in host netns on Kind