neigh: Clean up stale/untracked non-GC'ed neighbors #17918
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Since it's not only about ARP anymore. Also remove 'neigh' abbreviation while at it. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
The NodeNeighDiscoveryEnabled() is called after we completed a resync of all nodes with kubeapi-server. (See initRestore() -> SyncWithK8sFinished() and the agent's wait in runDaemon() for restoreComplete channel to finish in non-dry mode.) Given that, neighLastPingByNextHop map is populated at that time, so when doing migration of neighbor entries in NodeCleanNeighbors() we can remove unrelevant ones at the same time to not let garbage neighbor entries pile up in the neighbor hash table and/or avoid that the kernel needs to do periodic work for them in case of NTF_EXT_MANAGED ones. neighLastPingByNextHop holds both the v4 and v6 entries as a string for the key, so it's enough to just check it there. Fixes: #17905 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann
added
kind/bug
aanm
approved these changes
Nov 17, 2021
aditighag
approved these changes
Nov 17, 2021
Yeah, true, we need some custom one given this depends on earlier changes (v6 not however, only v4). |
Add a variant which does not depend on the config dir but where we can pass a link directly to it. This is needed for the runtime test given subsequent calls to NodeCleanNeighbors() won't have any effect as the link's config file gets removed upon first successful cleanup. Needed for upcoming runtime tests. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Add a test case which simulates agent resync where the agent cleans up stale neighbor entries that we no longer track due to nodes not being in cluster. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Similar as we do for IPv6, add a test case which simulates agent resync where the agent cleans up stale neighbor entries that we no longer track due to nodes not being in cluster. Make sure that we also have IPv4 entries covered. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
/test |
maintainer-s-little-helper
bot
moved this from Needs backport from master
to Backport pending to v1.10
in 1.10.6
maintainer-s-little-helper
bot
moved this from Needs backport from master
to Backport pending to v1.10
in 1.10.6
|
Manual backport pending in #17974 (I almost started a backport for this as part of my tophat duty) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See commit msg. We might need custom backport for <=1.10.
Fixes: #17905