service: Always allocate higher ID for svc/backend #18113

brb · 2021-12-03T15:21:49Z

Previously, it was possible that a backend or a service would get
allocated ID, which would be ID_backend_A < ID < ID_backend_B. This
could have happened after cilium-agent restart, as the nextID was not
advanced upon the restoration of IDs.

This could have led to situations in which the per-packet LB could
selected a backend which did not belong to a requested service when the
following was fulfilled in the chronological order:

Previously the same client made the request to the service and the
backend with ID_x was chosen.
The service endpoint (backend) with ID_x was removed.
cilium-agent was restarted.
A new service backend which does not belong to the initial service
was created and got the ID_x allocated.
The CT_SERVICE entry for the old connection was not removed by the CT
GC.
The same client made a new connection to the same service from the
same src port.

The above led the lb{4,6}_local() to select the wrong backend, as it
found the CT_SERVICE entry with the backend ID_x.

The advancement of the nextID upon the restoration only partly mitigates
the issue. The real fix would be to introduce a match map which key
would be (svc_id, backend_id), and it would be populated by the agent.
The lb{4,6}_local() routines would consult the map to detect whether the
backend belongs to the service.

Previously, it was possible that a backend or a service would get allocated ID, which would be ID_backend_A < ID < ID_backend_B. This could have happened after cilium-agent restart, as the nextID was not advanced upon the restoration of IDs. This could have led to situations in which the per-packet LB could selected a backend which did not belong to a requested service when the following was fulfilled in the chronological order: 1. Previously the same client made the request to the service and the backend with ID_x was chosen. 2. The service endpoint (backend) with ID_x was removed. 3. cilium-agent was restarted. 4. A new service backend which does not belong to the initial service was created and got the ID_x allocated. 5. The CT_SERVICE entry for the old connection was not removed by the CT GC. 6. The same client made a new connection to the same service from the same src port. The above led the lb{4,6}_local() to select the wrong backend, as it found the CT_SERVICE entry with the backend ID_x. The advancement of the nextID upon the restoration only partly mitigates the issue. The real fix would be to introduce a match map which key would be (svc_id, backend_id), and it would be populated by the agent. The lb{4,6}_local() routines would consult the map to detect whether the backend belongs to the service. Signed-off-by: Martynas Pumputis <m@lambda.lt>

brb · 2021-12-03T15:26:59Z

/test

brb added kind/bug This is a bug in the Cilium logic. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. sig/loadbalancing labels Dec 3, 2021

brb requested review from borkmann and a team December 3, 2021 15:21

maintainer-s-little-helper bot assigned borkmann Dec 3, 2021

maintainer-s-little-helper bot added this to Needs backport from master in 1.11.0 Dec 3, 2021

maintainer-s-little-helper bot added this to Needs backport from master in 1.10.6 Dec 3, 2021

brb mentioned this pull request Dec 3, 2021

datapath: Consider selecting a new service backend for CT_REOPENED #18114

Closed

borkmann approved these changes Dec 3, 2021

View reviewed changes

maintainer-s-little-helper bot unassigned borkmann Dec 3, 2021

maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Dec 3, 2021

borkmann merged commit 33bd95c into master Dec 3, 2021

borkmann deleted the pr/brb/fix-backend-id-alloc branch December 3, 2021 18:42

nathanjsweet mentioned this pull request Dec 3, 2021

v1.11 backports 2021-12-03 #18119

Merged

nathanjsweet added backport-pending/1.11 and removed needs-backport/1.11 labels Dec 3, 2021

maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.10 in 1.11.0 Dec 3, 2021

joestringer added backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. and removed backport-pending/1.11 labels Dec 5, 2021

joestringer moved this from Backport pending to v1.11 to Backport done to v1.11 in 1.11.0 Dec 5, 2021

nathanjsweet mentioned this pull request Dec 6, 2021

v1.10 backports 2021-12-06 #18146

Merged

nathanjsweet added backport-pending/1.10 and removed needs-backport/1.10 labels Dec 6, 2021

maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.10 in 1.10.6 Dec 6, 2021

joestringer removed the backport-pending/1.10 label Dec 10, 2021

joestringer added the backport-done/1.10 label Dec 10, 2021

maintainer-s-little-helper bot moved this from Backport pending to v1.10 to Backport done to v1.10 in 1.10.6 Dec 10, 2021

joestringer mentioned this pull request Dec 10, 2021

Prepare for release v1.10.6 #18214

Merged

This was referenced Dec 10, 2021

LB service redirect to a wrong backend #17729

Closed

Suspecting wrong backend selection while calling k8s services #17859

Closed

brb mentioned this pull request Jun 30, 2022

cilium bpf conntrack issue, packets routed to wrong service endpoint #20359

Closed

2 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

service: Always allocate higher ID for svc/backend #18113

service: Always allocate higher ID for svc/backend #18113

brb commented Dec 3, 2021

brb commented Dec 3, 2021

service: Always allocate higher ID for svc/backend #18113

service: Always allocate higher ID for svc/backend #18113

Conversation

brb commented Dec 3, 2021

brb commented Dec 3, 2021