bpf: Fix maglev hash with hostServices.hostNamespaceOnly

[ysksuzuki]

This PR fixes the bug that Cilium drops packets destined to ClusterIP when configured in combination with　loadBalancer.algorithm=maglev and hostServices.hostNamespaceOnly=true. See the commit message for details.

Fixes: #17474
Fixes: #16966

Please ensure your pull request adheres to the following guidelines:

• For first time contributors, read Submitting a pull request
• All code is covered by unit and/or runtime tests where feasible.
• All commits contain a well written commit description including a title,
  description and a Fixes: #XXX line if the commit addresses a particular
  GitHub issue.
• All commits are signed off. See the section Developer’s Certificate of Origin
• Provide a title or release-note blurb suitable for the release notes.
• Thanks for contributing!

[christarazi]

Thanks for the PR!

I have a couple of comments below, one for datapath and a minor comment on the CI test. The datapath comment should be validated with the other members of the datapath team (which I've CC'd).

[christarazi]

While this approach presumably works, I think the main concern (for me at least) is that it will cause further strain on the complexity of the BPF progs because of changing the protoype of such a fundamental, common function and all its callers.

Ultimately, the behavior we want is to force bpf_lxc to use the random backend selection AFAIU. In that case, I think there are a couple of alternatives:

• Hardcode LB_SELECTION to random only for bpf_lxc at compile-time in the agent. The code for the endpoint-specific BPF prog (bpf_lxc) starts here:

  cilium/pkg/datapath/linux/config/config.go

  Line 804 in 2581084

  func (h *HeaderfileWriter) WriteEndpointConfig(w io.Writer, e datapath.EndpointConfiguration) error {

  . From my quick glance at the code, that seems like the right place given that LB_SELECTION is set inside the node variant WriteNodeConfig().
• Provide a bpc_lxc-specific lb{4,6}_xlate function which will always use random backend selection, rather than rely on LB_SELECTION and is only called from the bpf_lxc code.

In both scenarios, we only pay the "cost" once, rather than at each packet (albeit almost negligible; optimization will likely help), and more importantly, reduce program complexity (no conditionals in BPF code) for future changes.

IMO, I think the first option seems cleaner to me, as it's simpler Go code mangling vs. C code changes which very likely will end up duplicating some code (I presume).

That's my 2 cents, but would love to hear what the others from the datapath team think (@cilium/bpf @brb).

[ysksuzuki]

Thank you for your feedback!

The first option makes sense to me too because it's simple, as you mentioned, while my current approach changes the common function and makes things more complex.

How about this one? I could confirm that the e2e tests with this branch have passed in my environment.
ysksuzuki@0d2dbc4

With this change, LB_SELECTION, initially defined in globally scoped node_config.h will be overridden in ep_config.h, and then bpf_lxc will stick to LB_SELECTION_RANDOM.

[christarazi]

Usually the It block text shouldn't overlap with the Context text. The context text can be describing what the test is and the It text can be describing what the assertion is.

So, I'd probably do something like:

Context("hostServices.hostNamespaceOnly and Maglev enabled")
...
    It("Checks ClusterIP connectivity")

[brb]

Couldn't you just #define LB_SELECTION LB_SELECTION_RANDOM in bpf_lxc.c before including lb.h?

[ysksuzuki]

Couldn't you just #define LB_SELECTION LB_SELECTION_RANDOM in bpf_lxc.c before including lb.h?

Yes, I could confirm that the e2e tests have passed with this commit that defines LB_SELECTION_RANDOM in bpf_lxc.c. Now I finally understand what you were saying.

[christarazi]

Thanks Martynas. I think it would be good to add the motivation / why in the commit msg and to also add a comment explaining briefly why this is necessary inside the code itself (above the undef).

[brb]

I'd suggest to avoid adding additional test case which redeploys cilium, and thus increases the test suite run time. Instead, you could reuse the "Checks connectivity when skipping socket lb in pod ns" test case.

[ysksuzuki]

I needed #18493 to pass the K8sServiceTest in my environment. Will rebase the branch after it's merged.

[ysksuzuki]

This test is failing in my environment even with the master branch.

Summarizing 1 Failure:

[Fail] K8sPolicyTest Multi-node policy test validates fromEntities policies [It] Validates fromEntities all policy
/home/cybozu/go/src/github.com/cilium/cilium/test/k8sT/Policies.go:1686

Ran 89 of 411 Specs in 7176.412 seconds
FAIL! -- 88 Passed | 1 Failed | 0 Pending | 322 Skipped
--- FAIL: TestTest (7176.53s)
FAIL

[brb]

Getting closer to merging 🚀

[brb]

Nit: "It will fail" => "Otherwise, it will fail".

[brb]

This needs a comment why we enable Maglev in this test case.

[brb]

Ditto.

[brb]

Thanks!