Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

iptables: Fix race condition on ipset removal #18790

Merged
merged 1 commit into from
Feb 17, 2022
Merged

iptables: Fix race condition on ipset removal #18790

merged 1 commit into from
Feb 17, 2022

Conversation

pchaigno
Copy link
Member

@pchaigno pchaigno commented Feb 11, 2022
edited
Loading

We currently have a race condition between functions AddToNodeIpset and InstallRules (see stacktrace below). AddToNodeIpset creates the ipset then adds the given IP address to that ipset. At the same time, InstallRules renames ipsets to a backup name, creates new ipsets, and removes the backups. Depending on timings, AddToNodeIpset may therefore attempt to add IPs to a nonexistent ipset.

runDaemon()
- NewDameon()
  - InitK8sSubsystem()
    - EnableK8sWatcher()
      * ciliumNodeInit()
        - NodeUpdated()
          - iptables.AddToNodeIpset()
  [...]
  - d.init()
    - d.Datapath().Loader().Reinitialize()
      - InstallRules()
        - removeRulesAndIpsets()

We however don't need InstallRules to use a whole backup system for ipsets. This backup system makes sense for iptables rules because we may need to change them based on the agent configuration, but that's not the case for ipsets; their content doesn't depend on configuration. So either we need them and should create them, or we don't need them and we can remove any leftover ipsets. We never need to reset them.

The race condition didn't make it into any release, so no need to flag as bugfix.

Fixes: #17871.

@pchaigno pchaigno added sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/misc This PR makes changes that have no direct user impact. needs-backport/1.11 labels Feb 11, 2022
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.11.2 Feb 11, 2022
@pchaigno pchaigno mentioned this pull request Feb 11, 2022
Closed
@pchaigno pchaigno force-pushed the fix-race-condition-ipset-removal branch 2 times, most recently from 26c0353 to 124a631 Compare February 12, 2022 14:54
@pchaigno pchaigno marked this pull request as ready for review February 12, 2022 17:08
@pchaigno pchaigno requested review from a team and kkourt February 12, 2022 17:08
kkourt
kkourt approved these changes Feb 16, 2022
View reviewed changes
Copy link
Contributor

@kkourt kkourt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks, Paul!

pkg/datapath/iptables/iptables.go Outdated Show resolved Hide resolved
@pchaigno pchaigno force-pushed the fix-race-condition-ipset-removal branch 2 times, most recently from 954947a to 012d1d7 Compare February 16, 2022 12:40
@pchaigno
iptables: Fix race condition on ipset removal
44a96c6 
We currently have a race condition between functions AddToNodeIpset and
InstallRules (see stacktrace below). AddToNodeIpset creates the ipset
then adds the given IP address to that ipset. At the same time,
InstallRules renames ipsets to a backup name, creates new ipsets, and
removes the backups. Depending on timings, AddToNodeIpset may therefore
attempt to add IPs to a nonexistent ipset.

    runDaemon()
    - NewDameon()
      - InitK8sSubsystem()
        - EnableK8sWatcher()
          * ciliumNodeInit()
            - NodeUpdated()
              - iptables.AddToNodeIpset()
      [...]
      - d.init()
        - d.Datapath().Loader().Reinitialize()
          - InstallRules()
            - removeRulesAndIpsets()

We however don't need InstallRules to use a whole backup system for
ipsets. This backup system makes sense for iptables rules because we may
need to change them based on the agent configuration, but that's not the
case for ipsets; their content doesn't depend on configuration. So
either we need them and should create them, or we don't need them and we
can remove any leftover ipsets. We never need to reset them.

Fixes: 76551df ("iptables: Remove old ipsets")
Signed-off-by: Paul Chaignon <paul@cilium.io>
@pchaigno pchaigno force-pushed the fix-race-condition-ipset-removal branch from 012d1d7 to 44a96c6 Compare February 16, 2022 12:42
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 16, 2022
@nebril nebril merged commit 98ca102 into cilium:master Feb 17, 2022
@pchaigno pchaigno deleted the fix-race-condition-ipset-removal branch February 17, 2022 10:09
@nebril nebril mentioned this pull request Feb 17, 2022
Merged
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.10 in 1.11.2 Feb 17, 2022
@joestringer joestringer mentioned this pull request Feb 23, 2022
Merged
@qmonnet qmonnet added backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. and removed backport-pending/1.11 labels Mar 28, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kkourt kkourt kkourt approved these changes

Assignees
No one assigned
Labels
backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
Projects
No open projects
1.11.2
Backport pending to v1.10
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@pchaigno @kkourt @nebril @qmonnet