iptables: Fix race condition on ipset removal #18790
Merged: nebril merged 1 commit into cilium:master from pchaigno:fix-race-condition-ipset-removal on Feb 17, 2022
Conversation
kkourt approved these changes on Feb 16, 2022:
LGTM! Thanks, Paul!
Commit message:

We currently have a race condition between functions AddToNodeIpset and InstallRules (see stacktrace below). AddToNodeIpset creates the ipset then adds the given IP address to that ipset. At the same time, InstallRules renames ipsets to a backup name, creates new ipsets, and removes the backups. Depending on timings, AddToNodeIpset may therefore attempt to add IPs to a nonexistent ipset.

    runDaemon()
    - NewDaemon()
      - InitK8sSubsystem()
        - EnableK8sWatcher()
          * ciliumNodeInit()
            - NodeUpdated()
              - iptables.AddToNodeIpset()
      [...]
      - d.init()
        - d.Datapath().Loader().Reinitialize()
          - InstallRules()
            - removeRulesAndIpsets()

We however don't need InstallRules to use a whole backup system for ipsets. This backup system makes sense for iptables rules because we may need to change them based on the agent configuration, but that's not the case for ipsets; their content doesn't depend on configuration. So either we need them and should create them, or we don't need them and we can remove any leftover ipsets. We never need to reset them.

Fixes: 76551df ("iptables: Remove old ipsets")
Signed-off-by: Paul Chaignon <paul@cilium.io>
Labels:
- backport-done/1.11: The backport for Cilium 1.11.x for this PR is done.
- ready-to-merge: This PR has passed all tests and received consensus from code owners to merge.
- release-note/misc: This PR makes changes that have no direct user impact.
- sig/datapath: Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
PR description:

We currently have a race condition between functions AddToNodeIpset and InstallRules (see stacktrace below). AddToNodeIpset creates the ipset then adds the given IP address to that ipset. At the same time, InstallRules renames ipsets to a backup name, creates new ipsets, and removes the backups. Depending on timings, AddToNodeIpset may therefore attempt to add IPs to a nonexistent ipset.

We however don't need InstallRules to use a whole backup system for ipsets. This backup system makes sense for iptables rules because we may need to change them based on the agent configuration, but that's not the case for ipsets; their content doesn't depend on configuration. So either we need them and should create them, or we don't need them and we can remove any leftover ipsets. We never need to reset them.

The race condition didn't make it into any release, so no need to flag as bugfix.

Fixes: #17871.
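The race described above, as an added example that is not Cilium's code: both operations are reduced to step sequences over an in-memory "which ipsets exist" state, and every interleaving is explored to show that the rename/create/destroy scheme has a window where the add fails while the create-if-missing scheme has none. The set names and the step decomposition are assumptions made for illustration.

```go
package main
import "fmt"

// Added example, not Cilium code: an in-memory model of the ipset race the PR describes.
// State is just "which ipsets exist"; the set names are hypothetical.
type ipsets map[string]bool
type step func(s ipsets) error
const setName = "cilium_node_set"
const backupName = setName + "_old"

// Steps of AddToNodeIpset: create the ipset (no-op if present), then add an IP to it.
func createIfMissing(s ipsets) error { s[setName] = true; return nil }
func addIP(s ipsets) error {
	if !s[setName] {
		return fmt.Errorf("ipset %s does not exist", setName)
	}
	return nil
}

// Steps of the old InstallRules: rename to a backup, create fresh, destroy the backup.
func renameToBackup(s ipsets) error {
	if s[setName] {
		delete(s, setName)
		s[backupName] = true
	}
	return nil
}
func destroyBackup(s ipsets) error { delete(s, backupName); return nil }

var addToNodeIpset = []step{createIfMissing, addIP}
var installRulesWithBackup = []step{renameToBackup, createIfMissing, destroyBackup}
var installRulesFixed = []step{createIfMissing} // create if needed; never rename or destroy

// raceable reports whether some interleaving of a and b makes a step fail.
func raceable(s ipsets, a, b []step) bool {
	return stepFails(s, a, b) || stepFails(s, b, a)
}
// stepFails runs the next step of a on a copy of s, then explores the remaining schedules.
func stepFails(s ipsets, a, b []step) bool {
	if len(a) == 0 {
		return false
	}
	c := make(ipsets, len(s)) // copy so sibling schedules do not share state
	for k, v := range s {
		c[k] = v
	}
	if err := a[0](c); err != nil {
		return true
	}
	return raceable(c, a[1:], b)
}
```

Starting from a state where the ipset is left over from a previous agent run, `raceable(start, addToNodeIpset, installRulesWithBackup)` is true (create, rename, add is one failing schedule) and `raceable(start, addToNodeIpset, installRulesFixed)` is false.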