Install fib rules and routes with proto kernel to avoid systemd messing with them #24288
Conversation
@NikAleksandrov any update on this PR since it's still in status
@brandshaide it is incomplete; to fix the issue fully we need to change all routes and rules to use proto kernel
@NikAleksandrov awesome! and thanks a lot for your efforts 👍
/test
Overall, looks nice to me. A non-blocking suggestion: I think it's better to define a Go constant like DefaultRTProto (and the equivalent shell-script variable) and use that instead of hard-coding the kernel protocol, so that if this kernel protocol runs into a problem we can easily change it instead of finding all the places we set the protocol.
Yep, good point. Coming right up.
@YutaroHayakawa I've requested a new review; the code is basically the same, just using a constant as you suggested.
This PR introduced a CI-only regression that was fixed by #24577. We'll thus need to backport that second PR wherever we backport this one.
Why did CI not catch the regression in this PR?
@gandro CI wasn't run after the rebase. I don't know if the test passed before the last rebase.
Dropped the needs-backport labels as this PR is likely to be reverted |
I see the fix is reverted. Do we know whether this issue will be fixed anytime soon?
In order to work around systemd's bad recent changes, where they decided to manage "foreign" rules and to flush them on certain events (e.g. device flap), we should add our rules as "proto kernel" so systemd will just skip them and leave them in place in such events instead of wiping them from underneath us if a networkd policy like below is not installed (https://docs.cilium.io/en/stable/operations/system_requirements/#systemd-based-distributions):
Normal rules with Cilium deployed look like:
$ ip ru
9: from all fwmark 0x200/0xf00 lookup 2004
10: from all fwmark 0xa00/0xf00 lookup 2005
100: from all lookup local
32766: from all lookup main
32767: from all lookup default
After a network event we see systemd flushing all unspec rules (9, 10 and 100, the last one being critical):
$ ip rule list
32766: from all lookup main
32767: from all lookup default
With this change the rules remain in place and everything continues working as expected.
The change also affects routes installed by Cilium, they are now with proto kernel.
For example:
Note that we rely on the fact that route deletes with proto == 0 cause the kernel to not check if the route protocol matches (it is ignored). Note also that there is one exception for the conversion done, which is about node-to-node encryption routes, because those overload the route protocol and use it to recognize routes installed by Cilium for node-to-node encryption. That can be revisited additionally.
Patches overview:
Patch 01 - adds a new RTProto constant in linux_defaults to be used for fib rules and routes
Patch 02 - adds a new RulePriorityLocalLookup constant in linux_defaults to be used for fib rules and routes
Patch 03 - changes rules and routes in bpf/init.sh (also default rt proto is taken as an argument)
Patch 04 - changes init.sh to take the local lookup rule priority as an argument
Patch 05 - updates the netlink library to get RTA_PROTOCOL support for fib rules
Patch 06 - adds support for rule protocol to datapath/linux/route
Patch 07 - updates datapath/linux/route
Patch 08 - updates egress gateway
Patch 09 - updates datapath/loader
Patch 10 - updates datapath/linux/routing (skips migration code, more in commit msg)
Patch 11 - updates datapath/linux/node (the patch doesn't modify node-to-node encryption routes)
Patch 12 - removes RouteProtocolIPSec and uses proto kernel instead
Patch 13 - adds "-d" to bugtool when dumping fib rules so we can log their protocol
Patch 14 - ensures that local lookup IP rules are installed on agent init and also cleans up old local lookup rules with a different rt proto only if they're before the new ones with proto kernel
I have tested locally IPv4, IPv6 with and without tunnels, with and without ipsec. Routes and rules are installed and cleaned up properly. This set also fixes another bug when we restore ip rules on init.sh failure: we'd install rule #0 with proto unspec instead of kernel as the original rule.
Closes: #18706
Thanks,
Nik
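The check a node operator would want after reading the description above, as an added example that is not part of this PR or of Cilium: a POSIX shell script that reads `ip -d rule show` output (the `-d` is what makes iproute2 print the `proto` field for every rule, the reason Patch 13 adds it to bugtool) and reports every rule not installed as proto kernel, i.e. the "foreign" rules systemd-networkd may flush on a device flap. The sample output is constructed to match the pre-change state shown above (Cilium rules 9, 10 and 100 as proto unspec); `foreign_rules`, `count_foreign` and `local_lookup_protected` are names chosen here.

```shell
#!/bin/sh
# Added example (not Cilium code): find IP rules systemd-networkd treats as
# "foreign" (anything whose proto is not kernel) and may therefore flush.

# Constructed sample of `ip -d rule show` on a node running Cilium before this
# change. The kernel's own rules are proto kernel; Cilium's are proto unspec.
SAMPLE_RULES='0:      from all lookup local proto kernel
9:      from all fwmark 0x200/0xf00 lookup 2004 proto unspec
10:     from all fwmark 0xa00/0xf00 lookup 2005 proto unspec
100:    from all lookup local proto unspec
32766:  from all lookup main proto kernel
32767:  from all lookup default proto kernel'

# Read `ip -d rule show` lines on stdin; print "<priority> <proto>" for each
# rule whose proto is not kernel. A line with no proto field at all is the
# plain `ip rule` form, which only omits proto for 0/unspec, so report unspec.
foreign_rules() {
    awk '
    {
        prio = $1; sub(/:$/, "", prio)
        proto = "unspec"
        for (i = 2; i < NF; i++) if ($i == "proto") proto = $(i + 1)
        if (proto != "kernel") print prio, proto
    }'
}

# Number of rules in the sample that systemd could wipe from under us.
count_foreign() {
    printf '%s\n' "$SAMPLE_RULES" | foreign_rules | wc -l | tr -d ' '
}

# Succeeds only if the critical local-lookup rule (priority 100 in the PR,
# RulePriorityLocalLookup after Patch 02) is installed as proto kernel.
local_lookup_protected() {
    ! printf '%s\n' "$SAMPLE_RULES" | foreign_rules | grep -q '^100 '
}

if [ "$(count_foreign)" -ne 0 ]; then
    echo "rules systemd-networkd may flush (priority proto):"
    printf '%s\n' "$SAMPLE_RULES" | foreign_rules
fi
```

Replace `SAMPLE_RULES` with `$(ip -d rule show)` to run it against a live node; a non-empty report means the node is still exposed to the flush described above.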