nodediscovery: Fix bug where CiliumInternalIP was flapping #29964
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gandro
added
release-note/bug
|
I have reproduced this also on v1.14. It likely requires a manual backport on that branch. I'll also check v1.13 and v1.12 now. |
gandro
added
the
needs-backport/1.13
|
Converting back to draft, after discussing offline with Marco that this also needs to be fixed in kvstore mode. Also, the bug is present in all supported Cilium versions. |
|
Apparently kvstore should also be fixed by this commit. Will manually verify tomorrow |
giorio94
approved these changes
Dec 18, 2023
There was a problem hiding this comment.
Thanks! The fix looks reasonable to me, especially considering the requirement for backporting it to all stable versions. Moving forward, we'll likely want to refactor the IPAM CiliumNode creation logic to avoid triggering unnecessary updates before restoring the full local node information (and fix also the bouncing of the other IP addresses), but that looks more invasive as a change.
I've also double-checked the kvstore case in combination with cluster-pool IPAM mode, and the CiliumInternalIP does not flip anymore (it was caused by the CiliumNode to kvstore synchronization process implemented by the Cilium operator):
Full kvstore events received after restart
PUT
cilium/state/nodes/v1/default/kind-worker
{"Name":"kind-worker","Cluster":"default","IPAddresses":[{"Type":"CiliumInternalIP","IP":"10.0.1.199"},{"Type":"CiliumInternalIP","IP":"fd00::147"},{"Type":"InternalIP","IP":"172.19.0.3"},{"Type":"InternalIP","IP":"fc00:c111::3"}],"IPv4AllocCIDR":{"IP":"10.0.1.0","Mask":"////AA=="},"IPv4SecondaryAllocCIDRs":null,"IPv6AllocCIDR":{"IP":"fd00::100","Mask":"////////////////////AA=="},"IPv6SecondaryAllocCIDRs":null,"IPv4HealthIP":"","IPv6HealthIP":"","IPv4IngressIP":"","IPv6IngressIP":"","ClusterID":0,"Source":"custom-resource","EncryptionKey":0,"Labels":{"beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/os":"linux","kubernetes.io/arch":"amd64","kubernetes.io/hostname":"kind-worker","kubernetes.io/os":"linux"},"Annotations":null,"NodeIdentity":0,"WireguardPubKey":""}
PUT
cilium/state/nodes/v1/default/kind-worker
{"Name":"kind-worker","Cluster":"default","IPAddresses":[{"Type":"InternalIP","IP":"172.19.0.3"},{"Type":"InternalIP","IP":"fc00:c111::3"},{"Type":"CiliumInternalIP","IP":"10.0.1.199"},{"Type":"CiliumInternalIP","IP":"fd00::147"}],"IPv4AllocCIDR":{"IP":"10.0.1.0","Mask":"////AA=="},"IPv4SecondaryAllocCIDRs":null,"IPv6AllocCIDR":{"IP":"fd00::100","Mask":"////////////////////AA=="},"IPv6SecondaryAllocCIDRs":null,"IPv4HealthIP":"10.0.1.63","IPv6HealthIP":"fd00::11a","IPv4IngressIP":"","IPv6IngressIP":"","ClusterID":0,"Source":"local","EncryptionKey":0,"Labels":{"beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/os":"linux","kubernetes.io/arch":"amd64","kubernetes.io/hostname":"kind-worker","kubernetes.io/os":"linux"},"Annotations":{},"NodeIdentity":1,"WireguardPubKey":""}
PUT
cilium/state/nodes/v1/default/kind-worker
{"Name":"kind-worker","Cluster":"default","IPAddresses":[{"Type":"InternalIP","IP":"172.19.0.3"},{"Type":"InternalIP","IP":"fc00:c111::3"},{"Type":"CiliumInternalIP","IP":"10.0.1.199"},{"Type":"CiliumInternalIP","IP":"fd00::147"}],"IPv4AllocCIDR":{"IP":"10.0.1.0","Mask":"////AA=="},"IPv4SecondaryAllocCIDRs":null,"IPv6AllocCIDR":{"IP":"fd00::100","Mask":"////////////////////AA=="},"IPv6SecondaryAllocCIDRs":null,"IPv4HealthIP":"10.0.1.63","IPv6HealthIP":"fd00::11a","IPv4IngressIP":"","IPv6IngressIP":"","ClusterID":0,"Source":"custom-resource","EncryptionKey":0,"Labels":{"beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/os":"linux","kubernetes.io/arch":"amd64","kubernetes.io/hostname":"kind-worker","kubernetes.io/os":"linux"},"Annotations":null,"NodeIdentity":0,"WireguardPubKey":""}
This commit improves the debug logging of node update events by using
the JSON representation instead of the Go syntax representation of the
node. This makes it easier to parse the log message, as IP addresses are
now printed as strings instead of byte arrays.
Before:
```
level=debug msg="Received node update event from custom-resource: types.Node{Name:\"kind-worker\", Cluster:\"default\", IPAddresses:[]types.Address{types.Address{Type:\"InternalIP\", IP:net.IP{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xac, 0x12, 0x0, 0x3}}, types.Address{Type:\"InternalIP\", IP:net.IP{0xfc, 0x0, 0xc1, 0x11, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3}}, types.Address{Type:\"CiliumInternalIP\", IP:net.IP{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xa, 0x0, 0x0, 0xd2}}}, IPv4AllocCIDR:(*cidr.CIDR)(0xc000613180), IPv4SecondaryAllocCIDRs:[]*cidr.CIDR(nil), IPv6AllocCIDR:(*cidr.CIDR)(nil), IPv6SecondaryAllocCIDRs:[]*cidr.CIDR(nil), IPv4HealthIP:net.IP{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xa, 0x0, 0x0, 0x30}, IPv6HealthIP:net.IP(nil), IPv4IngressIP:net.IP(nil), IPv6IngressIP:net.IP(nil), ClusterID:0x0, Source:\"custom-resource\", EncryptionKey:0x0, Labels:map[string]string{\"beta.kubernetes.io/arch\":\"amd64\", \"beta.kubernetes.io/os\":\"linux\", \"kubernetes.io/arch\":\"amd64\", \"kubernetes.io/hostname\":\"kind-worker2\", \"kubernetes.io/os\":\"linux\"}, Annotations:map[string]string(nil), NodeIdentity:0x0, WireguardPubKey:\"\"}" subsys=nodemanager
```
After:
```
level=debug msg="Received node update event from custom-resource" node="{\"Name\":\"kind-worker\",\"Cluster\":\"default\",\"IPAddresses\":[{\"Type\":\"InternalIP\",\"IP\":\"172.18.0.3\"},{\"Type\":\"InternalIP\",\"IP\":\"fc00:c111::3\"},{\"Type\":\"CiliumInternalIP\",\"IP\":\"10.0.1.245\"}],\"IPv4AllocCIDR\":{\"IP\":\"10.0.1.0\",\"Mask\":\"////AA==\"},\"IPv4SecondaryAllocCIDRs\":null,\"IPv6AllocCIDR\":null,\"IPv6SecondaryAllocCIDRs\":null,\"IPv4HealthIP\":\"10.0.1.120\",\"IPv6HealthIP\":\"\",\"IPv4IngressIP\":\"\",\"IPv6IngressIP\":\"\",\"ClusterID\":0,\"Source\":\"custom-resource\",\"EncryptionKey\":0,\"Labels\":{\"beta.kubernetes.io/arch\":\"amd64\",\"beta.kubernetes.io/os\":\"linux\",\"kubernetes.io/arch\":\"amd64\",\"kubernetes.io/hostname\":\"kind-worker\",\"kubernetes.io/os\":\"linux\"},\"Annotations\":null,\"NodeIdentity\":0,\"WireguardPubKey\":\"\"}" subsys=nodemanager
```
Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
This fixes a bug in `UpdateCiliumNodeResource` where the
`CiliumInternalIP` (aka `cilium_host` IP, aka router IP) was flapping in
the node manager during restoration (i.e. during cilium-agent restarts).
In particular in `cluster-pool` mode, `UpdateCiliumNodeResource` is
called before the `cilium_host` IP has been restored, as there are some
circular dependencies: The restored IP can only be fully validated after
the IPAM subsystem is ready, but that in turn can only happen if the
`CiliumNode` object has been created. The `UpdateCiliumNodeResource`
function however will only announce the `cilium_host` IP if it has been
restored.
This commit attempts to break that cycle by not overwriting any already
existing `CiliumInternalIP` in the CiliumNode resource.
Overall, this change is rather hacky, in particular it does not address
the fact that other less crucial node information (like the health IP)
also flaps. But since we want to backport this bugfix to older stable
branches too, this change is intentionally kept as minimal as possible.
Example node event (as observed by other nodes) before this change:
```
2023-12-18T12:58:20.070330814Z level=debug msg="Received node update event from custom-resource" node="{\"Name\":\"kind-worker\",\"Cluster\":\"default\",\"IPAddresses\":[{\"Type\":\"InternalIP\",\"IP\":\"172.18.0.4\"},{\"Type\":\"InternalIP\",\"IP\":\"fc00:c111::4\"}],..." subsys=nodemanager
2023-12-18T12:58:20.208082226Z level=debug msg="Received node update event from custom-resource" node="{\"Name\":\"kind-worker\",\"Cluster\":\"default\",\"IPAddresses\":[{\"Type\":\"InternalIP\",\"IP\":\"172.18.0.4\"},{\"Type\":\"InternalIP\",\"IP\":\"fc00:c111::4\"},{\"Type\":\"CiliumInternalIP\",\"IP\":\"10.0.1.245\"}],..." subsys=nodemanager
```
After this change (note the `CiliumInternalIP` present in both events):
```
2023-12-18T15:38:23.695653876Z level=debug msg="Received node update event from custom-resource" node="{\"Name\":\"kind-worker\",\"Cluster\":\"default\",\"IPAddresses\":[{\"Type\":\"CiliumInternalIP\",\"IP\":\"10.0.1.245\"},{\"Type\":\"InternalIP\",\"IP\":\"172.18.0.4\"},{\"Type\":\"InternalIP\",\"IP\":\"fc00:c111::4\"}],..." subsys=nodemanager
2023-12-18T15:38:23.838604573Z level=debug msg="Received node update event from custom-resource" node="{\"Name\":\"kind-worker\",\"Cluster\":\"default\",\"IPAddresses\":[{\"Type\":\"InternalIP\",\"IP\":\"172.18.0.4\"},{\"Type\":\"InternalIP\",\"IP\":\"fc00:c111::4\"},{\"Type\":\"CiliumInternalIP\",\"IP\":\"10.0.1.245\"}],...}" subsys=nodemanager
```
Reported-by: Paul Chaignon <paul.chaignon@gmail.com>
Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
gandro
force-pushed
the
pr/gandro/fix-router-ip-being-temporarily-removed
branch
from
c8cc069
to
125ae7a
Compare
|
/test |
2 tasks
julianwiedmann
added
the
ready-to-merge
pchaigno
added
backport-pending/1.14
maintainer-s-little-helper
bot
moved this from Needs backport from main
to Backport pending to v1.15
in v1.15.0-rc.1
pchaigno
added
backport-pending/1.13
maintainer-s-little-helper
bot
moved this from Needs backport from main
to Backport pending to v1.13
in 1.13.11
maintainer-s-little-helper
bot
moved this from Needs backport from main
to Backport pending to v1.12
in 1.12.18
github-actions
bot
added
backport-done/1.14
github-actions
bot
added
backport-done/1.13
julianwiedmann
added
backport-done/1.15
maintainer-s-little-helper
bot
moved this from Backport pending to v1.15
to Backport done to v1.15
in v1.15.0-rc.1
github-actions
bot
added
backport-done/1.12
This was referenced Jan 17, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fixes a bug in
UpdateCiliumNodeResourcewhere theCiliumInternalIP(akacilium_hostIP, aka router IP) was flapping in the node manager during restoration (i.e. during cilium-agent restarts).In particular in
cluster-poolmode,UpdateCiliumNodeResourceis called before thecilium_hostIP has been restored, as there are some circular dependencies: The restored IP can only be fully validated after the IPAM subsystem is ready, but that in turn can only happen if theCiliumNodeobject has been created. TheUpdateCiliumNodeResourcefunction however will only announce thecilium_hostIP if it has been restored.This commit attempts to break that cycle by not overwriting any already existing
CiliumInternalIPin the CiliumNode resource.Overall, this change is rather hacky, in particular it does not address the fact that other less crucial node information (like the health IP) also flaps (see also #28299). But since we want to backport this bugfix to older stable branches too, this change is intentionally kept as minimal as possible.
Example node event (as observed by other nodes) before this change:
After this change (note the
CiliumInternalIPpresent in both events):Reported-by: Paul Chaignon paul.chaignon@gmail.com