garbage collect stale distributed locks #9982
Conversation
Release note label not set, please set the appropriate release note.
test-me-please

(force-pushed from 03fce22 to 0305d87)
test-me-please

(force-pushed from a26a239 to 37935f8)
test-me-please
Thanks for the review @joestringer
pkg/kvstore/allocator/allocator.go
Outdated
if err := kvstore.Delete(ctx, key); err != nil {
	scopedLog.WithError(err).
		Warning("Unable to unlock distributed lock due to client staleness." +
			" Please check the connectivity between the KVStore and the client with that lease ID.")
Unfortunately it's tricky... One would need to check the cilium status on each cilium instance to know which lease ID that cilium-agent is using. I thought about this while developing the PR; the easiest option would be to add the lease ID to the cilium node structure that we already have. What do you think? Also, be aware this needs to be backported to 1.5 and 1.6.
test-me-please
Under special conditions [1], cilium-agent could leak distributed locks into the KVStore, causing all cilium-agents to deadlock. To avoid this, cilium-operator will garbage collect stale distributed locks. If a lock has been held for more than 2x the default value of cilium's lock lease TTL, cilium-operator will delete that lock from the KVStore. At first sight this might not seem reasonable, but cilium-agents only use the distributed locks to coordinate among each other which one should pick the security identity for a new set of labels. Even if 2 cilium-agents pick 2 different security identities for the same set of labels, only the first one will be able to publish that identity into the KVStore; the 2nd agent will fail to publish the security identity that it picked for the set of labels.

[1] Steps to reproduce the leak:

1) Connect to an etcd member (https://node-A:2379) to create a lock with a 25 second lease (the default for cilium).
2) Drop all peer packets, but not client packets, to and from that etcd member (https://node-A:2380).
3) Try releasing that lock immediately. The unlock will fail with the error: level=error msg="Unable to unlock kvstore lock" error="etcdserver: request timed out".
4) As soon as the unlock fails, resume the connectivity dropped in 2). This re-connectivity needs to happen before the lease expires, which means the Unlock in step 3) needs to fail in less than 25 seconds; this is what happened in my case.
5) Since the client resumed connectivity with the server in less than 25 seconds, the lease didn't expire, which means the server still thinks the client is holding the lock while the client assumes the lock was unlocked.

Signed-off-by: André Martins <andre@cilium.io>
(force-pushed from 637d2f9 to 36ab0b5)
test-me-please
test-me-please |
Fix #9855
Fix #9046