Fix namespace switch issues and add ipvlan, macvlan, and bridge e2e testing

[dcbw]

A subset of #167 while we discuss how the mocking should actually work.

Fixes #179.

[dcbw]

cc @rosenhouse

[dcbw]

cc @steveej

[dcbw]

@rosenhouse one thing I'm not 100% sure about is the removal of LockOSThread() from the plugins init() functions themselves; that all works for the testcases because they run all the checks with Do(), and they run the plugin's cmdAdd/cmdDel from inside the Do() for the original namespace too. But when the plugins are run standalone from kubernetes or rkt or whatever, should they get the current host namespace and wrap inital setup with Do()?

[steveej]

But when the plugins are run standalone from kubernetes or rkt or whatever, should they get the current host namespace and wrap inital setup with Do()?
AFAIU this shouldn't be a problem, reasoning below.

If the plugins are invoked, the given network namespace will be explicitly set whenever necessary using NetNS.Do(). AFAICT the assumption is that the rest of the code is supposed to run in the caller's netns, and unless the caller doesn't mess with setting the netns themselves, CNI shouldn't be messing with it either.

[dcbw]

@steveej yeah, that should be true. I guess the testcases have issues here (which were fixed by wrapping everything in Do()) because they create a completely new namespace to ensure they don't affect the host. So I guess we're OK.

[steveej]

yeah, that should be true. I guess the testcases have issues here (which were fixed by wrapping everything in Do()) because they create a completely new namespace to ensure they don't affect the host. So I guess we're OK.

Agreed! At this point, thank you again for this excellent contribution. I lack the overview if all of @rosenhouse's issues related to the code are addressed, @dcbw can you help here?

[dcbw]

rebased to resolve the merge conflict

[dcbw]

@steveej @rosenhouse I believe they were all addressed in the previous mocking PR; the PR here doesn't change anything from that other PR except for dropping the 'netops' object. Should get @rosenhouse to confirm though.

[steveej]

As discussed in the CNI meeting, this will be merged after bringing the locking back to the plugins init() functions.

[dcbw]

@steveej reverted the init() changes; PTAL.

[rosenhouse]

So, like I said at the CNI meeting, I'm traveling on PTO, and then at a conference and therefore unable to look at this closely until late next week.

However, at first glance, I think I see instances of the issue I mentioned on the call: given how we're trying to isolate namespace switches to a goroutine, nested calls to netns.Do are problematic. Specifically, you've got test code which calls netns.Do and then inside its callback, you directly invoke the plugin code. And inside the plugin code (e.g. in the bridge plugin) there is another call to netns.Do. That is likely the cause of the test flakes you're seeing. Calling LockOSThread at the start of the test suite, as I suggested on the call, won't help here.

I think the easiest way to fix those flakes would be to invoke the plugins as a separate OS process, rather than running them in the same process as the tests.

I'll leave it up to the other maintainers to decide on merging.

[steveej]

reverted the init() changes; PTAL.

I've checked the test cases before the revert, so I trust the green lights with this now.

[steveej]

@rosenhouse

Specifically, you've got test code which calls netns.Do and then inside its callback, you directly invoke the plugin code. And inside the plugin code (e.g. in the bridge plugin) there is another call to netns.Do. That is likely the cause of the test flakes you're seeing. Calling LockOSThread at the start of the test suite, as I suggested on the call, won't help here.

Let me try to repeat what you've explained to confirm and also lay the information open on the issue.
The first Do()'s goroutine is locked correctly, but in spite of this the nested goroutine could potentially be scheduled on a new OS thread because GOMAXPROCS has not been exhausted yet?

[rosenhouse]

@steveej exactly -- that new goroutine may or may not end up on a new OS thread. If a new OS thread is created, then it will inherit the namespaces of its parent. So the new OS thread's "original" namespace is actually the "switched-to" special namespace of the first call. From that point on, the newly created OS thread is "polluted".

I've updated #183 with a description of this issue and to recommend against nested calls.

It's still not clear to me how to best expose namespace switching at a higher level of abstraction in a safe way.

For now, the only thing I can suggest is to carefully review code to check that there are no nested calls to netns.Do

[steveej]

@rosenhouse

If a new OS thread is created, then it will inherit the namespaces of its parent. So the new OS thread's "original" namespace is actually the "switched-to" special namespace of the first call. From that point on, the newly created OS thread is "polluted".

This seems to go very deep down to Go's thread/routine handling mechanism and I would appreciate the source to your knowledge.

[rosenhouse]

@steveej I don't have a written reference for the fact that threads inherit the namespace context of their parent thread. However, another member of our CloudFoundry container networking team (@sykesm) has investigated this issue. I can share the results of his work here.

He wrote code that switched the namespace of the main goroutine and spun up several more goroutines from there. All the goroutines waited while the program reported the namespace associated with each OS thread. (code here) Here are the results:

lrwxrwxrwx 1 root root 0 May  9 16:12 /proc/15832/task/15832/ns/net -> net:[4026533719]
lrwxrwxrwx 1 root root 0 May  9 16:12 /proc/15832/task/15833/ns/net -> net:[4026533719]
lrwxrwxrwx 1 root root 0 May  9 16:12 /proc/15832/task/15834/ns/net -> net:[4026533719]
lrwxrwxrwx 1 root root 0 May  9 16:12 /proc/15832/task/15835/ns/net -> net:[4026533719]
lrwxrwxrwx 1 root root 0 May  9 16:12 /proc/15832/task/15836/ns/net -> net:[4026533719]
lrwxrwxrwx 1 root root 0 May  9 16:12 /proc/15832/task/15838/ns/net -> net:[4026533719]
lrwxrwxrwx 1 root root 0 May  9 16:12 /proc/15832/task/15839/ns/net -> net:[4026533719]
lrwxrwxrwx 1 root root 0 May  9 16:12 /proc/15832/task/15840/ns/net -> net:[4026533719]
lrwxrwxrwx 1 root root 0 May  9 16:12 /proc/15832/task/15841/ns/net -> net:[4026533940]
lrwxrwxrwx 1 root root 0 May  9 16:12 /proc/15832/task/15842/ns/net -> net:[4026533940]
lrwxrwxrwx 1 root root 0 May  9 16:12 /proc/15832/task/15843/ns/net -> net:[4026533940]
lrwxrwxrwx 1 root root 0 May  9 16:12 /proc/15832/task/15844/ns/net -> net:[4026533940]
lrwxrwxrwx 1 root root 0 May  9 16:12 /proc/15832/task/15845/ns/net -> net:[4026533940]
lrwxrwxrwx 1 root root 0 May  9 16:12 /proc/15832/task/15846/ns/net -> net:[4026533940]
lrwxrwxrwx 1 root root 0 May  9 16:12 /proc/15832/task/15848/ns/net -> net:[4026533719]
lrwxrwxrwx 1 root root 0 May  9 16:12 /proc/15832/task/15849/ns/net -> net:[4026533719]
lrwxrwxrwx 1 root root 0 May  9 16:12 /proc/15832/ns/net -> net:[4026533719]

As you can see, the first few threads all share the original netns of the process, but several others are on the new netns.

As I mentioned earlier, I don't have time to dig into this now. But it might be interesting to perform a more detailed investigation to show how this state of the world evolves, perhaps reporting the full set of thread:netns pairings at each step of the loop.

[steveej]

as discussed OOB, we can't guarantee that the original namespace is restored. please add an explanation and maybe link to further docs, e.g. https://github.com/golang/go/wiki/LockOSThread

[steveej]

"short goroutines" worries me a little, is that really necessary? A lock's purpose is to synchronize concurrent tasks and prevent any unwanted runtime behavior.

[steveej]

please wrap the code snippet in a ```go ... block