bridge: host ARP entries are not updated via arp_notify syscall #756
Comments
Is there any difference in the Destination MAC between the two? I'd expect the L2 Destination MAC to be broadcast. Also, what system, kernel, etc. are you using?
@mccv1r0 Thanks! The Destination MAC addresses are the same.
As a matter of fact, this difference comes from their code: the kernel leaves target_hw blank, while arping sets target_hw to the broadcast address (target_hw then gets copied into the destination address later); see the kernel and arping sources. I am using a customized OS with cloud-kernel; the kernel has some modifications on top of 4.19 mainline. We traced it a little, and found that the arp_notify ARP announcement packets always get dropped inside the bridge.
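To make the target_hw difference concrete, here is a minimal sketch that builds the 28-byte ARP announcement payload both ways. The helper name, the example MAC, and the IP 172.20.0.139 (taken from the transcript below) are just for illustration; this constructs the packet bytes only, it does not send anything.

```python
import struct

def arp_announcement(sender_mac: bytes, sender_ip: bytes, target_hw: bytes) -> bytes:
    """Build a 28-byte Ethernet/IPv4 ARP announcement (request with target IP == sender IP)."""
    return struct.pack(
        "!HHBBH6s4s6s4s",
        1,         # htype: Ethernet
        0x0800,    # ptype: IPv4
        6, 4,      # hlen, plen
        1,         # oper: request
        sender_mac, sender_ip,
        target_hw, sender_ip,  # target IP equals sender IP for an announcement
    )

mac = bytes.fromhex("061c624b0d1e")
ip = bytes([172, 20, 0, 139])

kernel_style = arp_announcement(mac, ip, b"\x00" * 6)  # arp_notify: target_hw left zeroed
arping_style = arp_announcement(mac, ip, b"\xff" * 6)  # arping: target_hw set to broadcast
```

The two payloads differ only in the 6-byte target hardware field (bytes 18..23), which matches the single-field difference seen in the tcpdump captures.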
I used a bpftrace script to track why the ARP announcement gets dropped. There are some conditions for this to happen:
BTW, I can reproduce this issue on CentOS 3.10.0-1160.53.1.el7.x86_64 as well, but I haven't tried a newer kernel. Briefly, there seems to be a race condition: the arp_notify ARP announcement is handled before the bridge port is ready, so the announcement gets ignored.
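If the race is real, one hypothetical mitigation is to delay the announcement until the port's STP state reaches forwarding. A minimal sketch (the function name is made up; on a real system the state reader would read `/sys/class/net/<bridge>/brif/<port>/state`, which holds the numeric STP state):

```python
import time

BR_STATE_FORWARDING = 3  # numeric STP state, as in the kernel bridge UAPI header

def wait_port_forwarding(read_state, timeout=5.0, interval=0.05):
    """Poll the bridge port's STP state until it reaches forwarding.

    read_state is a callable returning the integer state, e.g. one that reads
    /sys/class/net/<bridge>/brif/<port>/state on a live system.
    Returns True if the port started forwarding before the timeout.
    """
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if read_state() == BR_STATE_FORWARDING:
            return True
        time.sleep(interval)
    return False
```

Only after this returns True would the caller trigger the gratuitous ARP (e.g. via arping), so the announcement cannot arrive while the port still drops frames.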
Can you share that script?
What if we set forward_delay=0? Does that "fix" the race?
Uploaded to https://gist.github.com/xh4n3/0a848898064d9a1587528d41e69c5803 with script outputs.
Tried it; the 10-second delay didn't go away.
# ip neigh add 172.20.0.139 dev cni0 lladdr 86:03:17:7a:eb:6e nud stale // add a stale entry to mock `reusing IP`
# while true; do date; ip -s neigh | grep 172.20.0.139; sleep 1; done
Thu Jul 7 10:55:45 CST 2022
172.20.0.139 dev cni0 lladdr 86:03:17:7a:eb:6e used 78/138/78 probes 0 STALE
Thu Jul 7 10:55:46 CST 2022
172.20.0.139 dev cni0 lladdr 86:03:17:7a:eb:6e used 79/139/79 probes 0 STALE
Thu Jul 7 10:55:47 CST 2022
172.20.0.139 dev cni0 lladdr 86:03:17:7a:eb:6e used 80/140/80 probes 0 STALE
Thu Jul 7 10:55:48 CST 2022 // at this time, I start to ping 172.20.0.139, the ping hangs
172.20.0.139 dev cni0 lladdr 86:03:17:7a:eb:6e ref 1 used 0/141/0 probes 0 DELAY
Thu Jul 7 10:55:49 CST 2022
172.20.0.139 dev cni0 lladdr 86:03:17:7a:eb:6e ref 1 used 0/142/1 probes 0 DELAY
Thu Jul 7 10:55:50 CST 2022
172.20.0.139 dev cni0 lladdr 86:03:17:7a:eb:6e ref 1 used 0/143/2 probes 0 DELAY
Thu Jul 7 10:55:51 CST 2022
172.20.0.139 dev cni0 lladdr 86:03:17:7a:eb:6e ref 1 used 0/144/3 probes 0 DELAY
Thu Jul 7 10:55:52 CST 2022
172.20.0.139 dev cni0 lladdr 86:03:17:7a:eb:6e ref 1 used 0/145/4 probes 0 DELAY
Thu Jul 7 10:55:53 CST 2022
172.20.0.139 dev cni0 lladdr 86:03:17:7a:eb:6e ref 1 used 0/146/0 probes 1 PROBE
Thu Jul 7 10:55:54 CST 2022
172.20.0.139 dev cni0 lladdr 86:03:17:7a:eb:6e ref 1 used 0/147/1 probes 2 PROBE
Thu Jul 7 10:55:55 CST 2022
172.20.0.139 dev cni0 lladdr 86:03:17:7a:eb:6e ref 1 used 0/148/2 probes 3 PROBE
Thu Jul 7 10:55:56 CST 2022 // pong received
172.20.0.139 dev cni0 lladdr 06:1c:62:4b:0d:1e ref 1 used 0/0/0 probes 4 REACHABLE
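The roughly ten-second stall in the transcript above is consistent with the neighbor state machine sitting in DELAY and then sending unicast probes. A back-of-the-envelope sketch, assuming the default ipv4 neighbor sysctls (these values are assumptions; check /proc/sys/net/ipv4/neigh/ on the affected host):

```python
# Rough minimum stall for a wrong STALE entry before probes can replace it,
# under assumed-default neighbor sysctls.
delay_first_probe_time = 5  # seconds spent in DELAY before the first probe
ucast_solicit = 3           # unicast probes sent while in PROBE
retrans_time = 1            # seconds between successive probes

stall = delay_first_probe_time + ucast_solicit * retrans_time
print(stall)  # → 8
```

Eight seconds plus scheduling jitter and a final probe lines up with the ~11 seconds from DELAY at 10:55:48 to REACHABLE at 10:55:56 in the transcript.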
With dmesg I only see:
[142421.463071] cni0: port 1(veth0) entered blocking state
The transition from blocking to forwarding is quite fast, and from the log above it looks like the port never entered a forwarding state?
I don't think dmesg can provide a detailed transition log. In the gist above, the arp_notify ARP packet was handled here:
10:03:16 br_set_state triggered: dev_ifindex 60 new_state 0
...
10:03:16 br_handle_frame triggered: dev_ifindex 60 source_mac \xce\xb1}N\xda\x12 dest_mac \xff\xff\xff\xff\xff\xff bridge_port_state 0 bridge_ifindex 11
...
10:03:16 br_set_state triggered: dev_ifindex 60 new_state 3
...
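In that trace, the broadcast frame reaches br_handle_frame while the port state is still 0, and only afterwards does br_set_state move it to 3. A small sketch to decode the output (state names taken from the kernel's bridge UAPI header; the MAC bytes are the ones bpftrace printed above):

```python
# Map the numeric bridge port states seen in the trace to their names,
# and decode the raw source MAC bytes bpftrace printed.
BR_STATES = {0: "disabled", 1: "listening", 2: "learning",
             3: "forwarding", 4: "blocking"}

source_mac = b"\xce\xb1}N\xda\x12"       # exactly as printed in the trace
print(source_mac.hex(":"))               # → ce:b1:7d:4e:da:12
print(BR_STATES[0], "->", BR_STATES[3])  # the port went disabled -> forwarding
```

So the announcement arrived while the port was still disabled, which is why it never made it past the bridge.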
Any update on this? I'm facing the same issue with CNI v1.2.0 on CentOS 7.6 (3.10.0-1160.el7.x86_64). It seems the MAC address of the new pod is not populated in the ARP table:
The issue goes away after downgrading the bridge plugin back to 0.9.1.
Hi 👋, we recently upgraded the bridge plugin from 0.8.x to 1.1.1, and found that some newly created pods are not accessible from the host.
The downtime is about ten seconds, and it only appears when the new pod reuses a previously used IP (one already released back to the pool). We searched for the IP in ip neighbor, and saw a stale entry with the old MAC address first; the entry then changed to a failed state, and was finally replaced by the new MAC address. After downgrading back to 0.8.x, I cannot reproduce this issue anymore. A suspicious cause might be #687.
We did a tcpdump, and found that the arp_notify sysctl and gratuitous arping generate different ARP requests. This should be the reason the old entry doesn't get replaced in the first place.
The ARP request sent by arp_notify, the case in which the old ARP entry doesn't go away for 10 seconds:
The ARP request sent by gratuitous arping, the case in which the old ARP entry gets replaced immediately:
There is a slight difference in the Target MAC Address. I guess the arp_notify ARP doesn't get propagated to the bridge interface, so the host didn't catch it?
Do you have any ideas? Thanks in advance. 😃