Update fork with upstream fixes/changes (#11)

* vxlan: Generate MAC address before creating a link systemd 242+ assigns MAC addresses for all virtual devices which don't have the address assigned already. That resulted in systemd overriding MAC addresses of flannel.* interfaces. The fix which prevents systemd from setting the address is to define the concrete MAC address when creating the link. Fixes: flannel-io#1155 Ref: k3s-io/k3s#4188 Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> (cherry picked from commit 0198d5d) * Concern only about flannel ip addresses Currently flannel interface ip addresses are checked on startup when using vxlan and ipip backends. If multiple addresses are found, startup fails fatally. If only one address is found and is not the currently leased one, it will be assumed that it comes from a previous lease and be removed. This criteria seems arbitrary both in how it is done and in its timing. It may cause failures in situations where it might not be strictly necessary like for example if the node is running a dhcp client that is assigning link local addresses to all interfaces. It also might fail at flannel unexpected restarts which are completly unrelated to the external event that caused the unexpected modification in the flannel interface. This patch proposes to concern and check only ip address within the flannel network and takes the simple approach to ignore any other ip addresses assuming these would pose no problem on flannel operation. A discarded but more agressive alternative would be to remove all addresses that are not the currently leased one. Fixes flannel-io#1060 Signed-off-by: Jaime Caamaño Ruiz <jcaamano@suse.com> (cherry picked from commit 33a2fac) * Fix flannel hang if lease expired (cherry picked from commit 78035d0) * subnets: move forward the cursor to skip illegal subnet This PR fixs an issue when flannel gets illegal subnet event in watching leases, it doesn't move forward the etcd cursor and will stuck in the same invalid event forever. (cherry picked from commit 1a1b6f1) * fix cherry-pick glitches and test failures * disable udp backend tests since we don't actually have the udp backend in our fork Co-authored-by: Michal Rostecki <mrostecki@opensuse.org> Co-authored-by: Jaime Caamaño Ruiz <jcaamano@suse.com> Co-authored-by: Chun Chen <ramichen@tencent.com> Co-authored-by: huangxuesen <hxs625job@outlook.com>
gravitational · Jan 25, 2022 · 8b92dc7 · 8b92dc7
1 parent c570cc6
commit 8b92dc7
Show file tree

Hide file tree

Showing 36 changed files with 199 additions and 83 deletions.
diff --git a/backend/alivpc/alivpc.go b/backend/alivpc/alivpc.go
@@ -11,6 +11,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+//go:build !windows
 // +build !windows
 
 package alivpc

diff --git a/backend/awsvpc/awsvpc.go b/backend/awsvpc/awsvpc.go
@@ -11,6 +11,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+//go:build !windows
 // +build !windows
 
 package awsvpc

diff --git a/backend/awsvpc/filter.go b/backend/awsvpc/filter.go
@@ -11,6 +11,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+//go:build !windows
 // +build !windows
 
 package awsvpc

diff --git a/backend/extension/extension_network.go b/backend/extension/extension_network.go
@@ -61,11 +61,12 @@ func (n *network) Run(ctx context.Context) {
 
 	for {
 		select {
-		case evtBatch := <-evts:
+		case evtBatch, ok := <-evts:
+			if !ok {
+				log.Infof("evts chan closed")
+				return
+			}
 			n.handleSubnetEvents(evtBatch)
-
-		case <-ctx.Done():
-			return
 		}
 	}
 }

diff --git a/backend/gce/api.go b/backend/gce/api.go
@@ -13,6 +13,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+//go:build !windows
 // +build !windows
 
 package gce

diff --git a/backend/gce/gce.go b/backend/gce/gce.go
@@ -36,6 +36,7 @@
 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 // SOFTWARE.
+//go:build !windows
 // +build !windows
 
 package gce

diff --git a/backend/gce/metadata.go b/backend/gce/metadata.go
@@ -13,6 +13,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+//go:build !windows
 // +build !windows
 
 package gce

diff --git a/backend/hostgw/hostgw.go b/backend/hostgw/hostgw.go
@@ -1,4 +1,5 @@
-// +build !windows
+//go:build !windows && !windows
+// +build !windows,!windows
 
 // Copyright 2015 flannel authors
 //
@@ -13,7 +14,6 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
-// +build !windows
 
 package hostgw
 

diff --git a/backend/hostgw/hostgw_windows.go b/backend/hostgw/hostgw_windows.go
@@ -1,4 +1,5 @@
-// +build windows
+//go:build windows && windows
+// +build windows,windows
 
 // Copyright 2015 flannel authors
 //
@@ -13,7 +14,6 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
-// +build windows
 
 package hostgw
 

diff --git a/backend/ipip/ipip.go b/backend/ipip/ipip.go
@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 // Copyright 2017 flannel authors
@@ -89,7 +90,7 @@ func (be *IPIPBackend) RegisterNetwork(ctx context.Context, wg *sync.WaitGroup,
 		return nil, fmt.Errorf("failed to acquire lease: %v", err)
 	}
 
-	link, err := be.configureIPIPDevice(n.SubnetLease)
+	link, err := be.configureIPIPDevice(n.SubnetLease, config.Network)
 
 	if err != nil {
 		return nil, err
@@ -124,7 +125,7 @@ func (be *IPIPBackend) RegisterNetwork(ctx context.Context, wg *sync.WaitGroup,
 	return n, nil
 }
 
-func (be *IPIPBackend) configureIPIPDevice(lease *subnet.Lease) (*netlink.Iptun, error) {
+func (be *IPIPBackend) configureIPIPDevice(lease *subnet.Lease, flannelnet ip.IP4Net) (*netlink.Iptun, error) {
 	// When modprobe ipip module, a tunl0 ipip device is created automatically per network namespace by ipip kernel module.
 	// It is the namespace default IPIP device with attributes local=any and remote=any.
 	// When receiving IPIP protocol packets, kernel will forward them to tunl0 as a fallback device
@@ -196,7 +197,7 @@ func (be *IPIPBackend) configureIPIPDevice(lease *subnet.Lease) (*netlink.Iptun,
 	// Ensure that the device has a /32 address so that no broadcast routes are created.
 	// This IP is just used as a source address for host to workload traffic (so
 	// the return path for the traffic has an address on the flannel network to use as the destination)
-	if err := ip.EnsureV4AddressOnLink(ip.IP4Net{IP: lease.Subnet.IP, PrefixLen: 32}, link); err != nil {
+	if err := ip.EnsureV4AddressOnLink(ip.IP4Net{IP: lease.Subnet.IP, PrefixLen: 32}, flannelnet, link); err != nil {
 		return nil, fmt.Errorf("failed to ensure address of interface %s: %s", link.Attrs().Name, err)
 	}
 

diff --git a/backend/ipip/ipip_windows.go b/backend/ipip/ipip_windows.go
@@ -11,6 +11,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+//go:build windows
 // +build windows
 
 package ipip

diff --git a/backend/ipsec/handle_charon.go b/backend/ipsec/handle_charon.go
@@ -11,6 +11,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+//go:build !windows
 // +build !windows
 
 package ipsec

diff --git a/backend/ipsec/handle_xfrm.go b/backend/ipsec/handle_xfrm.go
@@ -11,6 +11,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+//go:build !windows
 // +build !windows
 
 package ipsec

diff --git a/backend/ipsec/ipsec.go b/backend/ipsec/ipsec.go
@@ -11,6 +11,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+//go:build !windows
 // +build !windows
 
 package ipsec

diff --git a/backend/ipsec/ipsec_network.go b/backend/ipsec/ipsec_network.go
@@ -11,6 +11,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+//go:build !windows
 // +build !windows
 
 package ipsec
@@ -95,12 +96,13 @@ func (n *network) Run(ctx context.Context) {
 
 	for {
 		select {
-		case evtsBatch := <-evts:
+		case evtsBatch, ok := <-evts:
+			if !ok {
+				log.Infof("evts chan closed")
+				return
+			}
 			log.Info("Handling event")
 			n.handleSubnetEvents(evtsBatch)
-		case <-ctx.Done():
-			log.Info("Received DONE")
-			return
 		}
 	}
 }

diff --git a/backend/route_network.go b/backend/route_network.go
@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 // Copyright 2017 flannel authors
@@ -69,11 +70,12 @@ func (n *RouteNetwork) Run(ctx context.Context) {
 
 	for {
 		select {
-		case evtBatch := <-evts:
+		case evtBatch, ok := <-evts:
+			if !ok {
+				log.Infof("evts chan closed")
+				return
+			}
 			n.handleSubnetEvents(evtBatch)
-
-		case <-ctx.Done():
-			return
 		}
 	}
 }

diff --git a/backend/route_network_test.go b/backend/route_network_test.go
@@ -11,6 +11,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+//go:build !windows
 // +build !windows
 
 package backend

diff --git a/backend/vxlan/device.go b/backend/vxlan/device.go
@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 // Copyright 2015 flannel authors
@@ -13,7 +14,6 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
-// +build !windows
 
 package vxlan
 
@@ -22,11 +22,11 @@ import (
 	"net"
 	"syscall"
 
-	log "github.com/golang/glog"
-	"github.com/vishvananda/netlink"
-
 	"github.com/containernetworking/plugins/pkg/utils/sysctl"
 	"github.com/coreos/flannel/pkg/ip"
+	"github.com/coreos/flannel/pkg/mac"
+	log "github.com/golang/glog"
+	"github.com/vishvananda/netlink"
 )
 
 type vxlanDeviceAttrs struct {
@@ -44,9 +44,15 @@ type vxlanDevice struct {
 }
 
 func newVXLANDevice(devAttrs *vxlanDeviceAttrs) (*vxlanDevice, error) {
+	hardwareAddr, err := mac.NewHardwareAddr()
+	if err != nil {
+		return nil, err
+	}
+
 	link := &netlink.Vxlan{
 		LinkAttrs: netlink.LinkAttrs{
-			Name: devAttrs.name,
+			Name:         devAttrs.name,
+			HardwareAddr: hardwareAddr,
 		},
 		VxlanId:      int(devAttrs.vni),
 		VtepDevIndex: devAttrs.vtepIndex,
@@ -56,7 +62,7 @@ func newVXLANDevice(devAttrs *vxlanDeviceAttrs) (*vxlanDevice, error) {
 		GBP:          devAttrs.gbp,
 	}
 
-	link, err := ensureLink(link)
+	link, err = ensureLink(link)
 	if err != nil {
 		return nil, err
 	}
@@ -112,8 +118,8 @@ func ensureLink(vxlan *netlink.Vxlan) (*netlink.Vxlan, error) {
 	return vxlan, nil
 }
 
-func (dev *vxlanDevice) Configure(ipn ip.IP4Net) error {
-	if err := ip.EnsureV4AddressOnLink(ipn, dev.link); err != nil {
+func (dev *vxlanDevice) Configure(ipa ip.IP4Net, flannelnet ip.IP4Net) error {
+	if err := ip.EnsureV4AddressOnLink(ipa, flannelnet, dev.link); err != nil {
 		return fmt.Errorf("failed to ensure address of interface %s: %s", dev.link.Attrs().Name, err)
 	}
 

diff --git a/backend/vxlan/vxlan.go b/backend/vxlan/vxlan.go
@@ -11,6 +11,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+//go:build !windows
 // +build !windows
 
 package vxlan
@@ -152,7 +153,7 @@ func (be *VXLANBackend) RegisterNetwork(ctx context.Context, wg *sync.WaitGroup,
 	// Ensure that the device has a /32 address so that no broadcast routes are created.
 	// This IP is just used as a source address for host to workload traffic (so
 	// the return path for the traffic has an address on the flannel network to use as the destination)
-	if err := dev.Configure(ip.IP4Net{IP: lease.Subnet.IP, PrefixLen: 32}); err != nil {
+	if err := dev.Configure(ip.IP4Net{IP: lease.Subnet.IP, PrefixLen: 32}, config.Network); err != nil {
 		return nil, fmt.Errorf("failed to configure interface %s: %s", dev.link.Attrs().Name, err)
 	}
 

diff --git a/backend/vxlan/vxlan_network.go b/backend/vxlan/vxlan_network.go
@@ -11,6 +11,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+//go:build !windows
 // +build !windows
 
 package vxlan
@@ -70,11 +71,12 @@ func (nw *network) Run(ctx context.Context) {
 
 	for {
 		select {
-		case evtBatch := <-events:
+		case evtBatch, ok := <-events:
+			if !ok {
+				log.Infof("evts chan closed")
+				return
+			}
 			nw.handleSubnetEvents(evtBatch)
-
-		case <-ctx.Done():
-			return
 		}
 	}
 }

diff --git a/backend/vxlan/vxlan_windows.go b/backend/vxlan/vxlan_windows.go
@@ -11,6 +11,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+//go:build windows
 // +build windows
 
 package vxlan

diff --git a/dist/functional-test-k8s.sh b/dist/functional-test-k8s.sh
@@ -107,13 +107,13 @@ test_vxlan() {
     pings
 }
 
-if [[ ${ARCH} == "amd64" ]]; then
-test_udp() {
-    start_flannel udp
-    create_ping_dest # creates ping_dest1 and ping_dest2 variables
-    pings
-}
-fi
+#if [[ ${ARCH} == "amd64" ]]; then
+#test_udp() {
+#    start_flannel udp
+#    create_ping_dest # creates ping_dest1 and ping_dest2 variables
+#    pings
+#}
+#fi
 
 test_host-gw() {
     start_flannel host-gw

diff --git a/dist/functional-test.sh b/dist/functional-test.sh
@@ -90,13 +90,13 @@ test_vxlan_ping() {
     pings
 }
 
-if [[ ${ARCH} == "amd64" ]]; then
-test_udp_ping() {
-    write_config_etcd udp
-    create_ping_dest # creates ping_dest1 and ping_dest2 variables
-    pings
-}
-fi
+#if [[ ${ARCH} == "amd64" ]]; then
+#test_udp_ping() {
+#    write_config_etcd udp
+#    create_ping_dest # creates ping_dest1 and ping_dest2 variables
+#    pings
+#}
+#fi
 
 test_hostgw_ping() {
     write_config_etcd host-gw
@@ -135,13 +135,13 @@ test_vxlan_perf() {
     perf
 }
 
-if [[ ${ARCH} == "amd64" ]]; then
-test_udp_perf() {
-    write_config_etcd udp
-    create_ping_dest
-    perf
-}
-fi
+#if [[ ${ARCH} == "amd64" ]]; then
+#test_udp_perf() {
+#    write_config_etcd udp
+#    create_ping_dest
+#    perf
+#}
+#fi
 
 test_ipip_perf() {
     write_config_etcd ipip