Feature/ip block reservation

[krunaljain]

This PR provides the GCFS user to reserve a cidr block by providing a configurable parameter named reserved-ipv4-cidr. The /29 IP Range required for the filestore instance would be exclusively allocated from this CIDR range to avoid IP conflicts with kubernetes service IPs.

Users can now reserve a CIDR range and the /29 IP Range required for filestore instances would be exclusively provided from this range. This functionality is intended to avoid IP conflicts between filestore instances and service instances. If the CIDR range is not provided, the current implementation would allocate the reserved IP Range. 

[msau42]

/ok-to-test
/hold
/assign @davidz627

[msau42]

Instead of modifying the ip in-place, it would be better to create and return a new one

[msau42]

It's better to use defer s.config.mutex.Unlock() after Lock() so you don't miss unlocking when you return early from an error

[msau42]

We should avoid holding locks across calls that could potentially block for a long time. I'm not sure if we need to lock in this case since each CreateVolume is doing its own ListInstances call

[msau42]

I would also move this call to just before CreateInstance to avoid unnecessary cloud provider calls

[krunaljain]

To read the updated list of reserved IPs, we have to wait until this call succeeds to avoid read after write hazard, right?

[msau42]

I think you are thinking about the scenario on how to coordinate multiple CreateVolume requests and make them select different IPs.

One way to do it is to lock the entire CreateVolume call so only one volume create can occur at a time. This will work, but I think it will be undesirable because every cloud call could take on the order of minutes. We could try this way just for now to get it working, but we'll definitely need to improve on it.

In the end, we want to allow parallel CreateVolume operations to occur, but need to serialize IP allocation. I think this will require some sort of caching/shared allocator.

[msau42]

I would change the actual user-visible parameter to "reserved-ipv4-cidr"

[msau42]

You can wait to convert to a string until the very end when a non-conflicting IP has been found

[davidz627]

on that note, we don't need to use a buffer at all. After finding a nonoverlapping cidr we can just construct the necessary string in a one line concatenation.

[krunaljain]

The overlap validation function needs two cidrs as arguments. This concatenation was made to convert the IP in CIDR to /29 cidr. Maybe I am missing something here but not sure how we can convert IP to CIDR without concatenation

[davidz627]

This is not really an error. This function is more of a isCIDROverlap and should return a bool along with an error. Errors should be reserved for "problems" not a false value

[davidz627]

on that note, we don't need to use a buffer at all. After finding a nonoverlapping cidr we can just construct the necessary string in a one line concatenation.

[davidz627]

What is the number 8 in this case? Maybe we should make a const for it or a comment here to specify what it is. I noticed in the function definition its of type byte, this is somewhat unusual and is worth clarifying so there are no gotchas in the future

[krunaljain]

8 is used to get to the next /29 address. I will add a constant for this.

[davidz627]

because validateCIDROverlap returns an error for both the overlap case and a malformed cidr, this statement is not always correct. It could just be returning an error because the CIDR is malformed.

[davidz627]

Isn't this a valid increment?

for example 0.0.0.255 incremented by 2 isn't an overflow but is actually 0.0.1.2? I may be misunderstanding whats going on here. Would be helpful to put some comments explaining what these pieces are, like what is the last array entry in ip, why 255 (use a const) etc.

[krunaljain]

I will come up with a more concrete check for this.

[davidz627]

why are we incrementing each part of the IP by step then breaking if its over 0? This will always break after the first iteration unless the step is 0 and the original ip end was also 0. So in practice this will only increment the last part of the ip because if step is non-zero the break will trigger.

Could you please clarify with comments or fix?

[krunaljain]

It's to handle carry when rollover happens. I'll update this to catch rollover with a custom step size.

[davidz627]

are these reserved ip's or unreserved ips?

[krunaljain]

All /29 IPs in a /27 CIDR

[davidz627]

these test functions are prime for Table Driven Tests. They are testing same functions with different data:
https://golang.org/wiki/TableDrivenTests

[davidz627]

Table driven tests. This one is not comprehensive. Try adding some edge cases and funky input. Error cases are also good

[davidz627]

you should also test that these are not actually the same object

[msau42]

style: can you place the all the comments as a line above the code instead of at the end of the line

[msau42]

What happens if cidr range is not set? Maybe generateNewFileInstance should return the cidr range from parameters as another argument

[msau42]

This needs to be done after the GetInstance() call. And we should not unreserve the IP after every failure. The reason is a bit tricky.

In Kubernetes, the timeout value that gets passed into CreateVolume() is very short. This causes the create instance operation on the first time to always return with a timeout error. However, the create operation is still running, therefore the IP is still taken. So we should only allocate a new IP if we're making a new CreateInstance call.

For the failure case, we may have to add some extra checking, and only release the IP if we cannot find an instance.

[msau42]

We should avoid holding global locks over network calls as much as possible because they can block for a very long time.

[msau42]

Add a comment that reserved cidrs will be processed later

[msau42]

reserved cidr should not be a required argument, so this should be a new test case

[msau42]

Would the ParseCIDR function already take care of this case?

[msau42]

Can you add a comment describing the format of this map, along with an example?

[msau42]

Also, I think storing the ipnet type instead of the string representation will be more efficient. Especially later on in GetUnreservedIPBlock, you can avoid converting between ipnet and string.

[msau42]

Can you add a comment describing what this argument means?

[msau42]

These tests can be table driven too

[msau42]

These tests can be table driven too

[msau42]

This is not a required parameter. If it is not specified, then we leave the ReservedIPRange field blank and let Filestore choose an available IP

[msau42]

This is not a required parameter. If it was not specified, then we leave ReservedIpRange empty

[msau42]

The Reserve call should happen inside GetUnreservedIPBlock

[msau42]

A better name could be 'reserveIPRangeto match the eventual argument, and to avoid confusion with theGetUnreservedIPBlock` call in the IPAllocator

[msau42]

Mention in the comment that this argument will be processed later in reserveIPRange

[msau42]

Let's take a step back and whiteboard this design. I don't think just a single map is sufficient for synchronizing creation and deletion.

[davidz627]

nit: just use ok here instead of reservedIPV4CIDRPresent.

https://github.com/golang/go/wiki/CodeReviewComments#variable-names

[davidz627]

dont use error in place of true/false values. A validation should return true when validated and false when the cidr is invalid. It should only return error when there is a failure in the validation process itself

[krunaljain]

Ok. Will change that.

[davidz627]

Are we reserving the IP somewhere? Why reserve and unreserve in the same call?

[krunaljain]

We are reserving in the getUnreservedIPBlock() function which is the inside a lock. It is unreserved when your CreateInstance call resulted in a success.

[msau42]

It's a little unintuitive why you would unreserve an IP once creation is successful.

Maybe better names could be Hold/Unhold.

[davidz627]

this error should be pushed up to right after the ListInstances call. You're trying to use the instances before checking the error here

[krunaljain]

Cool. Will change that.

[davidz627]

Why is getUnreservedIPBlock calling GetUnreservedIPBlock. Do they have significantly different behavior? can we just use one of them here? Is one of them misnamed?

[krunaljain]

Cool. I will fix the naming for this.

[davidz627]

nit: Don't specify an expected answer if there is none (we expect an error here)

[davidz627]

nit: don't need to specify false values

[davidz627]

does ip[ipByte] roll over if overflow, does it reset to 0? Are we relying on undefined/unspecified behavior here?

[krunaljain]

For overflow, after increment, the least significant byte is less than the step and for other bytes the value is 0 as the maximum value of carry is 1

[davidz627]

245 + 20 == 10 or 245 + 20 == 0 was the question I was asking. Either way, a better way to check for overflow is before doing the operation check if BYTE_MAX - step < ip[ipByte]. This will find an overflow cleanly without triggering actual overflow behavior.

There are even proposals to make overflow panic in golang, so I would not rely on the current behavior:
golang/go#19624

[davidz627]

why 0?

[krunaljain]

Because in case of most significant byte, the rollover will occur when your value changes from 255 to 0. Hence after adding the carry we check if the value is greater than 0 for MSB

[davidz627]

this setup should probably be a part of each test case definition

[krunaljain]

Other functions don't accept the reserved list so created only for this.

[msau42]

I would move this mutex into the IPAllocator instead of the controller. The library should provide atomicity without relying on the caller.

[msau42]

This reserve functionality can be done inside GetUnreservedIPBlock

[krunaljain]

Wanted to decouple the Get and Reserve Operations. Also, adding a mutating operation in Get conflicts with the naming.

[msau42]

From the user's perspective, is there a purpose for getting an IP block without reserving it? If not, then I think it can be condensed into two interfaces. Internally, it could remain as two different functions.

[msau42]

It's a little unintuitive why you would unreserve an IP once creation is successful.

Maybe better names could be Hold/Unhold.

[msau42]

We should unhold the IP in both success and error cases. A defer can be used after the Hold()

[krunaljain]

In case of error, instance has not been created yet. So other threads making the list call would not get the the IP as reserved and can end up holding the reserved IP as it is no longer blocked. Returning a response from CreateVolume ensures that the instance has been created and would be available in subsequent list calls. Let me know if I am missing something in my analysis here.

[msau42]

If you reserve the IP, and then CreateInstance fails, right now, it seems like the behavior is to keep it reserved so no other requests can use it. We want the opposite behavior. This may also be a good scenario to unit test.

[krunaljain]

In this case we would need to identify whether the CreateInstance operation is running in the background and the error is due to some other source(ex timeout) or the operation itself aborted. In the previous case, we should not release the IP but in the later case we should.

[msau42]

I think both cases you can release the IP. IIUC,

1. If operation is running in the background, then when you ListInstances, you will get the IP
2. If operation aborted, the IP didn't get consumed by the Filestore service, so it is safe to release

[msau42]

does this need to be a map, or can it be a slice?

[davidz627]

I think its useful to be a map for lookup reasons. its basically being used as a "set"

[msau42]

This should create and modify a new map instead of modifying the user's map. Also does this need to be a map? We seem to just be iterating over it, so it could be a slice.

[krunaljain]

Its implementation of a Set using a Map

[msau42]

The error is being dropped. At this point, is it expected to receive an error? If not, then we should probably return immediately with an error

[krunaljain]

Error is for this cidrIP and reservedIP overlap combination. We can try out other combinations.

[msau42]

Yes, I mean that we should probably return if there's an error instead of continuing

[msau42]

I'm not a fan of modifying structures for temporary state. I think it would be simpler for incrementIP to return a new IP everytime.

[davidz627]

looking pretty good. Mostly just some naming issues and nits

[davidz627]

nit: idiomatic golang style is usually to have a smaller block to handle the error for if !ok, then the success case should be not inside a conditional block

[krunaljain]

In this case, you implement some logic in case if the param is present and do nothing in case it is not. So there is just one block depending on the condition.

[davidz627]

instead of reserve lets call it:
preallocate (?)
lock (?)
earmark (?)
designate (?)
allot (?????)
@msau42

[msau42]

out of those, i like preallocate the best, but what is the reverse? unallocate?

[davidz627]

depreunallocate

[krunaljain]

does hold and release sound appropriate?

[msau42]

sgtm

[davidz627]

nit: name this mutex after the thing that it is mutexing. This way we wont accidentally reuse this mutex for different purposes and potentially deadlock

[davidz627]

It's not super clear here that the reservedIPRanges you're passing in are being merged with those in the "ipAllocator" to me. I think this boils down to a naming issue. The code looks mostly ok but it just doesn't feel intuitive because everything is named similar things its hard to seperate concepts

[davidz627]

245 + 20 == 10 or 245 + 20 == 0 was the question I was asking. Either way, a better way to check for overflow is before doing the operation check if BYTE_MAX - step < ip[ipByte]. This will find an overflow cleanly without triggering actual overflow behavior.

There are even proposals to make overflow panic in golang, so I would not rely on the current behavior:
golang/go#19624

[davidz627]

will we never need step sizes over 255? Genuine question, I don't know.

[krunaljain]

That's an assumption here. Would be required if you want to return smaller than /24 block instead of the existing /29

[davidz627]

dont depend on overflow behavior, see above

[davidz627]

why is this an error? can't we then increment the next value by 1?

0.255.255.255 step by 1 should be 1.0.0.0 not an error

[krunaljain]

this check is after incrementing ip[ipByte]. So, after increment, if this value is still 0, that implies that it transitioned from 255 to 0 and there is an overflow. If you are already at the Most Significant byte(ipByte== 0) and the value is 0 after increment, it means that there is an overflow in the IP range and you return with an error.

[davidz627]

add test

currentIP:     "0.255.255.255",
step:          3,
expected: "1.0.0.2",

[krunaljain]

I think currentIP: "192.255.255.253", step: 255, expected: "193.0.0.252", is a similar case. But can add this if you want

[msau42]

Can you update all the comments? In this particular comment, it's referring to variables that don't exist. many of the other comments are out of date too

[msau42]

The defer should go right after you reserve the IP. That way it gets invoked if the function exits for any reason afterwards.

[msau42]

Now that the lock is hidden inside the util, this comment is not necessary

[msau42]

err is not set to anything here?

[msau42]

This comment is an implementation detail and would be better suited for inside the util library

[msau42]

Can you move the comment describing this field right above the field?

[msau42]

And can you give an example of the actual string syntax in this map, ie The key is the held ipnet in string format, ie "1.2.3.0/29"

[msau42]

What happens if incrementIP errors?

[krunaljain]

We stop iterating over the cidr

[msau42]

do you want to log the error? right now it is lost

[msau42]

This can be a private function

[msau42]

Needs a lock

[msau42]

Also please run hack/update-gofmt.sh

[msau42]

This is looking good! I just have nit picky naming comments.

[msau42]

maybe something like "we need to pick an unused /29 range from reserved-ipv4-cidr" would be more clear

[msau42]

error messages should start with lowercase. a simpler wording could be "invalid reserved-ipv4-cidr %s"

[msau42]

"the ListInstances response will contain the reservedIPRange if the operation was started"

[msau42]

The naming of this function is symmetrical with the controller call, but not with the ipAllocator. It may be cleaner to make it symmetrical with ipAlloactor, and break up reserveIPRange into "getUsedIPRanges" and then call the ipAllocator.GetUnreservedIPBlock.

Let's also try to standardize on the terminology. We're using ipblock, iprange, and ipv4-cidr. Maybe we can reduce it down to two.

1. ipv4-cidr to refer to the bigger ipnet that we're extracting from. This aligns with the rest of GKE naming
2. ipRange to refer to the /29 ipnet that we pass to Filestore. This aligns with Filestore naming.

[msau42]

the function name is not consistent in the comment

[msau42]

Does hold need to be initialized by the caller, or can it be initialized inside the constructor?

[krunaljain]

Needs to be initialized by the caller

[msau42]

Why? right now I see the caller is just initializing it to empty

[krunaljain]

Just using it as a parameterized constructor here where the caller has the flexibility to initialize it to any value rather than enforcing a default

[msau42]

A better name could be "pendingIPRanges"

[msau42]

I think "used" makes more sense than "reserved"

[davidz627]

2 small nits. then most likely LGTM

[davidz627]

nit: if only needed inside if scope you can do:
if reservedIPV4CIDR, ok := req.GetParameters()[paramReservedIPV4CIDR]; ok {

[davidz627]

nit: 255 should be a const

[msau42]

"the ListInstances response will include the reservedIPRange if the operation started"

[msau42]

the function name is wrong in this comment

"returns an available /29 IP range from the cidr"

[msau42]

a more descriptive name may be "pendingIPRanges"

[msau42]

I don't understand what this comment is referring to

[msau42]

nit: when enumerating a list, I would put 1) on a new line

[msau42]

do you want to log the error? right now it is lost

[msau42]

cidrIPBlock is a little misleading because it's actually an ip, not an ipnet.

[msau42]

It is not a good idea to generate test input based on the ordering of the test case. If a test case gets added in the middle, then all the subsequent tests will fail. It would be better make the testcase inputs an explicit parameter in the test case.

[krunaljain]

The distribution of IPs in the two lists is completely random and the test does not depend on the ordering

[msau42]

If you moved the test case "0/4 /29 IP blocks used", to the end of the cases slice, would the tests fail?

[krunaljain]

ok. got it. thanks

[msau42]

Can you also have test cases that check overlapping and non-overlapping CIDRs where the mask (/x) is the same?

[krunaljain]

sure

[msau42]

There should be a test case where the cidr is misaligned and could cause an ip range to be returned that is smaller than /29, ie 192.168.0.253/29

[krunaljain]

For our existing implementation, we are using masking to set up the address. Hence for the CIDR you provided, the starting /29 IP would still be 192.168.0.248(the starting IP address of that CIDR block) and you would always get a block with 8 IPs. Can add the test

[msau42]

Maybe instead of masking it, we should return an error if the provided CIDR is misaligned.

[krunaljain]

192.168.0.253/29 is one of the IP values in the CIDR. IP value can be anything from 192.168.0.248-255/29 in this network. When we get a reservedIPRange, its not necessarily the first IP in that CIDR but part of a network with 8 IPs. The /29 CIDR is uniquely identified by its network ID which is the first 29 bits. The last 3 bits can be anything and hence we use the mask to reset.

[msau42]

do we ensure that all 8 ips are unused?

[msau42]

I mean, when we get a reservedIPRange and pass it to Filestore, that IP range needs to contain 8 IPs.

[krunaljain]

yup that part is taken care of by the cidr overlap function. it ensures the trailing 29 bits of your network are completely unique. so you are always going to end up with 8 unused IPs

[msau42]

If you pass in a misaligned IP range to Filestore, will it succeed?

I think for simplicity, we should validate that the user's CIDR is aligned.

[krunaljain]

We would never end up passing a misaligned range from the implementation. It always passes in the first IP of the available /29 block. If the user passes the reserved-ipv4-cidr of 192.168.0.253/29, we assume he has all the IPs from 192.168.0.248-255/29

[msau42]

That's fine. We should at least validate the user specified CIDR params so there's no confusion if we end up creating a filestore instance with a "lower" IP

[krunaljain]

These are the tests for the required alignment check

[msau42]

I'm not sure why this diff is showing up because it's already like this in master. Maybe you need to rebase?

[msau42]

"maximum" is sort of misleading because the bigger the number, the smaller the network is. Maybe instead the message should say "the reserved-ipv4-cidr network size must be at least /29"

[msau42]

"... must be aligned on the /29 network boundary"

[msau42]

Can you add in test cases that could potentially catch off-by-one errors?

For example, test cases where the expected should be ".255", ".0" or ".1"

[krunaljain]

i have added the tests

[krunaljain]

expected byte .0 test

[krunaljain]

expected byte .255 test

[krunaljain]

expected byte .1 test

[krunaljain]

Updated error message

[krunaljain]

Updated error message

[msau42]

/lgtm
/hold cancel

[davidz627]

@msau42 I think you have to explicitly approve

I plan on doing one last pass-through though so please hold off until then

[msau42]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: krunaljain, msau42

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [msau42]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[msau42]

/hold

[davidz627]

/lgtm
/hold cancel