Cilium fix bpffs check

[olemarkus]

The check introduced in #7832 is unfortunately too naïve to detect if bpffs has been mounted leading to the unit file never being installed. This is quite disastrous for cilium.

This check in this PR should be more robust.

/kind bug

[k8s-ci-robot]

Hi @olemarkus. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[hakman]

/ok-to-test

[rifelpet]

@olemarkus I see the original PR was backported all the way to 1.15. Should this be considered a blocker for 1.16.0 stable?

[olemarkus]

I don't understand why, but the 1.16 and 1.15 branch is not affected. The /sys/fs/bpf path doesn't exist at the time of the check on those branches even if I use the same ami. Another change added to kops after 1.16 branch was cut must be causing this.

[hakman]

Just a quick update, the Cilium periodic e2e is working again:
https://prow.k8s.io/view/gcs/kubernetes-jenkins/logs/ci-kubernetes-e2e-kops-aws-cni-cilium/1230702775738830848

[olemarkus]

@rifelpet unfortunately, this does indeed break cilium back to 1.15.2. It should probably block 1.16.

[hakman]

@olemarkus the sorting in vendor/modules.txt seems off can you check that you are using go v1.13.x?
https://go-review.googlesource.com/c/go/+/174527/

[olemarkus]

I am using go1.13.4 and just running make gomod. When I run it again, there are no changes to the vendor/modules.txt file.

[olemarkus]

For some reason make gomod used another binary than expected. Things looks a lot more sane now.

[hakman]

Thanks for the update @olemarkus. I was just about to start checking why it worked differently on my end.

[hakman]

Me and @rifelpet did some research yesterday on this topic and will add some questions.

[hakman]

I think this is still valid. If there is an unexpected error when reading from /sys/fs/bp, the systemd mount would not help, right?

[olemarkus]

This is probably still valid. Most likely this would be due to the path being absent and if the unit tries to mount it will just fail. Result will be quite similar and I suppose equally easy to detect.

[hakman]

👍

[hakman]

What happens if the fs type is not BPF? Would it be better to return with an error also?

The Cilium code describes the logic for mounting the BPF fs and there is also a mention of a fallback location /run/cilium/bpffs:
https://github.com/cilium/cilium/blob/cbd63be46569751ac45060e54f6787f1286b75cd/pkg/bpf/bpffs_linux.go#L213-L224

// checkOrMountDefaultLocations tries to check or mount the BPF filesystem in
// standard locations, which are:
// - /sys/fs/bpf
// - /run/cilium/bpffs
// There is a procedure of determining which directory is going to be used:
// 1. Checking whether BPFFS filesystem is mounted in /sys/fs/bpf.
// 2. If there is no mount, then mount BPFFS in /sys/fs/bpf and finish there.
// 3. If there is a BPFFS mount, finish there.
// 4. If there is a mount, but with the other filesystem, then it means that most
// probably Cilium is running inside container which has mounted /sys/fs/bpf
// from host, but host doesn't have proper BPFFS mount, so that mount is just
// the empty directory. In that case, mount BPFFS under /run/cilium/bpffs.

[olemarkus]

If BPF is not mounted on /sys/fs/bpf, the path will still exist, which is why the old check fails. So most likly the fs type will not be bpf before we install the unit.

/run/cilium/bpffs is a fallback if the host is not mounting bpf. This will cause network disruptions every time cilium pods restart though since the bpf mounts are lost.

[hakman]

OK, more clear now. Thanks for clarifying the fallback part.

Regarding the check, if the path exists, unix.Statfs would succeed and will return SYSFS_MAGIC=0x62656572 or something similar. If there is an error other than the "no such file or directory", maybe it's not a good thing to continue. Same goes for a magic number that is not SYSFS_MAGIC or BPF_FS_MAGIC.

[olemarkus]

Shouldn't you be able to mount bpffs on whatever path that exists?

I will add back the return on error shortly. unix.Statfs("/sys/fs/bpf", &fsdata) would return error on file not found too, shouldn't it? So the os.Stat check would be redundant.

[hakman]

Just checked and you are right, if the mount path doesn't exist, the unit won't help. Probably for any type of error BPF mounting will fail.

[hakman]

This part is mostly ok. There may be a rare case where the magic number is different from SYSFS_MAGIC=0x62656572 or BPF_FS_MAGIC= 0xCAFE4A11 and mounting will fail. I don't think it's worth adding it for now.

[rifelpet]

nit: we don't need this else statement anymore.

[rifelpet]

it might be worth adding this link as a comment: https://github.com/torvalds/linux/blob/v4.8/include/uapi/linux/magic.h#L80

[hakman]

Also would be nice to move the var and comment just before it's used.

[rifelpet]

/lgtm
/approve

We increased the frequency of the cilium periodic job to run hourly, we'll keep an eye on it to confirm things are still stable before we merge cherry-picks of this 👍

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: olemarkus, rifelpet

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rifelpet]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[justinsb]

I am a little confused ... https://k8s-testgrid.appspot.com/google-aws#kops-aws-cni-cilium seems to suggest this broke two days ago, but my original (insufficient) PR is from a month or two ago. Do we know what caused it to break? (Was it a newer version of cilium that makes the directory?)

[olemarkus]

Just bad timing. The e2e tests broke because of the typo fixed here #8591
The bpf mount bug this PR fixed is unrelated to the e2e tests.

[justinsb]

Ah - thanks @olemarkus (and thanks also for fixing!)

[mazzy89]

@olemarkus I'm running k8s 1.15.9 with cilium from kops 1.15.2 but I'm not having this issue.Is it clear for you why this version is not affected?

[olemarkus]

It is affected too. If you see the cilium agent logs, you should see a warning about bpf not already mounted on the hair

[mazzy89]

I see. I'll take a look at that. Which are the effects of this? I did not notice anything weird in the cluster. Everything is operative and healthy in term of networking.