Log out from multiple target portals when using iscsi storage plugin

[mtanino]

What this PR does / why we need it:

When using iscsi storage with multiple target portal (TP) addresses
and multipathing the volume manager logs on to the IQN for all
portal addresses, but when a pod gets destroyed the volume manager
only logs out for the primary TP and sessions for another TPs are
always remained.

This patch adds mount points for all TPs, and then log out from all
TPs when a pod is destroyed. If a TP is referred from another pods,
the connection will be remained as usual.

Which issue this PR fixes
fixes #45394

Special notes for your reviewer:

Release note:

iscsi storage plugin: Fix dangling session when using multiple target portal addresses.

[k8s-ci-robot]

Hi @mtanino. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with @k8s-bot ok to test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[gnufied]

/assign @rootfs

[rootfs]

@k8s-bot ok to test

[tobad357]

My go fu is not great but this looks like it will return an array with empty elements at the end in case it removes some duplicates which would mean the kubelet tries to execute iscsiadm commands on empty data.

This go playground example avoids it, maybe can use that
https://play.golang.org/p/q3bZ3hpOzD

[mtanino]

Thank you for your comment. Your suggestion looks good.
My go is not great too, so I'm curious what kind of input causes empty elements return?

[tobad357]

My bad
I expected the len of the new array to be 3 and the last element empty in the case
of having a list of three portals with on set of duplicates

See
https://play.golang.org/p/hkm8_bhlOy

[tobad357]

Nit: ture = true

[tobad357]

can just return true here as flag isn't used anywhere

[mtanino]

Correct. Thanks.

[tobad357]

@rootfs how long backwards compatibility is promised.
Can this code be removed after X versions of k8s.
If so would be good to add a todo for when it should be removed

[rootfs]

a todo is good for note taking

[mtanino]

OK. Will do.

[tobad357]

I'm not quite following the logic here
If there is two mntpaths where the first one has a cnt of 0 and the first one the second one a count of 2.
Won't we skip logging out the first one?

[mtanino]

Agreed. This logic should be changed like following.

In case of multipath with two portals, mntpaths has two global mount paths like;
/var/lib/kubelet/plugins/kubernetes.io/iscsi/iface-default/x.x.x.10:3260-iqn.aaa
/var/lib/kubelet/plugins/kubernetes.io/iscsi/iface-default/x.x.x.20:3260-iqn.bbb

Then, we should;
(1) Unmount all mntPaths
(2) Count num(cnt) of remained devices with GetDeviceNameFromMount
(3) If cnt == 0,then logout from these two iSCSI sessions

Any concerns?

[tobad357]

Is there a reason we need to wait to log out one device until the other one has cnt == 0
If we don't have to wait and just log out any device with cnt == 0 then we can combine the loops

[mtanino]

The cnt shows that the number of remained devices
If we have two remaining paths like this, then GetDeviceNameFromMount returns '2'.

/var/lib/kubelet/plugins/kubernetes.io/iscsi/iface-default/x.x.x.10:3260-iqn.aaa
/var/lib/kubelet/plugins/kubernetes.io/iscsi/iface-default/x.x.x.20:3260-iqn.bbb

In this case, I think we should unmount these paths at first. Then if these unmount is succeeded and cnt == 0, it means no one is using iSCSI connection so we can logout each iSCSI connections step by step. so I'm using divided for two loop for these steps.

But can we combine these steps into single for loop? Please let me know if you have good idea.
Thanks,

[tobad357]

By doing Unmount first and GetDeviceNameFromMount second can't the cnt, cnt-- be skipped
and only use cnt

[mtanino]

Will do.

[mtanino]

@k8s-bot ok to test

[mtanino]

@rootfs
Can you take a look of this fix?

[mtanino]

@k8s-bot pull-kubernetes-cross test this

[rootfs]

empty line

[mtanino]

I'll remove it.

[rootfs]

@humblec

[humblec]

Why we need removeDuplicate in attachdisk, can you please give some details on why we need this ?

[mtanino]

At first I thought if user passes duplicate portal IPs like this, iscsiadm will be called multiple times unnecessarily, but it was my misunderstanding.

    iscsi:
      targetPortal: 192.168.122.85:3260
      portals: ['192.168.122.85:3260', '192.168.122.7:3260']
      iqn: iqn.2017-05.com.example:rhel7

Actually waitForPathToExist() checks existing path so even if user specify duplicate portal IPs in the config, duplicate IPs will be skipped.

I'll remove removeDuplicate() logic from attachdisk()

Thanks,

[humblec]

Its perfectly valid that portal can be empty. I may be missing the logic here, can you please fill me in?

[mtanino]

same above.

[humblec]

portal is a known member here in this code path as []string. May be you could use some other name to avoid confusion. Just a thought.

[humblec]

@mtanino Thanks for this PR ! I have few comments. Also it would be appreciated if you can explain some more on the bind mount approach followed in attachdisk for better understanding, I failed to get it in quick look.

[humblec]

@mtanino : The test failure looks to be valid as well.

I0527 08:03:19.329] pkg/volume/util/device_util.go:31: cannot use deviceHandler literal (type *deviceHandler) as type DeviceUtil in return argument:
I0527 08:03:19.329] 	*deviceHandler does not implement DeviceUtil (missing FindDevicemapperName method)
I0527 08:03:19.329] !!! [0527 08:03:19] Call tree:
I0527 08:03:19.330] !!! [0527 08:03:19]  1: /go/src/k8s.io/kubernetes/hack/lib/golang.sh:690 kube::golang::build_binaries_for_platform(...)
I0527 08:03:19.330] !!! [0527 08:03:19]  2: hack/make-rules/build.sh:27 kube::golang::build_binaries(...)
I0527 08:03:19.336] Makefile:89: recipe for target 'all' failed
I0527 08:03:19.339] Makefile:396: recipe for target 'cross' failed

[humblec]

@mtanino also the PR says, logout from multiple target portals when using iscsi plugin, however it change the code in attachdisk()..etc, where my expectation was that, the change would be more or less in detachdisk(). It could be better if you can split this PR into different commits and organize the changes. It will make the review process bit easier. At time of merging we could squash it .

[mtanino]

@humblec

where my expectation was that, the change would be more or less in detachdisk().

In my understanding,

• Currently only first path is mounted under kubelet dir even if user specify multiple portals.

/dev/mapper/mpathb on /var/lib/kubelet/plugins/kubernetes.io/iscsi/iface-default/192.168.122.85:3260-iqn.2017-05.com.example:rhel7-lun-0 

• DetachDisk() collects iSCSi connection information from this mount path.
  But we don't have 2nd and subsequent sessions information so that we can't logout from them.

Is this correct?

In my approach, In order to logout from multiple iSCSI sessions, we need following two fix in this PR.

• Add mount points for all iSCSI sessions at Attachdisk()
• Logout from multiple portals using above mount points information at DetachDisk()

As a result, if user specify multiple portals like this,

    iscsi:
      targetPortal: 192.168.122.85:3260
      portals: ['192.168.122.7:3260']
      iqn: iqn.2017-05.com.example:rhel7

we can see mount points like this.

/dev/mapper/mpathb on /var/lib/kubelet/plugins/kubernetes.io/iscsi/iface-default/192.168.122.85:3260-iqn.2017-05.com.example:rhel7-lun-0 type ext4 (ro,relatime,block_validity,delalloc,barrier,user_xattr,acl,stripe=2048)
/dev/mapper/mpathb on /var/lib/kubelet/plugins/kubernetes.io/iscsi/iface-default/192.168.122.7:3260-iqn.2017-05.com.example:rhel7-lun-0 type ext4 (ro,relatime,block_validity,delalloc,barrier,user_xattr,acl,stripe=2048)
/dev/mapper/mpathb on /var/lib/kubelet/pods/f3838bc8-4562-11e7-8fd5-525400645a80/volumes/kubernetes.io~iscsi/iscsipd-rw type ext4 (ro,relatime,block_validity,delalloc,barrier,user_xattr,acl,stripe=2048)

Then we can properly logout using these two iSCSI connection information.

Any thought?

Thanks,
Mitsuhiro

[mtanino]

@humblec
I'll take a look device_util.go as well.

[humblec]

@mtanino thanks for giving more details about the approach! iirc, when there are entries in portals field, we form paths for each portal. You could validate this in /dev/disk/by-path. Please pay attention to the portal IPs ( 10.0.2.{15,16,17,18} and also the IQN. These ( as in below output) all belongs to same mpath device. Also, we could list the active sessions from iscsiadm -m session . I think once we confirmed there is no active mount/ref exist on this mpath device, we can make use of existing iscsi sessions or parse below path to understand the existing connections and logout accordingly.

# ll /dev/disk/by-path/
lrwxrwxrwx. 1 root root 9 Feb 16 15:58 ip-10.0.2.15:3260-iscsi-iqn.2016-04.test.com:storage.target00-lun-0 -> ../../sdb
lrwxrwxrwx. 1 root root 9 Feb 16 15:41 ip-10.0.2.16:3260-iscsi-iqn.2016-04.test.com:storage.target00-lun-0 -> ../../sdc
lrwxrwxrwx. 1 root root 9 Feb 16 15:58 ip-10.0.2.17:3260-iscsi-iqn.2016-04.test.com:storage.target00-lun-0 -> ../../sdd
lrwxrwxrwx. 1 root root 9 Feb 16 15:41 ip-10.0.2.18:3260-iscsi-iqn.2016-04.test.com:storage.target00-lun-0 -> ../../sde

@rootfs Any thoughts?

[tobad357]

@mtanino if going down the route of saving a json file wont that become an issue in the scenario where the umount goes through but something happens with the iscsi logout.
In that case the kubelet will not be able to logout the sessions in successive tries

[rootfs]

@tobad357 the json file lives on the host, so it will survive an unmount and iscsi logout.

[rootfs]

iscsi: create %s err %s

[mtanino]

done

[rootfs]

ditto

[mtanino]

done

[rootfs]

/approve

[rootfs]

nit: make a note here, the iscsi config json is not deleted

[mtanino]

done

[k8s-ci-robot]

@mtanino: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-kubernetes-cross	340a78211e46ab0fe91a4edb06516a4d6452963f	link	@k8s-bot pull-kubernetes-cross test this

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[rootfs]

/lgtm

[mtanino]

@k8s-bot pull-kubernetes-e2e-gce-etcd3 test this

[mtanino]

@k8s-bot pull-kubernetes-node-e2e test this

[humblec]

/lgtm. Thanks !!

[mtanino]

After merged the fix, can we cherry pick the PR to v1.6.x tree?

[childsb]

/approve

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: childsb, mtanino, rootfs

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• pkg/volume/iscsi/OWNERS [childsb,rootfs]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[tobad357]

@mtanino I agree this is very important to us as well
Would be great to get into a 1.6.x release

[k8s-github-robot]

Automatic merge from submit-queue