From 9be3768c909a47ee107808e383fd0546d100e3d0 Mon Sep 17 00:00:00 2001
From: TrekkieCoder
Date: Sat, 29 Jul 2023 16:17:01 +0900
Subject: [PATCH 1/2] cicd for in-cluster mode updated
---
 cicd/k3s-flannel-incluster/Vagrantfile | 22 ++++++++++------------
 cicd/k3s-flannel-incluster/host.sh | 2 ++
 cicd/k3s-flannel-incluster/loxilb.yml | 2 +-
 cicd/k3s-flannel-incluster/master1.sh | 4 ++--
 cicd/k3s-flannel-incluster/rmconfig.sh | 1 +
 cicd/k3s-flannel-incluster/worker.sh | 1 +
 6 files changed, 17 insertions(+), 15 deletions(-)
 create mode 100755 cicd/k3s-flannel-incluster/host.sh
diff --git a/cicd/k3s-flannel-incluster/Vagrantfile b/cicd/k3s-flannel-incluster/Vagrantfile
index f442b888..5b82e9b5 100644
--- a/cicd/k3s-flannel-incluster/Vagrantfile
+++ b/cicd/k3s-flannel-incluster/Vagrantfile
@@ -2,7 +2,6 @@
 # vi: set ft=ruby :
 workers = (ENV['WORKERS'] || "2").to_i
-#box_name = (ENV['VAGRANT_BOX'] || "ubuntu/focal64")
 box_name = (ENV['VAGRANT_BOX'] || "sysnet4admin/Ubuntu-k8s")
 box_version = "0.7.1"
 Vagrant.configure("2") do |config|
@@ -13,17 +12,16 @@ Vagrant.configure("2") do |config|
 config.vbguest.auto_update = false
 end
- #config.vm.define "loxilb" do |loxilb|
- # loxilb.vm.hostname = 'llb1'
-#loxilb.vm.network "forwarded_port", guest: 55002, host: 5502, protocol: "tcp"
- # loxilb.vm.network :private_network, ip: "192.168.80.9", :netmask => "255.255.255.0"
- # loxilb.vm.network :private_network, ip: "192.168.90.9", :netmask => "255.255.255.0"
- # loxilb.vm.provision :shell, :path => "loxilb.sh"
- # loxilb.vm.provider :virtualbox do |vbox|
- # vbox.customize ["modifyvm", :id, "--memory", 6000]
- # vbox.customize ["modifyvm", :id, "--cpus", 4]
- # end
- #end
+ config.vm.define "host" do |host|
+ host.vm.hostname = 'host1'
+ host.vm.network :private_network, ip: "192.168.80.9", :netmask => "255.255.255.0"
+ host.vm.network :private_network, ip: "192.168.90.9", :netmask => "255.255.255.0"
+ host.vm.provision :shell, :path => "host.sh"
+ host.vm.provider :virtualbox do |vbox|
+ vbox.customize ["modifyvm", :id, "--memory", 2048]
+ vbox.customize ["modifyvm", :id, "--cpus", 1]
+ end
+ end
 config.vm.define "master1" do |master|
 master.vm.hostname = 'master1'
diff --git a/cicd/k3s-flannel-incluster/host.sh b/cicd/k3s-flannel-incluster/host.sh
new file mode 100755
index 00000000..45959183
--- /dev/null
+++ b/cicd/k3s-flannel-incluster/host.sh
@@ -0,0 +1,2 @@
+sudo ip route add 123.123.123.0/24 via 192.168.90.10
+echo "Host is up"
diff --git a/cicd/k3s-flannel-incluster/loxilb.yml b/cicd/k3s-flannel-incluster/loxilb.yml
index 0ff04637..32d55175 100644
--- a/cicd/k3s-flannel-incluster/loxilb.yml
+++ b/cicd/k3s-flannel-incluster/loxilb.yml
@@ -32,7 +32,7 @@ spec:
 containers:
 - name: loxilb-app
 image: "ghcr.io/loxilb-io/loxilb:latest"
-command: [ "/root/loxilb-io/loxilb/loxilb", "--bgp", "--egr-hooks" ]
+command: [ "/root/loxilb-io/loxilb/loxilb", "--bgp", "--egr-hooks", "--blacklist=cni[0-9a-z]|veth.|flannel." ]
 ports:
 - containerPort: 11111
 - containerPort: 179
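Review bot: The new host.sh has no interpreter line and no error handling, and its first line, `sudo ip route add 123.123.123.0/24 via 192.168.90.10`, is not idempotent: re-running the provisioner once the route exists fails with "RTNETLINK answers: File exists" and the script keeps going regardless. `sudo ip route replace 123.123.123.0/24 via 192.168.90.10` behaves the same on a fresh VM and succeeds on re-provision. A `#!/bin/bash` first line would make the file consistent with the other provisioning scripts in the directory (their headers are outside this patch, so that is presumed), and a short comment saying what 123.123.123.0/24 is (the service/external range routed through master1, I assume) would spare the next reader a search.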
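Review bot: The pattern `cni[0-9a-z]|veth.|flannel.` in the new `--blacklist` argument is unanchored and uses `.` as a regex wildcard; combined with the substring matching the Go side performs (`regexp.MatchString` in the second patch), it also hides any interface whose name merely contains one of these fragments (a constructed example: an uplink called `ovs-veth1`), and `flannel.` matches `flannel.1` only because `.` matches any character. Anchoring and escaping state the intent explicitly, e.g. `"--blacklist=^(cni[0-9a-z]+|veth.*|flannel\\.[0-9]+)$"`. A one-line YAML comment above `command:` explaining why the CNI, veth and flannel interfaces must be kept away from the egress hooks would help whoever adapts this manifest to another CNI.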
diff --git a/cicd/k3s-flannel-incluster/master1.sh b/cicd/k3s-flannel-incluster/master1.sh
index 6b327c5b..b693d54b 100755
--- a/cicd/k3s-flannel-incluster/master1.sh
+++ b/cicd/k3s-flannel-incluster/master1.sh
@@ -6,6 +6,6 @@ echo $MASTER_IP > /vagrant/master-ip
 cp /var/lib/rancher/k3s/server/node-token /vagrant/node-token
 sed -i -e "s/127.0.0.1/${MASTER_IP}/g" /etc/rancher/k3s/k3s.yaml
 cp /etc/rancher/k3s/k3s.yaml /vagrant/k3s.yaml
-#sudo kubectl apply -f /vagrant/loxilb.yml
-#sudo kubectl apply -f /vagrant/kube-loxilb.yml
+sudo kubectl apply -f /vagrant/loxilb.yml
+sudo kubectl apply -f /vagrant/kube-loxilb.yml
 /vagrant/wait_ready.sh
diff --git a/cicd/k3s-flannel-incluster/rmconfig.sh b/cicd/k3s-flannel-incluster/rmconfig.sh
index e4b482c6..bd4b79e8 100755
--- a/cicd/k3s-flannel-incluster/rmconfig.sh
+++ b/cicd/k3s-flannel-incluster/rmconfig.sh
@@ -4,3 +4,4 @@ vagrant destroy -f worker1
 vagrant destroy -f worker2
 vagrant destroy -f master1
 vagrant destroy -f master2
+vagrant destroy -f host
diff --git a/cicd/k3s-flannel-incluster/worker.sh b/cicd/k3s-flannel-incluster/worker.sh
index e8cb7935..adfdd871 100644
--- a/cicd/k3s-flannel-incluster/worker.sh
+++ b/cicd/k3s-flannel-incluster/worker.sh
@@ -5,6 +5,7 @@ export NODE_TOKEN=$(cat /vagrant/node-token)
 mkdir -p /etc/rancher/k3s
 cp -f /vagrant/k3s.yaml /etc/rancher/k3s/k3s.yaml
 curl -sfL https://get.k3s.io | K3S_TOKEN=${NODE_TOKEN} sh -s - agent --server https://192.168.80.10:6443 --node-ip=${WORKER_ADDR} --node-external-ip=${WORKER_ADDR} -t ${NODE_TOKEN}
+sudo kubectl apply -f /vagrant/loxilb-peer.yml
 sudo kubectl apply -f /vagrant/nginx.yml
 sudo kubectl apply -f /vagrant/udp.yml
 sudo kubectl apply -f /vagrant/sctp.yml
From 9e303c8fe46c5c8475cf23bd556a4e133c2ee90f Mon Sep 17 00:00:00 2001
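Review bot: The added `sudo kubectl apply -f /vagrant/loxilb-peer.yml` refers to a manifest that this patch series does not add (the diffstat lists host.sh as the only new file), so unless loxilb-peer.yml already exists in cicd/k3s-flannel-incluster the step fails; whether that aborts provisioning depends on a `set -e` that is outside the hunk. The line also runs on every worker, so the same manifest is applied once per node; if it is cluster-scoped rather than per-node, the natural home is master1.sh next to the loxilb.yml apply, after the server is up. The neighbouring nginx/udp/sctp applies follow the same per-worker pattern, so that part is pre-existing style rather than a new defect.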
From: Trekkie Coder
Date: Sat, 29 Jul 2023 16:31:30 +0900
Subject: [PATCH 2/2] egr hooks: blacklisting of certain interfaces
---
 api/loxinlp/nlp.go | 46 +++++++++++++++++++++++++++++++++++++++++++---
 loxinet/loxinet.go | 2 +-
 options/options.go | 1 +
 3 files changed, 45 insertions(+), 4 deletions(-)
diff --git a/api/loxinlp/nlp.go b/api/loxinlp/nlp.go
index 2537626f..375afda7 100644
--- a/api/loxinlp/nlp.go
+++ b/api/loxinlp/nlp.go
@@ -82,7 +82,9 @@ type NlH struct {
 LinkUpdateCh
 NeighUpdateCh
 RouteUpdateCh
- IMap map[string]Intf
+ IMap map[string]Intf
+ BlackList string
+ BLRgx *regexp.Regexp
 }
 var hooks cmn.NetHookInterface
@@ -1198,6 +1200,12 @@ func DelRoute(route nlp.Route) int {
 func LUWorkSingle(m nlp.LinkUpdate) int {
 var ret int
+
+ filter := nNl.BLRgx.MatchString(m.Link.Attrs().Name)
+ if filter {
+ return -1
+ }
+
 ret = ModLink(m.Link, m.Header.Type == syscall.RTM_NEWLINK)
 return ret
 }
@@ -1210,6 +1218,11 @@ func AUWorkSingle(m nlp.AddrUpdate) int {
 return -1
 }
+ filter := nNl.BLRgx.MatchString(link.Attrs().Name)
+ if filter {
+ return -1
+ }
+
 attrs := link.Attrs()
 name := attrs.Name
 if m.NewAddr {
@@ -1243,6 +1256,11 @@ func NUWorkSingle(m nlp.NeighUpdate) int {
 return -1
 }
+ filter := nNl.BLRgx.MatchString(link.Attrs().Name)
+ if filter {
+ return -1
+ }
+
 add := m.Type == syscall.RTM_NEWNEIGH
 if add {
@@ -1257,6 +1275,17 @@ func NUWorkSingle(m nlp.NeighUpdate) int {
 func RUWorkSingle(m nlp.RouteUpdate) int {
 var ret int
+ link, err := nlp.LinkByIndex(m.LinkIndex)
+ if err != nil {
+ fmt.Println(err)
+ return -1
+ }
+
+ filter := nNl.BLRgx.MatchString(link.Attrs().Name)
+ if filter {
+ return -1
+ }
+
 if m.Type == syscall.RTM_NEWROUTE {
 ret = AddRoute(m.Route)
 } else {
@@ -1338,6 +1367,10 @@ func GetBridges() {
 return
 }
 for _, link := range links {
+ filter := nNl.BLRgx.MatchString(link.Attrs().Name)
+ if filter {
+ continue
+ }
 switch link.(type) {
 case *nlp.Bridge:
 {
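Review bot: The two-step `filter := nNl.BLRgx.MatchString(...)` / `if filter { return -1 }` is repeated verbatim in six places (this hunk, AUWorkSingle, NUWorkSingle, RUWorkSingle, GetBridges and NlpGet); a single method on NlH reads better and gives one place to handle a nil regex: `func (n *NlH) isBlackListed(name string) bool { return n.BLRgx != nil && n.BLRgx.MatchString(name) }`, used as `if nNl.isBlackListed(m.Link.Attrs().Name) { return -1 }`. The nil guard matters because BLRgx is assigned only near the end of NlpInit, after an early `return nNl` path, and `MatchString` on a nil `*regexp.Regexp` panics. In AUWorkSingle the new check calls `link.Attrs()` immediately before the existing `attrs := link.Attrs()`, so moving the check below that line and using `attrs.Name` avoids the duplicate call. A doc comment on the new struct fields, e.g. `// BLRgx filters netlink events by interface name; nil means no filtering`, would record the contract the call sites rely on.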
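Review bot: The new `nlp.LinkByIndex(m.LinkIndex)` lookup in RUWorkSingle turns every route update without a resolvable output link into a dropped update: a lookup error now returns -1 before `AddRoute`/`DelRoute` is reached, whereas previously every route was passed on. Route events that carry no usable link index (multipath or blackhole/unreachable routes, if the kernel delivers them on this path — I cannot tell from the hunk), and a link deleted between the route event and this lookup, would be lost silently. Restricting the filter to the case where the lookup succeeds preserves the old behaviour for everything else: `if link, err := nlp.LinkByIndex(m.LinkIndex); err == nil && nNl.BLRgx.MatchString(link.Attrs().Name) { return -1 }`. The bare `fmt.Println(err)` also prints with no context on a per-route-update path; the file's own logging helper, if it has one outside this hunk, would be the better fit. RUWorkSingle's body continues past the end of the hunk.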
@@ -1360,8 +1393,13 @@ func NlpGet(ch chan bool) int {
 }
 for _, link := range links {
- ret = ModLink(link, true)
+ filter := nNl.BLRgx.MatchString(link.Attrs().Name)
+ if filter {
+ continue
+ }
+
+ ret = ModLink(link, true)
 if ret == -1 {
 continue
 }
@@ -1488,7 +1526,7 @@ func LbSessionGet(done bool) int {
 return 0
 }
-func NlpInit(bgpPeerMode bool) *NlH {
+func NlpInit(bgpPeerMode bool, blackList string) *NlH {
 nNl = new(NlH)
@@ -1506,6 +1544,8 @@ func NlpInit(bgpPeerMode bool) *NlH {
 return nNl
 }
+ nNl.BlackList = blackList
+ nNl.BLRgx = regexp.MustCompile(blackList)
 nNl.FromAUCh = make(chan nlp.AddrUpdate, cmn.AuWorkqLen)
 nNl.FromLUCh = make(chan nlp.LinkUpdate, cmn.LuWorkQLen)
 nNl.FromNUCh = make(chan nlp.NeighUpdate, cmn.NuWorkQLen)
diff --git a/loxinet/loxinet.go b/loxinet/loxinet.go
index ad3f7f30..f17963d8 100644
--- a/loxinet/loxinet.go
+++ b/loxinet/loxinet.go
@@ -303,7 +303,7 @@ func loxiNetInit() {
 // Initialize the nlp subsystem
 if !opts.Opts.NoNlp {
 nlp.NlpRegister(NetAPIInit(opts.Opts.BgpPeerMode))
- nlp.NlpInit(opts.Opts.BgpPeerMode)
+ nlp.NlpInit(opts.Opts.BgpPeerMode, opts.Opts.BlackList)
 }
 // Initialize the Prometheus subsystem
diff --git a/options/options.go b/options/options.go
index 9d8eb364..826587af 100644
--- a/options/options.go
+++ b/options/options.go
@@ -26,4 +26,5 @@ var Opts struct {
 RssEnable bool `long:"rss-enable" description:"Enable rss optimization(experimental)"`
 EgrHooks bool `long:"egr-hooks" description:"Enable eBPF egress hooks(experimental)"`
 BgpPeerMode bool `short:"r" long:"peer" description:"Run loxilb with goBGP only, no Datapath"`
+ BlackList string `long:"blacklist" description:"Regex string of blacklisted ports" default:"none"`
 }
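Review bot: `regexp.MustCompile(blackList)` compiles an operator-supplied command-line value, so a typo in `--blacklist` takes the daemon down with a panic and stack trace at start-up instead of a usage error; `regexp.Compile` with the error logged and the filter left disabled is the usual shape for user input. The two new lines also sit after the early `return nNl` at the top of this hunk (its condition is outside the hunk; the caller in loxinet.go passes BgpPeerMode), so on that path BLRgx stays nil and any later `nNl.BLRgx.MatchString` call panics — assigning before that return, or nil-checking at the call sites, closes it. The options.go hunk gives the flag `default:"none"`, and `none` is itself a valid pattern that MatchString matches as a substring, so with no flag given an interface whose name happens to contain "none" would be filtered; treating an empty value as "no blacklist" and defaulting to that avoids it, e.g. `if blackList != "" && blackList != "none" { nNl.BLRgx, err = regexp.Compile(blackList) }` followed by the error handling. No import hunk for regexp appears in this patch, so it is presumably already imported in nlp.go.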