multi-network policy support

[cathy-zhou]

- What this PR does and why is it needed

- Special notes for reviewers

- How to verify it

- Description for the changelog

[coveralls]

Coverage: 53.335% (+0.5%) from 52.869% when pulling 8c10787 on cathy-zhou:multi-network-mr6 into 9e21b3a on ovn-org:master.

[maiqueb]

Some nits I've found until now (I couldn't finish reviewing the entire PR).

Would it make sense to split the last commit in two ? One adding the "feature", and another adding the ACL logging ? I kept getting distracted by that while reviewing.

[maiqueb]

I don't understand this change.

Does this DeleteAddressSetsWithPredicateOps function have another caller ?

[cathy-zhou]

this is used by cleanupPolicyLogicalEntities()

[jcaamano]

just reviewed the first few files.
@cathy-zhou is #2740 is pre-requisite to this PR?

[npinaeva]

Some notes: there is an ACL ExternalIDs change that should be merged before this pr #3334, it will make sure the indexing of the acls is correct between controllers

I think we need to also implement new indices for port groups before this pr, because otherwise syncing port groups for different controllers will be very difficult (and I guess initially we wanted to make sure that all secondary-controller owned objects will have a new set of ids) @jcaamano

I also see multicast is enabled for secondary networks in the same pr, probably it makes sense to state that in the name, and maybe even split it to at least another commit, if not another pr?

A question about controller names: I see all secondary controllers are named netInfo.GetNetworkName() + "-network-controller", is it guaranteed that these names will always be unique?

One concern I have: it is extremely simple in the current version of the code to mix the objects used by the default and secondary network controllers, which may break the functionality for both. A simple example is createMulticastAllowPolicy. If you look at the implementation, it will reference the default network controller port group from
portGroupName := hashedPortGroup(ns) in its acls, and the real port group with another network-scoped name will be created in the end with bnc.buildPortGroup(portGroupName, ns, ports, acls).
I guess there are more examples of that, and maybe if we get the new IDs for all the used objects it will help somewhat, but we need to be extra careful about properly indexing db objects.

[jcaamano]

We are not synchronizing multi-network policies on NAD events?

Should the peers of a multinet policy be those on the same network or on the same NAD or all? On pod_selector_addres_set.go we are always using the default network for pod peers. For namespace peers we always look in the same network. Something doesn't add up or I am a bit confused.

[cathy-zhou]

@npinaeva

Some notes: there is an ACL ExternalIDs change that should be merged before this pr #3334, it will make sure the indexing of the acls is correct between controllers

sure, please let me know when your PR is merged

I think we need to also implement new indices for port groups before this pr, because otherwise syncing port groups for different controllers will be very difficult (and I guess initially we wanted to make sure that all secondary-controller owned objects will have a new set of ids) @jcaamano

why it is needed? we have network external-ids to differenciate them. it is like logical_routers/logical_switches/logical_ports

I also see multicast is enabled for secondary networks in the same pr, probably it makes sense to state that in the name, and maybe even split it to at least another commit, if not another pr?

it is not enabled for secondary networks yet.

A question about controller names: I see all secondary controllers are named netInfo.GetNetworkName() + "-network-controller", is it guaranteed that these names will always be unique?

I would think so. do you have any specific concerns for this?

One concern I have: it is extremely simple in the current version of the code to mix the objects used by the default and secondary network controllers, which may break the functionality for both. A simple example is createMulticastAllowPolicy. If you look at the implementation, it will reference the default network controller port group from
portGroupName := hashedPortGroup(ns) in its acls, and the real port group with another network-scoped name will be created in the end with bnc.buildPortGroup(portGroupName, ns, ports, acls).
I guess there are more examples of that, and maybe if we get the new IDs for all the used objects it will help somewhat, but we need to be extra careful about properly indexing db objects.

for this particular case, note that bnc.buildPortGroup() and bnc.getACLMatch takes the portgroupname without network scope prefix as the input argument, so the final port group name would be corrrect. I probably missed some place in multicast code as multicast for secondary network is not enabled yet. I will fix it to not confuse the reviewer.

as I understand, we need to index the db object only if there is no index for this object type, for example, acls. but for port groups and address-set, name is unique within the ovndb table, which is index. So I am not sure I understand the needs to introduce yet another index for these kind of objects.

[jcaamano]

Could we add some basic e2e tests?

[npinaeva]

A question about controller names: I see all secondary controllers are named netInfo.GetNetworkName() + "-network-controller", is it guaranteed that these names will always be unique?

I would think so. do you have any specific concerns for this?

Yes, we need to be absolutely sure that the names of controllers are different, because it is a part of objects db index. So let's figure out if/how it is guaranteed.

I also see multicast is enabled for secondary networks in the same pr, probably it makes sense to state that in the name, and maybe even split it to at least another commit, if not another pr?

it is not enabled for secondary networks yet.

I mean it may not be enabled as a flag, but the code for is there, e.g. this pr adds updateNamespaceForSecondaryNetwork functino, that calls multicastUpdateNamespace. Also the fact that configureNamespaceCommon calls multicastUpdateNamespace is also confusing

About referencing port groups, looks like it is correct now, I will suggest some changes to make the code more clear about that.

[npinaeva]

looks like we will be able to leave this file just named acl without base_network_controller prefix, if we move this function to base_network_controller-namespace, which I guess makes sense?

[cathy-zhou]

we now have a getACLMatch() which is also receiver function of BaseNetworkController

[npinaeva]

but getACLMatch doesn't use bnc in any way, I expected it to be reverted

[npinaeva]

so can we now do what is suggested in first comment?

[npinaeva]

since the port group name is not that simple now, let's move building the port group here, and then just use pg.Name to build acl?

[cathy-zhou]

I am not sure I understand. The portgroup name would follow the same convention as the default network port group name, why it is no longer simple now?

[npinaeva]

this is a very important part, let's make sure we have a unified set of functions that all controllers will use.
So I suggest to use ncni.GetNetworkScopedName not on the hash, but before the hash, so it has a similar format with already exisiting port groups

func (ncni *NetworkControllerNetInfo) getPortGroupName(name string) string {
	networkScopedName := ncni.GetNetworkScopedName(name)
	return hashedPortGroup(networkScopedName)
}

// Note that the hashName argument is the portGroup's Name without network scope prefix
func (ncni *NetworkControllerNetInfo) buildPortGroup(name string, ports []*nbdb.LogicalSwitchPort, acls []*nbdb.ACL) *nbdb.PortGroup {
	var externalIds map[string]string
	pgName := ncni.getPortGroupName(name)
	externalIds = map[string]string{"name": name}
	if ncni.IsSecondary() {
		externalIds[types.NetworkExternalID] = ncni.GetNetworkName()
	}
	return libovsdbops.BuildPortGroup(pgName, name, ports, acls, externalIds)
}

then controller should never hash or GetNetworkScopedName themselves, they should call getPortGroupName to get the Name.

[cathy-zhou]

I am not sure I understand: this is afunction that all controller use. I don't see issue with prefix after hash, but I don't have strong opinions one way or another.

The problem for us is that our downstream zone would have issues when upgrading to the latest upstream code if we change the port group name.

[npinaeva]

exactly, spreading the details about how the port group name is setup may be error-prone, so I am suggesting to replace GetNetworkScopedName calls with getPortGroupName calls
about the hash name - I see Jaime had a similar concern #3382 (comment), we can discuss what is the easiest solution for this situation

[cathy-zhou]

this is done the same way when we determine the logical router name/port name etc. for secondary networks. Note that I am getting rid of NetworkControllerNetInfo structure now and in both gressPolicy and BaseNetworkController's receiver functions needs to call the same function to get port group name.

[npinaeva]

What I am saying is that calling GetNetworkScopedName every time someone needs a real port group name, and adding comments like Note that the hashName argument is the portGroup's Name without network scope prefix is error-prone
So I suggest to always build network-prefixed port group name as early as possible by using getPortGroupName function, that would be the only function that knows how a port group name is built, and free other functions from that logic

[npinaeva]

so we can remove all hashedPortGroup and GetNetworkScopedName for port groups, and replace them with getPortGroupName and buildPortGroup functions that only take name as an argument, without any extra hashes or prefixes
then you can also remove all comments about if portGroup name is prefixed or not, because it will always be prefixed, e.g. getACLMatch won't need to prefix port group name, it will get the final port group name version

[npinaeva]

controllerName should be enough here with the new acl indexes

[cathy-zhou]

only when acls are also indexed with controllerName. This will be changed after your acl index PR merged.

[npinaeva]

let's make sure portGroupName is the pg.Name

[cathy-zhou]

let's wait for the decision if we are going to use which form of portgroup name, then we decide what needs to be changed. if it is still in the form of networkPrefix+hash, I'll keep it as is.

[npinaeva]

this should be 2 functions for default and secondary controller

[cathy-zhou]

why?

[npinaeva]

same logic I explained above: this function is directly called from the default and secondary controllers, so you can just call the right function from there

[cathy-zhou]

ok

[npinaeva]

baseNetworkPolicyEventHandler?

[cathy-zhou]

see above

[npinaeva]

newNetpolRetryFramework? also comments to this struct need to be updated, let's say which events are handled by this framework

[npinaeva]

I guess baseHandler is not really required here, because networkControllerPolicyEventHandler handles all netpol-related events, so you can just move these parts frof baseNetworkControllerEventHandler?

[maiqueb]

some more questions.

[maiqueb]

IMO this ensureNamespaceLockedForSecondaryNetwork method is poorly named (I would expect it hint it creates the address set for this particular namespace), and I also think it does too much.

A method should do one thing this one, at least according to its docs does:

• locks namespacesMutex
• gets/creates an entry for ns
• configures OVN nsInfo (which actually means creating the address set encapsulating the ns info), and returns it with its mutex locked.

Would it be possible to break this method down into smaller blocks ?

I'm afraid it'll be hard to unit test as is.

[cathy-zhou]

this is a variants of ensureNamespaceLocked() function for default networks. It does the same thing except the things that does not exist in secondary networks.

[maiqueb]

shouldn't we just move this immediately below the bsnc.namespacesMutex.Lock() ?

Why have it in both the if and else clauses ?

[cathy-zhou]

because depends on if nsInfoExisted, the unlock happens in different place. This is the same as default network ensureNamespaceLocked().

[maiqueb]

question: in the future, for when I introduce the IPAMless ipBlock policies, we won't have to do any of this right ? i.e. there won't be any IPs to keep track of in these address sets.

I could just wrap this in an if !bsnc.doesNetworkRequireIPAM() right ?

... or I could introduce an interface, and provide a separate implementation for the ipamless scenario.

[cathy-zhou]

didn't think this through yet. But I don't think you need namespace related handling if policy is not based on namespace/pod selector. If so, you don't need to watch for namespace at all. you could simply direct return in WatchNamespaces() without calling WatchResource()

[cathy-zhou]

as discussed yesterday, I haven't considered the non-ipam case in thsi PR yet. I am adding it now.

[maiqueb]

@cathy-zhou feel free to keep working exclusively the IPAM case in this PR.

I can tackle the non-IPAM case as a follow-up.

I think this would help keep this PR "small", otherwise, it'll bloat even more.

[maiqueb]

ditto: this will not be needed for IPAMless scenario, right?

[maiqueb]

ditto

[maiqueb]

ditto, this is not needed for the ipamless scenario.

[npinaeva]

the sync should never be updated, because the code only works with the previous version of ids, so I think you can just revert changes of this file and it should work

[cathy-zhou]

I made this change because it does not compile

[npinaeva]

another round :)

[npinaeva]

remove?

[npinaeva]

remove //?

[npinaeva]

but getACLMatch doesn't use bnc in any way, I expected it to be reverted

[npinaeva]

we should only add logical ports for a specific nad, not all?

[cathy-zhou]

it should for all NADs belong to this network controller

[npinaeva]

getPortGroupName(...PortGroupName) doesn't read well, because it means that the argument is not a PortGroupName. So I suggest to update variable names ClusterPortGroupName and ClusterRtrPortGroupName to something like ClusterPortGroupNameBase and ClusterRtrPortGroupNameBase

[npinaeva]

revert?

[npinaeva]

NetInfo is not used anymore?

[npinaeva]

can you please comment on what changed here

[npinaeva]

I am not sure what is our common strategy, but I think it may be better to leave these netpol-specific function under base_network_controller_policy, otherwise all the default controller specific functions will flood this file, and then it is difficult to find them
wdyt @cathy-zhou @jcaamano ?

[jcaamano]

Yeah, I am all for moving stuff out of ovn.go :P

[cathy-zhou]

probably to default_network_controller.go? this is not for base_network_controller, so it should not belong to base_network_controller_policy.go

[npinaeva]

if we had proper packaging, every file would be split into bnc/<feature_name>, default_network_controller/<feature_name> and where needed same for the secondary controllers. Now when we put the default network controller parts to the same file (ovn or default_network_controller) it may difficult to split them back when/if we change the packages structure.
I agree that it doesn't make a lot of sense to put these function under bnc_ files, so we can make default_network_controller_policy file for that purpose, wdyt?

[cathy-zhou]

create a file only for one function? I am not sure.

[npinaeva]

I guess it should be based on if we are planning to have the same separate file in the future under default network controller package, or if we want to leave all functions in one big file . For now e.g. I am not sure what is the difference between master.go ovn.go and default_network_controller.go, so what is the right place for default network controller netpol functions (that also includes addHairpinAllowACL)
@jcaamano any thoughts?

[jcaamano]

We can make default_network_controller_policy with WatchNetwoerkPolicies, addHairpinAllowACL and syncNetworkPolicies.

[npinaeva]

it is different now since we have netInfo also. Are we going to be able to get ipMode from it as @jcaamano suggested?

[cathy-zhou]

@npinaeva @jcaamano again, please take a look.

[npinaeva]

I guess at this point it makes sense to inline getNewLocalPolicyPortsForNAD back to this function, since it is not called from anywhere else?

[npinaeva]

can't we just do

for _, nadName := range bnc.getPodNADNames(pod) {
			logicalPortName := bnc.GetLogicalPortName(pod, nadName)

then the rest of this function can stay as it was

[npinaeva]

we don't need to prefix stale port group right? since it was deleted before the networkPrefix is defined

[cathy-zhou]

in that case, it is no-op. Otherwise, secondary network controllers would be trying to delete the legacy port groups of default network, which I don't want to happen. Another way is to do it only when if !bnc.IsSecondary() , but seems something we want to avoid as much as possible?

I personally is fine with either way.

[npinaeva]

I guess at this point this function is not needed, we will have a separate function for every type of port group to get its name?

[cathy-zhou]

@npinaeva I made the change, please take a look.

[npinaeva]

I guess that should be getClusterPortGroupName? Because cluster port groups are not only used by multicast, but e.g. by egress firewall
If so, I would suggest to move it to base_network_controller, update the name and add a comment for which base names it should be used

[npinaeva]

Great progress, we are getting there :)
Added some new comments, and here are some comments I don't see addressed:
#3382 (comment)
#3382 (comment)

[npinaeva]

I think releasing the lock that is acquired in another function may be error-prone, so maybe we can add configureNamespace func(nsInfo *namespaceInfo, ns *kapi.Namespace) as an argument to ensureNamespaceLockedCommon, and leave the internal logic the same?

[cathy-zhou]

how, note that in the two functions for default network controllers, configureNamespace() is receiver function of DefaultNetworkController. We need to somehow pass that to ensureNamespaceLockedCommon(), which is strange to me.

[npinaeva]

I am not sure I understand, being a method doesn't change function signature, so you still can do

func (bnc *BaseNetworkController) ensureNamespaceLockedCommon(ns string, readOnly bool, namespace *kapi.Namespace,
	ips []net.IP, configureNamespace func(nsInfo *namespaceInfo, ns *kapi.Namespace) error) (*kapi.Namespace, *namespaceInfo, func(), error) {...}

namespace, nsInfo, unlockFunc, err := oc.ensureNamespaceLockedCommon(ns, readOnly, namespace, ips, oc.configureNamespace)

namespace, nsInfo, unlockFunc, err := bsnc.ensureNamespaceLockedCommon(ns, readOnly, namespace, ips, bsnc.configureNamespaceCommon)

[cathy-zhou]

you are right. fixed. Please take a look

[npinaeva]

is this lint command required?

[npinaeva]

logicalPortName := bnc.GetLogicalPortName(pod, nadName) ?

[cathy-zhou]

are you suggesting the change the function signature of GetSecondaryNetworkLogicalPortName(), or you meant to have one single function for both default and secondary network?

for latter, the problem is that we'd still need to check if it is default network, to decide weather or not prefix the logical port name. I believe that is the reason why we agreed to have two different functions.

[npinaeva]

I mean this function already exists

func (bnc *BaseNetworkController) GetLogicalPortName(pod *kapi.Pod, nadName string) string {
	if !bnc.IsSecondary() {
		return util.GetLogicalPortName(pod.Namespace, pod.Name)
	} else {
		return util.GetSecondaryNetworkLogicalPortName(pod.Namespace, pod.Name, nadName)
	}
}

and seems to do exactly the same thing, so I just suggest using it

[cathy-zhou]

Ah, I see. I didn't even remember we have this function. thanks!

[npinaeva]

looks like errors are not returned anymore, probably we can delete that comment line

[npinaeva]

logicalPortName := bnc.GetLogicalPortName(pod, nadName) ?

[cathy-zhou]

same as above

[npinaeva]

fakeController unused?

[npinaeva]

fakeController will be unused, if getMulticastDefaultExpectedData is updated?

[npinaeva]

we usually use
fakeController = getFakeController(DefaultNetworkControllerName) right here in the function to avoid adding arguments (of course in case the controller type is predefined)

[npinaeva]

All the previous comments look addressed, just a couple more for the unit test commit.
It's great to have a unit test with both multi and regular netpols, thanks for implementing that @cathy-zhou !

[npinaeva]

I would say we can leave both getFakeController and getFakeBaseController, so that function that used DefaultNetworkController can keep using it, and multinet-tests can use getFakeBaseController?

[npinaeva]

I think it may be a good time to switch to
UUID = aclIDs.String()
it should be unique, so hopefully we won't need to change it again

[npinaeva]

I would say let's leave this function as is, and make a new one like getMultinetNsAddrSetHashNames(ns, controllerName string), and it will have only 1 usage from getGressACLs, and will reduce the number of required changes

[npinaeva]

I guess if we get getFakeController back, this may be reverted

[npinaeva]

let's make "network1" constant and use in nad definition too?

[npinaeva]

we can make netconf and netInfo variables, since they only depend on nad and used in all tests?

[npinaeva]

maybe we can make it a part of startOvn, so it checks expected secondary controllers are created based on given nads?

[npinaeva]

If we merge #3540 soon, we will be able to change the signature of this function, then pass default network args for existing wrappers, and create new functions like getDefaultDenyDataMultinet and getPolicyDataMultinet.
In that case calls in this file won't need to be changed

[npinaeva]

I think maybe in that case it makes sense to do

if !bnc.IsSecondary() {
		ops, err = libovsdbops.DeletePortGroupsOps(bnc.nbClient, ops, legacyMulticastDefaultDenyPortGroup)
		if err != nil {
			return err
		}
	}

to avoid confusion with prefixing

[cathy-zhou]

/retest

[npinaeva]

one last nit, otherwise
/lgtm
thanks @cathy-zhou!

[npinaeva]

rollback?

[cathy-zhou]

fixed. thanks!