Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix missing iptables after a HostEndpoint-protected interface is deleted and re-added #1883

Merged
merged 5 commits into from Aug 23, 2018
Merged

Fix missing iptables after a HostEndpoint-protected interface is deleted and re-added #1883

merged 5 commits into from Aug 23, 2018

Conversation

nelljerram
Copy link
Member

Description

A customer reported a calico/node having got into a state where expected
iptables programming for a HostEndpoint was missing. They created a
bridge device, and a HostEndpoint to protect that, and initially the
expected iptables programming was present. However, after some period
of churn, which we believe included

  • deleting and re-adding the bridge device
  • setting the state of the bridge device down and later up again
  • creating and deleting many real or simulated pods/containers on that
    node,

it was observed that the HostEndpoint iptables were missing, and that
setting the bridge device down and up made no difference to this. The
missing iptables could only be recreated by restarting the calico/node.

We identified a bug that would account for this if all of the following
points are also true:

  1. One time when the bridge device is deleted, the Netlink event for
    that is lost (or delayed for a long time), and the removal of the device
    is then detected by a period resync that the Felix code does. The bug
    is that the exact handling here is different than when processing an
    individual Netlink event.

  2. When the bridge device is added again, it has the same addresses and
    interface index as before it was deleted, and either there is no Netlink
    event reporting the addresses, or Felix sees that event before it sees
    the event about the device reappearing.

  3. Later, when the bridge device is set down and up again, either there
    are no address changes that ensue from that (which is unusual, because
    Linux devices normally do IPv6 autoconfiguration, which means that an
    IPv6 address is added when the device goes up, and taken away when the
    device goes down), or there is some other reason why Netlink address
    events are not generated, or don't reach Felix.

This change adds a UT case to repro that scenario, and demonstrates the
result that we are missing a non-nil address callback when the bridge
device is added again. In Felix as a whole, the absence of that
callback means that HostEndpoint iptables are not reprogrammed.

The fix - also in this PR - is to clear ifacemonitor's caches at the point in
that scenario when resync spots that an interface has disappeared.

Todos

  • Unit tests (full coverage)
  • Integration tests (delete as appropriate) In plan/Not needed/Done
  • Documentation
  • Backport
  • Release note

Release Note

Fix missing iptables after a HostEndpoint-protected interface is deleted and re-added.

Neil Jerram added 3 commits August 22, 2018 23:28
Clarify ifacemonitor_test logging
78a00e0
UT when resync spots that a link has been deleted
47921d6 
A customer reported a calico/node having got into a state where expected
iptables programming for a HostEndpoint was missing.  They created a
bridge device, and a HostEndpoint to protect that, and initially the
expected iptables programming was present.  However, after some period
of churn, which we believe included

- deleting and re-adding the bridge device
- setting the state of the bridge device down and later up again
- creating and deleting many real or simulated pods/containers on that
  node,

it was observed that the HostEndpoint iptables were missing, and that
setting the bridge device down and up made no difference to this.  The
missing iptables could only be recreated by restarting the calico/node.

We identified a bug that would account for this if all of the following
points are also true:

1. One time when the bridge device is deleted, the Netlink event for
that is lost (or delayed for a long time), and the removal of the device
is then detected by a period resync that the Felix code does.  The bug
is that the exact handling here is different than when processing an
individual Netlink event.

2. When the bridge device is added again, it has the same addresses and
interface index as before it was deleted, and either there is no Netlink
event reporting the addresses, or Felix sees that event before it sees
the event about the device reappearing.

3. Later, when the bridge device is set down and up again, either there
are no address changes that ensue from that (which is unusual, because
Linux devices normally do IPv6 autoconfiguration, which means that an
IPv6 address is added when the device goes up, and taken away when the
device goes down), or there is some other reason why Netlink address
events are not generated, or don't reach Felix.

This change adds a UT case to repro that scenario, and demonstrates the
result that we are missing a non-nil address callback when the bridge
device is added again.  In Felix as a whole, the absence of that
callback means that HostEndpoint iptables are not reprogrammed.
Clear caches when resync spots a link as having disappeared
6adc271
@nelljerram nelljerram requested a review from fasaxc August 22, 2018 23:16
fasaxc
fasaxc approved these changes Aug 23, 2018
View reviewed changes
Copy link
Member

@fasaxc fasaxc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one small comment. Otherwise LGTM.

ifacemonitor/iface_monitor.go Outdated
@@ -52,7 +52,7 @@ type InterfaceMonitor struct {

netlinkStub netlinkStub
resyncC <-chan time.Time
upIfaces set.Set
upIfaces map[string]int
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Worth commenting what the int is that you're storing.

Neil Jerram added 2 commits August 23, 2018 09:33
Code review markups
4199045
Fix ifacemonitor UT flake
0db5b57 
The test code's intention is to test when a deleted link is detected in
a resync.  However there was a race, and the following was also
possible:

1. Kick off a resync.
2. Kick off link deletion.
3. Resync queries links and finds that the link is question is still
present.
4. Link deletion now proceeds, and state for that link deleted.
5. Resync queries addresses for that link and finds that there aren't
any.

resulting in an addr callback with set.New(), instead of an addr
callback with nil.

We can now use delLinkNoSignal to ensure that the original intended
scenario reliably happens, so that's what this change does.
@fasaxc fasaxc merged commit ac4d8e6 into projectcalico:master Aug 23, 2018
This was referenced Aug 23, 2018
Closed
Merged
@nelljerram nelljerram deleted the link-flap-ut branch September 5, 2018 15:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fasaxc fasaxc fasaxc approved these changes

Assignees
No one assigned
Labels
cherry-pick-completed
Projects
None yet
Milestone
No milestone
3 participants
@nelljerram @fasaxc @caseydavenport