ipsec: Fix IPsec reinitialization #25936

joamaki · 2023-06-06T12:37:21Z

Fixes issues in previous PR (#25744) on IPsec ENI BPF program loading:

loader: In IPsec reload ignore veth devices & fix settle wait
    
reloadIPSecOnLinkChanges() did not ignore veth device updates causing
reload to be triggered when new endpoints were created. Ignore any
updates with "veth" as device type.

The draining of updates during settle wait was broken due to unintentional
breaking out of the loop. Removed the break.

loader: Do not fatal on IPsec reinitialization

Now that the code is reloading the bpf_network program at runtime we
should not fatal if we fail to reload the program since this may be caused
by ongoing interface changes (e.g. interface was being removed). Change
the log.Fatal into log.Error and keep loading to other interfaces.

Validated these fixes in AWS ENI environment with IPsec enabled by creating and
destroying dummy devices:

$ for i in $(seq 1 100); do sleep 0.1; ip link add dummy$i type dummy; ip link del dummy$i; done
$ kubectl get logs ...
2023-06-06T13:55:03.474507212Z level=info msg="Reinitializing IPsec due to device changes" subsys=datapath-loader
2023-06-06T13:55:03.480640541Z level=info msg="Encryption network program (re)loaded" interface=ens3 subsys=datapath-loader
2023-06-06T13:55:03.480648286Z level=error msg="Load encryption network failed" error="getting interface dummy1 by name: Link not found" interface=dummy1 subsys=datapath-loader
2023-06-06T13:55:03.480656250Z level=warning msg="Failed to reinitialize IPsec after device change" error="failed to load encryption program: getting interface dummy1 by name: Link not found" subsys=datapath-loader
2023-06-06T13:55:04.479609463Z level=info msg="Reinitializing IPsec due to device changes" subsys=datapath-loader
2023-06-06T13:55:04.482395149Z level=info msg="Encryption network program (re)loaded" interface=ens3 subsys=datapath-loader
2023-06-06T13:55:05.482543443Z level=info msg="Reinitializing IPsec due to device changes" subsys=datapath-loader

The time between reinitializations is now at least 1 second and we do not crash when loading fails unexpectedly.

Fix three issues in the bug fix to attach IPsec BPF programs to ENI interfaces: do not fatal if loading unexpectedly fails (which may happen if the device is suddenly deleted), ignore veth device changes in order not to reinitialize when new endpoints appear and wait 1 second for further device state changes between reinitializations.

Now that the code is reloading the bpf_network program at runtime we should not fatal if we fail to reload the program since this may be caused by ongoing interface changes (e.g. interface was being removed). Change the log.Fatal into log.Error and keep loading to other interfaces. Fixes: bf0940b ("loader: Reinitialize IPsec on device changes on ENI") Signed-off-by: Jussi Maki <jussi@isovalent.com>

reloadIPSecOnLinkChanges() did not ignore veth device updates causing reload to be triggered when new endpoints were created. Ignore any updates with "veth" as device type. The draining of updates during settle wait was broken due to unintentional breaking out of the loop. Removed the break. Fixes: bf0940b ("loader: Reinitialize IPsec on device changes on ENI") Signed-off-by: Jussi Maki <jussi@isovalent.com>

joamaki · 2023-06-06T13:59:54Z

/test

[ upstream PR #25936 ] Now that the code is reloading the bpf_network program at runtime we should not fatal if we fail to reload the program since this may be caused by ongoing interface changes (e.g. interface was being removed). Change the log.Fatal into log.Error and keep loading to other interfaces. Fixes: bf0940b ("loader: Reinitialize IPsec on device changes on ENI") Signed-off-by: Jussi Maki <jussi@isovalent.com>

[ upstream PR #25936 ] reloadIPSecOnLinkChanges() did not ignore veth device updates causing reload to be triggered when new endpoints were created. Ignore any updates with "veth" as device type. The draining of updates during settle wait was broken due to unintentional breaking out of the loop. Removed the break. Fixes: bf0940b ("loader: Reinitialize IPsec on device changes on ENI") Signed-off-by: Jussi Maki <jussi@isovalent.com>

pkg/datapath/loader/loader.go

rgo3

Just left non-blocking comments, as they don't address anything functional.

pkg/datapath/loader/loader.go

pkg/datapath/loader/netlink.go

pchaigno · 2023-06-07T08:32:31Z

@dylandreimerink Please don't trust MLH blindly. I had yet to re-review here.

pchaigno

LGTM.

joamaki added 2 commits June 6, 2023 15:35

maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jun 6, 2023

joamaki added release-note/bug This PR fixes an issue in a previous release of Cilium. needs-backport/1.11 needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Jun 6, 2023

maintainer-s-little-helper bot removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Jun 6, 2023

maintainer-s-little-helper bot added this to Needs backport from main in 1.12.11 Jun 6, 2023

maintainer-s-little-helper bot added this to Needs backport from main in 1.11.18 Jun 6, 2023

maintainer-s-little-helper bot added this to Needs backport from main in 1.13.4 Jun 6, 2023

joamaki requested a review from pchaigno June 6, 2023 14:00

joamaki marked this pull request as ready for review June 6, 2023 14:00

joamaki requested a review from a team as a code owner June 6, 2023 14:00

joamaki requested a review from rgo3 June 6, 2023 14:00

pchaigno reviewed Jun 6, 2023

View reviewed changes

pkg/datapath/loader/loader.go Show resolved Hide resolved

rgo3 approved these changes Jun 6, 2023

View reviewed changes

pkg/datapath/loader/loader.go Show resolved Hide resolved

pkg/datapath/loader/netlink.go Show resolved Hide resolved

maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 7, 2023

dylandreimerink merged commit 592777d into cilium:main Jun 7, 2023
62 checks passed

pchaigno reviewed Jun 7, 2023

View reviewed changes

YutaroHayakawa mentioned this pull request Jun 7, 2023

v1.13 Backports 2023-06-07 #25977

Merged

4 tasks

YutaroHayakawa added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Jun 7, 2023

maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.13 in 1.13.4 Jun 7, 2023

YutaroHayakawa mentioned this pull request Jun 8, 2023

v1.12 Backports 2023-06-08 #26006

Merged

3 tasks

YutaroHayakawa added backport-pending/1.12 and removed needs-backport/1.12 labels Jun 8, 2023

maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.12 in 1.12.11 Jun 8, 2023

YutaroHayakawa mentioned this pull request Jun 8, 2023

v1.11 Backports 2023-06-08 #26007

Merged

2 tasks

YutaroHayakawa added backport-pending/1.11 and removed needs-backport/1.11 labels Jun 8, 2023

maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.11 in 1.11.18 Jun 8, 2023

This was referenced Jun 8, 2023

v1.11 backports 2023-06-08 (ipsec fixes) #26021

Merged

v1.11 backports 2023-06-05 #25895

Closed

YutaroHayakawa added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Jun 8, 2023

maintainer-s-little-helper bot moved this from Backport pending to v1.13 to Backport done to v1.13 in 1.13.4 Jun 8, 2023

qmonnet mentioned this pull request Jun 9, 2023

Prepare for release v1.13.4 #26071

Closed

michi-covalent mentioned this pull request Jun 9, 2023

Prepare for release v1.13.4 #26091

Closed

YutaroHayakawa added backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. and removed backport-pending/1.12 labels Jun 12, 2023

maintainer-s-little-helper bot moved this from Backport pending to v1.12 to Backport done to v1.12 in 1.12.11 Jun 12, 2023

michi-covalent mentioned this pull request Jun 12, 2023

Prepare for release v1.12.11 #26140

Closed

qmonnet added backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. and removed backport-pending/1.11 labels Jun 14, 2023

qmonnet moved this from Backport pending to v1.11 to Backport done to v1.11 in 1.11.18 Jun 14, 2023

This was referenced Jun 14, 2023

Prepare for release v1.13.4 #26202

Merged

Prepare for release v1.12.11 #26203

Merged

Prepare for release v1.11.18 #26204

Merged

pchaigno added the area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. label Jun 20, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ipsec: Fix IPsec reinitialization #25936

ipsec: Fix IPsec reinitialization #25936

joamaki commented Jun 6, 2023 •

edited

joamaki commented Jun 6, 2023

rgo3 left a comment

pchaigno commented Jun 7, 2023

pchaigno left a comment

ipsec: Fix IPsec reinitialization #25936

ipsec: Fix IPsec reinitialization #25936

Conversation

joamaki commented Jun 6, 2023 • edited

joamaki commented Jun 6, 2023

rgo3 left a comment

Choose a reason for hiding this comment

pchaigno commented Jun 7, 2023

pchaigno left a comment

Choose a reason for hiding this comment

joamaki commented Jun 6, 2023 •

edited