Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

v1.14 Backports 2023-10-12 #28563

Merged
merged 1 commit into from
Oct 12, 2023
Merged

v1.14 Backports 2023-10-12 #28563

merged 1 commit into from
Oct 12, 2023

Conversation

joamaki
Copy link
Contributor

@joamaki joamaki commented Oct 12, 2023
edited by pchaigno

Once this PR is merged, a GitHub action will update the labels of these PRs:

 28485

@pchaigno @joamaki
ipsec: Atomically upgrade XFRM states with new output-mark
7f0ba33 
[ upstream commit 45549e3 ]

Commit def1770 ("ipsec: Clear node ID and SPI with output-mark")
updates the output-mark of all our XFRM states. Without special logic to
handle the upgrade, these new states can however conflict with the
existing states. In that case, the agent will remove the existing state
and add the new one. It works fine, but can lead to a very short time
where packets are dropped because there isn't any matching XFRM state.
It also causes an error log for the conflicting states.

This commit adds the special upgrade logic to handle that situation. We
have two cases to handle, depending on where we upgrade from.

If upgrading from a version after commit 3e59b68 ("ipsec: Per-node
XFRM states & policies for EKS & AKS"), then the existing XFRM states
differ only by their output-marks. In that case, we can simply update
the state in place atomically using the appropriate netlink call.

If upgrading from a version that doesn't include commit 3e59b68, then
the XFRM states may differ significantly. In that case, we already have
some logic in place to remove the old conflicting states and add the new
ones (the netlink API doesn't let us perform an atomic update in that
case [1]). To handle the additional difference in output-marks, we
simply need to update the existing logic to not assume the output-marks
are the same. This is also the correct way to detect conflicting states
anyway, given the kernel doesn't consider the output-marks when looking
for conflicts.

This change was tested with upgrades to v1.13.7 with this patch
backported to it, on:
- IPAM=ENI, upgrading from v1.13.0 (before commit 3e59b68).
- IPAM=ENI, upgrading from v1.13.7.
- IPAM=cluster-pool, upgrading from v1.13.0.

In all three cases, I ran the full connectivity tests successfully and
checked that the logs didn't have any errors or warnings after the
upgrade. I also deployed the migrate-svc app before the upgrade to
ensure the upgrade doesn't cause any transient packet drops [2].

1 - c0d9b8c ("ipsec: Allow old and new XFRM OUT states to coexist for upgrade")
2 - Note that the second case isn't atomically updating the XFRM states
    so can in principle cause packet drops. The window for such drops
    is however so small (time between two netlink calls) that they
    haven't been reproduced yet (neither now nor when testing
    c0d9b8c).
Fixes: def1770 ("ipsec: Clear node ID and SPI with output-mark")
Reported-by: Hart Hoover <hart@isovalent.com>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Signed-off-by: Jussi Maki <jussi@isovalent.com>
@joamaki joamaki added kind/backports This PR provides functionality previously merged into master. backport/1.14 This PR represents a backport for Cilium 1.14.x of a PR that was merged to main. labels Oct 12, 2023
@joamaki joamaki requested a review from pchaigno October 12, 2023 11:45
@joamaki joamaki marked this pull request as ready for review October 12, 2023 11:46
@joamaki joamaki requested a review from a team as a code owner October 12, 2023 11:46
@joamaki
Copy link
Contributor Author

joamaki commented Oct 12, 2023

/test-backport-1.14

pchaigno
pchaigno approved these changes Oct 12, 2023
View reviewed changes
Copy link
Member

@pchaigno pchaigno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My PR looks good. Thanks!

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Oct 12, 2023
@aanm aanm merged commit c037915 into v1.14 Oct 12, 2023
197 checks passed
@aanm aanm deleted the pr/v1.14-backport-2023-10-12 branch October 12, 2023 13:00
@jrajahalme jrajahalme mentioned this pull request Oct 18, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@squeed squeed squeed approved these changes

@pchaigno pchaigno pchaigno approved these changes

Assignees
No one assigned
Labels
backport/1.14 This PR represents a backport for Cilium 1.14.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. ready-to-merge This PR has passed all tests and received consensus from code owners to merge.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@joamaki @squeed @pchaigno @aanm