Skip to content

Clean up stale ENI rules upon endpoint deletion #11163

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
May 1, 2020
Merged

Clean up stale ENI rules upon endpoint deletion #11163

merged 4 commits into from
May 1, 2020

Conversation

christarazi
Copy link
Member

@christarazi christarazi commented Apr 27, 2020
edited
Loading

See commit messages, reviewable per-commit.

Note: commits starting with "dropme!" are meant to be dropped for the final change. These changes are pending in #11073. They can be ignored for the review.

TODO:

Fixes: #11041

Remove stale rules for endpoints upon deletion in ENI mode

@maintainer-s-little-helper
Copy link

Please set the appropriate release note label.

@christarazi christarazi changed the title Clean up stale ENI rules for endpoint traffic Clean up stale ENI rules upon endpoint deletion Apr 27, 2020
@christarazi christarazi force-pushed the pr/christarazi/delete-stale-rules-eni branch from 6ee91f7 to 699cbdb Compare April 27, 2020 05:01
@christarazi christarazi added kind/bug This is a bug in the Cilium logic. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. labels Apr 27, 2020
@christarazi christarazi added release-note/bug This PR fixes an issue in a previous release of Cilium. area/cni Impacts the Container Networking Interface between Cilium and the orchestrator. area/eni Impacts ENI based IPAM. wip and removed release-note/minor This PR changes functionality that users may find relevant to operating Cilium. labels Apr 27, 2020
@christarazi christarazi force-pushed the pr/christarazi/delete-stale-rules-eni branch from 699cbdb to 3c56387 Compare April 27, 2020 19:52
@christarazi
Copy link
Member Author

test-me-please

@christarazi christarazi force-pushed the pr/christarazi/delete-stale-rules-eni branch from 3c56387 to feb589f Compare April 27, 2020 22:22
@christarazi
Copy link
Member Author

test-me-please

@coveralls
Copy link

coveralls commented Apr 27, 2020
edited
Loading

Coverage Status

Coverage decreased (-0.1%) to 44.507% when pulling e22f554 on christarazi:pr/christarazi/delete-stale-rules-eni into ba3a74b on cilium:master.

@christarazi christarazi force-pushed the pr/christarazi/delete-stale-rules-eni branch from feb589f to ac42c62 Compare April 28, 2020 03:41
@christarazi
Copy link
Member Author

test-me-please

@christarazi christarazi marked this pull request as ready for review April 28, 2020 03:46
@christarazi christarazi requested review from a team April 28, 2020 03:46
@christarazi christarazi requested review from a team as code owners April 28, 2020 03:46
@christarazi christarazi requested a review from a team April 28, 2020 03:46
@christarazi christarazi requested a review from a team as a code owner April 28, 2020 03:46
@christarazi christarazi requested a review from a team April 28, 2020 03:46
@christarazi christarazi removed the wip label Apr 28, 2020
@christarazi christarazi marked this pull request as draft April 28, 2020 16:20
@christarazi christarazi force-pushed the pr/christarazi/delete-stale-rules-eni branch from ac42c62 to d77765f Compare April 28, 2020 16:46
joestringer
joestringer requested changes Apr 30, 2020
View reviewed changes
Copy link
Member

@joestringer joestringer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

All of the below are just minor nits that would help code maintainability for the future.

@christarazi christarazi force-pushed the pr/christarazi/delete-stale-rules-eni branch from b4c6885 to 133a129 Compare April 30, 2020 22:36
@christarazi
Copy link
Member Author

test-me-please

@christarazi christarazi requested a review from joestringer April 30, 2020 22:37
joestringer
joestringer approved these changes Apr 30, 2020
View reviewed changes
Copy link
Member

@joestringer joestringer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Go mod bot looks like legitimate change needed but modulo that I think we're good to merge.

@christarazi christarazi force-pushed the pr/christarazi/delete-stale-rules-eni branch from 133a129 to 119cbe1 Compare April 30, 2020 22:47
@christarazi
Copy link
Member Author

test-me-please

@christarazi christarazi force-pushed the pr/christarazi/delete-stale-rules-eni branch from 119cbe1 to c53a64a Compare April 30, 2020 22:54
@christarazi christarazi requested a review from a team as a code owner April 30, 2020 22:54
@christarazi
Copy link
Member Author

christarazi commented Apr 30, 2020
edited
Loading

test-me-please

Edit: provisioning failure https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-Validated/19357/

@christarazi christarazi mentioned this pull request Apr 30, 2020
Closed
@christarazi
Copy link
Member Author

test-me-please

@christarazi
Copy link
Member Author

Build green. Editing commit message mentioned to tag issue number.

@christarazi
Implement ability to list IP routing rules
bd38935 
Currently, this facility doesn't exist in the upstream netlink library
(https://github.com/vishvananda/netlink). This commit adds it here so
that we don't have to wait to utilize it when it's merged. Once it's
merged, then we can replace this.

Signed-off-by: Chris Tarazi <chris@isovalent.com>
@christarazi
Implement Rule.String for string repr of Rule
a585721 
This makes log messages containing the rule much easier to read when
debugging.

Signed-off-by: Chris Tarazi <chris@isovalent.com>
@christarazi
Clean up stale ENI rules upon endpoint deletion
6e4b671 
Previously, ENI rules were created, but never cleaned up. This can
result in an increasing number of stale rules over the lifetime of a
node.

This commit adds the ability to delete these rules (ingress and egress).
Note that routes are deliberately not deleted as they can be reused for
future endpoints on the same node. This is due to the routes being
created with the ENI device "ifindex" as the table ID.

Fixes cilium#11041

Signed-off-by: Chris Tarazi <chris@isovalent.com>
@christarazi
Move rule priority constants to linux_defaults
e22f554 
Signed-off-by: Chris Tarazi <chris@isovalent.com>
@christarazi christarazi force-pushed the pr/christarazi/delete-stale-rules-eni branch from c53a64a to e22f554 Compare May 1, 2020 04:30
@christarazi christarazi added ready-to-merge This PR has passed all tests and received consensus from code owners to merge. and removed pending-review labels May 1, 2020
@qmonnet qmonnet merged commit 83fc45a into cilium:master May 1, 2020
@christarazi christarazi deleted the pr/christarazi/delete-stale-rules-eni branch May 1, 2020 17:51
@christarazi christarazi mentioned this pull request May 8, 2020
Merged
@jaffcheng
Copy link
Contributor

FWIW, in case someone here from commit message is trying to clean up stale ip rules, this may save you some effort:
(tested on cilium v1.7.4)

# ip rule backup
ip rule list > /tmp/ip-rule-list
cilium endpoint list | grep -v IDENTITY | awk '{if ($6 != "") {print $6}}' > /tmp/running-iplist

# check stale ingress rules before deletion
ip rule list | grep -w "20:" | awk '{if (system("grep -w "$5" /tmp/running-iplist > /dev/null")==1) {system("echo stale ip rule found: "$0)} }'
# clean up ingress rules
ip rule list | grep -w "20:" | awk '{if (system("grep -w "$5" /tmp/running-iplist > /dev/null")==1) {system("ip rule del from all to "$5";echo deleted ip rule from all to "$5)} }'

# check stale egress rules before deletion
ip rule list | grep -w "110:" | awk '{if (system("grep -w "$3" /tmp/running-iplist > /dev/null")==1) {system("echo stale ip rule found: "$0)} }'
# clean up egress rules
ip rule list | grep -w "110:" | awk '{if (system("grep -w "$3" /tmp/running-iplist > /dev/null")==1) {system("ip rule del from "$3";echo deleted ip rule from "$3)} }'

@christarazi
Copy link
Member Author

christarazi commented Jul 29, 2020
edited
Loading

@jaffcheng Nice! I'll also point you to https://github.com/cilium/stale-rules 😉.

@jaffcheng
Copy link
Contributor

@christarazi Thanks! I should have found that earlier 😄 .

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joestringer joestringer joestringer approved these changes

@ungureanuvladvictor ungureanuvladvictor ungureanuvladvictor approved these changes

Assignees
No one assigned
Labels
area/cni Impacts the Container Networking Interface between Cilium and the orchestrator. area/eni Impacts ENI based IPAM. kind/bug This is a bug in the Cilium logic. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Rules/routes left over after endpoint deletion in ENI mode
7 participants
@christarazi @coveralls @jaffcheng @joestringer @ungureanuvladvictor @aanm @qmonnet