Skip to content

Validate when Cilium is in ENI mode that IPv4 is enabled #11328

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 11, 2020
Merged

Validate when Cilium is in ENI mode that IPv4 is enabled #11328

merged 1 commit into from
May 11, 2020

Conversation

soumynathan
Copy link
Contributor

The patch checks the Cilium ENI mode and IPv4 when ENI functions
are called.

Fixes: #11272
Signed-off-by: Swaminathan Vasudevan svasudevan@suse.com

@soumynathan soumynathan requested a review from a team May 4, 2020 22:46
@maintainer-s-little-helper
Copy link

Please set the appropriate release note label.

@coveralls
Copy link

coveralls commented May 4, 2020
edited
Loading

Coverage Status

Coverage decreased (-0.02%) to 37.849% when pulling f62a4a0 on soumynathan:check-ipv4-with-eni-mode into 78739a1 on cilium:master.

aanm
aanm requested changes May 5, 2020
View reviewed changes
pkg/aws/eni/routing/routing.go Outdated
IP: ip,
Mask: net.CIDRMask(32, 32),
}
if (option.Config.IPAM == option.IPAMENI) && (ip.To4() != nil) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if you invert this if statement this function can return earlier and we can avoid touching the remaining code of this function.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agreed

pkg/aws/eni/routing/routing.go Outdated
IP: ip,
Mask: net.CIDRMask(32, 32),
}
if (option.Config.IPAM == option.IPAMENI) && (ip.To4() != nil) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if you invert this if statement this function can return earlier and we can avoid touching the remaining code of this function.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agreed

@aanm aanm requested a review from christarazi May 5, 2020 13:54
@aanm aanm added area/eni Impacts ENI based IPAM. release-note/misc This PR makes changes that have no direct user impact. labels May 5, 2020
@soumynathan soumynathan force-pushed the check-ipv4-with-eni-mode branch from d4a6ad0 to cdcd948 Compare May 6, 2020 00:25
@christarazi
Copy link
Member

christarazi commented May 6, 2020
edited
Loading

test-me-please

Edit: vagrant failure https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-Validated/19499/

christarazi
christarazi reviewed May 6, 2020
View reviewed changes
Copy link
Member

@christarazi christarazi left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR! Overall, I think the changes are good. There's currently this PR pending which should be merging pretty soon. I'd like to get that in before merging this. #11208

I am wondering though if just validating whether we have option.Config.EnableIPv4 and option.Config.IPAM == option.IPAMENI at the daemon level is enough. We could just have it be fatal if the above condition does not hold. 🤔 /cc @aanm

@joestringer I recall we had a conversation about this in another PR. Any thoughts?

@christarazi
Copy link
Member

christarazi commented May 6, 2020
edited
Loading

restart-ginkgo

Edit: weird flake with vagrant index

22:22:10  Pruning vagrant images
22:22:11  The following boxes will be kept...
22:22:11  cilium/ubuntu      (virtualbox, 170)
22:22:11  cilium/ubuntu-4-19 (virtualbox, 12)
22:22:11  cilium/ubuntu-next (virtualbox, 53)
22:22:11  
22:22:11  Checking for older boxes...
22:22:11  The machine index which stores all required information about
22:22:11  running Vagrant environments has become corrupt. This is usually
22:22:11  caused by external tampering of the Vagrant data folder.
22:22:11  
22:22:11  Vagrant cannot manage any Vagrant environments if the index is
22:22:11  corrupt. Please attempt to manually correct it. If you are unable
22:22:11  to manually correct it, then remove the data file at the path below.
22:22:11  This will leave all existing Vagrant environments "orphaned" and
22:22:11  they'll have to be destroyed manually.
22:22:11  
22:22:11  Path: /root/.vagrant.d/data/machine-index/index

@soumynathan
Copy link
Contributor Author

Thanks for the PR! Overall, I think the changes are good. There's currently this PR pending which should be merging pretty soon. I'd like to get that in before merging this. #11208

I am wondering though if just validating whether we have option.Config.EnableIPv4 and option.Config.IPAM == option.IPAMENI at the daemon level is enough. We could just have it be fatal if the above condition does not hold. /cc @aanm

@joestringer I recall we had a conversation about this in another PR. Any thoughts?

@christarazi @joestringer At the daemon level there is already a check between IPAMMode and IPv6 and throws an error if IPv6 is configured along with IPAMMode, so I think indirectly it is testing for the IPv4 with IPAMMode there. But there was comment in this bug that said that we are not validating in the calling function. Let me know your thoughts.

Also I had added couple of comments in two files where we can split. Let me if that is required.

@aanm aanm requested a review from christarazi May 6, 2020 09:47
christarazi
christarazi requested changes May 6, 2020
View reviewed changes
pkg/aws/eni/routing/routing.go Outdated
@@ -139,6 +143,9 @@ func Install(ip net.IP, info *RoutingInfo, mtu int, masq bool) error {
// with this ID, and because this table ID equals the ENI ifindex, it's stable
// to rely on and therefore can be reused.
func Delete(ip net.IP) error {
if (option.Config.IPAM == option.IPAMENI) && (ip.To4() == nil) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as the other similar spot.

@christarazi
Copy link
Member

restart-ginkgo

@joestringer
Copy link
Member

@christarazi @joestringer At the daemon level there is already a check between IPAMMode and IPv6 and throws an error if IPv6 is configured along with IPAMMode, so I think indirectly it is testing for the IPv4 with IPAMMode there. But there was comment in this bug that said that we are not validating in the calling function. Let me know your thoughts.

If we're already validating the commandline arguments to ensure that this case won't be hit, then I think we're satisfying the main concern here. It's slightly nicer to make sure that this errors out if the wrong address type is specified just to future-proof a bit but I wouldn't expect commandline argument combinations to be validated this deep; it should be occurring much earlier in the initial daemon configuration checks.

@christarazi christarazi added dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. and removed conflicts-with-pr labels May 7, 2020
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 7, 2020
@christarazi christarazi mentioned this pull request May 7, 2020
Open
@christarazi christarazi removed the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 7, 2020
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 7, 2020
@soumynathan soumynathan force-pushed the check-ipv4-with-eni-mode branch 2 times, most recently from 2d4f5c5 to cb84e53 Compare May 7, 2020 05:30
christarazi
christarazi requested changes May 7, 2020
View reviewed changes
Copy link
Member

@christarazi christarazi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some minor nits. There also seems to be a conflict, please rebase.

@christarazi christarazi removed the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 7, 2020
@soumynathan soumynathan force-pushed the check-ipv4-with-eni-mode branch 3 times, most recently from 6d32e8f to e99a9e2 Compare May 7, 2020 19:06
christarazi
christarazi requested changes May 7, 2020
View reviewed changes
Copy link
Member

@christarazi christarazi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good, a few minor comments. Also, please add test coverage now that there's an extra case for both functions.

@soumynathan soumynathan force-pushed the check-ipv4-with-eni-mode branch 3 times, most recently from 9c0e709 to e69fa05 Compare May 8, 2020 18:55
christarazi
christarazi requested changes May 8, 2020
View reviewed changes
Copy link
Member

@christarazi christarazi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a minor change and we should be good to go!

@soumynathan
Validate when Cilium is in ENI mode that IPv4 is enabled
f62a4a0 
The patch checks the Cilium ENI mode and IPv4 when ENI functions
are called.

Fixes: cilium#11272
Signed-off-by: Swaminathan Vasudevan <svasudevan@suse.com>
@soumynathan soumynathan force-pushed the check-ipv4-with-eni-mode branch from e69fa05 to f62a4a0 Compare May 8, 2020 21:49
christarazi
christarazi approved these changes May 8, 2020
View reviewed changes
Copy link
Member

@christarazi christarazi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎉

@christarazi
Copy link
Member

test-me-please

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 10, 2020
@christarazi christarazi added needs-backport/1.7 and removed dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. labels May 10, 2020
@christarazi
Copy link
Member

christarazi commented May 10, 2020
edited
Loading

Added backport label as I'd like to backport this to 1.7 since it'll be a branch we support for a while and this PR has changed code which was recently backported, so it'll be good to keep the divergence to a minimum.

@tgraf tgraf merged commit 7ae916a into cilium:master May 11, 2020
@tklauser tklauser mentioned this pull request May 11, 2020
Merged
@christarazi christarazi mentioned this pull request May 11, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joestringer joestringer joestringer left review comments

@christarazi christarazi christarazi approved these changes

@aanm aanm aanm approved these changes

Assignees
No one assigned
Labels
area/eni Impacts ENI based IPAM. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Validate when Cilium is in ENI mode that IPv4 is enabled
6 participants
@soumynathan @coveralls @christarazi @joestringer @aanm @tgraf