datapath: Enable session affinity for older kernels #11678
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
retest-net-next |
borkmann
reviewed
May 25, 2020
daemon/cmd/daemon_main.go
Outdated
| "Disabling sessionAffinity for cases when a service is accessed from a cluster.") | ||
| log.Warnf("sessionAffinity for host reachable services needs kernel 5.7.0 or newer " + | ||
| "to work properly: the same service endpoint will be selected from all network " + | ||
| "namespaces on the host.") |
There was a problem hiding this comment.
Looks good overall. I think here this needs a bit of rewrite. It may not be clear to the user that this is for E-W traffic-only but not for N-S one.
There was a problem hiding this comment.
Another idea to improve this for older kernels:
- Given ClusterIP is non-routable, we leave this as-is what you have here for ClusterIP
- For everything else we route the traffic to the front-end node, meaning E-W traffic would be service-processed similar way as N-S traffic through bpf_host NodePort LB
For the latter, this means that in the service map for services with sessionAffinity we reroute e.g. 127.0.0.1:NodePort (the surrogate svc entries) to the front-end tuple instead of backend. (Downside is potentially one extra hop but potentially better traffic balancing.)
Wdyt?
borkmann
approved these changes
May 25, 2020
d009984 to
6c08db3
Compare
|
retest-net-next |
aanm
reviewed
May 25, 2020
6c08db3 to
812c3d2
Compare
|
test-me-please |
Instead of disabling sessionAffinity for E-W traffic (via bpf_sock) when running on < 5.7 kernel, enable it with a non-ideal functionality: the same service (annotated with "sessionAffinity") endpoint will be selected from all network namespaces on the host, because the same netns cookie (="0") will be returned for all namespaces. Signed-off-by: Martynas Pumputis <m@lambda.lt>
|
retest-4.19 |
borkmann
approved these changes
May 26, 2020
joestringer
approved these changes
May 27, 2020
|
retest-4.19 |
borkmann
added a commit
that referenced
this pull request
May 28, 2020
This reverts commit 4fa26a4 ("datapath: Enable sessionAffinity for older kernels"). On 4.19 it causes the following verifier error: msg="+ tc exec bpf pin /sys/fs/bpf/tc/globals/cilium_cgroups_connect6 obj bpf_sock.o type sockaddr attach_type connect6 sec connect6" subsys=datapath-loader subsys=datapath-loader msg="Prog section 'connect6' rejected: Invalid argument (22)!" subsys=datapath-loader msg=" - Type: 18" subsys=datapath-loader msg=" - Attach Type: 11" subsys=datapath-loader msg=" - Instructions: 740 (0 over limit)" subsys=datapath-loader msg=" - License: GPL" subsys=datapath-loader subsys=datapath-loader msg="Verifier analysis:" subsys=datapath-loader subsys=datapath-loader msg="back-edge from insn 624 to 570" subsys=datapath-loader subsys=datapath-loader msg="Error fetching program/map!" subsys=datapath-loader PR #11678's CI run on 4.19 was broken as well, so it seems it was merged accidentally. We need a different workaround for this kernel, one that the verifier can deal with. Fixes: #11731 Reported-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Instead of disabling sessionAffinity for E-W traffic (via bpf_sock) when running on < 5.7 kernel, enable it with a non-ideal functionality: the same service (annotated with "sessionAffinity") endpoint will be selected from all network namespaces on the host, because the same netns cookie (="0") will be returned for all namespaces.
The documentation update will follow soon with the session affinity docs.