Fix Egress not working with kube-proxy IPVS strictARP mode #3837
Conversation
Codecov Report
@@ Coverage Diff @@
## main #3837 +/- ##
===========================================
- Coverage 62.15% 45.64% -16.51%
===========================================
Files 281 253 -28
Lines 40094 36933 -3161
===========================================
- Hits 24919 16859 -8060
- Misses 13206 18383 +5177
+ Partials 1969 1691 -278
Flags with carried forward coverage won't be shown. Click here to find out more.
|
|
I have verified the Egress feature with this patch locally with IPVS in strictARP mode and it works as expected. |
| if a.dummyDevice == nil && a.arpResponder != nil { | ||
| // Start the ARP responder if the dummy device does not exist or | ||
| // arp_ignore of the transport interface has value other than 0. | ||
| if (a.arpIgnore > 0 || a.dummyDevice == nil) && a.arpResponder != nil { |
There was a problem hiding this comment.
Should we move this to intialization: create arpResponder only when it's required, and run it when it exists?
To avoid creating an instance when we don't use it and save a member variable.
55ee05d to
41cccc1
Compare
|
/test-all |
|
@tnqn I found a subtle issue is that after restarting the agents, the ARP responder will not work as the IP already exists on the dummy interface, no |
good catch! |
41cccc1 to
53c3fb7
Compare
| ip := net.ParseIP(assigned) | ||
| var err error | ||
| if utilnet.IsIPv4(ip) && a.arpResponder != nil { | ||
| err = a.arpResponder.AddIP(ip) |
There was a problem hiding this comment.
I found this will unconditionally trigger a GARP, which may disrupt existing connection if this node previously has one IP assigned and the agent restarts? Should we add a ReplaceIPs method which is supposed to be called on initialization and only add desired IPs to responders?
There was a problem hiding this comment.
Added ReplaceIPs interface to the responder. thanks!
| @@ -60,11 +61,19 @@ func NewIPAssigner(nodeTransportInterface string, dummyDeviceName string) (*ipAs | |||
| assignedIPs: sets.NewString(), | |||
| } | |||
| if ipv4 != nil { | |||
| arpResonder, err := responder.NewARPResponder(externalInterface) | |||
| // Create an ARP responder if the dummy device does not exist or | |||
There was a problem hiding this comment.
Question - why we do not always use ARP responder, and no longer assign IPs to the dummy device?
There was a problem hiding this comment.
Egress needs Egress IPs to be configured to host because Egress IPs are used as tunnel endpoints.
There was a problem hiding this comment.
Ok. Could we add a comment here, as it is not easy to figure out the implication.
2ded772 to
f155893
Compare
| @@ -60,11 +61,22 @@ func NewIPAssigner(nodeTransportInterface string, dummyDeviceName string) (*ipAs | |||
| assignedIPs: sets.NewString(), | |||
| } | |||
| if ipv4 != nil { | |||
| arpResonder, err := responder.NewARPResponder(externalInterface) | |||
| // For Egress scenario, the external IPs should always be present on the dummy | |||
| // interface as they are used as tunnel endpoints. If arp_ignore it set to values | |||
There was a problem hiding this comment.
it set -> is set
values -> an value
| // For Egress scenario, the external IPs should always be present on the dummy | ||
| // interface as they are used as tunnel endpoints. If arp_ignore it set to values | ||
| // other than 0, the host will not reply to ARP requests received on the transport | ||
| // interface and the target IPs are assigned on the dummy interface. So a userspace |
| @@ -60,11 +61,22 @@ func NewIPAssigner(nodeTransportInterface string, dummyDeviceName string) (*ipAs | |||
| assignedIPs: sets.NewString(), | |||
| } | |||
| if ipv4 != nil { | |||
| arpResonder, err := responder.NewARPResponder(externalInterface) | |||
| // For Egress scenario, the external IPs should always be present on the dummy | |||
There was a problem hiding this comment.
done. thanks for the review!
95885b9 to
8210a1d
Compare
9c7b2d1 to
339d536
Compare
|
/test-all |
339d536 to
4f31d03
Compare
|
/test-all |
Check the arp_ignore sysctl value of the transport interface and start a userspace ARP responder if it has a value other than 0. Copy the assigned IPs on the dummy interface to the ARP/NDP responder on initializing to fix an issue that the responders may not work as expected after the agent restarts. Fixes: antrea-io#3804 Signed-off-by: Xu Liu <xliu2@vmware.com>
4f31d03 to
d97a262
Compare
|
/test-all |
|
@xliuxu any change is made to latest version I should review? I don't find one. |
|
@tnqn The latest change is for the integration tests of the IP assigner. |
|
/test-conformance |
Check the arp_ignore sysctl value of the transport interface
and start a userspace ARP responder if it has a value other
than 0.
Copy the assigned IPs on the dummy interface to the ARP/NDP
responders on initializing to fix an issue that the responders
may not work as expected after the agent restarts.
Fixes: #3804
Signed-off-by: Xu Liu xliu2@vmware.com