bridge, del: timeout after 30 secs of trying to list rules

Making sure the exec'ed nft command is executed in 30 secs allows for CNI to fail early, thus preventing CRI from sending another CNI DEL while the previous NFT call is still being processed. This fix prevents part of the behavior described in [0], in which: > cnv-bridge and nft comes pile up in a loop, increasing every 60, never completes Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
containernetworking · Apr 20, 2023 · 6a3eb15 · 6a3eb15
1 parent f77f0a8
commit 6a3eb15
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/pkg/link/spoofcheck.go b/pkg/link/spoofcheck.go
@@ -15,8 +15,10 @@
 package link
 
 import (
+	"context"
 	"fmt"
 	"os"
+	"time"
 
 	"github.com/networkplumbing/go-nft/nft"
 	"github.com/networkplumbing/go-nft/nft/schema"
@@ -46,7 +48,9 @@ func (dnc defaultNftConfigurer) Apply(cfg *nft.Config) error {
 }
 
 func (dnc defaultNftConfigurer) Read(filterCommands ...string) (*nft.Config, error) {
-	return nft.ReadConfig(filterCommands...)
+	ctxWithTimeout, cancelFunc := context.WithTimeout(context.Background(), time.Second)
+	defer cancelFunc()
+	return nft.ReadConfigContext(ctxWithTimeout, filterCommands...)
 }
 
 func NewSpoofChecker(iface, macAddress, refID string) *SpoofChecker {