bridge, del: timeout after 30 secs of trying to list rules

Making sure the exec'ed nft command is executed in 55 secs allows for CNI to fail early, thus preventing CRI from sending another CNI DEL while the previous NFT call is still being processed. This fix prevents part of the behavior described in [0], in which: > cnv-bridge and nft comes pile up in a loop, increasing every 60, never completes The timeout had to be less than 60 seconds (otherwise CRI would still trigger CNI DEL again) but large enough for this feature to have a chance of working on older kernels (e.g. centOS 8), where it takes longer to access even a specific chain/table. Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
containernetworking · Apr 20, 2023 · ee90f39 · ee90f39
1 parent 7dcd738
commit ee90f39
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/pkg/link/spoofcheck.go b/pkg/link/spoofcheck.go
@@ -15,8 +15,10 @@
 package link
 
 import (
+	"context"
 	"fmt"
 	"os"
+	"time"
 
 	"github.com/networkplumbing/go-nft/nft"
 	"github.com/networkplumbing/go-nft/nft/schema"
@@ -46,7 +48,10 @@ func (dnc defaultNftConfigurer) Apply(cfg *nft.Config) error {
 }
 
 func (dnc defaultNftConfigurer) Read(filterCommands ...string) (*nft.Config, error) {
-	return nft.ReadConfig(filterCommands...)
+	const timeout = 55 * time.Second
+	ctxWithTimeout, cancelFunc := context.WithTimeout(context.Background(), timeout)
+	defer cancelFunc()
+	return nft.ReadConfigContext(ctxWithTimeout, filterCommands...)
 }
 
 func NewSpoofChecker(iface, macAddress, refID string) *SpoofChecker {