bridge: read only required chain on cni del instead of the entire ruleset #880

Commits on Apr 20, 2023

  1. build: consume specific tables/chains via go-nft

    This go-nft version allows its users to only read particular
    tables/chains when invoking `ReadConfig`, instead of the entire ruleset.
    
    This will make deleting rules from a large ruleset faster, thus speeding
    up CNI DELs.
    
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2175041
    
    Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
    maiqueb committed Apr 20, 2023 (commit 83fe87c)
  2. bridge, spoofcheck: only read the prerouting chain on CNI delete

    Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
    maiqueb committed Apr 20, 2023 (commit 7dcd738)
  3. bridge, del: timeout after 55 secs of trying to list rules

    Making sure the exec'ed nft command is executed in 55 secs allows for
    CNI to fail early, thus preventing CRI from sending another CNI DEL
    while the previous NFT call is still being processed.
    
    This fix prevents part of the behavior described in [0], in which:
    > cnv-bridge and nft comes pile up in a loop, increasing every 60, never
    > completes
    
    The timeout had to be less than 60 seconds (otherwise CRI would still
    trigger CNI DEL again) but large enough for this feature to have a
    chance of working on older kernels (e.g. CentOS 8), where it takes
    longer to access even a specific chain/table.
    
    Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
    maiqueb committed Apr 20, 2023 (commit 135292e)