Host network broken after one of the underlying interfaces of a bond goes down

[pothos]

Is there an existing issue for this?

• I have searched the existing issues

What happened?

On Equinix Metal the network setup is a bond of two NICs using LACP.
When Cilium is used as CNI for Kubernetes on Flatcar Container Linux, and one of the two NIC interfaces goes down, the host network is broken and remains broken even if the underlying interface goes up again.

The network looks normal but ping 1.1 leads to no outgoing packets visible in tcpdump -i bond0 (ping reports 100% packet loss) and ping 127.0.0.1 leads to ping: sendmsg: Operation not permitted.

We could not restore the network even after terminating the Pods and kubelet on the node, flushing nft and deleting the Cilium interfaces (maybe BPF programs are still loaded and not cleaned up?)

IPv6 is not affected, ping6 2606:4700:4700::1111 works.

Cilium Version

1.9, 1.10, 1.11

Kernel Version

from 5.10.52 to 5.10.84

Kubernetes Version

1.22

Sysdump

🔍 Collecting Kubernetes nodes
failed to create sysdump collector: failed to collect Kubernetes nodes: Get "https://136.144.49.47:6443/api/v1/nodes": dial tcp 136.144.49.47:6443: i/o timeout

Relevant log output

Kernel

Feb 04 15:50:06 kernel: bond0: (slave enp2s0f0np0): link status down for interface, disabling it in 200 ms
Feb 04 15:50:06 kernel: bond0: (slave enp2s0f0np0): link status down for interface, disabling it in 200 ms
Feb 04 15:50:06 kernel: bond0: (slave enp2s0f0np0): link status down for interface, disabling it in 200 ms
Feb 04 15:50:06 kernel: bond0: (slave enp2s0f0np0): link status down for interface, disabling it in 200 ms
Feb 04 15:50:06 kernel: bond0: (slave enp2s0f0np0): invalid new link 1 on slave
Feb 04 15:50:06 kernel: mlx5_core 0000:02:00.0: modify lag map port 1:2 port 2:2
Feb 04 15:50:06 kernel: bond0: (slave enp2s0f0np0): link status definitely down, disabling slave
Feb 04 15:51:09 kernel: IPv6: ADDRCONF(NETDEV_CHANGE): lxc_health: link becomes ready
Feb 04 15:51:10 kernel: lxc_health: Caught tx_queue_len zero misconfig
Feb 04 15:51:33 kernel: mlx5_core 0000:02:00.0 enp2s0f0np0: Link down
Feb 04 15:51:33 kernel: mlx5_core 0000:02:00.0 enp2s0f0np0: Link up
Feb 04 15:51:33 kernel: bond0: (slave enp2s0f0np0): link status up again after 200 ms
Feb 04 15:51:33 kernel: bond0: (slave enp2s0f0np0): link status definitely up, 10000 Mbps full duplex
Feb 04 15:51:35 kernel: mlx5_core 0000:02:00.0: modify lag map port 1:1 port 2:2

Anything else?

Flatcar releases 2905.x.y to 3033.x.y are affected, running systemd from 247 to 249 (maybe relevant because systemd-networkd is used)

Flatcar releases 2764.x.y are not affected (kernel 5.10.43, systemd 247)

Reproduce it by provisioning an Equinix Metal machine with Flatcar Stable (used c3.small.x86).
Ensure it is on the latest version:

update_engine_client -update
sudo rm -f /etc/systemd/system/containerd.service.d/10-use-cgroupfs.conf
sudo sed -i 's/systemd.unified_cgroup_hierarchy=0 systemd.legacy_systemd_cgroup_controller//' /usr/share/oem/grub.cfg
sudo systemctl reboot

Set up a one-node Cilium cluster, using the script contents at the end:

sudo ./install.sh

Then, this action is valid and should not any harm, but now does:

sudo ip link set enp2s0f0np0 down

(and sudo ip link set enp2s0f0np0 up does not help)

The install.sh script used above:

#!/bin/bash

set -xe

systemctl enable --now docker
modprobe br_netfilter

cat <<EOF | tee /etc/modules-load.d/k8s.conf
br_netfilter
EOF

cat <<EOF | tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system

CNI_VERSION="v0.8.2"
CRICTL_VERSION="v1.17.0"
RELEASE_VERSION="v0.4.0"
DOWNLOAD_DIR=/opt/bin
RELEASE="$(curl -sSL https://dl.k8s.io/release/stable.txt)"

mkdir -p /opt/cni/bin
mkdir -p /etc/systemd/system/kubelet.service.d

curl() {
	command curl -sSfL "$@"
}

curl "https://github.com/containernetworking/plugins/releases/download/${CNI_VERSION}/cni-plugins-linux-amd64-${CNI_VERSION}.tgz" | tar -C /opt/cni/bin -xz
curl "https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-amd64.tar.gz" | tar -C $DOWNLOAD_DIR -xz
curl "https://raw.githubusercontent.com/kubernetes/release/${RELEASE_VERSION}/cmd/kubepkg/templates/latest/deb/kubelet/lib/systemd/system/kubelet.service" | sed "s:/usr/bin:${DOWNLOAD_DIR}:g" | tee /etc/systemd/system/kubelet.service
curl "https://raw.githubusercontent.com/kubernetes/release/${RELEASE_VERSION}/cmd/kubepkg/templates/latest/deb/kubeadm/10-kubeadm.conf" | sed "s:/usr/bin:${DOWNLOAD_DIR}:g" | tee /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
curl --remote-name-all https://storage.googleapis.com/kubernetes-release/release/${RELEASE}/bin/linux/amd64/{kubeadm,kubelet,kubectl}

curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-amd64.tar.gz /opt/bin
rm cilium-linux-amd64.tar.gz{,.sha256sum}

chmod +x {kubeadm,kubelet,kubectl}
mv {kubeadm,kubelet,kubectl} $DOWNLOAD_DIR/

systemctl enable --now kubelet
#systemctl status kubelet

cat <<EOF | tee kubeadm-config.yaml
apiVersion: kubeadm.k8s.io/v1beta2
kind: InitConfiguration
nodeRegistration:
  kubeletExtraArgs:
    volume-plugin-dir: "/opt/libexec/kubernetes/kubelet-plugins/volume/exec/"
---
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
controllerManager:
  extraArgs:
    flex-volume-plugin-dir: "/opt/libexec/kubernetes/kubelet-plugins/volume/exec/"
networking:
  podSubnet: "192.168.254.0/24"
EOF

# For explicit cgroupdriver selection
# ---
# kind: KubeletConfiguration
# apiVersion: kubelet.config.k8s.io/v1beta1
# cgroupDriver: systemd

# For containerd
# apiVersion: kubeadm.k8s.io/v1beta2
# kind: InitConfiguration
# nodeRegistration:
#  criSocket: "unix:///run/containerd/containerd.sock

export PATH=$PATH:$DOWNLOAD_DIR

kubeadm config images pull
kubeadm init --config kubeadm-config.yaml

mkdir -p $HOME/.kube
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.9.4/install/kubernetes/quick-install.yaml

kubectl taint nodes --all node-role.kubernetes.io/master-
kubectl get pods -A
kubectl get nodes -o wide

kubectl apply -f https://k8s.io/examples/application/deployment.yaml
kubectl expose deployment.apps/nginx-deployment

curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz{,.sha256sum}
tar xzvfC cilium-linux-amd64.tar.gz /opt/bin
rm cilium-linux-amd64.tar.gz{,.sha256sum}

Code of Conduct

• I agree to follow this project's Code of Conduct

[borkmann]

Thanks for the report! How does ip r and ip n look like before the iface goes down and after it's back up again (maybe sysdump before / after would be best if it's just a test env)?

[pothos]

Before:

$ ip r    
default via 145.40.93.210 dev bond0 proto static 
10.0.0.0/24 via 10.0.0.18 dev cilium_host src 10.0.0.18 
10.0.0.0/8 via 10.25.75.128 dev bond0 proto static 
10.0.0.18 dev cilium_host scope link 
10.25.75.128/31 dev bond0 proto kernel scope link src 10.25.75.129 
145.40.93.210/31 dev bond0 proto kernel scope link src 145.40.93.211 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
$ ip n
145.40.93.210 dev bond0 lladdr 06:00:de:ad:be:ef REACHABLE
fe80::400:deff:fead:beef dev bond0 lladdr 06:00:de:ad:be:ef router STALE
2604:1380:4091:a200:: dev bond0 lladdr 06:00:de:ad:be:ef router STALE

cilium-sysdump-20220207-094529.zip
bpftool-output-before.txt

After:

$ ip r
default via 145.40.93.210 dev bond0 proto static 
10.0.0.0/24 via 10.0.0.18 dev cilium_host src 10.0.0.18 
10.0.0.0/8 via 10.25.75.128 dev bond0 proto static 
10.0.0.18 dev cilium_host scope link 
10.25.75.128/31 dev bond0 proto kernel scope link src 10.25.75.129 
145.40.93.210/31 dev bond0 proto kernel scope link src 145.40.93.211 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
$ ip n
10.25.75.129 dev bond0  INCOMPLETE
145.40.93.210 dev bond0 lladdr 06:00:de:ad:be:ef REACHABLE
145.40.93.211 dev bond0  INCOMPLETE
fe80::400:deff:fead:beef dev bond0 lladdr 06:00:de:ad:be:ef router STALE
2604:1380:4091:a200:: dev bond0 lladdr 06:00:de:ad:be:ef router STALE

bpftool-output-after.txt

Since cilium sysdumpdoesn't work afterwards I attached some bpftool output but I don't know what you need.

[borkmann]

10.25.75.129 dev bond0 INCOMPLETE
145.40.93.211 dev bond0 INCOMPLETE

Are these two addresses you're reaching out to?

From the agent log, I see that the Cilium version is 1.9.4. Could you try with latest 1.11.1, and dump the same outputs before/after if it reproduces there as well? (The bpftool one is not needed.)

[pothos]

These are the local addresses, pinging them gives packet loss while pinging 127.0.0.1 gives the permission denied issue as mentioned above.

Sure, I realize now that the quick-install.yaml used a hardcoded older rversion, will do it again.

[pothos]

Replaced it with (sudo) /opt/bin/cilium install → logs using Cilium version "v1.11.1"

Before:

$ ip r
default via 145.40.93.210 dev bond0 proto static 
10.0.0.0/24 via 10.0.0.195 dev cilium_host src 10.0.0.195 
10.0.0.0/8 via 10.25.75.128 dev bond0 proto static 
10.0.0.195 dev cilium_host scope link 
10.25.75.128/31 dev bond0 proto kernel scope link src 10.25.75.129 
145.40.93.210/31 dev bond0 proto kernel scope link src 145.40.93.211 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
$ ip n
145.40.93.210 dev bond0 lladdr 06:00:de:ad:be:ef STALE
10.25.75.128 dev bond0 lladdr 06:00:de:ad:be:ef STALE
fe80::400:deff:fead:beef dev bond0 lladdr 06:00:de:ad:be:ef router STALE
fe80::d6af:f7ff:fedb:4897 dev bond0  FAILED
2604:1380:4091:a200:: dev bond0 lladdr 06:00:de:ad:be:ef router STALE

After:

$ ip r
default via 145.40.93.210 dev bond0 proto static 
10.0.0.0/24 via 10.0.0.195 dev cilium_host src 10.0.0.195 
10.0.0.0/8 via 10.25.75.128 dev bond0 proto static 
10.0.0.195 dev cilium_host scope link 
10.25.75.128/31 dev bond0 proto kernel scope link src 10.25.75.129 
145.40.93.210/31 dev bond0 proto kernel scope link src 145.40.93.211 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
$ ip n
10.25.75.129 dev bond0  FAILED
145.40.93.210 dev bond0 lladdr 06:00:de:ad:be:ef REACHABLE
10.25.75.128 dev bond0 lladdr 06:00:de:ad:be:ef REACHABLE
145.40.93.211 dev bond0  INCOMPLETE
fe80::400:deff:fead:beef dev bond0 lladdr 06:00:de:ad:be:ef router STALE
fe80::d6af:f7ff:fedb:4897 dev bond0  FAILED
2604:1380:4091:a200:: dev bond0 lladdr 06:00:de:ad:be:ef router REACHABLE

[ysksuzuki]

We also hit the same issue with flatcar 3033.2.1 and systemd 249.4. It seems that systemd-networkd removed routing policy rules including local and the host couldn't recognize localhost because of it. Cilium moves the policy rule for local when L7Poxy is enabled and systemd-networkd regards this local rule as a foreign routing policy and removes it.

$ ip rule list
32766:  from all lookup main
32767:  from all lookup default

network: drop unnecessary routing policy rules
systemd/systemd@0b81225

[borkmann]

We also hit the same issue with flatcar 3033.2.1 and systemd 249.4. It seems that systemd-networkd removed routing policy rules including local and the host couldn't recognize localhost because of it.

Thanks a lot for the pointer @ysksuzuki !

Did this knowingly work before and only broke when you upgraded flatcar with related systemd commit?

How did you work around the systemd interference in this case?

(Did anyone file an issue on systemd side?)

[ysksuzuki]

You can use ManageForeignRoutingPolicyRules=no to protect policies.
systemd/systemd@d94dfe7

However, things are a little bit complicated because of this bug. This bug is backported to systems v249.5. With systemd v249.4, you need to set both IgnoreCarrierLoss=yes and KeepConfiguration=yes as well and never use networkctl reconfigure or networkctl reload. Or you need to create policy rules before networkd starts. I think the latter is difficult in our case.

Only ManageForeignRoutingPolicyRules=no is sufficient if you can use systemd v249.5.

[borkmann]

Thanks a lot for this information, much appreciated!

@pothos are you able to confirm that your issue is not seen anymore with the workaround suggested by @ysksuzuki?

[pothos]

Thanks, good to test this with Flatcar Alpha then which has a newer systemd. I'll try to get it working with one of the settings (Flatcar Stable doesn't have the bug fix yet).

So is this a variation of the topic where Flatcar has to ship networkd units that set Cilium interfaces to Unmanaged=yes instead of Cilium creating them at runtime under /run/systemd/networkd/?
I'm not sure the workaround of a global ManageForeignRoutingPolicyRules=no setting is the right way, or whether we should define the policy rules through networkd units (those don't get deleted, see https://www.freedesktop.org/software/systemd/man/networkd.conf.html#ManageForeignRoutingPolicyRules=). How would such a [RoutingPolicyRule] section look like for Cilium?

[pothos]

Can confirm that ManageForeignRoutingPolicyRules=no under [Network] in /etc/systemd/networkd.conf prevents the problem on Flatcar Alpha 3127.0.0