datapath: Enable session affinity for older kernels #11678
Merged
Member
Author
retest-net-next
borkmann
reviewed
May 25, 2020
Member
Looks good overall. I think here this needs a bit of rewrite. It may not be clear to the user that this is for E-W traffic-only but not for N-S one.
Member
Another idea to improve this for older kernels:
- Given ClusterIP is non-routable, we leave this as-is what you have here for ClusterIP
- For everything else we route the traffic to the front-end node, meaning E-W traffic would be service-processed similar way as N-S traffic through bpf_host NodePort LB
For the latter, this means that in the service map for services with sessionAffinity we reroute e.g. 127.0.0.1:NodePort (the surrogate svc entries) to the front-end tuple instead of backend. (Downside is potentially one extra hop but potentially better traffic balancing.)
Wdyt?
borkmann
approved these changes
May 25, 2020
Member
borkmann
left a comment
As discussed offline. ACK with the updated warn msg.
d009984 to 6c08db3
Member
Author
retest-net-next
aanm
reviewed
May 25, 2020
6c08db3 to 812c3d2
Member
Author
test-me-please

Instead of disabling sessionAffinity for E-W traffic (via bpf_sock) when running on < 5.7 kernel, enable it with a non-ideal functionality: the same service (annotated with "sessionAffinity") endpoint will be selected from all network namespaces on the host, because the same netns cookie (="0") will be returned for all namespaces.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Member
Author
retest-4.19
borkmann
approved these changes
May 26, 2020
joestringer
approved these changes
May 27, 2020
Member
Author
retest-4.19
borkmann added a commit that referenced this pull request May 28, 2020

This reverts commit 4fa26a4 ("datapath: Enable sessionAffinity for older kernels").

On 4.19 it causes the following verifier error:

    msg="+ tc exec bpf pin /sys/fs/bpf/tc/globals/cilium_cgroups_connect6 obj bpf_sock.o type sockaddr attach_type connect6 sec connect6" subsys=datapath-loader
    subsys=datapath-loader
    msg="Prog section 'connect6' rejected: Invalid argument (22)!" subsys=datapath-loader
    msg=" - Type: 18" subsys=datapath-loader
    msg=" - Attach Type: 11" subsys=datapath-loader
    msg=" - Instructions: 740 (0 over limit)" subsys=datapath-loader
    msg=" - License: GPL" subsys=datapath-loader
    subsys=datapath-loader
    msg="Verifier analysis:" subsys=datapath-loader
    subsys=datapath-loader
    msg="back-edge from insn 624 to 570" subsys=datapath-loader
    subsys=datapath-loader
    msg="Error fetching program/map!" subsys=datapath-loader

PR #11678's CI run on 4.19 was broken as well, so it seems it was merged accidentally. We need a different workaround for this kernel, one that the verifier can deal with.

Fixes: #11731
Reported-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Instead of disabling sessionAffinity for E-W traffic (via bpf_sock) when running on < 5.7 kernel, enable it with a non-ideal functionality: the same service (annotated with "sessionAffinity") endpoint will be selected from all network namespaces on the host, because the same netns cookie (="0") will be returned for all namespaces.
The documentation update will follow soon with the session affinity docs.
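
Added example (not part of this PR or of Cilium's code): a small user-space model of the trade-off described above, where affinity state is keyed by the client's netns cookie and that cookie degrades to 0 on kernels older than 5.7. The table layout, `select_backend`, `client_cookie`, `pods_share_backend` and the cookie values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption, not Cilium's map layout): an affinity entry
 * is keyed by (netns cookie, service id) and stores the pinned backend. */
struct affinity_entry {
    uint64_t netns_cookie; uint16_t svc_id; uint32_t backend; int used;
};
#define MAX_ENTRIES 16
static struct affinity_entry table[MAX_ENTRIES];

/* Kernels >= 5.7 expose a per-namespace cookie; on older kernels the same
 * cookie (0) is returned for every namespace, as the PR describes. */
static uint64_t client_cookie(int has_netns_cookie, uint64_t real_cookie)
{
    return has_netns_cookie ? real_cookie : 0;
}

/* Return the pinned backend for (cookie, svc_id); on a miss, pin `candidate`
 * (the backend the load balancer would otherwise pick) and return it. */
static uint32_t select_backend(uint64_t cookie, uint16_t svc_id, uint32_t candidate)
{
    for (size_t i = 0; i < MAX_ENTRIES; i++)
        if (table[i].used && table[i].netns_cookie == cookie &&
            table[i].svc_id == svc_id)
            return table[i].backend;
    for (size_t i = 0; i < MAX_ENTRIES; i++)
        if (!table[i].used) {
            table[i] = (struct affinity_entry){ cookie, svc_id, candidate, 1 };
            break;
        }
    return candidate; /* if the table is full, the client is simply not pinned */
}

/* Two pods in different namespaces (constructed cookies 0x1001, 0x2002) hit
 * service 7; the balancer would pick backend 1, then 2. Returns 1 if both
 * pods end up on the same backend. */
static int pods_share_backend(int has_netns_cookie)
{
    memset(table, 0, sizeof(table));
    uint32_t a = select_backend(client_cookie(has_netns_cookie, 0x1001), 7, 1);
    uint32_t b = select_backend(client_cookie(has_netns_cookie, 0x2002), 7, 2);
    return a == b;
}

int main(void)
{
    printf("pre-5.7 shared: %d, 5.7+ shared: %d\n", pods_share_backend(0), pods_share_backend(1));
    return 0;
}
```

With the cookie collapsed to 0, every namespace on the host resolves to the same affinity entry, so per-client stickiness becomes per-node stickiness for that service.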