test/K8sServices: re-enable IPv4 fragment tests on kernel 4.19 #12159
test-me-please
pchaigno
left a comment
Note that (as far as I know) both 4.19 and net-next always use bpf_sock in CI runs, so the check on hostReachableServices is currently superfluous. Let's have it all the same, in case something changes in the future, to avoid unexpected breakage.
Did you check locally that it works when kube-proxy-replacement=disabled and hostReachableServices is enabled?
The test for fragment tracking support got a fix with commit 0e772e7 ("test: Fix fragment tracking test under KUBEPROXY=1"), where the pattern for searching entries in the Conntrack table accounts for DNAT not happening if kube-proxy is present.
Following recent changes in the datapath and tests for the Linux 4.19 kernel, DNAT is now used even with kube-proxy, provided bpf_sock is in use. This led to CI failures, and the test was disabled for 4.19 kernels with commit 1120aed ("test/K8sServices: disable fragment tracking test for kernel 4.19").
Now that complexity issues are fixed (see #11977 and #12045), let's enable the test on 4.19 again. Ignore DNAT only if kube-proxy is present and bpf_sock (host-reachable services) is not in use. This is also the case for net-next kernels (this didn't fail in CI before because we do not test with kube-proxy on net-next).
Note that (as far as I know) both 4.19 and net-next always use bpf_sock in CI runs, so the check on hostReachableServices is currently superfluous. Let's have it all the same, in case something changes in the future, to avoid unexpected breakage.
Signed-off-by: Quentin Monnet <quentin@isovalent.com>
8f04915 to da70faf
Moved the check on host-reachable services to a dedicated helper. Yes, I tested locally with
Incremental diff
diff --git a/test/helpers/utils.go b/test/helpers/utils.go
index 6884c744258d..571d465460b8 100644
--- a/test/helpers/utils.go
+++ b/test/helpers/utils.go
@@ -558,6 +558,24 @@ func DoesNotSupportMetalLB() bool {
return true
}
+func (kub *Kubectl) HasHostReachableServices(pod string, checkTCP, checkUDP bool) bool {
+ status := kub.CiliumExecContext(context.TODO(), pod,
+ "cilium status -o jsonpath='{.kube-proxy-replacement.features.hostReachableServices}'")
+ status.ExpectSuccess("Failed to get status: %s", status.OutputPrettyPrint())
+ lines := status.ByLines()
+ Expect(len(lines)).ShouldNot(Equal(0), "Failed to get hostReachableServices status")
+
+ // One-line result is e.g. "{true [TCP UDP]}" if host-reachable
+ // services are activated for both protocols.
+ if checkUDP && !strings.Contains(lines[0], "UDP") {
+ return false
+ }
+ if checkTCP && !strings.Contains(lines[0], "TCP") {
+ return false
+ }
+ return true
+}
+
// GetNodeWithoutCilium returns a name of a node which does not run cilium.
func GetNodeWithoutCilium() string {
return os.Getenv("NO_CILIUM_ON_NODE")
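Review bot: HasHostReachableServices never looks at the leading boolean of the status line, only at the protocol names. With the documented output "{true [TCP UDP]}", the two strings.Contains checks test for "UDP" and "TCP" and nothing else, and a call with checkTCP and checkUDP both false returns true whatever the agent reported. Consider also requiring the enabled flag, or parsing the field instead of substring-matching it. The exported method also has no doc comment; it should say what the two flags mean and that the helper asserts through Expect when the output is empty.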
diff --git a/test/k8sT/Services.go b/test/k8sT/Services.go
index 80cf5334acb5..8ac348456e8c 100644
--- a/test/k8sT/Services.go
+++ b/test/k8sT/Services.go
@@ -1061,22 +1061,12 @@ var _ = Describe("K8sServicesTest", func() {
srcPort = 12345
hasDNAT = true
)
-
// Destination address and port for fragmented datagram
// are not DNAT-ed with kube-proxy but without bpf_sock.
if helpers.RunsWithKubeProxy() {
ciliumPodK8s1, err := kubectl.GetCiliumPodOnNode(helpers.CiliumNamespace, helpers.K8s1)
ExpectWithOffset(1, err).Should(BeNil(), "Cannot get cilium pod on k8s1")
- status := kubectl.CiliumExecContext(context.TODO(), ciliumPodK8s1,
- "cilium status -o jsonpath='{.kube-proxy-replacement.features.hostReachableServices}'")
- status.ExpectSuccess("Failed to get status: %s", status.OutputPrettyPrint())
- // One-line result is "{true [TCP UDP]}" if
- // host-reachable services are activated for
- // both protocols. Consider we do not have DNAT
- // only if UDP is missing.
- if len(status.ByLines()) != 0 && !strings.Contains(status.ByLines()[0], "UDP") {
- hasDNAT = false
- }
+ hasDNAT = kubectl.HasHostReachableServices(ciliumPodK8s1, false, true)
}
// Get testDSClient and testDS pods running on k8s1. |
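Review bot: The call kubectl.HasHostReachableServices(ciliumPodK8s1, false, true) passes two bare booleans, and the removed comment that explained the choice ("Consider we do not have DNAT only if UDP is missing") has no replacement, so a reader cannot tell which protocol is checked without opening the helper. A short comment at the call site stating that only UDP support decides hasDNAT would restore that. There is also a behaviour change on empty output: the old code left hasDNAT at true when status.ByLines() was empty, whereas the helper now fails the test through Expect. If that is intended, it is worth a line in the commit message.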
test-me-please
}

func (kub *Kubectl) HasHostReachableServices(pod string, checkTCP, checkUDP bool) bool {
status := kub.CiliumExecContext(context.TODO(), pod,
Not a fan of using context.TODO(), but given how nested this func is, it would be detrimental to readability to pass a newly created context from the test case.