allocator: fix out-of-valid-range identities being allocated by ArthurChiao · Pull Request #18151 · cilium/cilium

ArthurChiao · 2021-12-07T08:07:30Z

When multiple cilium clusters share the same KVStore ("" prefix
prevents them from being overlapped), the identity allocator inside each
cilium agent may allocate out identities that are out of the cluster's
valid range.

This patch fixed the problem by validating the identity at two places:

the place where an identity is just allocated out
the place before an identity is enqueued into available idpool

Adapted from Jaff Cheng's internal patch at trip.com.

Signed-off-by: ArthurChiao arthurchiao@hotmail.com

nbusseneau · 2021-12-08T18:00:47Z

@ArthurChiao FYI I'm converting this to draft since it's still WIP :)

ArthurChiao · 2021-12-09T02:10:46Z

Hi @nbusseneau just rebased to the latest master, and ready for reviewing now.

Noticed that the "Code scanning results / CodeQL" failed, but the failed code is not introduced in this patch. Should I fix them in this PR as well?

Thanks!

twpayne · 2021-12-09T11:06:31Z

Noticed that the "Code scanning results / CodeQL" failed, but the failed code is not introduced in this patch. Should I fix them in this PR as well?

No, please ignore this. It's actually a false positive from CodeQL.

nbusseneau

Code changes LGTM, thanks.

nbusseneau · 2021-12-10T15:16:58Z

/test

Job 'Cilium-PR-K8s-1.23-kernel-net-next' failed and has not been observed before, so may be related to your PR:

Click to show.

Test Name

K8sPolicyTest Basic Test checks all kind of Kubernetes policies

Failure Output

FAIL: failed to ensure kubectl version: failed to run kubectl version

If it is a flake, comment /mlh new-flake Cilium-PR-K8s-1.23-kernel-net-next so I can create a new GitHub issue to track it.

Job 'Cilium-PR-K8s-GKE' hit: #17270 (94.25% similarity)

nbusseneau · 2021-12-10T15:17:35Z

Closing and re-opening PR since GH Actions seem stuck (this happens sometimes).

aanm · 2022-01-05T22:43:47Z

/test

aanm · 2022-01-06T14:54:36Z

/test

Job 'Cilium-PR-K8s-GKE' failed and has not been observed before, so may be related to your PR:

Click to show.

Test Name

K8sUpdates Tests upgrade and downgrade from a Cilium stable image to master

Failure Output

FAIL: Test pods are not ready after timeout

If it is a flake, comment /mlh new-flake Cilium-PR-K8s-GKE so I can create a new GitHub issue to track it.

pchaigno · 2022-01-11T10:57:20Z

The GKE CI job failed with known flake #17307. Other required tests are passing. Reviews are in. Merging.

Oh, wait! There are merge conflicts :-(

pchaigno · 2022-01-12T10:45:17Z

@ArthurChiao You will need to rebase again to catch #18443. It fixes a CI infrastructure issue that "appeared" yesterday. Sorry for the trouble.

When multiple cilium clusters share the same KVStore ("<clustername>" prefix prevents them from being overlapped), the identity allocator inside each cilium agent may allocate out identities that are out of the cluster's valid range. This patch fixed the problem by validating the identity at two places: 1. the place where an identity is just allocated out 2. the place before an identity is enqueued into available idpool Adapted from Jaff Cheng's internal patch at trip.com. Signed-off-by: ArthurChiao <arthurchiao@hotmail.com>

ArthurChiao · 2022-01-12T14:45:17Z

@pchaigno it's ok, just rebased, thanks :)

pchaigno · 2022-01-12T14:47:58Z

/test

github-actions · 2022-02-12T01:51:01Z

This pull request has been automatically marked as stale because it
has not had recent activity. It will be closed if no further activity
occurs. Thank you for your contributions.

pchaigno · 2022-02-15T11:02:44Z

This pull request broke the multicluster workflow. I'll send a revert PR.

EDIT: PR is at #18808.

ArthurChiao requested a review from a team as a code owner December 7, 2021 08:07

ArthurChiao requested review from a team and twpayne December 7, 2021 08:07

maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Dec 7, 2021

maintainer-s-little-helper bot assigned twpayne Dec 7, 2021

ArthurChiao changed the title ~~allocator: fix out-of-valid-range identities being allocated~~ WIP: allocator: fix out-of-valid-range identities being allocated Dec 7, 2021

ArthurChiao force-pushed the avoid_allocating_out_of_range_identity branch 3 times, most recently from 8c436a1 to 7bd54d7 Compare December 8, 2021 06:57

nbusseneau marked this pull request as draft December 8, 2021 17:59

ArthurChiao force-pushed the avoid_allocating_out_of_range_identity branch from 7bd54d7 to d141907 Compare December 9, 2021 01:29

ArthurChiao marked this pull request as ready for review December 9, 2021 02:07

ArthurChiao changed the title ~~WIP: allocator: fix out-of-valid-range identities being allocated~~ allocator: fix out-of-valid-range identities being allocated Dec 9, 2021

ArthurChiao force-pushed the avoid_allocating_out_of_range_identity branch from d141907 to c943f9b Compare December 9, 2021 09:13

ArthurChiao requested a review from a team as a code owner December 9, 2021 09:13

ArthurChiao requested a review from aanm December 9, 2021 09:13

maintainer-s-little-helper bot assigned aanm Dec 9, 2021

twpayne added needs-backport/1.11 release-note/bug This PR fixes an issue in a previous release of Cilium. labels Dec 9, 2021

maintainer-s-little-helper bot removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Dec 9, 2021

twpayne approved these changes Dec 9, 2021

View reviewed changes

maintainer-s-little-helper bot unassigned twpayne Dec 9, 2021

nbusseneau approved these changes Dec 10, 2021

View reviewed changes

nbusseneau closed this Dec 10, 2021

maintainer-s-little-helper bot unassigned aanm Jan 5, 2022

aanm closed this Jan 6, 2022

aanm reopened this Jan 6, 2022

ArthurChiao force-pushed the avoid_allocating_out_of_range_identity branch from 384f94b to e89dcff Compare January 11, 2022 14:14

ArthurChiao force-pushed the avoid_allocating_out_of_range_identity branch from e89dcff to c9b5f5f Compare January 12, 2022 14:44

pchaigno removed the dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. label Jan 12, 2022

github-actions bot added the stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. label Feb 12, 2022

maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 12, 2022

jibi merged commit 5224f69 into cilium:master Feb 14, 2022

ArthurChiao deleted the avoid_allocating_out_of_range_identity branch February 14, 2022 13:53

jibi mentioned this pull request Feb 14, 2022

v1.11 backports 2022-02-14 #18800

Merged

jibi added backport-pending/1.11 and removed needs-backport/1.11 labels Feb 14, 2022

jibi added needs-backport/1.11 and removed backport-pending/1.11 labels Feb 15, 2022

pchaigno mentioned this pull request Feb 15, 2022

Revert "allocator: fix out-of-valid-range identities being allocated" #18808

Merged

jibi removed the needs-backport/1.11 label Feb 15, 2022

abocim mentioned this pull request Mar 11, 2022

clustermesh: fix: identities allocation range #19076

Merged

Conversation

ArthurChiao commented Dec 7, 2021

Uh oh!

nbusseneau commented Dec 8, 2021

Uh oh!

ArthurChiao commented Dec 9, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

twpayne commented Dec 9, 2021

Uh oh!

nbusseneau left a comment

Choose a reason for hiding this comment

Uh oh!

nbusseneau commented Dec 10, 2021 • edited by maintainer-s-little-helper bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Test Name

Failure Output

Uh oh!

nbusseneau commented Dec 10, 2021

Uh oh!

aanm commented Jan 5, 2022

Uh oh!

aanm commented Jan 6, 2022 • edited by maintainer-s-little-helper bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Test Name

Failure Output

Uh oh!

pchaigno commented Jan 11, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

pchaigno commented Jan 12, 2022

Uh oh!

ArthurChiao commented Jan 12, 2022

Uh oh!

pchaigno commented Jan 12, 2022

Uh oh!

github-actions bot commented Feb 12, 2022

Uh oh!

pchaigno commented Feb 15, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

9 participants

ArthurChiao commented Dec 9, 2021 •

edited

Loading

nbusseneau commented Dec 10, 2021 •

edited by maintainer-s-little-helper bot

Loading

aanm commented Jan 6, 2022 •

edited by maintainer-s-little-helper bot

Loading

pchaigno commented Jan 11, 2022 •

edited

Loading

pchaigno commented Feb 15, 2022 •

edited

Loading