Skip to content

ipam: Wait for ENI netlink interface before configuring routes#41954

Merged
pippolo84 merged 3 commits intocilium:mainfrom
pippolo84:pr/pippolo84/wait-for-eni-metadata
Oct 9, 2025
Merged

ipam: Wait for ENI netlink interface before configuring routes#41954
pippolo84 merged 3 commits intocilium:mainfrom
pippolo84:pr/pippolo84/wait-for-eni-metadata

Conversation

@pippolo84
Copy link
Copy Markdown
Member

@pippolo84 pippolo84 commented Sep 30, 2025
edited
Loading

In ENI IPAM mode, the ENIs are created by the operator. At the same
time, on each node, the agents configure the v4 and v6 rules and routes
for the Cilium router, after retrieving its IPs from either k8s or the
filesystem. In order to do so, each agent query netlink to get the
ifindex of the interface with the router IP, given its MAC address.
Unfortunately this behavior is racy, since the agent might query netlink
too soon, when the ENI is not yet up and running. This leads to the
following error from netlink:

"daemon creation failed: failed to configure router IP rules and routes:
unable to find ifindex for interface MAC: interface with MAC ... not
found"

that ultimately stops the daemon startup.

To address this, let's poll netlink and wait for the ENI netlink
interface to show up before going ahead with routes and rules
configuration.

Fixes: #37948

Depends on #41783

@pippolo84 pippolo84 added area/eni Impacts ENI based IPAM. release-note/misc This PR makes changes that have no direct user impact. area/ipam IP address management, including cloud IPAM labels Sep 30, 2025
@pippolo84
Copy link
Copy Markdown
Member Author

pippolo84 commented Sep 30, 2025

/ci-eks

@pippolo84 pippolo84 force-pushed the pr/pippolo84/wait-for-eni-metadata branch from 7f8802f to e76518c Compare September 30, 2025 14:49
@pippolo84
Copy link
Copy Markdown
Member Author

pippolo84 commented Sep 30, 2025

/ci-eks

1 similar comment
@liyihuang
Copy link
Copy Markdown
Contributor

liyihuang commented Sep 30, 2025

/ci-eks

@pippolo84 pippolo84 force-pushed the pr/pippolo84/wait-for-eni-metadata branch from e76518c to 230a590 Compare October 1, 2025 10:04
@pippolo84 pippolo84 added the dont-merge/blocked Another PR must be merged before this one. label Oct 1, 2025
@pippolo84 pippolo84 force-pushed the pr/pippolo84/wait-for-eni-metadata branch from 230a590 to 65dd618 Compare October 1, 2025 10:08
@pippolo84
Copy link
Copy Markdown
Member Author

pippolo84 commented Oct 1, 2025

/ci-eks

@pippolo84 pippolo84 mentioned this pull request Oct 1, 2025
Merged
@pippolo84 pippolo84 force-pushed the pr/pippolo84/wait-for-eni-metadata branch 2 times, most recently from d9ed7d7 to 6447718 Compare October 1, 2025 13:48
@pippolo84 pippolo84 removed the dont-merge/blocked Another PR must be merged before this one. label Oct 1, 2025
@pippolo84
Copy link
Copy Markdown
Member Author

pippolo84 commented Oct 1, 2025

/ci-eks

@pippolo84
Copy link
Copy Markdown
Member Author

pippolo84 commented Oct 2, 2025
edited
Loading

Completed 15 successful runs of ci-eks workflow. Opening for reviews.

@pippolo84 pippolo84 marked this pull request as ready for review October 2, 2025 20:33
@pippolo84 pippolo84 requested review from a team as code owners October 2, 2025 20:33
@pippolo84 pippolo84 requested review from gandro and thorn3r October 2, 2025 20:33
@pippolo84
Copy link
Copy Markdown
Member Author

pippolo84 commented Oct 3, 2025

/test

gandro
gandro reviewed Oct 6, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@gandro gandro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix! One question/comment w.r.t. the approach

@pippolo84 pippolo84 force-pushed the pr/pippolo84/wait-for-eni-metadata branch 4 times, most recently from c14be69 to 01b159e Compare October 8, 2025 15:09
@pippolo84 pippolo84 requested a review from gandro October 8, 2025 15:10
@pippolo84

This comment was marked as outdated.

Sign in to view
@pippolo84 pippolo84 force-pushed the pr/pippolo84/wait-for-eni-metadata branch from 01b159e to c76330d Compare October 8, 2025 15:13
@pippolo84
Copy link
Copy Markdown
Member Author

pippolo84 commented Oct 8, 2025

/test

@pippolo84 pippolo84 changed the title ipam: Wait for ENI metadata before configuring routes ipam: Wait for ENI netlink interface before configuring routes Oct 8, 2025
@pippolo84

This comment was marked as outdated.

Sign in to view
@pippolo84
aws/eni: Improve metadata client to accept a context
a475c31 
Accepting a context from the caller instead of hard-coding a
context.TODO() allows for early termination of the IMDS queries when
needed.

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84
ipam: Wait for ENI netlink iface before configuring routes
199a93b 
In ENI IPAM mode, the ENIs are created by the operator. At the same
time, on each node, the agents configure the v4 and v6 rules and routes
for the Cilium router, after retrieving its IPs from either k8s or the
filesystem. In order to do so, each agent query netlink to get the
ifindex of the interface with the router IP, given its MAC address.
Unfortunately this behavior is racy, since the agent might query netlink
too soon, when the ENI is not yet up and running. This leads to the
following error from netlink:

"daemon creation failed: failed to configure router IP rules and routes:
unable to find ifindex for interface MAC: interface with MAC ... not
found"

that ultimately stops the daemon startup.

To address this, let's poll netlink and wait for the ENI netlink
interface to show up before going ahead with routes and rules
configuration.

Fixes: cilium#37948

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84
ipam: Rely on the daemon context in datapath IPs allocation
304fa29 
Now that the waitForENI function accepts a context, pass the daemon
context as an argument. This way the startup procedure remains
responsive to a context cancellation.

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84 pippolo84 force-pushed the pr/pippolo84/wait-for-eni-metadata branch from c76330d to 304fa29 Compare October 9, 2025 12:41
@pippolo84
Copy link
Copy Markdown
Member Author

pippolo84 commented Oct 9, 2025

/test

@pippolo84 pippolo84 removed the request for review from thorn3r October 9, 2025 12:42
@pippolo84
Copy link
Copy Markdown
Member Author

pippolo84 commented Oct 9, 2025

Removed review request to Tim since sig-agent has been covered by Sebastian

@pippolo84
Copy link
Copy Markdown
Member Author

pippolo84 commented Oct 9, 2025

@pippolo84 pippolo84 added this pull request to the merge queue Oct 9, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Oct 9, 2025
Merged via the queue into cilium:main with commit cd5db8c Oct 9, 2025
73 checks passed
@pippolo84 pippolo84 deleted the pr/pippolo84/wait-for-eni-metadata branch October 9, 2025 15:47
@mhofstetter mhofstetter mentioned this pull request Oct 9, 2025
Merged
@pippolo84 pippolo84 added affects/v1.17 This issue affects v1.17 branch affects/v1.18 This issue affects v1.18 branch labels Nov 11, 2025
@cilium-release-bot cilium-release-bot bot moved this to Released in cilium v1.19.0 Feb 3, 2026
@HadrienPatte HadrienPatte mentioned this pull request Apr 1, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@liyihuang liyihuang liyihuang left review comments

@gandro gandro gandro approved these changes

Assignees

No one assigned

Labels

affects/v1.17 This issue affects v1.17 branch affects/v1.18 This issue affects v1.18 branch area/eni Impacts ENI based IPAM. area/ipam IP address management, including cloud IPAM ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact.

Projects

No open projects
cilium v1.19.0
Status: Released

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

CI: failed to configure router IP rules and routes: unable to find ifindex for interface MAC:

4 participants

@pippolo84 @liyihuang @gandro @msune