fix(datapath): disable VF info collection in netlink

[pasteley]

Disable Virtual Function information collection in netlink handle operations to avoid hold of rtnl_mutex on systems with SR-IOV devices.

Fixes: #43516

Reduces rtnl_mutex contention on SR-IOV nodes by not requesting VF information in netlink RTM_GETLINK operations

[bersoare]

overall code looks good to me. there's a failed test, but it could be a flake. havent looked into it yet. hopefully someone can hit the retry
other than that, you're missing the release note in the pr description. mind adding it? 🙏🏽

[bersoare]

/ci-integration

[bersoare]

/test

[ti-mo]

Hi, what problem does this solve, exactly? Is there an existing issue that points out why the lock being held is a problem? Thanks.

[pasteley]

Is there an existing issue that points out why the lock being held is a problem? Thanks.

@ti-mo yes, you can find it mentioned in PR description: #43516

[bersoare]

@pasteley , can you add a release note message to the pr description?
something similar to this one (in the code block): #42896 (comment)

[bersoare]

/test

[bersoare]

/ci-ginkgo

[bersoare]

https://github.com/cilium/cilium/actions/runs/20848915321 looks like a flake. i see a similar failure on other branches too
https://github.com/cilium/cilium/actions/workflows/conformance-l7.yaml

[bersoare]

/ci-l7

[ti-mo]

Thanks, not sure how I missed the issue link. Left a few comments outlining my thoughts and the way forward for this package.

[ti-mo]

Solid, thanks! 💯

[ti-mo]

/test

[ti-mo]

I just realized this completely sidesteps the purpose of the safenetlink package, since NewHandle returns a netlink.Handle, whose methods aren't intercepted by the safenetlink package. I think we need to introduce a safenetlink.Handle that wraps the netlink one and also wraps its methods with a retry loop.

@gandro PTAL

[gandro]

Took a look - since we moved to forbidigo, we will actually detect calls to the netlink.Handle. So the PR here doesn't sidestep our linter, it will still complain if you call unsafe functions on the handle returned by safenetlink.NewHandle.

Calling unsafe functions on the handle require you to use safenetlink.WithRetry* - here's an example from our codebase:
https://github.com/nebius/cilium/blob/d06fe451b641338b41e4542661c1eb34fda4bd85/pkg/datapath/linux/route/reconciler/reconciler.go#L349-L356

If we introduce a wrapper, then we have to make sure that all wrapped functions are safe. So from a safety perspective, I think this PR is fine as is. But it would probably be a potential improvement if we wrapped netlink.Handle to offer safe methods as well.

[gandro]

On a only slightly related node: What we could consider is making sure that netlink.NewHandle is also forbidden by adding it to the list here:

cilium/.golangci.yaml

Line 63 in dcf00f5

- pattern: ^netlink\.(Handle\.)?("AddrList|BridgeVlanList|ChainList|ClassList|ConntrackTableList|DevLinkGetDeviceList|DevLinkGetAllPortList|DevlinkGetDeviceParams|FilterList|FouList|GenlFamilyList|GTPPDPList|LinkByName|LinkByAlias|LinkList|LinkSubscribeWithOptions|NeighList|NeighProxyList|NeighListExecute|LinkGetProtinfo|QdiscList|RdmaLinkList|RdmaLinkByName|RdmaLinkDel|RouteList|RouteListFiltered|RouteListFilteredIter|RouteSubscribeWithOptions|RuleList|RuleListFiltered|SocketGet|SocketDiagTCPInfo|SocketDiagTCP|SocketDiagUDPInfo|SocketDiagUDP|UnixSocketDiagInfo|UnixSocketDiag|SocketXDPGetInfo|SocketDiagXDP|VDPAGetDevList|VDPAGetDevConfigList|VDPAGetMGMTDevList|XfrmPolicyList|XfrmStateList)

That way, new code would have to always use safenetlink.NewHandle (or explicitly opt out if they want to see VFs)

[ti-mo]

@pasteley I'd like to hold off on this PR a bit as it runs the risk of regressing. In its current state, it doesn't handle netlink.ErrDumpInterrupted. I've created an issue in the library to hopefully be able to remove safenetlink in the medium term: vishvananda/netlink#1163.

[gandro]

@pasteley I'd like to hold off on this PR a bit as it runs the risk of regressing. In its current state, it doesn't handle netlink.ErrDumpInterrupted. I've created an issue in the library to hopefully be able to remove safenetlink in the medium term: vishvananda/netlink#1163.

I'm not sure I follow? Our linter does complain if you call a function on netlink.Handle that may return netlink.ErrDumpInterrupted, even if the handle was constructed via safenetlink.NewHandle introduced by this PR.

[ti-mo]

I'm not sure I follow? Our linter does complain if you call a function on netlink.Handle that may return netlink.ErrDumpInterrupted, even if the handle was constructed via safenetlink.NewHandle introduced by this PR.

Ohhh, I see. We already have a bunch of places where Handle is used, forbidigo silenced, and an explicit retry loop added. Of course, then we can merge this as-is. Just need to figure out how to disable VF collection by default if/when we manage to get a retry mechanism added upstream. I'll spend some time on that when I make an upstream proposal.

[pasteley]

@cilium/sig-datapath ptal

[smagnani96]

LGTM. I don't see us using the retrieved link.Attrs().Vfs in our codebase nowadays.