[NPM] Periodic Reconciliation of NPM Chain ordering in FORWARD table (#787)

* merge conflict

* Adding in wait to get mitigate defunct process

* Adding error handling and addressing comments

* Addressing some comments

* Adding a testcase for GetlineNumber

* Adding error message in failures

* Adding error message in failures

* correcting the name for Kubeservices chain

Author: vakalapa

npm/iptm/iptm.go

@@ -54,44 +54,14 @@ func NewIptablesManager() *IptablesManager {
 func (iptMgr *IptablesManager) InitNpmChains() error {
 	log.Logf("Initializing AZURE-NPM chains.")
 
-	if err := iptMgr.AddChain(util.IptablesAzureChain); err != nil {
-		return err
-	}
-
-	// Insert AZURE-NPM chain to FORWARD chain.
-	entry := &IptEntry{
-		Chain: util.IptablesForwardChain,
-		Specs: []string{
-			util.IptablesJumpFlag,
-			util.IptablesAzureChain,
-		},
-	}
-	exists, err := iptMgr.Exists(entry)
+	err := iptMgr.CheckAndAddForwardChain()
 	if err != nil {
-		return err
+		metrics.SendErrorLogAndMetric(util.IptmID, "Error: failed to add AZURE-NPM chain to FORWARD chain. %s", err.Error())
 	}
 
-	if !exists {
-		// retrieve KUBE-SERVICES index
-		index := "1"
-		iptFilterEntries := exec.Command(util.Iptables, "-t", "filter", "-n", "--list", "FORWARD", "--line-numbers")
-		grep := exec.Command("grep", "KUBE-SERVICES")
-		pipe, _ := iptFilterEntries.StdoutPipe()
-		grep.Stdin = pipe
-		iptFilterEntries.Start()
-		output, err := grep.CombinedOutput()
-		if err == nil && len(output) > 2 {
-			tmpIndex, _ := strconv.Atoi(string(output[0]))
-			index = strconv.Itoa(tmpIndex + 1)
-		}
-		pipe.Close()
-		// position Azure-NPM chain after Kube-Forward and Kube-Service chains if it exists
-		iptMgr.OperationFlag = util.IptablesInsertionFlag
-		entry.Specs = append([]string{index}, entry.Specs...)
-		if _, err = iptMgr.Run(entry); err != nil {
-			metrics.SendErrorLogAndMetric(util.IptmID, "Error: failed to add AZURE-NPM chain to FORWARD chain.")
-			return err
-		}
+	entry := &IptEntry{
+		Chain: util.IptablesAzureChain,
+		Specs: []string{},
 	}
 
 	// Create AZURE-NPM-INGRESS-PORT chain.
@@ -102,7 +72,7 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
 	// Append AZURE-NPM-INGRESS-PORT chain to AZURE-NPM chain.
 	entry.Chain = util.IptablesAzureChain
 	entry.Specs = []string{util.IptablesJumpFlag, util.IptablesAzureIngressPortChain}
-	exists, err = iptMgr.Exists(entry)
+	exists, err := iptMgr.Exists(entry)
 	if err != nil {
 		return err
 	}
@@ -437,6 +407,86 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
 	return nil
 }
 
+// CheckAndAddForwardChain initializes and reconciles Azure-NPM chain in right order
+func (iptMgr *IptablesManager) CheckAndAddForwardChain() error {
+
+	// TODO Adding this chain is printing error messages try to clean it up
+	if err := iptMgr.AddChain(util.IptablesAzureChain); err != nil {
+		return err
+	}
+
+	// Insert AZURE-NPM chain to FORWARD chain.
+	entry := &IptEntry{
+		Chain: util.IptablesForwardChain,
+		Specs: []string{
+			util.IptablesJumpFlag,
+			util.IptablesAzureChain,
+		},
+	}
+
+	index := 1
+	// retrieve KUBE-SERVICES index
+	kubeServicesLine, err := iptMgr.GetChainLineNumber(util.IptablesKubeServicesChain, util.IptablesForwardChain)
+	if err != nil {
+		metrics.SendErrorLogAndMetric(util.IptmID, "Error: failed to get index of KUBE-SERVICES in FORWARD chain with error: %s", err.Error())
+		return err
+	}
+
+	index = kubeServicesLine + 1
+
+	exists, err := iptMgr.Exists(entry)
+	if err != nil {
+		return err
+	}
+
+	if !exists {
+		// position Azure-NPM chain after Kube-Forward and Kube-Service chains if it exists
+		iptMgr.OperationFlag = util.IptablesInsertionFlag
+		entry.Specs = append([]string{strconv.Itoa(index)}, entry.Specs...)
+		if _, err = iptMgr.Run(entry); err != nil {
+			metrics.SendErrorLogAndMetric(util.IptmID, "Error: failed to add AZURE-NPM chain to FORWARD chain.")
+			return err
+		}
+
+		return nil
+	}
+
+	npmChainLine, err := iptMgr.GetChainLineNumber(util.IptablesAzureChain, util.IptablesForwardChain)
+	if err != nil {
+		metrics.SendErrorLogAndMetric(util.IptmID, "Error: failed to get index of AZURE-NPM in FORWARD chain with error: %s", err.Error())
+		return err
+	}
+
+	// Kube-services line number is less than npm chain line number then all good
+	if kubeServicesLine < npmChainLine {
+		return nil
+	} else if kubeServicesLine <= 0 {
+		return nil
+	}
+
+	errCode := 0
+	// NPM Chain number is less than KUBE-SERVICES then
+	// delete existing NPM chain and add it in the right order
+	iptMgr.OperationFlag = util.IptablesDeletionFlag
+	metrics.SendErrorLogAndMetric(util.IptmID, "Info: Reconciler deleting and re-adding AZURE-NPM in FORWARD table.")
+	if errCode, err = iptMgr.Run(entry); err != nil {
+		metrics.SendErrorLogAndMetric(util.IptmID, "Error: failed to delete AZURE-NPM chain from FORWARD chain with error code %d.", errCode)
+		return err
+	}
+	iptMgr.OperationFlag = util.IptablesInsertionFlag
+	// Reduce index for deleted AZURE-NPM chain
+	if index > 1 {
+		index--
+	}
+	entry.Specs = append([]string{strconv.Itoa(index)}, entry.Specs...)
+	if errCode, err = iptMgr.Run(entry); err != nil {
+		metrics.SendErrorLogAndMetric(util.IptmID, "Error: failed to add AZURE-NPM chain to FORWARD chain with error code %d.", errCode)
+		return err
+	}
+
+	return nil
+}
+
 // UninitNpmChains uninitializes Azure NPM chains in iptables.
 func (iptMgr *IptablesManager) UninitNpmChains() error {
 	IptablesAzureChainList := []string{
@@ -518,6 +568,44 @@ func (iptMgr *IptablesManager) AddChain(chain string) error {
 	return nil
 }
 
+// GetChainLineNumber given a Chain and its parent chain returns line number
+func (iptMgr *IptablesManager) GetChainLineNumber(chain string, parentChain string) (int, error) {
+
+	var (
+		output []byte
+		err    error
+	)
+
+	cmdName := util.Iptables
+	cmdArgs := []string{"-t", "filter", "-n", "--list", parentChain, "--line-numbers"}
+
+	iptFilterEntries := exec.Command(cmdName, cmdArgs...)
+	grep := exec.Command("grep", chain)
+	pipe, err := iptFilterEntries.StdoutPipe()
+	if err != nil {
+		return 0, err
+	}
+	defer pipe.Close()
+	grep.Stdin = pipe
+
+	if err = iptFilterEntries.Start(); err != nil {
+		return 0, err
+	}
+	// Without this wait, defunct iptable child process are created
+	defer iptFilterEntries.Wait()
+
+	if output, err = grep.CombinedOutput(); err != nil {
+		// grep returns err status 1 if not found
+		return 0, nil
+	}
+
+	if len(output) > 2 {
+		lineNum, _ := strconv.Atoi(string(output[0]))
+		return lineNum, nil
+	}
+	return 0, nil
+}
+
 // DeleteChain deletes a chain from iptables.
 func (iptMgr *IptablesManager) DeleteChain(chain string) error {
 	entry := &IptEntry{
@@ -605,7 +693,11 @@ func (iptMgr *IptablesManager) Run(entry *IptEntry) (int, error) {
 	if msg, failed := err.(*exec.ExitError); failed {
 		errCode := msg.Sys().(syscall.WaitStatus).ExitStatus()
 		if errCode > 0 && iptMgr.OperationFlag != util.IptablesCheckFlag {
-			metrics.SendErrorLogAndMetric(util.IptmID, "Error: There was an error running command: [%s %v] Stderr: [%v, %s]", cmdName, strings.Join(cmdArgs, " "), err, strings.TrimSuffix(string(msg.Stderr), "\n"))
+			msgStr := strings.TrimSuffix(string(msg.Stderr), "\n")
+			if strings.Contains(msgStr, "Chain already exists") && iptMgr.OperationFlag == util.IptablesChainCreationFlag {
+				return 0, nil
+			}
+			metrics.SendErrorLogAndMetric(util.IptmID, "Error: There was an error running command: [%s %v] Stderr: [%v, %s]", cmdName, strings.Join(cmdArgs, " "), err, msgStr)
 		}
 
 		return errCode, err

npm/iptm/iptm_test.go

@@ -225,6 +225,113 @@ func TestRun(t *testing.T) {
 	}
 }
 
+func TestGetChainLineNumber(t *testing.T) {
+	iptMgr := &IptablesManager{}
+
+	var (
+		lineNum    int
+		err        error
+		kubeExists bool
+		npmExists  bool
+	)
+
+	if err = iptMgr.Save(util.IptablesTestConfigFile); err != nil {
+		t.Errorf("TestGetChainLineNumber failed @ iptMgr.Save")
+	}
+
+	defer func() {
+		if err = iptMgr.Restore(util.IptablesTestConfigFile); err != nil {
+			t.Errorf("TestGetChainLineNumber failed @ iptMgr.Restore")
+		}
+	}()
+
+	if err = iptMgr.AddChain(util.IptablesKubeServicesChain); err != nil {
+		t.Errorf("TestGetChainLineNumber failed @ kube-services chain iptMgr.AddChain error: %s", err.Error())
+	}
+
+	iptMgr.OperationFlag = util.IptablesCheckFlag
+	entry := &IptEntry{
+		Chain: util.IptablesForwardChain,
+		Specs: []string{
+			util.IptablesJumpFlag,
+			util.IptablesKubeServicesChain,
+		},
+	}
+
+	if kubeExists, err = iptMgr.Exists(entry); err != nil {
+		t.Errorf("TestGetChainLineNumber failed @ kube-services chain iptMgr.Exists error: %s", err.Error())
+	}
+
+	entry = &IptEntry{
+		Chain: util.IptablesForwardChain,
+		Specs: []string{
+			util.IptablesJumpFlag,
+			util.IptablesAzureChain,
+		},
+	}
+
+	// Ignore not exists errors
+	npmExists, _ = iptMgr.Exists(entry)
+
+	lineNum, err = iptMgr.GetChainLineNumber(util.IptablesAzureChain, util.IptablesForwardChain)
+	if err != nil {
+		t.Errorf("TestGetChainLineNumber @ initial iptMgr.GetChainLineNumber error: %s", err.Error())
+	}
+
+	switch {
+	case (npmExists && kubeExists):
+		if lineNum != 3 {
+			t.Errorf("TestGetChainLineNumber @ initial line number check iptMgr.GetChainLineNumber with npmExists: %t kubeExists: %t", npmExists, kubeExists)
+		}
+	case npmExists:
+		if lineNum == 0 {
+			t.Errorf("TestGetChainLineNumber @ initial line number check iptMgr.GetChainLineNumber with npmExists: %t kubeExists: %t", npmExists, kubeExists)
+		}
+	default:
+		if lineNum != 0 {
+			t.Errorf("TestGetChainLineNumber @ initial line number check iptMgr.GetChainLineNumber with npmExists: %t kubeExists: %t", npmExists, kubeExists)
+		}
+	}
+
+	if err = iptMgr.InitNpmChains(); err != nil {
+		t.Errorf("TestGetChainLineNumber @ iptMgr.InitNpmChains error: %s", err.Error())
+	}
+
+	entry = &IptEntry{
+		Chain: util.IptablesForwardChain,
+		Specs: []string{
+			util.IptablesJumpFlag,
+			util.IptablesAzureChain,
+		},
+	}
+
+	if npmExists, err = iptMgr.Exists(entry); err != nil {
+		t.Errorf("TestGetChainLineNumber failed @ azure-npm chain iptMgr.Exists error: %s", err.Error())
+	}
+
+	lineNum, err = iptMgr.GetChainLineNumber(util.IptablesAzureChain, util.IptablesForwardChain)
+	if err != nil {
+		t.Errorf("TestGetChainLineNumber @ after Init chains iptMgr.GetChainLineNumber error: %s", err.Error())
+	}
+
+	switch {
+	case (npmExists && kubeExists):
+		if lineNum < 2 {
+			t.Errorf("TestGetChainLineNumber @ after Init chains line number check iptMgr.GetChainLineNumber with npmExists: %t kubeExists: %t", npmExists, kubeExists)
+		}
+	case npmExists:
+		if lineNum == 0 {
+			t.Errorf("TestGetChainLineNumber @ after Init chains line number check iptMgr.GetChainLineNumber with npmExists: %t kubeExists: %t", npmExists, kubeExists)
+		}
+	case !npmExists:
+		t.Errorf("TestGetChainLineNumber @ after Init chains line number check iptMgr.GetChainLineNumber with failed to Add chain ")
+	}
+
+	if err = iptMgr.UninitNpmChains(); err != nil {
+		t.Errorf("TestGetChainLineNumber @ iptMgr.UninitNpmChains")
+	}
+}
+
 func TestMain(m *testing.M) {
 	metrics.InitializeAll()
 	iptMgr := NewIptablesManager()

npm/npm.go

@@ -35,6 +35,7 @@ const (
 	backupWaitTimeInSeconds       = 60
 	telemetryRetryTimeInSeconds   = 60
 	heartbeatIntervalInMinutes    = 30
+	reconcileChainTimeInMinutes   = 5
 )
 
 // NetworkPolicyManager contains informers for pod, namespace and networkpolicy.
@@ -183,6 +184,7 @@ func (npMgr *NetworkPolicyManager) Start(stopCh <-chan struct{}) error {
 		return fmt.Errorf("Network policy informer failed to sync")
 	}
 
+	go npMgr.reconcileChains()
 	go npMgr.backup()
 
 	return nil
@@ -404,3 +406,15 @@ func NewNetworkPolicyManager(clientset *kubernetes.Clientset, informerFactory in
 
 	return npMgr
 }
+
+// reconcileChains checks for ordering of AZURE-NPM chain in FORWARD chain periodically.
+func (npMgr *NetworkPolicyManager) reconcileChains() error {
+	iptMgr := iptm.NewIptablesManager()
+	select {
+	case <-time.After(reconcileChainTimeInMinutes * time.Minute):
+		if err := iptMgr.CheckAndAddForwardChain(); err != nil {
+			return err
+		}
+	}
+	return nil
+}

npm/util/const.go

@@ -72,6 +72,7 @@ const (
 	IptablesAzureEgressPortChain  string = "AZURE-NPM-EGRESS-PORT"
 	IptablesAzureEgressToChain    string = "AZURE-NPM-EGRESS-TO"
 	IptablesAzureTargetSetsChain  string = "AZURE-NPM-TARGET-SETS"
+	IptablesKubeServicesChain     string = "KUBE-SERVICES"
 	IptablesForwardChain          string = "FORWARD"
 	IptablesInputChain            string = "INPUT"
 	// Below chains exists only for before Azure-NPM:v1.0.27