Fixes regression, where adding service VIP to the tunnel interface inside the pods when DSR is used was failing (#462)

murali-reddy · web-flow · commit 21075348a320 · 2018-06-08T14:09:54.000+05:30
diff --git a/pkg/controllers/proxy/network_services_controller.go b/pkg/controllers/proxy/network_services_controller.go
@@ -74,7 +74,7 @@ type ipvsCalls interface {
 }
 
 type netlinkCalls interface {
-	ipAddrAdd(iface netlink.Link, ip string) error
+	ipAddrAdd(iface netlink.Link, ip string, addRoute bool) error
 	ipAddrDel(iface netlink.Link, ip string) error
 	prepareEndpointForDsr(containerId string, endpointIP string, vip string) error
 	getKubeDummyInterface() (netlink.Link, error)
@@ -104,7 +104,10 @@ func (ln *linuxNetworking) ipAddrDel(iface netlink.Link, ip string) error {
 	return err
 }
 
-func (ln *linuxNetworking) ipAddrAdd(iface netlink.Link, ip string) error {
+// utility method to assign an IP to an interface. Mainly used to assign service VIP's
+// to kube-dummy-if. Also when DSR is used, used to assign VIP to dummy interface
+// inside the container.
+func (ln *linuxNetworking) ipAddrAdd(iface netlink.Link, ip string, addRoute bool) error {
 	naddr := &netlink.Addr{IPNet: &net.IPNet{IP: net.ParseIP(ip), Mask: net.IPv4Mask(255, 255, 255, 255)}, Scope: syscall.RT_SCOPE_LINK}
 	err := netlink.AddrAdd(iface, naddr)
 	if err != nil && err.Error() != IFACE_HAS_ADDR {
@@ -113,6 +116,15 @@ func (ln *linuxNetworking) ipAddrAdd(iface netlink.Link, ip string) error {
 		return err
 	}
 
+	// When a service VIP is assigned to a dummy interface and accessed from host, in some of the
+	// case Linux source IP selection logix selects VIP itself as source leading to problems
+	// to avoid this an explicit entry is added to use node IP as source IP when accessing
+	// VIP from the host. Please see https://github.com/cloudnativelabs/kube-router/issues/376
+
+	if !addRoute {
+		return nil
+	}
+
 	// TODO: netlink.RouteReplace which is replacement for below command is not working as expected. Call succeeds but
 	// route is not replaced. For now do it with command.
 	out, err := exec.Command("ip", "route", "replace", "local", ip, "dev", KUBE_DUMMY_IF, "table", "local", "proto", "kernel", "scope", "host", "src",
@@ -122,27 +134,35 @@ func (ln *linuxNetworking) ipAddrAdd(iface netlink.Link, ip string) error {
 	}
 	return nil
 }
+
 func (ln *linuxNetworking) ipvsGetServices() ([]*ipvs.Service, error) {
 	return ln.ipvsHandle.GetServices()
 }
+
 func (ln *linuxNetworking) ipvsGetDestinations(ipvsSvc *ipvs.Service) ([]*ipvs.Destination, error) {
 	return ln.ipvsHandle.GetDestinations(ipvsSvc)
 }
+
 func (ln *linuxNetworking) ipvsDelDestination(ipvsSvc *ipvs.Service, ipvsDst *ipvs.Destination) error {
 	return ln.ipvsHandle.DelDestination(ipvsSvc, ipvsDst)
 }
+
 func (ln *linuxNetworking) ipvsNewDestination(ipvsSvc *ipvs.Service, ipvsDst *ipvs.Destination) error {
 	return ln.ipvsHandle.NewDestination(ipvsSvc, ipvsDst)
 }
+
 func (ln *linuxNetworking) ipvsUpdateDestination(ipvsSvc *ipvs.Service, ipvsDst *ipvs.Destination) error {
 	return ln.ipvsHandle.UpdateDestination(ipvsSvc, ipvsDst)
 }
+
 func (ln *linuxNetworking) ipvsDelService(ipvsSvc *ipvs.Service) error {
 	return ln.ipvsHandle.DelService(ipvsSvc)
 }
+
 func (ln *linuxNetworking) ipvsUpdateService(ipvsSvc *ipvs.Service) error {
 	return ln.ipvsHandle.UpdateService(ipvsSvc)
 }
+
 func (ln *linuxNetworking) ipvsNewService(ipvsSvc *ipvs.Service) error {
 	return ln.ipvsHandle.NewService(ipvsSvc)
 }
@@ -526,7 +546,7 @@ func (nsc *NetworkServicesController) syncIpvsServices(serviceInfoMap serviceInf
 		}
 
 		// assign cluster IP of the service to the dummy interface so that its routable from the pod's on the node
-		err := nsc.ln.ipAddrAdd(dummyVipInterface, svc.clusterIP.String())
+		err := nsc.ln.ipAddrAdd(dummyVipInterface, svc.clusterIP.String(), true)
 		if err != nil {
 			continue
 		}
@@ -636,7 +656,7 @@ func (nsc *NetworkServicesController) syncIpvsServices(serviceInfoMap serviceInf
 				}
 			} else {
 				// ensure director with vip assigned
-				err := nsc.ln.ipAddrAdd(dummyVipInterface, externalIP)
+				err := nsc.ln.ipAddrAdd(dummyVipInterface, externalIP, true)
 				if err != nil && err.Error() != IFACE_HAS_ADDR {
 					glog.Errorf("Failed to assign external ip %s to dummy interface %s due to %s", externalIP, KUBE_DUMMY_IF, err.Error())
 				}
@@ -981,7 +1001,7 @@ func (ln *linuxNetworking) prepareEndpointForDsr(containerId string, endpointIP
 	}
 
 	// assign VIP to the KUBE_TUNNEL_IF interface
-	err = ln.ipAddrAdd(tunIf, vip)
+	err = ln.ipAddrAdd(tunIf, vip, false)
 	if err != nil && err.Error() != IFACE_HAS_ADDR {
 		netns.Set(hostNetworkNamespaceHandle)
 		activeNetworkNamespaceHandle, err = netns.Get()
diff --git a/pkg/controllers/proxy/network_services_controller_moq.go b/pkg/controllers/proxy/network_services_controller_moq.go
diff --git a/pkg/controllers/proxy/network_services_controller_test.go b/pkg/controllers/proxy/network_services_controller_test.go
@@ -46,7 +46,7 @@ func (lnm *LinuxNetworkingMockImpl) ipvsGetServices() ([]*ipvs.Service, error) {
 	copy(svcsCopy, lnm.ipvsSvcs)
 	return svcsCopy, nil
 }
-func (lnm *LinuxNetworkingMockImpl) ipAddrAdd(iface netlink.Link, addr string) error {
+func (lnm *LinuxNetworkingMockImpl) ipAddrAdd(iface netlink.Link, addr string, addRouter bool) error {
 	return nil
 }
 func (lnm *LinuxNetworkingMockImpl) ipvsAddServer(ipvsSvc *ipvs.Service, ipvsDst *ipvs.Destination, local bool, podCidr string) error {

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@ type ipvsCalls interface {`
`74`	`74`	`}`
`75`	`75`
`76`	`76`	`type netlinkCalls interface {`
`77`		`- ipAddrAdd(iface netlink.Link, ip string) error`
	`77`	`+ ipAddrAdd(iface netlink.Link, ip string, addRoute bool) error`
`78`	`78`	`ipAddrDel(iface netlink.Link, ip string) error`
`79`	`79`	`prepareEndpointForDsr(containerId string, endpointIP string, vip string) error`
`80`	`80`	`getKubeDummyInterface() (netlink.Link, error)`
`@@ -104,7 +104,10 @@ func (ln *linuxNetworking) ipAddrDel(iface netlink.Link, ip string) error {`
`104`	`104`	`return err`
`105`	`105`	`}`
`106`	`106`
`107`		`-func (ln *linuxNetworking) ipAddrAdd(iface netlink.Link, ip string) error {`
	`107`	`+// utility method to assign an IP to an interface. Mainly used to assign service VIP's`
	`108`	`+// to kube-dummy-if. Also when DSR is used, used to assign VIP to dummy interface`
	`109`	`+// inside the container.`
	`110`	`+func (ln *linuxNetworking) ipAddrAdd(iface netlink.Link, ip string, addRoute bool) error {`
`108`	`111`	`naddr := &netlink.Addr{IPNet: &net.IPNet{IP: net.ParseIP(ip), Mask: net.IPv4Mask(255, 255, 255, 255)}, Scope: syscall.RT_SCOPE_LINK}`
`109`	`112`	`err := netlink.AddrAdd(iface, naddr)`
`110`	`113`	`if err != nil && err.Error() != IFACE_HAS_ADDR {`
`@@ -113,6 +116,15 @@ func (ln *linuxNetworking) ipAddrAdd(iface netlink.Link, ip string) error {`
`113`	`116`	`return err`
`114`	`117`	`}`
`115`	`118`
	`119`	`+ // When a service VIP is assigned to a dummy interface and accessed from host, in some of the`
	`120`	`+ // case Linux source IP selection logix selects VIP itself as source leading to problems`
	`121`	`+ // to avoid this an explicit entry is added to use node IP as source IP when accessing`
	`122`	`+ // VIP from the host. Please see https://github.com/cloudnativelabs/kube-router/issues/376`
	`123`	`+`
	`124`	`+ if !addRoute {`
	`125`	`+ return nil`
	`126`	`+ }`
	`127`	`+`
`116`	`128`	`// TODO: netlink.RouteReplace which is replacement for below command is not working as expected. Call succeeds but`
`117`	`129`	`// route is not replaced. For now do it with command.`
`118`	`130`	`out, err := exec.Command("ip", "route", "replace", "local", ip, "dev", KUBE_DUMMY_IF, "table", "local", "proto", "kernel", "scope", "host", "src",`
`@@ -122,27 +134,35 @@ func (ln *linuxNetworking) ipAddrAdd(iface netlink.Link, ip string) error {`
`122`	`134`	`}`
`123`	`135`	`return nil`
`124`	`136`	`}`
	`137`	`+`
`125`	`138`	`func (ln linuxNetworking) ipvsGetServices() ([]ipvs.Service, error) {`
`126`	`139`	`return ln.ipvsHandle.GetServices()`
`127`	`140`	`}`
	`141`	`+`
`128`	`142`	`func (ln linuxNetworking) ipvsGetDestinations(ipvsSvc ipvs.Service) ([]*ipvs.Destination, error) {`
`129`	`143`	`return ln.ipvsHandle.GetDestinations(ipvsSvc)`
`130`	`144`	`}`
	`145`	`+`
`131`	`146`	`func (ln linuxNetworking) ipvsDelDestination(ipvsSvc ipvs.Service, ipvsDst *ipvs.Destination) error {`
`132`	`147`	`return ln.ipvsHandle.DelDestination(ipvsSvc, ipvsDst)`
`133`	`148`	`}`
	`149`	`+`
`134`	`150`	`func (ln linuxNetworking) ipvsNewDestination(ipvsSvc ipvs.Service, ipvsDst *ipvs.Destination) error {`
`135`	`151`	`return ln.ipvsHandle.NewDestination(ipvsSvc, ipvsDst)`
`136`	`152`	`}`
	`153`	`+`
`137`	`154`	`func (ln linuxNetworking) ipvsUpdateDestination(ipvsSvc ipvs.Service, ipvsDst *ipvs.Destination) error {`
`138`	`155`	`return ln.ipvsHandle.UpdateDestination(ipvsSvc, ipvsDst)`
`139`	`156`	`}`
	`157`	`+`
`140`	`158`	`func (ln linuxNetworking) ipvsDelService(ipvsSvc ipvs.Service) error {`
`141`	`159`	`return ln.ipvsHandle.DelService(ipvsSvc)`
`142`	`160`	`}`
	`161`	`+`
`143`	`162`	`func (ln linuxNetworking) ipvsUpdateService(ipvsSvc ipvs.Service) error {`
`144`	`163`	`return ln.ipvsHandle.UpdateService(ipvsSvc)`
`145`	`164`	`}`
	`165`	`+`
`146`	`166`	`func (ln linuxNetworking) ipvsNewService(ipvsSvc ipvs.Service) error {`
`147`	`167`	`return ln.ipvsHandle.NewService(ipvsSvc)`
`148`	`168`	`}`
`@@ -526,7 +546,7 @@ func (nsc *NetworkServicesController) syncIpvsServices(serviceInfoMap serviceInf`
`526`	`546`	`}`
`527`	`547`
`528`	`548`	`// assign cluster IP of the service to the dummy interface so that its routable from the pod's on the node`
`529`		`- err := nsc.ln.ipAddrAdd(dummyVipInterface, svc.clusterIP.String())`
	`549`	`+ err := nsc.ln.ipAddrAdd(dummyVipInterface, svc.clusterIP.String(), true)`
`530`	`550`	`if err != nil {`
`531`	`551`	`continue`
`532`	`552`	`}`
`@@ -636,7 +656,7 @@ func (nsc *NetworkServicesController) syncIpvsServices(serviceInfoMap serviceInf`
`636`	`656`	`}`
`637`	`657`	`} else {`
`638`	`658`	`// ensure director with vip assigned`
`639`		`- err := nsc.ln.ipAddrAdd(dummyVipInterface, externalIP)`
	`659`	`+ err := nsc.ln.ipAddrAdd(dummyVipInterface, externalIP, true)`
`640`	`660`	`if err != nil && err.Error() != IFACE_HAS_ADDR {`
`641`	`661`	`glog.Errorf("Failed to assign external ip %s to dummy interface %s due to %s", externalIP, KUBE_DUMMY_IF, err.Error())`
`642`	`662`	`}`
`@@ -981,7 +1001,7 @@ func (ln *linuxNetworking) prepareEndpointForDsr(containerId string, endpointIP`
`981`	`1001`	`}`
`982`	`1002`
`983`	`1003`	`// assign VIP to the KUBE_TUNNEL_IF interface`
`984`		`- err = ln.ipAddrAdd(tunIf, vip)`
	`1004`	`+ err = ln.ipAddrAdd(tunIf, vip, false)`
`985`	`1005`	`if err != nil && err.Error() != IFACE_HAS_ADDR {`
`986`	`1006`	`netns.Set(hostNetworkNamespaceHandle)`
`987`	`1007`	`activeNetworkNamespaceHandle, err = netns.Get()`
Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ func (lnm LinuxNetworkingMockImpl) ipvsGetServices() ([]ipvs.Service, error) {`
`46`	`46`	`copy(svcsCopy, lnm.ipvsSvcs)`
`47`	`47`	`return svcsCopy, nil`
`48`	`48`	`}`
`49`		`-func (lnm *LinuxNetworkingMockImpl) ipAddrAdd(iface netlink.Link, addr string) error {`
	`49`	`+func (lnm *LinuxNetworkingMockImpl) ipAddrAdd(iface netlink.Link, addr string, addRouter bool) error {`
`50`	`50`	`return nil`
`51`	`51`	`}`
`52`	`52`	`func (lnm LinuxNetworkingMockImpl) ipvsAddServer(ipvsSvc ipvs.Service, ipvsDst *ipvs.Destination, local bool, podCidr string) error {`