Issue 572 - Graceful termination + Update to go-1.10.8, alpine-3.9 (#706)

* update netlink

* update libnetwork to get ipvs stats

* update gopkg.lock for libnetwork update

* update libnetwork

* add cli options

* make endpoints delete gracefully

* move conntrack flusher

* get some order in the mainloop

* update to alpine 3.9 & go 1.11.1

* revert to 1.10.3 just update alpine

* and revert travis.yml

* lock version

* test 1.12

* test

Author: roffe

.travis.yml

@@ -3,7 +3,7 @@ services:
 
 language: go
 go:
-  - 1.10.x
+  - 1.10.8
 
 branches:
   only: 

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.7
+FROM alpine:3.9
 
 RUN apk add --no-cache \
       iptables \

Gopkg.lock

@@ -69,7 +69,7 @@ required = ["github.com/osrg/gobgp/gobgp"]
 
 [[override]]
   name = "github.com/vishvananda/netlink"
-  version = "1.0.0"
+  revision = "f504738125a57f35f87fc30fb69b8df75237ccde"
 
 [[constraint]]
   branch = "master"
@@ -89,7 +89,7 @@ required = ["github.com/osrg/gobgp/gobgp"]
 
 [[constraint]]
   name = "github.com/docker/libnetwork"
-  revision = "14aa49f99093e1a22e65155b641103762911db8d"
+  revision = "48f846327bbe6a0dce0c556e8dc9f5bb939d5c16"
 
 [[override]]
   revision = "1e2f10eb65743fed02f573d31a4587de09afb20e"

Gopkg.toml

@@ -17,7 +17,7 @@ DOCKER=$(if $(or $(IN_DOCKER_GROUP),$(IS_ROOT),$(OSX)),docker,sudo docker)
 MAKEFILE_DIR=$(dir $(realpath $(firstword $(MAKEFILE_LIST))))
 UPSTREAM_IMPORT_PATH=$(GOPATH)/src/github.com/cloudnativelabs/kube-router/
 BUILD_IN_DOCKER?=false
-DOCKER_BUILD_IMAGE?=golang:1.10.3-alpine
+DOCKER_BUILD_IMAGE?=golang:1.10.8-alpine3.9
 ifeq ($(GOARCH), arm)
 ARCH_TAG_PREFIX=$(GOARCH)
 FILE_ARCH=ARM
@@ -53,9 +53,9 @@ endif
 test: gofmt gomoqs ## Runs code quality pipelines (gofmt, tests, coverage, lint, etc)
 ifeq "$(BUILD_IN_DOCKER)" "true"
 	$(DOCKER) run -v $(PWD):/go/src/github.com/cloudnativelabs/kube-router -w /go/src/github.com/cloudnativelabs/kube-router $(DOCKER_BUILD_IMAGE) \
-	    sh -c 'go test github.com/cloudnativelabs/kube-router/cmd/kube-router/ github.com/cloudnativelabs/kube-router/pkg/...'
+	    sh -c 'go test -v -timeout 30s github.com/cloudnativelabs/kube-router/cmd/kube-router/ github.com/cloudnativelabs/kube-router/pkg/...'
 else
-		go test github.com/cloudnativelabs/kube-router/cmd/kube-router/ github.com/cloudnativelabs/kube-router/pkg/...
+		go test -v -timeout 30s github.com/cloudnativelabs/kube-router/cmd/kube-router/ github.com/cloudnativelabs/kube-router/pkg/...
 endif
 
 vagrant-up: export docker=$(DOCKER)

Makefile

@@ -57,6 +57,8 @@ Usage of kube-router:
   -h, --help                             Print usage information.
       --hostname-override string         Overrides the NodeName of the node. Set this if kube-router is unable to determine your NodeName automatically.
       --iptables-sync-period duration    The delay between iptables rule synchronizations (e.g. '5s', '1m'). Must be greater than 0. (default 5m0s)
+      --ipvs-graceful-period duration    The graceful period before removing destinations from IPVS services (e.g. '5s', '1m', '2h22m'). Must be greater than 0. (default 30s)
+      --ipvs-graceful-termination        Enables the experimental IPVS graceful terminaton capability
       --ipvs-sync-period duration        The delay between ipvs config synchronizations (e.g. '5s', '1m', '2h22m'). Must be greater than 0. (default 5m0s)
       --kubeconfig string                Path to kubeconfig file with authorization information (the master location is set by the master flag).
       --masquerade-all                   SNAT all traffic to cluster IP/node port.
@@ -285,6 +287,13 @@ If you would like to use `HostPort` functionality below changes are required in
 
 For an e.g manifest please look at [manifest](../daemonset/kubeadm-kuberouter-all-features-hostport.yaml) with necessary changes required for `HostPort` functionality.
 
+## IPVS Graceful termination support
+
+As of 0.2.6 we support experimental graceful termination of IPVS destinations. When possible the pods's TerminationGracePeriodSeconds is used, if it cannot be retrived for some reason
+the fallback period is 30 seconds and can be adjusted with `--ipvs-graceful-period` cli-opt
+
+graceful termination works in such a way that when kube-router receives a delete endpoint notification for a service it's weight is adjusted to 0 before getting deleted after he termination grace period has passed or the Active & Inactive connections goes down to 0.
+
 ## BGP configuration
 
 [Configuring BGP Peers](bgp.md)

docs/user-guide.md

@@ -0,0 +1,162 @@
+package proxy
+
+import (
+	"fmt"
+	"os/exec"
+	"regexp"
+	"strconv"
+	"sync"
+	"syscall"
+	"time"
+
+	"github.com/docker/libnetwork/ipvs"
+	"github.com/golang/glog"
+)
+
+type gracefulQueue struct {
+	mu    sync.Mutex
+	queue []gracefulRequest
+}
+
+type gracefulQueueItem struct {
+	added   time.Time
+	service *ipvs.Service
+}
+
+type gracefulRequest struct {
+	ipvsSvc                   *ipvs.Service
+	ipvsDst                   *ipvs.Destination
+	deletionTime              time.Time
+	gracefulTerminationPeriod time.Duration
+}
+
+func (nsc *NetworkServicesController) ipvsDeleteDestination(svc *ipvs.Service, dst *ipvs.Destination) error {
+	// If we have enabled graceful termination set the weight of the destination to 0
+	// then add it to the queue for graceful termination
+	if nsc.gracefulTermination {
+		req := gracefulRequest{
+			ipvsSvc:      svc,
+			ipvsDst:      dst,
+			deletionTime: time.Now(),
+		}
+		dst.Weight = 0
+		err := nsc.ln.ipvsUpdateDestination(svc, dst)
+		if err != nil {
+			return err
+		}
+		nsc.addToGracefulQueue(&req)
+	} else {
+		err := nsc.ln.ipvsDelDestination(svc, dst)
+		if err != nil {
+			return err
+		}
+	}
+	// flush conntrack when Destination for a UDP service changes
+	if svc.Protocol == syscall.IPPROTO_UDP {
+		if err := nsc.flushConntrackUDP(svc); err != nil {
+			glog.Errorf("Failed to flush conntrack: %s", err.Error())
+		}
+	}
+	return nil
+}
+
+func (nsc *NetworkServicesController) addToGracefulQueue(req *gracefulRequest) {
+	nsc.gracefulQueue.mu.Lock()
+	defer nsc.gracefulQueue.mu.Unlock()
+	var alreadyExists bool
+	for _, jobQitem := range nsc.gracefulQueue.queue {
+		if jobQitem.ipvsSvc.Address.Equal(req.ipvsSvc.Address) && jobQitem.ipvsSvc.Port == req.ipvsSvc.Port && jobQitem.ipvsSvc.Protocol == req.ipvsSvc.Protocol {
+			if jobQitem.ipvsDst.Address.Equal(req.ipvsDst.Address) && jobQitem.ipvsDst.Port == req.ipvsDst.Port {
+				glog.V(2).Infof("Endpoint already scheduled for removal %+v %+v %s", *req.ipvsSvc, *req.ipvsDst, req.gracefulTerminationPeriod.String())
+				alreadyExists = true
+				break
+			}
+		}
+	}
+	if !alreadyExists {
+		// try to get get Termination grace period from the pod, if unsuccesfull use the default timeout
+		podObj, err := nsc.getPodObjectForEndpoint(req.ipvsDst.Address.String())
+		if err != nil {
+			glog.V(1).Infof("Failed to find endpoint with ip: %s err: %s", req.ipvsDst.Address.String(), err.Error())
+			req.gracefulTerminationPeriod = nsc.gracefulPeriod
+		} else {
+			glog.V(1).Infof("Found pod termination grace period %d for pod %s", *podObj.Spec.TerminationGracePeriodSeconds, podObj.Name)
+			req.gracefulTerminationPeriod = time.Duration(float64(*podObj.Spec.TerminationGracePeriodSeconds) * float64(time.Second))
+		}
+		nsc.gracefulQueue.queue = append(nsc.gracefulQueue.queue, *req)
+	}
+}
+
+func (nsc *NetworkServicesController) gracefulSync() {
+	nsc.gracefulQueue.mu.Lock()
+	defer nsc.gracefulQueue.mu.Unlock()
+	var newQueue []gracefulRequest
+	// Itterate over our queued destination removals one by one, and don't add them back to the queue if they were processed
+	for _, job := range nsc.gracefulQueue.queue {
+		if removed := nsc.gracefulDeleteIpvsDestination(job); removed {
+			continue
+		}
+		newQueue = append(newQueue, job)
+	}
+	nsc.gracefulQueue.queue = newQueue
+}
+
+func (nsc *NetworkServicesController) gracefulDeleteIpvsDestination(req gracefulRequest) bool {
+	var deleteDestination bool
+	// Get active and inactive connections for the destination
+	aConn, iConn, err := nsc.getIpvsDestinationConnStats(req.ipvsSvc, req.ipvsDst)
+	if err != nil {
+		glog.V(1).Infof("Could not get connection stats for destination: %s", err.Error())
+	} else {
+		// Do we have active or inactive connections to this destination
+		// if we don't, proceed and delete the destination ahead of graceful period
+		if aConn == 0 && iConn == 0 {
+			deleteDestination = true
+		}
+	}
+
+	// Check if our destinations graceful termination period has passed
+	if time.Since(req.deletionTime) > req.gracefulTerminationPeriod {
+		deleteDestination = true
+	}
+
+	//Destination has has one or more conditions for deletion
+	if deleteDestination {
+		glog.V(2).Infof("Deleting IPVS destination: %s", ipvsDestinationString(req.ipvsDst))
+		if err := nsc.ln.ipvsDelDestination(req.ipvsSvc, req.ipvsDst); err != nil {
+			glog.Errorf("Failed to delete IPVS destination: %s, %s", ipvsDestinationString(req.ipvsDst), err.Error())
+		}
+	}
+	return deleteDestination
+}
+
+// getConnStats returns the number of active & inactive connections for the IPVS destination
+func (nsc *NetworkServicesController) getIpvsDestinationConnStats(ipvsSvc *ipvs.Service, dest *ipvs.Destination) (int, int, error) {
+	destStats, err := nsc.ln.ipvsGetDestinations(ipvsSvc)
+	if err != nil {
+		return 0, 0, fmt.Errorf("failed to get IPVS destinations for service : %s : %s", ipvsServiceString(ipvsSvc), err.Error())
+	}
+
+	for _, destStat := range destStats {
+		if destStat.Address.Equal(dest.Address) && destStat.Port == dest.Port {
+			return destStat.ActiveConnections, destStat.InactiveConnections, nil
+		}
+	}
+	return 0, 0, fmt.Errorf("destination %s not found on IPVS service %s ", ipvsDestinationString(dest), ipvsServiceString(ipvsSvc))
+}
+
+// flushConntrackUDP flushes UDP conntrack records for the given service destination
+func (nsc *NetworkServicesController) flushConntrackUDP(svc *ipvs.Service) error {
+	// Conntrack exits with non zero exit code when exiting if 0 flow entries have been deleted, use regex to check output and don't Error when matching
+	re := regexp.MustCompile("([[:space:]]0 flow entries have been deleted.)")
+
+	// Shell out and flush conntrack records
+	out, err := exec.Command("conntrack", "-D", "--orig-dst", svc.Address.String(), "-p", "udp", "--dport", strconv.Itoa(int(svc.Port))).CombinedOutput()
+	if err != nil {
+		if matched := re.MatchString(string(out)); !matched {
+			return fmt.Errorf("Failed to delete conntrack entry for endpoint: %s:%d due to %s", svc.Address.String(), svc.Port, err.Error())
+		}
+	}
+	glog.V(1).Infof("Deleted conntrack entry for endpoint: %s:%d", svc.Address.String(), svc.Port)
+	return nil
+}