Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

udn: Wire up multicast for primary networks. #4547

Closed
wants to merge 12 commits into from

Conversation

qinqon
Copy link
Contributor

@qinqon qinqon commented Jul 19, 2024

What this PR does and why is it needed

TODO:

  • The e2e IGMP test depends on installing tcpdump, but we don't have egress yet to do so
  • Unit test, reuse stuff under pkg/ovn/mutlicast_test.go

Which issue(s) this PR fixes

Fixes #

Special notes for reviewers

How to verify it

Details to documentation updates

Description for the changelog

Does this PR introduce a user-facing change?


@coveralls
Copy link

coveralls commented Jul 19, 2024

Coverage Status

coverage: 52.804% (-0.01%) from 52.818%
when pulling bf6ec33 on qinqon:primary-udn-e2e-multicast
into 01c2456 on ovn-org:master.

@qinqon qinqon force-pushed the primary-udn-e2e-multicast branch 2 times, most recently from a58ec67 to aad2a3c Compare July 19, 2024 09:53
@tssurya tssurya added the feature/user-defined-network-segmentation All PRs related to User defined network segmentation label Jul 19, 2024
@qinqon qinqon force-pushed the primary-udn-e2e-multicast branch from aad2a3c to 1b8a8dc Compare July 19, 2024 13:07
@qinqon
Copy link
Contributor Author

qinqon commented Jul 23, 2024

e2e passes at CI but not locally.

@qinqon
Copy link
Contributor Author

qinqon commented Jul 23, 2024

Default deny is breaking multicast, this are the ACLs so far

2 Default deny ingress/egress ACLs

_uuid               : 8dbd89c3-9ac2-4532-bda9-9b1df3d85b28
action              : drop
direction           : to-lport
external_ids        : {direction=Ingress, "k8s.ovn.org/id"="rzgnb_gryffindor-network-controller:MulticastCluster:DefaultDeny:Ingress", "k8s.ovn.org/owner-controller"=rzgnb_gryffindor-network-controller, "k8s.ovn.org/owner-type"=MulticastCluster, type=DefaultDeny}
label               : 0
log                 : false
match               : "(ip4.mcast || mldv1 || mldv2 || (ip6.dst[120..127] == 0xff && ip6.dst[116] == 1))"
meter               : acl-logging
name                : []
options             : {}
priority            : 1011
severity            : []
tier                : 2

_uuid               : 10c39707-c72e-4da4-9664-8c6fabc88c1f
action              : drop
direction           : from-lport
external_ids        : {direction=Egress, "k8s.ovn.org/id"="rzgnb_gryffindor-network-controller:MulticastCluster:DefaultDeny:Egress", "k8s.ovn.org/owner-controller"=rzgnb_gryffindor-network-controller, "k8s.ovn.org/owner-type"=MulticastCluster, type=DefaultDeny}
label               : 0
log                 : false
match               : "(ip4.mcast || mldv1 || mldv2 || (ip6.dst[120..127] == 0xff && ip6.dst[116] == 1))"
meter               : acl-logging
name                : []
options             : {apply-after-lb="true"}
priority            : 1011
severity            : []
tier                : 2

2 ACLs cluster default allow inter node multicast traffic ingress/egress


_uuid               : f5626f2a-ebc1-43f1-b8a3-adb3e6e0aa53
action              : allow
direction           : from-lport
external_ids        : {direction=Egress, "k8s.ovn.org/id"="rzgnb_gryffindor-network-controller:MulticastCluster:AllowInterNode:Egress", "k8s.ovn.org/owner-controller"=rzgnb_gryffindor-network-controller, "k8s.ovn.org/owner-type"=MulticastCluster, type=AllowInterNode}
label               : 0
log                 : false
match               : "inport == @a10122709809664695909 && (ip4.mcast || mldv1 || mldv2 || (ip6.dst[120..127] == 0xff && ip6.dst[116] == 1))"
meter               : acl-logging
name                : []
options             : {apply-after-lb="true"}
priority            : 1012
severity            : []
tier                : 2

_uuid               : de0f1ea1-0576-4903-a123-6b862eafb703
action              : allow
direction           : to-lport
external_ids        : {direction=Ingress, "k8s.ovn.org/id"="rzgnb_gryffindor-network-controller:MulticastNS:network-segmentation-668:Ingress", "k8s.ovn.org/name"=network-segmentation-668, "k8s.ovn.org/owner-controller"=rzgnb_gryffindor-network-controller, "k8s.ovn.org/owner-type"=MulticastNS}
label               : 0
log                 : false
match               : "outport == @a14005067550931942570 && ((igmp || (ip4.src == $a16357502162385096434 && ip4.mcast)) || (mldv1 || mldv2 || (ip6.src == $a16357499963361840012 && (ip6.dst[120..127] == 0xff && ip6.dst[116] == 1))))"
meter               : acl-logging
name                : []
options             : {}
priority            : 1012
severity            : []
tier                : 2

2 ACLs per namespace + network for ingress/egress


_uuid               : 733c2a1a-25c9-4f72-a56f-77d8c87b6aba
action              : allow
direction           : from-lport
external_ids        : {direction=Egress, "k8s.ovn.org/id"="rzgnb_gryffindor-network-controller:MulticastNS:network-segmentation-668:Egress", "k8s.ovn.org/name"=network-segmentation-668, "k8s.ovn.org/owner-controller"=rzgnb_gryffindor-network-controller, "k8s.ovn.org/owner-type"=MulticastNS}
label               : 0
log                 : false
match               : "inport == @a14005067550931942570 && (ip4.mcast || (mldv1 || mldv2 || (ip6.dst[120..127] == 0xff && ip6.dst[116] == 1)))"
meter               : acl-logging
name                : []
options             : {apply-after-lb="true"}
priority            : 1012
severity            : []
tier                : 2

_uuid               : 4ca31f5a-11dd-4125-864a-9ce6fc107f93
action              : allow
direction           : to-lport
external_ids        : {direction=Ingress, "k8s.ovn.org/id"="rzgnb_gryffindor-network-controller:MulticastNS:network-segmentation-668:Ingress", "k8s.ovn.org/name"=network-segmentation-668, "k8s.ovn.org/owner-controller"=rzgnb_gryffindor-network-controller, "k8s.ovn.org/owner-type"=MulticastNS}
label               : 0
log                 : false
match               : "outport == @a14005067550931942570 && ((igmp || (ip4.src == $a16357502162385096434 && ip4.mcast)) || (mldv1 || mldv2 || (ip6.src == $a16357499963361840012 && (ip6.dst[120..127] == 0xff && ip6.dst[116] == 1))))"
meter               : acl-logging
name                : []
options             : {}
priority            : 1012

@qinqon
Copy link
Contributor Author

qinqon commented Jul 23, 2024

Ok, the per namepsace port group is missing the LSPs

_uuid               : 3c8d8603-345c-4bec-ac25-93b0a0d12ed8
acls                : [de0f1ea1-0576-4903-a123-6b862eafb703, f7fb75a3-0234-476f-ab79-9c6832b99fbf]
external_ids        : {"k8s.ovn.org/id"="rzgnb_gryffindor-network-controller:Namespace:network-segmentation-668", "k8s.ovn.org/name"=network-segmentation-668, "k8s.ovn.org/owner-controller"=rzgnb_gryffindor-network-controller, "k8s.ovn.org/owner-type"=Namespace}
name                : a14005067550931942570
ports               : []

@qinqon qinqon force-pushed the primary-udn-e2e-multicast branch 2 times, most recently from 7a8128a to 12095a4 Compare July 23, 2024 12:45
@qinqon
Copy link
Contributor Author

qinqon commented Jul 23, 2024

Legit unit test failure

• Failure [1.524 seconds]
OVN MultiNetworkPolicy Operations
/home/ellorent/Documents/cnv/upstream/ovn-kubernetes/go-controller/pkg/ovn/multipolicy_test.go:219
  during execution
  /home/ellorent/Documents/cnv/upstream/ovn-kubernetes/go-controller/pkg/ovn/multipolicy_test.go:427
    correctly adds and deletes pod IPs from secondary network namespace address set
    /home/ellorent/Documents/cnv/upstream/ovn-kubernetes/go-controller/pkg/ovn/multipolicy_test.go:560
      on remote zone for layer3 topology [It]
      /home/ellorent/Documents/cnv/upstream/ovn-kubernetes/go-controller/pkg/ovn/multipolicy_test.go:652

      Timed out after 1.001s.
      The function passed to Eventually failed at /home/ellorent/Documents/cnv/upstream/ovn-kubernetes/go-controller/pkg/ovn/address_set/fake_address_set.go:202 with:
      Expected
          <map[string]string | len:0>: {}
      to have key
          <string>: 10.1.1.1

      /home/ellorent/Documents/cnv/upstream/ovn-kubernetes/go-controller/pkg/ovn/address_set/fake_address_set.go:248
------------------------------

@qinqon qinqon force-pushed the primary-udn-e2e-multicast branch from 12095a4 to bf6ec33 Compare July 23, 2024 15:16
@qinqon qinqon marked this pull request as ready for review July 23, 2024 15:21
@qinqon qinqon requested a review from a team as a code owner July 23, 2024 15:21
@qinqon qinqon requested a review from jcaamano July 23, 2024 15:21
@qinqon qinqon changed the title Primary udn e2e multicast udn: Wire up multicast for primary networks. Jul 23, 2024
@qinqon qinqon force-pushed the primary-udn-e2e-multicast branch 2 times, most recently from 62256a9 to f209a02 Compare July 24, 2024 08:03
@qinqon
Copy link
Contributor Author

qinqon commented Jul 24, 2024

IGMP query test not working for primary UDNs.

@qinqon qinqon force-pushed the primary-udn-e2e-multicast branch from f209a02 to 708b0a4 Compare July 24, 2024 11:41
@github-actions github-actions bot added area/unit-testing Issues related to adding/updating unit tests feature/egress-firewall All issues related to egress firewall labels Jul 24, 2024
@qinqon qinqon force-pushed the primary-udn-e2e-multicast branch 3 times, most recently from 9a141da to aada474 Compare July 26, 2024 07:08
To reuse the multicast UDP and IGMP test at network segmentation test suite this
change move the test to a function we can call from there, it also wrap
the mechanism to activate at namespace and make both UDP and IGMP take
same parameters

Signed-off-by: Enrique Llorente <ellorent@redhat.com>
Signed-off-by: Enrique Llorente <ellorent@redhat.com>
Signed-off-by: Enrique Llorente <ellorent@redhat.com>
Signed-off-by: Enrique Llorente <ellorent@redhat.com>
Multicast was disable for UDN, this change activate it only when network
segmentation and multicast is enabled and the network is layer2 or
layer3.

Signed-off-by: Enrique Llorente <ellorent@redhat.com>
At UDN namespace controller was started only if multi net policies was
enabled this change activate it also when network segmentation and
multicast is enabled.

Signed-off-by: Enrique Llorente <ellorent@redhat.com>
Signed-off-by: Enrique Llorente <ellorent@redhat.com>
Signed-off-by: Enrique Llorente <ellorent@redhat.com>
Signed-off-by: Enrique Llorente <ellorent@redhat.com>
Signed-off-by: Enrique Llorente <ellorent@redhat.com>
Signed-off-by: Enrique Llorente <ellorent@redhat.com>
Signed-off-by: Enrique Llorente <ellorent@redhat.com>
tssurya added a commit to tssurya/ovn-kubernetes that referenced this pull request Sep 19, 2024
We kept trying to add the management port
for secondary networks into the cluster
port group of secondary networks.

But that port group doesn't exist yet.
It will exist once we get ovn-org#4547
merged but until then this is causing
infinite retries from syncMgmtPort
erroring out.

Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
tssurya added a commit to tssurya/ovn-kubernetes that referenced this pull request Sep 19, 2024
We kept trying to add the management port
for secondary networks into the cluster
port group of secondary networks.

But that port group doesn't exist yet.
It will exist once we get ovn-org#4547
merged but until then this is causing
infinite retries from syncMgmtPort
erroring out.

Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
tssurya added a commit to tssurya/ovn-kubernetes that referenced this pull request Sep 19, 2024
We kept trying to add the management port
for secondary networks into the cluster
port group of secondary networks.

But that port group doesn't exist yet.
It will exist once we get ovn-org#4547
merged but until then this is causing
infinite retries from syncMgmtPort
erroring out.

Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
tssurya added a commit to tssurya/ovn-kubernetes that referenced this pull request Oct 9, 2024
We kept trying to add the management port
for secondary networks into the cluster
port group of secondary networks.

But that port group doesn't exist yet.
It will exist once we get ovn-org#4547
merged but until then this is causing
infinite retries from syncMgmtPort
erroring out.

Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
tssurya added a commit to tssurya/ovn-kubernetes that referenced this pull request Oct 9, 2024
We kept trying to add the management port
for secondary networks into the cluster
port group of secondary networks.

But that port group doesn't exist yet.
It will exist once we get ovn-org#4547
merged but until then this is causing
infinite retries from syncMgmtPort
erroring out.

Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
zeeke pushed a commit to zeeke/ovn-kubernetes-us that referenced this pull request Oct 22, 2024
We kept trying to add the management port
for secondary networks into the cluster
port group of secondary networks.

But that port group doesn't exist yet.
It will exist once we get ovn-org#4547
merged but until then this is causing
infinite retries from syncMgmtPort
erroring out.

Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
@dceara
Copy link
Contributor

dceara commented Oct 22, 2024

Closing in favor of #4797

@dceara dceara closed this Oct 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/e2e-testing area/unit-testing Issues related to adding/updating unit tests feature/egress-firewall All issues related to egress firewall feature/user-defined-network-segmentation All PRs related to User defined network segmentation
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

4 participants