Skip to content

Watch firewall reload in sysconfigwatcher#1185

Closed
zshi-redhat wants to merge 2 commits intoopenshift:mainfrom
zshi-redhat:firewall-reload-watcher
Closed

Watch firewall reload in sysconfigwatcher#1185
zshi-redhat wants to merge 2 commits intoopenshift:mainfrom
zshi-redhat:firewall-reload-watcher

Conversation

@zshi-redhat
Copy link
Contributor

@zshi-redhat zshi-redhat commented Dec 11, 2022

@openshift-ci openshift-ci bot requested review from benluddy and fzdarsky December 11, 2022 05:02
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 11, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: zshi-redhat

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 11, 2022
ggiguash
ggiguash reviewed Dec 11, 2022
View reviewed changes
ggiguash
ggiguash suggested changes Dec 11, 2022
View reviewed changes
@zshi-redhat zshi-redhat force-pushed the firewall-reload-watcher branch from b65f05f to 499e54c Compare December 11, 2022 13:35
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 11, 2022
@zshi-redhat zshi-redhat force-pushed the firewall-reload-watcher branch from 499e54c to 79941fb Compare December 11, 2022 13:40
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 11, 2022
@zshi-redhat
Copy link
Contributor Author

zshi-redhat commented Dec 11, 2022

resolved merge conflict.

ggiguash
ggiguash reviewed Dec 11, 2022
View reviewed changes
@zshi-redhat zshi-redhat force-pushed the firewall-reload-watcher branch from 79941fb to 178ad89 Compare December 12, 2022 01:15
@ggiguash
Copy link
Contributor

ggiguash commented Dec 12, 2022

This change is LGTM, but we need to wait until 4.12 branch is created.
/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 12, 2022
dhellmann
dhellmann reviewed Dec 12, 2022
View reviewed changes
Copy link
Contributor

@dhellmann dhellmann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For CSI, we drew a boundary so there was a clear line between the system configuration the user had to provide (volume groups and the lvmd.conf file) and the setup that MicroShift did (a default lvmd.conf if none is provided). Can we create a similar boundary for CNI so that we do not need to monitor the firewall rules, IP, or other networking changes?

pkg/config/config.go Outdated
Copy link
Contributor

@dhellmann dhellmann Dec 12, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to expose this field to users or can it be an internal value?

Copy link
Contributor Author

@zshi-redhat zshi-redhat Dec 13, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It will be for internal use only. Captured when microshift main process starts.

@zshi-redhat
Copy link
Contributor Author

zshi-redhat commented Dec 13, 2022

For CSI, we drew a boundary so there was a clear line between the system configuration the user had to provide (volume groups and the lvmd.conf file) and the setup that MicroShift did (a default lvmd.conf if none is provided). Can we create a similar boundary for CNI so that we do not need to monitor the firewall rules, IP, or other networking changes?

Agree on the boundary statement between microshift and plugins, I thought about adding this in CNI implementation only.
One consideration of adding this monitor logic in sysconfWatcher is that iptables could be used by other components.
For example: with hostPort in pod spec, iptables rules are used to map host ports to container ports, they will be affected by firewall reload as well. These hostPort iptables are not managed by CNI.

@dhellmann
Copy link
Contributor

dhellmann commented Dec 13, 2022

For CSI, we drew a boundary so there was a clear line between the system configuration the user had to provide (volume groups and the lvmd.conf file) and the setup that MicroShift did (a default lvmd.conf if none is provided). Can we create a similar boundary for CNI so that we do not need to monitor the firewall rules, IP, or other networking changes?

Agree on the boundary statement between microshift and plugins, I thought about adding this in CNI implementation only. One consideration of adding this monitor logic in sysconfWatcher is that iptables could be used by other components. For example: with hostPort in pod spec, iptables rules are used to map host ports to container ports, they will be affected by firewall reload as well. These hostPort iptables are not managed by CNI.

Is there a way to organize the system so that we do not need to restart MicroShift when firewall rules change at all? Can we isolate the rule sets that users manage from the ones that MicroShift manages somehow?

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 16, 2022
@zshi-redhat zshi-redhat force-pushed the firewall-reload-watcher branch from 178ad89 to 694a167 Compare December 22, 2022 01:49
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 22, 2022
@zshi-redhat
Copy link
Contributor Author

zshi-redhat commented Dec 22, 2022

For CSI, we drew a boundary so there was a clear line between the system configuration the user had to provide (volume groups and the lvmd.conf file) and the setup that MicroShift did (a default lvmd.conf if none is provided). Can we create a similar boundary for CNI so that we do not need to monitor the firewall rules, IP, or other networking changes?

Agree on the boundary statement between microshift and plugins, I thought about adding this in CNI implementation only. One consideration of adding this monitor logic in sysconfWatcher is that iptables could be used by other components. For example: with hostPort in pod spec, iptables rules are used to map host ports to container ports, they will be affected by firewall reload as well. These hostPort iptables are not managed by CNI.

Is there a way to organize the system so that we do not need to restart MicroShift when firewall rules change at all? Can we isolate the rule sets that users manage from the ones that MicroShift manages somehow?

@dhellmann I moved the iptable detection logic to infrastructure manager service which only reloads affected microshift components (router and ovnk). This avoids microshift restart. For application workload that uses hostPort, this won't help since the iptable rules for hostPort are injected by cri-o during pod sandbox creation, these rules won't be reconciled periodically unless recreating the workload. So current patch takes care of microshift components when firewall reload happens, we probably want to document that user workload with hostPort could be impacted by user action (reload firewall). wdyt?

@zshi-redhat
Copy link
Contributor Author

zshi-redhat commented Dec 22, 2022

/retest

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 22, 2022

@zshi-redhat: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@zshi-redhat
Copy link
Contributor Author

zshi-redhat commented Jan 9, 2023

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 9, 2023
mangelajo
mangelajo reviewed Jan 24, 2023
View reviewed changes
pkg/components/controllers.go
}

if err := assets.ApplyDeployments(apps, renderTemplate, renderParamsFromConfig(cfg, nil), kubeconfigPath); err != nil {
extraParams := assets.RenderParams{
Copy link
Contributor

@mangelajo mangelajo Jan 24, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess that for a decoupled CNI-plugin we may need to call the CNI plugin (know it's a CNI plugin) and call it to re-create the deployment.

We could make that part of a plugin interface i.e. have a "restart" call to the plugin which would add creation timestamps to the objects that need re-creation in the event of necessity.

Hmmmmm

Copy link
Contributor

@dhellmann dhellmann Jan 25, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is one reason to have MicroShift run the plugin scripts, instead of relying solely on systemd. @fzdarsky

@mangelajo
Copy link
Contributor

mangelajo commented Jan 24, 2023

@dhellmann I left a comment inside about could we make something like this work with pluggable CNI.

@mangelajo mangelajo mentioned this pull request Jan 26, 2023
Closed
@mangelajo
Copy link
Contributor

mangelajo commented Jan 27, 2023

/hold

I believe I found an alternative to make firewalld leave iptables alone (not flushing them)

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 27, 2023
@mangelajo
Copy link
Contributor

mangelajo commented Jan 27, 2023

/hold

@dhellmann
Copy link
Contributor

dhellmann commented Jan 31, 2023

I think since we took #1306 we no longer need this. Please reopen the PR if I misunderstood.

/close

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 31, 2023
@openshift-merge-robot
Copy link
Contributor

openshift-merge-robot commented Jan 31, 2023

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot closed this Jan 31, 2023
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 31, 2023

@dhellmann: Closed this PR.

Details

In response to this:

I think since we took #1306 we no longer need this. Please reopen the PR if I misunderstood.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@microshift-rebase-script microshift-rebase-script bot mentioned this pull request Jan 19, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dhellmann dhellmann dhellmann left review comments

@mangelajo mangelajo mangelajo left review comments

@benluddy benluddy Awaiting requested review from benluddy

@fzdarsky fzdarsky Awaiting requested review from fzdarsky

+1 more reviewer

@ggiguash ggiguash ggiguash requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@zshi-redhat @ggiguash @dhellmann @mangelajo @openshift-merge-robot