Merge pull request #426 from anfredette/check-inodes

Check for Duplicate Network Namespace Inodes

Author: mergify[bot]

Makefile

@@ -362,7 +362,6 @@ build-agent-image: ## Build bpfman-agent image.
 push-images: ## Push bpfman-agent and bpfman-operator images.
 	$(OCI_BIN) push ${BPFMAN_OPERATOR_IMG}
 	$(OCI_BIN) push ${BPFMAN_AGENT_IMG}
-	$(OCI_BIN) push ${BPFMAN_IMG}
 
 .PHONY: load-images-kind
 load-images-kind: ## Load bpfman-agent, and bpfman-operator images into the running local kind devel cluster.

cmd/bpfman-agent/main.go

@@ -267,11 +267,11 @@ func interfaceListener(ctx context.Context, ifaceEvents <-chan ifaces.Event, int
 			iface := event.Interface
 			switch event.Type {
 			case ifaces.EventAdded:
-				setupLog.Info("interface created", "Name", iface.Name, "netns", iface.NetNS)
+				setupLog.Info("interface created", "Name", iface.Name, "netns", iface.NSName, "NsHandle", iface.NetNS)
 				interfaces.Store(iface, true)
 			case ifaces.EventDeleted:
-				setupLog.Info("interface deleted", "Name", iface.Name, "netns", iface.NetNS)
-				interfaces.Store(iface, false)
+				setupLog.Info("interface deleted", "Name", iface.Name, "netns", iface.NSName, "NsHandle", iface.NetNS)
+				interfaces.Delete(iface)
 			default:
 			}
 		}

config/bpfman-deployment/daemonset.yaml

@@ -147,6 +147,9 @@ spec:
               name: host-dockerd
             - mountPath: /etc/crictl.yaml
               name: host-crictl-config
+            - mountPath: /host/proc
+              name: host-proc
+              mountPropagation: HostToContainer
             - mountPath: /var/run/netns
               name: var-run-netns
               mountPropagation: HostToContainer

controllers/bpfman-agent/cl_application_program.go

@@ -125,8 +125,9 @@ func (r *ClBpfApplicationReconciler) Reconcile(ctx context.Context, req ctrl.Req
 	r.Logger = ctrl.Log.WithName("cluster-app")
 	r.finalizer = internal.ClBpfApplicationControllerFinalizer
 	r.recType = internal.ApplicationString
+	r.NetnsCache = make(map[string]uint64)
 
-	r.Logger.Info("Enter BpfApplication Reconcile", "Name", req.Name)
+	r.Logger.Info("Enter ClusterBpfApplication Reconcile", "Name", req.Name)
 
 	// Lookup K8s node object for this bpfman-agent This should always succeed
 	if err := r.Get(ctx, types.NamespacedName{Namespace: v1.NamespaceAll, Name: r.NodeName}, r.ourNode); err != nil {

controllers/bpfman-agent/cl_tc_program.go

@@ -168,12 +168,17 @@ func (r *ClTcProgramReconciler) updateLinks(ctx context.Context, isBeingDeleted
 
 	if r.currentProgram.TC != nil && r.currentProgram.TC.Links != nil {
 		for _, attachInfo := range r.currentProgram.TC.Links {
-			expectedLinks, error := r.getExpectedLinks(ctx, attachInfo)
-			if error != nil {
-				return fmt.Errorf("failed to get node links: %v", error)
+			expectedLinks, err := r.getExpectedLinks(ctx, attachInfo)
+			if err != nil {
+				r.Logger.V(1).Info("updateLinks() failed", "error", err)
+				return fmt.Errorf("failed to get node links: %v", err)
 			}
 			for _, link := range expectedLinks {
-				index := r.findLink(link)
+				index, err := r.findLink(link)
+				if err != nil {
+					r.Logger.Info("Error", "Invalid link", r.printAttachInfo(link), "Error", err)
+					continue
+				}
 				if index != nil {
 					// Link already exists, so set ShouldAttach to true.
 					r.currentProgramState.TC.Links[*index].AttachInfoStateCommon.ShouldAttach = true
@@ -194,18 +199,36 @@ func (r *ClTcProgramReconciler) updateLinks(ctx context.Context, isBeingDeleted
 	return nil
 }
 
-func (r *ClTcProgramReconciler) findLink(attachInfoState bpfmaniov1alpha1.ClTcAttachInfoState) *int {
+func (r *ClTcProgramReconciler) printAttachInfo(attachInfoState bpfmaniov1alpha1.ClTcAttachInfoState) string {
+	var netnsPath string
+	if attachInfoState.NetnsPath == "" {
+		netnsPath = "host"
+	} else {
+		netnsPath = attachInfoState.NetnsPath
+	}
+
+	return fmt.Sprintf("interfaceName: %s, netnsPath: %s, direction: %s, priority: %d",
+		attachInfoState.InterfaceName, netnsPath, attachInfoState.Direction, attachInfoState.Priority)
+}
+
+func (r *ClTcProgramReconciler) findLink(attachInfoState bpfmaniov1alpha1.ClTcAttachInfoState) (*int, error) {
+	newNetnsId := r.getNetnsId(attachInfoState.NetnsPath)
+	if newNetnsId == nil {
+		return nil, fmt.Errorf("failed to get netnsId for path %s", attachInfoState.NetnsPath)
+	}
+	r.Logger.V(1).Info("findlink", "New Path", attachInfoState.NetnsPath, "NetnsId", newNetnsId)
 	for i, a := range r.currentProgramState.TC.Links {
 		// attachInfoState is the same as a if the the following fields are the
-		// same: InterfaceName, Direction, Priority, NetnsPath, and ProceedOn.
-		if a.InterfaceName == attachInfoState.InterfaceName && a.Direction == attachInfoState.Direction &&
+		// same: InterfaceName, Direction, Priority, ProceedOn, and network namespace.
+		if a.InterfaceName == attachInfoState.InterfaceName &&
+			a.Direction == attachInfoState.Direction &&
 			a.Priority == attachInfoState.Priority &&
-			reflect.DeepEqual(a.NetnsPath, attachInfoState.NetnsPath) &&
-			reflect.DeepEqual(a.ProceedOn, attachInfoState.ProceedOn) {
-			return &i
+			reflect.DeepEqual(a.ProceedOn, attachInfoState.ProceedOn) &&
+			reflect.DeepEqual(r.getNetnsId(a.NetnsPath), newNetnsId) {
+			return &i, nil
 		}
 	}
-	return nil
+	return nil, nil
 }
 
 // processLinks calls reconcileBpfLink() for each link. It
@@ -291,22 +314,24 @@ func (r *ClTcProgramReconciler) getExpectedLinks(ctx context.Context, attachInfo
 
 	// Handle interface discovery
 	if isInterfacesDiscoveryEnabled(&attachInfo.InterfaceSelector) {
-		discoveredInterfaces, err := getDiscoveredInterfaces(&attachInfo.InterfaceSelector, r.Interfaces)
-		if err != nil {
-			return nil, fmt.Errorf("failed to discover interfaces: %w", err)
-		}
+		discoveredInterfaces := getDiscoveredInterfaces(&attachInfo.InterfaceSelector, r.Interfaces)
+		r.Logger.Info("getExpectedLinks", "num discoveredInterfaces", len(discoveredInterfaces))
 		for _, intf := range discoveredInterfaces {
 			nodeLinks = append(nodeLinks, createLinkEntry(intf.interfaceName, intf.netNSPath))
 		}
+		r.Logger.V(1).Info("getExpectedLinks-discovery", "Links created", len(nodeLinks))
 		return nodeLinks, nil
 	}
 
 	// Fetch interfaces if discovery is disabled
 	interfaces, err := getInterfaces(&attachInfo.InterfaceSelector, r.ourNode)
 	if err != nil {
+		r.Logger.V(1).Info("getExpectedLinks failed to get interfaces", "error", err)
 		return nil, fmt.Errorf("failed to get interfaces for XdpProgram: %w", err)
 	}
 
+	r.Logger.Info("getExpectedLinks", "Number of interfaces", len(interfaces))
+
 	// Handle network namespaces if provided
 	if attachInfo.NetworkNamespaces != nil {
 		containerInfo, err := r.Containers.GetContainers(
@@ -317,6 +342,7 @@ func (r *ClTcProgramReconciler) getExpectedLinks(ctx context.Context, attachInfo
 			r.Logger,
 		)
 		if err != nil {
+			r.Logger.V(1).Info("getExpectedLinks failed to get container pids", "error", err)
 			return nil, fmt.Errorf("failed to get container pids: %w", err)
 		}
 
@@ -332,6 +358,7 @@ func (r *ClTcProgramReconciler) getExpectedLinks(ctx context.Context, attachInfo
 				nodeLinks = append(nodeLinks, createLinkEntry(iface, netnsPath))
 			}
 		}
+		r.Logger.V(1).Info("getExpectedLinks", "Links created", len(nodeLinks))
 		return nodeLinks, nil
 	}
 
@@ -340,6 +367,7 @@ func (r *ClTcProgramReconciler) getExpectedLinks(ctx context.Context, attachInfo
 		nodeLinks = append(nodeLinks, createLinkEntry(iface, ""))
 	}
 
+	r.Logger.V(1).Info("getExpectedLinks", "Links created", len(nodeLinks))
 	return nodeLinks, nil
 }
 

controllers/bpfman-agent/cl_tcx_program.go

@@ -133,12 +133,17 @@ func (r *ClTcxProgramReconciler) updateLinks(ctx context.Context, isBeingDeleted
 
 	if r.currentProgram.TCX != nil && r.currentProgram.TCX.Links != nil {
 		for _, attachInfo := range r.currentProgram.TCX.Links {
-			expectedLinks, error := r.getExpectedLinks(ctx, attachInfo)
-			if error != nil {
-				return fmt.Errorf("failed to get node links: %v", error)
+			expectedLinks, err := r.getExpectedLinks(ctx, attachInfo)
+			if err != nil {
+				r.Logger.V(1).Info("updateLinks() failed", "error", err)
+				return fmt.Errorf("failed to get node links: %v", err)
 			}
 			for _, link := range expectedLinks {
-				index := r.findLink(link)
+				index, err := r.findLink(link)
+				if err != nil {
+					r.Logger.Info("Error", "Invalid link", r.printAttachInfo(link), "Error", err)
+					continue
+				}
 				if index != nil {
 					// Link already exists, so set ShouldAttach to true.
 					r.currentProgramState.TCX.Links[*index].AttachInfoStateCommon.ShouldAttach = true
@@ -159,17 +164,35 @@ func (r *ClTcxProgramReconciler) updateLinks(ctx context.Context, isBeingDeleted
 	return nil
 }
 
-func (r *ClTcxProgramReconciler) findLink(attachInfoState bpfmaniov1alpha1.ClTcxAttachInfoState) *int {
+func (r *ClTcxProgramReconciler) printAttachInfo(attachInfoState bpfmaniov1alpha1.ClTcxAttachInfoState) string {
+	var netnsPath string
+	if attachInfoState.NetnsPath == "" {
+		netnsPath = "host"
+	} else {
+		netnsPath = attachInfoState.NetnsPath
+	}
+
+	return fmt.Sprintf("interfaceName: %s, netnsPath: %s, direction: %s, priority: %d",
+		attachInfoState.InterfaceName, netnsPath, attachInfoState.Direction, attachInfoState.Priority)
+}
+
+func (r *ClTcxProgramReconciler) findLink(attachInfoState bpfmaniov1alpha1.ClTcxAttachInfoState) (*int, error) {
+	newNetnsId := r.getNetnsId(attachInfoState.NetnsPath)
+	if newNetnsId == nil {
+		return nil, fmt.Errorf("failed to get netnsId for path %s", attachInfoState.NetnsPath)
+	}
+	r.Logger.V(1).Info("findlink", "New Path", attachInfoState.NetnsPath, "NetnsId", newNetnsId)
 	for i, a := range r.currentProgramState.TCX.Links {
 		// attachInfoState is the same as a if the the following fields are the
-		// same: InterfaceName, NetnsPath, Priority, and Direction.
-		if a.InterfaceName == attachInfoState.InterfaceName && a.Priority == attachInfoState.Priority &&
+		// same: InterfaceName, Direction, Priority, and network namespace.
+		if a.InterfaceName == attachInfoState.InterfaceName &&
 			a.Direction == attachInfoState.Direction &&
-			reflect.DeepEqual(a.NetnsPath, attachInfoState.NetnsPath) {
-			return &i
+			a.Priority == attachInfoState.Priority &&
+			reflect.DeepEqual(r.getNetnsId(a.NetnsPath), newNetnsId) {
+			return &i, nil
 		}
 	}
-	return nil
+	return nil, nil
 }
 
 // processLinks calls reconcileBpfLink() for each link. It
@@ -254,22 +277,25 @@ func (r *ClTcxProgramReconciler) getExpectedLinks(ctx context.Context, attachInf
 
 	// Handle interface discovery
 	if isInterfacesDiscoveryEnabled(&attachInfo.InterfaceSelector) {
-		discoveredInterfaces, err := getDiscoveredInterfaces(&attachInfo.InterfaceSelector, r.Interfaces)
-		if err != nil {
-			return nil, fmt.Errorf("failed to discover interfaces: %w", err)
-		}
+		discoveredInterfaces := getDiscoveredInterfaces(&attachInfo.InterfaceSelector, r.Interfaces)
+
+		r.Logger.Info("getExpectedLinks", "num discoveredInterfaces", len(discoveredInterfaces))
 		for _, intf := range discoveredInterfaces {
 			nodeLinks = append(nodeLinks, createLinkEntry(intf.interfaceName, intf.netNSPath))
 		}
+		r.Logger.V(1).Info("getExpectedLinks-discovery", "Links created", len(nodeLinks))
 		return nodeLinks, nil
 	}
 
 	// Fetch interfaces if discovery is disabled
 	interfaces, err := getInterfaces(&attachInfo.InterfaceSelector, r.ourNode)
 	if err != nil {
+		r.Logger.V(1).Info("getExpectedLinks failed to get interfaces", "error", err)
 		return nil, fmt.Errorf("failed to get interfaces for XdpProgram: %w", err)
 	}
 
+	r.Logger.Info("getExpectedLinks", "Number of interfaces", len(interfaces))
+
 	// Handle network namespaces if provided
 	if attachInfo.NetworkNamespaces != nil {
 		containerInfo, err := r.Containers.GetContainers(
@@ -280,6 +306,7 @@ func (r *ClTcxProgramReconciler) getExpectedLinks(ctx context.Context, attachInf
 			r.Logger,
 		)
 		if err != nil {
+			r.Logger.V(1).Info("getExpectedLinks failed to get container pids", "error", err)
 			return nil, fmt.Errorf("failed to get container pids: %w", err)
 		}
 
@@ -295,6 +322,7 @@ func (r *ClTcxProgramReconciler) getExpectedLinks(ctx context.Context, attachInf
 				nodeLinks = append(nodeLinks, createLinkEntry(iface, netnsPath))
 			}
 		}
+		r.Logger.V(1).Info("getExpectedLinks", "Links created", len(nodeLinks))
 		return nodeLinks, nil
 	}
 
@@ -303,6 +331,7 @@ func (r *ClTcxProgramReconciler) getExpectedLinks(ctx context.Context, attachInf
 		nodeLinks = append(nodeLinks, createLinkEntry(iface, ""))
 	}
 
+	r.Logger.V(1).Info("getExpectedLinks", "Links created", len(nodeLinks))
 	return nodeLinks, nil
 }