Merge pull request #706 from l1b0k/feat/update_gc

enable gc for crd ipam

Author: BSWANG

daemon/builder.go

@@ -400,7 +400,10 @@ func (b *NetworkServiceBuilder) PostInitForCRDV2() *NetworkServiceBuilder {
 	crdv2 := eni.NewCRDV2(b.service.k8s.NodeName())
 	mgr := eni.NewManager(0, 0, 0, 0, []eni.NetworkInterface{crdv2}, types.EniSelectionPolicy(b.config.EniSelectionPolicy), nil)
 
-	return b.RunENIMgr(b.ctx, mgr)
+	svc := b.RunENIMgr(b.ctx, mgr)
+	go b.service.startGarbageCollectionLoop(b.ctx)
+
+	return svc
 }
 
 func (b *NetworkServiceBuilder) InitResourceDB() *NetworkServiceBuilder {

daemon/daemon.go

@@ -11,6 +11,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/go-logr/logr"
 	"k8s.io/apimachinery/pkg/util/sets"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 
@@ -135,8 +136,8 @@ func (n *networkService) AllocIP(ctx context.Context, r *rpc.AllocIPRequest) (*r
 		}
 	}()
 
-	// 0. Get pod Info
-	pod, err := n.k8s.GetPod(ctx, r.K8SPodNamespace, r.K8SPodName, true)
+	// 0. Get pod Info, change the req to no cache , we want to get the exact pod uid
+	pod, err := n.k8s.GetPod(ctx, r.K8SPodNamespace, r.K8SPodName, false)
 	if err != nil {
 		return nil, &types.Error{
 			Code: types.ErrInvalidArgsErrCode,
@@ -352,7 +353,11 @@ func (n *networkService) ReleaseIP(ctx context.Context, r *rpc.ReleaseIPRequest)
 			return reply, nil
 		}
 	}
-	if pod.IPStickTime == 0 {
+	if oldRes.PodInfo != nil && oldRes.PodInfo.PodUID != "" {
+		cni.PodUID = oldRes.PodInfo.PodUID
+	}
+
+	if n.ipamType == types.IPAMTypeCRD || pod.IPStickTime == 0 {
 		for _, resource := range oldRes.Resources {
 			res := parseNetworkResource(resource)
 			if res == nil {
@@ -510,6 +515,8 @@ func (n *networkService) gcPods(ctx context.Context) error {
 	n.Lock()
 	defer n.Unlock()
 
+	serviceLog.V(4).WithName("gc").Info("gcPods")
+
 	pods, err := n.k8s.GetLocalPods()
 	if err != nil {
 		return err
@@ -540,18 +547,23 @@ func (n *networkService) gcPods(ctx context.Context) error {
 			}
 		}
 
+		if serviceLog.V(4).Enabled() {
+			serviceLog.Info("pod res", "pod", podRes)
+		}
+
 		podID := utils.PodInfoKey(podRes.PodInfo.Namespace, podRes.PodInfo.Name)
 		if _, ok := exist[podID]; ok {
 			continue
 		}
+
 		// check kube-api again
 		ok, err := n.k8s.PodExist(podRes.PodInfo.Namespace, podRes.PodInfo.Name)
 		if err != nil || ok {
 			continue
 		}
 
 		// that is old logic ... keep it
-		if podRes.PodInfo.IPStickTime != 0 {
+		if n.ipamType != types.IPAMTypeCRD && podRes.PodInfo.IPStickTime != 0 {
 			podRes.PodInfo.IPStickTime = 0
 
 			err = n.resourceDB.Put(podID, podRes)
@@ -566,6 +578,34 @@ func (n *networkService) gcPods(ctx context.Context) error {
 			if res == nil {
 				continue
 			}
+			// clean up rules
+			switch res.ResourceType() {
+			case eni.ResourceTypeLocalIP, eni.ResourceTypeRemoteIP, eni.ResourceTypeRDMA:
+
+				for _, v := range res.ToRPC() {
+					if v.ENIInfo == nil ||
+						v.BasicInfo == nil ||
+						v.BasicInfo.PodIP == nil {
+						continue
+					}
+
+					containerIP := &types.IPNetSet{}
+					if v.BasicInfo.PodIP.IPv4 != "" {
+						containerIP.SetIPNet(v.BasicInfo.PodIP.IPv4 + "/32")
+					}
+
+					if v.BasicInfo.PodIP.IPv6 != "" {
+						containerIP.SetIPNet(v.BasicInfo.PodIP.IPv6 + "/128")
+					}
+
+					ctx = logr.NewContext(ctx, serviceLog)
+					err = gcPolicyRoutes(ctx, v.ENIInfo.MAC, containerIP, podRes.PodInfo.Namespace, podRes.PodInfo.Name)
+					if err != nil {
+						return err
+					}
+				}
+			}
+
 			err = n.eniMgr.Release(ctx, &daemon.CNI{
 				PodName:      podRes.PodInfo.Name,
 				PodNamespace: podRes.PodInfo.Namespace,

daemon/daemon_linux.go

@@ -1,14 +1,38 @@
 package daemon
 
 import (
+	"context"
 	"encoding/binary"
 	"net"
 
 	"github.com/samber/lo"
 	"github.com/vishvananda/netlink"
 	"k8s.io/apimachinery/pkg/util/sets"
+
+	"github.com/AliyunContainerService/terway/pkg/link"
+	"github.com/AliyunContainerService/terway/plugin/datapath"
+	cnitypes "github.com/AliyunContainerService/terway/plugin/driver/types"
+	"github.com/AliyunContainerService/terway/types"
 )
 
+func gcPolicyRoutes(ctx context.Context, mac string, containerIPNet *types.IPNetSet, namespace, name string) error {
+	index, err := link.GetDeviceNumber(mac)
+	if err != nil {
+		if _, ok := err.(netlink.LinkNotFoundError); ok {
+			return nil
+		}
+		return err
+	}
+	vethName, _ := link.VethNameForPod(name, namespace, "", "cali")
+	p := &datapath.PolicyRoute{}
+	err = p.Teardown(ctx, &cnitypes.TeardownCfg{
+		HostVETHName:   vethName,
+		ContainerIPNet: containerIPNet,
+		ENIIndex:       int(index),
+	}, nil)
+	return err
+}
+
 func gcLeakedRules(existIP sets.Set[string]) {
 	links, err := netlink.LinkList()
 	if err != nil {

daemon/daemon_unsupported.go

@@ -3,7 +3,15 @@
 package daemon
 
 import (
+	"context"
+
 	"k8s.io/apimachinery/pkg/util/sets"
+
+	"github.com/AliyunContainerService/terway/types"
 )
 
 func gcLeakedRules(existIP sets.Set[string]) {}
+
+func gcPolicyRoutes(ctx context.Context, mac string, containerIPNet *types.IPNetSet, namespace, name string) error {
+	return nil
+}

pkg/eni/crdv2.go

@@ -116,8 +116,8 @@ func (r *CRDV2) Allocate(ctx context.Context, cni *daemon.CNI, request ResourceR
 	}
 }
 
-func (r *CRDV2) Release(ctx context.Context, cni *daemon.CNI, request NetworkResource) bool {
-	return false
+func (r *CRDV2) Release(ctx context.Context, cni *daemon.CNI, request NetworkResource) (bool, error) {
+	return false, nil
 }
 
 func (r *CRDV2) Dispose(n int) int {

pkg/eni/local.go

@@ -447,9 +447,9 @@ func (l *Local) Allocate(ctx context.Context, cni *daemon.CNI, request ResourceR
 }
 
 // Release take the cni Del request and release resource to pool
-func (l *Local) Release(ctx context.Context, cni *daemon.CNI, request NetworkResource) bool {
+func (l *Local) Release(ctx context.Context, cni *daemon.CNI, request NetworkResource) (bool, error) {
 	if request.ResourceType() != ResourceTypeLocalIP {
-		return false
+		return false, nil
 	}
 
 	l.cond.L.Lock()
@@ -458,7 +458,7 @@ func (l *Local) Release(ctx context.Context, cni *daemon.CNI, request NetworkRes
 	res := request.(*LocalIPResource)
 
 	if l.eni == nil || l.eni.ID != res.ENI.ID {
-		return false
+		return false, nil
 	}
 
 	log := logf.FromContext(ctx)
@@ -478,7 +478,7 @@ func (l *Local) Release(ctx context.Context, cni *daemon.CNI, request NetworkRes
 		log.Info("release ipv6", "ipv6", res.IP.IPv6)
 	}
 
-	return true
+	return true, nil
 }
 
 // Priority for local resource only

pkg/eni/local_test.go

@@ -50,7 +50,8 @@ func TestLocal_Release_ValidIPv4(t *testing.T) {
 	local.ipv4.Add(NewValidIP(netip.MustParseAddr("192.0.2.1"), false))
 	local.ipv4[netip.MustParseAddr("192.0.2.1")].Allocate("pod-1")
 
-	assert.True(t, local.Release(context.Background(), cni, request))
+	ok, _ := local.Release(context.Background(), cni, request)
+	assert.True(t, ok)
 }
 
 func TestLocal_Release_ValidIPv6(t *testing.T) {
@@ -64,7 +65,8 @@ func TestLocal_Release_ValidIPv6(t *testing.T) {
 	local.ipv6.Add(NewValidIP(netip.MustParseAddr("fd00:46dd:e::1"), false))
 	local.ipv6[netip.MustParseAddr("fd00:46dd:e::1")].Allocate("pod-1")
 
-	assert.True(t, local.Release(context.Background(), cni, request))
+	ok, _ := local.Release(context.Background(), cni, request)
+	assert.True(t, ok)
 }
 
 func TestLocal_Release_NilENI(t *testing.T) {
@@ -75,7 +77,8 @@ func TestLocal_Release_NilENI(t *testing.T) {
 	}
 	cni := &daemon.CNI{PodID: "pod-1"}
 
-	assert.False(t, local.Release(context.Background(), cni, request))
+	ok, _ := local.Release(context.Background(), cni, request)
+	assert.False(t, ok)
 }
 
 func TestLocal_Release_DifferentENIID(t *testing.T) {
@@ -86,7 +89,8 @@ func TestLocal_Release_DifferentENIID(t *testing.T) {
 	}
 	cni := &daemon.CNI{PodID: "pod-1"}
 
-	assert.False(t, local.Release(context.Background(), cni, request))
+	ok, _ := local.Release(context.Background(), cni, request)
+	assert.False(t, ok)
 }
 
 func TestLocal_Release_ValidIPv4_ReleaseIPv6(t *testing.T) {
@@ -103,7 +107,8 @@ func TestLocal_Release_ValidIPv4_ReleaseIPv6(t *testing.T) {
 	local.ipv6.Add(NewValidIP(netip.MustParseAddr("fd00:46dd:e::1"), false))
 	local.ipv6[netip.MustParseAddr("fd00:46dd:e::1")].Allocate("pod-1")
 
-	assert.True(t, local.Release(context.Background(), cni, request))
+	ok, _ := local.Release(context.Background(), cni, request)
+	assert.True(t, ok)
 
 	assert.Equal(t, ipStatusValid, local.ipv4[netip.MustParseAddr("192.0.2.1")].status)
 	assert.Equal(t, "", local.ipv4[netip.MustParseAddr("192.0.2.1")].podID)

pkg/eni/manager.go

@@ -75,7 +75,7 @@ type ReportStatus interface {
 }
 type NetworkInterface interface {
 	Allocate(ctx context.Context, cni *daemon.CNI, request ResourceRequest) (chan *AllocResp, []Trace)
-	Release(ctx context.Context, cni *daemon.CNI, request NetworkResource) bool
+	Release(ctx context.Context, cni *daemon.CNI, request NetworkResource) (bool, error)
 	Priority() int
 	Dispose(n int) int
 	Run(ctx context.Context, podResources []daemon.PodResources, wg *sync.WaitGroup) error
@@ -237,7 +237,11 @@ func (m *Manager) Release(ctx context.Context, cni *daemon.CNI, req *ReleaseRequ
 
 	for _, networkResource := range req.NetworkResources {
 		for _, ni := range m.networkInterfaces {
-			ok := ni.Release(ctx, cni, networkResource)
+			ok, err := ni.Release(ctx, cni, networkResource)
+			if err != nil {
+				return err
+			}
+
 			if ok {
 				if networkResource.ResourceType() == ResourceTypeLocalIP {
 					m.node.UnsetIPExhaustive()

pkg/eni/manager_test.go

@@ -25,8 +25,8 @@ func (o *timeOut) Allocate(ctx context.Context, cni *daemon.CNI, request Resourc
 	return make(chan *AllocResp), nil
 }
 
-func (o *timeOut) Release(ctx context.Context, cni *daemon.CNI, request NetworkResource) bool {
-	return true
+func (o *timeOut) Release(ctx context.Context, cni *daemon.CNI, request NetworkResource) (bool, error) {
+	return true, nil
 }
 
 func (o *timeOut) Priority() int {
@@ -66,8 +66,8 @@ func (s *success) Allocate(ctx context.Context, cni *daemon.CNI, request Resourc
 	return ch, nil
 }
 
-func (s *success) Release(ctx context.Context, cni *daemon.CNI, request NetworkResource) bool {
-	return true
+func (s *success) Release(ctx context.Context, cni *daemon.CNI, request NetworkResource) (bool, error) {
+	return true, nil
 }
 
 func (s *success) Priority() int {

pkg/eni/remote.go

@@ -206,8 +206,8 @@ func (r *Remote) Allocate(ctx context.Context, cni *daemon.CNI, request Resource
 	return resp, nil
 }
 
-func (r *Remote) Release(ctx context.Context, cni *daemon.CNI, request NetworkResource) bool {
-	return false
+func (r *Remote) Release(ctx context.Context, cni *daemon.CNI, request NetworkResource) (bool, error) {
+	return false, nil
 }
 
 func (r *Remote) Dispose(n int) int {

pkg/eni/trunk.go

@@ -47,14 +47,14 @@ func (r *Trunk) Allocate(ctx context.Context, cni *daemon.CNI, request ResourceR
 	}
 }
 
-func (r *Trunk) Release(ctx context.Context, cni *daemon.CNI, request NetworkResource) bool {
+func (r *Trunk) Release(ctx context.Context, cni *daemon.CNI, request NetworkResource) (bool, error) {
 	switch request.ResourceType() {
 	case ResourceTypeLocalIP:
 		return r.local.Release(ctx, cni, request)
 	case ResourceTypeRemoteIP:
 		return r.remote.Release(ctx, cni, request)
 	default:
-		return false
+		return false, nil
 	}
 }
 

plugin/datapath/ipvlan_linux.go

@@ -330,7 +330,7 @@ func (d *IPvlanDriver) Teardown(ctx context.Context, cfg *types.TeardownCfg, net
 				return err
 			}
 		} else {
-			err = utils.DelEgressPriority(link, cfg.ContainerIPNet)
+			err = utils.DelEgressPriority(ctx, link, cfg.ContainerIPNet)
 			if err != nil {
 				return err
 			}
@@ -345,7 +345,7 @@ func (d *IPvlanDriver) Teardown(ctx context.Context, cfg *types.TeardownCfg, net
 			}
 			return nil
 		}
-		return utils.DelFilter(link, netlink.HANDLE_MIN_EGRESS, cfg.ContainerIPNet)
+		return utils.DelFilter(ctx, link, netlink.HANDLE_MIN_EGRESS, cfg.ContainerIPNet)
 	}()
 	if err != nil {
 		return err
@@ -447,7 +447,7 @@ func (d *IPvlanDriver) createSlaveIfNotExist(ctx context.Context, parentLink net
 	return link, nil
 }
 
-func (d *IPvlanDriver) setupFilters(link netlink.Link, cidrs []*net.IPNet, dstIndex int) error {
+func (d *IPvlanDriver) setupFilters(ctx context.Context, link netlink.Link, cidrs []*net.IPNet, dstIndex int) error {
 	parent := uint32(netlink.HANDLE_CLSACT&0xffff0000 | netlink.HANDLE_MIN_EGRESS&0x0000ffff)
 	filters, err := netlink.FilterList(link, parent)
 	if err != nil {
@@ -478,7 +478,7 @@ func (d *IPvlanDriver) setupFilters(link netlink.Link, cidrs []*net.IPNet, dstIn
 		if filter.Attrs() != nil && filter.Attrs().Priority != 4000 {
 			continue
 		}
-		if err := utils.FilterDel(filter); err != nil {
+		if err := utils.FilterDel(ctx, filter); err != nil {
 			return fmt.Errorf("delete filter of %s error, %w", link.Attrs().Name, err)
 		}
 	}
@@ -487,7 +487,7 @@ func (d *IPvlanDriver) setupFilters(link netlink.Link, cidrs []*net.IPNet, dstIn
 		if !in {
 			u32 := rule.toU32Filter()
 			u32.Parent = parent
-			if err := utils.FilterAdd(u32); err != nil {
+			if err := utils.FilterAdd(ctx, u32); err != nil {
 				return fmt.Errorf("add filter for %s error, %w", link.Attrs().Name, err)
 			}
 		}
@@ -521,7 +521,7 @@ func (d *IPvlanDriver) setupInitNamespace(ctx context.Context, parentLink netlin
 	}
 
 	redirectCIDRs := append(cfg.HostStackCIDRs, cfg.ServiceCIDR.IPv4)
-	err = d.setupFilters(parentLink, redirectCIDRs, slaveLink.Attrs().Index)
+	err = d.setupFilters(ctx, parentLink, redirectCIDRs, slaveLink.Attrs().Index)
 	if err != nil {
 		return err
 	}