
Adding option to configure UDP timeouts for conntrack #120808

Merged

Conversation

@aroradaman aroradaman commented Sep 21, 2023

What type of PR is this?

/kind feature

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #120214

Special notes for your reviewer:

This PR will allow users to configure the following netfilter conntrack options:

  1. nf_conntrack_udp_timeout
  2. nf_conntrack_udp_timeout_stream

Does this PR introduce a user-facing change?

Added options for configuring nf_conntrack_udp_timeout, and nf_conntrack_udp_timeout_stream variables of netfilter conntrack subsystem. 

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Sep 21, 2023
@k8s-ci-robot (Contributor)

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Sep 21, 2023
@k8s-ci-robot k8s-ci-robot added needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/code-generation area/kube-proxy kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/network Categorizes an issue or PR as relevant to SIG Network. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Sep 21, 2023
@aroradaman aroradaman marked this pull request as ready for review September 21, 2023 13:53
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 21, 2023
@aroradaman aroradaman changed the title Adding options to configure UDP timeouts for conntrack Adding option to configure UDP timeouts for conntrack Sep 21, 2023
@danwinship (Contributor)

/approve
/assign @aojea
for lgtm since he mostly reviewed the original

@aojea (Member) commented Sep 21, 2023

/lgtm

I had some fun and learned something with the pointers and the flags XD

/assign @thockin

for approval of the missing places

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 21, 2023
@k8s-ci-robot (Contributor)

LGTM label has been added.

Git tree hash: 5b711d67e0293d9d28b6a009a43f24c3a6bb87fd

@aroradaman (Member, Author)

I had some fun and learned something with the pointers and the flags XD

@aojea me too xD

@jiahuif (Member) commented Sep 21, 2023

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Sep 21, 2023
allErrs = append(allErrs, field.Invalid(fldPath.Child("TCPCloseWaitTimeout"), config.TCPCloseWaitTimeout, "must be greater than or equal to 0"))
}

if config.UDPTimeout.Duration < 0 {
Member:

You added nil-checks to the above cases but not these new ones, why?

Member Author:

TCPEstablishedTimeout and TCPCloseWaitTimeout are pointer types *metav1.Duration.

The new ones - UDPTimeout and UDPStreamTimeout are value types metav1.Duration so nil-check is not required here.

Member:

Why did we opt to do them differently? I'm not sure the originals needed to be pointers, but half-and-half is probably the worst choice.

Member Author:

but half-and-half is probably the worst choice.

I agree with this, but we already have a mixture of both.
Currently there are 8 fields of type metav1.Duration and 2 of type *metav1.Duration.

We can't use objects of type *metav1.Duration directly in pflag without setting any default value.

var param *metav1.Duration

fs.DurationVar(&param.Duration, ...)
                    ^^ this will panic as param is nil

#55261 changed types of TCPCloseWaitTimeout and TCPEstablishedTimeout to pointer types to allow zero values.

Member:

Ahh, I see. For TCP, we have default values which we assert. So we need to know the difference between "unspecified" (meaning "set the default value") and "specified as 0" (meaning "do not change").

We're not proposing default values for these new ones, so 0, whether specified or not, means "do not change it". Right?

And setting a default at this point is likely to end in tears for someone.

So adding the nil-check is actually wrong - the TCP fields must have a value by this point, and allowing nil to slip through is actually bad.

Can you please remove those nil-checks and add comments like "config.TCPEstablishedTimeout has a default value, so can't be nil"?

We should fix the API comment-docs, but we can do that later.

Member Author:

Can you please remove those nil-checks and add comments like "config.TCPEstablishedTimeout has a default value, so can't be nil"?

sure.

Member:

We went through these in another review; the pointers come from #55261, but honestly they should not be there, they are confusing.

Member:

I think the pointer-ness DOES matter here - we need to know the difference between "unspecified" (meaning "set the default value") and "specified as 0" (meaning "do not change"), but these new fields do not have defaults.

Member Author:

I think the pointer-ness DOES matter here - we need to know the difference between "unspecified" (meaning "set the default value") and "specified as 0" (meaning "do not change"), but these new fields do not have defaults.

@thockin we tried to add a new cliflag.MetaDuration flag - #120489 for the same purpose and this can be directly consumed by flag avoiding any panics.
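The distinction the thread settles on (pointer fields with defaults, where nil means "apply the default" and 0 means "do not change"; value fields without defaults, where 0 already means "do not change"), written out as an added example that is not code from this PR or from kube-proxy. `Duration` below is a stand-in for `metav1.Duration`, the TCP default values are assumptions chosen for the example, the sysctl names are the kernel's `net/netfilter` ones, and the flag name is constructed. The last function reproduces the nil-pointer panic from the flag-binding snippet above using the standard library's `flag` package in place of pflag.

```go
package main

import (
	"flag"
	"fmt"
	"time"
)

// Duration stands in for metav1.Duration (a struct wrapping time.Duration).
type Duration struct{ time.Duration }

// ConntrackConfig copies the shape discussed above: TCP timeouts are pointers
// because they have defaults, so nil ("unspecified") must differ from 0 ("leave
// the kernel value alone"); UDP timeouts have no default, so a value suffices.
type ConntrackConfig struct {
	TCPEstablishedTimeout *Duration
	TCPCloseWaitTimeout   *Duration
	UDPTimeout            Duration
	UDPStreamTimeout      Duration
}

// Defaults for the pointer fields; these values are assumptions for this example.
const (
	DefaultTCPEstablishedTimeout = 24 * time.Hour
	DefaultTCPCloseWaitTimeout   = 1 * time.Hour
)

// ApplyDefaults fills only pointer fields left nil. An explicit 0 survives untouched.
func ApplyDefaults(c *ConntrackConfig) {
	if c.TCPEstablishedTimeout == nil {
		c.TCPEstablishedTimeout = &Duration{DefaultTCPEstablishedTimeout}
	}
	if c.TCPCloseWaitTimeout == nil {
		c.TCPCloseWaitTimeout = &Duration{DefaultTCPCloseWaitTimeout}
	}
}

// Validate encodes the reviewer's conclusion: after defaulting, a nil TCP pointer is a
// bug and is reported rather than skipped; every timeout must be >= 0.
func Validate(c *ConntrackConfig) []string {
	var errs []string
	ptr := func(name string, d *Duration) {
		switch {
		case d == nil:
			errs = append(errs, name+": has a default value, so must not be nil here")
		case d.Duration < 0:
			errs = append(errs, name+": must be greater than or equal to 0")
		}
	}
	val := func(name string, d Duration) { // value type: no nil check possible or needed
		if d.Duration < 0 {
			errs = append(errs, name+": must be greater than or equal to 0")
		}
	}
	ptr("TCPEstablishedTimeout", c.TCPEstablishedTimeout)
	ptr("TCPCloseWaitTimeout", c.TCPCloseWaitTimeout)
	val("UDPTimeout", c.UDPTimeout)
	val("UDPStreamTimeout", c.UDPStreamTimeout)
	return errs
}

// SysctlPlan lists the net/netfilter sysctls that would be written, in seconds,
// skipping every field whose value is 0. It only builds the map; nothing touches /proc.
func SysctlPlan(c *ConntrackConfig) map[string]int {
	plan := map[string]int{}
	add := func(key string, d time.Duration) {
		if d > 0 {
			plan["net/netfilter/"+key] = int(d.Seconds())
		}
	}
	if c.TCPEstablishedTimeout != nil {
		add("nf_conntrack_tcp_timeout_established", c.TCPEstablishedTimeout.Duration)
	}
	if c.TCPCloseWaitTimeout != nil {
		add("nf_conntrack_tcp_timeout_close_wait", c.TCPCloseWaitTimeout.Duration)
	}
	add("nf_conntrack_udp_timeout", c.UDPTimeout.Duration)
	add("nf_conntrack_udp_timeout_stream", c.UDPStreamTimeout.Duration)
	return plan
}

// BindNilPointerPanics reproduces the flag-binding pitfall from the thread: taking
// &param.Duration through a nil *Duration dereferences nil and panics at bind time.
func BindNilPointerPanics() (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	var param *Duration
	fs := flag.NewFlagSet("kube-proxy", flag.ContinueOnError)
	fs.DurationVar(&param.Duration, "conntrack-udp-timeout", 0, "constructed flag name")
	return false
}

func main() {
	cfg := ConntrackConfig{UDPTimeout: Duration{30 * time.Second}, TCPCloseWaitTimeout: &Duration{0}}
	ApplyDefaults(&cfg)
	fmt.Println("errors:", Validate(&cfg), "sysctls:", SysctlPlan(&cfg), "nil binding panics:", BindNilPointerPanics())
}
```

With an explicit `TCPCloseWaitTimeout` of 0 and no `UDPStreamTimeout`, only the established-TCP default and the 30-second UDP timeout end up in the plan; the other two kernel values are left as they are. A negative value is rejected by `Validate` before anything would be written. Operationally, `nf_conntrack_udp_timeout` bounds how long a one-off or spoofed UDP flow occupies a slot in the finite conntrack table, so it is worth setting deliberately on nodes exposed to UDP floods, while remembering that the stream timeout governs long-lived bidirectional flows and shortening it can drop idle but legitimate sessions.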

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Oct 11, 2023
@thockin (Member) left a comment

Thanks!

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 11, 2023
@k8s-ci-robot (Contributor)

LGTM label has been added.

Git tree hash: 1f15838a7b6523b510511039c923ff9fead3cf8d

@k8s-ci-robot (Contributor)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aroradaman, danwinship, thockin


@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 11, 2023
@k8s-ci-robot k8s-ci-robot merged commit b47aa1c into kubernetes:master Oct 11, 2023
14 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.29 milestone Oct 11, 2023
Successfully merging this pull request may close these issues.

kube-proxy conntrack configuration should support UDP timeouts
6 participants