Retry Sendto() for IPv6 NA for tentative IPv6 addresses and EADDRNOTAVAIL #307
Conversation
Pull Request Test Coverage Report for Build 10466886239Details
💛 - Coveralls |
thom311
force-pushed
the
th/send-na-eaddrnotavail-retry
branch
2 times, most recently
from
a49b44b to
9056782
Compare
thom311
force-pushed
the
th/send-na-eaddrnotavail-retry
branch
2 times, most recently
from
ca6eccc to
e60d611
Compare
|
delaying CNI call for a single interface by up to 3 seconds for an optimization mechanism is very problematic in my view. having opportunistic DAD enabled seems like the correct approach. from cni POV we dont expect addresses to be duplicate (unless IPAM plugin is doing something wrong). |
In practice, it seems to be more like 1.8 seconds. The 3 seconds is a maximum (which the patch maybe should reduce to 2 seconds). Still, it's long.
Note that the IPv6 addresses are not really usable on the POD anyway. It also means, to start the pod with non-complete IP configuration (e.g. they cannot bind to the IPv6 address). So delaying the startup may be desirable also for those reasons. However, to have this wait implemented via AnnounceIPs() is non-obvious.
I don't understand this. If the first IPv6 was delayed by the full 3 seconds, then indeed, subsequent addresses won't be delayed/retried. But they are still tried at least once.
Sorry, I misspoke earlier: I agree. Something like |
yes, i re-read the code. you are correct. |
thom311
force-pushed
the
th/send-na-eaddrnotavail-retry
branch
from
e60d611 to
0a30adb
Compare
|
@adrianchiris branch completely reworked. Now, optimistic_dad is set. This is a far-reaching change, I am not sure I understand all implications. It does however seem the right thing to me, also because it seems bad to hand control over to the container with IPv6 addresses that are not ready yet. The retry is gone because it should no longer be necessary. It would however not hurt, because the retry was only done when it was determined to be necessary. WDYT? |
|
I really like the opportunistic DAD approach! It looks much better now. Also IPAM should really never give a duplicate IPv6 address when setup properly. As Adrian said, duplicate IPv6 addresses shouldn't occur. |
|
but we still need to remember the case where a user wants a static IP address on a pod and he restart the pod. that is a valid use-case |
I don't follow. Could you please elaborate? |
thom311
force-pushed
the
th/send-na-eaddrnotavail-retry
branch
from
0a30adb to
7da1fcd
Compare
Without it, DAD is enabled and it takes more than a second for an IPv6 address to be no longer tentative and become usable. This affects announceIPs(), which fails to send IPv6 NA. I assume, this also meant that the container already started at a point when IPv6 is not yet fully usable. For example, binding to the address would fail. Instead, enable optimistic_dad, so that we can use the address right away.
thom311
force-pushed
the
th/send-na-eaddrnotavail-retry
branch
2 times, most recently
from
302327f to
e225822
Compare
|
overall LGTM, once comments addressed we can merge. |
Don't let the first error shortcut the announcement of subsequent addresses. Loop over all addresses, and return the joined errors. Note that the caller anyway ignores the error and only uses it for debug logging.
thom311
force-pushed
the
th/send-na-eaddrnotavail-retry
branch
from
e225822 to
8d1c353
Compare
adrianchiris
merged commit fca6591
into
k8snetworkplumbingwg:master
When kernel initially adds an IPv6 address, it is still tentative and
pending DuplicateAddressDetection. Trying to use the address results in
EADDRNOTAVAIL error.
Detect that error, and retry for up to 3 seconds to send the message.
Unfortunately, DAD can easily take more than a second, so this change
delays the completion of the CNI binary quite a bit.
@SchSeba Follow-up for #306
This seems to happen with Openshift 4.17, which makes me wonder whether previous versions had
opportunisticoptimistic DAD enabled. If so, why was it disabled?