Dualstack cilium proposal #1673
Conversation
rbtr
requested review from
rbtr,
tamilmani1989,
ashvindeodhar,
vipul-21 and
thatmattlong
rbtr
added
enhancement
cns
There was a problem hiding this comment.
Needs a twice-over to improve formatting and language, needs to introduce the problem and involved components, etc. This is documentation of not just the what (and needs more of that), but the why, so that when we revisit this in the future, we will still be able to understand why we made the decisions we made.
|
|
||
| ## Overview | ||
|
|
||
| With the current CNS solution for dualstack we are setting the nnc to pass multiple NCs with CIDR to be unrolled and added to a pool that contains both v6 and v4 ips. Since we are planning to use Cilium CNI for the linux dualstack solution we need to make changes to azure-ipam to allow for a dualstack cluster to get multiple IPs. Currently azure-Ipam handles the [`CmdAdd`](https://github.com/Azure/azure-container-networking/blob/master/azure-ipam/ipam.go) command from Cilium CNI and sends an IP request to the CNS. The CNS hen in overlay then looks through the pool and picks the first IP found that isn’t used. For dualstack we need to change two things: |
There was a problem hiding this comment.
nit:
"The CNS hen in overlay"
rjdenney
force-pushed
the
dualstack-cilium
branch
from
56a0ee6 to
829c40b
Compare
| - PodIpInfo PodIpInfo | ||
| + PodIpInfo []PodIpInfo | ||
| Response Response | ||
| } |
There was a problem hiding this comment.
you'll need a new API for this, so a new type too probably. We need the existing API to continue returning just a PodIPInfo, and then callers that know how to work with the new changes can call a different API to get the slice. Then, if the caller gets a 404 when using the new API, it can fallback to the old API if desired
There was a problem hiding this comment.
actually new type is probably not required, the new api can just return the slice as top-level lists are still valid json
There was a problem hiding this comment.
When you say that I wouldn't need a new type are you suggesting that I just return a slice of the IPConfigResponse instead of the PodIPInfo within it?
There was a problem hiding this comment.
@thatmattlong IMO it would be better to create a new type so that there will be a single 'Response' indicating if the client should consume the response. Can't do that if we return slice of IPConfigResponse
|
@thatmattlong and @rbtr, I have updated the doc to reflect more of an API and would appreciate if you guys could give me an comments or a thumbs up if you think it is good. I am also going to split up my changes into multiple PRs so that I can push the CNS changes with the new contract first and then push up the azure-ipam changes after. |
| @@ -0,0 +1,74 @@ | |||
| # Cilium Azure-ipam dualstack Overlay Proposal | |||
There was a problem hiding this comment.
nit: this doesn't really have anything to do with Cilium - azure-ipam complies with the CNI spec for delegated IPAM and could be used with any other CNI plugin capable of delegated IPAM. I would drop all specific references to Cilium.
|
|
||
| ### New API | ||
|
|
||
| A new API will called `RequestAllIPAddresses` be created for requesting IPs when running in Overlay. This will work similar to the current [`RequestIPAddress`](https://github.com/Azure/azure-container-networking/blob/master/cns/client/client.go) and will accept the same [`IPConfigRequest`](https://github.com/Azure/azure-container-networking/blob/master/cns/NetworkContainerContract.go), the main difference will be that it will return the new contract type `IPConfigsResponse` with the slice of `PodIpInfo`. |
There was a problem hiding this comment.
You are inconsistent in naming here, and it would be better if we could pick a scheme and stick to it. I prefer being more concise so if we do IPConfigsResponse, the method should similarly be RequestIPAddresses (or, maybe better, RequestIPs).
There was a problem hiding this comment.
I agree that RequestIPs would be a better naming convention and will shift some of the names to be more consistent with IPConfigsResponse
| } | ||
| ``` | ||
|
|
||
| If for some reason this function returns a 404 error we will then try again but use the original [`RequestIPAddress`](https://github.com/Azure/azure-container-networking/blob/master/cns/client/client.go) API instead. The swift case will not use the new API and will continue to use the current one. |
There was a problem hiding this comment.
swift case will not use the new API
Don't treat Swift as a special case, nothing about the delegated-ipam/CNS/NC interactions that happen here are any different in the Swift scenario. The new API should be the only API in use (and the previous one deprecated and removed), once all the pieces have rolled out.
|
@ashvindeodhar I'm sad that this design proposal PR is still open, but there are already a half dozen implementation PRs in-flight. |
Hey Evan, I didn't realize this is not yet merged. I remember you approving it some time back so I thought this was merged with an ack from Matt too. |
@thatmattlong @rbtr @ashvindeodhar Just made the updates with the suggestions and bit more that I ended up changing in the implementation. Mostly just variable names and mentioned that I also updated GetExistingIPConfig and AssignDesiredIPConfig so that they can also work with multiple IPs. Should be ready to merge and the CNS side of changes I have up at #1773 . I also have a separate PR for the azure-ipam with the CNS changes here #1715 but we will need to push in CNS before azure-ipam goes in |
rbtr
force-pushed
the
dualstack-cilium
branch
from
7fa6798 to
8c87628
Compare
| +// IPConfigsResponse is used in CNS IPAM mode to return a slice of IP configs as a response to CNI ADD | ||
| +type IPConfigsResponse struct { | ||
| + PodIpInfo []PodIpInfo | ||
| + Response Response |
There was a problem hiding this comment.
I don't know what we use this Response type for, but if it exists in each PodIpInfo, do we also need one for the whole list?
There was a problem hiding this comment.
From my understanding I believe the response just is a return code and a message for the IPConfigsResponse and isn't specific to each PodIpInfo. If for some reason we get an error trying to get IPs it is adds a ReturnCode and the error message to Response
There was a problem hiding this comment.
@rjdenney you need to consider what happens if we get one IPConfig and then fail the next one. Is the first one marked as "Assigned" already? We would need to roll that back, and make the whole op transactional - entirely successful or entirely failed.
There was a problem hiding this comment.
@rbtr yes we had thought about it and have added a todo in the code as a reminder to address it before merging the change. We cannot have the partial success because in that case, we may mark IPs as 'Assigned' w/o the containers using those IPs. We cannot rely on the client to do the right thing of releasing the partially succeeded requests. We may run out of the IPs if we don't handle this ourselves.
|
|
||
| ```diff | ||
| +// RequestIPs calls the RequestIPConfigs in CNS | ||
| +func (c *Client) RequestIPs(ctx context.Context, ipconfig cns.IPConfigRequest) (*cns.IPConfigsResponse, error) |
There was a problem hiding this comment.
will this return just ipv4 in an array when running in overlay singlestack ipv4?
There was a problem hiding this comment.
Ryan is making changes in azure-ipam and CNS.
Paul Yu is making changes in azure-cni. So ipv4 overlay will still keep using the old API until new changes made in azure-cni get deployed which is when it will also start using slice of results. It will have single result in the slice.
|
@rjdenney can this be merged? |
Please enter the commit message for your changes. Lines starting
rjdenney
force-pushed
the
dualstack-cilium
branch
from
8c87628 to
69ecb7d
Compare
yes |
|
go on then |
* Add proposal for changes made to CNS for dualstack overlay
Reason for Change:
Issue Fixed:
Requirements:
Notes: