-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TAPA unreachable for ~10 sec when its NSM interface is replaced #548
Comments
Unfortunately, enabling arp_notify in the TAPA won't resolve the problem. That's because of the chained architecture of NSM meaning the interface is first created and its state is set to UP and then the addresses are configured afterwards. While, linux for IPV4 won't send a gARP in such case: https://github.com/torvalds/linux/blob/v6.8/net/ipv4/devinet.c#L1606 For IPv6, ndisc_notify does work though: https://github.com/torvalds/linux/blob/v6.8/net/ipv6/addrconf.c#L4292 There's also the the issue, how to set any sysctl in the TAPA i.e. application POD. A privileged init container could be used for this purpose. But if that's not feasible, a multus network-attachment-definition relying on tuning CNI could be used to set ndisc_notify for the default interface (thus NSM interfaces created later could inherit the default value). Or NSM feature set could be extended to include setting arp_notify/ndisc_notify sysctls for a particular interface. |
ideas to resolve: 1., Lowering probe delay by tweaking sysctl params in LB, primarily ucast_solicit and delay_first_probe_time values: 2., Use arping program in TAPA (NSC) to send out gARP: 3., Change NSM Target registration protocol. E.g. report if associated NSM connection's state becomes DELETE, upon which LBs could remove any cached neighbor entries. This would be sensitive to NSP unavailability. 4., Proxy to send promisc gARP instead of the TAPA when a new NSM connection gets established between a TAPA and said proxy: 5., Using some custom communication channel proxy could signal the Target IPs to LBs when a new TAPA->proxy connection gets established. So, that the LB could remove any possible cached neighbor entries. 6., LBs could rely on NSM's Connection Monitor feature to learn if TAPA->Proxy NSM connection state changes to DELETE, and extract associated IPs from the connection to issue neighbor delete operations. Unfortunately, MonitorScopeSelector in NSM currently only supports PathSegment related filters like path name, id and token. Which are not known by LB, and can change dynamically over time. On the other hand, without filters there's a risk of receiving way too much events depending on the deployments using NSM. At the moment I don't see any obstacle or drawback to add a new filter option based on network service name. |
NSM MonitorScopeSelector should from now on support network service based filtering: |
Describe the bug
When an NSM interface in a TAPA is replaced during NSM heal (old connection is closed part of which the old interface is removed) the new interface most probably will end up with a different MAC address. Yet, the IP address(es) assigned by the proxy component would be most likely the same.
During such NSM heal event the LBs currently won't be informed about the temporary unavailability of said TAPA/Target. However, in an LB the linux neighbor cache might contain a related neighbor entry (with the old/invalid MAC). Renewal of the neighbor entry is delayed by
delay_first_probe_time
sec (default: 5) and then initially probes are sent out to the invalid MAC in the cache forucast_solicit
times (defaults: 3).So, even if NSM heal would replace the NSM interface in TAPA instantly, there would be at least 8 seconds delay until LBs could learn the new MAC address.
Context
The text was updated successfully, but these errors were encountered: