bootstrap: update openshift-gcp-routes

vrutkovs · vrutkovs · commit bdbc03f61db5 · 2021-06-02T11:43:49.000+02:00
Sync with openshift-gcp-routes.* from MCO master
diff --git a/bootstrap/overlay/etc/systemd/system/openshift-gcp-routes.service b/bootstrap/overlay/etc/systemd/system/openshift-gcp-routes.service
@@ -2,16 +2,15 @@
 Description=Update GCP routes for forwarded IPs.
 ConditionKernelCommandLine=|ignition.platform.id=gce
 ConditionKernelCommandLine=|ignition.platform.id=gcp
-
-Wants=network-online.target
-After=network-online.target
+Before=network-online.target
 [Service]
 Type=simple
 ExecStart=/bin/bash /usr/local/bin/openshift-gcp-routes.sh start
 ExecStopPost=/bin/bash /usr/local/bin/openshift-gcp-routes.sh cleanup
 User=root
 RestartSec=30
 Restart=always
-
 [Install]
 WantedBy=multi-user.target
+# Ensure that network-online.target will not complete until the node has working external LBs.
+RequiredBy=network-online.target
diff --git a/bootstrap/overlay/usr/local/bin/openshift-gcp-routes.sh b/bootstrap/overlay/usr/local/bin/openshift-gcp-routes.sh
@@ -23,138 +23,153 @@ set -e
 declare -A vips
 
 curler() {
-  curl --silent -L -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/${1}"
+curl --silent -L -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/${1}"
 }
 
 CHAIN_NAME="gcp-vips"
-
 RUN_DIR="/run/cloud-routes"
+
 # Create a chan if it doesn't exist
 ensure_chain() {
-    local table="${1}"
-    local chain="${2}"
+local table="${1}"
+local chain="${2}"
 
-    if ! iptables -w -t "${table}" -S "${chain}" &> /dev/null ; then
-        iptables -w -t "${table}" -N "${chain}";
-    fi;
+if ! iptables -w -t "${table}" -S "${chain}" &> /dev/null ; then
+    iptables -w -t "${table}" -N "${chain}";
+fi;
 }
 
 ensure_rule() {
-    local table="${1}"
-    local chain="${2}"
-    shift 2
+local table="${1}"
+local chain="${2}"
+shift 2
 
-    if ! iptables -w -t "${table}" -C "${chain}" "$@" &> /dev/null; then
-        iptables -w -t "${table}" -A "${chain}" "$@"
-    fi
+if ! iptables -w -t "${table}" -C "${chain}" "$@" &> /dev/null; then
+    iptables -w -t "${table}" -A "${chain}" "$@"
+fi
 }
 
 # set the chain, ensure entry rules, ensure ESTABLISHED rule
 initialize() {
-    ensure_chain nat "${CHAIN_NAME}"
-    ensure_chain nat "${CHAIN_NAME}-local"
-    ensure_rule nat PREROUTING -m comment --comment 'gcp LB vip DNAT' -j ${CHAIN_NAME}
-    ensure_rule nat OUTPUT -m comment --comment 'gcp LB vip DNAT for local clients' -j ${CHAIN_NAME}-local
-
-    # Need this so that existing flows (with an entry in conntrack) continue to be
-    # balanced, even if the DNAT entry is removed
-    ensure_rule filter INPUT -m comment --comment 'gcp LB vip existing' -m addrtype ! --dst-type LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
-
-    mkdir -p "${RUN_DIR}"
+ensure_chain nat "${CHAIN_NAME}"
+ensure_chain nat "${CHAIN_NAME}-local"
+ensure_rule nat PREROUTING -m comment --comment 'gcp LB vip DNAT' -j ${CHAIN_NAME}
+ensure_rule nat OUTPUT -m comment --comment 'gcp LB vip DNAT for local clients' -j ${CHAIN_NAME}-local
+
+# Need this so that existing flows (with an entry in conntrack) continue to be
+# balanced, even if the DNAT entry is removed
+ensure_rule filter INPUT -m comment --comment 'gcp LB vip existing' -m addrtype ! --dst-type LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# bz1925698: GCP LBs can create stale entries causing apiservers disruption
+# The GCP LB Health Check polls continuously the LB VIP assigned to the VM
+# but, if the LB VIP is down, we are not handling the VIP traffic and
+# the traffic can hairpin, leaving stale conntrack entries on the host.
+# xref: https://bugzilla.redhat.com/show_bug.cgi?id=1925698#c29
+# Deleting conntrack entries solves the problem, but it also affects other connections
+# directed to the LB vips, causing unexpected networks disruptions.
+# The solution is to not FORWARD GCP HealthCheckers traffic, because that traffic 
+# is only directed to the host, and it must go to the INPUT chain.
+# xref: https://bugzilla.redhat.com/show_bug.cgi?id=1930457#c8
+# The HealthCheck origin ip-ranges are documented: 130.211.0.0/22 and 35.191.0.0/16
+# xref: https://cloud.google.com/load-balancing/docs/health-check-concepts#ip-ranges
+ensure_rule filter FORWARD -m comment --comment 'gcp HealthCheck traffic' -s 35.191.0.0/16 -j DROP
+ensure_rule filter FORWARD -m comment --comment 'gcp HealthCheck traffic' -s 130.211.0.0/22 -j DROP
+
+mkdir -p "${RUN_DIR}"
 }
 
 remove_stale() {
-    ## find extra iptables rules
-    for ipt_vip in $(iptables -w -t nat -S "${CHAIN_NAME}" | awk '$4{print $4}' | awk -F/ '{print $1}'); do
-        if [[ -z "${vips[${ipt_vip}]}" ]]; then
-            echo removing stale vip "${ipt_vip}" for external clients
-            iptables -w -t nat -D "${CHAIN_NAME}" --dst "${ipt_vip}" -j REDIRECT
-        fi
-    done
-    for ipt_vip in $(iptables -w -t nat -S "${CHAIN_NAME}-local" | awk '$4{print $4}' | awk -F/ '{print $1}'); do
-        if [[ -z "${vips[${ipt_vip}]}" ]] || [[ "${vips[${ipt_vip}]}" = down ]]; then
-            echo removing stale vip "${ipt_vip}" for local clients
-            iptables -w -t nat -D "${CHAIN_NAME}-local" --dst "${ipt_vip}" -j REDIRECT
-        fi
-    done
+## find extra iptables rules
+for ipt_vip in $(iptables -w -t nat -S "${CHAIN_NAME}" | awk '$4{print $4}' | awk -F/ '{print $1}'); do
+    if [[ -z "${vips[${ipt_vip}]}" ]]; then
+        echo removing stale vip "${ipt_vip}" for external clients
+        iptables -w -t nat -D "${CHAIN_NAME}" --dst "${ipt_vip}" -j REDIRECT
+    fi
+done
+for ipt_vip in $(iptables -w -t nat -S "${CHAIN_NAME}-local" | awk '$4{print $4}' | awk -F/ '{print $1}'); do
+    if [[ -z "${vips[${ipt_vip}]}" ]] || [[ "${vips[${ipt_vip}]}" = down ]]; then
+        echo removing stale vip "${ipt_vip}" for local clients
+        iptables -w -t nat -D "${CHAIN_NAME}-local" --dst "${ipt_vip}" -j REDIRECT
+    fi
+done
 }
 
 add_rules() {
-    for vip in "${!vips[@]}"; do
-        echo "ensuring rule for ${vip} for external clients"
-        ensure_rule nat "${CHAIN_NAME}" --dst "${vip}" -j REDIRECT
-
-        if [[ "${vips[${vip}]}" != down ]]; then
-            echo "ensuring rule for ${vip} for internal clients"
-            ensure_rule nat "${CHAIN_NAME}-local" --dst "${vip}" -j REDIRECT
-        fi
-    done
+for vip in "${!vips[@]}"; do
+    echo "ensuring rule for ${vip} for external clients"
+    ensure_rule nat "${CHAIN_NAME}" --dst "${vip}" -j REDIRECT
+
+    if [[ "${vips[${vip}]}" != down ]]; then
+        echo "ensuring rule for ${vip} for internal clients"
+        ensure_rule nat "${CHAIN_NAME}-local" --dst "${vip}" -j REDIRECT
+    fi
+done
 }
 
 clear_rules() {
-    iptables -t nat -F "${CHAIN_NAME}" || true
-    iptables -t nat -F "${CHAIN_NAME}-local" || true
+iptables -t nat -F "${CHAIN_NAME}" || true
+iptables -t nat -F "${CHAIN_NAME}-local" || true
 }
 
 # out paramater: vips
 list_lb_ips() {
-    for k in "${!vips[@]}"; do
-        unset vips["${k}"]
-    done
-
-    local net_path="network-interfaces/"
-    for vif in $(curler ${net_path}); do
-        local hw_addr; hw_addr=$(curler "${net_path}${vif}mac")
-        local fwip_path; fwip_path="${net_path}${vif}forwarded-ips/"
-        for level in $(curler "${fwip_path}"); do
-            for fwip in $(curler "${fwip_path}${level}"); do
-                if [[ -e "${RUN_DIR}/${fwip}.down" ]]; then
-                    echo "${fwip} is manually marked as down, skipping for internal clients..."
-                    vips[${fwip}]="down"
-                else
-                    echo "Processing route for NIC ${vif}${hw_addr} for ${fwip}"
-                    vips[${fwip}]="${fwip}"
-                fi
-            done
+for k in "${!vips[@]}"; do
+    unset vips["${k}"]
+done
+
+local net_path="network-interfaces/"
+for vif in $(curler ${net_path}); do
+    local hw_addr; hw_addr=$(curler "${net_path}${vif}mac")
+    local fwip_path; fwip_path="${net_path}${vif}forwarded-ips/"
+    for level in $(curler "${fwip_path}"); do
+        for fwip in $(curler "${fwip_path}${level}"); do
+            if [[ -e "${RUN_DIR}/${fwip}.down" ]]; then
+                echo "${fwip} is manually marked as down, skipping for internal clients..."
+                vips[${fwip}]="down"
+            else
+                echo "Processing route for NIC ${vif}${hw_addr} for ${fwip}"
+                vips[${fwip}]="${fwip}"
+            fi
         done
     done
+done
 }
 
 sleep_or_watch() {
-    if hash inotifywait &> /dev/null; then
-        inotifywait -t 30 -r "${RUN_DIR}" &> /dev/null || true
-    else
-        # no inotify, need to manually poll
-        for i in {0..5}; do
-            for vip in "${!vips[@]}"; do
-                if [[ "${vips[${vip}]}" != down ]] && [[ -e "${RUN_DIR}/${vip}.down" ]]; then
-                    echo "new downfile detected"
-                    break 2
-                elif [[ "${vips[${vip}]}" = down ]] && ! [[ -e "${RUN_DIR}/${vip}.down" ]]; then
-                    echo "downfile disappeared"
-                    break 2
-                fi
-            done
-            sleep 1 # keep this small enough to not make gcp-routes slower than LBs on recovery
+if hash inotifywait &> /dev/null; then
+    inotifywait -t 30 -r "${RUN_DIR}" &> /dev/null || true
+else
+    # no inotify, need to manually poll
+    for i in {0..5}; do
+        for vip in "${!vips[@]}"; do
+            if [[ "${vips[${vip}]}" != down ]] && [[ -e "${RUN_DIR}/${vip}.down" ]]; then
+                echo "new downfile detected"
+                break 2
+            elif [[ "${vips[${vip}]}" = down ]] && ! [[ -e "${RUN_DIR}/${vip}.down" ]]; then
+                echo "downfile disappeared"
+                break 2
+            fi
         done
-    fi
+        sleep 1 # keep this small enough to not make gcp-routes slower than LBs on recovery
+    done
+fi
 }
 
 case "$1" in
-  start)
-    initialize
-    while :; do
-      list_lb_ips
-      remove_stale
-      add_rules
-      echo "done applying vip rules"
-      sleep_or_watch
-    done
-    ;;
-  cleanup)
-    clear_rules
-    ;;
-  *)
-    echo $"Usage: $0 {start|cleanup}"
-    exit 1
+start)
+initialize
+while :; do
+    list_lb_ips
+    remove_stale
+    add_rules
+    echo "done applying vip rules"
+    sleep_or_watch
+done
+;;
+cleanup)
+clear_rules
+;;
+*)
+echo $"Usage: $0 {start|cleanup}"
+exit 1
 esac
