sdn: try cleaning up OVS rules even if sandbox is gone

dcbw · dcbw · commit b71decbecbc3 · 2018-01-18T14:13:45.000-06:00
If a sandbox is deleted underneath kubernetes its netns will be gone and its veth interface will be deleted by the kernel. That means we can't inspect the veth for its IP address and other details, which are used to remove OVS flows for the interface. But we've already got code to find out the IP using the sandbox ID which kubelet passes down to us. Let's use that code to at least delete the stale OVS flows. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1518684
diff --git a/pkg/network/node/ovscontroller.go b/pkg/network/node/ovscontroller.go
@@ -402,11 +402,17 @@ func (oc *ovsController) TearDownPod(hostVeth, podIP, sandboxID string) error {
 		podIP = ip
 	}
 
-	if err := oc.cleanupPodFlows(podIP); err != nil {
+	err := oc.cleanupPodFlows(podIP)
+	if err != nil {
 		return err
 	}
-	_ = oc.SetPodBandwidth(hostVeth, -1, -1)
-	return oc.ovs.DeletePort(hostVeth)
+
+	// veth may have already been destroyed if the container was deleted out-of-band
+	if hostVeth != "" {
+		_ = oc.SetPodBandwidth(hostVeth, -1, -1)
+		err = oc.ovs.DeletePort(hostVeth)
+	}
+	return err
 }
 
 func policyNames(policies []networkapi.EgressNetworkPolicy) string {
diff --git a/pkg/network/node/pod.go b/pkg/network/node/pod.go
@@ -679,23 +679,26 @@ func (m *podManager) teardown(req *cniserver.PodRequest) error {
 	defer PodOperationsLatency.WithLabelValues(PodOperationTeardown).Observe(sinceInMicroseconds(time.Now()))
 
 	netnsValid := true
-	if err := ns.IsNSorErr(req.Netns); err != nil {
+	err := ns.IsNSorErr(req.Netns)
+	if err != nil {
 		if _, ok := err.(ns.NSPathNotExistErr); ok {
 			glog.V(3).Infof("teardown called on already-destroyed pod %s/%s; only cleaning up IPAM", req.PodNamespace, req.PodName)
 			netnsValid = false
 		}
 	}
 
-	errList := []error{}
+	var hostVethName string
+	var podIP string
 	if netnsValid {
-		hostVethName, _, podIP, err := getVethInfo(req.Netns, podInterfaceName)
+		hostVethName, _, podIP, err = getVethInfo(req.Netns, podInterfaceName)
 		if err != nil {
 			return err
 		}
+	}
 
-		if err := m.ovs.TearDownPod(hostVethName, podIP, req.SandboxID); err != nil {
-			errList = append(errList, err)
-		}
+	errList := []error{}
+	if err := m.ovs.TearDownPod(hostVethName, podIP, req.SandboxID); err != nil {
+		errList = append(errList, err)
 	}
 
 	if err := m.ipamDel(req.SandboxID); err != nil {

Original file line number	Diff line number	Diff line change
`@@ -402,11 +402,17 @@ func (oc *ovsController) TearDownPod(hostVeth, podIP, sandboxID string) error {`
`402`	`402`	`podIP = ip`
`403`	`403`	`}`
`404`	`404`
`405`		`- if err := oc.cleanupPodFlows(podIP); err != nil {`
	`405`	`+ err := oc.cleanupPodFlows(podIP)`
	`406`	`+ if err != nil {`
`406`	`407`	`return err`
`407`	`408`	`}`
`408`		`- _ = oc.SetPodBandwidth(hostVeth, -1, -1)`
`409`		`- return oc.ovs.DeletePort(hostVeth)`
	`409`	`+`
	`410`	`+ // veth may have already been destroyed if the container was deleted out-of-band`
	`411`	`+ if hostVeth != "" {`
	`412`	`+ _ = oc.SetPodBandwidth(hostVeth, -1, -1)`
	`413`	`+ err = oc.ovs.DeletePort(hostVeth)`
	`414`	`+ }`
	`415`	`+ return err`
`410`	`416`	`}`
`411`	`417`
`412`	`418`	`func policyNames(policies []networkapi.EgressNetworkPolicy) string {`