loader: attach skb programs using tcx by default, add enableTCX Helm …

…value This commit puts the tcx logic in the endpoint attachment path and enables it by default. The 'enableTCX' Helm value is added to disable tcx attachments if external tooling hasn't caught up yet, as attaching a tcx program to an interface disables the legacy tc pipeline. The agent upgrades and downgrades interfaces seamlessly based on tcx being enabled or not, so any existing workloads are migrated automatically at runtime, without having to reboot the node. Signed-off-by: Timo Beckers <timo@isovalent.com>
cilium · Apr 26, 2024 · 5b42a5f · 5b42a5f
1 parent be46dff
commit 5b42a5f
Show file tree

Hide file tree

Showing 14 changed files with 88 additions and 5 deletions.
diff --git a/Documentation/cmdref/cilium-agent.md b/Documentation/cmdref/cilium-agent.md
diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go
@@ -705,6 +705,9 @@ func InitGlobalFlags(cmd *cobra.Command, vp *viper.Viper) {
 	flags.Bool(option.EnableXDPPrefilter, false, "Enable XDP prefiltering")
 	option.BindEnv(vp, option.EnableXDPPrefilter)
 
+	flags.Bool(option.EnableTCX, false, "Attach endpoint programs using tcx if supported by the kernel")
+	option.BindEnv(vp, option.EnableTCX)
+
 	flags.Bool(option.PreAllocateMapsName, defaults.PreAllocateMaps, "Enable BPF map pre-allocation")
 	option.BindEnv(vp, option.PreAllocateMapsName)
 

diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml
@@ -579,6 +579,12 @@ data:
   enable-ipv6-big-tcp: {{ .Values.enableIPv6BIGTCP | quote }}
   enable-ipv6-masquerade: {{ .Values.enableIPv6Masquerade | quote }}
 
+{{- if hasKey .Values "enableTCX" }}
+  enable-tcx: {{ .Values.enableTCX | quote }}
+{{- else }}
+  enable-tcx: "true"
+{{- end }}
+
 {{- if (not (kindIs "invalid" .Values.bpf.masquerade)) }}
   enable-bpf-masquerade: {{ .Values.bpf.masquerade | quote }}
 {{- else if eq $defaultBpfMasquerade "true" }}

diff --git a/install/kubernetes/cilium/values.schema.json b/install/kubernetes/cilium/values.schema.json
@@ -1499,6 +1499,9 @@
     "enableRuntimeDeviceDetection": {
       "type": "boolean"
     },
+    "enableTCX": {
+      "type": "boolean"
+    },
     "enableXTSocketFallback": {
       "type": "boolean"
     },

diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
diff --git a/install/kubernetes/cilium/values.yaml.tmpl b/install/kubernetes/cilium/values.yaml.tmpl
@@ -1802,6 +1802,8 @@ enableMasqueradeRouteSource: false
 enableIPv4BIGTCP: false
 # -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods
 enableIPv6BIGTCP: false
+# -- Attach endpoint programs using tcx instead of legacy tc hooks on supported kernels.
+enableTCX: true
 egressGateway:
   # -- Enables egress gateway to redirect and SNAT the traffic that leaves the
   # cluster.

diff --git a/pkg/datapath/loader/base.go b/pkg/datapath/loader/base.go
@@ -223,6 +223,7 @@ func (l *loader) reinitializeIPSec(ctx context.Context) error {
 				elf:      networkObj,
 				programs: progs,
 				linkDir:  bpffsDeviceLinksDir(bpf.CiliumPath(), device),
+				tcx:      option.Config.EnableTCX,
 			},
 		)
 		if err != nil {

diff --git a/pkg/datapath/loader/loader.go b/pkg/datapath/loader/loader.go
@@ -412,6 +412,7 @@ func (l *loader) reloadHostDatapath(ctx context.Context, ep datapath.Endpoint, o
 			elf:      objPath,
 			programs: progs,
 			linkDir:  bpffsDeviceLinksDir(bpf.CiliumPath(), host),
+			tcx:      option.Config.EnableTCX,
 		},
 	)
 	if err != nil {
@@ -452,6 +453,7 @@ func (l *loader) reloadHostDatapath(ctx context.Context, ep datapath.Endpoint, o
 			elf:      secondDevObjPath,
 			programs: progs,
 			linkDir:  bpffsDeviceLinksDir(bpf.CiliumPath(), net),
+			tcx:      option.Config.EnableTCX,
 		},
 	)
 	if err != nil {
@@ -506,6 +508,7 @@ func (l *loader) reloadHostDatapath(ctx context.Context, ep datapath.Endpoint, o
 				elf:      netdevObjPath,
 				programs: progs,
 				linkDir:  linkDir,
+				tcx:      option.Config.EnableTCX,
 			},
 		)
 		if err != nil {
@@ -575,6 +578,7 @@ func (l *loader) reloadDatapath(ctx context.Context, ep datapath.Endpoint, dirs
 				elf:      objPath,
 				programs: progs,
 				linkDir:  linkDir,
+				tcx:      option.Config.EnableTCX,
 			},
 		)
 		if err != nil {
@@ -633,6 +637,7 @@ func (l *loader) replaceOverlayDatapath(ctx context.Context, cArgs []string, ifa
 			elf:      overlayObj,
 			programs: progs,
 			linkDir:  bpffsDeviceLinksDir(bpf.CiliumPath(), device),
+			tcx:      option.Config.EnableTCX,
 		},
 	)
 	if err != nil {

diff --git a/pkg/datapath/loader/loader_test.go b/pkg/datapath/loader/loader_test.go
@@ -141,6 +141,7 @@ func TestReload(t *testing.T) {
 		elf:      objPath,
 		programs: progs,
 		linkDir:  testutils.TempBPFFS(t),
+		tcx:      true,
 	}
 	finalize, err := replaceDatapath(ctx, opts)
 	require.NoError(t, err)
@@ -289,6 +290,7 @@ func BenchmarkReplaceDatapath(b *testing.B) {
 				elf:      objPath,
 				programs: progs,
 				linkDir:  linkDir,
+				tcx:      true,
 			},
 		)
 		if err != nil {

diff --git a/pkg/datapath/loader/netlink.go b/pkg/datapath/loader/netlink.go
@@ -52,6 +52,7 @@ type replaceDatapathOptions struct {
 	programs []progDefinition // programs that we want to attach/replace
 	xdpMode  string           // XDP driver mode, only applies when attaching XDP programs
 	linkDir  string           // path to bpffs dir holding bpf_links for the device/endpoint
+	tcx      bool             // attempt attaching skb programs using tcx
 }
 
 // replaceDatapath replaces the qdisc and BPF program for an endpoint or XDP program.
@@ -230,7 +231,7 @@ func replaceDatapath(ctx context.Context, opts replaceDatapathOptions) (_ func()
 			err = attachXDPProgram(link, coll.Programs[prog.progName], prog.progName, opts.linkDir, xdpConfigModeToFlag(opts.xdpMode))
 		} else {
 			scopedLog.Debug("Attaching SKB program to interface")
-			err = attachSKBProgram(link, coll.Programs[prog.progName], prog.progName, opts.linkDir, directionToParent(prog.direction))
+			err = attachSKBProgram(link, coll.Programs[prog.progName], prog.progName, opts.linkDir, directionToParent(prog.direction), opts.tcx)
 		}
 
 		if err != nil {

diff --git a/pkg/datapath/loader/tc.go b/pkg/datapath/loader/tc.go
@@ -4,19 +4,41 @@
 package loader
 
 import (
+	"errors"
 	"fmt"
 	"strings"
 
 	"github.com/vishvananda/netlink"
 	"golang.org/x/sys/unix"
 
 	"github.com/cilium/ebpf"
+	"github.com/cilium/ebpf/link"
 
 	"github.com/cilium/cilium/pkg/option"
 )
 
-// attachSKBProgram attaches prog to device using legacy tc.
-func attachSKBProgram(device netlink.Link, prog *ebpf.Program, progName, bpffsDir string, parent uint32) error {
+// attachSKBProgram attaches prog to device using tcx if available and enabled,
+// or legacy tc as a fallback.
+func attachSKBProgram(device netlink.Link, prog *ebpf.Program, progName, bpffsDir string, parent uint32, tcxEnabled bool) error {
+	if tcxEnabled {
+		// Attach using tcx if available. This is seamless on interfaces with
+		// existing tc programs since attaching tcx disables legacy tc evaluation.
+		err := upsertTCXProgram(device, prog, progName, bpffsDir, parent)
+		if err == nil {
+			// Created tcx link, clean up any leftover legacy tc attachments.
+			if err := removeTCFilters(device, parent); err != nil {
+				return fmt.Errorf("legacy tc cleanup after attaching tcx program %s: %w", progName, err)
+			}
+
+			// Don't fall back to legacy tc.
+			return nil
+		}
+		if !errors.Is(err, link.ErrNotSupported) {
+			// Unrecoverable error, surface to the caller.
+			return fmt.Errorf("attaching tcx program %s: %w", progName, err)
+		}
+	}
+
 	// tcx not available or disabled, fall back to legacy tc.
 	if err := attachTCProgram(device, prog, progName, parent); err != nil {
 		return fmt.Errorf("attaching legacy tc program %s: %w", progName, err)

diff --git a/pkg/datapath/loader/tc_test.go b/pkg/datapath/loader/tc_test.go
@@ -65,13 +65,42 @@ func TestAttachDetachSKBProgram(t *testing.T) {
 		prog := mustTCProgram(t)
 		linkDir := testutils.TempBPFFS(t)
 
-		require.NoError(t, attachSKBProgram(lo, prog, "test", linkDir, directionToParent(dirEgress)))
+		require.NoError(t, attachSKBProgram(lo, prog, "test", linkDir, directionToParent(dirEgress), true))
 		require.NoError(t, detachSKBProgram(lo, "test", linkDir, directionToParent(dirEgress)))
 
 		return nil
 	})
 }
 
+// Upgrade a legacy tc program to tcx.
+func TestAttachSKBUpgrade(t *testing.T) {
+	testutils.PrivilegedTest(t)
+
+	ns := netns.NewNetNS(t)
+	ns.Do(func() error {
+		prog := mustTCProgramWithName(t, "cil_test")
+		linkDir := testutils.TempBPFFS(t)
+
+		// Use the cil_ prefix so the attachment algorithm knows which tc filter to
+		// clean up after attaching tcx.
+		require.NoError(t, attachTCProgram(lo, prog, "cil_test", directionToParent(dirEgress)))
+
+		require.NoError(t, attachSKBProgram(lo, prog, "cil_test", linkDir, directionToParent(dirEgress), true))
+
+		hasFilters, err := hasCiliumTCFilters(lo, directionToParent(dirEgress))
+		require.NoError(t, err)
+		require.False(t, hasFilters)
+
+		require.NoError(t, testutils.WaitUntil(func() bool {
+			hasLinks, err := hasCiliumTCXLinks(lo, ebpf.AttachTCXEgress)
+			require.NoError(t, err)
+			return hasLinks
+		}, time.Second))
+
+		return nil
+	})
+}
+
 // Downgrade a tcx program to legacy tc.
 func TestAttachSKBDowngrade(t *testing.T) {
 	testutils.PrivilegedTest(t)
@@ -83,7 +112,7 @@ func TestAttachSKBDowngrade(t *testing.T) {
 
 		require.NoError(t, upsertTCXProgram(lo, prog, "cil_test", linkDir, directionToParent(dirEgress)))
 
-		require.NoError(t, attachSKBProgram(lo, prog, "cil_test", linkDir, directionToParent(dirEgress)))
+		require.NoError(t, attachSKBProgram(lo, prog, "cil_test", linkDir, directionToParent(dirEgress), false))
 
 		hasFilters, err := hasCiliumTCFilters(lo, directionToParent(dirEgress))
 		require.NoError(t, err)

diff --git a/pkg/option/config.go b/pkg/option/config.go
@@ -391,6 +391,9 @@ const (
 	// EnableXDPPrefilter enables XDP-based prefiltering
 	EnableXDPPrefilter = "enable-xdp-prefilter"
 
+	// EnableTCX enables attaching endpoint programs using tcx
+	EnableTCX = "enable-tcx"
+
 	ProcFs = "procfs"
 
 	// PrometheusServeAddr IP:Port on which to serve prometheus metrics (pass ":Port" to bind on all interfaces, "" is off)
@@ -1350,6 +1353,7 @@ type DaemonConfig struct {
 	LBDevInheritIPAddr  string   // Device which IP addr used by bpf_host devices
 	EnableXDPPrefilter  bool     // Enable XDP-based prefiltering
 	XDPMode             string   // XDP mode, values: { xdpdrv | xdpgeneric | none }
+	EnableTCX           bool     // Enable attaching endpoint programs using tcx
 	HostV4Addr          net.IP   // Host v4 address of the snooping device
 	HostV6Addr          net.IP   // Host v6 address of the snooping device
 	EncryptInterface    []string // Set of network facing interface to encrypt over
@@ -2896,6 +2900,7 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) {
 	c.WireguardPersistentKeepalive = vp.GetDuration(WireguardPersistentKeepalive)
 	c.EnableWellKnownIdentities = vp.GetBool(EnableWellKnownIdentities)
 	c.EnableXDPPrefilter = vp.GetBool(EnableXDPPrefilter)
+	c.EnableTCX = vp.GetBool(EnableTCX)
 	c.DisableCiliumEndpointCRD = vp.GetBool(DisableCiliumEndpointCRDName)
 	c.MasqueradeInterfaces = vp.GetStringSlice(MasqueradeInterfaces)
 	c.EgressMasqueradeInterfaces = strings.Join(c.MasqueradeInterfaces, ",")