Make calico MTU configurable in bootstrap config #2677
Conversation
Hello teddyandrieux,My role is to assist you with the merge of this Status report is not available. |
Waiting for approvalThe following approvals are needed before I can proceed with the merge:
Peer approvals must include at least 1 approval from the following list:
|
| @@ -79,3 +79,26 @@ def get_oidc_service_ip(): | |||
| range. | |||
| ''' | |||
| return _pick_nth_service_ip(OIDC_ADDRESS_NUMBER) | |||
|
|
|||
|
|
|||
| def get_mtu_from_ip(ip): | |||
There was a problem hiding this comment.
IP or CIDR?
Reading the doc, I would say CIDR.
There was a problem hiding this comment.
Not really the doc is wrong here it's not a cidr but an IP (maybe not full)
(And btw it's a bit bugged if you not specify the full IP because he consider 0 as wildcard)
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether fa:16:3e:2b:fd:d5 brd ff:ff:ff:ff:ff:ff
inet 10.200.2.69/16 brd 10.200.255.255 scope global dynamic eth0
valid_lft 71176sec preferred_lft 71176sec
inet6 fe80::f816:3eff:fe2b:fdd5/64 scope link
valid_lft forever preferred_lft forever
3: tunl0@NONE: <NOARP,UP,LOWER_UP> mtu 1440 qdisc noqueue state UNKNOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
inet 10.233.132.64/32 brd 10.233.132.64 scope global tunl0
valid_lft forever preferred_lft forever
[root@bootstrap ~]# salt-call network.ifacestartswith 10.200.0.0/16
local:
[root@bootstrap ~]# salt-call network.ifacestartswith 10.200
local:
- tunl0
- eth0
[root@bootstrap ~]# salt-call network.ifacestartswith 10.200.
local:
- eth0
| {#- Check that service MTU configured is inferior to the local workload interface one #} | ||
| {%- set workload_local_mtu = salt.metalk8s_network.get_mtu_from_ip(grains.metalk8s.workload_plane_ip) %} | ||
| {%- if pillar['networks']['mtu'] > workload_local_mtu %} | ||
| {{ raise('Trying to configure CNI with ' ~ pillar['metalk8s']['networks']['mtu'] | ||
| ~ 'MTU but local workload interface MTU is inferior ' ~ workload_local_mtu) }} | ||
| {%- endif %} |
There was a problem hiding this comment.
Neat! Do you think we can add a similar check earlier in the bootstrap/deploy_node orchestrate?
Maybe consider adding these checks in metalk8s.internal.preflight?
There was a problem hiding this comment.
Yes I could add check earlier (maybe not in the preflight because to me preflight should be removed at some point, since it does not bring any value)
I will try to find a better place earlier I agree it fail a bit late here (at least for bootstrap because for new node it will fail when rendering the "bring new node to highstate" so not really late I think)
There was a problem hiding this comment.
Could be done later, and as you said, since we may want to do some refactoring around the pre-checks, would make sense to add as a task in #1999
TeddyAndrieux
force-pushed
the
improvement/GH-1095-make-calico-mtu-configurable
branch
from
bb3674e to
de68d1d
Compare
Waiting for approvalThe following approvals are needed before I can proceed with the merge:
Peer approvals must include at least 1 approval from the following list:
|
TeddyAndrieux
force-pushed
the
improvement/GH-1095-make-calico-mtu-configurable
branch
9 times, most recently
from
3a68daf to
58f2755
Compare
| @@ -15,6 +15,7 @@ | |||
|
|
|||
| DEFAULT_POD_NETWORK = '10.233.0.0/16' | |||
| DEFAULT_SERVICE_NETWORK = '10.96.0.0/12' | |||
| DEFAULT_MTU = 1460 | |||
There was a problem hiding this comment.
That's the default Calico uses based on GCP. Should we keep it (to smooth upgrades), or find one that better suits our use cases? (for on-prem, I don't what the lowest reasonable MTU we'd find, but maybe we could start by considering the ones on Scality Cloud - 1500 apparently)
There was a problem hiding this comment.
Don't really know, but to me it's not really part of this PR, but indeed it's a good question
There was a problem hiding this comment.
Let's keep it for now, shouldn't hurt unless we start deploying in envs where this default value is too low.
TeddyAndrieux
force-pushed
the
improvement/GH-1095-make-calico-mtu-configurable
branch
2 times, most recently
from
53a31d1 to
6b0e6b7
Compare
TeddyAndrieux
force-pushed
the
improvement/GH-1095-make-calico-mtu-configurable
branch
from
15b657c to
60877dc
Compare
There was a problem hiding this comment.
Perfect! Thanks, I guess we just need to create some tracking tickets for open questions:
- how to get the MTU checks "standalone" so we can run them earlier
- what default MTU should we use
- what's the impact of having multiple CIDRs (manual + automated tests to consider)
No need to provide much details, just get a title, link to this PR, and the state:question label and we'll get back to them later.
|
Something to keep in mind: when multiple CIDRs are used, you almost certainly require tunneling (IPIP/VXLAN) to be enabled! (Unless Calico is configured to peer with routers on the data path etc. which is rather unlikely in our deployments). |
Waiting for approvalThe following approvals are needed before I can proceed with the merge:
Peer approvals must include at least 1 approval from the following list:
|
TeddyAndrieux
force-pushed
the
improvement/GH-1095-make-calico-mtu-configurable
branch
from
60877dc to
2275742
Compare
Waiting for approvalThe following approvals are needed before I can proceed with the merge:
Peer approvals must include at least 1 approval from the following list:
The following reviewers are expecting changes from the author, or must review again: |
Before this commit we use networks pillar to compute the salt-api address in salt-api tests, but it's wrong we should directly use the MetalK8s grains containing the control plane IP we want. Use this grains instead of computing the address from CIDR in the pillar
Add a module function to retrieve the first IP available from several CIDRs with an optionnal argument for `current_ip` so that we return this current_ip if this IP still available in one of the provided CIDRs
Add unit tests for `get_ip_from_cidrs` function from `metalk8s_network` salt custom module
Add a function in `metalk8s_network` salt module to retrieve MTU configured on an interface from an IP (will be needed to check MTU on workload plane network before configuring calico #1095)
Add unit tests for `get_mtu_from_ip` function from `metalk8s_network` salt custom module
In metalk8s we may have node not in the same L2 networks so that some routing was needed to communicate between node and it's perfectly find just we need to allow multiple CIDRs for workload plane and control plane networks. Now in bootstrap config you can provide a list of CIDRs for this 2 networks. Bump apiVersion of bootstrap config as the layout of the file changed
Add a utils in tests to get a pillar key with salt
In expansions test we need to have the CIDR of the control-plane network to create the new nodes, instead of retrieving the CIDR from bootstrap config directly, retrieve it from the pillar. NOTE: In expansions test we expect to have only one CIDR for control plane network
Use the new version `v1alpha3` for BootstrapConfiguration file generated with vagrant
Use the new version `v1alpha3` for BootstrapConfiguration file generated by openstack worker for multiple-nodes
Use the new version `v1alpha3` for BootstrapConfiguration file generated by openstack worker for single-node rhel
BootstrapConfig layout just changed, this commit update the documentation according to this Bootstrap config changes
Add a `mtu` key in bootstrap configuration to configure the value for MTU on Pod network, this value is used by calico to create the interface for Pod network. NOTE: We set the calico MTU to the workload MTU - 20 so that if IPinIP is enabled the MTU is still valid Fixes: #1095
Add a small paragraph about MTU value that may be provided for workloadPlane network in BootstrapConfiguration Refs: #1095
Add a changelog entry about the ability to use multiple CIDRs for workload and control plane networks and to configure the MTU used by Calico Refs: #1095
TeddyAndrieux
force-pushed
the
improvement/GH-1095-make-calico-mtu-configurable
branch
from
2275742 to
25193fe
Compare
Waiting for approvalThe following approvals are needed before I can proceed with the merge:
Peer approvals must include at least 1 approval from the following list:
|
|
/approve |
In the queueThe changeset has received all authorizations and has been added to the The changeset will be merged in:
The following branches will NOT be impacted:
There is no action required on your side. You will be notified here once IMPORTANT Please do not attempt to modify this pull request.
If you need this pull request to be removed from the queue, please contact a The following options are set: approve |
|
I have successfully merged the changeset of this pull request
The following branches have NOT changed:
Please check the status of the associated issue GH-1095. Goodbye teddyandrieux. |
Component:
'salt', 'kubernetes'
Context:
#1095
Summary:
New bootstrap config network layout (still backward compatible with old style)
TODO:
get_mtu_from_ipget_ip_from_cidrsFixes: #1095