NSM datapath monitoring on proxy NSC

Introduce optional NSM datapath monitoring/healing (or liveness check) checking if the
connection is alive by pinging endpoint from the client.
This option is for now available only between the proxy and LBs and has
to be enabled via new env variables introduced in the proxy.

Author: LionelJouin

cmd/proxy/internal/client/fullmesh.go

@@ -28,6 +28,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/networkservicemesh/api/pkg/api/networkservice"
 	"github.com/networkservicemesh/api/pkg/api/registry"
+	"github.com/networkservicemesh/sdk/pkg/networkservice/common/heal"
 	registryrefresh "github.com/networkservicemesh/sdk/pkg/registry/common/refresh"
 	registrysendfd "github.com/networkservicemesh/sdk/pkg/registry/common/sendfd"
 	registrychain "github.com/networkservicemesh/sdk/pkg/registry/core/chain"
@@ -237,9 +238,9 @@ func (fmnsc *FullMeshNetworkServiceClient) prepareQuery() *registry.NetworkServi
 // monitoring Network Service Endpoints belonging to the Network Service of the request.
 // Connects to each new Network Service Endpoint, and closes connection when a known
 // endpoint disappears.
-func NewFullMeshNetworkServiceClient(ctx context.Context, config *Config, additionalFunctionality ...networkservice.NetworkServiceClient) NetworkServiceClient {
+func NewFullMeshNetworkServiceClient(ctx context.Context, config *Config, healOptions []heal.Option, additionalFunctionality ...networkservice.NetworkServiceClient) NetworkServiceClient {
 	// create base client relying on NSM's client.NewClient API
-	client := newClient(ctx, config.Name, config.APIClient, additionalFunctionality...)
+	client := newClient(ctx, config.Name, config.APIClient, healOptions, additionalFunctionality...)
 
 	fullMeshNetworkServiceClient := &FullMeshNetworkServiceClient{
 		networkServiceClients: make(map[string]NetworkServiceClient),

cmd/proxy/internal/client/utils.go

@@ -41,15 +41,15 @@ func expirationTimeIsNull(expirationTime *timestamppb.Timestamp) bool {
 // Refresh Client comes from the NSM sdk version used. (In case of NSM v1.1.1 the built-in
 // refresh might lead to connection issues if the different path segments have different
 // maxTokenLifetime configured (unless the NSC side has the lowest maxtokenlifetime)).
-func newClient(ctx context.Context, name string, nsmAPIClient *nsm.APIClient, additionalFunctionality ...networkservice.NetworkServiceClient) networkservice.NetworkServiceClient {
+func newClient(ctx context.Context, name string, nsmAPIClient *nsm.APIClient, healOptions []heal.Option, additionalFunctionality ...networkservice.NetworkServiceClient) networkservice.NetworkServiceClient {
 	additionalFunctionality = append(additionalFunctionality,
 		sendfd.NewClient(),
 	)
 
 	return client.NewClient(ctx,
 		client.WithClientURL(&nsmAPIClient.Config.ConnectTo),
 		client.WithName(name),
-		client.WithHealClient(heal.NewClient(ctx)),
+		client.WithHealClient(heal.NewClient(ctx, healOptions...)),
 		client.WithAdditionalFunctionality(additionalFunctionality...),
 		client.WithDialTimeout(nsmAPIClient.Config.DialTimeout),
 		client.WithDialOptions(nsmAPIClient.GRPCDialOption...),

cmd/proxy/internal/config/config.go

@@ -25,27 +25,30 @@ import (
 
 // Config for the proxy
 type Config struct {
-	Name                string        `default:"proxy" desc:"Pod Name"`
-	ServiceName         string        `default:"proxy" desc:"Name of the Network Service" split_words:"true"`
-	ConnectTo           url.URL       `default:"unix:///var/lib/networkservicemesh/nsm.io.sock" desc:"url to connect to NSM" split_words:"true"`
-	DialTimeout         time.Duration `default:"5s" desc:"timeout to dial NSMgr" split_words:"true"`
-	RequestTimeout      time.Duration `default:"15s" desc:"timeout to request NSE" split_words:"true"`
-	MaxTokenLifetime    time.Duration `default:"24h" desc:"maximum lifetime of tokens" split_words:"true"`
-	IPAMService         string        `default:"ipam-service:7777" desc:"IP (or domain) and port of the IPAM Service" split_words:"true"`
-	Host                string        `default:"" desc:"Host name the proxy is running on" split_words:"true"`
-	NetworkServiceName  string        `default:"load-balancer" desc:"Name of the network service the proxy request the connection" split_words:"true"`
-	Namespace           string        `default:"default" desc:"Namespace the pod is running on" split_words:"true"`
-	Trench              string        `default:"default" desc:"Trench the pod is running on" split_words:"true"`
-	Conduit             string        `default:"load-balancer" desc:"Name of the conduit" split_words:"true"`
-	NSPServiceName      string        `default:"nsp-service" desc:"IP (or domain) of the NSP Service" split_words:"true"`
-	NSPServicePort      int           `default:"7778" desc:"port of the NSP Service" split_words:"true"`
-	IPFamily            string        `default:"dualstack" desc:"ip family" envconfig:"ip_family"`
-	LogLevel            string        `default:"DEBUG" desc:"Log level" split_words:"true"`
-	MTU                 int           `default:"1500" desc:"Conduit MTU considered by local NSCs and NSE composing the network mesh" split_words:"true"`
-	GRPCKeepaliveTime   time.Duration `default:"30s" desc:"gRPC keepalive timeout"`
-	GRPCProbeRPCTimeout time.Duration `default:"1s" desc:"RPC timeout of internal gRPC health probe" envconfig:"grpc_probe_rpc_timeout"`
-	GRPCMaxBackoff      time.Duration `default:"5s" desc:"Upper bound on gRPC connection backoff delay" envconfig:"grpc_max_backoff"`
-	IPReleaseDelay      time.Duration `default:"20s" desc:"delay releasing IP address of NSM connection" envconfig:"ip_release_delay"`
+	Name                  string        `default:"proxy" desc:"Pod Name"`
+	ServiceName           string        `default:"proxy" desc:"Name of the Network Service" split_words:"true"`
+	ConnectTo             url.URL       `default:"unix:///var/lib/networkservicemesh/nsm.io.sock" desc:"url to connect to NSM" split_words:"true"`
+	DialTimeout           time.Duration `default:"5s" desc:"timeout to dial NSMgr" split_words:"true"`
+	RequestTimeout        time.Duration `default:"15s" desc:"timeout to request NSE" split_words:"true"`
+	MaxTokenLifetime      time.Duration `default:"24h" desc:"maximum lifetime of tokens" split_words:"true"`
+	IPAMService           string        `default:"ipam-service:7777" desc:"IP (or domain) and port of the IPAM Service" split_words:"true"`
+	Host                  string        `default:"" desc:"Host name the proxy is running on" split_words:"true"`
+	NetworkServiceName    string        `default:"load-balancer" desc:"Name of the network service the proxy request the connection" split_words:"true"`
+	Namespace             string        `default:"default" desc:"Namespace the pod is running on" split_words:"true"`
+	Trench                string        `default:"default" desc:"Trench the pod is running on" split_words:"true"`
+	Conduit               string        `default:"load-balancer" desc:"Name of the conduit" split_words:"true"`
+	NSPServiceName        string        `default:"nsp-service" desc:"IP (or domain) of the NSP Service" split_words:"true"`
+	NSPServicePort        int           `default:"7778" desc:"port of the NSP Service" split_words:"true"`
+	IPFamily              string        `default:"dualstack" desc:"ip family" envconfig:"ip_family"`
+	LogLevel              string        `default:"DEBUG" desc:"Log level" split_words:"true"`
+	MTU                   int           `default:"1500" desc:"Conduit MTU considered by local NSCs and NSE composing the network mesh" split_words:"true"`
+	GRPCKeepaliveTime     time.Duration `default:"30s" desc:"gRPC keepalive timeout"`
+	GRPCProbeRPCTimeout   time.Duration `default:"1s" desc:"RPC timeout of internal gRPC health probe" envconfig:"grpc_probe_rpc_timeout"`
+	GRPCMaxBackoff        time.Duration `default:"5s" desc:"Upper bound on gRPC connection backoff delay" envconfig:"grpc_max_backoff"`
+	IPReleaseDelay        time.Duration `default:"20s" desc:"delay releasing IP address of NSM connection" envconfig:"ip_release_delay"`
+	LivenessCheckInterval time.Duration `default:"2s" desc:"Dataplane liveness check interval" split_words:"true"`
+	LivenessCheckTimeout  time.Duration `default:"1s" desc:"Dataplane liveness check timeout" split_words:"true"`
+	LivenessCheckEnabled  bool          `default:"false" desc:"Dataplane liveness check enabled/disabled" split_words:"true"`
 }
 
 // IsValid checks if the configuration is valid

cmd/proxy/internal/service/client.go

@@ -26,6 +26,7 @@ import (
 	"github.com/networkservicemesh/api/pkg/api/networkservice/payload"
 	"github.com/networkservicemesh/sdk-sriov/pkg/networkservice/common/mechanisms/vfio"
 	sriovtoken "github.com/networkservicemesh/sdk-sriov/pkg/networkservice/common/token"
+	"github.com/networkservicemesh/sdk/pkg/networkservice/common/heal"
 	"github.com/networkservicemesh/sdk/pkg/networkservice/common/mechanisms"
 	"github.com/networkservicemesh/sdk/pkg/networkservice/common/mechanisms/kernel"
 	"github.com/networkservicemesh/sdk/pkg/networkservice/core/chain"
@@ -46,6 +47,7 @@ func GetNSC(ctx context.Context,
 	config *config.Config,
 	nsmAPIClient *nsm.APIClient,
 	p *proxy.Proxy,
+	healOptions []heal.Option,
 	interfaceMonitorClient networkservice.NetworkServiceClient) client.NetworkServiceClient {
 
 	logger := log.FromContextOrGlobal(ctx).WithValues("func", "GetNSC")
@@ -70,7 +72,7 @@ func GetNSC(ctx context.Context,
 		proxyHealth.NewClient(),
 		fullmeshtracker.NewClient(),
 	)
-	fullMeshClient := client.NewFullMeshNetworkServiceClient(ctx, clientConfig, additionalFunctionality)
+	fullMeshClient := client.NewFullMeshNetworkServiceClient(ctx, clientConfig, healOptions, additionalFunctionality)
 
 	return fullMeshClient
 }

cmd/proxy/main.go

@@ -28,6 +28,7 @@ import (
 
 	"github.com/kelseyhightower/envconfig"
 	"github.com/networkservicemesh/api/pkg/api/networkservice"
+	"github.com/networkservicemesh/sdk/pkg/networkservice/common/heal"
 	"github.com/networkservicemesh/sdk/pkg/tools/grpcutils"
 	nsmlog "github.com/networkservicemesh/sdk/pkg/tools/log"
 	ipamAPI "github.com/nordix/meridio/api/ipam/v1"
@@ -41,6 +42,7 @@ import (
 	"github.com/nordix/meridio/pkg/health/probe"
 	linuxKernel "github.com/nordix/meridio/pkg/kernel"
 	"github.com/nordix/meridio/pkg/nsm"
+	kernelheal "github.com/nordix/meridio/pkg/nsm/heal"
 	"github.com/nordix/meridio/pkg/nsm/interfacemonitor"
 	nsmmonitor "github.com/nordix/meridio/pkg/nsm/monitor"
 	"github.com/nordix/meridio/pkg/nsp"
@@ -236,9 +238,18 @@ func main() {
 	monitorClient := networkservice.NewMonitorConnectionClient(cc)
 	go nsmmonitor.ConnectionMonitor(ctx, config.Name, monitorClient)
 
+	healOptions := []heal.Option{}
+	if config.LivenessCheckEnabled {
+		healOptions = []heal.Option{
+			heal.WithLivenessCheckInterval(config.LivenessCheckInterval),
+			heal.WithLivenessCheckTimeout(config.LivenessCheckTimeout),
+			heal.WithLivenessCheck(kernelheal.KernelLivenessCheck),
+		}
+	}
+
 	// create and start NSC that connects all remote NSE belonging to the right service
 	interfaceMonitorClient := interfacemonitor.NewClient(interfaceMonitor, p, netUtils)
-	nsmClient := service.GetNSC(ctx, &config, nsmAPIClient, p, interfaceMonitorClient)
+	nsmClient := service.GetNSC(ctx, &config, nsmAPIClient, p, healOptions, interfaceMonitorClient)
 	defer nsmClient.Close()
 	go func() {
 		service.StartNSC(nsmClient, config.NetworkServiceName)

cmd/tapa/main.go

@@ -25,6 +25,7 @@ import (
 	"os"
 	"os/signal"
 	"syscall"
+	"time"
 
 	"github.com/go-logr/logr"
 	"github.com/kelseyhightower/envconfig"
@@ -49,6 +50,7 @@ import (
 	linuxKernel "github.com/nordix/meridio/pkg/kernel"
 	"github.com/nordix/meridio/pkg/log"
 	"github.com/nordix/meridio/pkg/nsm"
+	kernelheal "github.com/nordix/meridio/pkg/nsm/heal"
 	"github.com/nordix/meridio/pkg/nsm/interfacename"
 	"github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
@@ -155,10 +157,16 @@ func main() {
 		sendfd.NewClient(),
 	}
 
+	healOptions := []heal.Option{
+		heal.WithLivenessCheckInterval(2 * time.Second),
+		heal.WithLivenessCheckTimeout(1 * time.Second),
+		heal.WithLivenessCheck(kernelheal.KernelLivenessCheck),
+	}
+
 	networkServiceClient := client.NewClient(ctx,
 		client.WithClientURL(&nsmAPIClient.Config.ConnectTo),
 		client.WithName(config.Name),
-		client.WithHealClient(heal.NewClient(ctx)),
+		client.WithHealClient(heal.NewClient(ctx, healOptions...)),
 		client.WithAdditionalFunctionality(additionalFunctionality...),
 		client.WithDialTimeout(nsmAPIClient.Config.DialTimeout),
 		client.WithDialOptions(nsmAPIClient.GRPCDialOption...),

docs/components/proxy.md

@@ -39,6 +39,14 @@ NSM_NSP_SERVICE_NAME | string | IP (or domain) of the NSP Service | nsp-service
 NSM_NSP_SERVICE_PORT | int | port of the NSP Service | 7778
 NSM_IP_FAMILY | string | ip family | dualstack
 NSM_LOG_LEVEL | string | Log level | DEBUG
+NSM_MTU | string | Conduit MTU considered by local NSCs and NSE composing the network mesh | 1500
+NSM_GRPC_KEEPALIVE_TIME | time.Duration | gRPC keepalive timeout | 30s
+NSM_GRPC_PROBE_RPC_TIMEOUT | time.Duration | RPC timeout of internal gRPC health probe | 1s
+NSM_GRPC_MAX_BACKOFF | time.Duration | Upper bound on gRPC connection backoff delay | 5s
+NSM_IP_RELEASE_DELAY | time.Duration | delay releasing IP address of NSM connection | 20s
+NSM_LIVENESS_CHECK_INTERVAL | time.Duration | Dataplane liveness check interval | 2s
+NSM_LIVENESS_CHECK_TIMEOUT | time.Duration | Dataplane liveness check timeout | 1s
+NSM_LIVENESS_CHECK_ENABLED | bool | Dataplane liveness check enabled/disabled | false
 
 ## Command Line 
 

go.mod

@@ -7,6 +7,7 @@ require (
 	github.com/faisal-memon/sviddisk v0.0.0-20211007205134-77ccea0b9271
 	github.com/go-logr/logr v1.4.1
 	github.com/go-logr/zapr v1.3.0
+	github.com/go-ping/ping v1.0.0
 	github.com/golang/mock v1.6.0
 	github.com/google/nftables v0.1.0
 	github.com/google/uuid v1.3.1

go.sum

@@ -106,6 +106,8 @@ github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2Kv
 github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
 github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g=
 github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
+github.com/go-ping/ping v1.0.0 h1:34GZiqLDqqIHEeL5NZIz7jSnMluK7/p0qDB436yO6H0=
+github.com/go-ping/ping v1.0.0/go.mod h1:35JbSyV/BYqHwwRA6Zr1uVDm1637YlNOU61wI797NPI=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
@@ -412,6 +414,7 @@ golang.org/x/net v0.0.0-20191007182048-72f939374954/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200904194848-62affa334b73/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=