Merge pull request #3798 from telepresenceio/thallgren/port-forward-stability

Port forward stability and race conditions

Author: thallgren

.golangci.yml

@@ -53,11 +53,6 @@ linters-settings:
         - gotest.tools:    { recommendations: ['github.com/stretchr/testify', 'github.com/google/go-cmp/cmp'] }
         - gotest.tools/v2: { recommendations: ['github.com/stretchr/testify', 'github.com/google/go-cmp/cmp'] }
         - gotest.tools/v3: { recommendations: ['github.com/stretchr/testify', 'github.com/google/go-cmp/cmp'] }
-  forbidigo:
-    forbid:
-      - '^os\.(DirEntry|FileInfo|FileMode|PathError)$' # deprecated in Go 1.16, import them from 'io/fs' instead
-      - '\.Readdir$' # deprecated in Go 1.16, use ReadDir instead
-    exclude_godoc_examples: false
 
   gocyclo:
     min-complexity: 35
@@ -71,7 +66,6 @@ linters-settings:
 
   nolintlint:
     allow-unused: true # Needed because there's some linters disabled for 1.18
-    allow-leading-space: false
     require-explanation: true
     require-specific: true
     allow-no-explanation:

build-aux/docker/images/Dockerfile.client

@@ -33,7 +33,7 @@ ARG TARGETARCH
 RUN \
     --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
-    GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /usr/local/bin/ --buildmode pie -trimpath -tags docker -ldflags=-X=$(go list ./pkg/version).Version=$(cat version.txt) ./cmd/telepresence/...
+    GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /usr/local/bin/ -trimpath -tags docker -ldflags=-X=$(go list ./pkg/version).Version=$(cat version.txt) ./cmd/telepresence/...
 
 # setcap is necessary because the process will listen to privileged ports
 RUN setcap 'cap_net_bind_service+ep' /usr/local/bin/telepresence

build-aux/docker/images/Dockerfile.traffic

@@ -32,7 +32,7 @@ ARG TARGETARCH
 RUN \
     --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
-    GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /usr/local/bin/ --buildmode pie -trimpath -ldflags=-X=$(go list ./pkg/version).Version=$(cat version.txt) ./cmd/traffic/...
+    GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /usr/local/bin/ -trimpath -ldflags=-X=$(go list ./pkg/version).Version=$(cat version.txt) ./cmd/traffic/...
 
 # setcap is necessary because the process will listen to privileged ports
 RUN setcap 'cap_net_bind_service+ep' /usr/local/bin/traffic

build-aux/genversion/main.go

@@ -129,6 +129,8 @@ func Main() error {
 		gitDescVer.Patch++
 	}
 
+	out := os.Stdout
+
 	// If an additional arg has been used, we include it in the tag
 	if len(os.Args) >= 2 {
 		// gitDescVer.Pre[0] contains the number of commits since the last tag and the
@@ -140,7 +142,7 @@ func Main() error {
 		if err != nil {
 			return fmt.Errorf("unable to git rev-parse: %w", err)
 		}
-		if _, err := fmt.Printf("v%d.%d.%d-%s-%s\n", gitDescVer.Major, gitDescVer.Minor, gitDescVer.Patch, os.Args[1], shortHash); err != nil {
+		if _, err = fmt.Fprintf(out, "v%d.%d.%d-%s-%s\n", gitDescVer.Major, gitDescVer.Minor, gitDescVer.Patch, os.Args[1], shortHash); err != nil {
 			return fmt.Errorf("unable to printf: %w", err)
 		}
 		return nil
@@ -163,9 +165,9 @@ func Main() error {
 		b64 := base64.RawURLEncoding.EncodeToString(md5Out)
 		b64 = strings.ReplaceAll(b64, "_", "Z")
 		b64 = strings.ReplaceAll(b64, "-", "z")
-		_, err = fmt.Printf("v%s-%s\n", gitDescVer, b64)
+		_, err = fmt.Fprintf(out, "v%s-%s\n", gitDescVer, b64)
 	} else {
-		_, err = fmt.Printf("v%s\n", gitDescVer)
+		_, err = fmt.Fprintf(out, "v%s\n", gitDescVer)
 	}
 	return err
 }

build-aux/main.mk

@@ -31,6 +31,8 @@ bindir ?= $(or $(shell go env GOBIN),$(shell go env GOPATH|cut -d: -f1)/bin)
 # https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md.
 export DOCKER_BUILDKIT := 1
 
+GOLANGCI_VERSION:=v1.64.5
+
 .PHONY: FORCE
 FORCE:
 
@@ -393,8 +395,6 @@ shellscripts += ./packaging/windows-package.sh
 
 lint: lint-rpc lint-go
 
-GOLANGCI_VERSION:=v1.63.4
-
 lint-go: lint-deps ## (QA) Run the golangci-lint
 	$(eval badimports = $(shell find cmd integration_test pkg -name '*.go' | grep -v '/mocks/' | xargs $(tools/gosimports) --local github.com/datawire/,github.com/telepresenceio/ -l))
 	$(if $(strip $(badimports)), echo "The following files have bad import ordering (use make format to fix): " $(badimports) && false)

cmd/traffic/cmd/manager/service.go

@@ -324,6 +324,7 @@ func (s *service) WatchAgentPods(session *rpc.SessionInfo, stream rpc.Manager_Wa
 				}
 				ap := &rpc.AgentPodInfo{
 					WorkloadName: a.Name,
+					PodId:        a.PodUid,
 					PodName:      a.PodName,
 					Namespace:    a.Namespace,
 					PodIp:        aip.AsSlice(),
@@ -687,9 +688,9 @@ func (s *service) ReviewIntercept(ctx context.Context, rIReq *rpc.ReviewIntercep
 			return
 		}
 
-		// Only update intercepts in the waiting state.  Agents race to review an intercept, but we
-		// expect they will always compatible answers.
-		if intercept.Disposition == rpc.InterceptDispositionType_WAITING {
+		// Only update intercepts in the waiting or no agent states.  Agents race to review an intercept, but we
+		// expect they will always produce compatible answers.
+		if intercept.Disposition == rpc.InterceptDispositionType_NO_AGENT || intercept.Disposition == rpc.InterceptDispositionType_WAITING {
 			intercept.Disposition = rIReq.Disposition
 			intercept.Message = rIReq.Message
 			intercept.PodIp = rIReq.PodIp

cmd/traffic/cmd/manager/state/assert_test.go

@@ -59,7 +59,6 @@ func includeElement(list any, element proto.Message) (ok, found bool) {
 	listKind := reflect.TypeOf(list).Kind()
 	defer func() {
 		if e := recover(); e != nil {
-			fmt.Println("ERR", e)
 			ok = false
 			found = false
 		}

cmd/traffic/cmd/manager/state/state.go

@@ -342,14 +342,16 @@ func (s *state) consolidateAgentSessionIntercepts(ctx context.Context, agent *Ag
 
 		if errCode, errMsg := s.checkAgentsForIntercept(intercept); errCode != rpc.InterceptDispositionType_UNSPECIFIED {
 			// No agents matching this intercept are available, so the intercept is now dormant or in error.
-			dlog.Debugf(ctx, "Intercept %q no longer has available agents. Setting it disposition to %s", interceptID, errCode)
+			dlog.Debugf(ctx, "Intercept %q no longer has available agents. Setting its disposition to %s", interceptID, errCode)
 			s.UpdateIntercept(interceptID, func(intercept *Intercept) {
+				intercept.PodIp = ""
+				intercept.PodName = ""
 				intercept.Disposition = errCode
 				intercept.Message = errMsg
 			})
 		} else if agent.PodIp == intercept.PodIp {
 			// The agent is about to die, but apparently more agents are present. Let some other agent pick it up then.
-			dlog.Debugf(ctx, "Intercept %q lost its agent pod %s(%s). Setting it disposition to WAITING", interceptID, agent.PodName, agent.PodIp)
+			dlog.Debugf(ctx, "Intercept %q lost its agent pod %s(%s). Setting its disposition to WAITING", interceptID, agent.PodName, agent.PodIp)
 			s.UpdateIntercept(interceptID, func(intercept *Intercept) {
 				intercept.PodIp = ""
 				intercept.PodName = ""

cmd/traffic/main.go

@@ -43,7 +43,7 @@ func main() {
 			os.Exit(1)
 		}
 	} else {
-		fmt.Println("traffic: unknown command:", name)
+		_, _ = fmt.Fprintln(os.Stderr, "traffic: unknown command:", name)
 		os.Exit(127)
 	}
 }

integration_test/docker_run_test.go

@@ -170,8 +170,6 @@ func (s *dockerDaemonSuite) Test_DockerRun_DockerDaemon() {
 		}
 		if err != nil {
 			dlog.Error(ctx, err.Error())
-		} else {
-			s.CapturePodLogs(ctx, svc, "traffic-agent", s.AppNamespace())
 		}
 	}
 
@@ -213,6 +211,7 @@ func (s *dockerDaemonSuite) Test_DockerRun_DockerDaemon() {
 		soft, softCancel := context.WithCancel(dcontext.WithSoftness(ctx))
 		wch := make(chan struct{})
 		go runDockerRun(soft, wch)
+		s.CapturePodLogs(ctx, svc, "traffic-agent", s.AppNamespace())
 		assertInterceptResponse(ctx)
 		softCancel()
 		assertNotIntercepted(ctx)
@@ -223,6 +222,7 @@ func (s *dockerDaemonSuite) Test_DockerRun_DockerDaemon() {
 		ctx := s.Context()
 		wch := make(chan struct{})
 		go runDockerRun(ctx, wch)
+		s.CapturePodLogs(ctx, svc, "traffic-agent", s.AppNamespace())
 		assertInterceptResponse(ctx)
 		itest.TelepresenceOk(ctx, "leave", svc)
 		select {
@@ -238,6 +238,7 @@ func (s *dockerDaemonSuite) Test_DockerRun_DockerDaemon() {
 		ctx := s.Context()
 		wch := make(chan struct{})
 		go runDockerRun(ctx, wch)
+		s.CapturePodLogs(ctx, svc, "traffic-agent", s.AppNamespace())
 		assertInterceptResponse(ctx)
 		itest.TelepresenceDisconnectOk(ctx)
 		select {

integration_test/gather_logs_test.go

@@ -10,6 +10,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/datawire/dlib/dlog"
 	"github.com/telepresenceio/telepresence/v2/integration_test/itest"
 	"github.com/telepresenceio/telepresence/v2/pkg/labels"
 )
@@ -95,14 +96,6 @@ func (s *multipleInterceptsSuite) TestGatherLogs_NoK8sLogs() {
 
 func (s *connectedSuite) TestGatherLogs_OnlyMappedLogs() {
 	const svc = "echo"
-	require := s.Require()
-	defer func() {
-		ctx := s.Context()
-		itest.TelepresenceDisconnectOk(ctx)
-		stdout := s.TelepresenceConnect(ctx)
-		require.Contains(stdout, "Connected to context")
-	}()
-
 	ctx := s.Context()
 	itest.TelepresenceDisconnectOk(ctx)
 
@@ -118,7 +111,15 @@ func (s *connectedSuite) TestGatherLogs_OnlyMappedLogs() {
 		Namespace: s.ManagerNamespace(),
 		Selector:  labels.SelectorFromNames(otherOne, otherTwo),
 	}), true)
-	defer s.RollbackTM(ctx)
+
+	require := s.Require()
+	defer func() {
+		so, se, err := itest.Telepresence(ctx, "quit")
+		dlog.Debug(ctx, so, se, err)
+		s.RollbackTM(ctx)
+		stdout := s.TelepresenceConnect(ctx)
+		require.Contains(stdout, "Connected to context")
+	}()
 
 	itest.TelepresenceDisconnectOk(ctx)
 	itest.ApplyEchoService(ctx, svc, otherOne, 8083)

pkg/client/agentpf/clients.go

@@ -15,6 +15,7 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+	"k8s.io/apimachinery/pkg/types"
 
 	"github.com/datawire/dlib/dlog"
 	"github.com/datawire/dlib/dtime"
@@ -48,7 +49,7 @@ func (ac *client) String() string {
 		return "<nil>"
 	}
 	ai := ac.info
-	return fmt.Sprintf("%s.%s:%d", ai.PodName, ai.Namespace, ai.ApiPort)
+	return fmt.Sprintf("%s(%s), port %d, dormant %t", ai.PodName, net.IP(ai.PodIp), ai.ApiPort, ac.dormant())
 }
 
 func (ac *client) ensureConnect(ctx context.Context) (err error) {
@@ -78,8 +79,10 @@ func (ac *client) Tunnel(ctx context.Context, opts ...grpc.CallOption) (tunnel.C
 		// Client was closed.
 		return nil, io.EOF
 	}
+	dlog.Tracef(ctx, "%s(%s) creating Tunnel over gRPC", ac, net.IP(ac.info.PodIp))
 	tc, err := cli.Tunnel(ctx, opts...)
 	if err != nil {
+		dlog.Tracef(ctx, "%s(%s) failed to create Tunnel over gRPC: %v", ac, net.IP(ac.info.PodIp), err)
 		return nil, err
 	}
 	atomic.AddInt32(&ac.tunnelCount, 1)
@@ -107,7 +110,8 @@ func (ac *client) connect(ctx context.Context, deleteMe func()) {
 	var conn *grpc.ClientConn
 	var cli agent.AgentClient
 
-	conn, cli, _, err = k8sclient.ConnectToAgent(dialCtx, ac.info.PodName, ac.info.Namespace, uint16(ac.info.ApiPort))
+	ai := ac.info
+	conn, cli, _, err = k8sclient.ConnectToAgent(dialCtx, ai.PodName, ai.Namespace, uint16(ac.info.ApiPort), types.UID(ai.PodId))
 	if err != nil {
 		return
 	}
@@ -117,18 +121,16 @@ func (ac *client) connect(ctx context.Context, deleteMe func()) {
 	ac.cancelClient = func() {
 		// Need to run this in a separate thread to avoid deadlock.
 		go func() {
-			ac.Lock()
+			// Need to invalidate the pod connection cache here, because StatefulSets reuse the same pod name.
 			conn.Close()
+			ac.Lock()
 			ac.cancelClient = nil
 			ac.cli = nil
 			ac.infant.Store(true)
-			for len(ac.ready) > 0 {
-				<-ac.ready
-			}
 			ac.Unlock()
 		}()
 	}
-	intercepted := ac.info.Intercepted
+	intercepted := ai.Intercepted
 	ac.Unlock()
 	if intercepted {
 		err = ac.startDialWatcherReady(ctx)
@@ -169,26 +171,29 @@ func (ac *client) cancel() bool {
 	return didCancel
 }
 
-func (ac *client) setIntercepted(ctx context.Context, k string, status bool) {
-	ac.RLock()
-	aci := ac.info.Intercepted
+func (ac *client) refresh(ctx context.Context, ai *manager.AgentPodInfo) {
+	ac.Lock()
+	oldStatus := ac.info.Intercepted
+	ac.info = ai
 	cdw := ac.cancelDialWatch
-	ac.RUnlock()
-	if status {
-		if aci {
-			return
-		}
-		dlog.Debugf(ctx, "Agent %s changed to intercepted", k)
+	ac.Unlock()
+	if ai.Intercepted == oldStatus {
+		return
+	}
+	if ai.Intercepted {
+		dlog.Debugf(ctx, "Agent %s(%s) changed to intercepted", ai.PodName, net.IP(ai.PodIp))
 		go func() {
 			if err := ac.startDialWatcher(ctx); err != nil {
-				dlog.Errorf(ctx, "failed to start client watcher for %s: %v", k, err)
+				dlog.Errorf(ctx, "failed to start client watcher for %s(%s): %v", ai.PodName, net.IP(ai.PodIp), err)
 			}
 		}()
 		// This agent is now intercepting. Start a dial watcher.
-	} else if aci && cdw != nil {
+	} else {
 		// This agent is no longer intercepting. Stop the dial watcher
-		dlog.Debugf(ctx, "Agent %s changed to not intercepted", k)
-		cdw()
+		dlog.Debugf(ctx, "Agent %s(%s) changed to not intercepted", ai.PodName, net.IP(ai.PodIp))
+		if cdw != nil {
+			cdw()
+		}
 	}
 }
 
@@ -203,7 +208,11 @@ func (ac *client) startDialWatcher(ctx context.Context) error {
 func (ac *client) startDialWatcherReady(ctx context.Context) error {
 	ac.RLock()
 	cli := ac.cli
+	running := ac.cancelDialWatch != nil
 	ac.RUnlock()
+	if running {
+		return nil
+	}
 	if cli == nil {
 		return fmt.Errorf("agent connection closed")
 	}
@@ -218,7 +227,6 @@ func (ac *client) startDialWatcherReady(ctx context.Context) error {
 	}
 
 	ac.Lock()
-	ac.info.Intercepted = true
 	ac.cancelDialWatch = func() {
 		ac.Lock()
 		ac.info.Intercepted = false
@@ -549,7 +557,7 @@ func (s *clients) updateClients(ctx context.Context, ais []*manager.AgentPodInfo
 	// Refresh current clients
 	for k, ai := range aim {
 		if ac, ok := s.clients.Load(k); ok {
-			ac.setIntercepted(ctx, k, ai.Intercepted)
+			ac.refresh(ctx, ai)
 		}
 	}
 

pkg/client/config.go

@@ -354,6 +354,8 @@ type Timeouts struct {
 	// PrivateTrafficManagerConnect is how long to wait for the initial port-forwards to the traffic-manager
 	PrivateTrafficManagerConnect time.Duration `json:"trafficManagerConnect"`
 	// PrivateFtpReadWrite read/write timeout used by the fuseftp client.
+	PrivateTrafficAgentArrival time.Duration `json:"trafficAgentArrival"`
+	// PrivateFtpReadWrite read/write timeout used by the fuseftp client.
 	PrivateFtpReadWrite time.Duration `json:"ftpReadWrite"`
 	// PrivateFtpShutdown max time to wait for the fuseftp client to complete pending operations before forcing termination.
 	PrivateFtpShutdown time.Duration `json:"ftpShutdown"`
@@ -373,6 +375,7 @@ const (
 	TimeoutRoundtripLatency
 	TimeoutTrafficManagerAPI
 	TimeoutTrafficManagerConnect
+	TimeoutTrafficAgentArrival
 	TimeoutFtpReadWrite
 	TimeoutFtpShutdown
 	TimeoutContainerShutdown
@@ -418,6 +421,8 @@ func (t *Timeouts) Get(timeoutID TimeoutID) time.Duration {
 		timeoutVal = t.PrivateTrafficManagerAPI
 	case TimeoutTrafficManagerConnect:
 		timeoutVal = t.PrivateTrafficManagerConnect
+	case TimeoutTrafficAgentArrival:
+		timeoutVal = t.PrivateTrafficAgentArrival
 	case TimeoutFtpReadWrite:
 		timeoutVal = t.PrivateFtpReadWrite
 	case TimeoutFtpShutdown:
@@ -478,6 +483,9 @@ func (e timeoutError) Error() string {
 	case TimeoutTrafficManagerConnect:
 		yamlName = "trafficManagerConnect"
 		humanName = "port-forward connection to the traffic manager"
+	case TimeoutTrafficAgentArrival:
+		yamlName = "trafficAgentArrival"
+		humanName = "waiting for traffic agent arrival"
 	case TimeoutFtpReadWrite:
 		yamlName = "ftpReadWrite"
 		humanName = "FTP client read/write"
@@ -515,6 +523,7 @@ const (
 	defaultTimeoutsRoundtripLatency      = 2 * time.Second
 	defaultTimeoutsTrafficManagerAPI     = 15 * time.Second
 	defaultTimeoutsTrafficManagerConnect = 60 * time.Second
+	defaultTimeoutsTrafficAgentArrival   = 60 * time.Second
 	defaultTimeoutsFtpReadWrite          = 1 * time.Minute
 	defaultTimeoutsFtpShutdown           = 2 * time.Minute
 	defaultTimeoutsContainerShutdown     = 0
@@ -531,6 +540,7 @@ var defaultTimeouts = Timeouts{ //nolint:gochecknoglobals // constant
 	PrivateRoundtripLatency:      defaultTimeoutsRoundtripLatency,
 	PrivateTrafficManagerAPI:     defaultTimeoutsTrafficManagerAPI,
 	PrivateTrafficManagerConnect: defaultTimeoutsTrafficManagerConnect,
+	PrivateTrafficAgentArrival:   defaultTimeoutsTrafficAgentArrival,
 	PrivateFtpReadWrite:          defaultTimeoutsFtpReadWrite,
 	PrivateFtpShutdown:           defaultTimeoutsFtpShutdown,
 	PrivateContainerShutdown:     defaultTimeoutsContainerShutdown,