Need to move pod network setup out of process

[danwinship]

Apparently, it is impossible to reliably work with network namespaces in a long-running golang process because the goroutine scheduler's shenanigans are incompatible with APIs that set current-thread state; calling ns.Set() or ns.Do() may cause other goroutines to change their current namespace as well. (eg, containernetworking/cni#262, https://www.weave.works/blog/linux-namespaces-and-go-don-t-mix)

I don't know of any bugs we've seen that would be explained by our getting this wrong, but it seems likely that there must be some, and if not there eventually will be.

So we need to move at least half of pod_linux.go over to sdn-cni-plugin... Basically, we probably don't want to import any of the CNI packages into the openshift binary. The OVS-manipulating parts of pod_linux.go would probably stay in the openshift binary.

[dcbw]

@danwinship summary of our discussion on IRC...

Using netns stuff in the same process is OK as long as all the code is properly using Do() or WithNetNSPath(). All the pod* stuff does that, but the concern is other code in Kubernetes/OpenShift that always expects to be run in the host's netns. If an OS thread is created by the Go runtime while some goroutine is in a container's netns, that OS thread will be created in the container's netns even though it is completely unrelated to netns-manipulating code. Later, any code that runs in that new OS thread will not be running in the netns it probably expects.

Any code that does something network related should be setting the netns before running that code. Obviously that's somewhat hard as we don't/can't control all the code, nor vendor code.

So yes, to completely ensure that this won't be a problem, the netns-using code should get moved. That will be somewhat complicated though, and given we haven't run into this issue much (if at all?) in OpenShift yet, perhaps this could be an RFE for now.

[danwinship]

@dcbw it looks like this does happen sometimes: #14385 (comment)

[danwinship]

Ugh. It looks like this happens a lot.

In the last few weeks of post-commit extended networking tests:

• https://openshift-gce-devel.appspot.com/build/origin-ci-test/logs/test_branch_origin_extended_networking/1418/ failed for unclear reasons, but the logs show that at roughly the same time as the test was failing, NodeIPTables.syncIPTableRules() failed because after ensuring that the OPENSHIFT-MASQUERADE chain existed, it was unable to ensure that a rule pointed from POSTROUTING to OPENSHIFT-MASQUERADE, because the OPENSHIFT-MASQUERADE chain didn't exist (despite having just been verified to exist).
• https://openshift-gce-devel.appspot.com/build/origin-ci-test/logs/test_branch_origin_extended_networking/1449/ failed because partway through the test run, while running Kubelet.syncNodeStatus(), nettest-node-2 determined that its primary IP address was 10.130.0.2 (ie, the address of one of its pods) and updated its Node record to reflect that, causing miscellaneous later lossage (in particular, "oc exec" failing because the master no longer knows how to contact the node).

In the last one week of extended_networking_minimal tests running against PRs:

• https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/18193/test_pull_request_origin_extended_networking_minimal/13079/, https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/17547/test_pull_request_origin_extended_networking_minimal/13107/, and https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/17547/test_pull_request_origin_extended_networking_minimal/13135/ all failed because of the "node updated its Node record to contain the IP of a pod rather than the node itself and then 'oc exec' fails" bug.
• https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/18162/test_pull_request_origin_extended_networking_minimal/13138/ and https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/18246/test_pull_request_origin_extended_networking_minimal/13280/ failed for unclear reasons and had "impossible" iptables resync errors in the logs around the same time
• https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/17893/test_pull_request_origin_extended_networking_minimal/13150/ failed for unclear reasons and had a "NetworkPlugin cni failed to set up pod ... could not open network device vethc58fdf7f (No such device)" error shortly before.