Fix Blackhole implementation for e2e tests #17938
Conversation
|
Hi @henrybear327. Thanks for your PR. I'm waiting for a etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
henrybear327
force-pushed
the
fix/e2e_blackhole_proxy_review_forward_proxy_review
branch
from
9887b13
to
3e15f96
Compare
henrybear327
force-pushed
the
fix/e2e_blackhole_proxy_review_forward_proxy_review
branch
6 times, most recently
from
e94e96d
to
48d1936
Compare
|
/retitle Fix Blackhole implementation for e2e tests |
k8s-ci-robot
changed the title
henrybear327
force-pushed
the
fix/e2e_blackhole_proxy_review_forward_proxy_review
branch
from
48d1936
to
6158507
Compare
|
Not a networking expert, would like to get some help. cc @aojea |
henrybear327
force-pushed
the
fix/e2e_blackhole_proxy_review_forward_proxy_review
branch
3 times, most recently
from
763b0d3
to
465b00c
Compare
Thanks to Fu Wei for the input regarding etcd-io#17938. [Problem] A peer will (a) receive traffic from its peers (b) initiate connections to its peers (via stream and pipeline). Thus, the current mechanism of only blocking peer traffic via the peer's existing proxy is insufficient, since only scenario (a) is handled, and scenario (b) is not blocked at all. [Main idea] We introduce 1 shared "HTTP proxy" for all peers. All peers will be proxying all the connections through it. The modified architecture will look something like this: ``` A -- shared HTTP proxy ----- B ^ newly introduced ``` By adding this HTTP proxy, we can block all in and out traffic that is initiated from a peer to others, without having to resort to external tools, such as iptables. It's verified that the blocking of traffic is complete, compared to previous solutions [2][3]. [Implementation] The main subtasks are - set up an environment variable `FORWARD_PROXY`, because go will not parse HTTP_PROXY and HTTPS_PROXY that is using localhost or 127.0.0.1, regardless if the port is present or not - implement the shared HTTP proxy by extending the existing proxy server code - remove existing proxy setup (the per-peer proxy) - implement enable/disable of the HTTP proxy in the e2e test [Testing] - `make gofail-enable && make build && make gofail-disable && \ go test -timeout 60s -run ^TestBlackholeByMockingPartitionLeader$ go.etcd.io/etcd/tests/v3/e2e -v -count=1` - `make gofail-enable && make build && make gofail-disable && \ go test -timeout 60s -run ^TestBlackholeByMockingPartitionFollower$ go.etcd.io/etcd/tests/v3/e2e -v -count=1` [References] [1] Tracking issue etcd-io#17737 [2] PR (V1) https://github.com/henrybear327/etcd/tree/fix/e2e_blackhole [3] PR (V2) etcd-io#17891 [4] PR (V3) etcd-io#17938 Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
Thanks to Fu Wei for the input regarding etcd-io#17938. [Problem] A peer will (a) receive traffic from its peers (b) initiate connections to its peers (via stream and pipeline). Thus, the current mechanism of only blocking peer traffic via the peer's existing proxy is insufficient, since only scenario (a) is handled, and scenario (b) is not blocked at all. [Main idea] We introduce 1 shared HTTP proxy for all peers. All peers will be proxying all the connections through it. The modified architecture will look something like this: ``` A -- shared HTTP proxy ----- B ^ newly introduced ``` By adding this HTTP proxy, we can block all in and out traffic that is initiated from a peer to others, without having to resort to external tools, such as iptables. It's verified that the blocking of traffic is complete, compared to previous solutions [2][3]. [Implementation] The main subtasks are - set up an environment variable `FORWARD_PROXY`, because go will not parse HTTP_PROXY and HTTPS_PROXY that is using localhost or 127.0.0.1, regardless if the port is present or not - implement the shared HTTP proxy by extending the existing proxy server code (we need to be able to identify the source sender) - remove existing proxy setup (the per-peer proxy) - implement enable/disable of the HTTP proxy in the e2e test [Testing] - `make gofail-enable && make build && make gofail-disable && \ go test -timeout 60s -run ^TestBlackholeByMockingPartitionLeader$ go.etcd.io/etcd/tests/v3/e2e -v -count=1` - `make gofail-enable && make build && make gofail-disable && \ go test -timeout 60s -run ^TestBlackholeByMockingPartitionFollower$ go.etcd.io/etcd/tests/v3/e2e -v -count=1` [References] [1] Tracking issue etcd-io#17737 [2] PR (V1) https://github.com/henrybear327/etcd/tree/fix/e2e_blackhole [3] PR (V2) etcd-io#17891 [4] PR (V3) etcd-io#17938 Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
|
Talked with @aojea, proposed L7 forward proxy is an improvement over the previous faulty approach, however it might not be necessarily what we want. We want to simulate a realistic network disruptions, and there is no way to do that using a L7 proxy. This is currently impossible with current setup where etcd processes communicate via localhost, to modify packets we need them to go through kernel network stack, and that's not possible if they share the same network stack. Unfortunately setting dedicated network stack this is pretty complicated, @aojea suggest using docker which sets it up for each container, however I'm worried about how much using docker will complicate etcd e2e testing. I would prefer to set up network ourselves, however this makes it less portable. Main benefit of using docker is portability across platforms. As we won't be able to build such solution anytime soon, I'm ok with still using L7 http proxy in the meantime. |
client/pkg/transport/transport.go
Outdated
| // then a nil URL and nil error will be returned. | ||
| // Thus, we need to workaround this by manually setting an | ||
| // ENV named FORWARD_PROXY and parse the URL (which is a localhost in our case) | ||
| if httpProxy, exists := os.LookupEnv("FORWARD_PROXY"); exists { |
There was a problem hiding this comment.
Don't know if we want to support a new environment variable FORWARD_PROXY for proxying.
I know that http.ProxyFromEnvironment(req) will ignore HTTP_PROXY when it URL targets localhost, but what about just changing the LookupEnv to check for HTTP_PROXY and return early?
cc @ahrtr
There was a problem hiding this comment.
The reason I did it this way is that I don't want to interfere with the default Golang behavior, since this code change will be reflected in the normally built binaries and I am not sure if this will break some other parts of the system or existing user assumption/usage. (my main concern is that HTTP_PROXY or HTTPS_PROXY parsing behavior will change if we use LookupEnv to intercept the HTTP_PROXY or HTTPS_PROXY and if it's set with localhost or 127.0.0.1)
I am too new to judge so I need @ahrtr 's help to confirm this!
There was a problem hiding this comment.
I suggest that we do not change this very basic common function. Instead, we can extend its functionality on top of it in test only using the Decorator pattern.
Specifically, you can add a similar function NewTransport in test framework, it calls this function, but it also lookup the environment variable "HTTP_PROXY" or "HTTPS_PROXY", and set the proxy no matter it's localhost or not.
There was a problem hiding this comment.
The other option is to enhance the test framework to enable contributors to use a non localhost IP, so that you can use environment variable "HTTP_PROXY" or "HTTPS_PROXY" to set a proxy directly, and no need to change this common function NewTransport, similar to what #17661 does.
There was a problem hiding this comment.
I will look into those 2 approaches :) Thank you @ahrtr
There was a problem hiding this comment.
Clarify on my previous comment #17938 (comment),
We can enable users to inject a customized NewTransport, similar to
Lines 29 to 30 in e1244f1
There was a problem hiding this comment.
Thanks @ahrtr for the code snippets!
After looking into the suggestions, I think it's hard to obtain a non-localhost IP and use it as a proxy during e2e testing, so I went on to look into injecting a customized NewTransport.
My understanding is that the e2e test is not like a unit test where we can change the function pointers during the execution of the unit test dynamically (like #17938 (comment)) because they are in the same module. Instead, the client code is compiled before the e2e test is run. Therefore, some sort of communication channel is required for the e2e test to indicate its need to change the code path during testing (not as easy as swapping lookupSRV), so I use the ENV E2E_TEST_FORWARD_PROXY_IP as a way to pass in the proxy address.
My current attempt is c93e3fc. The idea is kind of borrowed from #17938 (comment), where the HTTP proxy parsing function in use will be determined during the first Transport initialization. I currently can't come up with a cleaner way without having to use a custom ENV though... :( I am not using HTTP_PROXY or HTTPS_PROXY as we would like to not affect the default behavior of http.ProxyFromEnvironment (not parse localhost addresses), and only use a custom NewTransport during e2e testing only when E2E_TEST_FORWARD_PROXY_IP is set.
Not sure if this makes sense to you! Happy to know if there is a better way of implementing this. :)
Yes @serathius, @fuweid and I came up with a working fix a while ago already! Please take a look at #17938 (comment) and let us know what your thoughts are :) The PR can be prepared and ready for review within a day of work if the direction is set! Thank you! |
|
I still don't know what the status is. Please understand how open source review works. Maintainers review tens of PRs and issues daily, sometimes some comment notifications get lost sometimes we don't have time to deep dive on the whole discussion thread. For me PR is stuck in draft and I didn't see a reason to review it until:
If you need any answers from maintainers please post them like: |
henrybear327
force-pushed
the
fix/e2e_blackhole_proxy_review_forward_proxy_review
branch
from
9cb5536
to
78559a3
Compare
- Remove To and From fields, as this is only used in reverse proxy - Add Listen field, to indicate which URL that the forward is listening for requests - Update the tests as required TODO - Not sure why DelayTx() isn't working anymore Reference: - etcd-io#17938 (comment)
- Remove To and From fields, as this is only used in reverse proxy - Add Listen field, to indicate which URL that the forward is listening for requests - Update the tests as required TODO - Figure out why DelayTx() isn't working anymore Reference: - etcd-io#17938 (comment)
henrybear327
force-pushed
the
fix/e2e_blackhole_proxy_review_forward_proxy_review
branch
from
78559a3
to
45b55ab
Compare
Signed-off-by: Siyuan Zhang <sizhang@google.com>
Shorten the wait time for the open connection to expire to 5s Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
Based on Fu Wei's idea discussed in the [issue](etcd-io#17737), we employ the blocking on L7 but without using external tools. [Background] A peer will (a) receive traffic from its peers (b) initiate connections to its peers (via stream and pipeline). Thus, the current mechanism of only blocking peer traffic via the peer's existing proxy is insufficient, since only scenario (a) is handled, and scenario (b) is not blocked at all. [Proposed solution] We introduce an forward proxy for each peer, which will be proxying all the connections initiated from a peer to its peers. The modified architecture will look something like this: ``` A -- A's forward proxy ----- B's reverse proxy - B ^ newly introduced ^ in the original codebase (renamed) ``` By adding this forward proxy, we can block all in and out traffic that is initiated from a peer to others, without having to resort to external tools, such as iptables. [Testing] - `make gofail-enable && make build && make gofail-disable && \ go test -timeout 60s -run ^TestBlackholeByMockingPartitionLeader$ go.etcd.io/etcd/tests/v3/e2e -v -count=1` - `make gofail-enable && make build && make gofail-disable && \ go test -timeout 60s -run ^TestBlackholeByMockingPartitionFollower$ go.etcd.io/etcd/tests/v3/e2e -v -count=1` [Issues] - I run into `context deadline exceeded` sometimes ``` etcd_mix_versions_test.go:175: Error Trace: /Users/henrybear327/go/src/etcd/tests/e2e/etcd_mix_versions_test.go:175 /Users/henrybear327/go/src/etcd/tests/e2e/blackhole_test.go:75 /Users/henrybear327/go/src/etcd/tests/e2e/blackhole_test.go:31 Error: Received unexpected error: [/Users/henrybear327/go/src/etcd/bin/etcdctl --endpoints=http://localhost:20006 put key-0 value-0] match not found. Set EXPECT_DEBUG for more info Errs: [unexpected exit code [1] after running [/Users/henrybear327/go/src/etcd/bin/etcdctl --endpoints=http://localhost:20006 put key-0 value-0]], last lines: {"level":"warn","ts":"2024-05-05T23:02:36.809726+0800","logger":"etcd-client","caller":"v3@v3.6.0-alpha.0/retry_interceptor.go:65","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0x140001ee960/localhost:20006","method":"/etcdserverpb.KV/Put","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = context deadline exceeded"} Error: context deadline exceeded (expected "OK", got []). Try EXPECT_DEBUG=TRUE Test: TestBlackholeByMockingPartitionLeader Messages: failed to put "key-0", error: [/Users/henrybear327/go/src/etcd/bin/etcdctl --endpoints=http://localhost:20006 put key-0 value-0] match not found. Set EXPECT_DEBUG for more info Errs: [unexpected exit code [1] after running [/Users/henrybear327/go/src/etcd/bin/etcdctl --endpoints=http://localhost:20006 put key-0 value-0]], last lines: {"level":"warn","ts":"2024-05-05T23:02:36.809726+0800","logger":"etcd-client","caller":"v3@v3.6.0-alpha.0/retry_interceptor.go:65","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0x140001ee960/localhost:20006","method":"/etcdserverpb.KV/Put","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = context deadline exceeded"} Error: context deadline exceeded (expected "OK", got []). Try EXPECT_DEBUG=TRUE ``` [References] [1] issue etcd-io#17737 [2] PR (V1) https://github.com/henrybear327/etcd/tree/fix/e2e_blackhole [3] PR (V2) etcd-io#17891 Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com> It's verified that the blocking of traffic is complete, compared to previous solutions [2][3]. [Implementation] The main subtasks are - set up an environment variable `E2E_TEST_FORWARD_PROXY_IP` - implement forward proxy by extending the existing proxy server code - implement enable/disable of the forward proxy in the e2e test The result is that for every peer, we will have the arch like this ``` A -- A's forward proxy (connections initiated from A will be forwarded from this proxy) | ^ covers case (b) | --- A's (currently existing) reverse proxy (advertised to other peers where the connection should come in from) ^ covers case (a) ```
Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com> Co-authored-by: Iván Valdés Castillo <iv@nvald.es>
There is no need of reverse proxy after the introduction of forward proxy, as the forward proxy holds the information of the destination, we can filter connection traffic from there, and this can reduce 1 hop when the proxy is turned on. Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
Due to forward proxy's need to parse the CONNECT header, which is a L7 layer feature, thus we are splitting the proxy into 2 types, for better maintainability. Reference: - etcd-io#17985 (comment) Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
- Remove To and From fields, as this is only used in reverse proxy - Add Listen field, to indicate which URL that the forward is listening for requests - Update the tests as required TODO - Figure out why DelayTx() isn't working anymore Reference: - etcd-io#17938 (comment)
henrybear327
force-pushed
the
fix/e2e_blackhole_proxy_review_forward_proxy_review
branch
from
45b55ab
to
407b59f
Compare
…witch to L7 proxy design If the first request is not a CONNECT, we will need to receive perfectly parsable HTTP packets, not just random byte streams, as Serve() will leverage ReadRequest() under the hood. Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
We are using Serve(), which will be hugging the listener on our behave, so we can't randomly terminate the listener anymore Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
- Remove To and From fields, as this is only used in reverse proxy - Add Listen field, to indicate which URL that the forward is listening for requests - Update the tests as required TODO - Figure out why DelayTx() isn't working anymore Reference: - etcd-io#17938 (comment) Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
…ttp/https/and socks5) - It's L7 so we need to send perfectly crafted http request - Bug fix: Doing var httpTransportProxyParsingFunc = determineHTTPTransportProxyParsingFunc() will initialize the function once only (env var read on program init) Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
… sent first (containing the intended destination HOST). If the traffic to the destination is HTTP, no CONNECT request will be sent first, but normal HTTP request, with the HOST set to the final destination, will be sent. Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
henrybear327
force-pushed
the
fix/e2e_blackhole_proxy_review_forward_proxy_review
branch
from
407b59f
to
a673a34
Compare
|
/ok-to-test |
|
@henrybear327: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Not fully fixed yet Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
henrybear327
force-pushed
the
fix/e2e_blackhole_proxy_review_forward_proxy_review
branch
from
a673a34
to
7357f81
Compare
Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.
Based on Fu Wei's idea discussed in the issue, we employ the blocking on L7 but without using external tools.
Problem
A peer will
(a) receive traffic from its peers
(b) initiate connections to its peers (via stream and pipeline).
Thus, the current mechanism of only blocking peer traffic via the peer's existing proxy is insufficient, since only scenario (a) is handled, and scenario (b) is not blocked at all.
Solution - main idea
We introduce an "HTTP proxy" for each peer, which will be proxying all the connections initiated from a peer to its peers.
The modified architecture will look something like this:
By adding this HTTP proxy, we can block all in and out traffic that is initiated from a peer to others, without having to resort to external tools, such as iptables. It's verified that the blocking of traffic is complete, compared to previous solutions [2][3].
Implementation
The main subtasks are
FORWARD_PROXY: please read Fix Blackhole implementation for e2e tests #17938 (comment)The result is that for every peer, we will have the arch like this
Test
make gofail-enable && make build && make gofail-disable && \ go test -timeout 60s -run ^TestBlackholeByMockingPartitionLeader$ go.etcd.io/etcd/tests/v3/e2e -v -count=1make gofail-enable && make build && make gofail-disable && \ go test -timeout 60s -run ^TestBlackholeByMockingPartitionFollower$ go.etcd.io/etcd/tests/v3/e2e -v -count=1Known issue
context deadline exceededsometimes[References]
[1] issue #17737
[2] PR (V1) https://github.com/henrybear327/etcd/tree/fix/e2e_blackhole
[3] PR (V2) #17891