make 80-ec2.network match primary eni only #1738
Conversation
M00nF1sh
changed the title
|
/ci |
M00nF1sh
changed the title
|
/ci |
| @@ -0,0 +1,24 @@ | |||
| [Match] | |||
| Driver=ena ixgbevf vif | |||
| PermanentMACAddress={{.PermanentMACAddress}} | |||
There was a problem hiding this comment.
do we want the snapshot of the entire config to add PermanentMACAddress, or does it makes more sense to use a 80-ec2.network.d/*.conf drop-in?
There was a problem hiding this comment.
+1, ideally we just patch in the MAC instead of maintaining a copy of the full network unit here
There was a problem hiding this comment.
@ndbaker1 @cartermckinnon
the drop-in might be better as it will keep the original ec2's settings(even if they update this file in the future)
my original thought were to use the existence check on the network file to have the ability to override this behavior with a custom file. But cx can also override this anyway with a higher priority file names as well.
let me do the change to do the drop-in instead
|
/ci |
M00nF1sh
changed the title
|
don't merge this yet,having some issues with drop-in, debugging |
|
fixed :D it's due to the |
|
/ci |
M00nF1sh
changed the title
|
/ci |
|
I am facing the same issue in 1.30, is this fix added to 1.30 ? |
|
@rajeevpnair yep, if you’re still seeing this on AL2023, it’s a different issue |
Issue #, if available:
N/A
Description of changes:
Override the default
80-ec2.network(generated byamazon-ec2-net-utils) with drop-in config to make systemd.network manage primary ENI only.After this change, the sequence is as follows:
during initial boot, the
80-ec2.networkbyamazon-ec2-net-utilswill match all ENIs(only primary ENI at this moment), thus systemd.network will configure them properly with DHCP.the
nodeadm-rununit will execute, which will generate a10-eks_primary_eni_only.confin administrative drop-in folder/etc/systemd/network/80-ec2.network.dthat matches the MAC of primary ENI(obtained from ec2-metadata) only and reload the config.after kubelet init and vpc-cni runs, vpc-cni will launch new secondary ENIs as pod scheduled, and those secondary ENIs will be setup by CNI and
systemd.networktreats them asunmanaged.This is a temporary fix for EKS AL2023 AMI, where the
80-ec2.networkgenerated by amazon-ec2-net-utils will cause systemd.network managing all ENIs on host, and caused multiple issues including:To address this issue temporarily, we override the
80-ec2.networkafter boot to make it match against primary ENI only.macfrom ec2 metadata is guaranteed to primary eni's mac and guaranteed to be available at boot according to this code comment and internal code links.TODOs after this PR: there are limitations on current solutions as well, and we should figure long term solution for this:
Alternative solutions consider:
80-ec2.networkmatchIFINDEX: 2. However, after communications with ec2 networking, the primary ENI may not always beIFINDEX: 2.amazon-ec2-net-utilsand simply have the default80-ec2.networkinto/usr/lib/systemd/network/80-ec2.networkfor initial setup. This should work as we have almost disabled all functionality ofamazon-ec2-net-utilsexcept this file. However, to keep things simple, i kept it as it is for now, and we can work on a long term solution later. (e.g. make changes to amazon-ec2-net-utils to let us optionally disable secondary eni management).By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Testing Done
Build an AMI in us-west-2:
ami-0caada624a580a108and launched a node group with it.After boot:
/etc/systemd/network/80-ec2.networkcontains correct content:journalctl -u nodeadm-runjournalctl -u systemd-networkdAfter launching enough pods to node:
sudo networkctl listip route show table mainip route show table 2After reboot
journalctl -u systemd-networkdsudo networkctl listSee this guide for recommended testing for PRs. Some tests may not apply. Completing tests and providing additional validation steps are not required, but it is recommended and may reduce review time and time to merge.