Fix caching in ingress mode by kleimkuhler · Pull Request #965 · linkerd/linkerd2-proxy

kleimkuhler · 2021-04-06T01:13:55Z

When the proxy is in ingress mode, requests with different l5d-dst-override headers but the same address share the same key in the cache. This causes consecutive requests to the same address to all go to the value of the first l5d-dst-override header, ignoring the header values of later requests—unless the services are evicted from the cache.

This occurs because each key into the cache is calculated based off LogicalAddr's orig_dst and protocol fields (source). When the proxy is in ingress mode, the value of orig_dst is overridden to 0.0.0.0:port (source). This results in an easy key conflict: two different requests with the same port and protocol with result in the same key.

To fix this, the logical_addr field is added to LogicalAddr and is used as a third field in calculating the cache key. logical_addr is the value of the l5d-dst-override header which means requests to the same address but with different header values will result in different keys.

Fixes linkerd/linkerd2#5975

Testing

For manual testing, Linkerd can be installed with this version of the proxy:

linkerd install --set proxy.image.name='ghcr.io/kleimkuhler/proxy',proxy.image.version='5381fd45' |kubectl apply -f -

Then, apply this manifest which creates two 3 deployments and 2 services:

injected nginx server and service
injected nginx server and service
injected ingress pod with curl used to send requests to 1 and 2

From the curl pod, send requests with the l5d-dst-override header set and observer with linkerd viz tap that the requests are received by the correct pods:

$ curl-5ffd49f57-fwk2d:/$ curl -H "l5d-dst-override: svc-1.default.svc.cluster.local:8000" 10.0.0.1
$ curl-5ffd469f57-fwk2d:/$ curl -H "l5d-dst-override: svc-2.default.svc.cluster.local:8000" 10.0.0.1

Proxy tests

There are currently no tests for the l5d-dst-override header. I'll keep working on adding some additional tests for this, but those may come as a follow-up

Signed-off-by: Kevin Leimkuhler <[email protected]>

hawkw

looks good to me!

for the tests, it might be nice to have a function for constructing Logicals to make that code a little more concise, but that's not a hard blocker.

linkerd/app/outbound/src/tcp/tests.rs

linkerd/app/gateway/src/lib.rs

Signed-off-by: Kevin Leimkuhler <[email protected]>

kleimkuhler · 2021-04-06T01:40:29Z

I may rename logical_addr field to addr. It feels a little redundant to to have a LogicalAddr struct with a logical_addr field. Any strong preference about keeping or changing it?

Signed-off-by: Kevin Leimkuhler <[email protected]>

olix0r

thanks @kleimkuhler!

This release fixes a caching issue in the outbound proxy's "ingress mode" that could cause the incorrect client to be used for requests. This caching has been fixed so that clients cannot be incorrectly reused across logical destinations. --- * transport: introduce Bind trait and move orig dst to the type level (linkerd/linkerd2-proxy#957) * Initial fuzzer integration (linkerd/linkerd2-proxy#961) * Fix caching in ingress mode (linkerd/linkerd2-proxy#965)

This release fixes a caching issue in the outbound proxy's "ingress mode" that could cause the incorrect client to be used for requests. This caching has been fixed so that clients cannot be incorrectly reused across logical destinations. --- * transport: introduce Bind trait and move orig dst to the type level (linkerd/linkerd2-proxy#957) * Initial fuzzer integration (linkerd/linkerd2-proxy#961) * Fix caching in ingress mode (linkerd/linkerd2-proxy#965) Signed-off-by: Jijeesh <[email protected]>

This release fixes a caching issue in the outbound proxy's "ingress mode" that could cause the incorrect client to be used for requests. This caching has been fixed so that clients cannot be incorrectly reused across logical destinations. --- * transport: introduce Bind trait and move orig dst to the type level (linkerd/linkerd2-proxy#957) * Initial fuzzer integration (linkerd/linkerd2-proxy#961) * Fix caching in ingress mode (linkerd/linkerd2-proxy#965)

Fix caching in ingress mode

bbb1948

Signed-off-by: Kevin Leimkuhler <[email protected]>

kleimkuhler requested a review from a team April 6, 2021 01:13

hawkw approved these changes Apr 6, 2021

View reviewed changes

linkerd/app/outbound/src/tcp/tests.rs Outdated Show resolved Hide resolved

hawkw reviewed Apr 6, 2021

View reviewed changes

linkerd/app/gateway/src/lib.rs Outdated Show resolved Hide resolved

Fix clippy lint

c277c85

Signed-off-by: Kevin Leimkuhler <[email protected]>

Add Logical builder in tests

2f0ee12

Signed-off-by: Kevin Leimkuhler <[email protected]>

olix0r approved these changes Apr 6, 2021

View reviewed changes

olix0r merged commit 74a1632 into main Apr 6, 2021

olix0r deleted the kleimkuhler/logical-caching-fix branch April 6, 2021 15:02

olix0r mentioned this pull request Apr 7, 2021

proxy: v2.141.0 linkerd/linkerd2#5998

Merged

Wenliang-CHEN mentioned this pull request May 3, 2021

Outbound requests fail intermittently after the proxy reported "panicked at 'cancel sender lost'" linkerd/linkerd2#6086

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix caching in ingress mode#965

Fix caching in ingress mode#965
olix0r merged 3 commits intomainfrom
kleimkuhler/logical-caching-fix

kleimkuhler commented Apr 6, 2021

Uh oh!

hawkw left a comment

Uh oh!

Uh oh!

Uh oh!

kleimkuhler commented Apr 6, 2021

Uh oh!

olix0r left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

kleimkuhler commented Apr 6, 2021

Testing

Proxy tests

Uh oh!

hawkw left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

kleimkuhler commented Apr 6, 2021

Uh oh!

olix0r left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants