Include nftables information in Agent supportbundle

Signed-off-by: molegit9 <[email protected]>

Author: molegit9

cmd/antrea-agent/agent.go

@@ -71,6 +71,7 @@ import (
 	"antrea.io/antrea/pkg/agent/stats"
 	support "antrea.io/antrea/pkg/agent/supportbundlecollection"
 	agenttypes "antrea.io/antrea/pkg/agent/types"
+	nftclient "antrea.io/antrea/pkg/agent/util/nftables"
 	"antrea.io/antrea/pkg/apis"
 	"antrea.io/antrea/pkg/apis/controlplane"
 	crdinformers "antrea.io/antrea/pkg/client/informers/externalversions"
@@ -334,6 +335,15 @@ func run(o *Options) error {
 	}
 	nodeConfig := agentInitializer.GetNodeConfig()
 
+	var nftablesSupported bool
+	if _, err := nftclient.New(networkConfig.IPv4Enabled, networkConfig.IPv6Enabled); err != nil {
+		klog.InfoS("nftables is not supported on this Node, skipping nftables-related features", "err", err)
+		nftablesSupported = false
+	} else {
+		klog.InfoS("nftables is supported on this Node")
+		nftablesSupported = true
+	}
+
 	var ipsecCertController *ipseccertificate.Controller
 
 	if networkConfig.TrafficEncryptionMode == config.TrafficEncryptionModeIPSec &&
@@ -1001,7 +1011,7 @@ func run(o *Options) error {
 			nodeType = controlplane.SupportBundleCollectionNodeTypeExternalNode
 		}
 		supportBundleController := support.NewSupportBundleController(nodeConfig.Name, nodeType, nodeNamespace, antreaClientProvider,
-			ovsctl.NewClient(o.config.OVSBridge), agentQuerier, networkPolicyController, v4Enabled, v6Enabled)
+			ovsctl.NewClient(o.config.OVSBridge), agentQuerier, networkPolicyController, v4Enabled, v6Enabled, nftablesSupported)
 		go supportBundleController.Run(stopCh)
 	}
 
@@ -1029,7 +1039,8 @@ func run(o *Options) error {
 		o.config.ClientConnection.Kubeconfig,
 		apis.APIServerLoopbackTokenPath,
 		v4Enabled,
-		v6Enabled)
+		v6Enabled,
+		nftablesSupported)
 	if err != nil {
 		return fmt.Errorf("error when creating agent API server: %v", err)
 	}

pkg/agent/apiserver/apiserver.go

@@ -108,10 +108,10 @@ func installHandlers(aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolic
 	s.Handler.NonGoRestfulMux.HandleFunc("/fqdncache", fqdncache.HandleFunc(npq))
 }
 
-func installAPIGroup(s *genericapiserver.GenericAPIServer, aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier, v4Enabled, v6Enabled bool) error {
+func installAPIGroup(s *genericapiserver.GenericAPIServer, aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier, v4Enabled, v6Enabled bool, nftablesSupported bool) error {
 	systemGroup := genericapiserver.NewDefaultAPIGroupInfo(systemv1beta1.GroupName, scheme, metav1.ParameterCodec, codecs)
 	systemStorage := map[string]rest.Storage{}
-	supportBundleStorage := supportbundle.NewAgentStorage(ovsctl.NewClient(aq.GetNodeConfig().OVSBridge), aq, npq, v4Enabled, v6Enabled)
+	supportBundleStorage := supportbundle.NewAgentStorage(ovsctl.NewClient(aq.GetNodeConfig().OVSBridge), aq, npq, v4Enabled, v6Enabled, nftablesSupported)
 	systemStorage["supportbundles"] = supportBundleStorage.SupportBundle
 	systemStorage["supportbundles/download"] = supportBundleStorage.Download
 	systemGroup.VersionedResourcesStorageMap["v1beta1"] = systemStorage
@@ -132,6 +132,7 @@ func New(aq agentquerier.AgentQuerier,
 	loopbackClientTokenPath string,
 	v4Enabled,
 	v6Enabled bool,
+	nftablesSupported bool,
 ) (*agentAPIServer, error) {
 	cfg, err := newConfig(aq, npq, secureServing, authentication, authorization, enableMetrics, kubeconfig, loopbackClientTokenPath)
 	if err != nil {
@@ -141,7 +142,7 @@ func New(aq agentquerier.AgentQuerier,
 	if err != nil {
 		return nil, err
 	}
-	if err := installAPIGroup(s, aq, npq, v4Enabled, v6Enabled); err != nil {
+	if err := installAPIGroup(s, aq, npq, v4Enabled, v6Enabled, nftablesSupported); err != nil {
 		return nil, err
 	}
 	installHandlers(aq, npq, mq, seipq, s, bgpq)

pkg/agent/apiserver/apiserver_test.go

@@ -80,7 +80,7 @@ current-context: cluster
 	// InClusterLookup is skipped when testing, otherwise it would always fail as there is no real cluster.
 	authentication.SkipInClusterLookup = true
 	authorization := options.NewDelegatingAuthorizationOptions().WithAlwaysAllowPaths("/healthz", "/livez", "/readyz")
-	apiServer, err := New(agentQuerier, npQuerier, nil, nil, nil, secureServing, authentication, authorization, true, kubeConfigPath, tokenPath, true, true)
+	apiServer, err := New(agentQuerier, npQuerier, nil, nil, nil, secureServing, authentication, authorization, true, kubeConfigPath, tokenPath, true, true, false)
 	require.NoError(t, err)
 	fakeAPIServer := &fakeAgentAPIServer{
 		agentAPIServer: apiServer,

pkg/agent/supportbundlecollection/support_bundle_controller.go

@@ -72,6 +72,7 @@ type SupportBundleController struct {
 	v4Enabled                    bool
 	v6Enabled                    bool
 	sftpUploader                 sftp.Uploader
+	nftablesSupported            bool
 }
 
 func NewSupportBundleController(nodeName string,
@@ -82,7 +83,8 @@ func NewSupportBundleController(nodeName string,
 	aq agentquerier.AgentQuerier,
 	npq querier.AgentNetworkPolicyInfoQuerier,
 	v4Enabled,
-	v6Enabled bool) *SupportBundleController {
+	v6Enabled bool,
+	nftablesSupported bool) *SupportBundleController {
 	c := &SupportBundleController{
 		nodeName:              nodeName,
 		supportBundleNodeType: supportBundleNodeType,
@@ -91,12 +93,13 @@ func NewSupportBundleController(nodeName string,
 		queue: workqueue.NewTypedWithConfig(workqueue.TypedQueueConfig[string]{
 			Name: "supportbundle",
 		}),
-		ovsCtlClient: ovsCtlClient,
-		aq:           aq,
-		npq:          npq,
-		v4Enabled:    v4Enabled,
-		v6Enabled:    v6Enabled,
-		sftpUploader: sftp.NewUploader(),
+		ovsCtlClient:      ovsCtlClient,
+		aq:                aq,
+		npq:               npq,
+		v4Enabled:         v4Enabled,
+		v6Enabled:         v6Enabled,
+		sftpUploader:      sftp.NewUploader(),
+		nftablesSupported: nftablesSupported,
 	}
 	return c
 }
@@ -236,7 +239,7 @@ func (c *SupportBundleController) generateSupportBundle(supportBundle *cpv1b2.Su
 	}
 	defer defaultFS.RemoveAll(basedir)
 
-	agentDumper := newAgentDumper(defaultFS, defaultExecutor, c.ovsCtlClient, c.aq, c.npq, supportBundle.SinceTime, c.v4Enabled, c.v6Enabled)
+	agentDumper := newAgentDumper(defaultFS, defaultExecutor, c.ovsCtlClient, c.aq, c.npq, supportBundle.SinceTime, c.v4Enabled, c.v6Enabled, c.nftablesSupported)
 	if err = agentDumper.DumpLog(basedir); err != nil {
 		return err
 	}

pkg/agent/supportbundlecollection/support_bundle_controller_test.go

@@ -60,7 +60,7 @@ func newFakeController(t *testing.T) (*fakeController, *fakeversioned.Clientset)
 	controller := gomock.NewController(t)
 	clientset := &fakeversioned.Clientset{}
 	supportBundleController := NewSupportBundleController("vm1", controlplane.SupportBundleCollectionNodeTypeExternalNode, "vm-ns", &antreaClientGetter{clientset}, nil,
-		nil, nil, true, true)
+		nil, nil, true, true, false)
 	return &fakeController{
 		SupportBundleController: supportBundleController,
 		mockController:          controller,
@@ -207,7 +207,7 @@ func TestSupportBundleCollectionAdd(t *testing.T) {
 
 	for _, tt := range testcases {
 		t.Run(tt.name, func(t *testing.T) {
-			newAgentDumper = func(fs afero.Fs, executor exec.Interface, ovsCtlClient ovsctl.OVSCtlClient, aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier, since string, v4Enabled, v6Enabled bool) support.AgentDumper {
+			newAgentDumper = func(fs afero.Fs, executor exec.Interface, ovsCtlClient ovsctl.OVSCtlClient, aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier, since string, v4Enabled, v6Enabled bool, nftablesSupported bool) support.AgentDumper {
 				return tt.agentDumper
 			}
 			defer func() {

pkg/apiserver/registry/system/supportbundle/rest.go

@@ -71,7 +71,7 @@ func NewControllerStorage() Storage {
 }
 
 // NewAgentStorage creates a support bundle storage for working on antrea agent.
-func NewAgentStorage(client ovsctl.OVSCtlClient, aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier, v4Enabled, v6Enabled bool) Storage {
+func NewAgentStorage(client ovsctl.OVSCtlClient, aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier, v4Enabled, v6Enabled bool, nftablesSupported bool) Storage {
 	bundle := &supportBundleREST{
 		mode:         modeAgent,
 		ovsCtlClient: client,
@@ -81,8 +81,9 @@ func NewAgentStorage(client ovsctl.OVSCtlClient, aq agentquerier.AgentQuerier, n
 			ObjectMeta: metav1.ObjectMeta{Name: modeAgent},
 			Status:     systemv1beta1.SupportBundleStatusNone,
 		},
-		v4Enabled: v4Enabled,
-		v6Enabled: v6Enabled,
+		v4Enabled:         v4Enabled,
+		v6Enabled:         v6Enabled,
+		nftablesSupported: nftablesSupported,
 	}
 	return Storage{
 		Mode:          modeAgent,
@@ -117,11 +118,12 @@ type supportBundleREST struct {
 	// ensure thread-safety. Otherwise, we would have a race with Get callers.
 	cache *systemv1beta1.SupportBundle
 
-	ovsCtlClient ovsctl.OVSCtlClient
-	aq           agentquerier.AgentQuerier
-	npq          querier.AgentNetworkPolicyInfoQuerier
-	v4Enabled    bool
-	v6Enabled    bool
+	ovsCtlClient      ovsctl.OVSCtlClient
+	aq                agentquerier.AgentQuerier
+	npq               querier.AgentNetworkPolicyInfoQuerier
+	v4Enabled         bool
+	v6Enabled         bool
+	nftablesSupported bool
 }
 
 // Create triggers a bundle generation. It only allows resource creation when
@@ -268,7 +270,7 @@ func (r *supportBundleREST) collect(ctx context.Context, dumpers ...func(string)
 }
 
 func (r *supportBundleREST) collectAgent(ctx context.Context, since string) (*systemv1beta1.SupportBundle, error) {
-	dumper := newAgentDumper(defaultFS, defaultExecutor, r.ovsCtlClient, r.aq, r.npq, since, r.v4Enabled, r.v6Enabled)
+	dumper := newAgentDumper(defaultFS, defaultExecutor, r.ovsCtlClient, r.aq, r.npq, since, r.v4Enabled, r.v6Enabled, r.nftablesSupported)
 	return r.collect(
 		ctx,
 		dumper.DumpLog,

pkg/apiserver/registry/system/supportbundle/rest_test.go

@@ -252,7 +252,7 @@ func (f *fakeAgentDumper) DumpMemberlist(basedir string) error {
 func TestAgentStorage(t *testing.T) {
 	defaultFS = afero.NewMemMapFs()
 	defaultExecutor = new(testExec)
-	newAgentDumper = func(fs afero.Fs, executor exec.Interface, ovsCtlClient ovsctl.OVSCtlClient, aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier, since string, v4Enabled, v6Enabled bool) support.AgentDumper {
+	newAgentDumper = func(fs afero.Fs, executor exec.Interface, ovsCtlClient ovsctl.OVSCtlClient, aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier, since string, v4Enabled, v6Enabled bool, nftablesSupported bool) support.AgentDumper {
 		return &fakeAgentDumper{}
 	}
 	defer func() {
@@ -266,7 +266,7 @@ func TestAgentStorage(t *testing.T) {
 	fakeOVSCtl := ovsctltest.NewMockOVSCtlClient(ctrl)
 	fakeAgentQuerier := agentqueriertest.NewMockAgentQuerier(ctrl)
 	fakeNetworkPolicyQuerier := queriertest.NewMockAgentNetworkPolicyInfoQuerier(ctrl)
-	storage := NewAgentStorage(fakeOVSCtl, fakeAgentQuerier, fakeNetworkPolicyQuerier, true, true)
+	storage := NewAgentStorage(fakeOVSCtl, fakeAgentQuerier, fakeNetworkPolicyQuerier, true, true, false)
 	_, err := storage.SupportBundle.Create(ctx, &system.SupportBundle{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: modeAgent,
@@ -311,7 +311,7 @@ func TestAgentStorage(t *testing.T) {
 func TestAgentStorageFailure(t *testing.T) {
 	defaultFS = afero.NewMemMapFs()
 	defaultExecutor = new(testExec)
-	newAgentDumper = func(fs afero.Fs, executor exec.Interface, ovsCtlClient ovsctl.OVSCtlClient, aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier, since string, v4Enabled, v6Enabled bool) support.AgentDumper {
+	newAgentDumper = func(fs afero.Fs, executor exec.Interface, ovsCtlClient ovsctl.OVSCtlClient, aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier, since string, v4Enabled, v6Enabled bool, nftablesSupported bool) support.AgentDumper {
 		return &fakeAgentDumper{returnErr: fmt.Errorf("iptables not found")}
 	}
 	defer func() {
@@ -326,7 +326,7 @@ func TestAgentStorageFailure(t *testing.T) {
 	fakeAgentQuerier := agentqueriertest.NewMockAgentQuerier(ctrl)
 	fakeNetworkPolicyQuerier := queriertest.NewMockAgentNetworkPolicyInfoQuerier(ctrl)
 
-	storage := NewAgentStorage(fakeOVSCtl, fakeAgentQuerier, fakeNetworkPolicyQuerier, true, true)
+	storage := NewAgentStorage(fakeOVSCtl, fakeAgentQuerier, fakeNetworkPolicyQuerier, true, true, false)
 	_, err := storage.SupportBundle.Create(ctx, &system.SupportBundle{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: modeAgent,

pkg/support/dump.go

@@ -295,14 +295,15 @@ func NewControllerDumper(fs afero.Fs, executor exec.Interface, since string) Con
 }
 
 type agentDumper struct {
-	fs           afero.Fs
-	executor     exec.Interface
-	ovsCtlClient ovsctl.OVSCtlClient
-	aq           agentquerier.AgentQuerier
-	npq          querier.AgentNetworkPolicyInfoQuerier
-	since        string
-	v4Enabled    bool
-	v6Enabled    bool
+	fs                afero.Fs
+	executor          exec.Interface
+	ovsCtlClient      ovsctl.OVSCtlClient
+	aq                agentquerier.AgentQuerier
+	npq               querier.AgentNetworkPolicyInfoQuerier
+	since             string
+	v4Enabled         bool
+	v6Enabled         bool
+	nftablesSupported bool
 }
 
 func (d *agentDumper) DumpAgentInfo(basedir string) error {
@@ -360,15 +361,16 @@ func (d *agentDumper) DumpOVSPorts(basedir string) error {
 	return writeFile(d.fs, filepath.Join(basedir, "ovsports"), "ports", []byte(strings.Join(portData, "\n")))
 }
 
-func NewAgentDumper(fs afero.Fs, executor exec.Interface, ovsCtlClient ovsctl.OVSCtlClient, aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier, since string, v4Enabled, v6Enabled bool) AgentDumper {
+func NewAgentDumper(fs afero.Fs, executor exec.Interface, ovsCtlClient ovsctl.OVSCtlClient, aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier, since string, v4Enabled, v6Enabled bool, nftablesSupported bool) AgentDumper {
 	return &agentDumper{
-		fs:           fs,
-		executor:     executor,
-		ovsCtlClient: ovsCtlClient,
-		aq:           aq,
-		npq:          npq,
-		since:        since,
-		v4Enabled:    v4Enabled,
-		v6Enabled:    v6Enabled,
+		fs:                fs,
+		executor:          executor,
+		ovsCtlClient:      ovsCtlClient,
+		aq:                aq,
+		npq:               npq,
+		since:             since,
+		v4Enabled:         v4Enabled,
+		v6Enabled:         v6Enabled,
+		nftablesSupported: nftablesSupported,
 	}
 }

pkg/support/dump_others.go

@@ -18,6 +18,7 @@
 package support
 
 import (
+	"bytes"
 	"fmt"
 	"path"
 	"path/filepath"
@@ -41,6 +42,9 @@ func (d *agentDumper) DumpHostNetworkInfo(basedir string) error {
 	if err := d.dumpIPTables(basedir); err != nil {
 		return err
 	}
+	if err := d.dumpNFTables(basedir); err != nil {
+		return err
+	}
 	if err := d.dumpIPToolInfo(basedir); err != nil {
 		return err
 	}
@@ -59,6 +63,48 @@ func (d *agentDumper) dumpIPTables(basedir string) error {
 	return writeFile(d.fs, filepath.Join(basedir, "iptables"), "iptables", data)
 }
 
+func (d *agentDumper) dumpNFTables(basedir string) error {
+
+	if !d.nftablesSupported {
+		return nil
+	}
+
+	var data bytes.Buffer
+
+	if d.v4Enabled {
+		output, err := d.executor.Command("nft", "list", "table", "ip", "antrea").CombinedOutput()
+		if err != nil {
+			return fmt.Errorf("failed to dump nftables table 'ip antrea': %w", err)
+		}
+		if len(output) > 0 {
+			data.Write(output)
+			data.WriteString("\n")
+		}
+	}
+
+	if d.v6Enabled {
+		output, err := d.executor.Command("nft", "list", "table", "ip6", "antrea").CombinedOutput()
+		if err != nil {
+			return fmt.Errorf("failed to dump nftables table 'ip6 antrea': %w", err)
+		}
+		if len(output) > 0 {
+			data.Write(output)
+			data.WriteString("\n")
+		}
+	}
+
+	if data.Len() == 0 {
+		return nil
+	}
+
+	fileName := "nftables"
+	if err := writeFile(d.fs, filepath.Join(basedir, fileName), fileName, data.Bytes()); err != nil {
+		return fmt.Errorf("failed to write nftables file: %w", err)
+	}
+
+	return nil
+}
+
 func (d *agentDumper) dumpIPToolInfo(basedir string) error {
 	dump := func(name string) error {
 		output, err := d.executor.Command("ip", name).CombinedOutput()