@molegit9 molegit9 commented Nov 6, 2025

Fixes: #7546
Modification location: pkg/support/dump_others.go

I corrected it because the diagnostic file did not contain the information of 'NFTables'.
'pkg/support/dump_others.go' has been added with the function 'dumpNFTables' to allow the information to be included in the diagnosis.

@molegit9 molegit9 force-pushed the fix-nftables-supportbundle branch 2 times, most recently from 001ea65 to 6bb8141 November 6, 2025 05:39

molegit9 commented Nov 6, 2025

/test-all
/skip-windows-e2e

@molegit9 molegit9 force-pushed the fix-nftables-supportbundle branch from 6bb8141 to f6801cb November 6, 2025 07:07
}

func (d *agentDumper) dumpNFTables(basedir string) error {
c, err := nftables.New(d.v4Enabled, d.v6Enabled)
Contributor

If nftables is not supported, we should not fail the support bundle collection operation
cc @hongliangl

Contributor

@hongliangl hongliangl Nov 7, 2025

Yes, I think we should just log the error and return nil.

Contributor

what are all these files for?

Author

My apologies. Those were temporary files generated by my local tests that were added by mistake.
I have removed them from the commit in the latest push. Thanks for catching that!

@antoninbas antoninbas requested a review from hongliangl November 6, 2025 19:32
@molegit9 molegit9 force-pushed the fix-nftables-supportbundle branch from f6801cb to 95e0ce7 November 7, 2025 03:47
Contributor

@hongliangl hongliangl left a comment

I would save the results of table ip antrea and table ip6 antrea to one file nftables, just like file iptables.

Additionally, could you add the unit tests for this?

func (d *agentDumper) dumpNFTables(basedir string) error {
c, err := nftables.New(d.v4Enabled, d.v6Enabled)
if err != nil {
klog.Warningf("Skipping nftables dump, client init failed: %v", err)
Contributor

We don't use klog.Warningf. Just use klog.ErrorS or klog.InfoS.

}

if d.v4Enabled && c.IPv4 != nil {
output, err := c.IPv4.DumpTable(context.TODO(), "antrea")
Contributor

I didn't find the method DumpTable in the interface from nftables lib https://github.com/hongliangl/knftables/blob/e4307300abb50f2d9e7a492c474fe046d777f87f/nftables.go#L30.

Please use the appropriate methods to dump the table.

if d.v4Enabled && c.IPv4 != nil {
output, err := c.IPv4.DumpTable(context.TODO(), "antrea")
if err != nil {
klog.Warningf("Failed to dump nftables table antrea-v4: %v", err)
Contributor

We should return an error here since nftables.New succeeded.

Comment on lines 79 to 80
if err := writeFile(d.fs, filepath.Join(basedir, fileName), fileName, output); err != nil {
klog.Warningf("Failed to write %s: %v", fileName, err)
Contributor

Ditto, return the error.

return nil
}

if d.v4Enabled && c.IPv4 != nil {
Contributor

Suggested change
if d.v4Enabled && c.IPv4 != nil {
if c.IPv4 != nil {

}
}

if d.v6Enabled && c.IPv6 != nil {
Contributor

Suggested change
if d.v6Enabled && c.IPv6 != nil {
if c.IPv6 != nil {

Author

Thanks for the detailed feedback! I've pushed the updates incorporating all your suggestions

@molegit9 molegit9 force-pushed the fix-nftables-supportbundle branch from 95e0ce7 to f41be5c November 7, 2025 14:38
@molegit9 molegit9 requested a review from hongliangl November 10, 2025 10:34
func (d *agentDumper) dumpNFTables(basedir string) error {
_, err := d.executor.LookPath("nft")
if err != nil {
klog.InfoS("Skipping nftables dump, 'nft' command not found", "err", err)
Contributor

Suggested change
klog.InfoS("Skipping nftables dump, 'nft' command not found", "err", err)
klog.ErrorS(err, "'nft' command not found")

@molegit9 molegit9 force-pushed the fix-nftables-supportbundle branch from f41be5c to a6a96a3 November 11, 2025 09:39
Contributor

@hongliangl hongliangl left a comment

LGTM overall from me, only a nit in PR description:

issue : #7546 -> Fixes: #7546

For git commit and PR titles, how about removing the prefix Fix(#7546):?

Defer to @antoninbas @luolanzone to do the final approval.

hongliangl commented Nov 12, 2025

Please resolve the failed checks :

  • Go/Golangci-lint
  • Go/Unit test
  • DCO

@molegit9 molegit9 force-pushed the fix-nftables-supportbundle branch from a6a96a3 to c8a0ab9 November 12, 2025 10:51
@molegit9 molegit9 changed the title from "Fix(#7546): Include nftables information in Agent supportbundle" to "Include nftables information in Agent supportbundle" Nov 12, 2025
@molegit9 molegit9 force-pushed the fix-nftables-supportbundle branch from c8a0ab9 to e917f2b November 12, 2025 11:14
Author

Please resolve the failed checks :

  • Go/Golangci-lint
  • Go/Unit test
  • DCO

Go/Golangci-lint I reordered the import statements using goimports -w -local antrea.io/antrea pkg/support/dump_others.go.

Go/Unit test I modified the code to not write data when there is no output (empty string), like so:

dump_others.go
line 82, 93
if len(output) > 0 {
data.Write(output)
data.WriteString("\n")
}

dump_others_test.go
line 174
Set 'fakeExecutor := &testingexec.FakeExec{}' to ensure it returns the proper fake results.

DCO I corrected the Signed-off-by line from just a name to the full email address.

@molegit9 molegit9 requested a review from hongliangl November 12, 2025 11:55
}

func (d *agentDumper) dumpNFTables(basedir string) error {
_, err := d.executor.LookPath("nft")
Contributor

@hongliangl shouldn't we use the wrapper library here?

Contributor

@hongliangl hongliangl Nov 13, 2025

We should prioritize using the library. But unfortunately, the library doesn't provide a method to dump all contents of a table. The existing methods for dumping:

	// List returns a list of the names of the objects of objectType ("chain", "set",
	// "map" or "counter") in the table. If there are no such objects, this will return an empty
	// list and no error.
	List(ctx context.Context, objectType string) ([]string, error)

	// ListRules returns a list of the rules in a chain, in order. If no chain name is
	// specified, then all rules within the table will be returned. Note that at the
	// present time, the Rule objects will have their `Comment` and `Handle` fields
	// filled in, but *not* the actual `Rule` field. So this can only be used to find
	// the handles of rules if they have unique comments to recognize them by, or if
	// you know the order of the rules within the chain. If the chain exists but
	// contains no rules, this will return an empty list and no error.
	ListRules(ctx context.Context, chain string) ([]*Rule, error)

	// ListElements returns a list of the elements in a set or map. (objectType should
	// be "set" or "map".) If the set/map exists but contains no elements, this will
	// return an empty list and no error.
	ListElements(ctx context.Context, objectType, name string) ([]*Element, error)

	// ListCounters returns a list of the counters.
	ListCounters(ctx context.Context) ([]*Counter, error)

We can use the above methods to dump a table, but it is a little complicated:

  • Use List to dump all chains, sets, maps
  • Use ListRules to dump all chains
  • Use ListElements to dump all sets and maps

@molegit9 molegit9 requested a review from antoninbas November 13, 2025 06:30
}

if data.Len() == 0 {
klog.InfoS("No Antrea nftables rules found to dump")
Contributor

I would omit this log message

klog.ErrorS(err, "'nft' command not found")
return nil
}

Contributor

nft can be found (in the antrea-agent container image), but that doesn't mean it will run successfully: maybe nf_tables is not available.
We should check for compatibility once during initialization, and skip dumpNFTables if there is no support in the host kernel. @hongliangl what do you think is the best way to do that?

Contributor

How about this:

  1. Only initialize the wrapper library Client to check if nftables is available. This is because the initialization process does the following checks. See the link
    func newNFTables(ipFamily knftables.Family) (knftables.Interface, error) {
	// knftables.New validates:
	//  - nft binary is available
	//  - sufficient permissions
	//  - kernel version compatibility
	//  - "nft destroy" support

If an error is returned during initialization, just log that nftables is not available and skip dumping nftables.

  2. Use the d.executor.Command("nft", "list", "table", "ip", "antrea").CombinedOutput() to dump the table.

The first step might be confusing, and we need to document it well to state that this step is to verify the availability of nftables.

Author

Hi @antoninbas and @hongliangl,

Just a gentle ping regarding the updates based on your previous discussion.

I've refactored the PR according to the approach you mentioned:

Startup Check: Added nftclient.New in agent.go to verify kernel compatibility during initialization.

Dump Execution: Kept d.executor.Command("nft", ...) for the actual dump since the library doesn't support a full dump.

Log Cleanup: Removed the "No Antrea nftables rules found to dump" log message.

I believe this reflects all the points you raised.
When you have a moment, could you please take a look?

Thanks!

Author

In agent.go, I made it check for nftables support once at agent startup using nftclient.New(), save it to nftablesSupported, and added it as an argument to the functions.

And I changed the existing LookPath check method to check via nftablesSupported.

There were no problems when I ran make golangci and make .linux-test-unit locally, but I don't know if other problems will occur as I lack knowledge.

Please review the code, and if you find it strange, I will re-upload a version with only the log removal that the reviewer requested.

@molegit9 molegit9 force-pushed the fix-nftables-supportbundle branch from e917f2b to 9008f34 November 15, 2025 17:24
@molegit9 molegit9 requested a review from antoninbas November 17, 2025 12:28
Comment on lines 338 to 346
var nftablesSupported bool
if _, err := nftclient.New(networkConfig.IPv4Enabled, networkConfig.IPv6Enabled); err != nil {
klog.InfoS("nftables is not supported on this Node, skipping nftables-related features", "err", err)
nftablesSupported = false
} else {
klog.InfoS("nftables is supported on this Node")
nftablesSupported = true
}

Contributor

We can just move the logic L338-L346 to function dumpNFTables in dump_others.go, and we don't need the changes of introducing extra parameter nftablesSupported, simplifying the PR.

Author

Thanks for the review! I reverted the complex changes and moved the check logic directly into 'dumpNFTables' as you suggested.

Now it uses 'nftclient.New' to check for support at the beginning.

I verified that both 'make golangci' and 'make .linux-test-unit' pass locally.

@molegit9 molegit9 force-pushed the fix-nftables-supportbundle branch from 9008f34 to 2c85620 November 24, 2025 12:37

func (d *agentDumper) dumpNFTables(basedir string) error {
if _, err := nftclient.New(d.v4Enabled, d.v6Enabled); err != nil {
klog.V(4).InfoS("Skipping nftables dump because it is not supported on this Node", "err", err)
Contributor

Use klog.ErrorS here.

Author

Thank you for the review!
'klog.V(4).InfoS' -> 'ErrorS'
I modified it.

@molegit9 molegit9 force-pushed the fix-nftables-supportbundle branch from 2c85620 to 232b5a3 November 25, 2025 03:01
Contributor

@hongliangl hongliangl left a comment

LGTM, but you need to resolve the DCO failure in github action.

@molegit9 molegit9 force-pushed the fix-nftables-supportbundle branch from 232b5a3 to 7cd8f1d November 25, 2025 03:25
hongliangl previously approved these changes Nov 25, 2025
Contributor

@hongliangl hongliangl left a comment

LGTM, defer to @antoninbas and @luolanzone to do final approvals.

Contributor

You have failed unit tests, please correct them first.

@molegit9 molegit9 force-pushed the fix-nftables-supportbundle branch 5 times, most recently from 828fa93 to 0a3a75f November 25, 2025 16:03
"strings"

"k8s.io/klog/v2"
testingexec "k8s.io/utils/exec/testing"
Contributor

There is never a reason to import this package in a non-test file.

Comment on lines 71 to 72
if _, isFake := d.executor.(*testingexec.FakeExec); !isFake {
if _, err := nftclient.New(d.v4Enabled, d.v6Enabled); err != nil {
Contributor

This code is confusing and also doesn't match what was discussed in #7547 (comment)

Ideally we should check for nftables only once, not for every call to dumpNFTables. It was also mentioned that we should comment this code well to explain why we are calling nftclient.New, but not using the returned value.

Author

As you advised, we removed the testingexec import. Instead, we separated the kernel inspection called inside dumpNFTables into a variable (var checkNFTablesSupport). And in the test code, we modified this variable to pass the test by mocking it.

@molegit9 molegit9 force-pushed the fix-nftables-supportbundle branch from 0a3a75f to 63d257d November 26, 2025 00:11
Comment on lines 35 to 37
var newNFTablesClient = func(v4Enabled, v6Enabled bool) (interface{}, error) {
return nftclient.New(v4Enabled, v6Enabled)
}
Contributor

could we do something like this:

var nftablesIPv4Supported = sync.OnceValue(func() bool {
	// supported only when the client can be created without error
	_, err := newNFTables(knftables.IPv4Family)
	return err == nil
})
var nftablesIPv6Supported = sync.OnceValue(func() bool {
	_, err := newNFTables(knftables.IPv6Family)
	return err == nil
})

I am using "sigs.k8s.io/knftables" directly here, instead of "antrea.io/antrea/pkg/agent/util/nftables" which is fine.

This way in dumpNFTables you can use nftablesIPv4Supported() / nftablesIPv6Supported(), and the sync.OnceValue wrapper ensures that we don't check the same thing multiple times over.

You can also easily "mock" them in unit tests.
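The two-step approach hongliangl sketches earlier (probe nftables availability once, then dump the table with nft list table) combined with the sync.OnceValue wrapper suggested above, as an added example that is not code from this PR or from Antrea. It assumes a hypothetical commandRunner interface in place of k8s.io/utils/exec, a hypothetical probeNFTables function in place of the knftables.New probe, and a fakeRunner standing in for testingexec.FakeExec; the nft output it feeds in is constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"log"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
	"sync"
)

// commandRunner is a hypothetical stand-in for the agent's executor
// (k8s.io/utils/exec in the PR); unit tests swap in fakeRunner below.
type commandRunner interface {
	CombinedOutput(name string, args ...string) ([]byte, error)
}

// probeNFTables is a hypothetical stand-in for the knftables.New probe
// (nft binary, permissions, kernel support). Assumption for this example:
// "nft list tables <family>" succeeding once proves the family is usable.
var probeNFTables = func(family string) error {
	_, err := exec.Command("nft", "list", "tables", family).CombinedOutput()
	return err
}

// sync.OnceValue caches the probe result, so support is checked at most once
// per process however many bundles are collected; tests reassign these vars.
var nftablesIPv4Supported = sync.OnceValue(func() bool { return probeNFTables("ip") == nil })
var nftablesIPv6Supported = sync.OnceValue(func() bool { return probeNFTables("ip6") == nil })

// nftablesDumper mirrors the agentDumper fields that dumpNFTables needs.
type nftablesDumper struct {
	runner    commandRunner
	v4Enabled bool
	v6Enabled bool
}

// dumpNFTables writes "table ip antrea" and "table ip6 antrea" into a single
// file named "nftables" under basedir. Review outcomes encoded here: an
// unsupported family is logged and skipped (nil error); a failing nft after
// the support check is a real error and is returned; empty output is skipped.
func (d *nftablesDumper) dumpNFTables(basedir string) error {
	families := []struct {
		enabled   bool
		supported func() bool
		name      string
	}{
		{d.v4Enabled, nftablesIPv4Supported, "ip"},
		{d.v6Enabled, nftablesIPv6Supported, "ip6"},
	}
	var data bytes.Buffer
	for _, f := range families {
		if !f.enabled {
			continue
		}
		if !f.supported() {
			log.Printf("skipping nftables dump for family %s: not supported on this Node", f.name)
			continue
		}
		output, err := d.runner.CombinedOutput("nft", "list", "table", f.name, "antrea")
		if err != nil {
			return fmt.Errorf("dumping nftables table %s antrea: %w (output: %s)", f.name, err, output)
		}
		if len(output) > 0 {
			data.Write(output)
			data.WriteString("\n")
		}
	}
	if data.Len() == 0 {
		return nil
	}
	return os.WriteFile(filepath.Join(basedir, "nftables"), data.Bytes(), 0o600)
}

// fakeRunner is a constructed replacement for testingexec.FakeExec: canned
// output keyed by the full command line, or one fixed error for every command.
type fakeRunner struct {
	outputs map[string][]byte
	err     error
}

func (f *fakeRunner) CombinedOutput(name string, args ...string) ([]byte, error) {
	if f.err != nil {
		return nil, f.err
	}
	return f.outputs[name+" "+strings.Join(args, " ")], nil
}

func main() {
	// Stand-alone demo: IPv4 supported, IPv6 not, constructed nft output.
	nftablesIPv4Supported = func() bool { return true }
	nftablesIPv6Supported = func() bool { return false }
	dir, err := os.MkdirTemp("", "supportbundle")
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(dir)
	d := &nftablesDumper{runner: &fakeRunner{outputs: map[string][]byte{
		"nft list table ip antrea": []byte("table ip antrea {\n\tchain example {\n\t}\n}"),
	}}, v4Enabled: true, v6Enabled: true}
	if err := d.dumpNFTables(dir); err != nil {
		log.Fatal(err)
	}
	out, _ := os.ReadFile(filepath.Join(dir, "nftables"))
	fmt.Print(string(out))
}
```

Because the support functions are package-level variables of type func() bool, a unit test can replace them with constants and drive dumpNFTables through a fakeRunner without touching the kernel, which is the mocking property the suggestion above is after; the real agent keeps the cached probe.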

Author

Thanks for the review. I've updated the PR based on your feedback.

@molegit9 molegit9 force-pushed the fix-nftables-supportbundle branch from 63d257d to c1e1cda November 27, 2025 04:24
@molegit9 molegit9 requested a review from antoninbas November 27, 2025 04:25

Development

Successfully merging this pull request may close these issues.

Include nftables information in Agent supportbundle

3 participants