[Release v3.31] IPSets: re-create ipsets failed during re-sync #11464
Conversation
mazdakn
added
release-note-required
There was a problem hiding this comment.
Pull request overview
This PR addresses issue #11051 by implementing a mechanism to re-create IPSets that fail during resync operations due to version incompatibilities (e.g., userspace/kernel revision mismatch). The solution introduces a ListFailed field to track listing failures and adjusts the retry logic to allow recreation by swapping after persistent failures.
Key changes:
- Adds
ListFailedfield todataplaneMetadatato track when ipset listing fails - Introduces
MaxRetryAttemptconstant and modifies retry logic to distinguish transient vs persistent failures - Failed ipsets in desired state are tracked and re-created via swap mechanism after multiple retry attempts
- Enhanced error handling to continue processing other ipsets when one fails to parse
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| felix/ipsets/ipsets.go | Core logic changes: adds ListFailed field, implements retry logic with transient/persistent failure distinction, updates resync error handling to track failed ipsets and trigger recreation via swap |
| felix/ipsets/ipsets_test.go | Adds test case for ipsets with unsupported revisions, updates existing test to use new MaxRetryAttempt constant |
| felix/ipsets/utils_for_test.go | Test infrastructure: adds supportedMockRevision constant and Revision field to mock metadata, implements revision checking in mock list command to simulate version incompatibility |
| if desired { | ||
| s.logCxt.WithError(err).WithField("name", name). | ||
| Warn("Failed to parse required Calico-owned ipset that is needed, will try recreating it.") | ||
| } else { | ||
| s.logCxt.WithError(err).WithField("name", name). | ||
| Warn("Failed to parse Calico-owned ipset that is no longer needed, will queue it for deletion.") | ||
| } |
There was a problem hiding this comment.
Duplicate condition check on line 484. The condition if desired is already checked on line 481, making this second check redundant. This appears to be a copy-paste error where the logging was intended to be inside the first if desired block.
3 participants
Description
Re-create (by swapping) an ipset that was failed during re-syncing with dataplane. It includes:
Introduce a new field to
dataplaneMetadatacalledListFailedto store if listing an ipsets is successful or not.If listing an ipset fails, set
ListFailuretotrue.If listing an ipset fails several times, try to re-create that ipset by swapping it out with one created from desired state.
Related issues/PRs
Pick of #11340
GH issue #11051
Todos
Release Note
Reminder for the reviewer
Make sure that this PR has the correct labels and milestone set.
Every PR needs one
docs-*label.docs-pr-required: This change requires a change to the documentation that has not been completed yet.docs-completed: This change has all necessary documentation completed.docs-not-required: This change has no user-facing impact and requires no docs.Every PR needs one
release-note-*label.release-note-required: This PR has user-facing changes. Most PRs should have this label.release-note-not-required: This PR has no user-facing changes.Other optional labels:
cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.