

Windows support for Flow Exporter with Flow Aggregator (#2138)
In this commit, we fix the error when running Flow Exporter on Windows
node with Flow Aggregator.
There is a limitation in DNS resolution on Windows,
flow-aggregator.flow-aggregator.svc DNS name couldn't be resolved.
The reason is because on Windows the Antrea Agent runs as a process,
it uses the host's default DNS setting and the DNS resolver will not be
configured to talk to the CoreDNS Service for cluster local DNS queries.
So we require flowCollectorAddr to be an IP address for the Flow Exporter on a
Windows node, and add that IP to the certificate of the Flow Aggregator.
Also change to use dpctl/ct-get-limits instead of dpctl/ct-get-maxconns,
since the latter returns "operation not supported" on Windows nodes.

Signed-off-by: Yongming Ding <dyongming@vmware.com>
Yongming Ding authored May 21, 2021
1 parent 71fb938 commit fa54190
Showing 5 changed files with 100 additions and 25 deletions.
36 changes: 25 additions & 11 deletions build/yamls/antrea-windows.yml
Expand Up @@ -56,21 +56,35 @@ data:
# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
#enablePrometheusMetrics: true
# Provide flow collector address as string with format <IP>:<port>[:<proto>], where proto is tcp or udp.
# Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
# HOST can only be IP right now because there is a DNS resolution issue in current Windows support.
# IP can be either IPv4 or IPv6. However, IPv6 address should be wrapped with [].
# This also enables the flow exporter that sends IPFIX flow records of conntrack flows on OVS bridge.
# If no L4 transport proto is given, we consider tcp as default.
# If PORT is empty, we default to 4739, the standard IPFIX port.
# If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp"
# L4 transport protocols.
#flowCollectorAddr: ""
# Provide flow poll interval as a duration string. This determines how often the flow exporter dumps connections from the conntrack module.
# Flow poll interval should be greater than or equal to 1s (one second).
# Provide flow poll interval as a duration string. This determines how often the
# flow exporter dumps connections from the conntrack module. Flow poll interval
# should be greater than or equal to 1s (one second).
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
#flowPollInterval: "5s"
# Provide flow export frequency, which is the number of poll cycles elapsed before flow exporter exports flow records to
# the flow collector.
# Flow export frequency should be greater than or equal to 1.
#flowExportFrequency: 12
# Provide the active flow export timeout, which is the timeout after which a flow
# record is sent to the collector for active flows. Thus, for flows with a continuous
# stream of packets, a flow record will be exported to the collector once the elapsed
# time since the last export event is equal to the value of this timeout.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
#activeFlowExportTimeout: "30s"
# Provide the idle flow export timeout, which is the timeout after which a flow
# record is sent to the collector for idle flows. A flow is considered idle if no
# packet matching this flow has been observed since the last export event.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
#idleFlowExportTimeout: "15s"
# Enable TLS communication from flow exporter to flow aggregator.
#enableTLSToFlowAggregator: true
antrea-cni.conflist: |
{
"cniVersion":"0.3.0",
Expand All @@ -89,7 +103,7 @@ kind: ConfigMap
metadata:
labels:
app: antrea
name: antrea-windows-config-kc6bfhk4mg
name: antrea-windows-config-cm7h2cd86m
namespace: kube-system
---
apiVersion: apps/v1
Expand Down Expand Up @@ -177,7 +191,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-windows-config-kc6bfhk4mg
name: antrea-windows-config-cm7h2cd86m
name: antrea-windows-config
- configMap:
defaultMode: 420
32 changes: 23 additions & 9 deletions build/yamls/windows/base/conf/antrea-agent.conf
Expand Up @@ -38,18 +38,32 @@ featureGates:
# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
#enablePrometheusMetrics: true

# Provide flow collector address as string with format <IP>:<port>[:<proto>], where proto is tcp or udp.
# Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
# HOST can only be IP right now because there is a DNS resolution issue in current Windows support.
# IP can be either IPv4 or IPv6. However, IPv6 address should be wrapped with [].
# This also enables the flow exporter that sends IPFIX flow records of conntrack flows on OVS bridge.
# If no L4 transport proto is given, we consider tcp as default.
# If PORT is empty, we default to 4739, the standard IPFIX port.
# If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp"
# L4 transport protocols.
#flowCollectorAddr: ""

# Provide flow poll interval as a duration string. This determines how often the flow exporter dumps connections from the conntrack module.
# Flow poll interval should be greater than or equal to 1s (one second).
# Provide flow poll interval as a duration string. This determines how often the
# flow exporter dumps connections from the conntrack module. Flow poll interval
# should be greater than or equal to 1s (one second).
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
#flowPollInterval: "5s"

# Provide flow export frequency, which is the number of poll cycles elapsed before flow exporter exports flow records to
# the flow collector.
# Flow export frequency should be greater than or equal to 1.
#flowExportFrequency: 12
# Provide the active flow export timeout, which is the timeout after which a flow
# record is sent to the collector for active flows. Thus, for flows with a continuous
# stream of packets, a flow record will be exported to the collector once the elapsed
# time since the last export event is equal to the value of this timeout.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
#activeFlowExportTimeout: "30s"

# Provide the idle flow export timeout, which is the timeout after which a flow
# record is sent to the collector for idle flows. A flow is considered idle if no
# packet matching this flow has been observed since the last export event.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
#idleFlowExportTimeout: "15s"

# Enable TLS communication from flow exporter to flow aggregator.
#enableTLSToFlowAggregator: true
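Review bot: The new comment `# HOST can only be IP right now because there is a DNS resolution issue in current Windows support.` tells a Windows user to use an IP but not which one, while the docs hunk in this same commit says it must be the Cluster IP of the Flow Aggregator Service; nothing in the visible hunks validates the value, so a DNS name presumably only fails later, at export time, with a resolution error. Suggest making the comment actionable: `# On Windows, HOST must be the Cluster IP of the Flow Aggregator Service; a DNS name such as flow-aggregator.flow-aggregator.svc will not resolve from the Agent process.` Since `enableTLSToFlowAggregator` defaults to true, it is also worth a sentence that the chosen IP must be present in the aggregator's certificate SAN (this commit adds resolved IPs there), otherwise TLS verification of the aggregator will fail.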
13 changes: 10 additions & 3 deletions docs/network-flow-visibility.md
Expand Up @@ -114,9 +114,16 @@ parameters have to be set in the Antrea Agent ConfigMap:
Please note that the default value for `flowCollectorAddr` is `"flow-aggregator.flow-aggregator.svc:4739:tcp"`,
which uses the DNS name of the Flow Aggregator Service, if the Service is deployed
with the Name and Namespace set to `flow-aggregator`. If you deploy the Flow Aggregator
Service with a different Name and Namespace, then either use the appropriate DNS
name or the Cluster IP of the Service. Please note that the default values for
with the Name and Namespace set to `flow-aggregator`. For Antrea Agent running on
a Windows node, the user is required to change the default value of `HOST` in `flowCollectorAddr`
from DNS name to the Cluster IP of the Flow Aggregator service. The reason is because
on Windows the Antrea Agent runs as a process, it uses the host's default DNS setting and the DNS
resolver will not be configured to talk to the CoreDNS Service for cluster local DNS queries like
`flow-aggregator.flow-aggregator.svc`. In addition, if you deploy the Flow Aggregator Service
with a different Name and Namespace, then either use the appropriate DNS name or the Cluster IP of
the Service.

Please note that the default values for
`flowPollInterval`, `activeFlowExportTimeout`, and `idleFlowExportTimeout` parameters are set to 5s, 60s, and 15s, respectively.
TLS communication between the Flow Exporter and the Flow Aggregator is enabled by default.
Please modify them as per your requirements.
38 changes: 36 additions & 2 deletions pkg/agent/flowexporter/connections/conntrack_windows.go
Expand Up @@ -17,11 +17,45 @@
package connections

import (
"fmt"
"net"
"strconv"
"strings"

"antrea.io/antrea/pkg/agent/config"
"antrea.io/antrea/pkg/agent/openflow"
)

func NewConnTrackSystem(nodeConfig *config.NodeConfig, serviceCIDRv4 *net.IPNet, serviceCIDRv6 *net.IPNet, isAntreaProxyEnabled bool) *connTrackOvsCtl {
return NewConnTrackOvsAppCtl(nodeConfig, serviceCIDRv4, serviceCIDRv6, isAntreaProxyEnabled)
type connTrackOvsCtlWindows struct {
connTrackOvsCtl
}

func (ct *connTrackOvsCtlWindows) GetMaxConnections() (int, error) {
var zoneID int
if ct.serviceCIDRv4 != nil {
zoneID = openflow.CtZone
} else {
zoneID = openflow.CtZoneV6
}
// dpctl/ct-get-maxconns returns operation not supported on Windows node, use dpctl/ct-get-limits intead.
cmdOutput, execErr := ct.ovsctlClient.RunAppctlCmd("dpctl/ct-get-limits", false, fmt.Sprintf("zone=%d", zoneID))
if execErr != nil {
return 0, fmt.Errorf("error when executing dpctl/ct-get-limits command: %v", execErr)
}
flowSlice := strings.Split(string(cmdOutput), ",")
for _, fs := range flowSlice {
if strings.HasPrefix(fs, "limit") {
fields := strings.Split(fs, "=")
maxConns, err := strconv.Atoi(fields[len(fields)-1])
if err != nil {
return 0, fmt.Errorf("error when converting '%s' to int", fields[len(fields)-1])
}
return maxConns, nil
}
}
return 0, fmt.Errorf("couldn't find limit field in dpctl/ct-get-limits command output '%s'", cmdOutput)
}

func NewConnTrackSystem(nodeConfig *config.NodeConfig, serviceCIDRv4 *net.IPNet, serviceCIDRv6 *net.IPNet, isAntreaProxyEnabled bool) *connTrackOvsCtlWindows {
return &connTrackOvsCtlWindows{*NewConnTrackOvsAppCtl(nodeConfig, serviceCIDRv4, serviceCIDRv6, isAntreaProxyEnabled)}
}
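Review bot: In GetMaxConnections, `strconv.Atoi(fields[len(fields)-1])` is fed a raw comma-split piece of the appctl output, so any surrounding whitespace or a trailing newline on the `limit=` field makes the parse fail, and the error returned on the next line discards `err`, which hides the reason. Suggest `maxConns, err := strconv.Atoi(strings.TrimSpace(fields[len(fields)-1]))` and `return 0, fmt.Errorf("error when converting '%s' to int: %v", fields[len(fields)-1], err)`. The loop also returns the first piece that starts with `limit` regardless of which entry it belongs to; if `dpctl/ct-get-limits` can print a default limit before the per-zone line (I cannot confirm the output format from here), a short comment stating which entry is expected to win, and why the zone is chosen by `ct.serviceCIDRv4 != nil`, would help the next reader.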
6 changes: 6 additions & 0 deletions pkg/flowaggregator/certificate.go
Expand Up @@ -97,6 +97,12 @@ func generateCertKey(caCert *x509.Certificate, caKey *rsa.PrivateKey, isServer b
cert.IPAddresses = []net.IP{ip}
} else {
cert.DNSNames = []string{flowAggregatorAddress}
// add IP in certicate since flow exporter on Windows Node can't resolve DNS name
flowAggregatorIPs, err := net.LookupIP(flowAggregatorAddress)
if err != nil {
return nil, nil, err
}
cert.IPAddresses = flowAggregatorIPs
}
} else {
cert = &x509.Certificate{
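Review bot: The added `net.LookupIP(flowAggregatorAddress)` makes certificate generation fail on any DNS error at aggregator startup, on the DNS-name path that previously could not fail, and the error is returned bare, so the log will not say the lookup was done for the certificate SAN. Suggest `return nil, nil, fmt.Errorf("error when resolving %s to add its IPs to the certificate: %v", flowAggregatorAddress, err)` (assuming `fmt` is already imported in this file). The IP SANs are also fixed at the moment of resolution: a Windows exporter configured with the Service Cluster IP only passes TLS verification while that IP is what the name resolved to when the certificate was generated, so a comment next to the lookup such as `// IP SANs are resolved once here; regenerate the certificate if the Service IP changes` is worth adding, and the added comment misspells `certificate`. generateCertKey starts and ends outside the hunk.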
