-
Notifications
You must be signed in to change notification settings - Fork 373
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add packetcapture api #6257
Add packetcapture api #6257
Conversation
efdfde8
to
1f9e3c5
Compare
moved API to this MR. Thanks you previous feedback and welcome to help review this again. @luolanzone @tnqn @jianjuns @antoninbas Accoding to #5821 (comment) . |
4b65b01
to
9567b89
Compare
packet: | ||
type: object | ||
properties: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it looks like we are missing the srcIP
/ dstIP
properties here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's actually not missed, since we have a Source
and Destination
field in spec
, so the srcIP/dstIP
is not used. The golang structure still keep these fields in the PR, but i think we can removed them. The whole Packet
structure has changed a lot during the review compared to the original one(==Traceflow's Packet strucuture).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated this part. Currently the package related structure looks like this:
// Packet includes header info.
type Packet struct {
IPv6Header *IPv6Header `json:"ipv6Header,omitempty"`
TransportHeader TransportHeader `json:"transportHeader"`
}
Note: remove IPv4Header
as it's unused and in another thread, we are discussing if a IPFamily
field is needed.
Also in the TransportHeader
, we have tcp/icmp/udp strcuture to allow user filter based on transport attributes. For icmp, we don't have any filter yet, so the strucutre is mainly used as a type indicator.
type ICMPEchoRequestHeader struct {
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cc @jianjuns @tnqn @luolanzone
Can you help review this MR again? Thank you
I will be actively working on this recently.
9567b89
to
7d8d4b1
Compare
pkg/apis/crd/v1alpha1/types.go
Outdated
Destination Destination `json:"destination"` | ||
Packet *Packet `json:"packet,omitempty"` | ||
// FileServer specifies the sftp url config for the fileServer. Captured packets will be uploaded to this server. | ||
FileServer BundleFileServer `json:"fileServer"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel like we should have the option to write the pcap to a local file as well, just for ease of use / testing
Not everyone will want to have an ftp server for this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So do you think keep the files in container is enough? Since this is not a cli, it would be odd to export the files to a location on the host.
If keep it in the container, filepath + container name should be ok?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If keep it in the container, filepath + container name should be ok
Just filepath I think, the container will always be antrea-agent
? If users want the file to be on the Node, they can provide a path that is mounted from the host, such as /var/log/antrea
.
But there would need to be a way for users to figure out which antrea-agent Pod has the capture file, so that would need to be included in the Status. Are packets captured at the source or the destination or both?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Both could happen, in the source or destination. pod name can be exposed in the status. Just need to think about the value format for the filepath field.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think my original point still applies. Always requiring users to provide an SFTP server in order to do a packet capture is not ideal. That being said, if I am the only one who feels strongly about this, we can always address it in the future if needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed here. I have the following plans:
- make
FileServer
field optional. - Change the
status.packetsFileName
tostatus.packetsFilePath
and it's value will be likeantrea-agent-xxxx:/tmp/xxx.pcap
.
The impl should be trival.
Does this sounds good?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
see: 939fe06
pkg/apis/crd/v1alpha1/types.go
Outdated
|
||
type PacketCapturePhase string | ||
|
||
const ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it possible to share some types/constants with Traceflow?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
also see discussion #6257 (comment)
for the constants part i think it's unnecessary, each CRD may have more different status in the future.
About types, since Traceflow
is in vebeta1
now, are you suggesting we define some common types in neutral place?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not sure if we should define common types across versions. Let us see if @tnqn and @antoninbas have an opinion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess in theory we could have common definitions in a neutral directory, it wouldn't need to be under apis/crd/<version>
. But if it's not a versioned directory, then we would have to be confident that they are not going to change.
K8s has meta/v1
with comm types, such as Time
. I don't know how good of an analogy it is.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Except those meta types in meta/v1. K8s doesn't define common types across versions. If a constant needs to be used by a version, it will just be replicated in that version. I think it's to keep every version's stability and compatability. Otherwise a change in one version would have an impact on other versions.
@jianjuns Do you think we can add a ip family and ip protocol field? so we can remove ipv6header and icmpheader. |
That works for me, if you do not see a potential requirement to support other IP header fields, esp. v4 or v6 specific fields. |
updated. |
pkg/apis/crd/v1alpha1/types.go
Outdated
|
||
type PacketCapturePhase string | ||
|
||
const ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not sure if we should define common types across versions. Let us see if @tnqn and @antoninbas have an opinion.
2c563b3
to
57f6640
Compare
pkg/apis/crd/v1alpha1/types.go
Outdated
|
||
type PacketCapturePhase string | ||
|
||
const ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Except those meta types in meta/v1. K8s doesn't define common types across versions. If a constant needs to be used by a version, it will just be replicated in that version. I think it's to keep every version's stability and compatability. Otherwise a change in one version would have an impact on other versions.
pkg/apis/crd/v1alpha1/types.go
Outdated
Destination Destination `json:"destination"` | ||
Packet *Packet `json:"packet,omitempty"` | ||
// FileServer specifies the sftp url config for the fileServer. Captured packets will be uploaded to this server. | ||
FileServer BundleFileServer `json:"fileServer"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think my original point still applies. Always requiring users to provide an SFTP server in order to do a packet capture is not ideal. That being said, if I am the only one who feels strongly about this, we can always address it in the future if needed.
d27c417
to
9150331
Compare
pkg/apis/crd/v1alpha1/types.go
Outdated
Reason string `json:"reason"` | ||
// NumCapturedPackets records how many packets have been captured. If it reaches the target number, the capture | ||
// can be considered as finished. | ||
NumCapturedPackets *int32 `json:"numCapturedPackets,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you mean it's "either in the source or the destination", when the user defined both source and destination in the spec, how do we tell which Node the packets are captured from?
pkg/apis/crd/v1alpha1/types.go
Outdated
Timeout *uint16 `json:"timeout,omitempty"` | ||
CaptureConfig CaptureConfig `json:"captureConfig"` | ||
Source Source `json:"source"` | ||
Destination Destination `json:"destination"` | ||
Packet *Packet `json:"packet,omitempty"` | ||
// FileServer specifies the sftp url config for a file server. If present, captured packets will be uploaded to this server. | ||
FileServer *PacketCaptureFileServer `json:"fileServer,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The spec doesn't provide enough information to understand how to use the API. I have the questions when looking at the fields:
- What's the behavior if Timeout is nil, capturing forever or there is a default value?
- Could I set Source only or Destination only, or they must be set together? If not the latter, why they are not optional like other fields?
- I suppose it means capturing all traffic matching Source and Destination when Packet is nil, but please make this explicit in the comment.
- If FileServer is present, captured packets will be uploaded to this server, then what if FileServer is not present? This seems a valid input given it's a pointer.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sure, will add more comments.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated
pkg/apis/crd/v1alpha1/types.go
Outdated
Phase PacketCapturePhase `json:"phase"` | ||
// Reason records the failure reason when the capture fails. | ||
Reason string `json:"reason"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Phase is a deprecated pattern of K8s API, it recommends to use conditions which is more flexible to express state of each condition. For example, there could be a condition for capture and another condition for upload. See https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
I don't have strong opinion if the phase and a single reason can cover all possible results.
cf512e7
to
b4e2f05
Compare
pkg/apis/crd/v1alpha1/types.go
Outdated
Phase PacketCapturePhase `json:"phase"` | ||
// Reason records the failure reason when the capture fails. | ||
Reason string `json:"reason"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was not addressed, so I assume we are sticking to Phase
/ Reason
?
Note that this is hard to change in future API versions, so I personally think that we should go with the recommended approach right away.
b4e2f05
to
5b1e5fc
Compare
f517cd8
to
03b443c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, it would be good to get a second approval
pkg/apis/crd/v1alpha1/types.go
Outdated
type PacketCaptureFileServer struct { | ||
// The URL of the file server. It is set with format: scheme://host[:port][/path], | ||
// e.g, https://api.example.com:8443/v1/supportbundles/. If scheme is not set, https is used by default. | ||
URL string `json:"url"` | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As I pointed out in the other PR, it seems that we don't have an equivalent to BundleServerAuthConfiguration
for PacketCapture (to configure sftp authentication). But that may have been intentional?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes. a dedicated secret is serving the purpose. It's hard to find the origin discussion in the previous PR..
d01bb70
to
333f9b8
Compare
@luolanzone All updated. Can you take a look again? I also removed the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
09c05bb
to
d5f9743
Compare
Signed-off-by: Hang Yan <yhang@vmware.com> Co-authored-by: Lan <luola@vmware.com> Co-authored-by: Quan Tian <quan.tian@broadcom.com> Co-authored-by: Antonin Bas <antonin.bas@gmail.com>
d5f9743
to
807ba3e
Compare
/skip-all |
Add packetcapture's API changes.
For the full feature, please ref to:
#5821