Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add packetcapture api #6257

Merged
merged 1 commit into from
Nov 4, 2024

Conversation

hangyan
Copy link
Member

@hangyan hangyan commented Apr 23, 2024

Add packetcapture's API changes.

For the full feature, please ref to:

#5821

@hangyan hangyan force-pushed the topic/yhang/packet-capture-api branch from efdfde8 to 1f9e3c5 Compare April 23, 2024 08:06
@hangyan
Copy link
Member Author

hangyan commented Apr 23, 2024

moved API to this MR. Thanks you previous feedback and welcome to help review this again.

@luolanzone @tnqn @jianjuns @antoninbas

Accoding to #5821 (comment) . IPHeader field was removed.

@antoninbas antoninbas added api-review Categorizes an issue or PR as actively needing an API review. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API. labels Apr 23, 2024
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
@antoninbas antoninbas added this to the Antrea v2.1 release milestone Apr 23, 2024
@luolanzone luolanzone added the action/release-note Indicates a PR that should be included in release notes. label May 7, 2024
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
@hangyan hangyan force-pushed the topic/yhang/packet-capture-api branch from 4b65b01 to 9567b89 Compare May 14, 2024 08:25
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
Comment on lines +88 to +106
packet:
type: object
properties:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it looks like we are missing the srcIP / dstIP properties here?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's actually not missed, since we have a Source and Destination field in spec, so the srcIP/dstIP is not used. The golang structure still keep these fields in the PR, but i think we can removed them. The whole Packet structure has changed a lot during the review compared to the original one(==Traceflow's Packet strucuture).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated this part. Currently the package related structure looks like this:


// Packet includes header info.
type Packet struct {
	IPv6Header      *IPv6Header     `json:"ipv6Header,omitempty"`
	TransportHeader TransportHeader `json:"transportHeader"`
}

Note: remove IPv4Header as it's unused and in another thread, we are discussing if a IPFamily field is needed.

Also in the TransportHeader, we have tcp/icmp/udp strcuture to allow user filter based on transport attributes. For icmp, we don't have any filter yet, so the strucutre is mainly used as a type indicator.

type ICMPEchoRequestHeader struct {
}

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cc @jianjuns @tnqn @luolanzone

Can you help review this MR again? Thank you

I will be actively working on this recently.

@hangyan hangyan closed this Aug 20, 2024
@hangyan hangyan force-pushed the topic/yhang/packet-capture-api branch from 9567b89 to 7d8d4b1 Compare August 20, 2024 06:26
@hangyan hangyan reopened this Aug 20, 2024
pkg/apis/crd/v1alpha1/types.go Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
Destination Destination `json:"destination"`
Packet *Packet `json:"packet,omitempty"`
// FileServer specifies the sftp url config for the fileServer. Captured packets will be uploaded to this server.
FileServer BundleFileServer `json:"fileServer"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel like we should have the option to write the pcap to a local file as well, just for ease of use / testing
Not everyone will want to have an ftp server for this

Copy link
Member Author

@hangyan hangyan Aug 30, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So do you think keep the files in container is enough? Since this is not a cli, it would be odd to export the files to a location on the host.

If keep it in the container, filepath + container name should be ok?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If keep it in the container, filepath + container name should be ok

Just filepath I think, the container will always be antrea-agent? If users want the file to be on the Node, they can provide a path that is mounted from the host, such as /var/log/antrea.

But there would need to be a way for users to figure out which antrea-agent Pod has the capture file, so that would need to be included in the Status. Are packets captured at the source or the destination or both?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both could happen, in the source or destination. pod name can be exposed in the status. Just need to think about the value format for the filepath field.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think my original point still applies. Always requiring users to provide an SFTP server in order to do a packet capture is not ideal. That being said, if I am the only one who feels strongly about this, we can always address it in the future if needed.

Copy link
Member Author

@hangyan hangyan Oct 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed here. I have the following plans:

  1. make FileServer field optional.
  2. Change the status.packetsFileName to status.packetsFilePath and it's value will be like antrea-agent-xxxx:/tmp/xxx.pcap.

The impl should be trival.

Does this sounds good?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see: 939fe06

pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved

type PacketCapturePhase string

const (
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible to share some types/constants with Traceflow?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also see discussion #6257 (comment)

for the constants part i think it's unnecessary, each CRD may have more different status in the future.

About types, since Traceflow is in vebeta1 now, are you suggesting we define some common types in neutral place?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure if we should define common types across versions. Let us see if @tnqn and @antoninbas have an opinion.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess in theory we could have common definitions in a neutral directory, it wouldn't need to be under apis/crd/<version>. But if it's not a versioned directory, then we would have to be confident that they are not going to change.

K8s has meta/v1 with comm types, such as Time. I don't know how good of an analogy it is.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Except those meta types in meta/v1. K8s doesn't define common types across versions. If a constant needs to be used by a version, it will just be replicated in that version. I think it's to keep every version's stability and compatability. Otherwise a change in one version would have an impact on other versions.

pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
@hangyan
Copy link
Member Author

hangyan commented Aug 30, 2024

@jianjuns Do you think we can add a ip family and ip protocol field? so we can remove ipv6header and icmpheader.

@jianjuns
Copy link
Contributor

jianjuns commented Aug 30, 2024

@jianjuns Do you think we can add a ip family and ip protocol field? so we can remove ipv6header and icmpheader.

That works for me, if you do not see a potential requirement to support other IP header fields, esp. v4 or v6 specific fields.
And I meant to use intstr.IntOrString for protocol.

@hangyan
Copy link
Member Author

hangyan commented Sep 3, 2024

@jianjuns Do you think we can add a ip family and ip protocol field? so we can remove ipv6header and icmpheader.

That works for me, if you do not see a potential requirement to support other IP header fields, esp. v4 or v6 specific fields. And I meant to use intstr.IntOrString for protocol.

updated.

pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved

type PacketCapturePhase string

const (
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure if we should define common types across versions. Let us see if @tnqn and @antoninbas have an opinion.

@hangyan hangyan force-pushed the topic/yhang/packet-capture-api branch 2 times, most recently from 2c563b3 to 57f6640 Compare September 6, 2024 07:29
build/charts/antrea/crds/packetcapture.yaml Outdated Show resolved Hide resolved
build/charts/antrea/crds/packetcapture.yaml Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved

type PacketCapturePhase string

const (
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Except those meta types in meta/v1. K8s doesn't define common types across versions. If a constant needs to be used by a version, it will just be replicated in that version. I think it's to keep every version's stability and compatability. Otherwise a change in one version would have an impact on other versions.

pkg/apis/crd/v1alpha1/types.go Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
build/charts/antrea/crds/packetcapture.yaml Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
build/charts/antrea/crds/packetcapture.yaml Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
Destination Destination `json:"destination"`
Packet *Packet `json:"packet,omitempty"`
// FileServer specifies the sftp url config for the fileServer. Captured packets will be uploaded to this server.
FileServer BundleFileServer `json:"fileServer"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think my original point still applies. Always requiring users to provide an SFTP server in order to do a packet capture is not ideal. That being said, if I am the only one who feels strongly about this, we can always address it in the future if needed.

@hangyan hangyan force-pushed the topic/yhang/packet-capture-api branch from d27c417 to 9150331 Compare October 14, 2024 06:11
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Show resolved Hide resolved
Reason string `json:"reason"`
// NumCapturedPackets records how many packets have been captured. If it reaches the target number, the capture
// can be considered as finished.
NumCapturedPackets *int32 `json:"numCapturedPackets,omitempty"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you mean it's "either in the source or the destination", when the user defined both source and destination in the spec, how do we tell which Node the packets are captured from?

pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
Comment on lines 469 to 465
Timeout *uint16 `json:"timeout,omitempty"`
CaptureConfig CaptureConfig `json:"captureConfig"`
Source Source `json:"source"`
Destination Destination `json:"destination"`
Packet *Packet `json:"packet,omitempty"`
// FileServer specifies the sftp url config for a file server. If present, captured packets will be uploaded to this server.
FileServer *PacketCaptureFileServer `json:"fileServer,omitempty"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The spec doesn't provide enough information to understand how to use the API. I have the questions when looking at the fields:

  1. What's the behavior if Timeout is nil, capturing forever or there is a default value?
  2. Could I set Source only or Destination only, or they must be set together? If not the latter, why they are not optional like other fields?
  3. I suppose it means capturing all traffic matching Source and Destination when Packet is nil, but please make this explicit in the comment.
  4. If FileServer is present, captured packets will be uploaded to this server, then what if FileServer is not present? This seems a valid input given it's a pointer.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure, will add more comments.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated

Comment on lines 467 to 474
Phase PacketCapturePhase `json:"phase"`
// Reason records the failure reason when the capture fails.
Reason string `json:"reason"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Phase is a deprecated pattern of K8s API, it recommends to use conditions which is more flexible to express state of each condition. For example, there could be a condition for capture and another condition for upload. See https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties

I don't have strong opinion if the phase and a single reason can cover all possible results.

pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
@hangyan hangyan force-pushed the topic/yhang/packet-capture-api branch from cf512e7 to b4e2f05 Compare October 21, 2024 10:44
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
Comment on lines 467 to 474
Phase PacketCapturePhase `json:"phase"`
// Reason records the failure reason when the capture fails.
Reason string `json:"reason"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was not addressed, so I assume we are sticking to Phase / Reason?

Note that this is hard to change in future API versions, so I personally think that we should go with the recommended approach right away.

build/charts/antrea/crds/packetcapture.yaml Show resolved Hide resolved
@hangyan hangyan force-pushed the topic/yhang/packet-capture-api branch from b4e2f05 to 5b1e5fc Compare October 29, 2024 02:31
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
@hangyan hangyan force-pushed the topic/yhang/packet-capture-api branch from f517cd8 to 03b443c Compare October 30, 2024 08:49
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
antoninbas
antoninbas previously approved these changes Oct 31, 2024
Copy link
Contributor

@antoninbas antoninbas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, it would be good to get a second approval

Comment on lines 445 to 449
type PacketCaptureFileServer struct {
// The URL of the file server. It is set with format: scheme://host[:port][/path],
// e.g, https://api.example.com:8443/v1/supportbundles/. If scheme is not set, https is used by default.
URL string `json:"url"`
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As I pointed out in the other PR, it seems that we don't have an equivalent to BundleServerAuthConfiguration for PacketCapture (to configure sftp authentication). But that may have been intentional?

Copy link
Member Author

@hangyan hangyan Nov 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes. a dedicated secret is serving the purpose. It's hard to find the origin discussion in the previous PR..

pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
@hangyan
Copy link
Member Author

hangyan commented Nov 1, 2024

@luolanzone All updated. Can you take a look again?

I also removed the ipv6 related support in CRD schema. It should be easy to add it back in the following releases.

pkg/apis/crd/v1alpha1/types.go Outdated Show resolved Hide resolved
build/yamls/antrea.yml Outdated Show resolved Hide resolved
build/yamls/antrea.yml Outdated Show resolved Hide resolved
build/yamls/antrea.yml Outdated Show resolved Hide resolved
Copy link
Member

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Contributor

@luolanzone luolanzone left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@hangyan hangyan force-pushed the topic/yhang/packet-capture-api branch from 09c05bb to d5f9743 Compare November 1, 2024 10:01
Signed-off-by: Hang Yan <yhang@vmware.com>
Co-authored-by: Lan <luola@vmware.com>
Co-authored-by: Quan Tian <quan.tian@broadcom.com>
Co-authored-by: Antonin Bas <antonin.bas@gmail.com>
@hangyan hangyan force-pushed the topic/yhang/packet-capture-api branch from d5f9743 to 807ba3e Compare November 1, 2024 10:09
@antoninbas
Copy link
Contributor

/skip-all

@antoninbas antoninbas merged commit 92454fb into antrea-io:main Nov 4, 2024
57 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
action/release-note Indicates a PR that should be included in release notes. api-review Categorizes an issue or PR as actively needing an API review. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants