On Thu, Mar 25, 2021 at 06:58:56PM +0100, Ilya Maximets wrote:
> On 3/25/21 5:43 PM, Stefan Hajnoczi wrote:
> > On Thu, Mar 25, 2021 at 12:00:11PM +0100, Ilya Maximets wrote:
> >> On 3/25/21 10:35 AM, Stefan Hajnoczi wrote:
> >>> On Wed, Mar 24, 2021 at 02:11:31PM +0100, Ilya Maximets wrote:
> >>>> On 3/24/21 1:05 PM, Stefan Hajnoczi wrote:
> >>>>> On Tue, Mar 23, 2021 at 04:54:57PM -0400, Billy McFall wrote:
> >>>>>> On Tue, Mar 23, 2021 at 3:52 PM Ilya Maximets wrote:
> >>>>>>> On 3/23/21 6:57 PM, Adrian Moreno wrote:
> >>>>>>>> On 3/19/21 6:21 PM, Stefan Hajnoczi wrote:
> >>>>>>>>> On Fri, Mar 19, 2021 at 04:29:21PM +0100, Ilya Maximets wrote:
> >>>>>>>>>> On 3/19/21 3:05 PM, Stefan Hajnoczi wrote:
> >>>>>>>>>>> On Thu, Mar 18, 2021 at 08:47:12PM +0100, Ilya Maximets wrote:
> >>>>>>>>>>>> On 3/18/21 6:52 PM, Stefan Hajnoczi wrote:
> >>>>>>>>>>>>> On Wed, Mar 17, 2021 at 09:25:26PM +0100, Ilya Maximets wrote:
> >>>> - How to get this fd again after the OVS restart? CNI will not be invoked
> >>>>   at this point to pass a new fd.
> >>>>
> >>>> - If the application closes the connection for any reason (restart, some
> >>>>   reconfiguration internal to the application) and OVS is re-started
> >>>>   at the same time, the abstract socket will be gone. Need a persistent
> >>>>   daemon to hold it.
> >>>
> >>> I remembered that these two points can be solved by sd_notify(3)
> >>> FDSTORE=1. This requires that OVS runs as a systemd service. Not sure if
> >>> this is the case (at least in the CNI use case)?
> >>>
> >>> https://www.freedesktop.org/software/systemd/man/sd_notify.html
> >>
> >> IIUC, these file descriptors are only passed on the restart of the service,
> >> so the port-del + port-add scenario is not covered (and this is a very
> >> common use case: users are implementing some configuration changes this
> >> way, and it is also an internally possible scenario, e.g. this sequence
> >> will be triggered internally to change the OpenFlow port number).
> >> port-del will release all the resources including the listening socket.
> >> Keeping the fd for later use is not an option, because OVS will not know
> >> if this port will be added back or not, and fds are a limited resource.
> >
> > If users of the CNI plugin are reasonably expected to do this then it
> > sounds like a blocker for the sd_notify(3) approach. Maybe it could be
> > fixed by introducing an atomic port-rename (?) operation, but this is
> > starting to sound too invasive.
>
> It's hard to implement, actually. Things like 'port-rename' will
> be internally implemented as del+add in most cases. Otherwise, it
> will require a significant rework of OVS internals.
> There are things that could be adjusted on the fly, but some
> fundamental parts like the OF port number that every other part depends
> on are not easy to change.

I see. In that case the sd_notify(3) approach won't work.

> >> OVS could run as a system pod or as a systemd service. It differs from
> >> one setup to another. So it might not be controlled by systemd.
> >
> > Does the CNI plugin allow both configurations?
>
> CNI runs as a DaemonSet (pod on each node) by itself, and it doesn't
> matter if OVS is running on the host or in a different pod.

Okay.

> > It's impossible to come up with one approach that works for everyone in
> > the general case (beyond the CNI plugin, beyond Kubernetes).
>
> If we're looking for a solution to store abstract sockets somehow
> for OVS then it's hard to come up with something generic. It will
> have a dependency on a specific init system anyway.
>
> OTOH, the Broker solution will work for all cases. :) One may think
> of a broker as a service that supplies abstract sockets for processes
> from different namespaces. These sockets are already connected, for
> convenience.

I'm not sure what we're trying to come up with :). I haven't figured out
how much of what has been discussed is cosmetic and nice-to-have stuff
versus what is a real problem that needs a solution.

From the vhost-user point of view I would prefer to stick to the existing
UNIX domain socket approach. Any additional mechanism adds extra
complexity, won't be supported by all software, requires educating users
and developers, requires building new vhost-user application container
images, etc. IMO it's only worth doing if there is a real problem with
UNIX domain sockets that cannot be solved without introducing a new
connection mechanism.

Stefan
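The sd_notify(3) FDSTORE=1 mechanism discussed above, as an added example that is not code from this thread, from OVS or from systemd. It re-implements the documented wire protocol directly so it runs without libsystemd: the service sends a datagram of KEY=VALUE lines to $NOTIFY_SOCKET with the listening fd attached via SCM_RIGHTS, and on restart the manager hands the fds back at fd 3 onward, described by LISTEN_PID, LISTEN_FDS and LISTEN_FDNAMES (the sd_listen_fds_with_names(3) convention). The "manager" here is a constructed stand-in socket, and the socket name "vhost-user0" and the paths are made up for the demo. The demo also shows the limit Ilya points out: the store only helps when the stored copy outlives the service's own fd, which is exactly what a port-del does not preserve once the service asks for the fd to be dropped.

```python
"""sd_notify FDSTORE=1 handshake and sd_listen_fds hand-back, without libsystemd.

Added example (not from the thread, OVS or systemd). Wire format follows
sd_notify(3)/sd_listen_fds(3); the fake manager and socket names are constructed.
"""
import array
import os
import socket
import tempfile


def notify_fdstore(fd, name, notify_socket=None):
    """Ask the service manager to keep `fd` across restarts (FDSTORE=1).

    Sends "FDSTORE=1\\nFDNAME=<name>\\n" as one datagram to NOTIFY_SOCKET with
    the descriptor attached as SCM_RIGHTS. Returns False when no NOTIFY_SOCKET
    is available, i.e. the process is not running under a manager with a store.
    """
    path = notify_socket or os.environ.get("NOTIFY_SOCKET")
    if not path:
        return False
    if path.startswith("@"):            # abstract-namespace address
        path = "\0" + path[1:]
    payload = f"FDSTORE=1\nFDNAME={name}\n".encode()
    rights = array.array("i", [fd])
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendmsg([payload], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, rights)], 0, path)
    return True


def recv_fdstore(manager_sock):
    """Manager side: receive one notification and unpack any SCM_RIGHTS fds.

    Returns (fields, fds). The fds are new descriptors in this process that
    refer to the sender's open file descriptions.
    """
    space = socket.CMSG_SPACE(16 * array.array("i").itemsize)
    data, ancdata, flags, _ = manager_sock.recvmsg(4096, space)
    if flags & socket.MSG_CTRUNC:
        raise RuntimeError("ancillary data truncated; fds were dropped")
    fds = []
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            a = array.array("i")
            a.frombytes(cdata[: len(cdata) - (len(cdata) % a.itemsize)])
            fds.extend(a)
    fields = {}
    for line in data.decode().splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields, fds


def listen_fds(environ=None, pid=None):
    """Mirror sd_listen_fds_with_names(3): map FDNAME -> [fd] for descriptors
    passed back at fds 3..3+LISTEN_FDS-1. LISTEN_PID must match, so an
    environment inherited from a parent is ignored rather than misused."""
    env = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid
    try:
        if int(env.get("LISTEN_PID", "0")) != pid:
            return {}
        count = int(env.get("LISTEN_FDS", "0"))
    except ValueError:
        return {}
    names = env["LISTEN_FDNAMES"].split(":") if "LISTEN_FDNAMES" in env else []
    passed = {}
    for i in range(count):
        name = names[i] if i < len(names) and names[i] else "unknown"
        passed.setdefault(name, []).append(3 + i)      # SD_LISTEN_FDS_START
    return passed


def demo():
    """Constructed run: store a vhost-user listener, close the original fd as
    a restart would, and show the stored copy still accepts a frontend."""
    with tempfile.TemporaryDirectory() as d:
        notify_path = os.path.join(d, "notify")        # fake $NOTIFY_SOCKET
        vhost_path = os.path.join(d, "vhost-user0")    # constructed socket path
        manager = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        manager.bind(notify_path)
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(vhost_path)
        listener.listen(1)
        sent = notify_fdstore(listener.fileno(), "vhost-user0", notify_socket=notify_path)
        fields, fds = recv_fdstore(manager)
        stored = socket.socket(fileno=fds[0])          # manager now holds a copy
        same = os.fstat(stored.fileno()).st_ino == os.fstat(listener.fileno()).st_ino
        listener.close()                               # service's own fd is gone
        client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        client.connect(vhost_path)                     # frontend still gets in
        conn, _ = stored.accept()
        accepted = conn is not None
        conn.close(); client.close(); stored.close(); manager.close()
        env = {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "1",
               "LISTEN_FDNAMES": "vhost-user0"}        # what the manager sets on restart
        return {"sent": sent, "fields": fields, "same_description": same,
                "accepted": accepted, "restored": listen_fds(env),
                "wrong_pid": listen_fds(env, pid=os.getpid() + 1)}


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the observations; under a real systemd unit, FDSTORE=1 also needs `FileDescriptorStoreMax=` set on the unit, and an abstract-namespace listener stored this way is visible only in the network namespace it was created in, which is the namespace question the thread is circling around.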