Attempt to make Blockhole blocking on L7 #4
Closed
Commits on Apr 27, 2024
-
-
Add a 5s delay after unblackholing (for the catch-up to work)
Shorten the wait time for the open connection to expire to 5s
Commits on Apr 28, 2024
-
[RFC] Attempt to make Blockhole blocking on L7
Based on Fu Wei's idea, we employ blocking on L7 but without using external tools. [Main ideas] The main idea is 1) utilize the `X-PeerURLs` field from the header, as we know all traffic to peer will contain this header field. 2) As we also know that all nodes will create direct connections with their peers, so the traffic blocking will have to happen at all nodes' proxies, contrary to the current design, where only the proxy of the peer is being blackholed. Based on the main ideas, we introduce a SSL termination proxy so we can obtain the `X-PeerURLs` field from the header. [Issues] There are 2 known issues with this approach 1) still leaking some traffic. But the leaked traffic (as discussed later won't affect the blackhole idea that we would like to achieve (as stream and pipeline traffic between raft nodes are now properly terminated) 2) we would need to employ SSL termination proxy, which might lead to a small performance hit For 1), as this way of blocking (by utilizing `X-PeerURLs` from the header) will miss certain types of traffic to certain endpoints, as the traffic to some endpoints doesn't have the `X-PeerURLs` field. Currently, here are the known ones: /members, /version, and /raft/probing. As you can see from the log, its header doesn't contain the `X-PeerURLs` field, but only the following fields: - map[Accept-Encoding:[gzip] User-Agent:[Go-http-client/1.1]] /members - map[Accept-Encoding:[gzip] User-Agent:[Go-http-client/1.1]] /version - map[Accept-Encoding:[gzip] User-Agent:[Go-http-client/1.1]] /raft/probing For 2) in order to read out `X-PeerURLs` from the header, we need to terminate the SSL connection, as we can't drop cleartext traffic (ref [1]). Thus, a new option `e2e.WithSSLTerminationProxy(true)` is introduced, which will change the network flow into ``` A -- B's SSL termination proxy - B's transparent proxy - B ^ newly introduced ^ in the original codebase ``` [Known improvements required before turning RFC into PR] The prototype needs to be further improved for code review after fixing the following issues: - blocking only RX or TX traffic (as currently a call to `blackholeTX` or `blackholeRX` will black both TX and RX traffic instead of just the specified one. - slowness when performing test cleanup (I think this is related to the SSL timeout setting, but I haven't looked into it yet) - coding style improvements References: [1] etcd-io#15595
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.