Add packet capture feature

[hangyan]

This commit adds the packet capture feature to Antrea.

Fix #5443

Feature Introduction

Traceflow works well for network flow diagnose, but sometimes users may want to take a look into the raw packets in the flow. Currently, Antrea lacks the ability to capture raw packet in live traffic.

CRD Example

apiVersion: crd.antrea.io/v1alpha1
kind: PacketCapture
metadata:
  name: tf-test
spec:
  timeout: 60             # a hard limit for all sampling session
  type: FirstNCapture   # support one type first
  parameters: 
    number: 15            # the number of packets to be captured
  source:                 # same selector as Traceflow
    namespace: default
    pod: tcp-sts-0
  destination:
    namespace: default
    pod: tcp-sts-2   
  packet:
    ipHeader: 
      protocol: 6 
    transportHeader:
      tcp:
        srcPort: 10000 
        dstPort: 80 
  fileServer:
    url: sftp://youtestdomain.com:22/root/test
  authentication:
    authType: “BasicAuthenticaion“
    authSecret:
      name: support-bundle-secret
      namespace: default

Notice

1. PacketCapture uses OVS REG as the flow mark to do the capture.
2. Compare to traceflow/supportbundle, since the results need to be uploaded to a sftp server (rather being included in CRD spec or supporting download directly), it's not very convenient for users to specify url/pwd/username for a sftp server in cmd args, so antctl sub-command support for PacketSampling is not implemented yet.

Vefied cases

1. pod -> pod
2. IP -> pod / pod -> IP
3. pod -> svc
4. udp/icmp...

known issue for now

1. pod -> svc -> local pod not working.

Links:

1. Origin Proposal
2. Add first N sampling to the live-traffic traceflow #5345

[hangyan]

@luolanzone Here is the current PR for packet sampling. If you think more information was needed to help review this, let me know and I will update this ASAP. currently i'm actively working on the remaining tests and unitest/docs. Appreciate any inputs on the current implemention.

[hangyan]

@luolanzone Hi lan, all updated. will make sure the golangci-fix pass and import order is correct in the following commits. Please have a review again

[luolanzone]

what's your thoughts about the name?

[luolanzone]

I saw you used both packetsampling and PacketSampling in the log. Maybe stick to PacketSampling in logs and comments.

[luolanzone]

@hangyan please check and add e2e test as traceflow_test.go for this new feature. Thanks.

[hangyan]

hi @tnqn @wenyingd @gran-vmv Can you help review this PR too? Currently i'm working on finishing the unit tests and i think the main code is ready. Thanks!

[wenyingd]

Why we not create directory under TEMP on Windows?

[wenyingd]

Why not move this check to the logic in validation webhook when creating the CR?

[hangyan]

1. updated to use golang function for temp dir.
2. updated to use webhook

[luolanzone]

+1, please use webhook to do the validation.

[hangyan]

Updated on 4.7

Accoding to Quan's suggestions. controller was removed, so i think the validation webhook can keep the old way? because it only do some simple validation on the fields, not calling k8s apis.

also @tnqn . Is it ok to keep the validation code in controller/<feature-name>/... when there are no controller?

---

Is it possible that the pod/service object exist during the webhook validation but was deleted when the packetsapmpling was running? We still need to add error check in the code, right?

[tnqn]

not finished yet

[luolanzone]

Hi @hangyan I have moved this PR out of v2.0, could you please create a separate PR for API first. We can do a further discussion for the data path implementation. Thanks.

[hangyan]

Hi @hangyan I have moved this PR out of v2.0, could you please create a separate PR for API first. We can do a further discussion for the data path implementation. Thanks.

OK.

[hangyan]

cc @jianjuns @antoninbas also continue help review this. (there some quan's comment left on the pipeline impl i'm current working on a fix. but the other parts has been updated according to the api change.

[luolanzone]

not finished yet.

[luolanzone]

I would agree not to support Pod-to-Service at the moment, @jianjuns @antoninbas please input if you have a different view. Thanks.

[luolanzone]

It seems you missed another case that senderOnly && pc.Spec.Destination.IP !="" . I feel senderOnly is not aproper name, maybe emptyDestinationPod

[hangyan]

this was only for the service case to generated flows for endpoints. Since we are planning to remove this, will see after that settled

[luolanzone]

There are multiple returns between c.runningPacketCapturesMutex.Lock() and c.runningPacketCapturesMutex.Unlock(), there will be dead locks if the function returned but Unlock() is not executed. Please wrap them into a function and use defer to run unlock:

func(){
    c.runningPacketCapturesMutex.Lock()
    defer c.runningPacketCapturesMutex.Unlock()
    ...
}

[hangyan]

done

[luolanzone]

Does it mean you only capture the packets on the destination Node?

[hangyan]

not exactly. we first select a target pod, then use this pod to select the target node. The pod could be on the source or the dest, so the node also is.

[luolanzone]

Probably wrap into a function as getFileAndWriter.

[hangyan]

done

[luolanzone]

receiverOnly = pc.Spec.Destination.Pod != nil && pc.Spec.Source.Pod == nil
When it's receiverOnly, why the destination Pod in the spec is ignored in this case? here only assigned source IP and destinationMAC.

[hangyan]

we have an ofPort matcher in the flow to serve this purpose in this case.

			MatchDstMAC(packet.DestinationMAC).
			Action().LoadToRegField(TargetOFPortField, ofPort).

[luolanzone]

It's not correct, I didn't see you limit the protocol scope in the manifest:

                   protocol:
                      x-kubernetes-int-or-string: true

I can see we set port as x-kubernetes-int-or-string in most cases, we should limit the protocol to three string types: TCP/UDP/ICMP as you mentioned in the usage document.

[hangyan]

yeah, waiting for the updates from the API MR comments.

cc @antoninbas to confirm this.

[luolanzone]

Is this log correct? it's not defined by the CR but a pre-defined secret, right?

[hangyan]

updated

[luolanzone]

@hangyan don't forget to resolve code conflicts in pkg/agent/supportbundlecollection/support_bundle_controller.go

[hangyan]

@hangyan don't forget to resolve code conflicts in pkg/agent/supportbundlecollection/support_bundle_controller.go

Done. All fixed. Please take a look again.

[luolanzone]

Can you make the changes for API related into a dedicated commit? and the details should be added to the commit message of data path change, this can help to simplify code review. Please do the same if you plan to have a new PR for the new data path implementation.

[luolanzone]

Suggested change

	Currently we support max to `15` concurrrent PacketCapture session running at the same time.
	Currently, we support a maximum of 15 concurrent sessions running at the same time.

[luolanzone]

Suggested change

	# path format: <pod-name>:<filepath>. If this file was uploaded to the target file server, filename format is <uid>.pcapng
	# path format: <pod-name>:<filepath>. If this file was uploaded to the target file server, the filename format is <uid_of_packetcapture>.pcapng

[jianjuns]

Should we say "The path of the packets file that is uploaded to the target file server, in the format of :. The PacketCapture CR UID is used as the file name".

[hangyan]

see updates in new MR:

https://github.com/antrea-io/antrea/pull/6756/files#diff-85885950227d9a63e3111e9d55beab8866d76d2286150454e04e1e60966fa60d

[luolanzone]

We should provide the path info in the antrea-agent pod, and it's not clear about "local antrea-agent pod", which antrea-agent Pod it will be? The Pod on the Node where the target Pod is running?