Skip to content

Commit

Permalink
Merge pull request #3140 from etungsten/1.14.1-cherrypicks
Browse files Browse the repository at this point in the history
[1.14.x] Cherry-pick #3137, #3138, #3139
  • Loading branch information
etungsten authored May 24, 2023
2 parents bf52160 + 2febd98 commit 95ed132
Show file tree
Hide file tree
Showing 7 changed files with 289 additions and 91 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
From b3983ebbfa2dc231a2b61092b0a936bd25294239 Mon Sep 17 00:00:00 2001
From: Markus Boehme <markubo@amazon.com>
Date: Tue, 23 May 2023 21:24:38 +0000
Subject: [PATCH] af_unix: increase default max_dgram_qlen to 512

The net.unix.max_dgram_qlen sysctl has been defined with a default value of
10 since before the current Git history started in 2005. Systems have more
resources these days, and while the default values for other sysctls like
net.core.somaxconn have been adapted, max_dgram_qlen never was.

Increase the default value for max_dgram_qlen to 512. A large number of
hosts effectively already run with this or a larger value, since systemd
has been making sure it is set to at least 512 since 2015.

Signed-off-by: Markus Boehme <markubo@amazon.com>
---
Documentation/networking/ip-sysctl.rst | 2 +-
net/unix/af_unix.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
index 252212998..164a65667 100644
--- a/Documentation/networking/ip-sysctl.rst
+++ b/Documentation/networking/ip-sysctl.rst
@@ -2688,5 +2688,5 @@ addr_scope_policy - INTEGER
max_dgram_qlen - INTEGER
The maximum length of dgram socket receive queue

- Default: 10
+ Default: 512

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 28721e957..a5f081ad8 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2948,7 +2948,7 @@ static int __net_init unix_net_init(struct net *net)
{
int error = -ENOMEM;

- net->unx.sysctl_max_dgram_qlen = 10;
+ net->unx.sysctl_max_dgram_qlen = 512;
if (unix_sysctl_register(net))
goto out;

--
2.39.2

2 changes: 2 additions & 0 deletions packages/kernel-5.10/kernel-5.10.spec
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,8 @@ Source103: config-bottlerocket-vmware
Patch1001: 1001-Makefile-add-prepare-target-for-external-modules.patch
# Enable INITRAMFS_FORCE config option for our use case.
Patch1002: 1002-initramfs-unlink-INITRAMFS_FORCE-from-CMDLINE_-EXTEN.patch
# Increase default of sysctl net.unix.max_dgram_qlen to 512.
Patch1003: 1003-af_unix-increase-default-max_dgram_qlen-to-512.patch

# Add zstd support for compressed kernel modules
Patch2000: 2000-kbuild-move-module-strip-compression-code-into-scrip.patch
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
From e36140bfb2795377360bb92c343b10c717567c62 Mon Sep 17 00:00:00 2001
From: Markus Boehme <markubo@amazon.com>
Date: Tue, 23 May 2023 17:16:44 +0000
Subject: [PATCH] af_unix: increase default max_dgram_qlen to 512

The net.unix.max_dgram_qlen sysctl has been defined with a default value of
10 since before the current Git history started in 2005. Systems have more
resources these days, and while the default values for other sysctls like
net.core.somaxconn have been adapted, max_dgram_qlen never was.

Increase the default value for max_dgram_qlen to 512. A large number of
hosts effectively already run with this or a larger value, since systemd
has been making sure it is set to at least 512 since 2015.

Signed-off-by: Markus Boehme <markubo@amazon.com>
---
Documentation/networking/ip-sysctl.rst | 2 +-
net/unix/af_unix.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
index 7890b395e..54a0be396 100644
--- a/Documentation/networking/ip-sysctl.rst
+++ b/Documentation/networking/ip-sysctl.rst
@@ -2885,5 +2885,5 @@ plpmtud_probe_interval - INTEGER
max_dgram_qlen - INTEGER
The maximum length of dgram socket receive queue

- Default: 10
+ Default: 512

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index a96026dbd..267ee6d29 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -3343,7 +3343,7 @@ static int __net_init unix_net_init(struct net *net)
{
int error = -ENOMEM;

- net->unx.sysctl_max_dgram_qlen = 10;
+ net->unx.sysctl_max_dgram_qlen = 512;
if (unix_sysctl_register(net))
goto out;

--
2.39.2

2 changes: 2 additions & 0 deletions packages/kernel-5.15/kernel-5.15.spec
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ Patch1001: 1001-Makefile-add-prepare-target-for-external-modules.patch
Patch1002: 1002-Revert-kbuild-hide-tools-build-targets-from-external.patch
# Enable INITRAMFS_FORCE config option for our use case.
Patch1003: 1003-initramfs-unlink-INITRAMFS_FORCE-from-CMDLINE_-EXTEN.patch
# Increase default of sysctl net.unix.max_dgram_qlen to 512.
Patch1004: 1004-af_unix-increase-default-max_dgram_qlen-to-512.patch

# Backport from v5.15.111 upstream, drop when Amazon Linux base is v5.15.111 or later
Patch5001: 5001-netfilter-nf_tables-deactivate-anonymous-set-from-pr.patch
Expand Down
76 changes: 72 additions & 4 deletions sources/host-ctr/cmd/host-ctr/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -575,16 +575,84 @@ func cleanUp(containerdSocket string, namespace string, containerID string) erro
return nil
}

// parseImageURISpecialRegions mimics the parsing in ecr.ParseImageURI but
// constructs the canonical ECR references while skipping certain checks.
// We only do this for special regions that are not yet supported by the aws-go-sdk.
// Referenced source: /~https://github.com/awslabs/amazon-ecr-containerd-resolver/blob/a5058cf091f4fc573813a032db37a9820952f1f9/ecr/ref.go#L70-L71
func parseImageURISpecialRegions(input string) (ecr.ECRSpec, error) {
ecrRefPrefixMapping := map[string]string{
"il-central-1": "ecr.aws/arn:aws:ecr:il-central-1:",
}
// Matching on account, region
matches := ecrRegex.FindStringSubmatch(input)
if len(matches) < 3 {
return ecr.ECRSpec{}, fmt.Errorf("invalid image URI: %s", input)
}
account := matches[1]
region := matches[2]

// Need to include the full repository path and the imageID (e.g. /eks/image-name:tag)
tokens := strings.SplitN(input, "/", 2)
if len(tokens) != 2 {
return ecr.ECRSpec{}, fmt.Errorf("invalid image URI: %s", input)
}
fullRepoPath := tokens[len(tokens)-1]
// Run simple checks on the provided repository.
switch {
case
// Must not be empty
fullRepoPath == "",
// Must not have a partial/unsupplied label
strings.HasSuffix(fullRepoPath, ":"),
// Must not have a partial/unsupplied digest specifier
strings.HasSuffix(fullRepoPath, "@"):
return ecr.ECRSpec{}, errors.New("incomplete reference provided")
}

// Get the ECR image reference prefix from the AWS region
ecrRefPrefix, ok := ecrRefPrefixMapping[region]
if !ok {
return ecr.ECRSpec{}, fmt.Errorf("%s: %s", "invalid region in internal mapping", region)
}

return ecr.ParseRef(fmt.Sprintf("%s%s:repository/%s", ecrRefPrefix, account, fullRepoPath))
}

// fetchECRRef attempts to resolve the ECR reference from an input source string
// by first using the aws-sdk-go's ParseImageURI function. This will fail for
// special regions that are not yet supported. If it fails for any reason,
// attempt to parse again using parseImageURISpecialRegions in this package.
// This uses a special region reference to build the ECR image references.
// If both fail, an error is returned.
func fetchECRRef(ctx context.Context, input string) (ecr.ECRSpec, error) {
var spec ecr.ECRSpec
spec, err := ecr.ParseImageURI(input)
if err == nil {
return spec, nil
}
log.G(ctx).WithError(err).WithField("source", input).Warn("failed to parse ECR reference")

// The parsing might fail if the AWS region is special, parse again with special handling:
spec, err = parseImageURISpecialRegions(input)
if err == nil {
return spec, nil
}

// Return the error for the parseImageURISpecialRegions from this package
// if a valid ECR ref has not yet been returned
log.G(ctx).WithError(err).WithField("source", input).Error("failed to parse special ECR reference")
return ecr.ECRSpec{}, errors.Wrap(err, "could not parse ECR reference for special regions")

}

// fetchECRImage does some additional conversions before resolving the image reference and fetches the image.
func fetchECRImage(ctx context.Context, source string, client *containerd.Client, registryConfigPath string, fetchCachedImageIfExist bool) (containerd.Image, error) {
ref := source
ecrRef, err := ecr.ParseImageURI(ref)
ecrRef, err := fetchECRRef(ctx, source)
if err != nil {
log.G(ctx).WithError(err).WithField("source", source).Error("failed to parse ECR reference")
return nil, err
}
ref := ecrRef.Canonical()

ref = ecrRef.Canonical()
log.G(ctx).
WithField("ref", ref).
WithField("source", source).
Expand Down
62 changes: 62 additions & 0 deletions sources/host-ctr/cmd/host-ctr/main_test.go
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package main

import (
"context"
"testing"

"github.com/containerd/containerd/remotes/docker"
Expand Down Expand Up @@ -160,3 +161,64 @@ func TestBadRegistryHosts(t *testing.T) {
_, err := f("docker.io")
assert.Error(t, err)
}

func TestFetchECRRef(t *testing.T) {
tests := []struct {
name string
ecrImgURI string
expectedErr bool
expectedRef string
}{
{
"Parse typical region for normal use-cases",
"111111111111.dkr.ecr.us-west-2.amazonaws.com/bottlerocket/container:1.2.3",
false,
"ecr.aws/arn:aws:ecr:us-west-2:111111111111:repository/bottlerocket/container:1.2.3",
},
{
"Parse special region",
"111111111111.dkr.ecr.il-central-1.amazonaws.com/bottlerocket/container:1.2.3",
false,
"ecr.aws/arn:aws:ecr:il-central-1:111111111111:repository/bottlerocket/container:1.2.3",
},
{
"Parse China regions",
"111111111111.dkr.ecr.cn-north-1.amazonaws.com/bottlerocket/container:1.2.3",
false,
"ecr.aws/arn:aws-cn:ecr:cn-north-1:111111111111:repository/bottlerocket/container:1.2.3",
},
{
"Parse gov regions",
"111111111111.dkr.ecr.us-gov-west-1.amazonaws.com/bottlerocket/container:1.2.3",
false,
"ecr.aws/arn:aws-us-gov:ecr:us-gov-west-1:111111111111:repository/bottlerocket/container:1.2.3",
},
{
"Fail for invalid region",
"111111111111.dkr.ecr.outer-space.amazonaws.com/bottlerocket/container:1.2.3",
true,
"",
},
{
"Empty string fails",
"",
true,
"",
},
}

for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
result, err := fetchECRRef(context.TODO(), tc.ecrImgURI)
if tc.expectedErr {
// handle error cases
if err == nil {
t.Fail()
}
} else {
// handle happy paths
assert.Equal(t, tc.expectedRef, result.Canonical())
}
})
}
}
Loading

0 comments on commit 95ed132

Please sign in to comment.