[AclOrch] aclOrch enhancement to handle LAG port not configured case #494
Conversation
orchagent/main.cpp
Outdated
| @@ -249,8 +249,9 @@ int main(int argc, char **argv) | |||
| /* Initialize orchestration components */ | |||
| DBConnector *appl_db = new DBConnector(APPL_DB, DBConnector::DEFAULT_UNIXSOCKET, 0); | |||
| DBConnector *config_db = new DBConnector(CONFIG_DB, DBConnector::DEFAULT_UNIXSOCKET, 0); | |||
There was a problem hiding this comment.
new [](start = 29, length = 3)
There are memory leak risk at extreme memory situation. #Closed
There was a problem hiding this comment.
@qiluo-msft Hi Qi, could you elaborate the concern here? #Closed
There was a problem hiding this comment.
There are several 'new' statements here. If memory is used up in the middle, there will be memory leak issue.
The bug should be here for a long time, and your added code make it worse a little bit.
In reply to: 186248077 [](ancestors = 186248077)
orchagent/aclorch.h
Outdated
| @@ -248,6 +248,10 @@ class AclTable { | |||
| std::map<sai_object_id_t, sai_object_id_t> ports; | |||
| // Map rule name to rule data | |||
| map<string, shared_ptr<AclRule>> rules; | |||
| // Set to store the ACL table port alias | |||
| set<string> portListsSet; | |||
| // Set tje store the not cofigured ACL table port alias | |||
orchagent/aclorch.cpp
Outdated
| } | ||
| else | ||
| { | ||
| it = consumer.m_toSync.erase(it); |
There was a problem hiding this comment.
it = consumer.m_toSync.erase(it); [](start = 12, length = 33)
erase is common for all cases, so you can do it outside the if-else. #Closed
orchagent/aclorch.cpp
Outdated
| @@ -1740,6 +1812,7 @@ bool AclOrch::processPorts(string portsList, std::function<void (sai_object_id_t | |||
| split(portsList, strList, ','); | |||
|
|
|||
| set<string> strSet(strList.begin(), strList.end()); | |||
| aclTable.portListsSet = strSet; | |||
There was a problem hiding this comment.
portListsSet [](start = 13, length = 12)
Call it portSet? #Closed
orchagent/aclorch.cpp
Outdated
|
|
||
| return true; | ||
| } | ||
|
|
||
| bool AclOrch::processAclTableType(string type, acl_table_type_t &table_type) |
There was a problem hiding this comment.
processAclTableType [](start = 14, length = 19)
Lots of repeated code, you can call one from the other. #Closed
There was a problem hiding this comment.
Sorry, I mean processPorts() and processPendingPort() share some code, it is possible to call one from the other?
In reply to: 186252087 [](ancestors = 186252087)
There was a problem hiding this comment.
@qiluo-msft They do share some same code, I also have considered calling processPendingPort(previously processSinglePort) in processPorts. But if we look into the whole procedure, processPorts only "link" ports to tables and the action to "bind" table to ports are not included.
For processPendingPort, it's dedicated to receiving the notification and handle the pending port, in this one function "link" and "bind" all performed. To keep the code more straightforward and readable I decide to have these two functions separated through will have some slight redundant code.
There was a problem hiding this comment.
you can move aclTable.bind out of the processPendingPort() function and make the code reuse.
you can do aclTable.bind in doAclTablePortUpdateTask().
In reply to: 186911317 [](ancestors = 186911317)
orchagent/aclorch.cpp
Outdated
| { | ||
| auto table = itmap.second; | ||
|
|
||
| if (table.pendingPortListSet.find(port_alias) != table.pendingPortListSet.end()) |
There was a problem hiding this comment.
pendingPortListSet [](start = 26, length = 18)
Call it pendingPortSet? #Closed
|
@qiluo-msft all comments handled, please check the latest commit. #Closed |
|
|
||
| OrchDaemon *orchDaemon = new OrchDaemon(appl_db, config_db); |
There was a problem hiding this comment.
I don't think we would need to have orchDaemon allocate from stack. This could still be retained as it is (allocate via new) so we wouldn't have to worry about the class holding more data in future just in case.
orchagent/aclorch.cpp
Outdated
|
|
||
| if (table.pendingPortSet.find(port_alias) != table.pendingPortSet.end()) | ||
| { | ||
| SWSS_LOG_NOTICE("found the port: %s in ACL table: %s pending port list, bind it to ACL table.", port_alias.c_str(), table.description.c_str()); |
There was a problem hiding this comment.
You may want to put this as INFO instead of NOTICEs?
orchagent/aclorch.cpp
Outdated
| for (auto itmap : m_AclTables) | ||
| { | ||
| auto table = itmap.second; | ||
|
|
There was a problem hiding this comment.
Can you remove the extra lines. There are few other redundant lines as well in the PR.
orchagent/aclorch.cpp
Outdated
| @@ -1898,18 +2024,17 @@ sai_status_t AclOrch::bindAclTable(sai_object_id_t table_oid, AclTable &aclTable | |||
| sai_status_t status = SAI_STATUS_SUCCESS; | |||
|
|
|||
| SWSS_LOG_INFO("%s table %s to ports", bind ? "Bind" : "Unbind", aclTable.id.c_str()); | |||
|
|
|||
| if (aclTable.portSet.empty()) | |||
There was a problem hiding this comment.
I don't think this condition will be ever true in this flow. Can you check?
There was a problem hiding this comment.
you are correct, I removed this flow.
orchagent/aclorch.cpp
Outdated
| { | ||
| return SAI_STATUS_SUCCESS; | ||
| } | ||
| SWSS_LOG_WARN("Binding port list is empty for %s table", aclTable.id.c_str()); |
There was a problem hiding this comment.
It could be a normal flow to delete aclTable which is not yet bind to any port list. We wouldn't want to log warning if it is in the delete flow.
There was a problem hiding this comment.
condition check added.
|
As for VS, it should be added but for now we have the testbed to cover this flow. |
|
3 new VS test case added
|
orchagent/aclorch.cpp
Outdated
| { | ||
| SWSS_LOG_ENTER(); | ||
|
|
||
| sai_object_id_t port_id; |
There was a problem hiding this comment.
sai_object_id_t port_id == SAI_NULL_OBJECT_ID; do it here. then you do not need to assign later in the function.
orchagent/aclorch.cpp
Outdated
| if (port.m_lag_member_id != SAI_NULL_OBJECT_ID) | ||
| { | ||
| SWSS_LOG_ERROR("Failed to process port. Bind table to LAG member %s is not allowed", alias.c_str()); | ||
| port_id = SAI_NULL_OBJECT_ID; |
There was a problem hiding this comment.
port_id = SAI_NULL_OBJECT_ID; [](start = 12, length = 29)
remove this.
orchagent/aclorch.cpp
Outdated
| if (table.portSet.find(port_alias) != table.portSet.end()) | ||
| { | ||
| table.pendingPortSet.emplace(port_alias); | ||
| SWSS_LOG_WARN("Add deleted port: %s to the pending list of ACL table: %s", port_alias.c_str(), table.description.c_str()); |
There was a problem hiding this comment.
why is this warning level?
orchagent/aclorch.cpp
Outdated
| table.pendingPortSet.emplace(port_alias); | ||
| SWSS_LOG_WARN("Add deleted port: %s to the pending list of ACL table: %s", port_alias.c_str(), table.description.c_str()); | ||
| } | ||
| } |
There was a problem hiding this comment.
what is the scenario here? when a port is removed, then to update the acl table? In this case, you need to unbind the port from acl table, and then put the port to pending list. You cannot simply put the port into the pending list.
There was a problem hiding this comment.
for this one maybe need to marked as TODO here. if one port or LAG deleted, do will still have the chance to unbind it? I mean maybe some DB entries already destroyed and for SDK level all the configuration should already be cleared?
orchagent/aclorch.cpp
Outdated
| string port_alias = key.substr(0, found); | ||
| string op = kfvOp(t); | ||
|
|
||
| SWSS_LOG_INFO("doAclTablePortUpdateTask: OP: %s, port_alias: %s", op.c_str(), port_alias.c_str()); |
There was a problem hiding this comment.
SWSS_LOG_INFO("doAclTablePortUpda [](start = 7, length = 34)
this is debug level message.
orchagent/aclorch.cpp
Outdated
| SWSS_LOG_ENTER(); | ||
|
|
||
| sai_object_id_t port_id; | ||
|
|
||
| vector<string> strList; | ||
|
|
||
| SWSS_LOG_INFO("Processing ACL table port list %s", portsList.c_str()); |
There was a problem hiding this comment.
SWSS_LOG_INFO(" [](start = 4, length = 15)
this is debug level message.
orchagent/aclorch.cpp
Outdated
| @@ -1754,30 +1856,50 @@ bool AclOrch::processPorts(string portsList, std::function<void (sai_object_id_t | |||
| Port port; | |||
| if (!gPortsOrch->getPort(alias, port)) | |||
| { | |||
| SWSS_LOG_ERROR("Failed to process port. Port %s doesn't exist", alias.c_str()); | |||
| return false; | |||
| SWSS_LOG_WARN("Port %s not configured yet, add it to ACL table %s pending list", alias.c_str(), aclTable.description.c_str()); | |||
There was a problem hiding this comment.
SWSS_LOG_WARN [](start = 12, length = 13)
why warning level? this should be info level since this is a common situation your code is handling, so this should not be warning level.
orchagent/aclorch.cpp
Outdated
| { | ||
| SWSS_LOG_ENTER(); | ||
|
|
||
| SWSS_LOG_INFO("Processing ACL table port %s", portAlias.c_str()); |
There was a problem hiding this comment.
SWSS_LOG_INFO [](start = 4, length = 13)
debug level.
orchagent/aclorch.cpp
Outdated
| Port port; | ||
| if (!gPortsOrch->getPort(portAlias, port)) | ||
| { | ||
| SWSS_LOG_WARN("Port %s not configured yet, add it to ACL table %s pending list", portAlias.c_str(), aclTable.description.c_str()); |
There was a problem hiding this comment.
SWSS_LOG_WARN [](start = 8, length = 13)
info level.
tests/test_acl.py
Outdated
| self.verify_acl_group_member(adb, 0, test_acl_table_id) | ||
|
|
||
| # check port binding | ||
| self.verify_acl_lag_binding(adb, 0) |
There was a problem hiding this comment.
move this after port channel member creation, before state db creation.
tests/test_acl.py
Outdated
| keys = atbl.getKeys() | ||
| assert len(keys) == 0 | ||
|
|
||
| def verify_acl_group(self, adb, expt): |
There was a problem hiding this comment.
expt [](start = 36, length = 4)
rename to "acl_group_num" for clarity.
There was a problem hiding this comment.
tests/test_acl.py
Outdated
| self.verify_acl_group(adb, 2) | ||
|
|
||
| # check acl table group member | ||
| self.verify_acl_group_member(adb, 2, test_acl_table_id) |
There was a problem hiding this comment.
verify_acl_group_member [](start = 13, length = 23)
this function signature should be
verify_acl_group_member(adb, [acl_group_ids], acl_table_id)
it should verify the acl_groups have corresponding acl_group_member which has the acl_table_id.
tests/test_acl.py
Outdated
| assert set(port_groups) == set(acl_table_groups) | ||
|
|
||
|
|
||
| def verify_acl_lag_binding(self, adb, expt): |
There was a problem hiding this comment.
verify_acl_lag_binding(self, adb, expt): [](start = 8, length = 40)
like the verifying the port binding, we need to give the lag name as input.
There was a problem hiding this comment.
I didn't find out how a lag port name
was mapped to a SAI_OBJECT_TYPE_LAG_MEMBER in ASIC DB, unless you create one LAG and then know that the only SAI_OBJECT_TYPE_LAG_MEMBER record in ASIC DB is yours?
There was a problem hiding this comment.
tests/test_acl.py
Outdated
|
|
||
| # check port binding | ||
|
|
||
| def verify_acl_port_binding(self, dvs, adb, expt, bind_ports): |
There was a problem hiding this comment.
expt [](start = 48, length = 4)
you do not need give expt here, just use the len(bind_ports)
tests/test_acl.py
Outdated
| assert set(port_groups) == set(acl_table_groups) | ||
|
|
||
|
|
||
| def verify_acl_lag_binding(self, adb, expt): |
There was a problem hiding this comment.
expt [](start = 42, length = 4)
change to bind_ports as well, do not need expt here.
There was a problem hiding this comment.
for lag case it different with port case, bind_ports len may not equal to the binding lag number if some LAG not configured yet, so I think we still need a expt?
tests/test_acl.py
Outdated
|
|
||
| # check acl table group member | ||
|
|
||
| def verify_acl_group_member(self, adb, expt, test_acl_table_id): |
There was a problem hiding this comment.
expt [](start = 43, length = 4)
change to acl_group_id list.
orchagent/aclorch.h
Outdated
| bool validateAclTable(AclTable &aclTable); | ||
| sai_object_id_t getValidPortId(string alias, Port port); |
There was a problem hiding this comment.
getValidPortId [](start = 20, length = 14)
to reflect the true meaning, it is better to rename it to getBindPortId. Besides, it makes more sense to move this into portsyncd since it is retrieving a port property.
There was a problem hiding this comment.
renamed and move it to portOrch.
orchagent/portsorch.cpp
Outdated
| break; | ||
| default: | ||
| SWSS_LOG_ERROR("Failed to process port. Incorrect port %s type %d", alias.c_str(), port.m_type); | ||
| return false; |
tests/test_acl.py
Outdated
| self.verify_acl_group_member(adb, acl_group_ids, test_acl_table_id) | ||
|
|
||
| # check port binding | ||
| self.verify_acl_lag_binding(adb, 1) |
There was a problem hiding this comment.
- [](start = 40, length = 3)
use lag id
…ed ACL table configuration (#1712) * Fix minigraph parser issue when handling LAG related ACL table configuration * rephrase the warning message. * pick up swss change in sonic-net/sonic-swss#494
…494) * enhance acl orch to handle the LAG port not configured case * rename variable, function; redunce redundant code; fix memory issue * revise according to comments * one more blank line * add new VS test cases for acl on LAG * update with PR comments fix * rename getValidPortId and move it to portOrch * fix indent * fix test case comments
…ed ACL table configuration (sonic-net#1712) * Fix minigraph parser issue when handling LAG related ACL table configuration * rephrase the warning message. * pick up swss change in sonic-net/sonic-swss#494
…ed ACL table configuration (#1712) * Fix minigraph parser issue when handling LAG related ACL table configuration * rephrase the warning message. * pick up swss change in sonic-net/sonic-swss#494
Signed-off-by: Wenda Ni <wenni@microsoft.com>
What I did
Why I did it
it's possible that LAG port configured later or not configured yet while ACL table created, in this case we can add this LAG to the pending list and wait for it created, instead of fail the whole ACL table creating.
How I verified it
manual test, run ACL and Everflow test case on T1 and T1-LAG topo.
Details if related