Short

We need a way to configure the subnetworks size. Right now, each worker node gets a subnetwork with 64 addresses. This must first be configurable, and in the future, this must be dynamic.

Proposal

Each worker node currently gets a subnetwork of size /26. As of now, let's make the subnetwork configurable at the root level. Such that each worker node can get a larger or smaller subnetwork. Then this can be made dynamic later on and a proposal must be made.

Ratio

A node currently supports around 60 applications due to this network limitation. Let's overcome this limitation with bigger subnetworks. Eventually, a better mechanism must be found.

Impact

The Root service manager and Node net manager

Development time

1 day of development and 1 day of testing

Status

Proposal

Checklist

• Discussed
• Documented
• Implemented
• Tested

Short

running the release 0.4.2 we get the following error:

panic: Something in this program imports go4.org/unsafe/assume-no-moving-gc to declare that it assumes a non-moving garbage collector, but your version of go4.org/unsafe/assume-no-moving-gc hasn't been updated to assert that it's safe against the go1.19 runtime. If you want to risk it, run with environment variable ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH=go1.19 set. Notably, if go1.19 adds a moving garbage collector, this program is unsafe to use.

Solution

To solve this, we simply need to create the release artefacts with a proper version of GO from the GitHub runners.

Status

Solving it

Checklist

• Discussed
• Solved
• Tested

Short

Reorder/-write net-managers proxy code in order for it to be more flexible with outlook on IPv6 implementation extension.

Proposal

Currently the code is very limited to IPv4 packets, working with raw go types (net.IPv4). Casting the packets to custom types which implement an interface will make the code easier to modify and extend in the long run.

Ratio

Makes code cleaner and easier to extend with functionality

Impact

net-manager

Status

Needs testing

Checklist

• Discussed
• Documented
• Implemented
• Tested

Short

tuncfg.json is not used for tunnel setup of netmanager

Proposal

The tuncfg.json is copied to /etc/netmanager/ by the install.sh script.
On first impression, this configuration file sets the defaults for the tunnel to be set up by the netmanager, however, instead the netmanagers proxyTunnel is set up using os.getenv - so environment variables, which are not necessarily set up by the developer/host.
This renders the file useless.

Solution

Change the netmanager proxy tunnel setup to read configuration defaults from /etc/netmanager/tuncfg.json
or remove it from the setup and document it to use environment variables.

Status

Looking for feedback

Checklist

• Discussed
• Solved
• Tested

Short

Let's make the NetManager a system daemon compatible with systemd

Proposal

We want so use systemctl to start, stop, restart and check the NetManager status. Additionally, the NetManager should expose a local socket for the communication with the NodeEngine, avoiding the usage of port 6000.

Ratio

Easier to manage and install

Impact

NetManager

Development time

1 Week

Status

Discussed, implementing.

Checklist

• Discussed
• Documented
• Implemented
• Tested

Short

Establish a file naming convention for golang files

Proposal

Currently the node-net-manager files do not follow a comprehensive file naming structure, which is desirable in any case.

As for golang, there is no documented styleguide for file naming, however general consensus seems to be all lower case, with snake case, where needed, while avoiding snake case suffixes like <file>_arm.go or <file>_linux.go, just like _test.go for tests. (see golang/go#36060)

My proposal is scanning the node-net-manager files and renaming long files to shorter ones where possible, while keeping the filenames as descriptive as possible. Generally a go-esque structure could be the following:

node-net-manager/
├─ environment/
├─ proxy/
│ ├─ tunnel.go
│ ├─ tunnel_test.go
│ ├─ cache.go
├─ mqtt/
│ ├─ tablequery.go
│ ├─ handlers.go
│ ├─ client.go
│ ├─ updates.go
├─ go.mod
├─ go.sum
├─ netmanager.go

Ratio

Better structure and a agreed upon file naming standard for this project

Impact

only file names in node-net-manager

Development time

1 hour

Status

looking for feedback

Checklist

• Discussed
• Documented
• Implemented
• Tested

There are many instances in the code where I used exec.Command

This was done at the beginning for fast prototyping but it's hard to maintain and can fail due to parallel handling of OS file descriptors. All these instances can be replaced using

Netlink
Iptable

Short

Transition the networking to IPv6 in order to solve the possible network address space exhaustion.

Proposal

Move the networking to IPv6 for more addresses, as well as semantic addressing.
The Oakestra platform then uses the reserved private IPv6 subnet fc00::/7.
This private subnet is further divided reserving the last 16 bit subnetwork block fdff::/16 for a Service IP subnet, which is needed in order to give addresses to Instances and the (up to) 30 balancing strategies per Instance. We divide the Service IP subnet into 32 equal sized subnetworks with up to 30 balancing strategy subnets and 2 Instance IP subnets, using a prefix of /21. The fdfe::/16 I would propose to keep reserved for future use. The remainder of the address space is used to hand out subnetworks for worker nodes, using a /120 prefix. This leaves a worker subnetwork with 8 bits for namespace IPs for the containers inside a worker subnetwork.

To sum up the subnetwork division with subnet specification:

The Oakestra components are also required to support IPv6.
The net-manager should support to forward both IPv4 and IPv6 traffic. The service managers will additionally have to manage IPv6 entries in the databases.

Ratio

This solves the address space limitations IPv4 has with growing worker nodes. So far the limit is ~65535 workers, which would grow into a very large, unimaginable number with IPv6 subnetworking.

Impact

cluster/root service managers and netmanager

Status

Testing

Checklist

• Discussed
• Documented
• Implemented
• Tested

Short

This function

Return None if an invalid job name is given.
It should return empty list

Solution

Return empty list as default

Status

solved

Checklist

• Discussed
• Solved
• Tested

Short

Let's make the NetManager a Go Module instead of a separate binary.

Proposal

Currently, the NetManager component must be deployed as a separate service with a separate binary for each device. Each Worker node must run both the NodeEngine and the NetManager. Since, for performance reasons, both components are implemented in GO, NetManager can be implemented as a module that can be imported inside the NodeEngine at startup—simplifying the pairing process and reducing the change for configuration errors.

Ratio

Simplify startup, reducing manual configuration.

Impact

Oakestra NodeEngine and OakestraNet NetManager

Development time

1/2 weeks

Status

looking for feedback | for a solution,

Checklist

• Discussed
• Documented
• Implemented
• Tested

Short

Enable IPv6 for service managers in order for them to be able to respond to IPv6 traffic.

Proposal

Enable IPv6 for cluster and root service managers. Additionally adjust requests to properly utilize IPv6 addressing.

Ratio

Short description of why this is important

Impact

root and cluster service manager

Status

Implemented and tested

Checklist

• Discussed
• Documented
• Implemented
• Tested

Short

Implement the Closest Instance routing policy

Proposal

Right now, the only balancing policy usable is RR balancing. Let's try to implement the Closest Semantic IP using the cluster position information.

Ratio

This helps improve the geographical awareness of the applications without forcing the developer to manage it from a code perspective. Just by using the Closest IP, the applications will always talk with the closes instance available.m

Impact

All the components will have in impact.

Development time

3 Days

Status

Looking for a solution

Checklist

• Discussed
• Documented
• Implemented
• Tested

Short

Fragmented packets are not forwarded

Proposal

With large packets, like video frames, packets are split into multiple IP frames. Our TUN interface processes and decodes an l4 packet starting from a single frame which is not always the case. When a L4 packet is split across multiple frames, the decode fails, and the packet is dropped.

Solution

We need a packet buffer to sum together all the incoming frames into a single packet.

Status

Looking for an efficient solution

Checklist

• Discussed
• Solved
• Tested

Short

Based on #147 - currently only IPv4 proxy traffic. Extend it for IPv6 packets and make containers addressable over IPv6 across the whole platform

Proposal

Currently the proxy only works with IPv4 packets. It would be desirable to have working IPv6 traffic inside Oakestra. This would require proxy extensions, as well as IPv6 addressing mechanisms across the whole Oakestra platform.

Ratio

Makes IPv6 work for Oakestra

Impact

all

Status

implemented - requires thorough testing on large deployments

Checklist

• Discussed
• Documented
• Implemented
• Tested

Short

The OUTPUT chain in iptables does not jump to the OAKESTRA DNAT rules. This means that when we expose ports the service is not reachable internally on the same node but only outside

Proposal

Adding a jump to the Oakestra chain in the OUTPUT chain enable the DNAT roules for local calls as well.
E.g., If right now I deploy a service that uses port tcp 80, the port tcp 80 is exposed externally towards other nodes, but it's not reachable internally using curl :80.

Solution

Can be easily fixed by adding the following code here

err = iptable.AppendUnique("nat", "OUTPUT", "-j", chain)
	if err != nil {
		log.Fatal(err.Error())
	}

Status

testing

Checklist

• Discussed
• Solved
• Tested

Currently the subnetworks are just generated and assigned. The address recycling is missing.

• Enable a node to communicate that a subnetwork Is not needed anymore via MQTT
• Cache the node subnetwork info, if the node crash the same subnetwork must be associated back
• task that checks the health status of the platform and redeem the unused subnetworks

Short

Add special endpoints for the deployment of unikernels.

Proposal

This change is necessary to facilitate the deployment of unikernels.
The changes include new new Endpoints for creating and destroying the network environment for a unikernel.
This will include the creation of a namespace, bridge and tap device in addition to the veth making it possible
for unikernels to communicate with the network including other unikernels and containers.

Ratio

This change is needed to use unikernels on the network and to inter-op with the containers when using
the network component.

Impact

This change impacts the node net manager and does not change its general operations but only adds the
additional support without changing the container functionality.

Status

Currently under development.

Checklist

• Discussed
• Documented
• Implemented
• Tested

Short

The current platform does not allow for external entities to connect to services deployed inside a Oakestra cluster. Implementing a gateway component that enables this could fix this.

Proposal

Extend the net-manager to deploy gateways as needed, when a developer requests the exposure of a service to the outside network. This gateway would setup a direct connection to the service in question, exposing it on a port of its public IP address.

Ratio

Allows for external developers/services/servers to connect to the service inside Oakestra

Impact

all

Status

testing

Checklist

• Discussed
• Documented
• Implemented
• Tested

Short

Concurrent map access, fatal error!

Proposal

fatal error: concurrent map iteration and map write
goroutine 179 [running]:
NetManager/env.(*Environment).IsServiceDeployed(0xc0001e6f98?, {0xc007058320
, 0x1e})

Happens when startSelfDestructTimeout from MqttJobsUpdates calls if !jut.env.IsServiceDeployed(jut.job) {

Solution

Make env.deployedServices thread safe

Status

Working on it

Checklist

• Discussed
• Solved
• Tested

Short

When using a netcat client and server setup in Oakestra flakiness occurs, i.e. if you send 20 messages several of them get dropped with no clear pattern or explanation. - This was my assumption a week ago, when I now replicated this it no longer occurred ...

Deeper description of the bug

Concrete Example

Let's take service C (client) and S (server).
(Note: There are multiple different netcat implementations. I used "netcat-traditional".)
We run this script on S

#!/bin/bash
while true
  do
     # Make sure to use -p otherwise no message can get propagated.
     # -w teminates the server session after 5 s. This is used to avoid getting stuck due to a broken/stale connection.
      nc -l -p 99 -w 5
  done

And this cmd on C:

# -q is used to terminate the client after sending the message to avoid getting the client stuck.
for i in {1..20}; do echo $i | nc 10.30.27.3 99 -q 1; done

This screenshot shows outputs of flaky behavior. On my local setup (non Oakestra) there is a smooth flow from 1-20.

Update

I have pushed a custom image that has that exact netcat version installed as well as provided both scripts there for easier testing.

Here is the SLA:

{
  "sla_version": "v2.0",
  "customerID": "Admin",
  "applications": [
      {
          "applicationID": "",
          "application_name": "app",
          "application_namespace": "test",
          "application_desc": "",
          "microservices": [
            {
              "microserviceID": "",
              "microservice_name": "server",
              "microservice_namespace": "test",
              "virtualization": "container",
              "cmd": ["bash","server.sh"],
              "memory": 100,
              "vcpus": 1,
              "storage": 0,
              "code": "ghcr.io/malyuk-a/netcat:testing",
              "addresses": {
                "rr_ip": "10.30.27.3"
              }
            },
            {
                "microserviceID": "",
                "microservice_name": "client",
                "microservice_namespace": "test",
                "virtualization": "container",
                "cmd": ["bash","client.sh"],
                "memory": 100,
                "vcpus": 1,
                "storage": 0,
                "code": "ghcr.io/malyuk-a/netcat:testing",
                "one_shot": true
              }
        ]
      }
  ]
}

Interestingly enough, now I no longer can replicate that flakiness ...

Example output:

...
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
...

I have no idea why or what is going on differently now all of a sudden. When experiencing the bug mentioned above I was able to replicate that behavior multiple times in the span of ~2-3 days.

I am able to see rather strange behavior when it comes to redeploying these services, I am not sure if this is related or due to the CLI tool I use that handles these deployments/creations in a very quick way.

Solution

We (@giobart, @smnzlnsk, @Malyuk-A) had a look and we couldn't spot errors in the NetManager logs, thus this needs deep analysis.

Update

Right now I simply want to know what others can observe. When you run the same SLA do you see a nice flow from 1-20 or do you see gaps? If multiple people do not see any gaps we can close this Issue I guess.

Status

Replicated and discussed. Needs deep analysis to figure out what is going wrong.
Why might this be critical: If a classic tool like netcat is not properly working who knows how other tools behave? This can very much interfere with proper practical/scientific work.

Update

Let's see, maybe this was a very strange anomaly on my local system's side.

Checklist

• Discussed
• Replicated
• Solved
• Tested

Short

Sometimes when undeploying applications, the cluster-level network info remains in the db, as well as the interest registered. Not a problem on its own, but when deploying a different application with same service IP this creates conflicts and prevents proper propagation of the routes.

Proposal

This requires more investigation.

Solution

This requires more investigation.

Status

Under Investigation

Checklist

• Discussed
• Solved
• Tested

Currently once a sip is assigned and a table query resolved there is no update mechanism and cache refresh. It work only once.

To solve this the entire "interest registration" mechanism must be implemented accordingly.

Short

Create pre-release images from the develop branch to facilitate testing before merging to main

Proposal

Using github workflow we need to create a new cluster, root service manager image, together with a NetManager tar.gz.
The images can be named as:
develop-<component-name>:aaaammgg_hhmm

Ratio

facilitate testing before merging to main

Impact

github workflows

Development time

1 day

Status

searching for a solution

Checklist

• Discussed
• Implemented
• Tested

Short

Applications using UDP fragmentation crash when repeatedly deployed and underplayed.

Proposal

I noticed this issue randomly while continuously deploying and undeploying the pipeline described here
After deploying the application, stressing it, and undeploying it, the communication starts behaving oddly, causing the application to crash. The solution is to restart the network manager. This is why this looks more like a communication problem than anything else.

Most likely, the application is not very fault-tolerant. Nevertheless, this issue underlines a problem in the forwarded packets.

This issue is currently under investigation. Next time this happens, I'll post here the trace routes, logs, and stack traces.

Solution

None yet

Status

Under investigation

Checklist

• Discussed
• Solved
• Tested

Short

If a worker disconnects from the Oakestra cluster, the worker address space it was assigned is not returned to the collection of available subnets.

Proposal

If a worker with previously assigned worker subnet 10.18.0.0/26 is disconnected from the Oakestra cluster, that worker subnet should be recycled for future workers that register to the Oakestra cluster. This is currently not the case, which ultimately leads to address space exhaustion, despite addresses being theoretically available.

Solution

Create a automatic procedure to trigger the lookup and recollection of worker subnets to recycle if the worker disconnects or is unavailable/unresponsive for a long time. Also implement this recycling for the handout of worker subnets on worker registration.

Status

Searching for a solution/help wanted

Checklist

• Discussed
• Solved
• Tested

Short

With the current configuration in Oakestra, DNS inside deployed containers only works, iff the container is able to successfully reach the in-container configured DNS server over the bridge and the host. If the host machine cannot reach the in-container configured DNS server because of a closed firewall policy, the container cannot resolve any hostnames, i.e. DNS is broken.
This also means that the container completely disregards the host machine working DNS configuration, if there is one.

Proposal

Implement a rewriting of container originating DNS requests arriving at the oakestra bridge using iptables DNAT + SNAT to instead use the host machine DNS configuration.
The goal is for DNS requests (all traffic arriving at the oakestra bridge with destination port 53) to instead be resolved by the host machines DNS configuration.

For example:
Container DNS is 8.8.8.8, but host machine cannot contact 8.8.8.8 and instead uses local ISP DNS.
Container queries 8.8.8.8:53, which defaults to the container bridge and arrives at the host machine firewall.
Firewall uses DNAT to rewrite to 127.0.0.53:53, which usually is the systemd-resolver, and SNAT to rewrite source to be the host machine.
DNS Query is then resolved like a usual DNS Query from the host machine to the local ISP DNS, and the results get re-translated back through the SNAT and DNAT to go back to the container, as if 8.8.8.8 responded.
Whether the resulting connection to the chosen A-record works is not a concern as of now. We want working DNS, regardless of the configured DNS Server in the container image.

Ratio

This in general should make DNS work for containers regardless of configured DNS server, if the host machine has a working DNS configuration.

Impact

net-manager

Development time

one day

Status

in development

Checklist

• Discussed
• Documented
• Implemented
• Tested

Short

When a service IP is recycled by a service with a different name, the routes are not properly propagated across the clusters

Proposal

This issue happens when we have a multicluster setup with a service previously using a service ip that is now assigned to another service. The worker asks for an updated, but the cluster has garbage info about a previous service.

Solution

Force service deletion upon undeployment and interest deregistration for unused services in a cluster

Status

development

Checklist

• Discussed
• Solved
• Tested

Short

The latest container images should be the one from the main branch and not the alpha releases

Solution

Same as oakestra main repo

Checklist

• Discussed
• Solved
• Tested

Short

cosign dependency is broken again

Short

Can't access microservices using semantic addresses.

Proposal

Solution

Status

I deployed an application in oakestra which consists of 2 microservices, I assigned them with rr_ip like 10.30.0.1 and 10.30.0.2. Howerver I can't access it, for example ,when I type http://10.30.0.2:80 in browser, I can't see my front page, and I have to use my NodeIP like http://192.168.227.133:80 to see it. What's more, when I use axios post to post http request to http://10.30.0.1/index,
it fails too. Please tell me how to use semantic in detail?

Checklist

• Discussed
• Solved
• Tested

Please add a parser for all the structures that are passed through the API and directly pushed into the DB

Short

In some cases, the net manager de-registers immediately from the service updates.

Proposal

Example:

2022/11/14 11:31:05 Received HTTP request - /container/deploy
2022/11/14 11:31:05 ReqBody received : [123 34 112 105 100 34 58 49 50 54 56 56 44 34 115 101 114 118 105 99 101 78 97 109 101 34 58 34 99 108
105 101 110 116 46 112 101 114 99 111 109 109 46 99 108 105 101 110 116 46 100 101 112 108 111 121 34 44 34 105 110 115 116 97 110 99 101 78 1$
7 109 98 101 114 34 58 50 44 34 112 111 114 116 77 97 112 112 105 110 103 115 34 58 34 34 125]
2022/11/14 11:31:05 {12688 client.percomm.client.deploy 2  131.159.24.80 50103 0xc00025e300 0xc0003fe050 0xc00010e180}
2022/11/14 11:31:05 MQTT - publish to - service/deployed - the payload - {"appname":"client.percomm.client.deploy","status":"DEPLOYED","instan$
e_number":2,"nsip":"10.18.0.130","host_port":"50103","host_ip":"131.159.24.80"}
2022/11/14 11:31:05 [MQTT TABLE QUERY] sname: client.percomm.client.deploy
2022/11/14 11:31:05 MQTT - publish to - tablequery/request - the payload - {"sname":"client.percomm.client.deploy","sip":""}
2022/11/14 11:31:05 waiting for table query client.percomm.client.deploy
2022/11/14 11:31:05 MQTT - Received mqtt table query message: {"app_name": "client.percomm.client.deploy", "instance_list": [{"cluster_id": "6$
720dcb7da606aeff413bd5", "instance_ip": "10.30.0.13", "instance_number": 2, "worker_id": "6372110f665f0c3b79ca0234", "namespace_ip": "10.18.0.$
30", "host_ip": "131.159.24.80", "host_port": 50103, "service_ip": [{"Address": "10.30.0.0", "IpType": "RR"}, {"IpType": "instance_ip", "Addre$
s": "10.30.0.13"}]}]}
2022/11/14 11:31:05 TableQuery response - notifying a channel regarding client.percomm.client.deploy
2022/11/14 11:31:05 MQTT - Subscribed to jobs/client.percomm.client.deploy/updates_available
2022/11/14 11:31:05 Response to /container/deploy:  {client.percomm.client.deploy 10.18.0.130}
2022/11/14 11:31:05 self destruction timeout started for job client.percomm.client.deploy
2022/11/14 11:31:05 [MQTT TABLE QUERY] sip: 10.30.100.1
2022/11/14 11:31:05 MQTT - publish to - tablequery/request - the payload - {"sname":"","sip":"10.30.100.1"}
2022/11/14 11:31:05 waiting for table query 10.30.100.1
2022/11/14 11:31:05 MQTT - Received mqtt table query message: {"app_name": "pipeline.percomm.primary.deploy", "instance_list": [{"cluster_id":
"63720dcb7da606aeff413bd5", "instance_ip": "10.30.0.6", "instance_number": 0, "worker_id": "63720e27665f0c3b79c9fc9d", "namespace_ip": "10.18.$
.2", "host_ip": "131.159.25.19", "host_port": 50103, "service_ip": [{"Address": "10.30.100.1", "IpType": "RR"}, {"IpType": "instance_ip", "Add$
ess": "10.30.0.6"}]}]}
2022/11/14 11:31:05 TableQuery response - notifying a channel regarding 10.30.100.1
2022/11/14 11:31:05 MQTT - Subscribed to jobs/pipeline.percomm.primary.deploy/updates_available
2022/11/14 11:31:05 self destruction timeout started for job pipeline.percomm.primary.deploy
2022/11/14 11:31:05 MQTT - Subscribed to jobs/10.30.100.1/updates_available
2022/11/14 11:31:05 self destruction timeout started for job 10.30.100.1
2022/11/14 11:31:15 De-registering from 10.30.100.1
2022/11/14 11:31:15 MQTT - publish to - interest/remove - the payload - {"appname":"10.30.100.1"}
2022/11/14 11:31:15 De-registering from pipeline.percomm.primary.deploy
2022/11/14 11:31:15 MQTT - publish to - interest/remove - the payload - {"appname":"pipeline.percomm.primary.deploy"}
ERROR-2022/11/14 11:31:15 ProxyTunnel.go:553: Unable to resolve remote addr: address -1: invalid port
ERROR-2022/11/14 11:31:15 ProxyTunnel.go:553: Unable to resolve remote addr: address -1: invalid port

Steps
1: We deploy the service: client.percomm.client.deploy with serviceip 10.30.0.0 and instaceip 10.30.0.13
2: Then the service requires a table query for service pipeline.percomm.primary.deploy with RRIP 10.30.100.1
3: The self-destruction timeout towards 10.30.100.1 starts
4: The traffic flows and the application works as desired
5: De-registering from 10.30.100.1 even if the application is still sending traffic to 10.30.100.1
6: As a result ERROR-2022/11/14 11:31:15 ProxyTunnel.go:553: Unable to resolve remote addr: address -1: invalid port
7: No further table queries!

So we have two different problems:

• Undesired de-registration
• No table query towards that route. Something is preventing the net manager to handle the table query

Setup:
client.percomm.client.deploy -> Intel NUC VM hosting only NodeEngine and NetManager
pipeline.percomm.primary.deploy -> AMD64 VM hosting Root Orch + Cluster Orch + Node Engine

the machines are mutually reachable (as proof, the application initially works)

Possible causes:
-Something is preventing the self-destruction timer from properly "ticking"

Solution

--

Status

searching for a solution

Checklist

• Discussed
• Solved
• Tested

Short

The cluster service manager is flooded with requests in the event of unknown ServiceIP. Let's use the interest registration mechanism to avoid repeated queries.

Proposal

Currently, the worker node that requires information on a specific route registers an interest. Anyway, I a service requires to contact an unknown ServiceIP, the cache miss trigger every time a new query. Let's use the interest registration mechanism in such a way that if the interest is registered, but the cache miss happens, no further query is sent and the communication simply fails.

Ratio

This reduces the burden drastically on the Cluster Service Manager in the event of unknown ServiceIP call.

Impact

Only the Node Net Manager component needs to be updated.

Development time

1 Day of work (development and testing)

Status

Analysing the feasibility

Checklist

• Discussed
• Documented
• Implemented
• Tested

Short

When generating a new packet the signature process fails

Proposal

Tag v.0.4.2 fails the build with a signature error. The packages are published, but only the signature process fails.

Solution

Apparently, we only need to update the GitHub workflow using cosign v1.13.1 -> update cosign version to fix signature issue

Status

Solution found, proceeding with the fix

Checklist

• Discussed
• Solved
• Tested

Short

All requests from containers on a node or external requests to a specific port are intercepted if that port is defined as an OakestraPort.

Proposal

The command curl google.com makes a request to google.com on port 80. However, if an Oakestra service is already running on this node and has defined port 80, the request curl google.com will be forwarded to the Oakestra service because Curl searches on port 80 by default.

Another example:
If an Oakestra service is running on port 90, curl google.com:90 will also return the Oakestra service because all requests to port 90 are intercepted. Normally, there should be no response on google.com:90.

Potentially another issue:
If three instances of an Oakestra service are running on the same node, only one of them will be addressed because all requests will use the "most recent" routing IP table rule.

Solution

The IP table entry needs to be adjusted. Either the rule should only apply to specific source IPs or used ports should not be overwritten.

The code which needs to be changed can be found here:
https://github.com/oakestra/oakestra-net/blob/f6434294717c2448aac296575ca802fd1dfcd4cb/node-net-manager/network/Nat.go#L160C1-L221C2

Short

After a failure in packet decoding, the NetManager stops working

Proposal

Due to this line, when an outgoing proxy decode fails, the ingoing message thread returns and no more packets will be processed.

Solution

1. Substitute return with continue
2. Find eventual other instances of this problem in the ingoing message and outgoing message handlers
3. investigate why sometimes we have cache miss even with services that are supposed to be deployed internally

Status

I'm fixing it

Checklist

• Discussed
• Solved
• Tested

Short

We need new API endpoints in the networking components in order to register and manage new Gateway components.

Proposal

The upcoming gateway component will allow for external connectivity to the inside of the Oakestra network. We plan to allow this gateway component to attach at the two levels present - root and cluster. This will allow for encapsulation of network traffic, since inherently a gateway component attached to the root will or should be able to manage connections to the entirety of Oakestra deployed services. Gateways attached to a cluster orchestrator will or should be able to allow for connections to services deployed at the respective cluster.
In order to register and manage such gateways we need new API endpoints.

Ratio

This will allow for gateways to assign to the Oakestra network in order to allow for external connectivity.

Impact

Since we are planning to allow the component to attach to any orchestrator level, we will need the APIs from the root and cluster service managers to support the registration.

Status

Looking for feedback

Checklist

• Discussed
• Documented
• Implemented
• Tested

Even if the environment variable is configured the proxy tun keeps reading the network ports from the tuncfg.json file

Short

Currently the platform is limited by the amount IPv4 subnets available to workers, despite working alongside IPv6 in dual-stack. We need to make this subnet assignment at worker initialization to be optional, allowing for either IPv4-only, IPv6-only or dual-stack workers.

Proposal

Create a signalling method in order for the worker node to be initialized to tell the root-service-manager to return subnets
according to its 'wishes'. This can be done by e.g a -4 flag at net-manager startup to boot up in IPv4-only mode. The net-manager would then only request a IPv4 subnet from the root-service-manager.

Ratio

This frees the platform from the IPv4 worker count limitations, allowing for far more workers.

Impact

net-manager/mqtt, cluster-service-manager, root-service-manager

Status

Backlogged

Checklist

• Discussed
• Documented
• Implemented
• Tested

Short

The README.md (especially in the oakestra-net/node-net-manager) is outdated, thus faulty. If you try to follow it to build/install/setup things it will eventually fail.

Proposal

Bring the README up to date, and or migrate it to the new OAK Docs entirely. Currently it does confuse more than it helps IMO.

A few examples:

• Under the "Structure" header, a "install.sh" is mentioned, however it is no longer there - it is the build folder instead.
• The install.sh (in the build folder) makes a lot of assumptions, e.g. where the user calls this script from (without any comment about where it should be invoked from), the tuncfg.json and netcfg.json are files that are (AFAIK) only acquired when installing the main OAK repo and fetching the NetManaget/NodeEngine resources - i.e. these two files are "magic-files" that are not part of the repo, especially not the build folder
• etc.

Without the help of @smnzlnsk I would not have been able to build this - without reinventing the wheel.
He mentioned that he uses a custom makefile for this, so no one currently seems to be using these build instructions.

Solution

Bring these instructions up to date and or migrate them to the upcoming OAK Docs/Wiki.

Status

This ticket is there to inform others about the current state of things.

Checklist

• Discussed
• Solved
• Tested

Short

The node subnet is composed of 64 addresses. If a worker requires more addresses, we should perform another request to extend the subnetwork.

Proposal

At worker initialization time, the worker requires a net size of 64 as usual. Then, every time the address space is exhausted because we have more than 64 networked containers in a worker, we should extend it with a new request that proposes a second subnet to the worker.

One possible solution would
-> Request a new subnet if a subnet is exhausted inside env.generateAddress()
-> The new addresses can be stored inside env.addrCache

Ratio

Remove container limitations.

Impact

NetManager - Cluster manager(maybe)

Development time

1 week

Status

finding a solution

Checklist

• Discussed
• Documented
• Implemented
• Tested

Short

Update cosign to version 2.22 in github runner

Short

NetManager's deploy task queue gets stuck.

Proposal

Only on a specific machine, I noticed the following bug.

2022/12/27 18:18:04 Received HTTP request - /container/deploy
2022/12/27 18:18:04 ReqBody received : [123 34 112 105 100 34 58 51 51
 56 55 48 53 54 44 34 115 101 114 118 105 99 101 78 97 109 101 34 58 3
4 112 105 112 101 108 105 110 101 46 112 101 114 99 111 109 109 46 101
 110 99 111 100 105 110 103 46 100 101 112 108 111 121 34 44 34 105 11
0 115 116 97 110 99 101 78 117 109 98 101 114 34 58 48 44 34 112 111 1
14 116 77 97 112 112 105 110 103 115 34 58 34 34 125]
2022/12/27 18:18:04 {3387056 pipeline.percomm.encoding.deploy 0  131.1
59.24.51 50103 0xc0005de000 0xc00058d380 0xc0039d8780}
2022/12/27 18:21:38 Received job update regarding jobs/pipeline.percom
m.encoding.deploy/updates_available
2022/12/27 18:21:38 [MQTT TABLE QUERY] sname: pipeline.percomm.encodin
g.deploy
2022/12/27 18:21:38 Received job update regarding jobs/pipeline.percom
m.lsh.deploy/updates_available
2022/12/27 18:21:38 Received job update regarding jobs/pipeline.percom
m.encoding.deploy/updates_available
2022/12/27 18:21:38 [MQTT TABLE QUERY] sname: pipeline.percomm.encodin
g.deploy
2022/12/27 18:21:38 Received job update regarding jobs/pipeline.percom
m.lsh.deploy/updates_available
2022/12/27 18:21:38 [MQTT TABLE QUERY] sname: pipeline.percomm.lsh.dep
loy
2022/12/27 18:21:43 Received HTTP request - /container/undeploy
2022/12/27 18:21:43 {pipeline.percomm.lsh.deploy 0}
2022/12/27 18:23:59 Received HTTP request - /container/deploy
2022/12/27 18:23:59 Received HTTP request - /container/deploy
2022/12/27 18:23:59 ReqBody received : [123 34 112 105 100 34 58 51 51
 56 55 54 50 51 44 34 115 101 114 118 105 99 101 78 97 109 101 34 58 3
4 112 105 112 101 108 105 110 101 46 112 101 114 99 111 109 109 46 101
 110 99 111 100 105 110 103 46 100 101 112 108 111 121 34 44 34 105 11
0 115 116 97 110 99 101 78 117 109 98 101 114 34 58 48 44 34 112 111 1
14 116 77 97 112 112 105 110 103 115 34 58 34 34 125]
2022/12/27 18:23:59 {3387623 pipeline.percomm.encoding.deploy 0  131.1
59.24.51 50103 0xc0005de000 0xc00058c040 0xc003edc2a0}
2022/12/27 18:24:09 Received HTTP request - /container/deploy
2022/12/27 18:24:09 ReqBody received : [123 34 112 105 100 34 58 51 51
 56 55 54 56 50 44 34 115 101 114 118 105 99 101 78 97 109 101 34 58 3
4 112 105 112 101 108 105 110 101 46 112 101 114 99 111 109 109 46 108
 115 104 46 100 101 112 108 111 121 34 44 34 105 110 115 116 97 110 99
 101 78 117 109 98 101 114 34 58 48 44 34 112 111 114 116 77 97 112 11
2 105 110 103 115 34 58 34 34 125]
2022/12/27 18:24:09 {3387682 pipeline.percomm.lsh.deploy 0  131.159.24
.51 50103 0xc0005de000 0xc00031c140 0xc003b38180}
2022/12/27 18:24:19 Received HTTP request - /container/deploy
2022/12/27 18:24:19 ReqBody received : [123 34 112 105 100 34 58 51 51
 56 56 49 53 48 44 34 115 101 114 118 105 99 101 78 97 109 101 34 58 3
4 112 105 112 101 108 105 110 101 46 112 101 114 99 111 109 109 46 109
 97 116 99 104 105 110 103 46 100 101 112 108 111 121 34 44 34 105 110
 115 116 97 110 99 101 78 117 109 98 101 114 34 58 48 44 34 112 111 11
4 116 77 97 112 112 105 110 103 115 34 58 34 34 125]
2022/12/27 18:24:19 {3388150 pipeline.percomm.matching.deploy 0  131.1
59.24.51 50103 0xc0005de000 0xc00058c0b0 0xc003edc5a0}

Steps to reproduce the bug:
I deployed a fault microservice that instantaneously fails, triggering multiple consecutive reboot. After consecutive failures, the NetManager enters a condition where the task queuel used to deploy the net components is stuck. In fact, after receiving the "ReqBody" and the unmarshal, the task is sent to the task queue and never executed. As a result, the veth pairs and the networking stack are not deployed or updated in the new instance, and no communication happens. Further investigation is required.

Solution

Under investigation

Status

Under Investigation

Checklist

• Discussed
• Solved
• Tested

Short

We can improve the network performance of unikernel bypassing iptables within the network namespace and attaching a macvtap directly to the network interface

Proposal

Current approach

                          container net ns
                         ______________________________________
                        |        [host routes]                 |
 ___________            |          ____________                |
| OakBridge | |veth|----|-|veth|  |virt bridge| --|tap|--{vm}  |
|___________|           |         |___________|                |
                        |______________________________________|

proposed approach

                          container net ns
                         __________________________
                        |                          |
 ___________            |                          |
| OakBridge | |veth|----|-|veth|--|macvtap|--{vm}  |
|___________|           |                          |
                        |__________________________|

Ratio

Avoid iptables step inside the network namespace and improve performance

Impact

Node net manager

Development time

1 week

Status

Implementing

Checklist

• Discussed
• Documented
• Implemented
• Tested

Using docker sometimes the NetManager can't attach the vets interface. The container interface is simply not found. This must be investigated.

Under further investigation seems like sometimes the veths attachment starts too soon before the container is fully created or too late when the container crashes after not being able to start the communication.

We need to expose at the root service manager the following endpoint:

GET /api/net//network -

returning a structure containing:
rr_ip and all sip + all instances and addresses of that service

Check oakestra CI/CD

Short

You can create and deploy apps and services with _ (underscores) in their names (e.g. "x_service", or "x_app"), however, the networking no longer works for them. I had a chat with @smnzlnsk and he found out that this is due to the mapping (most likely MQTT mapping, where special characters get turned into _ as dividers).

Proposal

Due to the mentioned "mapping" a name like "app_x" gets interpreted as "app" / "x" which leads to unreachability.
See above, the bug itself is easy to replicate.
E.g. Take this working SLA: and change the app name to "app_X" or service name to "x_curl" and see for yourself.

{
    "sla_version": "v2.0",
    "customerID": "Admin",
    "applications": [
        {
            "applicationID": "",
            "application_name": "appX",
            "application_namespace": "test",
            "application_desc": "Simple demo with curl client and Nginx server",
            "microservices": [
                {
                        "microserviceID": "",
                        "microservice_name": "curl",
                        "microservice_namespace": "test",
                        "virtualization": "container",
                        "cmd": ["sh", "-c", "curl 10.30.55.55 ; sleep 5"],
                        "memory": 100,
                        "vcpus": 1,
                        "vgpus": 0,
                        "vtpus": 0,
                        "bandwidth_in": 0,
                        "bandwidth_out": 0,
                        "storage": 0,
                        "code": "docker.io/curlimages/curl:7.82.0",
                        "state": "",
                        "port": "",
                        "added_files": [],
                        "one_shot": true,
                        "constraints":[]
                      },
                      {
                        "microserviceID": "",
                        "microservice_name": "nginx",
                        "microservice_namespace": "test",
                        "virtualization": "container",
                        "cmd": [],
                        "memory": 100,
                        "vcpus": 1,
                        "vgpus": 0,
                        "vtpus": 0,
                        "bandwidth_in": 0,
                        "bandwidth_out": 0,
                        "storage": 0,
                        "code": "docker.io/library/nginx:latest",
                        "state": "",
                        "port": "",
                        "addresses": {
                          "rr_ip": "10.30.55.55"
                        },
                        "added_files": [],
                        "constraints": []
                      }
                    ]
        }
    ]
}

Solution

Very easy solution: Restrict the naming of the services in the main app.
More complex solution: Figure out a way to allow "_" names - need to refactor "mapping" in networking.

Status

Discussed. Need implementation/fixing.

Checklist

• Discussed
• Replicated (Replicability)
• Solved
• Tested