Fix race condition in ConntrackConnectionStore and FlowExporter

[heanlan]

Conntrack connection store's polling go routine and flow exporter both access to conntrack connection store, and there's a race condition error.

In func (cs *ConntrackConnectionStore) Poll(), two things happen in sequence:

1. in deleteIfStaleOrResetConn, we acquire the lock, reset conn.IsPresent = false for all the connections in connection map, and then release the lock (conn.IsPresent is used to describe whether the connection exist in conntrack table or not)
2. if a connection is verified to exist in the conntrack table, in AddOrUpdateConn, we acquire the lock, set conn.IsPresent = true, then release the lock

It is likely to happen, when flow exporter's timer is triggered between 1 and 2, it will grab the lock, and read a connection with IsPresent set to false. In the corresponding exported flow record, flowEndReason will be set to 3, representing the flow has ended. Here's an antrea-agent log to verify the existence of this error: log

We fix it by holding the lock until we finish 1&2.

The observation comes from the error log of flowaggregator e2e test. In the record, flowEndReason was set to 3, so the test treated the record as the last record. Pointer to test code. It computed the throughput value by totalByteCount/iperfTimeSec, without reading from the throughput field in the record, which has the correct value.

Fixes: #3650

Signed-off-by: heanlan [email protected]

[codecov-commenter]

Codecov Report

Merging #3655 (323ba53) into main (bd82ef6) will decrease coverage by 7.54%.
The diff coverage is 67.56%.

@@            Coverage Diff             @@
##             main    #3655      +/-   ##
==========================================
- Coverage   64.65%   57.10%   -7.55%     
==========================================
  Files         278      392     +114     
  Lines       39363    54823   +15460     
==========================================
+ Hits        25449    31306    +5857     
- Misses      11939    21060    +9121     
- Partials     1975     2457     +482     

Flag	Coverage Δ
integration-tests	38.39% <ø> (?)
kind-e2e-tests	52.07% <67.56%> (-0.22%)	⬇️
unit-tests	43.84% <29.72%> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/agent/flowexporter/connections/connections.go	75.75% <44.44%> (-2.27%)	⬇️
.../flowexporter/connections/conntrack_connections.go	78.92% <75.00%> (-0.39%)	⬇️
pkg/agent/openflow/service.go	72.09% <0.00%> (-11.63%)	⬇️
pkg/agent/controller/networkpolicy/reject.go	77.05% <0.00%> (-8.83%)	⬇️
pkg/controller/networkpolicy/status_controller.go	68.14% <0.00%> (-3.63%)	⬇️
pkg/controller/traceflow/controller.go	74.72% <0.00%> (-2.53%)	⬇️
pkg/log/log_file.go	70.17% <0.00%> (-1.76%)	⬇️
pkg/agent/route/route_linux.go	48.22% <0.00%> (-1.58%)	⬇️
pkg/controller/ipam/antrea_ipam_controller.go	77.55% <0.00%> (-1.54%)	⬇️
...gent/controller/noderoute/node_route_controller.go	56.15% <0.00%> (-0.97%)	⬇️
... and 123 more

[antoninbas]

Thanks for the helpful PR description.
A couple of typos there, e.g. "We fix it by hold the lock until finish 1&2." instead of "We fix it by holding the lock until we finish 1&2."

[antoninbas]

LGTM

[heanlan]

/test-all

[heanlan]

Squash the commits and rewrite the commit message...

/test-all

[dreamtalen]

LGTM except a nit.

[heanlan]

/test-all

[heanlan]

/test-networkpolicy

[heanlan]

/test-e2e

[heanlan]

/test-all

[heanlan]

/test-e2e

[heanlan]

/test-e2e
/test-networkpolicy