Add shutdown listener

[mogren]

*Issue #608, #401

Description of changes:

Some changes to reduce the risk of leaking ENIs during CNI upgrades.

• Added shutdown listener for SIGTERM and SIGINT.
• Use exec /app/aws-k8s-agent to start the agent in order to propagate signals.
• Stop detaching ENIs if ipamd is about to shut down.
• Stop attaching ENIs and IPs if node is about to shut down.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[jaypipes]

Code lgtm. Couple minor suggestions, nothing major.

[jaypipes]

you could just make this an int32 and then when doing the atomic.StoreInt32() call below, just refer to the address of this field, like so:

atomic.StoreInt32(&c.terminating, 1)

[mogren]

Good idea, makes it cleaner. (Was testing the concept first with a boolean, but that's not thread safe.)

[jaypipes]

that way you wouldn't need the above line or temporary variable.

[mattmb]

@mogren @jaypipes do you think this maybe needs to be extended to prevent ipamd making any other updates in addition to the ENI updates? I'm currently debugging some weirdness and spotted some updates being made after a SIGTERM which led me here. Are you sure that if we SIGKILL at any point things will always reconcile cleanly on the next start?

[jayanthvn]

@mogren @jaypipes do you think this maybe needs to be extended to prevent ipamd making any other updates in addition to the ENI updates? I'm currently debugging some weirdness and spotted some updates being made after a SIGTERM which led me here. Are you sure that if we SIGKILL at any point things will always reconcile cleanly on the next start?

Hi @mattmb - Can you please expand more on what other updates you are seeing?

[mattmb]

I don't have a full conclusion yet @jayanthvn but will keep you posted if I find something conclusive. This is more of a hunch right now so just interested if the design of the shutdown process has been thought about before. In our infra we issue certificates to auth IPAMd to k8s and when we renew them we have to restart IPAMd. In addition we had a config management bug where we were doing an unnecessary restart quite soon after boot. One symptom I've seen is stale IP rules that seem to be left behind when the Pod itself was terminated some time ago. Here's an example log from one host I was debugging that shows quite a bit of activity after the sigterm before the sigkill:

{"level":"info","ts":"2022-04-19T09:07:34.994-0700","caller":"runtime/asm_amd64.s:1371","msg":"Received shutdown signal, setting 'terminating' to true"}
{"level":"info","ts":"2022-04-19T09:08:01.859-0700","caller":"ipamd/ipamd.go:705","msg":"Deleted ENI(eni-09d937e6f7f9eddc1)'s IP/Prefix 172.20.89.61/32 from datastore"}
{"level":"info","ts":"2022-04-19T09:08:01.859-0700","caller":"ipamd/ipamd.go:705","msg":"Deleted ENI(eni-09d937e6f7f9eddc1)'s IP/Prefix 172.20.71.58/32 from datastore"}
{"level":"info","ts":"2022-04-19T09:08:01.859-0700","caller":"ipamd/ipamd.go:705","msg":"Deleted ENI(eni-09d937e6f7f9eddc1)'s IP/Prefix 172.20.101.159/32 from datastore"}
{"level":"info","ts":"2022-04-19T09:08:01.859-0700","caller":"ipamd/ipamd.go:1961","msg":"Trying to unassign the following IPs [172.20.89.61 172.20.71.58 172.20.101.159] from ENI eni-09d937e6f7f9eddc1"}
{"level":"error","ts":"2022-04-19T09:08:04.055-0700","caller":"ipamd/ipamd.go:640","msg":"Error finding unassigned IPs for ENI eni-0f88ba0d81e64b3c6"}
{"level":"info","ts":"2022-04-19T09:08:09.753-0700","caller":"rpc/rpc.pb.go:519","msg":"Received DelNetwork for Sandbox 735dd25330d30a0b2f936bdfd52395c6ce6309af89b0fe0514d5cbba9b7f40e3"}
{"level":"info","ts":"2022-04-19T09:08:09.753-0700","caller":"datastore/data_store.go:1008","msg":"UnAssignPodIPv4Address: Unassign IP 172.20.99.254 from sandbox aws-cni/735dd25330d30a0b2f936bdfd52395c6ce6309af89b0fe0514d5cbba9b7f40e3/eth0"}
{"level":"info","ts":"2022-04-19T09:08:09.754-0700","caller":"ipamd/rpc_handler.go:204","msg":"UnassignPodIPv4Address: sandbox aws-cni/735dd25330d30a0b2f936bdfd52395c6ce6309af89b0fe0514d5cbba9b7f40e3/eth0's ipAddr 172.20.99.254, DeviceNumber 1"}
{"level":"info","ts":"2022-04-19T09:08:09.754-0700","caller":"rpc/rpc.pb.go:519","msg":"Send DelNetworkReply: IPv4Addr 172.20.99.254, DeviceNumber: 1, err: <nil>"}
{"level":"info","ts":"2022-04-19T09:08:13.707-0700","caller":"rpc/rpc.pb.go:519","msg":"Received DelNetwork for Sandbox a48196fc6d713fd542aa0305d9d47001dc962879c74a546f8034e00d687d6c8b"}
{"level":"info","ts":"2022-04-19T09:08:13.707-0700","caller":"datastore/data_store.go:1008","msg":"UnAssignPodIPv4Address: Unassign IP 172.20.77.92 from sandbox aws-cni/a48196fc6d713fd542aa0305d9d47001dc962879c74a546f8034e00d687d6c8b/eth0"}
{"level":"info","ts":"2022-04-19T09:08:13.707-0700","caller":"ipamd/rpc_handler.go:204","msg":"UnassignPodIPv4Address: sandbox aws-cni/a48196fc6d713fd542aa0305d9d47001dc962879c74a546f8034e00d687d6c8b/eth0's ipAddr 172.20.77.92, DeviceNumber 1"}
{"level":"info","ts":"2022-04-19T09:08:13.707-0700","caller":"rpc/rpc.pb.go:519","msg":"Send DelNetworkReply: IPv4Addr 172.20.77.92, DeviceNumber: 1, err: <nil>"}
{"level":"info","ts":"2022-04-19T09:08:33.712-0700","caller":"retry/retry.go:70","msg":"Successfully deleted ENI: eni-0dcb02a83ec89ab00"}
{"level":"error","ts":"2022-04-19T09:08:34.060-0700","caller":"ipamd/ipamd.go:640","msg":"Error finding unassigned IPs for ENI eni-0f88ba0d81e64b3c6"}
{"level":"info","ts":"2022-04-19T09:09:04.066-0700","caller":"ipamd/ipamd.go:705","msg":"Deleted ENI(eni-09d937e6f7f9eddc1)'s IP/Prefix 172.20.107.40/32 from datastore"}
{"level":"info","ts":"2022-04-19T09:09:04.066-0700","caller":"ipamd/ipamd.go:705","msg":"Deleted ENI(eni-09d937e6f7f9eddc1)'s IP/Prefix 172.20.72.208/32 from datastore"}
{"level":"info","ts":"2022-04-19T09:09:04.066-0700","caller":"ipamd/ipamd.go:1961","msg":"Trying to unassign the following IPs [172.20.107.40 172.20.72.208] from ENI eni-09d937e6f7f9eddc1"}
{"level":"error","ts":"2022-04-19T09:09:04.774-0700","caller":"ipamd/ipamd.go:640","msg":"Error finding unassigned IPs for ENI eni-0f88ba0d81e64b3c6"}
{"level":"info","ts":"2022-04-19T09:09:05.054-0700","caller":"aws-k8s-agent/main.go:28","msg":"Starting L-IPAMD v1.9.1-2-g8ae2e186  ..."}