Routed ingress primary udn with static ips

[maiqueb]

No description provided.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign trozet for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• enhancements/network/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[maiqueb]

/cc @kyrtapz

[qinqon]

Can also be a modificable field at the UDN/CUDN, since implicitly is affecting the network

[maiqueb]

it surely can, but I think:

• that'll cause marshal/unmarshal of the (c)UDN object to cost more
• there's value in separating the concepts
• (c) UDN is an OVN-K entity. I don't see why this needs to be an OVN-K entity - OVN-K doesn't need write / read access to it. This is for the admin (or MTV, or any other introspection tool) to configure, and for the ipam-extensions to read / act upon its data

[qinqon]

btw we have see that qemu do also get configured with macAddress field on some envs, we should tackle that

[maiqueb]

IIUC you're saying there's value outside of this enhancement (preserve IP / MAC / GW net config of imported VMs to L2 overlays w/ IPAM) in allowing the MAC address of the primary UDN attachment to be configurable.

[qinqon]

I mean that configuring macAddress at the VMI interface has consequences, that we should be aware of.

[qinqon]

Also for live migration/restart we are going to have both NSE address and the ipamclaims address, we should take care of that, maybe just checking that both are the same.

[maiqueb]

that's a good point. First thing that comes to mind is we could report an error condition in the IPAMClaim + event on the pod when they differ.

[maiqueb]

This will be handled in detail in the upstream OVN-Kubernetes OKEP.

[maiqueb]

@qinqon tks for the review.

[maiqueb]

it surely can, but I think:

• that'll cause marshal/unmarshal of the (c)UDN object to cost more
• there's value in separating the concepts
• (c) UDN is an OVN-K entity. I don't see why this needs to be an OVN-K entity - OVN-K doesn't need write / read access to it. This is for the admin (or MTV, or any other introspection tool) to configure, and for the ipam-extensions to read / act upon its data

[maiqueb]

IIUC you're saying there's value outside of this enhancement (preserve IP / MAC / GW net config of imported VMs to L2 overlays w/ IPAM) in allowing the MAC address of the primary UDN attachment to be configurable.

[maiqueb]

that's a good point. First thing that comes to mind is we could report an error condition in the IPAMClaim + event on the pod when they differ.

[qinqon]

btw this CRD should be at the same "namespace" as IPAMClaim it should not be a OVN thing

[maiqueb]

hm, not 100% sure yet.

How will it work for C-UDNs ? We need the MAC:IPs association per network, which is a non-namespaced object.

Furthermore, I envision associating this pool to the network using the NAD, enabling this feature to work outside OVN-K (i.e. making it a part of k8snetworkplumbingwg, as IPAMClaims are).

[qinqon]

Sorry I mean the kind namespace, not the resource namespace like muiltus.io/IPAMClaim or the like.

[maiqueb]

OK, then I agree. I don't see a reason for this CRD to be added on OVN-K. I think we can get it on k8snetworkplumbing - as IPAMClaim is.

[tssurya]

didn't review fully , stopped at the API starting point so that i can have context for today's meeting

[tssurya]

reachability to the VM is what we are after when you say "routed" ?
routed ingress here and everywhere would be good to clarify if its simple external to pod or something else

[maiqueb]

reachability to the VM without NAT, yes.

[tssurya]

same here their own managed IP configuration rather than the CNI doing it

[maiqueb]

I read the words, but I'm afraid I don't follow what the sentence means ...
Could you clarify ?

[tssurya]

I imagine this would be the IPAM disable mode? cause once migraton is done we don't let them do any IPAM management, new ones will get random IPs from IPAM
TBD to be revisited as spoken with @maiqueb on slack

[maiqueb]

No, not at all.

IPAM disabled mode is OVN-K is 100% unaware of what IPs are in the workloads.
IP spoofing protection is off, network policies will only allow IPBlock selectors, and so forth.

[tssurya]

hmm i don't think manual population like that will be acceptable will it? for ppl bringing in 5000 vms is this even possible?

[maiqueb]

a later implementation can focus on that. E.g. introspect the src cluster (check out ARP requests / replies on the switch) and provision this on behalf of the user.

... or something like that. That should be covered on an MTV enhancement.

[tssurya]

hmm why not make IPAMClaim's v2alpha2 API AddressClaims so enhance IPAMClaim ? :D

[maiqueb]

1. that's not a centralized place with the MAC => IPs association. There's value in that. Plus, it's closer to what existing platforms provide.
2. I feel we'd do that because "there's a box we're opening already. Let's put this disjoint information into the same box, and retrieve both". I.e. we're bending what we have so we reach the goal we think we have faster.

Having said that, re-purposing IPAMClaims to something more generic is an option. I just feel we're not doing it for the right reasons. I'm afraid we might be doing it because it fits the time-frame rather than the use case.

FWIW, the issue of "importing 5000" VMs is still there if we take this route. How will the 5000 AddressClaims be provisioned ? By whom ? With what data ?

[qinqon]

Is this localnet ipamful ?

[maiqueb]

No - "As the owner of a VM running in a traditional virtualization platform, I want to import said VM into Kubernetes, attaching it to an overlay network"

[qinqon]

But is said

I want to
have managed IPs for my VMs

[maiqueb]

Yes, but I still don't see the implication.

If it helps, this is about importing a VM into a layer2 overlay with IPAM.

[qinqon]

Do we know if the ip address is at the same subnet ?

[maiqueb]

Yeah, we'll only take care of that scenario.

I'll add it to the list of non-goals.

[qinqon]

Also put at the non goals adding non default gw routes.

[maiqueb]

Done.

[qinqon]

Do we also need to preserve the other DHCP stuff like DNS servers and MTU ? like imaging that we configure DHCPOPtions with bad MTU, after the lease we may break stuff ?

[maiqueb]

I don't understand what you mean, but I think we need to keep advertising MTU / DNS / other properties as we are already doing for primary UDN.

[qinqon]

Ahh after migration virtual machine get restarted so it will take the new MTU for new system also the new DNS servers, nah all good here.

[qinqon]

The enhacement is about static IPs but we talk all over about managed IPs, is quite confusing for me, static IPs does not feel like managed IPs.

[maiqueb]

they're not. Managed IPs are about having IPAM in the UDN, while static IPs are about having the ability of specifying which IPs is your workload going to have.

I'll add a disclaimer / explanation to a nomenclature section.

[qinqon]

This is missing the step about MTV creating the VirtualMachine with macAddress field so ipam extensions can map it to IPs.

[maiqueb]

Done.

[qinqon]

This is useful always I think, for centralized and not centralized.

[maiqueb]

I'm mentioning it somewhere else that this is needed for both options, as you're pointing out.

[qinqon]

I am missing the mapping mechanism between VM and IPAMClaim

[maiqueb]

This will be elaborated on the implementation details section. Does it make sense to split it like this ?

[qinqon]

ahh ok, implementation details is the place.

[qinqon]

Do we need this to be a CIDR ?

Suggested change

	Entries map[net.HardwareAddr][]net.IP `json:"entries"`
	Entries map[net.HardwareAddr][]net.IPNet `json:"entries"`

The NSE ip request is a cidr

annotations:
    k8s.v1.cni.cncf.io/networks: '[
            {
                "name": "macvlan1-config",
                "ips": [ "10.1.1.11/24" ],
                "interface": "net1"
            }
    ]'

Maybe is dangerous to do so.

[qinqon]

That means we will need to reconcile on nad creation even if i's not attached to any VM, not sure it's worth it, I would just not include that and add if only if needed.

[maiqueb]

I think it is good information to have and present to the admin.

Still, I might flag it for an optional future improvement - since the feature itself does not require it.

Does that work for you @qinqon ?

[qinqon]

Yep, if it's not really needed, let's mark it as opìonal, we have already a lot of stuff at our plate.

[qinqon]

Show yaml with them to see typoe, reason and message.

[maiqueb]

Done.

[qinqon]

As said this is a not needed extra work that need a new reconcile logic to keep this up to date.

[maiqueb]

Listed these as optional improvements for improving the UX.

[qinqon]

Maybe we can put here the alternative of chaning kubevirt VMI api ? stating the problems with ip pool depletion and stuff

[maiqueb]

Good point. I'll refer that alternative. FWIW, I assume you're mentioning adding an IP / IPRequests attribute to the KubeVirt Interface definition.

[qinqon]

yep, thanks.

[maiqueb]

@qinqon please take another look

[maiqueb]

Done.

[maiqueb]

This will be elaborated on the implementation details section. Does it make sense to split it like this ?

[maiqueb]

Tried to disambiguate by pointing at the KubeVirt API reference attribute where the MAC is actually defined.

[maiqueb]

This will be handled in detail in the upstream OVN-Kubernetes OKEP.

[maiqueb]

Done.

[maiqueb]

Done.

[maiqueb]

Done.

[maiqueb]

Done.

[maiqueb]

Done.

[maiqueb]

Done.

[maiqueb]

@qinqon please keep me honest here.

[qinqon]

@maiqueb we have see hypershift customers asking for fixed IPs, but I think that is different kind of animal to what we need with MTV, feels more of a possible centralized approach although hypershift VMs name and mac is randomtly generated.

[qinqon]

VMs + ipv6 + default gw is a big issue.

[qinqon]

This is still very confusing to me, like this case we import the VM, but users are fine with ovn-kubernetes assigning IPs ?

[maiqueb]

No - users want to specify their IPs.

But OVN-K is fully aware of which IPs are in which pods, thus it can have network policies (with pod / namespace selectors) and have IP spoofing protection enabled.

I'll try to reword the user story.

[maiqueb]

I think I'll drop it, I think this user story is represented in the other two:

• As the owner of a VM running in a traditional virtualization platform, I want
  to import said VM - whose IPs were statically configured - into Kubernetes,
  attaching it to an overlay network. I want to ingress/egress using the same IP
  address (the one assigned to the VM).
• As the owner of a VM running in a traditional virtualization platform, I want
  to import said VM into Kubernetes, attaching it to an overlay network. I want to
  be able to consume Kubernetes features like network policies, and services, to
  benefit from the Kubernetes experience.

[qinqon]

Ahh after migration virtual machine get restarted so it will take the new MTU for new system also the new DNS servers, nah all good here.

[qinqon]

ahh ok, implementation details is the place.

[qinqon]

Nah all good, I was just pointing out stuff that was missing, but if it's going to be clarified I am all good.

[qinqon]

Don't use the word "attachment" since it's confusing with the multus idiom.

[qinqon]

Should we fail if the VMI has macAddress but there is no entry at the mac -> ip mapping ?, like maybe the admin forgot so VM keeps trying and then after admin fix the issue vm is corrected.

Also we have to think about ippool mutability, like maybe we should be able to add new entries but not to modify or remve them ?

[maiqueb]

Should we fail if the VMI has macAddress but there is no entry at the mac -> ip mapping ?, like maybe the admin forgot so VM keeps trying and then after admin fix the issue vm is corrected.

For this scenario, I think we should just create the request for the MAC to be preserved. I.e. you'd get the original VM MAC, but an IP that was assigned by the primary UDN IP allocator.

This is getting into the behavior we expect, we should iron this out ASAP.

@tssurya / @kyrtapz thoughts ?

Also we have to think about ippool mutability, like maybe we should be able to add new entries but not to modify or remve them ?

For that we should consider what we want the pool for: e.g. do we want to sync the pool also w/ the dynamic allocations ? That would be good for observability - but it is IMHO a follow-up feature we may want to pursue.

That would require the pool to be subject to updates.

Having the pool immutable (only data provisioned during creation) would only allow you to fulfill the importing use case.

We should also consider that if we want to be able to create a VM attached to a primary UDN with a dedicated MAC / IP addresses we need the pool to be mutable.

We need to get our goals set up ASAP.

What are your thoughts @tssurya @kyrtapz ?

[qinqon]

Is the fact that networkName ippool field is not indexed a problem ? at the end ipam extensions will have to iterate them instead of using "List", but I understand that they will be at the informer's cache.

[maiqueb]

Is the fact that networkName ippool field is not indexed a problem ? at the end ipam extensions will have to iterate them instead of using "List", but I understand that they will be at the informer's cache.

It is what it is ... we either use label selectors, we list then filter, or we associate using a different mean - i.e. point at the NAD or cluster UDN name (both are bad IMHO).

I'm going with what I think is the least worse option. Maybe relying on selectors is not that bad though ...

Waiting for more feedback.

[qinqon]

Maybe we can show an example with it ?

apiVersion: v1
kind: Pod
metadata:
  name: pod-example
  annotations:
    v1.multus-cni.io/default-network: '{
      "name": "isolated-net",
      "namespace": "myisolatedns",
      ...
     "default-route":[
        "192.0.2.5",
        "fd90:1234::5"
      ]
}'

[maiqueb]

that's really not what I mean here - you're showing the network selection element for the multus default network.

I'm saying the NAD should have a place for the user to indicate which GW to use on all attachments to that network. I don't see how showing an NSE can be an example of that.

[kyrtapz]

@trozet @tssurya @maiqueb
We need to get clarity on whether this is a requirement for this enhancement.
We talked about it offline and we do not see this as a must for importing VMs.

[maiqueb]

tks for catching @kyrtapz ; yes, I think this should be moved to future goals or something (since it seems to be about supporting evpn / networks spanning multiple clusters use-cases).

[maiqueb]

Done.

[kyrtapz]

My understanding is that the gateway IP we want to allow the user to specify is the one of the UDN, we do not want to allow each imported VM to specify it's own. Could you clarify that here?

[maiqueb]

not sure how to do that, but I'll try.

FWIW, yes: the idea is to specify the gateway of the network - i.e. the GW of each workload attached to the network will be the same.

[kyrtapz]

Is this a limitation of MTV?

[maiqueb]

no, this simply is being requested in a different epic, which we have not prioritized.

[mnecas]

MTV can migrate powered-off VMs to which we don't have IPs.
We do require the IPs to preserve static IPs but users can still skip it.

[EdDev]

MTV can migrate powered-off VMs to which we don't have IPs.

AFAIK there are solution which set IP addresses explicitly on the management system that apply on VMs that come up (through DHCP or cloudinit). We do not have such users that expect it to pass to OCP-V?

@maiqueb , is it possible to specify from where we learn what is the configuration used (IP, etc)? If we do not know at the moment, maybe specify that it is expected as input. WDYT?

[kyrtapz]

Do you think it is worth it to specify that we are not going to support "live" migrating VMs? i.e importing VMs without a reboot.

[maiqueb]

I don't, but I've added it. Better now ?

[kyrtapz]

Not sure I understand this note, is it the same as https://github.com/openshift/enhancements/pull/1793/files#diff-ef7ea92bb7f0198174529787f912ec7898b84fa65e3e1b102ce30ed76735ab43R90-R91?

[maiqueb]

yes, it's the same one.

What don't you understand ?

Do you recommend any course of action ? I can drop one of the entries if that makes it less confusing.
@kyrtapz

[kyrtapz]

The de-cetralized approach described here changes how CNV integrates with OVN-K.
There would no longer be a need to pass the IP/MAC requests through the v1.multus-cni.io/default-network annotation.

[maiqueb]

Yes. It would just do what it does today, read the ipam-claim-reference from an annotation, and attempt to consume the data present in the IPAMClaim.

[kyrtapz]

This CRD would be cluster scoped and limited to work with cluster UDNs only?
Are there any specific reasons limiting it to cluster UDNs?

[maiqueb]

This CRD would be cluster scoped and limited to work with cluster UDNs only?

Yes.

Are there any specific reasons limiting it to cluster UDNs?

The entire feature is scoped to cluster UDNs because that's the type of CRD that works for BGP.

[kyrtapz]

De-centralized IP management chapter states that the IPAMClaimSpec would also include the MAC address, it's missing here.

[maiqueb]

Well, not sure .

I say the following:

This approach requires having N CRs with a 1:1 association between a primary
UDN attachment and the MAC and IPs it had on the original platform.

We could either introduce a new CRD with IPs and MAC association (which would
deprecate the IPAMClaim CRD), or, assuming clunkiness in all its glory, we
could change the IPAMClaim CRD to have MAC and IP addresses being requested in
the spec stanza as well.

I'll add these to the IPAMClaimSpec object, but I do think this is the least preferred option.

I'd even rather have a new CRD with the required info in it, and deal with the upgrade issues, than having this clunky API. IMHO we're putting things here because it suits the design, not because the API actually makes sense.

[mnecas]

Yes, you don't need to be a cluster admin to use MTV, we have MTV roles which specify the minimal requirements to operate.

[mnecas]

MTV can migrate powered-off VMs to which we don't have IPs.
We do require the IPs to preserve static IPs but users can still skip it.

[mnecas]

Yeah MTV has this MAC:IP mapping, for the static IPs we even know this from the guest level, but that doesn't apply here.

[mnecas]

I know it's not goal for this, but MTV will need to manage these resources aswell for the live migration.
And if Kubvirt is not exposing the IP:MAC it might be problematic.

[mnecas]

MTV could start applying some annotation right now and we could remap it to the CR later. We are migrating lot of VMs right now and this might take some time to implement and deliver it to the customer. So in the meanwhile we could start preparing the VMs for this Feature. WDYT?

[maiqueb]

That would be nice.

I want to run a PoC with the multus default net annotation to see how it plays along if we define a VM with that.

I'll report the findings ASAP.

[qinqon]

@maiqueb @mnecas I can confirm that KubeVirt do not filter out the default-network annotation.

[maiqueb]

Right, it does not.

I have also to say there's a check in place that prevents the users from setting an IP via the NSE annotation and providing an ipam-claim-reference in it. We need to relax that constraint if we take this route.

[mnecas]

Please give me some annotation example, maybe you could have a controller that would consume that annotation and create the necessary CRs, and cleanup the annotation from VM CR.

[maiqueb]

this would be the annotation you would set on your VM.spec.template:

        v1.multus-cni.io/default-network: '[{
          "name": "pony",  # you'll need a NAD with this name on the "blue" namespace
          "namespace": "blue", # this is the namespace where the VM will be created / imported
          "mac": "02:03:04:05:06:07",
          "ips": [
            "10.0.0.5/24"
          ]
        }]'

[maiqueb]

@mnecas threw me on a different course; what if:

• MTV templated the VM with the multus default network annotation (featuring both IPs and MAC requests, like the example in this comment. - KubeVirt does what it does today: carry over the VM's template metadata annotations to the pod's metadata annotations (i.e. the pod would be templated w/ the multus default network annotation)
• the ipam-extensions webhook mutates the launcher pod, adding to this annotation the ipam claim reference (OR it keeps using the current annotation ...)
• OVN-Kubernetes would apply the IPs / MAC requested on the NSE; it would persist that IP in the status of the IPAMClaim it was pointed to by the webhook.

This is a flow that doesn't require nor the IPPool CRD, nor updates to the IPAMClaim spec.
Pure profit. (... until we spot why it's a bad idea ... 😅 )

@qinqon / @kyrtapz

[mnecas]

I would be careful about global/centrilized VM configs, as there can be many VM and the CR might run out of size.

[maiqueb]

the max size of the CR is 1.5 MBi (by default) - which is AFAIU defined in the etcd configuration.

We should at least have a slight notion of how many MAC <=> IPs that can hold.

But for sure this is an argument against having a centralized place to store this info - tks for raising.

[mnecas]

yeah MTV hit that limit quite easily we have limit of migrating 500 VMs at once.
So don't underestimate perf/scale team

[mnecas]

From MTV's perspective, we are capable of doing both centralised and decentralised. Personally, I would lean more towards the decentralised. The centralised would have a lot of collisions when updating the CR. MTv can migrate lot of VMs at once.

[mnecas]

That said I would focus more on user experience, and if you will say that it's better for users to have it at one place we will manage it.

[maiqueb]

From MTV's perspective, we are capable of doing both centralised and decentralised. Personally, I would lean more towards the decentralised. The centralised would have a lot of collisions when updating the CR. MTv can migrate lot of VMs at once.

Still it can compute everything and perform a single write.

[mnecas]

Should MTV map also the IPv6 MAC?

[maiqueb]

I don't think we need to care about ipv6 LLAs - unless that's the old gateway.

As I see it, you'd just have a place in the C-UDN to define what was the network's old gateway, and you'd tell your workloads to forget about it.

We would only allow migrating from IPv6 networks with a single GW per network though ... if the workloads are using the IPv6 LLAs on the nodes where they run (I don't know how they implement this) we'd not be able to do it, since each workload might have a different GW.

[maiqueb]

@qinqon ^ FYI

[qinqon]

@maiqueb I was thinking the other day that maybe instead of removing gateway paths with the RA lifetime=0 trick we can do the following, depending on the ipv6 gateway IP nature:

• if it's global (ip from the subnet) we configure it as gateway router "Networks" like ipv4
• if it's a LLA maybe we can add it to gateway router Networks as /128 so VM's path is still valid, also the gateway router Networks will have the subnet .1 too.

What do you think ? we have to confirm with OVN people if we can configure /128 Networks at gateway router.

Also if in the future we go with transit router topology change we will be able to configure one mac fo all the nodes as the gateway then MTV importing the gateway mac make sense.

[maiqueb]

@maiqueb I was thinking the other day that maybe instead of removing gateway paths with the RA lifetime=0 trick we can do the following, depending on the ipv6 gateway IP nature:

* if it's global (ip from the subnet) we configure it as gateway router "Networks" like ipv4

Is that even possible ? Won't it advertise the LLA of the interface even when the ip from the subnet is defined in the LRP ?... I thought so.

* if it's a LLA maybe we can add it to gateway router Networks as /128 so VM's path is still valid, also the gateway router Networks will have the subnet .1 too.

What's the advantage of this over forgetting the old gw and adjusting to the new ? If possible, I'd like to have a single code path that works for all scenarios.

What do you think ? we have to confirm with OVN people if we can configure /128 Networks at gateway router.

Also if in the future we go with transit router topology change we will be able to configure one mac fo all the nodes as the gateway then MTV importing the gateway mac make sense.

I still don't get what's the advantage that would bring, would you elaborate ? As I see it, since the VMs have to restart when they are imported, I don't see any advantage here.

[qinqon]

@maiqueb I was thinking the other day that maybe instead of removing gateway paths with the RA lifetime=0 trick we can do the following, depending on the ipv6 gateway IP nature:

* if it's global (ip from the subnet) we configure it as gateway router "Networks" like ipv4

Is that even possible ? Won't it advertise the LLA of the interface even when the ip from the subnet is defined in the LRP ?... I thought so.

Yes, and that's why VM will still have a multipath ipv6 gateway, but both paths will be point to the same mac, OVN will also answer the NDP to discover the mac of the original ipv6 global IP gateway.

* if it's a LLA maybe we can add it to gateway router Networks as /128 so VM's path is still valid, also the gateway router Networks will have the subnet .1 too.

What's the advantage of this over forgetting the old gw and adjusting to the new ? If possible, I'd like to have a single code path that works for all scenarios.

The advantage is that we then don't need to send the lifetime=0 RAs and we do like on ipv4, we set the gatway router Network with it.

What do you think ? we have to confirm with OVN people if we can configure /128 Networks at gateway router.
Also if in the future we go with transit router topology change we will be able to configure one mac fo all the nodes as the gateway then MTV importing the gateway mac make sense.

I still don't get what's the advantage that would bring, would you elaborate ? As I see it, since the VMs have to restart when they are imported, I don't see any advantage here.

As said just the fact that we will not need to send the lifetime=0 RAs.

[maiqueb]

@maiqueb I was thinking the other day that maybe instead of removing gateway paths with the RA lifetime=0 trick we can do the following, depending on the ipv6 gateway IP nature:

* if it's global (ip from the subnet) we configure it as gateway router "Networks" like ipv4

Is that even possible ? Won't it advertise the LLA of the interface even when the ip from the subnet is defined in the LRP ?... I thought so.

Yes, and that's why VM will still have a multipath ipv6 gateway, but both paths will be point to the same mac, OVN will also answer the NDP to discover the mac of the original ipv6 global IP gateway.

IIUC, you're suggesting solving the "importing GW MAC" instead of forgetting old gateway (assuming it is needed - @kyrtapz made me wonder about that, we really don't know if the old IPv6 default route survives a VM restart).

* if it's a LLA maybe we can add it to gateway router Networks as /128 so VM's path is still valid, also the gateway router Networks will have the subnet .1 too.

What's the advantage of this over forgetting the old gw and adjusting to the new ? If possible, I'd like to have a single code path that works for all scenarios.

The advantage is that we then don't need to send the lifetime=0 RAs and we do like on ipv4, we set the gatway router Network with it.

But we already have the code to do that. I'd rather re-use existing "fixes" than having to come up with solutions for different problems. I'd really rather not have to care about the gateway MAC address unless it is required. Generally speaking, I'd rather re-use the solution to a problem I know I can solve, than focusing on solving a new optional problem with a different solution.

What do you think ? we have to confirm with OVN people if we can configure /128 Networks at gateway router.
Also if in the future we go with transit router topology change we will be able to configure one mac fo all the nodes as the gateway then MTV importing the gateway mac make sense.

We can tackle it as part of that epic when it is prioritized. Prematurely optimizing for a feature we don't know when / if will be prioritized does not sound good (to me).

I still don't get what's the advantage that would bring, would you elaborate ? As I see it, since the VMs have to restart when they are imported, I don't see any advantage here.

As said just the fact that we will not need to send the lifetime=0 RAs.

But we already have code for that.

[qinqon]

Since MTV do not support IPv6 yet and we have found that routed get ditched on restart maybe we can skip this and when time comes implement IPv6 missing features for gateway (for example if by that time we are doing a live migration insteaf of restart).

[mnecas]

Will the DuplicateMACAddresses block VM creation?
Bit worried about cross namespace migrations.

[maiqueb]

IMHO it should, but this would only happen if there are duplicates in your network.

i.e. if you have two primary UDNs (one for each namespace) you can have the same MAC in both namespaces / networks.

But if you have a cluster UDN interconnecting two namespaces, you must have unique MACs in your network.

I don't see how you'll end up in this situation if you didn't have MAC collisions in the source cluster ... Unless you're mapping your networks wrong.

Could you elaborate on how we would reach this scenario ?

[mnecas]

As of the moment MTV is using the VirtualMachineExport [1] to migrate between cluster and namespaces.
In future we will be live migrating the VMs. During these migrations we will preserve the MACs so I'm bit worried that this could cause problems in future.
[1] https://kubevirt.io/user-guide/storage/export_api/

[maiqueb]

Yes, but unless said VMs already had duplicate MACs on the source cluster, they won't have duplicate MACs in the dst cluster, right ?

Keep in mind we're (kind of ...) attempting to re-create the network that existed in the source cluster - we don't have L2 connectivity to it.

[RamLavi]

I would also add a Pro: it would be easier to spot nasty duplicate IPs that can cause unintended traffic behavior.
(not saying I prefer this approach of course)

[qinqon]

Add a possible improvement of annotating VM with default-network

[qinqon]

Should we add that we are not going to support ip overlapping since we are using BGP without EVPN ?

[maiqueb]

I would assume that to be a limitation of the BGP integration w/ primary UDN.

Let them call that out.

If you insist, I can add a short sentence about it though.

[qinqon]

Should we add multus ?

[maiqueb]

I don't think so - there's nothing we need to design / implement in multus.

[qinqon]

Should we mention ipv6 as non goal, kind of extra mile since MTV do not support it.

[maiqueb]

we could ... still, nothing in the solution being presented here is IPv4 centric ..

it would work with IPv6 if the client app (MTV) managed to instruct which MACs and IPs to use.

[EdDev]

If some component/product supports something or not should be less relevant to the "need".
Is this needed by the user stories / users, that is the focus that needs to be expressed IMO in this section.

IPv6 has implications on implementation in some cases and possible requirements or limitations on the guest. I would prefer to have this proposal covering IPv6 as well, but if it requires follow up work, then I would recommend to emphasize it explicitly.

[qinqon]

We have mention the possibility of excluding "name" and "namespace" and ipam extensions adding it, this way users do not need to know the ovn-kubernetes namespace

'[{
          "name": "default",
          "namespace": "openshift-ovn-kubernetes",
          "mac": "02:03:04:05:06:07",
          "ips": [
            "10.0.0.5/24"
          ]
        }]

[maiqueb]

it's not a bad idea - that'd allow MTV to only care about MACs and IPs.

How would we configure this in ipam-ext ? A configuration knob ?

[qinqon]

It's kind of defaulting, for ipam extensions if there is no "name" then it's "default" or if there is no "namespace" then it's the namespace where ovn-kubernetes is living (it will have to discover it).

[maiqueb]

hm, I'd rather have a configuration knob to do that.

i.e. the operator that deploy the component should be aware of this, and pass the information along.

having to figure out where ovn-k is living is IMHO more work than adding configuration.

Still, it's a good alternative.

We need to listen for feedback. @kyrtapz / @tssurya / @trozet thoughts ?

[qinqon]

@maiqueb we have see hypershift customers asking for fixed IPs, but I think that is different kind of animal to what we need with MTV, feels more of a possible centralized approach although hypershift VMs name and mac is randomtly generated.

[qinqon]

If the customers want centralized it can be implemented later on and it will annotate the VM with needed stuff.

[maiqueb]

for sure.

[qinqon]

I have added a comment bellow doing this but with annotations, maybe is not a bad option, this way we don't differenciate between primary and secondaries that's done by ipam extensions.

[maiqueb]

for that to happen, we'd need to have a network dimension in the annotations, which your proposal lacks.

Could you update it ?

Maybe it's worth pursuing. I just assumed that using existing structures would streamline the development - I could be persuaded to adding yet another struct that looks like a trimmed down network selection element.

[qinqon]

The default-network approach is de-centralized too, we should say that this is the CRD backed de-centralized ip management, where the IP and MAC are at the CRD instead of default-network annotation.

[maiqueb]

Do we really need to add more nomenclature for keeping track of discarded options ?

[qinqon]

We should not support updating gateway field right ? like MTV will create new UDNs for the VMs.

[maiqueb]

yeah, pretty much anything in UDN / C-UDN is immutable right now.

[RamLavi]

why not let MTV/other create the v1.multus-cni.io/default-network annotation, and ipam-ext will only add the ipamClaimReference?
why should we add the MAC to VMI.Spec.Domain.Devices.Interfaces? I think it would get kubemacpool involved. I don't think we do that now on primary-udn right now. Am I mistaken?

[maiqueb]

why not let MTV/other create the v1.multus-cni.io/default-network annotation, and ipam-ext will only add the ipamClaimReference?

that's my proposal, isn't it ?

why should we add the MAC to VMI.Spec.Domain.Devices.Interfaces? I think it would get kubemacpool involved. I don't think we do that now on primary-udn right now. Am I mistaken?

Isn't this what MTV does ? @mnecas please keep me honest.

kubemacpool should stay away from this.

[RamLavi]

@maiqueb can you please be explicit as to what MTV does exactly? is it just:

1. set the v1.multus-cni.io/default-network annotation
2. set the VM's VM.Spec.Template.Spec.Domain.Devices.Interfaces with the MAC

kubemacpool should stay away from this.

Setting the VM's (not VMIs) interface's MACs on the interfaces will get kubemacpool involved. it will cache the MACs and will prevent duplications if needed.
The only way to prevent KMP from doing this is to manually opt-out the namespace.

[maiqueb]

@maiqueb can you please be explicit as to what MTV does exactly? is it just:

1. set the `v1.multus-cni.io/default-network` annotation

2. set the VM's VM.Spec.Template.Spec.Domain.Devices.Interfaces with the MAC

Let's have @mnecas reply to this.

kubemacpool should stay away from this.

Setting the VM's (not VMIs) interface's MACs on the interfaces will get kubemacpool involved. it will cache the MACs and will prevent duplications if needed. The only way to prevent KMP from doing this is to manually opt-out the namespace.

I don't want to change what MTV does today - if it sets that MAC on the interfaces, it'll still do it. If it doesn't, well, let's keep it that way.

All I want is for the annotation to be there, which is the only thing the ipam-extensions will care about.

[RamLavi]

I don't want to change what MTV does today - if it sets that MAC on the interfaces, it'll still do it. If it doesn't, well, let's keep it that way.
All I want is for the annotation to be there, which is the only thing the ipam-extensions will care about.

just be aware that the way CNV is deployed now - if the VM's MAC is involved then KMP will also be in the game, so might never be able to recreate a duplicate MAC scenario.

[mnecas]

yeah we are already adding the mac to the interfaces

[maiqueb]

@RamLavi thus, what I understand from @mnecas reply, is that if we import a VM whose MAC already exists in the network kubemacpool will prevent it somehow.

@kyrtapz maybe we could relax the MAC duplicates part ?... AFAIU we only need to ensure the MAC of the GW is not in use in the logical network.

[RamLavi]

mmm thinking about this again - I was wrong. KMP will not interfere, beacause the VM's interface is neither masq nor the corresponding network is set to multus (see here).

[qinqon]

Are we also going to denote mac collision at the IPAMClaim status ? is so we have to define it here.

[maiqueb]

Hm ... didn't think of that.

It would be useful, at least for persisting the error ...

Still, I'd rather keep anything MAC related out of the IPAMClaim.

Meaning, the answer is no - unless we come up w/ compelling reasons to do it.

[JoelSpeed]

What is a net.HardwareAddr? I suspect we will need to find a way to represent and validate this within the API as a string rather than using a net type

[JoelSpeed]

Will it always be a Pod that is the owner of this IPAMClaim? Are there any other properties you might want to include about the ownership, for example, a lastTransitionTime?

Is it possible for an IPAMClaim to be unowned? How would you represent an unowned IPAMClaim? Would that be a condition?

[maiqueb]

All claims are created without an owner.

When the CNI's IPAM component allocates an IP address for the pod, it'll update the IPAMClaim status.IPs and also the status.OwnerPod.

Meaning, a claim without owner is represented by an empty (or missing) OwnerPod.

[JoelSpeed]

I assume that the ownerPod cannot change over time? Have you considered making this immutable once set?

[maiqueb]

No, it surely can mutate.

Take into account the following virt use cases:

• vm live migration: a new pod is scheduled on the target node. the live VM is copied from the src pod to the dst pod. If the migration is successful, the VM then runs in the dst pod. We would need to mutate the owner pod, now indicating it is owned by the dst pod.
• vm stopped: we want to stop a VM, but we don't want to lose that IP assignment. Once the VM is started again, it will run in a new pod, and we'll have to set that as the IPAMClaim owner pod. Probably we'd want to remove the owner pod value when the vm is stopped.

[JoelSpeed]

Ack that makes sense.

So I'm wondering if there are additional properties that the user might want to know about the owner pod, rather than just its name

Does the namespace matter? Does it matter when that owner pod was last changed? Anything about the pod status itself?

Would it make sense to make this a struct, so we at least have the option of adding additional information about the owner later

[maiqueb]

Ack that makes sense.

So I'm wondering if there are additional properties that the user might want to know about the owner pod, rather than just its name

Does the namespace matter? Does it matter when that owner pod was last changed? Anything about the pod status itself?

No the namespace doesn't matter - the IPAMClaim must be in the same namespace of the pod for this to work.

Would it make sense to make this a struct, so we at least have the option of adding additional information about the owner later

This would be a nice addition - as you say, we can later on extend it to include more info - e.g. the timestamp where pod XYZ "claimed" the claim.

[JoelSpeed]

Where does this API actually live? Is there a WIP PR that we can work on to work out validations and markers that are appropriate (e.g. the SSA listType=map markers are missing here)

[maiqueb]

here it is @JoelSpeed
https://github.com/k8snetworkplumbingwg/ipamclaims/blob/main/pkg/crd/ipamclaims/v1alpha1/types.go

[JoelSpeed]

Has this had any upstream API review at all? It might be worthwhile creating a DNM PR to o/api and then we can go through rounds of API review there to help get the API validations/documentation/shape into a convention happy place

[JoelSpeed]

Out of interest, have you ever looked at/compared this to how ClusterAPI is managing IPAM? It looks fairly similar

[maiqueb]

no ... would you point me in the right direction ? Do you have some links at hand, or can point me towards who would know how to get them ?

[JoelSpeed]

There are some details in https://cluster-api.sigs.k8s.io/developer/providers/contracts/ipam

@rvanderp3 has an implementation of the contract in https://github.com/rvanderp3/machine-ipam-controller/blob/main/pkg/apis/ipamcontroller.openshift.io/v1/types.go

There may be little overlap in the end but thought I'd call out that there are others creating IPPool types and show how they are working.

The Machine creates an IPAddressClaim, and then the controller in the referenced IPPool is responsible for populating the IPAddressClaim with the allocated IP address, and of course freeing that from the pool when deleted

[openshift-ci]

@maiqueb: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[EdDev]

Posting a small feedback on the motivation/reasoning section.
Continuing to the proposal.

[EdDev]

Attaching to the overlay network is a requirement or solution?
Is it possible to phrase it in a way we understand the need to use an overlay network vs something like localnet?

Based on the overview/summary, my understanding is that it comes from the existing situation where everything is managed for them by the solution (vs having a self managed separate network solution).
Do I understand it right?

It may also be more accurate if it is mentioned that the IP addresses are statically configured by the VM operator but uses dynamic methods to apply it on the guest (e.g. DHCP).

[EdDev]

I understand why the IP and gateway needs to be preserved in case the guest configuration for these settings is statically configured.
It is less trivial why the MAC needs to be preserved.
Any chance the reason can be mentioned? I am asking about this because some reasons are local (e.g. the OS used can detect wrongly a mac change as a new NIC) and some may be "remote" (e.g. some access rule on a network device/machine or a DHCP record that assigns sticky addresses).

[EdDev]

There are some IP details that are missing and it would be nice to be explicit about them:

• Is this referring to both IPv4 and IPv6?
• What about DNS entries?
• What about custom routes in general? (e.g. to reach 10.10.0.0/16, pass through 192.168.1.1).

[EdDev]

If some component/product supports something or not should be less relevant to the "need".
Is this needed by the user stories / users, that is the focus that needs to be expressed IMO in this section.

IPv6 has implications on implementation in some cases and possible requirements or limitations on the guest. I would prefer to have this proposal covering IPv6 as well, but if it requires follow up work, then I would recommend to emphasize it explicitly.

[EdDev]

MTV can migrate powered-off VMs to which we don't have IPs.

AFAIK there are solution which set IP addresses explicitly on the management system that apply on VMs that come up (through DHCP or cloudinit). We do not have such users that expect it to pass to OCP-V?

@maiqueb , is it possible to specify from where we learn what is the configuration used (IP, etc)? If we do not know at the moment, maybe specify that it is expected as input. WDYT?