Currently, the default CNI config dir is /etc/cni/multus/net.d [1].
However, pods do not mount this hostPath.
This issue only occurs when a delegate network-attachment-definition
has no spec, and it therefore needs to be loaded from disk[2].
For example, when deploying Istio-cni in multus mode,
the deployment creates an empty Istio-cni NAD in default namespace, while
the actual config is deployed on disk.
CmdAdd fails with the following error message:
GetNetworkDelegates: failed getting the delegate: GetCNIConfig:
err in GetCNIConfigFromFile: No networks found in /etc/cni/multus/net.d
[[1]](https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.2.0/pkg/types/conf.go#L38)
[[2]](https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.2.0/pkg/k8sclient/k8sclient.go#L506)
Signed-off-by: Nir Dothan <ndothan@redhat.com>
Removes the it `fails to execute confListDel given no 'plugins' key"` test.
This test no longer fails after libcni version 1.2.3.
It probably shouldn't failduring a DEL action as it is, we want the least error prone path.
The GC test now uses both cni.dev attachment formats.
Uses both attachment formats as per https://github.com/containernetworking/cni/issues/1101 for GC's cni.dev/valid-attachments & cni.dev/attachments
This is needed to avoid issues with volume unmounts
when (other) pods exit as by default kubernetes mounts
as private.
Signed-off-by: adrianc <adrianc@nvidia.com>
The ClusterRole was missing the watch permission on pods, which resulted in Multus throwing this error message every few seconds:
Failed to watch *v1.Pod: unknown (get pods)
We used to run chroot in multus main process when calling other CNI
plugin binary. We also use a mutex to lock the access to pod files.
But this causes performance issues when facing heavy
CNI_ADD/CNI_DEL requests.
With this patch, we do chroot in the child processes instead. So
file operations in the main process will not be affected by chroot.
This change requires the multus thick plugin pod to mount CNI bin
directory to the same path in the container host.
Signed-off-by: Peng Liu <pliu@redhat.com>
When running in server mode we can use a shared informer to listen for
Pod events from the apiserver, and grab pod info from that cache rather
than doing direct apiserver requests each time.
This reduces apiserver load and retry latency, since multus can poll
the local cache more frequently than it should do direct apiserver
requests.
Oddly static pods don't show up in the informer by the timeout and
require a direct apiserver request. Since static pods are not common
and are typically long-running, it should not be a big issue to
fall back to direct apiserver access for them.
Signed-off-by: Dan Williams <dcbw@redhat.com>
* config, daemon: shim socket path is not needed
The shim socket dir attribute is only required for the shim (cni
configuration). Thus, it can be removed from the daemon configuration.
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
* config, daemon: rename socket dir attribute
Now the socketDir parameter no longer stutters.
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
* docs, thick plugin: align docs with new configuration reference
PR #1053 - [0] - changed the thick plugin configuration to happen
exclusively via the user provided config map. This PR aligns the multus
documentation with the existing code.
[0] - https://github.com/k8snetworkplumbingwg/multus-cni/pull/1053
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
---------
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
This commit changes thin container base image to distroless
to simplify container image. It replace old shell script entrypoint
to golang implementation and implement multus installer (i.e. copy).
* Draft for refine options
* config: remove command line args; use configMap/JSON config
The `socketDir` configuration was split in two, since the multus daemon,
and multus shim have the socket in different paths. This allows the user
to customize these paths.
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
* deployment, ci: update daemonset spec
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
---------
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com>
Co-authored-by: dougbtv <dosmith@redhat.com>
Fix thick plugin daemonset to add volume mapping required for
sr-iov and fix code to update network status.
In addition, fix checkpoint structures to support K8s without
kubelet pod resources API.
fix#665 and #778
to prevent "unknown FS magic on "/var/run/netns/*": 1021994" errors
Signed-off-by: Peter Hunt <pehunt@redhat.com>
Co-authored-by: Peter Hunt <pehunt@redhat.com>
Multus is refactored as a thick plugin, featuring 2 main components:
- a server listening to a unix domain socket, running in a pod
- a shim, a binary on the host that will send JSON requests built from
its environment / stdin values to the aforementioned server.
The pod where the multus daemon is running must share the host's PID
namespace.
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
react to maintainers review
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
thick, deployment: update the daemonset spec
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
thick, config: validate the cni config passed by the runtime
Without this patch, we're blindly trusting anything sent by the server.
This way, we assure the requests arriving at the multus controller are
valid before hand.
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
thick: model client / server config
Also add a new command line parameter on the multus controller, pointing
it to the server configuration.
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
SQUASH candidate, thick, config: cleanup the configuration
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
multus: use args.args instead of an env variable
CNI is already filling the args structure; we should consume that
rather than rely on the environment variables.
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
unit tests: remove weird tests that check an impossible scenario
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
docs, thick: document the thick plugin variant
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
thick, server, multus: re-use common types
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
This volume was removed since multus now requires the default cluster
network CNI configuration to be available. As such, the volume as
removed, but we unfortunately forgot to remove to remove the volume
mount.
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
* build: install the multus binary in an init container
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
* build: generate kubeconfig via go
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
* build: generate multus cni configuration via golang
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
* build: provide a docker img for daemon based deployments
We will have 2 different images (only on amd64 archs):
- legacy entrypoint script based
- daemonized process
The `image-build` docker action is updated, to build these 2 images.
There will be 2 different deployment specs, along with e2e test
lanes, one for each of the aforementioned alternatives.
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
* build: delegate CNI config watch loop via golang
For the thick-plugin alternative, provide the watch loop for
configuration regeneration via a golang binary.
Over time, this binary is expected to run the control loop to watch
out for pod updates.
To enable current multus users to chose when they upgrade to this new
deployment setup, these changes are provided in separate multus images,
having a different yaml spec files. Both of these alternatives are
tested e2e, since a new lane is introduced.
The following libraries are introduced, along with the motivation for
adding them:
- dproxy: allows traversing the default network configuration arbitrarily,
similar to what an X path / JSON path tool provides.
Repo is available at [0].
- fsnotify: watch for changes in the default CNI configuration file.
Repo is available at [1].
The config map providing the default network CNI configuration is not
copied over, since originally, the user was not required to install a
default network CNI plugin first, but, nowadays, this is a required
step of multus.
As such, it is no longer required to provide a default CNI
configuration.
[0] - https://github.com/koron/go-dproxy
[1] - https://github.com/fsnotify/fsnotify
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
* run gofmt
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
* refactor: make the builder pattern more idiomatic to golang
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
* build: update github actions to release new imgs
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
Currently golang community supports 1.16 and later, hence, need
to update golang version in our build pipeline. This change
updates golang version to 1.17/1.16.
This PR updates the GitHub Actions workflows to build multus
container images for the IBM Z architecture (s390x), and also
adds daemonsets for s390x nodes.
entrypoint.sh uses python3 when it is available, since centos images
are not available for s390x, and python2 is not installed by default
on debian-based images.
Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>
