This change is to add CNI_ARGS support in static IPAM plugin.
When IP/SUBNET/GATEWAY are given in CNI_ARGS, static IPAM adds
these info in addition to config files.
To configure ip address only from CNI_ARGS, 'address' field in config
is changed to optional from required.
Recent CNI specification changes require the container ID on ADD/DEL,
which the testcases were not providing. Fix that up so things work
when this repo gets CNI revendored.
Namespace creation had an unergonomic interface and isn't used, except
for testing code. Remove it; downstream users should really be creating
their own namespaces
When chained with a plugin that returns multiple devices, the bandwidth
plugin chooses the host veth device.
Signed-off-by: Tyler Schultz <tschultz@pivotal.io>
Don't lock around the Stop() operation though, as that may take
a while and block other operations. That may mean we call Stop()
multiple times, but the Lease object should handle that correctly
itself.
Classless static routes (DHCP option 121) are now processed first.
If CSRs exist, static routes (DHCP option 33) and the gateway default
route are ignored as per RFC 3442.
This diff adds -hostprefix option in dhcp daemon. This option
could be used to run dhcp daemon as container because container
cannot touch host's netns directly. The diff changes dhcp daemon
to touch procfs mounted to another path, like '/hostfs/proc'.
On ADD save the host device's name into its IFLA_ALIAS property and
rename the device to the requested CNI_IFNAME inside the container
to conform to the CNI specification. On DEL rename the device to
the original name and move it back into the host namespace.
For IP allocation schemes that cannot be interface agnostic, the
ipvlan plugin can be chained with an earlier plugin that handles this
logic. If "master" is omitted from the ipvlan configuration, then the
previous Result must contain a single interface name for the ipvlan
plugin to enslave. If "ipam" is omitted, then the previous Result is
used to configure the ipvlan interface.
- start list of linux_only plugins; ignore them when testing on Windows
- Isolate linux-only code by filename suffix
- Remove stub (NotImplemented) functions
- other misc. fixes for Windows compatibility
This change improves the performance of the portmap plugin and fixes
hairpin, when a container is mapped back to itself.
Performance is improved by using a multiport test to reduce rule
traversal, and by using a masquerade mark.
Hairpin is fixed by enabling masquerading for hairpin traffic.
For IP allocation schemes that cannot be interface agnostic, master can be set
to "ipam". In this configuration, the IPAM plugin is required to return a single
interface name for the ipvlan plugin to enslave.
There are at least two reasons why a lease is not present:
* The dhcp ipam daemon was restarted
* On add the IPAM plugin failed
Don't fail the IPAM invocation when the lease is not present, to allow
proper device cleanup on CNI delete invocations.
In real-world address allocations, disjoint address ranges are common.
Therefore, the host-local allocator should support them.
This change still allows for multiple IPs in a single configuration, but
also allows for a "set of subnets."
Fixes: #45
The source address selection was random, and sometimes we picked a
source address that the container didn't have a route to. Adding a
default route fixes that!
* Wait for addresses to leave tentative state before setting routes
* Enable forwarding correctly
* Set up masquerading according to the active protocol
This change adds support for IPv6 container/pod addresses to the CNI
bridge plugin, both for dual-stack (IPv4 + IPv6) and for IPv6-only
network configurations.
The proposed changes support multiple IPv6 addresses on a container
interface. If isGW is configured, the bridge will also be configured with
gateway addresses for each IPv6 subnet.
Please note that both the dual-stack functionality and support for multiple
IPv6 container/gateway addresses depends upon containernetworking/cni
PR 451 "ipam/host-local: support multiple IP ranges".
This change could potentially be committed independently from this host-local
plugin change, however the dual-stack and multiple IPv6 address
functionality that is enabled by this change can't be exercised/tested
until the host-local plugin change is committed.
There are some IPv6 unit test cases that are currently commented out
in the proposed changes because these test cases will fail without the
prior commits of the multiple IP range host-local change.
This pull request includes a temporary workaround for Kubernetes
Issue #32291 (Container IPv6 address is marked as duplicate, or dadfailed).
The problem is that kubelet enables hairpin mode on bridge veth
interfaces. Hairpin mode causes the container/pod to see echos of its
IPv6 neighbor solicitation packets, so that it declares duplicate address
detection (DAD) failure. The long-term fix is to use enhanced-DAD
when that feature is readily available in kernels. The short-term fix is
to disable IPv6 DAD in the container. Unfortunately, this has to be done
unconditionally (i.e. without a check for whether hairpin mode is enabled)
because hairpin mode is turned on by kubelet after the CNI bridge plugin
has completed cmdAdd processing. Disabling DAD should be okay if
IPv6 addresses are guaranteed to be unique (which is the case for
host-local IPAM plugin).
This change allows the host-local allocator to allocate multiple IPs.
This is intended to enable dual-stack, but is not limited to only two
subnets or separate address families.
