nireconciler

Published: Mar 14, 2025 License: Apache-2.0 Imports: 32 Imported by: 0

Documentation

Overview

Package nireconciler (Network Instance (config) Reconciler) is used by zedrouter to configure network instances and connect them with applications inside the target network stack. The main entry point is the interface of NIReconciler, which is expected to eventually have multiple implementations, one for every supported network stack (currently EVE only provides one implementation of network instances, built on top of the Linux bridge).

Index

Constants

const (
	// GraphName : name of the graph with the managed state as a whole.
	GraphName = "ApplicationConnectivity"
	// GlobalSG : name of the sub-graph with the global configuration.
	GlobalSG = "Global"
	// PortsSG : name of the sub-graph with (external) device network ports.
	PortsSG = "Ports"
	// IPSetsSG : subgraph with ipsets combined from all NIs.
	IPSetsSG = "IPSets"
	// BlackHoleSG : subgraph with config items creating a "black-hole" where traffic marked
	// by ACLs with the DROP action is routed to.
	BlackHoleSG = "BlackHole"
	// ACLRootChainsSG : subgraph listing iptables chains externally created by NIM
	// for application ACLs. From there, the traffic is guided further into
	// VIF-specific chains (based on input/output interfaces, etc.).
	ACLRootChainsSG = "ACLRootChains"
	// ACLChainL2FwdSG : subgraph with config items creating an iptables chain
	// which is used to allow packet forwarding inside L2 network instances.
	ACLChainL2FwdSG = "ACLChainL2Fwd"
	// IPv4ChainsSG : subgraph with iptables chains for IPv4 traffic.
	// Used under ACLRootChains.
	IPv4ChainsSG = "IPv4Chains"
	// IPv6ChainsSG : subgraph with ip6tables chains for IPv6 traffic.
	// Used under ACLRootChains.
	IPv6ChainsSG = "IPv6Chains"
	// NISGPrefix : prefix used for name of the subgraph encapsulating the entire
	// configuration of the given network instance.
	NISGPrefix = "NI-"
	// L2SG : subgraph with configuration items for a given NI related to Layer2
	// of the ISO/OSI model.
	L2SG = "L2"
	// L3SG : subgraph with configuration items for a given NI related to Layer3
	// of the ISO/OSI model.
	L3SG = "L3"
	// NIMirroringSG : subgraph with items belonging to a given NI that collectively
	// implement mirroring of some traffic for monitoring purposes.
	NIMirroringSG = "Mirroring"
	// NIServicesSG : subgraph with items belonging to a given NI that collectively
	// provide various services for connected applications, such as DHCP, DNS, cloud-init
	// metadata, etc.
	NIServicesSG = "Services"
	// AppConnACLsSG : subgraph with iptables chain and rules implementing ACLs
	// for a given application VIF (connection from app to NI).
	AppConnACLsSG = "ACLs"
	// IPv4RulesSG : subgraph with iptables rules (and some chains) implementing
	// IPv4 ACLs for a given application VIF.
	IPv4RulesSG = "IPv4Rules"
	// IPv6RulesSG : subgraph with ip6tables rules (and some chains) implementing
	// IPv6 ACLs for a given application VIF.
	IPv6RulesSG = "IPv6Rules"
)
const (
	// IPSetNameLenLimit : Netfilter limits IP set name to contain at most 31 characters.
	IPSetNameLenLimit = 31
)
const LogAndErrPrefix = "NI Reconciler"

LogAndErrPrefix is prepended to every log message and error returned by NI Reconciler so that they are easy to filter in the log file.

Variables

This section is empty.

Functions

func AppConnSGName

func AppConnSGName(appID uuid.UUID, netAdapterName string) string

AppConnSGName : name of the subgraph containing items that collectively build a connection (VIF + ACLs + some other things) from an application to a network instance. It is a subgraph of the "NI-<niID>" subgraph of the network instance that the app connection leads to.

func HostIPSetBasename

func HostIPSetBasename(hostname string) string

HostIPSetBasename returns the basename (without the "ipvX." prefix) to use for the ipset matching a given domain name (ACE match of type "host"). It ensures that the resulting ipset name does not exceed the length limit of 31 characters imposed by netfilter. The function is exported only for unit testing purposes.
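The 31-character constraint described above, worked through in an added Go example that is not the package's own code: hostIPSetBasenameExample and fullIPSetName are hypothetical stand-ins for HostIPSetBasename, and the "ipv4."/"ipv6." prefix length and the truncate-plus-hash scheme are assumptions about one way of meeting the limit, not a description of how EVE actually derives the name. The point the doc comment makes is that the limit applies to the full name, prefix included, so the basename budget is 31 minus the prefix length, and truncating blindly would make two long hostnames with a common prefix share one ipset (and therefore one ACL match), which the hash suffix avoids.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// IPSetNameLenLimit is the netfilter limit on ipset names quoted by the package.
const IPSetNameLenLimit = 31

// ipsetFamilyPrefix returns the per-address-family prefix put in front of the
// basename; assumption: the prefixes are "ipv4." and "ipv6." (5 bytes each).
func ipsetFamilyPrefix(ipv6 bool) string {
	if ipv6 {
		return "ipv6."
	}
	return "ipv4."
}

// hostIPSetBasenameExample is a hypothetical stand-in for HostIPSetBasename.
// A hostname that fits after the prefix is used verbatim (lower-cased, since
// hostnames are case-insensitive but ipset names are not); a longer one is
// truncated and suffixed with a short hash of the full name so that two long
// hostnames sharing a prefix still map to distinct ipsets.
func hostIPSetBasenameExample(hostname string) string {
	hostname = strings.ToLower(hostname)
	maxLen := IPSetNameLenLimit - len(ipsetFamilyPrefix(false)) // 26
	if len(hostname) <= maxLen {
		return hostname
	}
	sum := sha256.Sum256([]byte(hostname))
	suffix := hex.EncodeToString(sum[:])[:6]
	keep := maxLen - 1 - len(suffix) // leave room for "_" + suffix
	return hostname[:keep] + "_" + suffix
}

// fullIPSetName builds the complete ipset name and re-checks it against the
// limit, so a violated invariant fails loudly instead of at ipset creation time.
func fullIPSetName(hostname string, ipv6 bool) (string, error) {
	name := ipsetFamilyPrefix(ipv6) + hostIPSetBasenameExample(hostname)
	if len(name) > IPSetNameLenLimit {
		return "", fmt.Errorf("ipset name %q exceeds %d characters", name, IPSetNameLenLimit)
	}
	return name, nil
}

func main() {
	// Constructed hostnames: one short, two long ones sharing a 19-byte prefix.
	for _, h := range []string{"example.com",
		"metrics.telemetry.internal.example.org",
		"metrics.telemetry.internal.example.net"} {
		name, err := fullIPSetName(h, true)
		fmt.Printf("%-40s -> %s (len %d, err %v)\n", h, name, len(name), err)
	}
}
```

The two long constructed hostnames differ only in their last label; after truncation to 19 bytes they would be identical, and only the hash suffix keeps their ipsets apart.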

func NIToSGName

func NIToSGName(niID uuid.UUID) string

NIToSGName returns the name of the subgraph encapsulating the entire configuration of the given network instance. There is one such subgraph for every network instance.

func SGNameToNI

func SGNameToNI(sg string) uuid.UUID

SGNameToNI is the inverse of NIToSGName.

Types

type AppConnReconcileStatus

type AppConnReconcileStatus struct {
	// App : application UUID.
	App uuid.UUID
	// Deleted is true if the application was unconfigured.
	Deleted bool
	// VIFs : the reconciliation status reported separately for each VIF.
	VIFs []AppVIFReconcileStatus
}

AppConnReconcileStatus : status of the config reconciliation related to application connectivity.

func (AppConnReconcileStatus) Equal

Equal compares two instances of AppConnReconcileStatus.

func (AppConnReconcileStatus) SortVIFs

func (s AppConnReconcileStatus) SortVIFs()

SortVIFs sorts the VIFs by VIFNum. No pointer receiver is needed: VIFs is a slice, so the copy of the receiver shares the same underlying array, and sort.Slice does not change the slice length.

type AppVIF

type AppVIF struct {
	// App : application UUID.
	App uuid.UUID
	// NI : UUID of the network instance to which the application is connected through
	// this virtual interface.
	NI uuid.UUID
	// NetAdapterName is the logical name for this interface received from the controller
	// in NetworkAdapter.Name.
	// Unique in the scope of the application.
	NetAdapterName string
	// VIFNum : a positive integer number (>0) allocated for the application virtual
	// interface by zedrouter.
	// This number is only unique in the scope of the app (AppVIF.App).
	// Can be used by Reconciler to for example generate a unique VIF interface name
	// (when combined with appNum).
	VIFNum int
	// GuestIfMAC : MAC address assigned to VIF on the guest side (inside the app).
	GuestIfMAC net.HardwareAddr
	// GuestIP : IP address assigned to VIF on the guest side (inside the app).
	GuestIP net.IP
	// PodVIF can only be defined in kube mode.
	PodVIF types.PodVIF
}

AppVIF : describes the interface created to connect an application with a network instance. This comes from zedrouter.

type AppVIFReconcileStatus

type AppVIFReconcileStatus struct {
	// NetAdapterName can be used to match AppVIFReconcileStatus with the corresponding
	// AppVIF.
	NetAdapterName string
	// VIFNum can be used to match AppVIFReconcileStatus with the corresponding AppVIF.
	VIFNum int
	// HostIfName : name of the interface inside the network stack on the host-side.
	HostIfName string
	// True if any config operations are still in progress
	// (i.e. VIF is not yet fully created and ready).
	// Note that VIF is typically created in cooperation with zedmanager + domainmgr,
	// meaning that NIReconciler may spend some time waiting for an action to be completed
	// by other microservices.
	InProgress bool
	// FailedItems : The set of configuration items currently in a failed state.
	FailedItems map[dg.ItemRef]error
}

AppVIFReconcileStatus : status of the config reconciliation related to a particular application VIF.

func (AppVIFReconcileStatus) Equal

Equal compares two instances of AppVIFReconcileStatus.

type IPRoute

type IPRoute struct {
	DstNetwork *net.IPNet // cannot be nil
	Gateway    net.IP     // can be nil
	OutputPort string     // logical label, empty if gateway is application running on EVE
}

IPRoute is a static IP route configured inside the NI routing table.

func (IPRoute) IsDefaultRoute

func (r IPRoute) IsDefaultRoute() bool

IsDefaultRoute returns true if this is a default route, i.e. matches all destinations.

type LinuxNIReconciler

type LinuxNIReconciler struct {
	// contains filtered or unexported fields
}

LinuxNIReconciler is a network instance reconciler for the Linux network stack, i.e. it configures and uses Linux networking to provide application connectivity.

func NewLinuxNIReconciler

func NewLinuxNIReconciler(log *base.LogObject, logger *logrus.Logger,
	netMonitor netmonitor.NetworkMonitor, metadataHandler http.Handler,
	exportCurrentState, exportIntendedState, withKubernetesNetworking bool) *LinuxNIReconciler

NewLinuxNIReconciler is a constructor for LinuxNIReconciler. Enable exportCurrentState to have the current state exported to currentStateFile on every change. Enable exportIntendedState to have the intended state exported to intendedStateFile on every change.

func (*LinuxNIReconciler) AddAppConn

func (r *LinuxNIReconciler) AddAppConn(ctx context.Context,
	appNetConfig types.AppNetworkConfig, appNum int, kubePod cnirpc.AppPod,
	vifs []AppVIF) (AppConnReconcileStatus, error)

AddAppConn : make necessary changes inside the network stack to connect a new application into the desired set of network instance(s). This is called by zedrouter before the guest VM is started, meaning that some operations will be completed later from within ResumeReconcile() after domainmgr starts the VM, or when UpdateAppConn is called from within Kubernetes CNI plugin.

func (*LinuxNIReconciler) AddNI

func (r *LinuxNIReconciler) AddNI(ctx context.Context,
	niConfig types.NetworkInstanceConfig, br NIBridge) (NIReconcileStatus, error)

AddNI : create this new network instance inside the network stack.

func (*LinuxNIReconciler) ApplyUpdatedGCP

func (r *LinuxNIReconciler) ApplyUpdatedGCP(ctx context.Context,
	newGCP types.ConfigItemValueMap)

ApplyUpdatedGCP : apply change in the global config properties.

func (*LinuxNIReconciler) DelAppConn

func (r *LinuxNIReconciler) DelAppConn(ctx context.Context,
	appID uuid.UUID) (AppConnReconcileStatus, error)

DelAppConn : disconnect a (removed) application from its network instance(s).

func (*LinuxNIReconciler) DelNI

func (r *LinuxNIReconciler) DelNI(ctx context.Context, niID uuid.UUID) (NIReconcileStatus, error)

DelNI : remove the network instance from the network stack.

func (*LinuxNIReconciler) GetAppConnStatus

func (r *LinuxNIReconciler) GetAppConnStatus(appID uuid.UUID) (AppConnReconcileStatus, error)

GetAppConnStatus : get current status of app connectivity.

func (*LinuxNIReconciler) GetCurrentState

func (r *LinuxNIReconciler) GetCurrentState() dg.GraphR

GetCurrentState : get the current state (read-only). Exported only for unit-testing purposes.

func (*LinuxNIReconciler) GetIntendedState

func (r *LinuxNIReconciler) GetIntendedState() dg.GraphR

GetIntendedState : get the intended state (read-only). Exported only for unit-testing purposes.

func (*LinuxNIReconciler) ResumeReconcile

func (r *LinuxNIReconciler) ResumeReconcile(ctx context.Context)

ResumeReconcile : resume reconciliation to follow-up on completed async operations or externally changed current state.

func (*LinuxNIReconciler) RunInitialReconcile

func (r *LinuxNIReconciler) RunInitialReconcile(ctx context.Context)

RunInitialReconcile is called once by zedrouter at startup before any NI or Application connection is created. It is expected to apply the initial configuration of the network stack.

func (*LinuxNIReconciler) UpdateAppConn

func (r *LinuxNIReconciler) UpdateAppConn(ctx context.Context,
	appNetConfig types.AppNetworkConfig, kubePod cnirpc.AppPod,
	vifs []AppVIF) (AppConnReconcileStatus, error)

UpdateAppConn : update application connectivity to reflect config changes.

func (*LinuxNIReconciler) UpdateNI

func (r *LinuxNIReconciler) UpdateNI(ctx context.Context,
	niConfig types.NetworkInstanceConfig, br NIBridge) (NIReconcileStatus, error)

UpdateNI : apply a change in the intended NI configuration inside the network stack. Note that BrNum and the NI type are not allowed to change.

func (*LinuxNIReconciler) WatchReconcilerUpdates

func (r *LinuxNIReconciler) WatchReconcilerUpdates() <-chan ReconcilerUpdate

WatchReconcilerUpdates returns a channel with updates about the reconciliation status, which is provided separately for every network instance and connected application.

type NIBridge

type NIBridge struct {
	// NI : UUID of the network instance.
	NI uuid.UUID
	// BrNum : a positive integer number (>0) allocated for the bridge by zedrouter.
	// Unique across all NI bridges.
	// This number is persisted and doesn't change across app config changes or node
	// reboots.
	// Can be used by Reconciler to for example generate a unique bridge interface name.
	BrNum int
	// MACAddress : MAC address allocated for (or already assigned by NIM to) the bridge.
	MACAddress net.HardwareAddr
	// IPAddress : IP address allocated for the bridge itself (with network mask).
	// Used only with L3 network instances.
	// Reconciler is expected to assign this address to the bridge that it will create.
	IPAddress *net.IPNet
	// Device network ports selected for this network instance to provide external
	// connectivity.
	// Empty list if network instance is air-gapped.
	Ports []Port
	// Set of static routes to configure inside the NI routing table.
	// These are user-defined routes; zedrouter also uses this to decide which port
	// and gateway the default route should be using.
	// This does not include link-local, DHCP-received and connected IP routes,
	// all of which NI Reconciler automatically propagates from the global routing table
	// for all NI ports (filtering out those which are overwritten by static routes).
	StaticRoutes []IPRoute
	// IPConflict is used to mark (Local) NI with IP subnet that overlaps with the network
	// of one of the device network ports.
	// Currently, for a conflicting NI, NIReconciler keeps only app VIFs configured, and even
	// they are in the DOWN state to prevent any traffic getting through.
	// In the future, we may improve isolation between NIs and device ports using advanced
	// policy-based routing or VRFs. This will enable conflicting NIs to remain functional.
	IPConflict bool
	// MTU : Maximum transmission unit size set for the bridge and all VIFs connected
	// to it.
	MTU uint16
}

NIBridge either references an already created bridge (by NIM) that Reconciler should use for switch (L2) NI with external connectivity, or it describes parameters of a bridge that Reconciler should create/update for air-gapped switch NI or for local (L3, NATed) NI.
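The IsDefaultRoute check and the rule quoted in the StaticRoutes comment above (routes propagated from the global table are dropped where a static route overwrites them), as an added Go example that is not the package's own code: IPRoute is a constructed copy of the page's type, and sameDst, mergeRoutes, defaultRoute and mustRoute are hypothetical helpers. The "same destination prefix" criterion for an overwrite is an assumption; the page only says that overwritten routes are filtered out. The example also shows why the nil check in IsDefaultRoute matters: the doc says DstNetwork cannot be nil, but a zero-value IPRoute would otherwise panic in Mask.Size.

```go
package main

import (
	"fmt"
	"net"
)

// IPRoute is a constructed copy of the page's type so the file compiles alone.
type IPRoute struct {
	DstNetwork *net.IPNet // cannot be nil
	Gateway    net.IP     // can be nil
	OutputPort string     // logical label, empty if gateway is an app on EVE
}

// IsDefaultRoute reports whether the route matches every destination, i.e. its
// prefix length is zero (0.0.0.0/0 or ::/0). A nil destination is never default.
func (r IPRoute) IsDefaultRoute() bool {
	if r.DstNetwork == nil {
		return false
	}
	ones, bits := r.DstNetwork.Mask.Size()
	return bits != 0 && ones == 0
}

// sameDst reports whether two routes target the identical prefix (same family,
// same prefix length, same network address).
func sameDst(a, b IPRoute) bool {
	if a.DstNetwork == nil || b.DstNetwork == nil {
		return false
	}
	aOnes, aBits := a.DstNetwork.Mask.Size()
	bOnes, bBits := b.DstNetwork.Mask.Size()
	return aBits == bBits && aOnes == bOnes && a.DstNetwork.IP.Equal(b.DstNetwork.IP)
}

// mergeRoutes models the rule quoted for NIBridge.StaticRoutes: every static
// route is kept, and a propagated route (from the global routing table) is
// dropped when a static route already covers exactly the same destination.
func mergeRoutes(static, propagated []IPRoute) []IPRoute {
	out := append([]IPRoute(nil), static...)
	for _, p := range propagated {
		overwritten := false
		for _, s := range static {
			if sameDst(s, p) {
				overwritten = true
				break
			}
		}
		if !overwritten {
			out = append(out, p)
		}
	}
	return out
}

// defaultRoute returns the first default route in the table, if any.
func defaultRoute(routes []IPRoute) (IPRoute, bool) {
	for _, r := range routes {
		if r.IsDefaultRoute() {
			return r, true
		}
	}
	return IPRoute{}, false
}

// mustRoute builds an IPRoute from CIDR text; gw may be "" for a nil gateway.
func mustRoute(cidr, gw, port string) IPRoute {
	_, dst, err := net.ParseCIDR(cidr)
	if err != nil {
		panic(err)
	}
	return IPRoute{DstNetwork: dst, Gateway: net.ParseIP(gw), OutputPort: port}
}

func main() {
	// Constructed tables: the user pins the default route to eth1 while the
	// global table would propagate a default via eth0 plus a connected route.
	static := []IPRoute{mustRoute("0.0.0.0/0", "192.168.2.1", "eth1")}
	propagated := []IPRoute{
		mustRoute("0.0.0.0/0", "192.168.1.1", "eth0"),
		mustRoute("192.168.1.0/24", "", "eth0"),
	}
	for _, r := range mergeRoutes(static, propagated) {
		fmt.Println(r.DstNetwork, r.Gateway, r.OutputPort, r.IsDefaultRoute())
	}
}
```

In the constructed input the propagated default via eth0 is dropped because the static default via eth1 overwrites it, while the connected 192.168.1.0/24 route survives, so the NI table ends up with exactly one default route and it points where the user asked.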

func (NIBridge) GetPort

func (b NIBridge) GetPort(logicalLabel string) *Port

GetPort returns port with the given logical label.

type NIReconcileStatus

type NIReconcileStatus struct {
	// NI : network instance UUID.
	NI uuid.UUID
	// Deleted is true if the network instance was unconfigured.
	Deleted bool
	// BrIfName : name of the bridge interface inside the network stack.
	BrIfName string
	// BrIfIndex : integer used as a handle for the bridge interface
	// inside the network stack.
	BrIfIndex int
	// MirrorIfName : name of a (dummy) interface where ICMP, ARP, DNS and DHCP packets
	// are mirrored from the bridge and can be used for monitoring purposes.
	// Empty if mirroring is not available.
	MirrorIfName string
	// InProgress is true if any config operations are still in progress
	// (i.e. network instance is not yet fully created).
	InProgress bool
	// FailedItems : The set of configuration items currently in a failed state.
	FailedItems map[dg.ItemRef]error
	// Currently configured IP routes.
	// Empty for switch network instance.
	Routes []types.IPRouteInfo
}

NIReconcileStatus : status of the config reconciliation related to a particular network instance.

func (NIReconcileStatus) Equal

Equal compares two instances of NIReconcileStatus.

type NIReconciler

type NIReconciler interface {
	// RunInitialReconcile is called once by zedrouter at startup before any NI
	// or Application connection is created.
	// It is expected to apply the initial configuration of the network stack.
	RunInitialReconcile(ctx context.Context)

	// ResumeReconcile should be called whenever ReconcilerUpdate of UpdateType
	// AsyncOpDone or CurrentStateChanged is received from the reconciler
	// (via channel returned by WatchReconcilerUpdates).
	ResumeReconcile(ctx context.Context)

	// ApplyUpdatedGCP : apply change in the global config properties.
	ApplyUpdatedGCP(ctx context.Context, gcp types.ConfigItemValueMap)

	// AddNI : create this new network instance inside the network stack.
	AddNI(ctx context.Context, niConfig types.NetworkInstanceConfig, br NIBridge) (
		NIReconcileStatus, error)
	// UpdateNI : apply a change in the intended NI configuration inside the network stack.
	UpdateNI(ctx context.Context, niConfig types.NetworkInstanceConfig, br NIBridge) (
		NIReconcileStatus, error)
	// DelNI : remove network instance from the network stack.
	DelNI(ctx context.Context, niID uuid.UUID) (NIReconcileStatus, error)

	// AddAppConn : make necessary changes inside the network stack to connect a new
	// application into the desired set of network instance(s).
	// This is called by zedrouter before the guest VM is started, meaning that
	// some operations will be completed later from within ResumeReconcile() after
	// domainmgr starts the VM, or when UpdateAppConn is called from within Kubernetes CNI
	// plugin. Use WatchReconcilerUpdates to watch for updates.
	// appNum is a positive integer number (>0) allocated for the application by zedrouter.
	// It is unique among all applications deployed on the node.
	// This number is persisted and doesn't change across app config changes or node
	// reboots.
	// kubePod.Name should only be defined in Kubernetes mode, where applications
	// run inside pods.
	AddAppConn(ctx context.Context, appNetConfig types.AppNetworkConfig, appNum int,
		kubePod cnirpc.AppPod, vifs []AppVIF) (AppConnReconcileStatus, error)
	// UpdateAppConn : update application connectivity to reflect config changes.
	UpdateAppConn(ctx context.Context, appNetConfig types.AppNetworkConfig,
		kubePod cnirpc.AppPod, vifs []AppVIF) (AppConnReconcileStatus, error)
	// DelAppConn : disconnect (removed) application from network instance(s).
	DelAppConn(ctx context.Context, app uuid.UUID) (AppConnReconcileStatus, error)
	// GetAppConnStatus : get current status of app connectivity.
	GetAppConnStatus(app uuid.UUID) (AppConnReconcileStatus, error)

	// WatchReconcilerUpdates returns channel with updates about the reconciliation
	// status, which is provided separately for every network instance and connected
	// application.
	WatchReconcilerUpdates() <-chan ReconcilerUpdate
}

NIReconciler translates the currently submitted config for network instances and application interfaces into the corresponding low-level network configuration of the target network stack and applies it using the Reconciler (see libs/reconciler).

type Port

type Port struct {
	LogicalLabel string
	SharedLabels []string
	IfName       string
	IsMgmt       bool
	MTU          uint16
	DhcpType     types.DhcpType
	DNSServers   []net.IP
	NTPServers   []net.IP
}

Port is a physical network device used by a network instance to provide external connectivity for applications.

func (Port) Equal

func (p Port) Equal(p2 Port) bool

Equal compares two ports for equality.

func (Port) UsedWithIP

func (p Port) UsedWithIP() bool

UsedWithIP returns true if the port is (potentially) used with an IP address.

type ReconcilerUpdate

type ReconcilerUpdate struct {
	// UpdateType : determines the type of the update.
	// ReconcilerUpdate is basically a union and UpdateType determines
	// which of the attributes below is defined (if any).
	UpdateType UpdateType
	// NIStatus is provided if UpdateType is NIReconcileStatusChanged.
	NIStatus *NIReconcileStatus
	// AppConnStatus is provided if UpdateType is AppConnReconcileStatusChanged.
	AppConnStatus *AppConnReconcileStatus
}

ReconcilerUpdate is published by the Reconciler whenever there is a status update related to the process of NI/App-connectivity config reconciliation.

type UpdateType

type UpdateType int

UpdateType : type of the ReconcilerUpdate.

const (
	// AsyncOpDone is a signal for the zedrouter that one or more asynchronous operations
	// have finalized and therefore NIReconciler.ResumeReconcile() should be called
	// to process them.
	AsyncOpDone UpdateType = iota
	// CurrentStateChanged is a signal for the zedrouter informing that the Reconciler
	// detected a change in the current state (e.g. a device port appeared) and therefore
	// NIReconciler.ResumeReconcile() should be called to reconcile the current and
	// the intended states.
	CurrentStateChanged
	// NIReconcileStatusChanged signals that the reconciliation status for one of the NIs
	// has changed. The new status is available in ReconcilerUpdate.NIStatus.
	NIReconcileStatusChanged
	// AppConnReconcileStatusChanged signals that the reconciliation status for one
	// of the connected applications has changed. The new status is available
	// in ReconcilerUpdate.AppConnStatus.
	AppConnReconcileStatusChanged
)
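How zedrouter-side code can consume these updates, as an added Go example that is not EVE's code: the types are constructed copies of the page's definitions reduced to a few fields (UUIDs and dg.ItemRef become strings), updateConsumer, handleUpdate and consumeUpdates are hypothetical, and the consumer's ResumeReconcile stands in for NIReconciler.ResumeReconcile. It follows the contract stated in the NIReconciler interface: AsyncOpDone and CurrentStateChanged trigger ResumeReconcile, the two status-changed types carry their union member, and a missing member is reported as an error instead of being dereferenced. FailedItems and InProgress are surfaced as distinct outcomes so an operator can tell a stuck NI from a broken one.

```go
package main

import (
	"context"
	"fmt"
)

// Constructed copies of the page's UpdateType, status and update types, reduced
// to the fields this consumer needs (UUIDs and dg.ItemRef are strings here).
type UpdateType int

const (
	AsyncOpDone UpdateType = iota
	CurrentStateChanged
	NIReconcileStatusChanged
	AppConnReconcileStatusChanged
)

type (
	NIReconcileStatus struct {
		NI          string
		Deleted     bool
		InProgress  bool
		FailedItems map[string]error
	}
	AppConnReconcileStatus struct {
		App     string
		Deleted bool
	}
	ReconcilerUpdate struct {
		UpdateType    UpdateType
		NIStatus      *NIReconcileStatus
		AppConnStatus *AppConnReconcileStatus
	}
)

// updateConsumer is a hypothetical zedrouter-side consumer: it keeps the latest
// status per NI and counts resumes; ResumeReconcile stands in for the real one.
type updateConsumer struct {
	resumeCalls int
	nis         map[string]NIReconcileStatus
}

func newUpdateConsumer() *updateConsumer {
	return &updateConsumer{nis: map[string]NIReconcileStatus{}}
}

func (c *updateConsumer) ResumeReconcile(ctx context.Context) { c.resumeCalls++ }

// handleUpdate dispatches one ReconcilerUpdate by UpdateType and returns a short
// label of the action taken; a union member missing for its type is an error.
func (c *updateConsumer) handleUpdate(ctx context.Context, u ReconcilerUpdate) (string, error) {
	switch u.UpdateType {
	case AsyncOpDone, CurrentStateChanged:
		c.ResumeReconcile(ctx) // both signals mean the reconciler has pending work
		return "resumed", nil
	case NIReconcileStatusChanged:
		s := u.NIStatus
		if s == nil {
			return "", fmt.Errorf("NIReconcileStatusChanged without NIStatus")
		}
		if s.Deleted {
			delete(c.nis, s.NI)
			return "ni-deleted", nil
		}
		c.nis[s.NI] = *s
		if len(s.FailedItems) > 0 {
			return "ni-failed", nil // FailedItems should be surfaced to the operator
		}
		if s.InProgress {
			return "ni-in-progress", nil
		}
		return "ni-ready", nil
	case AppConnReconcileStatusChanged:
		if u.AppConnStatus == nil {
			return "", fmt.Errorf("AppConnReconcileStatusChanged without AppConnStatus")
		}
		return "app-updated", nil // zedrouter would track this like the NI case
	}
	return "", fmt.Errorf("unknown UpdateType %d", u.UpdateType)
}

// consumeUpdates drains a channel such as WatchReconcilerUpdates returns until
// it is closed or ctx is cancelled; the first handler error stops the loop.
func (c *updateConsumer) consumeUpdates(ctx context.Context, updates <-chan ReconcilerUpdate) error {
	for {
		select {
		case <-ctx.Done():
			return ctx.Err()
		case u, ok := <-updates:
			if !ok {
				return nil
			}
			if _, err := c.handleUpdate(ctx, u); err != nil {
				return err
			}
		}
	}
}

func main() {
	c := newUpdateConsumer() // constructed single update, just to run stand-alone
	label, err := c.handleUpdate(context.Background(), ReconcilerUpdate{UpdateType: AsyncOpDone})
	fmt.Println(label, err, c.resumeCalls)
}
```

In a real deployment consumeUpdates would run in its own goroutine with the channel from WatchReconcilerUpdates, and the ctx passed to ResumeReconcile would be the same one used for the AddNI/AddAppConn calls, so cancellation stops both the loop and any reconciliation it triggers.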
