azure-container-networking/network/network_windows.go

494 строки
17 KiB
Go

// Copyright 2017 Microsoft. All rights reserved.
// MIT License
package network
import (
"encoding/json"
"fmt"
"strconv"
"strings"
"time"
"github.com/Azure/azure-container-networking/cns"
"github.com/Azure/azure-container-networking/network/hnswrapper"
"github.com/Azure/azure-container-networking/network/policy"
"github.com/Azure/azure-container-networking/platform"
"github.com/Microsoft/hcsshim"
"github.com/Microsoft/hcsshim/hcn"
"github.com/google/uuid"
"github.com/pkg/errors"
"go.uber.org/zap"
)
const (
// HNS network types.
hnsL2bridge = "l2bridge"
hnsL2tunnel = "l2tunnel"
CnetAddressSpace = "cnetAddressSpace"
vEthernetAdapterPrefix = "vEthernet"
baseDecimal = 10
bitSize = 32
defaultRouteCIDR = "0.0.0.0/0"
// prefix for interface name created by azure network
ifNamePrefix = "vEthernet"
// ipv4 default hop
ipv4DefaultHop = "0.0.0.0"
// ipv6 default hop
ipv6DefaultHop = "::"
// ipv6 route cmd
routeCmd = "netsh interface ipv6 %s route \"%s\" \"%s\" \"%s\" store=persistent"
// add/delete ipv4 and ipv6 route rules to/from windows node
netRouteCmd = "netsh interface %s %s route \"%s\" \"%s\" \"%s\""
// Default IPv6 Route
defaultIPv6Route = "::/0"
// Default IPv6 nextHop
defaultIPv6NextHop = "fe80::1234:5678:9abc"
)
// Windows implementation of route.
type route interface{}
// UseHnsV2 indicates whether to use HNSv1 or HNSv2
// HNSv2 should be used if the NetNs is a valid GUID and if the platform
// has HCN which supports HNSv2 API.
func UseHnsV2(netNs string) (bool, error) {
// Check if the netNs is a valid GUID to decide on HNSv1 or HNSv2
useHnsV2 := false
var err error
if _, err = uuid.Parse(netNs); err == nil {
useHnsV2 = true
if err = Hnsv2.HNSV2Supported(); err != nil {
logger.Info("HNSV2 is not supported on this windows platform")
}
}
return useHnsV2, err
}
// Regarding this Hnsv2 and Hnv1 variable
// this pattern is to avoid passing around os specific objects in platform agnostic code
var Hnsv2 hnswrapper.HnsV2WrapperInterface = hnswrapper.Hnsv2wrapper{}
var Hnsv1 hnswrapper.HnsV1WrapperInterface = hnswrapper.Hnsv1wrapper{}
func EnableHnsV2Timeout(timeoutValue int) {
if _, ok := Hnsv2.(hnswrapper.Hnsv2wrapperwithtimeout); !ok {
timeoutDuration := time.Duration(timeoutValue) * time.Second
Hnsv2 = hnswrapper.Hnsv2wrapperwithtimeout{Hnsv2: hnswrapper.Hnsv2wrapper{}, HnsCallTimeout: timeoutDuration}
}
}
func EnableHnsV1Timeout(timeoutValue int) {
if _, ok := Hnsv1.(hnswrapper.Hnsv1wrapperwithtimeout); !ok {
timeoutDuration := time.Duration(timeoutValue) * time.Second
Hnsv1 = hnswrapper.Hnsv1wrapperwithtimeout{Hnsv1: hnswrapper.Hnsv1wrapper{}, HnsCallTimeout: timeoutDuration}
}
}
// newNetworkImplHnsV1 creates a new container network for HNSv1.
func (nm *networkManager) newNetworkImplHnsV1(nwInfo *EndpointInfo, extIf *externalInterface) (*network, error) {
var (
vlanid int
err error
)
networkAdapterName := extIf.Name
// Pass adapter name here if it is not empty, this is cause if we don't tell HNS which adapter to use
// it will just pick one randomly, this is a problem for customers that have multiple adapters
if nwInfo.AdapterName != "" {
networkAdapterName = nwInfo.AdapterName
}
// FixMe: Find a better way to check if a nic that is selected is not part of a vSwitch
// per hns team, the hns calls fails if passed a vSwitch interface
if strings.HasPrefix(networkAdapterName, vEthernetAdapterPrefix) {
logger.Info("vSwitch detected, setting adapter name to empty")
networkAdapterName = ""
}
logger.Info("Adapter name used with HNS is", zap.String("networkAdapterName", networkAdapterName))
// Initialize HNS network.
hnsNetwork := &hcsshim.HNSNetwork{
Name: nwInfo.NetworkID,
NetworkAdapterName: networkAdapterName,
Policies: policy.SerializePolicies(policy.NetworkPolicy, nwInfo.NetworkPolicies, nil, false, false),
}
// Set the VLAN and OutboundNAT policies
opt, _ := nwInfo.Options[genericData].(map[string]interface{})
if opt != nil && opt[VlanIDKey] != nil {
vlanPolicy := hcsshim.VlanPolicy{
Type: "VLAN",
}
vlanID, _ := strconv.ParseUint(opt[VlanIDKey].(string), baseDecimal, bitSize)
vlanPolicy.VLAN = uint(vlanID)
serializedVlanPolicy, _ := json.Marshal(vlanPolicy)
hnsNetwork.Policies = append(hnsNetwork.Policies, serializedVlanPolicy)
vlanid = (int)(vlanPolicy.VLAN)
}
// Set network mode.
switch nwInfo.Mode {
case opModeBridge:
hnsNetwork.Type = hnsL2bridge
case opModeTunnel:
hnsNetwork.Type = hnsL2tunnel
default:
return nil, errNetworkModeInvalid
}
// Populate subnets.
for _, subnet := range nwInfo.Subnets {
hnsSubnet := hcsshim.Subnet{
AddressPrefix: subnet.Prefix.String(),
GatewayAddress: subnet.Gateway.String(),
}
hnsNetwork.Subnets = append(hnsNetwork.Subnets, hnsSubnet)
}
hnsResponse, err := Hnsv1.CreateNetwork(hnsNetwork, "")
if err != nil {
return nil, err
}
defer func() {
if err != nil {
logger.Info("HNSNetworkRequest DELETE", zap.String("id", hnsResponse.Id))
hnsResponse, err := Hnsv1.DeleteNetwork(hnsResponse.Id)
logger.Info("HNSNetworkRequest DELETE response", zap.Any("hnsResponse", hnsResponse), zap.Error(err))
}
}()
// route entry for pod cidr
if err = nm.appIPV6RouteEntry(nwInfo); err != nil {
return nil, err
}
// Create the network object.
nw := &network{
Id: nwInfo.NetworkID,
HnsId: hnsResponse.Id,
Mode: nwInfo.Mode,
Endpoints: make(map[string]*endpoint),
extIf: extIf,
VlanId: vlanid,
EnableSnatOnHost: nwInfo.EnableSnatOnHost,
NetNs: nwInfo.NetNs,
}
nwInfo.HNSNetworkID = hnsResponse.Id // we use this later in stateless to clean up in ADD if there is an error
globals, err := Hnsv1.GetHNSGlobals()
if err != nil || globals.Version.Major <= hcsshim.HNSVersion1803.Major {
// err would be not nil for windows 1709 & below
// Sleep for 10 seconds as a workaround for windows 1803 & below
// This is done only when the network is created.
time.Sleep(time.Duration(10) * time.Second)
}
return nw, nil
}
func (nm *networkManager) appIPV6RouteEntry(nwInfo *EndpointInfo) error {
var (
err error
out string
)
if nwInfo.IPV6Mode == IPV6Nat {
if len(nwInfo.Subnets) < 2 {
return fmt.Errorf("Ipv6 subnet not found in network state")
}
// get interface name of VM adapter
ifName := nwInfo.MasterIfName
if !strings.Contains(nwInfo.MasterIfName, ifNamePrefix) {
ifName = fmt.Sprintf("%s (%s)", ifNamePrefix, nwInfo.MasterIfName)
}
cmd := fmt.Sprintf(routeCmd, "delete", nwInfo.Subnets[1].Prefix.String(),
ifName, ipv6DefaultHop)
if out, err = nm.plClient.ExecuteRawCommand(cmd); err != nil {
logger.Error("Deleting ipv6 route failed", zap.Any("out", out), zap.Error(err))
}
cmd = fmt.Sprintf(routeCmd, "add", nwInfo.Subnets[1].Prefix.String(),
ifName, ipv6DefaultHop)
if out, err = nm.plClient.ExecuteRawCommand(cmd); err != nil {
logger.Error("Adding ipv6 route failed", zap.Any("out", out), zap.Error(err))
}
}
return err
}
// configureHcnEndpoint configures hcn endpoint for creation
func (nm *networkManager) configureHcnNetwork(nwInfo *EndpointInfo, extIf *externalInterface) (*hcn.HostComputeNetwork, error) {
// Initialize HNS network.
hcnNetwork := &hcn.HostComputeNetwork{
Name: nwInfo.NetworkID,
Ipams: []hcn.Ipam{
{
Type: hcnIpamTypeStatic,
},
},
SchemaVersion: hcn.SchemaVersion{
Major: hcnSchemaVersionMajor,
Minor: hcnSchemaVersionMinor,
},
}
// Set hcn network adaptor name policy
// FixMe: Find a better way to check if a nic that is selected is not part of a vSwitch
// per hns team, the hns calls fails if passed a vSwitch interface
// Pass adapter name here if it is not empty, this is cause if we don't tell HNS which adapter to use
// it will just pick one randomly, this is a problem for customers that have multiple adapters
if nwInfo.AdapterName != "" || !strings.HasPrefix(extIf.Name, vEthernetAdapterPrefix) {
var adapterName string
if nwInfo.AdapterName != "" {
adapterName = nwInfo.AdapterName
} else {
adapterName = extIf.Name
}
logger.Info("Adapter name used with HNS is", zap.String("adapterName", adapterName))
netAdapterNamePolicy, err := policy.GetHcnNetAdapterPolicy(adapterName)
if err != nil {
logger.Error("Failed to serialize network adapter policy due to", zap.Error(err))
return nil, err
}
hcnNetwork.Policies = append(hcnNetwork.Policies, netAdapterNamePolicy)
}
// Set hcn subnet policy
var (
vlanid int
subnetPolicy []byte
)
opt, _ := nwInfo.Options[genericData].(map[string]interface{})
if opt != nil && opt[VlanIDKey] != nil {
var err error
vlanID, _ := strconv.ParseUint(opt[VlanIDKey].(string), baseDecimal, bitSize)
subnetPolicy, err = policy.SerializeHcnSubnetVlanPolicy((uint32)(vlanID))
if err != nil {
logger.Error("Failed to serialize subnet vlan policy due to", zap.Error(err))
return nil, err
}
vlanid = (int)(vlanID)
}
// Set network mode.
switch nwInfo.Mode {
case opModeBridge:
hcnNetwork.Type = hcn.L2Bridge
case opModeTunnel:
hcnNetwork.Type = hcn.L2Tunnel
default:
return nil, errNetworkModeInvalid
}
// AccelnetNIC flag: hcn.EnableIov(9216) - treat Delegated/FrontendNIC also the same as Accelnet
// For L1VH with accelnet, hcn.DisableHostPort and hcn.EnableIov must be configured
if nwInfo.NICType == cns.NodeNetworkInterfaceFrontendNIC {
hcnNetwork.Type = hcn.Transparent
// set transparent network as non-persistent so that networks will be gone after the node gets rebooted
// hcnNetwork.flags = hcn.DisableHostPort | hcn.EnableIov | hcn.EnableNonPersistent (1024 + 8192 + 8 = 9224)
hcnNetwork.Flags = hcn.DisableHostPort | hcn.EnableIov | hcn.EnableNonPersistent
}
// Populate subnets.
for _, subnet := range nwInfo.Subnets {
hnsSubnet := hcn.Subnet{
IpAddressPrefix: subnet.Prefix.String(),
// Set the Gateway route
Routes: []hcn.Route{
{
NextHop: subnet.Gateway.String(),
DestinationPrefix: defaultRouteCIDR,
},
},
}
// Set the subnet policy
if vlanid > 0 {
hnsSubnet.Policies = append(hnsSubnet.Policies, subnetPolicy)
}
hcnNetwork.Ipams[0].Subnets = append(hcnNetwork.Ipams[0].Subnets, hnsSubnet)
}
return hcnNetwork, nil
}
func (nm *networkManager) addIPv6DefaultRoute() error {
// add ipv6 default route if it does not exist in dualstack overlay windows node from persistent store
// persistent store setting is only read during the adapter restarts or reboots to re-populate the active store
// get interface index to add ipv6 default route and only consider there is one vEthernet interface for now
getIpv6IfIndexCmd := `((Get-NetIPInterface | where InterfaceAlias -Like "vEthernet*").IfIndex)[0]`
ifIndex, err := nm.plClient.ExecutePowershellCommand(getIpv6IfIndexCmd)
if err != nil {
return errors.Wrap(err, "error while executing powershell command to get ipv6 Hyper-V interface")
}
getIPv6RoutePersistentCmd := fmt.Sprintf("Get-NetRoute -DestinationPrefix %s -PolicyStore Persistentstore", defaultIPv6Route)
if out, err := nm.plClient.ExecutePowershellCommand(getIPv6RoutePersistentCmd); err != nil {
logger.Info("ipv6 default route is not found from persistentstore, adding default ipv6 route to the windows node", zap.String("out", out), zap.Error(err))
// run powershell cmd to add ipv6 default route
// if there is an ipv6 default route in active store but not persistent store; to add ipv6 default route to persistent store
// need to remove ipv6 default route from active store and then use this command to add default route entry to both active and persistent store
addCmd := fmt.Sprintf("Remove-NetRoute -DestinationPrefix %s -InterfaceIndex %s -NextHop %s -confirm:$false;New-NetRoute -DestinationPrefix %s -InterfaceIndex %s -NextHop %s -confirm:$false",
defaultIPv6Route, ifIndex, defaultIPv6NextHop, defaultIPv6Route, ifIndex, defaultIPv6NextHop)
if _, err := nm.plClient.ExecutePowershellCommand(addCmd); err != nil {
return errors.Wrap(err, "Failed to add ipv6 default route to both persistent and active store")
}
}
return nil
}
// newNetworkImplHnsV2 creates a new container network for HNSv2.
func (nm *networkManager) newNetworkImplHnsV2(nwInfo *EndpointInfo, extIf *externalInterface) (*network, error) {
// network creation is not required for IB
if nwInfo.NICType == cns.BackendNIC {
return &network{Endpoints: make(map[string]*endpoint)}, nil
}
hcnNetwork, err := nm.configureHcnNetwork(nwInfo, extIf)
if err != nil {
logger.Error("Failed to configure hcn network due to", zap.Error(err))
return nil, err
}
// check if network exists, only create the network does not exist
hnsResponse, err := Hnsv2.GetNetworkByName(hcnNetwork.Name)
if err != nil {
// if network not found, create the HNS network.
if errors.As(err, &hcn.NetworkNotFoundError{}) {
logger.Info("Creating hcn network", zap.Any("hcnNetwork", hcnNetwork))
hnsResponse, err = Hnsv2.CreateNetwork(hcnNetwork)
if err != nil {
return nil, fmt.Errorf("Failed to create hcn network: %s due to error: %v", hcnNetwork.Name, err)
}
logger.Info("Successfully created hcn network with response", zap.Any("hnsResponse", hnsResponse))
} else {
// we can't validate if the network already exists, don't continue
return nil, fmt.Errorf("Failed to create hcn network: %s, failed to query for existing network with error: %v", hcnNetwork.Name, err)
}
} else {
if hcnNetwork.Type == hcn.Transparent {
// CNI triggers Add() for new pod first and then delete older pod later
// for transparent network type, do not ignore network creation if network already exists
// return error to avoid creating second endpoint
logger.Error("HNS network with name already exists. Returning error for transparent network", zap.String("networkName", hcnNetwork.Name))
return nil, fmt.Errorf("HNS network with name:%s already exists. Returning error for transparent network", hcnNetwork.Name) //nolint
}
logger.Info("Network with name already exists", zap.String("name", hcnNetwork.Name))
}
// check if ipv6 default gateway route is missing before windows endpoint creation
for i := range nwInfo.Subnets {
if nwInfo.Subnets[i].Family == platform.AfINET6 {
if err = nm.addIPv6DefaultRoute(); err != nil {
// should not block network creation but remind user that it's failed to add ipv6 default route to windows node
logger.Error("failed to add missing ipv6 default route to windows node active/persistent store", zap.Error(err))
}
break
}
}
var vlanid int
opt, _ := nwInfo.Options[genericData].(map[string]interface{})
if opt != nil && opt[VlanIDKey] != nil {
vlanID, _ := strconv.ParseInt(opt[VlanIDKey].(string), baseDecimal, bitSize)
vlanid = (int)(vlanID)
}
// Create the network object.
nw := &network{
Id: nwInfo.NetworkID,
HnsId: hnsResponse.Id,
Mode: nwInfo.Mode,
Endpoints: make(map[string]*endpoint),
extIf: extIf,
VlanId: vlanid,
EnableSnatOnHost: nwInfo.EnableSnatOnHost,
NetNs: nwInfo.NetNs,
}
nwInfo.HNSNetworkID = hnsResponse.Id // we use this later in stateless to clean up in ADD if there is an error
return nw, nil
}
// NewNetworkImpl creates a new container network.
func (nm *networkManager) newNetworkImpl(nwInfo *EndpointInfo, extIf *externalInterface) (*network, error) {
if useHnsV2, err := UseHnsV2(nwInfo.NetNs); useHnsV2 {
if err != nil {
return nil, err
}
return nm.newNetworkImplHnsV2(nwInfo, extIf)
}
return nm.newNetworkImplHnsV1(nwInfo, extIf)
}
// DeleteNetworkImpl deletes an existing container network.
func (nm *networkManager) deleteNetworkImpl(nw *network, nicType cns.NICType) error {
if nicType != cns.NodeNetworkInterfaceFrontendNIC { //nolint
return nil
}
logger.Info("Deleting HNS network", zap.String("networkID", nw.HnsId), zap.Any("nictype", nicType))
if useHnsV2, err := UseHnsV2(nw.NetNs); useHnsV2 {
if err != nil {
return err
}
return nm.deleteNetworkImplHnsV2(nw)
}
return nm.deleteNetworkImplHnsV1(nw)
}
// DeleteNetworkImplHnsV1 deletes an existing container network using HnsV1.
func (nm *networkManager) deleteNetworkImplHnsV1(nw *network) error {
logger.Info("HNSNetworkRequest DELETE id", zap.String("id", nw.HnsId))
hnsResponse, err := Hnsv1.DeleteNetwork(nw.HnsId)
logger.Info("HNSNetworkRequest DELETE response", zap.Any("hnsResponse", hnsResponse), zap.Error(err))
return err
}
// DeleteNetworkImplHnsV2 deletes an existing container network using Hnsv2.
func (nm *networkManager) deleteNetworkImplHnsV2(nw *network) error {
var hcnNetwork *hcn.HostComputeNetwork
var err error
logger.Info("Deleting hcn network with id", zap.String("id", nw.HnsId))
if hcnNetwork, err = Hnsv2.GetNetworkByID(nw.HnsId); err != nil {
return fmt.Errorf("Failed to get hcn network with id: %s due to err: %v", nw.HnsId, err)
}
if err = Hnsv2.DeleteNetwork(hcnNetwork); err != nil {
return fmt.Errorf("Failed to delete hcn network: %s due to error: %v", nw.HnsId, err)
}
logger.Info("Successfully deleted hcn network with id", zap.String("id", nw.HnsId))
return err
}
func getNetworkInfoImpl(_ *EndpointInfo, _ *network) {
}