Macvtap binding plugin

[AlonaKaplan]

What this PR does / why we need it:
This PR allows using macvtap binding as a plugin.

Those are the extra steps that need to be done to run a VM with a macvtap plugin binding interface (the rest is similar to the old API usage).
Enable network binding plugin feature-gate in the KV CR

kubectl patch kubevirts -n kubevirt kubevirt --type=json -p='[{"op": "add", "path": "/spec/configuration/developerConfiguration/featureGates/-",   "value": "NetworkBindingPlugins"}]'

Register the macvtap binding plugin in the KV CR

note: use the name of the network-attachment-definition defined earlier.

kubectl patch kubevirts -n kubevirt kubevirt --type=json -p='[{"op": "add", "path": "/spec/configuration/network",   "value": {
            "binding": {
                "macvtap": {
                    domainAttachmentType: tap,
                }
            }
        }}]'

Create (and apply) a VM with a macvtap binding interface

---
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  labels:
    kubevirt.io/vm: vm-net-binding-macvtap
  name: vm-net-binding-macvtap
spec:
  running: true
  template:
    metadata:
      labels:
        kubevirt.io/vm: vm-net-binding-macvtap
    spec:
      domain:
        devices:
          disks:
          - disk:
              bus: virtio
            name: containerdisk
          interfaces:
          - name: macvtapnet
            binding:
              name: macvtap
            ports:
            - name: http
              port: 80
              protocol: TCP
          rng: {}
        resources:
          requests:
            memory: 1024M
      networks:
      - name: macvtapnet
        mutlus:
          networkName: macvtapNad  
      terminationGracePeriodSeconds: 0
      volumes:
      - containerDisk:
          image: registry:5000/kubevirt/fedora-with-test-tooling-container-disk:devel
        name: containerdisk

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Checklist

This checklist is not enforcing, but it's a reminder of items that could be relevant to every PR.
Approvers are expected to review this list.

• Design: A design document was considered and is present (link) or not required
• PR: The PR description is expressive enough and will help future contributors
• Code: Write code that humans can understand and Keep it simple
• Refactor: You have left the code cleaner than you found it (Boy Scout Rule)
• Upgrade: Impact of this change on upgrade flows was considered and addressed if required
• Testing: New code requires new unit tests. New features and bug fixes require at least on e2e test
• Documentation: A user-guide update was considered and is present (link) or not required. You want a user-guide update if it's a user facing feature / API change.
• Community: Announcement to kubevirt-dev was considered

Release note:

Support macvtap as a binding plugin

[kubevirt-bot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[ormergi]

Regarding the example in PR the description, isn't it necessary to create NAD for mavtap binding?

[AlonaKaplan]

/test pull-kubevirt-build
/test pull-kubevirt-build-arm64
/test pull-kubevirt-generate
/test pull-kubevirt-manifests
/test pull-kubevirt-unit-test
/test pull-kubevirt-e2e-k8s-1.27-sig-network

[AlonaKaplan]

Regarding the example in PR the description, isn't it necessary to create NAD for mavtap binding?

Edited the comment to emphasize those are just the extra steps.

[ormergi]

nit: It seems the root cause for the additional empty element in Multus annotation is passing bindingPluginAnnotationData by value instead of pointer to add.
We can avoid yet another if in this function by passing pointer and performing nil checking inside add.

[AlonaKaplan]

But then the nil check will be in the "add" method. So we anyway need to add a nil check.

[ormergi]

Why is that error ignored?
It seems it will be ignored whether its ErrNoExist or not.

[AlonaKaplan]

It means that is is ok if the device is just not there, in this case we don't need to change the ownership - there is no device.

[EdDev]

This looks wrong or I miss something.
Of the device is missing or not, you always return nil.

[AlonaKaplan]

you"re right. It is a bug. Done.

[ormergi]

What will happen when Mavtap interface API is used, will it work?

[AlonaKaplan]

We will soon see in the tests are passing:) But generally, mactvap old API should return true here (since it is in the map).

[ormergi]

Aren't these can set as consts?

[AlonaKaplan]

done.

[ormergi]

I think kubevirt.Client() can be called directly, its implemented as singleton and its safe to call it more then once.

[AlonaKaplan]

done.

[ormergi]

These seem redundant because they only used in the BeforeEach

[AlonaKaplan]

done.

[AlonaKaplan]

/test pull-kubevirt-build
/test pull-kubevirt-build-arm64
/test pull-kubevirt-generate
/test pull-kubevirt-manifests
/test pull-kubevirt-unit-test
/test pull-kubevirt-e2e-k8s-1.27-sig-network

[EdDev]

masquerade and bridge
are exluded since we know in advance there is no tap device on those
bindings

We indeed know, but why is that a good reasoning to keep conditioning on it?
I thought we can generalize it to not have to ask. As a side effect, it will assure we are able to handle it for other future bindings that do use a simple tap without a device behind it.

Bottom line, it will be nice to specify here all the users of tap & tap-device.

[AlonaKaplan]

We can generalize it and everything will perfectly work if inf.Masquerade == nil && inf.Bridge == nil will be removed from the condition.
The reason I prefer to exclude it is because the next step is to step into the virt-laucnher's network namespace and looking for the device. It is a bit expensive, so if we can avoid it. Why not?
Another bindings don't have this privilege (that we know in advance if the tap device is there or not), so they we have to step into the network namespace to check.

[EdDev]

This looks wrong or I miss something.
Of the device is missing or not, you always return nil.

[EdDev]

This is odd.

There is a hidden assumption that if there is a device behind a tap domainAttachement, it is always with the pod interface name.
Why is that correct? Maybe it is a device used with the tap* naming.

Well, you could always define this as a "rule", but it feels ugly.
Can this be solved in the future or will we be stuck with this forever? (I mean, assuming we let this slide in, can this be improved without breaking things).

[AlonaKaplan]

yes, this is the rule. I should use the pod interface naming.
If we will improve it in the future we will have to somehow pass the "name" of the tap device.
I don't think it will break anything, we can say that the default is the pod interface name.

[EdDev]

Can you please reuse or do something similar to createBasicNetworkAttachmentDefinition, this one is too noisy. You know I do not like these closure functions :).

[AlonaKaplan]

removed it.

[EdDev]

I do not see a need for another indented context here. We are in the "macvtap" context, and if there is a need for some pre-setup, it can be done at that level.

But I also think it is wrong to keep the current separation between the fixture and test body.
The test itself is also about defining the VM correctly.

[AlonaKaplan]

done.

[EdDev]

I do not understand why this is needed.
We do not check this for other tests, what is special about this one?

If there are no scheduled nodes, it should fail on timing out to create the VM.
I do not need to know about these details unless you tell me it is a must.

[AlonaKaplan]

It is nit needed, removed.

[EdDev]

Where is this GenerateRandomMac coming from? I guess it should be moved to libnet.

[AlonaKaplan]

kubevirt/tests/network/mac.go

Line 8 in ea0a699

func GenerateRandomMac() (net.HardwareAddr, error) {

A separate PR can move it.

[EdDev]

nit: Can these appear on the same line?

[AlonaKaplan]

done.

[EdDev]

I;m having hard time understanding how macvtap can be the primary network.

[AlonaKaplan]

It is not the primary. Changed the name so it will be clearer.

[EdDev]

Thank you!

[EdDev]

nit: You do not need these now.

[EdDev]

nit: I would call it networkName and set it as a const.

When we use iface, it has too many possible interpretations (logical iface/network name, name on the OS kernel).

[AlonaKaplan]

Raising to approve.

/approve

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: AlonaKaplan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [AlonaKaplan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[kvaps]

Hi @AlonaKaplan, wouldn't you like to add an opportunity from #7648 to make macvtap method working also for default podNetworking and other CNIs?

I can investigate into it to make this working.

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[kubevirt-bot]

@AlonaKaplan: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-kubevirt-check-tests-for-flakes	e378ba2	link	false	/test pull-kubevirt-check-tests-for-flakes

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[AlonaKaplan]

/cherry-pick release-1.1

[kubevirt-bot]

@AlonaKaplan: new pull request created: #10831

In response to this:

/cherry-pick release-1.1

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.