Deviceinfo downwardAPI

[AlonaKaplan]

What this PR does

In some cases the multus status annotation contains device-info.
This info may be valuable for the binding plugin sidecar. For example SRIOV and VDPA plugins need this info.
As the multus status annotation is not there yet on virt-laucher pod creation, the suggested solution is to use downwardAPI volume and mount it to the sidecar.
The downwardAPI volume will track a new virt-launcher pod annotation kubevirt.io/network-info that will contain a list of interfaces with their device-info.
Very similar to the existing SRIOV downwardAPI solution which is mapping the networkName to the pci-address of the device and mounting the downwardAPI volume to the virt-launcher pod.

To enable the downwardAPI for a network binding plugin, it should have downwardAPI: device-info attribute.

apiVersion: kubevirt.io/v1
kind: KubeVirt
metadata:
  name: kubevirt
  namespace: kubevirt
spec:
  configuration:
    network:
      binding:
        vdpa:
          sidecarImage: quay.io/kubevirt/network-vdpa-binding
          downwardAPI: device-info

Before this PR:

• Interfaces device info was exposed to the virt-launcher compute container via environment variables by the device plugin.
  The compute container could use those env var to construct the libvirt domain xml.
• A downward API is used to expose network to PCI map for SRIOV interfaces.

After this PR:

• A downward API is used to expose interfaces device info to virt-launcher hook sidecars.

Follow-up - use the new network to device info map for SRIOV interfaces instead of the network to PCI map,

Fixes #

Why we need it and why it was done in this way

The following tradeoffs were made:

The following alternatives were considered:
alternatives -

• Instead of configuring in the kubevirt CR whether deviceInfo should be mounted to the sidecar or not we can always mount it in case it exists in the status.
• Share via the downwardAPI only the deviceInfo of binding that request it. It can be controlled by the binding config in the kubivirt CR (e.g “deviceInfo: true/false” attribute).
• Passing PCIDEVICE_<RESOURCE_NAME>_NET_INFO env var from the virt-launcher to the sidecar by adding it as an annotation to the vmi object passed to the onDefineDomain method. The problem with this approach is that it will reintroduce the same bug SRIOV that the SRIOV downward API solved.
• Sharing CNIDeviceInfo file with the sidecar. It is a very similar approach to the downwardAPI option, the * disadvantage here is that the user would have to specify the file path in the NAD.
  More alternatives to a similar issue are listed in the SRIOV mapping design doc.

Links to places where the discussion took place:
design proposal

TBD: covert the to design to markdown and add it to the kubevirt/community design proposals.

Special notes for your reviewer

Checklist

This checklist is not enforcing, but it's a reminder of items that could be relevant to every PR.
Approvers are expected to review this list.

• Design: A design document was considered and is present (link) or not required
• PR: The PR description is expressive enough and will help future contributors
• Code: Write code that humans can understand and Keep it simple
• Refactor: You have left the code cleaner than you found it (Boy Scout Rule)
• Upgrade: Impact of this change on upgrade flows was considered and addressed if required
• Testing: New code requires new unit tests. New features and bug fixes require at least on e2e test
• Documentation: A user-guide update was considered and is present (link) or not required. You want a user-guide update if it's a user facing feature / API change.
• Community: Announcement to kubevirt-dev was considered

Release note

Extend network binding plugin to support device-info DownwardAPI.

[kubevirt-bot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[AlonaKaplan]

/test pull-kubevirt-build
/test pull-kubevirt-build-arm64
/test pull-kubevirt-generate
/test pull-kubevirt-manifests
/test pull-kubevirt-unit-test
/test pull-kubevirt-e2e-k8s-1.27-sig-network

[ormergi]

I would store the new device-info annotation in different dir then the sriov-network-pci one.
IMO it will be easier to debug that way, also avoid potential overwrites, if tomorrow someone changes the downward API volumes render code.

[AlonaKaplan]

It is under the deviceinfo dir. What place do you find better than this?

[ormergi]

The path will be /etc/podinfo/deviceinfo?

I though about saving it in its own dir /etc/net-device-info

[ormergi]

nit: adding some indentations could make it easier to read.

[AlonaKaplan]

I don't think it will work with indentations. Can you please give an example of what you suggest?

[ormergi]

See the following examples, if the assertions fails you can use MatchJSON matcher:

networkStatusWithMixedNetworksFmt := `[
	{
		"name": "kindnet",
		"interface": "eth0",
		"ips": [
		  "10.244.1.9"
		],
		"mac": "3a:7e:42:fa:37:c6",
		"default": true,
		"dns": {}
	},
	{
		"name": "default/nad1",
		"interface": "%s",
		"mac": "8a:37:d9:e7:0f:18",
		"dns": {}
	},
	{
		"name": "default/nad2",
		"interface": "%s",
		"dns": {},
		"device-info": {
		  "type": "pci",
		  "version": "1.0.0",
		  "pci": {
			"pci-address": "0000:65:00.2"
		  }
		}
	}
]`

networkStatusWithPrimaryInterfaceOnly := `[{
	"name": "kindnet",
	"interface": "eth0",
	"ips": [
	  "10.244.2.131"
	],
	"mac": "82:cf:7c:98:43:7e",
	"default": true,
	"dns": {}
  }]`

[AlonaKaplan]

done.

[ormergi]

Recently I got review comment that it should be The Kubevirt Authors instead of Red Hat, Inc.
Nevertheless, some files in the code base have the first and other has the latter, I guess it should be aligned soon to The Kubevirt Authors.

[AlonaKaplan]

done.

[ormergi]

It seems that only the expected annotation varies between the tests in this table, specifically the pod interface names, hashed vs. ordinal.
Please consider simplifying it by passing only the expected annotation.

[AlonaKaplan]

done.

[ormergi]

Please consider removing map prefix, IMO it doesn't add value.
Also if tomorrow we decide to change the annotation value format (to not be map) the name would no longer be valid.

[AlonaKaplan]

If we change the annotation value not to be a map it is API change. virt-launcher containers assume it is a map.

[ormergi]

Here is a nice argue about having info about the value of a variable in its name
kubevirt/community#281 (comment)

[ormergi]

Please consider using the "equal" matcher instead of (haveLen + haveKeyWithValue), it can provide better visibility for expected results.

In general it can be easier to maintain: in case there it require adding another annotation, you could change the expected annotation slice instead adding new assert and incrementing the haveLen assert.

[AlonaKaplan]

/test pull-kubevirt-build
/test pull-kubevirt-build-arm64
/test pull-kubevirt-generate
/test pull-kubevirt-manifests
/test pull-kubevirt-unit-test
/test pull-kubevirt-e2e-k8s-1.27-sig-network

[AlonaKaplan]

/test pull-kubevirt-build
/test pull-kubevirt-build-arm64
/test pull-kubevirt-generate
/test pull-kubevirt-manifests
/test pull-kubevirt-unit-test
/test pull-kubevirt-e2e-k8s-1.27-sig-network

[ormergi]

Thanks for the changes, second round

[ormergi]

Suggested change

	// DownwardAPI specifies what kind of data should be exposed to the binding plugin sidecar.
	// DownwardAPI specifies what kind of data should be exposed to the binding plugin sidecar using Kubernetes Downward API
	https://kubernetes.io/docs/concepts/workloads/pods/downward-api/

[AlonaKaplan]

Why should I mention here what method is used to implement it. It is an implementation detail.

[ormergi]

Well this impl. detail is well exposed by the downwardAPI field name :)

[AlonaKaplan]

The name downward API means we want to expose to the container some of the pod fields.
It doesn't expose how we implement it and whether we use a k8s volume or some other method (e.g env vars).

Reference - https://kubernetes.io/docs/concepts/workloads/pods/downward-api/

[ormergi]

Maybe we need to think of better name then DownwardAPI because this name imply k8s downward API feature is being used, which is an impl. detail according to you.

I dont have better name to suggest though.

[EdDev]

I do not think the the name is a trade-mark.
It sounds a reasonable name to me, taking API data "down".

If there is no better name to suggest, continuing this thread is not useful.

[ormergi]

Should be device-info?
If so, please note there are other places it should be changed.

[AlonaKaplan]

done.

[ormergi]

The path will be /etc/podinfo/deviceinfo?

I though about saving it in its own dir /etc/net-device-info

[ormergi]

See the following examples, if the assertions fails you can use MatchJSON matcher:

networkStatusWithMixedNetworksFmt := `[
	{
		"name": "kindnet",
		"interface": "eth0",
		"ips": [
		  "10.244.1.9"
		],
		"mac": "3a:7e:42:fa:37:c6",
		"default": true,
		"dns": {}
	},
	{
		"name": "default/nad1",
		"interface": "%s",
		"mac": "8a:37:d9:e7:0f:18",
		"dns": {}
	},
	{
		"name": "default/nad2",
		"interface": "%s",
		"dns": {},
		"device-info": {
		  "type": "pci",
		  "version": "1.0.0",
		  "pci": {
			"pci-address": "0000:65:00.2"
		  }
		}
	}
]`

networkStatusWithPrimaryInterfaceOnly := `[{
	"name": "kindnet",
	"interface": "eth0",
	"ips": [
	  "10.244.2.131"
	],
	"mac": "82:cf:7c:98:43:7e",
	"default": true,
	"dns": {}
  }]`

[ormergi]

Please consider simplifying mapNetworkNameToDeviceInfo by passing interfaces slice instead of a lambda.
Also we can use vmispec.FilterInterfacesSpec for filtering:

vmispec.FilterInterfacesSpec(interfaces, func(iface v1.Interface) bool {
    if iface.Binding != nil {
        plugin, exist := bindingPlugins[iface.Binding.Name]
        return exist && binding.DownwardAPI == v1.DeviceInfo
    }
})

[ormergi]

I would not add the annotation at all if it has empty value, having it with empty value is equivalent to no exist at all.

[ormergi]

Here is a nice argue about having info about the value of a variable in its name
kubevirt/community#281 (comment)

[ormergi]

nit: I would call it NetworkBindingPluginRequireDeviceInfo

[AlonaKaplan]

I find the original name more explicit.

[ormergi]

The BindingPluginNetwork confusing it should be NetworkBindingPlugin as the feature name IMO.

[AlonaKaplan]

The method is mot checking whether there is NetworkBindingPlugin with device info (in the kubevirt CR). It checks whether a VM has a network using this kind of BindingPlugin. Therefore, I find the current name as more suitable.

[ormergi]

Now I understand what it means, maybe mentioning interface fit better a because the function receives interfaces slice.
Although, we already know the API suffer from the network/interface naming semantics, so maybe network can still work.

Still a nit, not a must.

[ormergi]

s/onfo/info/g

[AlonaKaplan]

done.

[ormergi]

It seems to remain at the same place

[EdDev]

Partial review.

[EdDev]

I think it should be v1alphav1.

[AlonaKaplan]

Done. We need a separate PR to change all the occurrences.

[EdDev]

nit: You can drop the Map, it is ugly. Same for networkDeviceInfoMap.

[AlonaKaplan]

done.

[EdDev]

I am not sure if it is something I missed, but this seems over complicated.
Why not pass the filtered interface instead of the function?

Will this work?

return mapNetworkNameToDeviceInfo(networks, networkStatusAnnotationValue, vmispec.FilterInterfacesSpec(interfaces, func(iface v1.Interface) bool {
    if iface.Binding != nil {
	if binding, exist := bindingPlugins[iface.Binding.Name]; exist && binding.DownwardAPI == v1.DeviceInfo {
	    return true
	}
    }
    return false
})

You can even consider making this an object, as a large number of data is passed around.

[AlonaKaplan]

done.

[EdDev]

Can you use libvmi for this one and all the rest?

[AlonaKaplan]

done, much nicer:)

[EdDev]

Reviewed the 1st 5 commits.

[EdDev]

Any reason you have not used vmispec.FilterInterfacesSpec as suggested previously?

[AlonaKaplan]

done.

[EdDev]

I find continue messy.
Perhaps you will agree to a direct approach:

if networkStatusEntry, exist := multusInterfaceNameToNetworkStatus[multusInterfaceName]; exist {
    networkDeviceInfo[iface.Name] = networkStatusEntry.DeviceInfo
}

[AlonaKaplan]

done.

[EdDev]

nit: This is "our" API, I think it can be a simple v1.

[AlonaKaplan]

done.

[EdDev]

I am not familiar with this style, usually we do:

Expect(deviceinfo.MapBindingPluginNetworkNameToDeviceInfo(
    networkList,
    interfaceList,
    networkStatusAnnotationValue,
    bindingPlugins,
)).To(BeEmpty())

The error is implicitly checked.

[ormergi]

I would still use additional variable in between (networkDeviceInfoMap), just not break the line right at the assignment.

[AlonaKaplan]

done.

[EdDev]

Do we need to ignore the error so deep here? Why not let the caller decide if to ignore it or not?

If you can explain what is the reason for this in the commit message, it will be great.

[AlonaKaplan]

This behavior was copied from SRIOV to keep consistency.
Updated the commit message.

[EdDev]

nit: return NetworkInfo{Interfaces: downwardAPIInterfaces}

[AlonaKaplan]

done.

[EdDev]

?

[EdDev]

This will return an empty list and not a nil one.
Any reason it is not a simple uninitialized slice? var downwardAPIInterfaces []Interface

[AlonaKaplan]

done.

[EdDev]

nit: I can you keep these separated from the above one?

[AlonaKaplan]

done.

[EdDev]

Please consider:

• An empty list one.
• One with an error in the marshaling (if possible).

[AlonaKaplan]

An empty list one.

Done.

One with an error in the marshaling.

I don't know how to simulate it.

[ormergi]

Marshaling errors results in empty annotation value.

[ormergi]

Please note line 1282, there is already code that update multus network annotation (c.updateMultus, it also calls syncAnnotations) and patches the pod.
Is it possible to consolidate these two pieces of code so there will be one patch operation?

[AlonaKaplan]

It is not in the scope of this big enough PR.

[ormergi]

Myabe you can replace those with libvmi as well.

[AlonaKaplan]

done.

[ormergi]

Suggested change

	It("should prepare network device info annotation with multiple networks", func() {
	It("should prepare network to device-info mapping given multiple networks", func() {

[EdDev]

I think it is fine as is, the suggestion is not better than the existing. And it is a super nit.

[ormergi]

yep not a must, sorry for not mentioning it a nit and not meaningful

[ormergi]

nit:

Suggested change

	expectedMap :=
	expectedMap := map[string]*networkv1.DeviceInfo{
	"foo": {Type: "pci", Version: "1.0.0", Pci: &networkv1.PciDevice{PciAddress: "0000:65:00.2"}}
	}

[AlonaKaplan]

done.

[ormergi]

The BindingPluginNetwork confusing it should be NetworkBindingPlugin as the feature name IMO.

[ormergi]

Suggested change

	It("returns true when there is no network with device info plugin", func() {
	It("returns true when there is at least one network with device-info plugin", func() {

[AlonaKaplan]

done, thanks.

[ormergi]

nit: indentation would be nice, also it seems it can defined as const

networkStatus := `[
      {
        "name": "default/no-device-info",
        "interface": "pod6446d58d6df",
        "mac": "8a:37:d9:e7:0f:18",
        "dns": {}
      },
      {
        "name": "default/with-device-info",
        "interface": "pod2c26b46b68f",
        "dns": {},
        "device-info": {
          "type": "pci",
          "version": "1.0.0",
          "pci": {
            "pci-address": "0000:65:00.2"
          }
        }
      },
      {
        "name": "default/sriov",
        "interface": "pod778c553efa0",
        "dns": {},
        "device-info": {
          "type": "pci",
          "version": "1.0.0",
          "pci": {
            "pci-address": "0000:65:00.3"
          }
        }
      }
  ]`

[AlonaKaplan]

done.

[ormergi]

nit: Using equal matcher would improve visibility of expected results.

[AlonaKaplan]

done.

[EdDev]

I do not think the the name is a trade-mark.
It sounds a reasonable name to me, taking API data "down".

If there is no better name to suggest, continuing this thread is not useful.

[EdDev]

I think it is fine as is, the suggestion is not better than the existing. And it is a super nit.

[EdDev]

nit:

Expect(deviceinfo.MapBindingPluginNetworkNameToDeviceInfo(networks, interfaces, networkStatusWithMixedNetworks, bindingPlugins)).To(Equal(expectedMap))

The error is implicitly checked.

[AlonaKaplan]

done.

[EdDev]

In continuation or Or's comment a few lines before.
I think you can do this now:

for netName, deviceInfo := range networkNameToDeviceInfo {
    ...
}

Wherever sriovIface.Name appears, netName can be used.

[AlonaKaplan]

done.

[EdDev]

6th commit review

[EdDev]

I think this is the only production usage of this function, therefore it may be a good idea to reconsider its signature.
There is duplication with BindingPluginNetworkWithDeviceInfoExist and I hope we can avoid adding that other function.

How about this: The bindingPlugins is only needed for the filtering, both here and in the prev one.
So we can pass in an already filtered interfaces slice.

ifacesWithDeviceInfo := vmispec.FilterInterfacesSpec(interfaces, func(iface v1.Interface) bool {
    if iface.Binding != nil {
        if binding, exist := bindingPlugins[iface.Binding.Name]; exist && binding.DownwardAPI == v1.DeviceInfo {
            return true
        }
    }
    return false
})
if len(ifacesWithDeviceInfo) > 0 {
    networkDeviceInfoMap, err := deviceinfo.MapBindingPluginNetworkNameToDeviceInfo(networks, ifacesWithDeviceInfo, multusStatusAnnotation)
    if err != nil {
        ...
    }
    ...
}
return newAnnotations

[AlonaKaplan]

The method has one more usage in the next commit. Also, I find it much more readable and telling the story of the method the way it is.

[EdDev]

IMO the only readability problem is with binding, exist := bindingPlugins[iface.Binding.Name]; exist && binding.DownwardAPI == v1.DeviceInfo , which you could extract to a function if you want.

If the problem is re-use, you can also just move the filter to vmispec and name it.

vmispec.FilterInterfacesSpec(interfaces, func(iface v1.Interface) bool {
    if iface.Binding != nil {
        if binding, exist := bindingPlugins[iface.Binding.Name]; exist && binding.DownwardAPI == v1.DeviceInfo {
            return true
        }
    }
    return false
})

We will benefit here from the filtered interfaces slice.

I find the current helper in vmispec not elegant.

But if you do not like it, I won't insist further.

[EdDev]

nit: Exposing the consts, it may have been better to just return from downwardapi package the k8sv1.VolumeMount. The advantage would have been that no one will misuse the consts.
WDYT?

[AlonaKaplan]

I think the current option is more readable and the consts (at least downwardapi.NetworkInfoVolumeName) are used on volume creation as well.

[EdDev]

It is unsafe to use consts like this, because they may be used in the wrong place.
Returning the object itself would have been safer over exposing the consts.

I will not insist on this.

[EdDev]

I think that when you add it here, it is exposed to the sidecar-hook annotation [1].

[1]

kubevirt/pkg/hooks/hooks_test.go

Lines 49 to 60 in 25b3733

	hooks.HookSidecarListAnnotationName: `
	[
	{
	"image": "some-image:v1",
	"imagePullPolicy": "IfNotPresent"
	},
	{
	"image": "another-image:v1",
	"imagePullPolicy": "Always"
	}
	]
	`,

[AlonaKaplan]

Changed to json:"-" so the DownwardAPI value won't be unmarshaled from the annotation.

[EdDev]

Thank you!

I don't like the addition added to vmispec, but it is not worth blocking this great work.

We should wait for the design to be merged before taking this one in.
Hope we can resolve the current discussion there soon.

[EdDev]

?

[EdDev]

IMO the only readability problem is with binding, exist := bindingPlugins[iface.Binding.Name]; exist && binding.DownwardAPI == v1.DeviceInfo , which you could extract to a function if you want.

If the problem is re-use, you can also just move the filter to vmispec and name it.

vmispec.FilterInterfacesSpec(interfaces, func(iface v1.Interface) bool {
    if iface.Binding != nil {
        if binding, exist := bindingPlugins[iface.Binding.Name]; exist && binding.DownwardAPI == v1.DeviceInfo {
            return true
        }
    }
    return false
})

We will benefit here from the filtered interfaces slice.

I find the current helper in vmispec not elegant.

But if you do not like it, I won't insist further.

[EdDev]

It is unsafe to use consts like this, because they may be used in the wrong place.
Returning the object itself would have been safer over exposing the consts.

I will not insist on this.

[ormergi]

Thank you, awesome work

[lmilleri]

I have tested this PR content in my vdpa environment and it works as expected, thank you!
This is an example of the file mounted in the vdpa sidecar plugin:

{ "interfaces": [ { "network": "nic1", "deviceInfo": { "type": "vdpa", "version": "1.1.0", "vdpa": { "parent-device": "vdpa:0000:65:00.2", "driver": "vhost", "path": "/dev/vhost-vdpa-0", "pci-address": "0000:65:00.2" } } } ] }

[AlonaKaplan]

Raising 2 lgtms to approve.

/approve

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: AlonaKaplan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [AlonaKaplan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kubevirt-commenter-bot]

Required labels detected, running phase 2 presubmits:
/test pull-kubevirt-e2e-windows2016
/test pull-kubevirt-e2e-kind-1.27-vgpu
/test pull-kubevirt-e2e-kind-sriov
/test pull-kubevirt-e2e-k8s-1.29-ipv6-sig-network
/test pull-kubevirt-e2e-k8s-1.27-sig-network
/test pull-kubevirt-e2e-k8s-1.27-sig-storage
/test pull-kubevirt-e2e-k8s-1.27-sig-compute
/test pull-kubevirt-e2e-k8s-1.27-sig-operator
/test pull-kubevirt-e2e-k8s-1.28-sig-network
/test pull-kubevirt-e2e-k8s-1.28-sig-storage
/test pull-kubevirt-e2e-k8s-1.28-sig-compute
/test pull-kubevirt-e2e-k8s-1.28-sig-operator

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.