Add masquerade binding mechanism.

[SchSeba]

Changes:

• added new interface type (proxy)
• added coreos/iptables package into glide
• added unit tests
• added functinal tests
• updated some packages

What this PR does / why we need it:
Add a new binding mechanism call proxy.

This implementation insert iptable rules on the virt-launcher pod.
MASQUERADE all the outgoing traffic from the vm with the ip of the pod.
NAT (SNAT and DNAT) all the ports configured on the vm yaml.
NAT all the localhost traffic from the configured ports to the vm.

Release note:

proxy binding mechanism

---

This change is 

[SchSeba]

/cc @rmohr

Can you please take a look.

[SchSeba]

/cc @phoracek @booxter

Can you please take a look on this PR ?

[booxter]

Some testing coverage expansion would be great.

[booxter]

please add a unit test for this scenario

[SchSeba]

Done

[booxter]

where is it used?

[SchSeba]

Removed

[booxter]

is it possible to get a unit test for converting a vmi with a proxy interface?

[SchSeba]

Sure, done

[booxter]

It's not exactly clear to me why these functions should be part of the handler and not just regular functions.

[SchSeba]

The function is here because I use it also as mock for the podinterface unit tests

[booxter]

Perhaps it makes sense in context of what we already have here.

[booxter]

Could you please explain in a comment why 4 is a special number here, and why you think this check belongs to this method (and not to its consumer who may probably be a better fit to tell whether the number is enough for their needs)?

[SchSeba]

I change the function name and also add a comment.

[booxter]

how huge do we expect the CIDRs to be? Is it a problem that, while you need just two addresses, you are going to generate all of them inside the handler method? (Which, in theory could be thousands of throw away entries).

[SchSeba]

I change the function to GetHostAndGwAddressesFromCIDR just return the gw and the vm ip address.

The function stop after find 4 ips

[booxter]

"failed"

[SchSeba]

Done

[booxter]

"2 ip addresses", "found"

[SchSeba]

I removed this. the function now return gw and vm addresses or error.

[booxter]

by ready -> become ready?

[SchSeba]

Done

[booxter]

could you please also add a negative check that ports not registered with the container are NOT accessible?

[SchSeba]

Sure, done

[fabiand]

Please consider to call this masquerade or nat.

To me at least, proxy is rather a process which does the relaying.
And I'd also like to keep the process bound proxying free, because I hope that we'll have some process bound proxying in future, as it's the only K8s compatible way to do things.

[dankenigsberg]

Why would the App Operator care if the proxy is implemented by a process, or as suggested here, by the kernel? I would assume that if we find an efficient way to do what you hope, we can just flip the implementation.

Why is kernel-based less k8s compatible?

(I'm not going for a holy war about the name proxy, just willing to understand your position)

[fabiand]

Please reach out to @SchSeba to understand the differences between a kernel and process based proxy approach for kubernetes.

A user would usually not care, but if sees a spec, then I would like to leave the best hints to give a user transparency. That#s why I favor to have a more kernel-ish name for this implementation and proxy for a more process-ish implementation.

[SchSeba]

Rebase

[booxter]

Thanks. There is a comment from @fabiand about naming of the feature that I think we should address (answer or adopt in code) before merging.

[SchSeba]

There is an error for the masquerade test

{"component":"virt-launcher","kind":"","level":"error","msg":"Defining the VirtualMachineInstance failed.","name":"testvmiswlkx788gh4wjpwz78wlj55nmq8n8zft9rz66snkwq4wgnmf","namespace":"kubevirt-test-default","pos":"libvirt_helper.go:101","reason":"virError(Code=8, Domain=44, Message='invalid argument: could not find capabilities for arch=x86_64 domaintype=kvm ')","timestamp":"2018-12-02T16:40:29.751213Z","uid":"f0262580-f650-11e8-b453-525500d15501"}

for reference
https://jenkins.ovirt.org/job/kubevirt_kubevirt_standard-check-pr/2726//artifact/check-patch.k8s-multus-1.11.1-release.el7.x86_64/mock_logs/script/stdout_stderr.log

I will try to run the tests again

[SchSeba]

ci test please

[SchSeba]

@fabiand Change the interface as requested can you please take a look

[fabiand]

wfm - thanks!

[fabiand]

wfm

[SchSeba]

Multiple error on the tests

• Failure [109.562 seconds]
Networking
/root/go/src/kubevirt.io/kubevirt/tests/vmi_networking_test.go:48
  VirtualMachineInstance with masquerade binding mechanism
  /root/go/src/kubevirt.io/kubevirt/tests/vmi_networking_test.go:616
    should allow regular network connection [It]
    /root/go/src/kubevirt.io/kubevirt/tests/vmi_networking_test.go:620

    Expected error:
        <expect.TimeoutError>: 30000000000
        expect: timer expired after 30 seconds
    not to have occurred

    /root/go/src/kubevirt.io/kubevirt/tests/vmi_networking_test.go:671
------------------------------
STEP: creating two virtual machines
STEP: waiting for the virtual machines to become ready
{"component":"tests","kind":"VirtualMachineInstance","level":"info","msg":"Created virtual machine pod virt-launcher-testvmi7tqnq7hzsqmpv45n4jdll8bfkvt5fcvxsq4679bsd9","name":"testvmi7tqnq7hzsqmpv45n4jdll8bfkvt5fcvxsq467g4gdsf6vn48","namespace":"kubevirt-test-default","pos":"utils.go:270","timestamp":"2018-12-02T21:06:03.306216Z","uid":"13adb077-f676-11e8-8b73-525500d15501"}
{"component":"tests","kind":"VirtualMachineInstance","level":"info","msg":"VirtualMachineInstance defined.","name":"testvmi7tqnq7hzsqmpv45n4jdll8bfkvt5fcvxsq467g4gdsf6vn48","namespace":"kubevirt-test-default","pos":"utils.go:270","timestamp":"2018-12-02T21:06:18.189213Z","uid":"13adb077-f676-11e8-8b73-525500d15501"}
{"component":"tests","kind":"VirtualMachineInstance","level":"info","msg":"VirtualMachineInstance started.","name":"testvmi7tqnq7hzsqmpv45n4jdll8bfkvt5fcvxsq467g4gdsf6vn48","namespace":"kubevirt-test-default","pos":"utils.go:270","timestamp":"2018-12-02T21:06:18.207509Z","uid":"13adb077-f676-11e8-8b73-525500d15501"}
{"component":"tests","kind":"VirtualMachineInstance","level":"info","msg":"Created virtual machine pod virt-launcher-testvmi2mlr9ggcv8mrsdz2bt4n2bm5pv4nclwqp9pwcfw9ps","name":"testvmi2mlr9ggcv8mrsdz2bt4n2bm5pv4nclwqp9pwc6cpk8pztr6z","namespace":"kubevirt-test-default","pos":"utils.go:270","timestamp":"2018-12-02T21:07:06.265913Z","uid":"13b2a684-f676-11e8-8b73-525500d15501"}
{"component":"tests","kind":"VirtualMachineInstance","level":"info","msg":"VirtualMachineInstance defined.","name":"testvmi2mlr9ggcv8mrsdz2bt4n2bm5pv4nclwqp9pwc6cpk8pztr6z","namespace":"kubevirt-test-default","pos":"utils.go:270","timestamp":"2018-12-02T21:07:06.266135Z","uid":"13b2a684-f676-11e8-8b73-525500d15501"}
{"component":"tests","kind":"VirtualMachineInstance","level":"info","msg":"VirtualMachineInstance started.","name":"testvmi2mlr9ggcv8mrsdz2bt4n2bm5pv4nclwqp9pwc6cpk8pztr6z","namespace":"kubevirt-test-default","pos":"utils.go:270","timestamp":"2018-12-02T21:07:06.266509Z","uid":"13b2a684-f676-11e8-8b73-525500d15501"}
STEP: expose service for the server virtual machine
STEP: check ping to google
STEP: start a tcp server
STEP: Connect from the client
{"component":"tests","kind":"VirtualMachineInstance","level":"info","msg":"[{1 \r\n\r\n$  [$ ]} {3 echo test | nc -w 1 server-tcp 8080 1\u003e /dev/null\r\nnc: bad address 'server-tcp'\r\n$  [$ ]} {5 echo $?\r\n1\r\n$  []}]","name":"testvmi2mlr9ggcv8mrsdz2bt4n2bm5pv4nclwqp9pwc6cpk8pztr6z","namespace":"kubevirt-test-default","pos":"utils.go:1712","timestamp":"2018-12-02T21:07:48.452142Z","uid":""}
• [SLOW TEST:40.909 seconds]

Run functional tests with focus

/hold

[booxter]

@SchSeba you need to rebase it. Also, is hold label valid still?

[booxter]

Wait, you disabled all tests but this one.

[SchSeba]

Yes I know just want to be sure this test pass on the CI before I run it with all the other tests.

[SchSeba]

@booxter I will wait for the CI to finish and then I will remove the hold

[SchSeba]

The logs look good now.
on the network provider there is one error related to a know issue we have of the mac starting with "fe"

Now I think this PR is ready to be merge.
/hold cancel

[fabiand]

@mfranczy do you mind doing a sanity check?

If @booxter can then give it's blessing the we should be good I guess.

As always: Please keep an eye on the tests.

[mfranczy]

In general LGTM but I added a few comments.

[mfranczy]

Wrong type, bridgeNic is not a string.
FilteredLogger.Errorf format %s has arg bridgeNic of wrong type *kubevirt.io/kubevirt/vendor/github.com/vishvananda/netlink.Dummy

should be changed to bridgeNic.Name

[SchSeba]

Good one!

[mfranczy]

Please keep the same style everywhere, as example By("start a tcp server") should be changed to By("starting a tcp server")

[SchSeba]

Done

[mfranczy]

Might be changed to Expect(domain).ToNot(BeNil())

[mfranczy]

should be unregistered

[SchSeba]

Done

[mfranczy]

For me this conversion looks dangerous, the range of uint16 is 0 to 65535 and MTU is int type. I would add additional checks.

[SchSeba]

I don't think we need to add any other check here. I get the podNicLink from the system. I tried to create an interface with a bad MTU ( < 0 and > 65535) and it fails on the system level.

[mfranczy]

Okay, but what about jumbograms? Do we support it or not?
According to RFC doc

A "jumbogram" is an IPv6 packet containing a payload longer than
65,535 octets. This document describes the IPv6 Jumbo Payload
option, which provides the means of specifying such large payload
lengths. It also describes the changes needed to TCP and UDP to make
use of jumbograms.

Jumbograms are relevant only to IPv6 nodes that may be attached to
links with a link MTU greater than 65,575 octets, and need not be
implemented or understood by IPv6 nodes that do not support
attachment to links with such large MTUs.

So if some crazy guy will need to use it then this conversion will fail.
Or maybe there is some check somewhere else which prevents using such a high MTU?

[mfranczy]

Ah forget about jumbogram comment, virtio does not support it. But I still think there should be some additional check or VIF.Mtu field should be the same type. It's just my opinion after all, it's up to you.

[SchSeba]

I think it will be hard to chnage the variable to int because of the dhcp option

	mtuArray := make([]byte, 2)
	binary.BigEndian.PutUint16(mtuArray, mtu)

	dhcpOptions := dhcp.Options{
		dhcp.OptionSubnetMask:       []byte(clientMask),
		dhcp.OptionRouter:           []byte(routerIP),
		dhcp.OptionDomainNameServer: bytes.Join(dnsIPs, nil),
		dhcp.OptionInterfaceMTU:     mtuArray,
	}

I can add if statement to check this < 0 and > 65535

[booxter]

I think it makes sense to guard the code and not rely on virtio limitations. A if statement is the way to go.

[booxter]

That being said... Isn't it the same bug that is perhaps present in other places of code? We may want to fix them too. I would be fine if e.g. this part is moved into a separate PR, as long as we are assured this happens.

[booxter]

I see this bug in at least one other place, for BridgePodInterface. (Not a surprise considering that a lot of this code is a copy-pasted and then adjusted code for bridge implementation.) @SchSeba please tell us what you prefer: fixing the issue here or sending a follow up PR. I am fine with both approaches. (I am not fine with leaving it not handled for long though.)

[SchSeba]

@booxter I just add this to the code for the bridge and the masquerade bindings.
Also added a unit test for that please see my last commit

[mfranczy]

What's the point fo returning an error here when you always return nil?

[SchSeba]

This function is part of an interface. if I change it I will need to check all the other bindings

[mfranczy]

that's quite a long func name NewRandomVMIWithMasqueradeInterfaceEphemeralDiskAndUserdata :), may I suggest to rename it and move it to local Context scope? You're using this function only here so I have doubts if we need it in utils. My opinion is, if someone will need to use it somewhere else than he/she should moved it then.

[SchSeba]

Done

[SchSeba]

@mfranczy Thanks for the review I updated the last commit with the requested changes can you please make another review?

[SchSeba]

I don't think we need to add any other check here. I get the podNicLink from the system. I tried to create an interface with a bad MTU ( < 0 and > 65535) and it fails on the system level.

[SchSeba]

Good one!

[SchSeba]

This function is part of an interface. if I change it I will need to check all the other bindings

[SchSeba]

Done

[SchSeba]

Done

[SchSeba]

Done

[mfranczy]

LGTM

[booxter]

this trailing space... :)

[booxter]

Also, you could include the failed value too.

[booxter]

@SchSeba please add user guide docs