Stop using a different network namespace #242
Conversation
|
Can one of the admins verify this patch? |
Uh - That's a nice idea - IIRC it was floating around at some point - to keep the k8s feeling. /cc @rmohr |
pkg/virt-handler/vm.go
Outdated
| // to a local UDP socket lets us figure out the IP addr. | ||
| // If libvirtd were to move into a private network | ||
| // namespace, then we can instead switch to query | ||
| // the Status.PodIP field from the libvirtd POD. |
There was a problem hiding this comment.
I'd like to perform the switch to pod networking rather sooner than later.
This will directly break network connectivity, as we'll only have "ipd endpoints" inside the pod, and not a complete interface/L2 connectivity.
We might be able to workaround this by using macvlan/bridge or alike.
There was a problem hiding this comment.
@fabiand Are you working with the assumption, that it is ok if the libvirt container dies and all VMs go away?
There was a problem hiding this comment.
In short, yes - for now.
I've also summarized this in #196 (comment).
Right now - in this early development phase -it is okay to me to live with this fact that VMs are getting killed.
OTOH I'd work with k8s to find a way of how this could be solved on the k8s layer - as this problem might not be kubevirt specific.
There was a problem hiding this comment.
Note that there are a few drawback, which I don't really see discussed anywhere:
- If the libvirt pod uses host network namespace, you would have to care about the firewall on the host for spice connections.
- If the libvirt pod uses the pod network namespace, you run into the situation, that if you use a networking solution which actually enforces the
containerPortmapping (I think e.g. open shift does), you can't specify the spice ports in advance and therefore can't reach the spice endpoint via plain tcp. - Since switching to the pod network for libvirt seems to be discussed, how do you plan to handle libvirt restarts/crashes? What should happen then to the VMs? What should happen with the pod network namespace?
Further, I really need reasonable arguments, why the namespaces are considered to be such a bad thing by you. Using emulators in production is bad and libvirt will never support namespaces, like you said before, is not really a good argument why a solution involving namespaces in general is bad. I am definitely open for working without the network namespaces, if there is an equally well working and with Kubernetes integrated solution proposed. As it is done here, I see it as a huge step back, while at the same time not showing how this should be better on the long run.
images/libvirt-kubevirt/qemu-kube
Outdated
| pkill -P \$! --signal SIG\$1 | ||
| } | ||
|
|
||
| trap "_term TERM" TERM |
There was a problem hiding this comment.
Why are you removing the traps? When libvirt is running inside a container, we have to forward them because of the PID namespace.
There was a problem hiding this comment.
The traps should be redundant - k8s/docker will kill every process in the namespace which includes both the qemu-kube wrapper & real QEMU. Now we no longer need to cleanup the resolv.conf file, we don't need to catch the signals
There was a problem hiding this comment.
We have a functional test which tests if it works. Let me see.
pkg/virt-handler/vm.go
Outdated
| // to a local UDP socket lets us figure out the IP addr. | ||
| // If libvirtd were to move into a private network | ||
| // namespace, then we can instead switch to query | ||
| // the Status.PodIP field from the libvirtd POD. |
There was a problem hiding this comment.
@fabiand Are you working with the assumption, that it is ok if the libvirt container dies and all VMs go away?
| spice := v1.NewSpice(vm.GetObjectMeta().GetName()) | ||
| spice.Info = v1.SpiceInfo{ | ||
| Type: "spice", | ||
| Host: ip, | ||
| Port: port, | ||
| Host: d.Host, |
There was a problem hiding this comment.
To make seamless spice work during migrations, you also have to change things at https://github.com/kubevirt/kubevirt/blob/master/pkg/virt-controller/services/template.go#L133. Otherwise during the migration, the spice connection would be forwarded to the pod ip, which is no longer the case in this PR.
|
As explained in the first commit message, what it done with moving namespaces for QEMU is guaranteed to break with future libvirt + QEMU, when libvirt switches over to passing a pre-opened SPICE/VNC listener connection down to QEMU instead of letting QEMU open it itself. This alone makes the current approach untenable - it is relying on an assumption of the current implementation of QEMU which is not going to be valid across future releases. IOW we have no option but to run QEMU & libvirtd in the same namespaces if we want to avoid our architecture being broken by future libvirt/qemu. |
|
Pushed update to kill the --pod-ip stuff during migration since it was never even needed given the original listen address is always 0.0.0.0 |
|
@berrange it was needed, since the original qemu instance needed to know to which IP to redirect the traffic. |
|
@berrange I understand the this can break because of libvirt changes (and obviously there are already some changes in progess which will do that), but that is not what I have been asking for. Like with your ideas on how to add libvirt features to ensure that a VM is bound to a running Pod, libvirt could be changed to support namespaces in some way, or libvirt could allow to still let qemu do the work. The question is, why it is from your point of view definitely the wrong track to integrate with kubernetes namespaces, and how do you plan to integrate with kubernetes instead? |
|
Breaking the seemless migration support in unavoidable right now since the controller doesn't know the IP address it'll be listening on the target host. It would be possible to fix this (and some other problems related to migration configuration), but that'll require refactoring other areas of code, so that has to wait. It is already going to be painful to get changes to switch over to the new VM startup process between the handler & launcher, without having to refactor migration code at the same time. So breaking seemless migration is an worthwhile tradeoff to getting the architectural stuff working better. If we want to expose SPICE via the POD IP address then it would be necessary to write some kind of forwarding service that runs a listener in the POD and when clients connect, proxy traffic onto QEMU's listener. This could be a dumb proxy that actually copies data, but it might be possible to write a more intelligent proxy that actually just passes the pre-accepted client socket FD into QEMU via libvirt. That is something worth exploring in future. I'm not sure it si worth building such a solution though. Instead it would be better to focus on providing a HTTP connect proxy and/or websockets proxy, at which point you just have a single public facing IP for all VMs, and the particular VM is determined by the authentication cookie provided to the proxy. Both these approaches have implications for seemless migration because the IP address the user connects to is completely different from the IP address QEMU listens on. So for seemless migration to work, we actually need to pass in an IP address to the migrate command manually instead of triggering it off the listen address. So that's another reason why I don't think it is worth trying to make seemless migration work right now |
|
To follow up, as their are good questions:
True
According to https://kubernetes.io/docs/concepts/cluster-administration/networking/ it is a reliable assumption that "all containers can communicate with all other containers without NAT".
We can use systemd if we want to cover the case where libvirt is crashing. There are many open questions, but we can slowly walk through them and still have the freedom to give different solutions a try. |
|
Before reviewing this, I want to know if removing the Namespace is the long term approach. My initial reaction is that it is a mistake. The container should have a very specific network namespace setup that the Virtual machine should inherit. I think that is what you are targetting, and this is just removing the explicit namespace entry from the front end, but the net effect of breaking a working feature is, in my opinion, unacceptable. A commit like this needs to be atomic enough that we keep moving first. As the corollary to Murphy's law says: if it is stupid but it works, its not stupid. Is there any good justification for making this an interim step as opposed to part of a larger rengineering that gets us all the way to the VM launch script-removal? |
That is not about NAT, it is about iptable rules on the interface in the container. |
as far as I understand your idea of changing the VM start flow, it is not related at all to the namespace usage. So you could do your socket detection - startup, ... first without even thinking about the namespaces. Then you could remove the pid namspace and then you can think about the network namespace and provide an equally capable replacement for that. |
@berrange Still waiting for the justifications I asked for here. Neither the startup solution you try to accomplish, nor the current one are perfect. For both you have to either change libvirt and/or kubernetes, so it is not just like we are now going to the definitive superior solution and I want to be sure that this refactoring is not just for the sake of refactoring. Further, we did not even talk about other solutions at all. |
|
@berrange @fabiand To say this clearly, there is no agreement between us maintainers at all if the new startup process (removing namespaces and giving the user the control of creating a pod) is a good thing. Further @berrange I am really missing that you are trying to convince people that your changes are good. |
Right - Now I see what you meant about enforcing
And these are other words for what I meant above - pods (with pod networking) can reach all ports of all others pods (with pod networking). And I did not find anything in the OpenShift docs that Origin behaves different. (Btw - We could question how valuable containerPort is, if the current guarantee is that anything bound to 0.0.0.0 will be accessible from the network …) |
Let me look at it in two parts: User VM pod creation from my POV there are two main points on this topic
|
|
Namespaces: especially the PID namespace expresses a need to bind the VM to the Pod lifecycle, and it did not work so great when libvirt was moved into the container, but works now (however so lightly ignoring how far away libvirt is from running suitable for us in a container, is another topic worth it's own thread). While this "undermines" as you say, libvirts expectations, it gives right now better guarantees than not using them (with an unchanged libvirt). That gives a better overall experience when using Kubevirt (even if it is only for the sake of making developing and testing on top of kubernetes more stable, and allowing us to already now define needs in our tests). Further this PR, without also using the Pod namespace for libvirt, breaks a few things, including referencing iscsi storage, which is exposed through services. I think it is fair and necessary to ask for a suitable replacement, before removing the workaround (and I am absolutely not claiming that it is more than that). If that replacement is then already something production ready, then I find this awesome. User VM pod creation:
For what?
It definitely makes the easy use-case extremely hard to understand. One has to shape the Pod in the right way, so that it will work with it's VM spec. Furhter, while one could see our qemu process as just another application inside a Pod, and the VM spec as a config map, on first sight, it is not really the case. It just leads to strange situations, where we are then sometimes treating our VM as an application inside the Pod, and sometimes as a Kubernetes entitie, with it's own state. That makes it tremendously hard to implement features like VMPools, ... in a kubernetes like way. Whereas, if the VM is the atomic entity for KubeVirt, like e Pod is for Kubernetes, expressing the needs with all our controller is much more simple and is much more Kubernetes like. I think, if there needs to be some flexibility in designing the VM Pod by the user (which is not even unlikely), it should be done through the VM (e.g. template field like in Deployments, or having extra fields which are passed through, ...). |
|
WRT attaching a VM to a pod. I think we are making the issue bigger than it is. We could also say: I don't see a strong reason to build the controller into the critical chain to launch a VM. WRT namespaces
Sure - something to look at. I wonder if this is due to the fact that currently the libvirt pod is using host networking. And IIUIC it should be fixed by switching to using pod networking (as discussed in #160) |
|
Last addition - WRT running VMs - Like with the networking - let's sketch the broader design (including stopped) |
|
@berrange if you use the node ip (which we also use to connect to libvirt on the target node) as spice target IP, seamless spice should work fine. Regarding iscsi dns name resolution, could you first make sure that libvirt uses it's own network namespace instead of the host one? I think then we can go ahead with this patch. |
|
#279 is related to this one, it enables pod networking for libvirt. |
|
@fabiand I'm not intending to make any change to libvirt POD networking in this PR. It is only about dealing with QEMU namespaces. I have a way to solve the kube DNS problem with QEMU without changing libvirt POD namespaces. So any change to libvirt POD networking can be totally independant. |
|
wfm |
|
Updated with workaround for DNS problems & updates for migration |
There was a problem hiding this comment.
Sorry, took me some time to run the tests because of #286. So I see the following tests failing:
[Fail] Vmlifecycle New VM with a serial console given [It] should be allowed to connect to the console
/home/rmohr/go/src/kubevirt.io/kubevirt/tests/utils.go:150
[Fail] Vmlifecycle New VM with a serial console given [It] should be returned that we are running cirros
/home/rmohr/go/src/kubevirt.io/kubevirt/tests/utils.go:150
[Fail] VmMigration New Migration given [It] Should migrate the VM three times in a row
/home/rmohr/go/src/kubevirt.io/kubevirt/tests/vm_migration_test.go:127
[Fail] Storage Given a VM and a directly connected Alpine LUN [It] should be successfully started by libvirt
/home/rmohr/go/src/kubevirt.io/kubevirt/tests/utils.go:150
[Fail] Storage Given a VM and an Alpine PVC [It] should be successfully started by libvirt
/home/rmohr/go/src/kubevirt.io/kubevirt/tests/utils.go:150
Checking the events
cluster/kubectl.sh get events --watch
2017-07-04 17:01:25 +0200 CEST 2017-07-04 17:01:25 +0200 CEST 1 testvmbss7r VM Warning SyncFailed virt-handler, node0 Unable to resolve host 'iscsi-demo-target.default.svc.cluster.local': lookup iscsi-demo-target.default.svc.cluster.local: no such hos
I see that resolving the iscsi addresses does not work and that teh VM are stuck in the Scheduling phase. At least some, but most likely all of them are failing because virt-handler uses the host network namespace. Something I did not think about, when looking at the DNS workaround to resolve the storage IPs.
We could stay in the Pod Network namespace with virt-handler, if we add some logic, which resolves the console connection call from virt-api to virt-handler to a Pod IP, instead of a host IP. That would be fairly simple.
However, with #160 and #279 in mind (which all require virt-handler to run CNI code in the host network namespace), and the fact that we want to switch libvirt over to the Pod network namespace anyway, I would suggest to use the Pod network namespace for libvirt instead, like suggested in #279.
|
I want to avoid a dependancy on the changes to move libvirtd into a private network namespace, because that's such a large topic of discussion that I don't think we'll be in a position to make such a move for a while yet, which would thus block this PR for long time potentially. |
|
Good point. Calling CNI from virt-handler and the libvirt network namespace switch seem to be closely related. Thus I would go with the console lookup change, since the need to run virt-handler withing the host namespace, only arises with the CNI integration. At that line https://github.com/kubevirt/kubevirt/blob/master/pkg/virt-api/rest/console.go#L91, a REST lookup woud be needed, to get the Pod IP of the virt-handler running on the target node. That should be the only dependency. |
|
Ok, lemme see if I can fix the console and move virt-handler to a pod ns |
|
When I debugged the tests locally, I found the key problem was that my Hostname -> IP address subsitution was only done for disks that were backed by PVCs. The test VM was instead using a disk that directly referenced an iSCSI server with no PVC involved. I added extra code to handle IP address conversion for that too. The only test that failed after that was the storage_test.go, because it was checking for the IP addresses of the virt-launcher POD as a iSCSI client, where it needs to now be check the IP addresses of the libvirtd POD as an iSCSI client. |
|
Updated the branch with the fixes mentioned |
|
|
||
| vm.Status.Graphics = []v1.VMGraphics{} | ||
|
|
||
| podIP, err := d.getVMNodeAddress(vm) |
There was a problem hiding this comment.
Here it's podIP, but you get the nodeIP.
I'd assume that we want the pod IP once libvrit uses pod networking, right?
There was a problem hiding this comment.
Yes, if libvirtd were to be moved into a private net namespace this would need to be the virtual POD IP addr, instead of node IP addr.
There was a problem hiding this comment.
Right - so we probably need to do this once that move is done. but this is outside of scope of this PR iiuic.
cmd/virt-migrator/migrate
Outdated
|
|
||
| # Migrate | ||
| virsh -c $SOURCE migrate --xml $VM.xml $VM $DEST tcp://$POD_IP | ||
| virsh -c $SOURCE migrate --xml $VM.xml $VM $DEST spice://$NODE_IP |
There was a problem hiding this comment.
This change makes the migration tests fail:
error: argument unsupported: unsupported scheme spice in migration URI spice://192.168.121.186
``
berrange
force-pushed
the
namespaces
branch
2 times, most recently
from
adc225d
to
f8e98a7
Compare
|
Hopefully fixed console & mig problems, and resolved conflicts |
|
Ok, so the traps are still needed. I had to apply diff --git a/images/libvirt-kubevirt/qemu-kube b/images/libvirt-kubevirt/qemu-kube
index c707317..7307a42 100755
--- a/images/libvirt-kubevirt/qemu-kube
+++ b/images/libvirt-kubevirt/qemu-kube
@@ -98,6 +98,20 @@ set -e
# Start the qemu process in the cgroups of the docker container
# to adhere to the resource limitations of the container.
exec sudo -C 10000 unshare --mount bash -s << END
+
+ function _term() {
+ pkill -P \$! --signal SIG\$1
+ }
+
+ trap "_term TERM" TERM
+ trap "_term INT" INT
+ trap "_term HUP" HUP
+ trap "_term QUIT" QUIT
+ trap "_term TERM" EXIT
+ trap "_term TERM" ERR
+
cgclassify -g ${CGROUPS}:$CGROUP_PATH --sticky \$\$
- exec nsenter -t $CONTAINER_PID -p $CMD
+ nsenter -t $CONTAINER_PID -p $CMD &
+
+ wait
END
```.
Otherwise the qemu process stayed alive on the source system, and migrating back there was not possible. |
tests/storage_test.go
Outdated
| for _, pod := range pods.Items { | ||
| if pod.ObjectMeta.DeletionTimestamp == nil { | ||
| hostIP = pod.Status.HostIP |
There was a problem hiding this comment.
The check for the actual IP, now gets very difficult. Depending on the kube proxy mode, in which network namespace the qemu process is, which network provider is used, or if just bridging is used, we always see different IPs connecting on the iscsi target. The BeforeEach block already makes sure that there is no connection to the iscsi target before each test. Maybe we should just check if a connection appears, and not try to check for specific IPs.
Record the VNC/SPICE graphics port details against the VM object, under the VMStatus struct. This gets populated with the (potentially dynamically allocated) QEMU port for VNC/SPICE, and the IP address seen from virt-handler, which is assumed to be the same as the IP seen from libvirtd, given both are in the host net namespace. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
It seems that bash is not honouring the 'exec' statement when using !#/bin/sh, but changing to !#/bin/bash causes other problems with the wrapper script. |
Moving QEMU into a different network namespaces is not a supported usage of libvirt and will break in future. For example when libvirt switches to passing pre-opened for the listener socket for VNC/SPICE backends, the listening socket will now be on an IP associated with the libvirtd POD, despite QEMU being moved into a different network namespace. With the network namespace switch removed, the SPICE API has to be updated to reflect the new IP, and so this info is obtained from the VM status graphics data added in the previous commit. The code for changing SPICE IP address during migration is removed on the assumption that the SPICE server is set to listen on 0.0.0.0. This is the implicit default set by the virt-controller. Since the libvirtd POD is currently using the host network namespace, it cannot resolve k8s DNS names. Thus when we configure QEMU to access iSCSI servers, we must resolve the DNS name to an IP address. To enable this virt-handler must stay in a POD private network namespace. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
Pushed an update |
In many cases, we don't see the Pod IP connecting. Therefore, remove all workarounds, to cope with these scenarios, and only check if a new connection appears when the VM is started. This simplifies the tests and is almost as good, since the BeforeEach block makes sure that no connection exists before each test. Signed-off-by: Roman Mohr <rmohr@redhat.com>
gofmt'd cmd, pkg, and test dirs (no change in cmd)
* Configure br_netfilter to fix DNS Unless the knobs are enabled, DNS replies originate from a wrong IP address, which breaks in-pod DNS resolution. Signed-off-by: Ihar Hrachyshka <ihrachys@redhat.com> * Load br_netfilter before setting its sysctl knobs There's a chance the module is not loaded at all. Signed-off-by: Ihar Hrachyshka <ihrachys@redhat.com> * Use sysctl instead of /proc to set br_netfilter knobs Signed-off-by: Ihar Hrachyshka <ihrachys@redhat.com>
As a first step towards refactoring the VM startup process so that a QEMU wrapper script is no longer used, this stop using the network namespace of the POD. The SPICE listen address is now associated with the libvirtd POD ip addresses. The SPICE console API is updated to reflect this too, so that still works.
Eventually it might be possible to have some kind of connection forwarder running in the VM POD that connects to the QEMU server in the libvirtd namespace, thus allowing users to connect to SPICE using a virtual service IP assigned to the POD. This is an exercise for future work though.