Add hybrid cluster extensions framework (v2) #36
Due to the problems met in issue ovn-org/ovn-kubernetes#855, we should use ovs 2.11 instead of 2.10 to fix the problem of ovn-nbctl running in daemon mode. So the ovs version used in the Dockerfile should be promoted to 2.11 to build a suitable image for daemonset install. The DPDK library is also updated to 18.11 to satisfy the requirement of ovs 2.11. The related changes in Dockerfile for rpmArch of aarch64 (arm64) are also given. Signed-off-by: Trevor Tao <trevor.tao@arm.com>
Upgrade ovs version in Dockerfile to 2.11
Signed-off-by: Michael Cambria <mcambria@redhat.com>
Signed-off-by: Dan Williams <dcbw@redhat.com> (cherry picked from commit 76504df)
Signed-off-by: Shahar Klein <sklein@nvidia.com>
…centos Use a newer kubectl version for the centos image
Move management port creation to the master
Signed-off-by: Girish Moodalbail <gmoodalbail@nvidia.com>
remove the unnecessary annotation from the ovn-kubernetes namespace
Kubelet may keep multiple sandboxes running for a given pod if some are waiting for garbage collection. We need to make sure that only the latest sandbox has iface-id set to the container's namespace/name or ovn-controller may get confused about which OVS port to associate with the Pod's logical switch port. Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Dan Williams <dcbw@redhat.com>
util: validate pod annotation
The serviceaccount user `ovn` has a cluster-admin role today and can pretty much do anything in the cluster. We need to fine grain access control and pod privileges for this user. To do this:
1. define a PodSecurityPolicy object that captures minimum required security policies to run our deployments and daemonset.
2. define a ClusterRole object that captures all the resources we are interested in and all the actions we need on them. Also, this role should use the PodSecurityPolicy defined in step 1.
3. bind the above role to `ovn` serviceaccount
Note: this commit adds (1) that provides almost any securityContext to be set (this can be restricted in future commits)
Signed-off-by: Girish Moodalbail <gmoodalbail@nvidia.com>
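The three steps in the commit message above, written out as manifests. This is an added example, not the manifests from the commit: the object names, the `ovn-kubernetes` namespace for the service account, and the resource and verb lists are assumptions.

```yaml
# Step 1: PodSecurityPolicy. Permissive on purpose, matching the commit's note
# that it allows almost any securityContext for now.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ovn-kubernetes-psp          # hypothetical name
spec:
  privileged: true
  hostNetwork: true
  hostPID: true
  allowedCapabilities: ["*"]
  volumes: ["*"]
  hostPorts: [{min: 0, max: 65535}]
  runAsUser: {rule: RunAsAny}
  seLinux: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}
---
# Step 2: ClusterRole listing only the resources and verbs needed
# (lists below are assumed), plus "use" on the one policy from step 1.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ovn-kubernetes              # hypothetical name
rules:
- apiGroups: [""]
  resources: ["pods", "nodes", "namespaces", "services", "endpoints"]
  verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["networking.k8s.io"]
  resources: ["networkpolicies"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["ovn-kubernetes-psp"]   # scoped to this policy only
  verbs: ["use"]
---
# Step 3: bind the role to the `ovn` service account, replacing cluster-admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ovn-kubernetes              # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ovn-kubernetes
subjects:
- kind: ServiceAccount
  name: ovn
  namespace: ovn-kubernetes         # assumed namespace
```

PodSecurityPolicy was removed in Kubernetes 1.25, so step 1 applies only to older clusters. After applying, `kubectl auth can-i --list --as=system:serviceaccount:ovn-kubernetes:ovn` shows what the account is still allowed to do.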
cni/linux: ensure only the latest sandbox has external-ids:iface-id set
Commit 0c0aa45 moved the creation of the management lsp to the master, but the comment and error message in createManagementPortGeneric() don't reflect this. Also, util.GetNodeWellKnownAddresses() never returns an error, so let's remove the return value and the error handling from callers.
management-port: clean up from move to master
If dynamic addressing is set up, but there are no addresses assigned, then since commit 11f284c, you'll see:

    /usr/bin/ovn-nbctl --db=tcp:10.0.141.40:9641 --timeout=15 get logical_switch_port jtor-GR_ip-10-0-170-219.us-west-2.compute.internal addresses" stdout: \"[dynamic]\\n\"" stderr: \"\""
    failed to localnet gateway: error while waiting for addresses for gateway switch port

whereas the error before was:

    failed to localnet gateway: empty addresses for gateway switch port

Restore the previous behavior by recognizing that [dynamic] means that no addresses are assigned.
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
fixes the following lint warning post commit 0c0aa45 warning: cannot initialize 1 variables with 2 values (staticcheck) Signed-off-by: Girish Moodalbail <gmoodalbail@nvidia.com>
Handle static vs dynamic better in GetPortAddresses()
The connection tracking offload is not merged yet into kernel and ovs, therefore update the doc to reflect that. Once all the patches get merged we will update the doc with the relevant kernel and ovs versions. This patch also fixes the sriov device plugin json example. Signed-off-by: moshe010 <moshele@mellanox.com>
For egress network bandwidth, we configure ingress_policing_rate, but, by itself, it might end up allowing less than the rate (e.g. iperf TCP with a rate of 4Gbps gives < 1Gbps). OVSDB schema has this to say about ingress_policing_burst:

"Specifying a larger burst size lets the algorithm be more forgiving, which is important for protocols like TCP that react severely to dropped packets. The burst size should be at least the size of the interface’s MTU. Specifying a value that is numerically at least as large as 10% of ingress_policing_rate helps TCP come closer to achieving the full rate"

Set ingress_policing_burst to 10% of ingress_policing_rate. Additionally, for a SR-IOV VF we also need to configure its max_tx_rate using the egress value in Mbps.

Tested by configuring egress-bandwidth for a pod and using iperf. Tested the VF setting by giving a VF as OVN interface to the pod, with egress-bandwidth configured.
Signed-off-by: venu iyer <venugopali@nvidia.com>
Bandwidth: Actual egress bandwidth might be much lower than configured.
Right now it returns router IP as IP/PLEN, whilst it returns the management port IP as IP. Make the return arguments to be just *net.IPNet so that the callers can make use of the String() function to either construct IP or construct IP with mask. This change makes this function usable elsewhere in the code as well. Signed-off-by: Girish Moodalbail <gmoodalbail@nvidia.com>
Signed-off-by: Girish Moodalbail <gmoodalbail@nvidia.com>
To reduce risk of errors using CIDRs where we want IPs which is more possible with string types, convert from strings to real Go types immediately when parsing the pod annotation and use the real Go types everywhere in the code. Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Dan Williams <dcbw@redhat.com>
No code changes, just moving things around. Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Dan Williams <dcbw@redhat.com>
make use of GetNodeWellKnownAddresses() in createManagementPortGeneric()
Used the below command: govendor fetch k8s.io/client-go/tools/leaderelection@kubernetes-1.14.3 Upcoming patch will make use of leaderelection to support HA ovnkube-master. Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
/test e2e-aws-ovn-kubernetes
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: dcbw
namespace: fix panic
/test e2e-aws-ovn-kubernetes
When the configuration file changes, exit. The configuration file is a mounted configmap (ovnkube-config) so when it changes exit. SDN-456 - OVN: use config file via ConfigMap rather than environment variables https://jira.coreos.com/browse/SDN-456 Signed-off-by: Phil Cameron <pcameron@redhat.com>
Notice change in configmap and exit.
/test e2e-aws-ovn-kubernetes
The annotator provides a better-encapsulated interface for setting or removing multiple annotations on a node from disconnected functions since it bundles them all up into a single set and/or delete call. Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Dan Williams <dcbw@redhat.com>
Doesn't check for OVS/OVN utilities; to be used for components that don't need those. Signed-off-by: Dan Williams <dcbw@redhat.com>
…nels Heavily modified from work by Rajat Chopra in: ovn-org/ovn-kubernetes#593 Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Jocelyn Berrendonner <jocelynb@microsoft.com>
Signed-off-by: Dan Williams <dcbw@redhat.com>
The hybrid overlay uses the 3rd IP of the logical switch, but when upgrading from a non-hybrid-overlay-enabled ovn-kubernetes that doesn't exclude that IP to one that does, existing pods may have that IP when the hybrid-overlay-enabled ovn-kubernetes starts. When ovn-kubernetes adds the 3rd IP to the exclude_ips of the switch, OVN will helpfully re-address any logical port with that IP, but since Kubernetes doesn't support changing pod IPs, OVN and Kube will mismatch and the pod won't work. Just kill it.
/test e2e-aws-ovn-kubernetes
@dcbw: The following test failed, say
obsoleted by #43
…d_validation Add Hardware Offload Validation as a test option for flows.
@squeed @JacobTanenbaum