Merge pull request #175 from bpickard22/ds-merge-3/7/25

OCPBUGS-45272: Ds merge 3/7/25

Author: openshift-merge-bot[bot]

go.mod

@@ -16,9 +16,9 @@ require (
 	github.com/onsi/ginkgo/v2 v2.22.2
 	github.com/onsi/gomega v1.36.2
 	github.com/opencontainers/selinux v1.11.1
-	github.com/safchain/ethtool v0.5.9
+	github.com/safchain/ethtool v0.5.10
 	github.com/vishvananda/netlink v1.3.0
-	golang.org/x/sys v0.29.0
+	golang.org/x/sys v0.30.0
 	sigs.k8s.io/knftables v0.0.18
 )
 

go.sum

@@ -97,8 +97,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/safchain/ethtool v0.5.9 h1://6RvaOKFf3nQ0rl5+8zBbE4/72455VC9Jq61pfq67E=
-github.com/safchain/ethtool v0.5.9/go.mod h1:w8oSsZeowyRaM7xJJBAbubzzrOkwO8TBgPSEqPP/5mg=
+github.com/safchain/ethtool v0.5.10 h1:Im294gZtuf4pSGJRAOGKaASNi3wMeFaGaWuSaomedpc=
+github.com/safchain/ethtool v0.5.10/go.mod h1:w9jh2Lx7YBR4UwzLkzCmWl85UY0W2uZdd7/DckVE5+c=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -164,9 +164,9 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
 golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=

plugins/ipam/dhcp/lease.go

@@ -16,6 +16,7 @@ package main
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"log"
 	"math/rand"
@@ -55,6 +56,13 @@ const (
 	leaseStateRebinding
 )
 
+// Timing for retrying link existence check
+const (
+	linkCheckDelay0       = 1 * time.Second
+	linkCheckRetryMax     = 10 * time.Second
+	linkCheckTotalTimeout = 30 * time.Second
+)
+
 // This implementation uses 1 OS thread per lease. This is because
 // all the network operations have to be done in network namespace
 // of the interface. This can be improved by switching to the proper
@@ -65,6 +73,7 @@ type DHCPLease struct {
 	clientID      string
 	latestLease   *nclient4.Lease
 	link          netlink.Link
+	linkName      string
 	renewalTime   time.Time
 	rebindingTime time.Time
 	expireTime    time.Time
@@ -190,6 +199,7 @@ func AcquireLease(
 			}
 
 			l.link = link
+			l.linkName = link.Attrs().Name
 
 			if err = l.acquire(); err != nil {
 				return err
@@ -243,7 +253,7 @@ func withAllOptions(l *DHCPLease) dhcp4.Modifier {
 
 func (l *DHCPLease) acquire() error {
 	if (l.link.Attrs().Flags & net.FlagUp) != net.FlagUp {
-		log.Printf("Link %q down. Attempting to set up", l.link.Attrs().Name)
+		log.Printf("Link %q down. Attempting to set up", l.linkName)
 		if err := netlink.LinkSetUp(l.link); err != nil {
 			return err
 		}
@@ -292,6 +302,14 @@ func (l *DHCPLease) maintain() {
 	for {
 		var sleepDur time.Duration
 
+		linkCheckCtx, cancel := context.WithTimeoutCause(l.ctx, l.resendTimeout, errNoMoreTries)
+		defer cancel()
+		linkExists, _ := checkLinkExistsWithBackoff(linkCheckCtx, l.linkName)
+		if !linkExists {
+			log.Printf("%v: interface %s no longer exists or link check failed, terminating lease maintenance", l.clientID, l.linkName)
+			return
+		}
+
 		switch state {
 		case leaseStateBound:
 			sleepDur = time.Until(l.renewalTime)
@@ -344,9 +362,40 @@ func (l *DHCPLease) maintain() {
 	}
 }
 
+func checkLinkExistsWithBackoff(ctx context.Context, linkName string) (bool, error) {
+	baseDelay := linkCheckDelay0
+	for {
+		exists, err := checkLinkByName(linkName)
+		if err == nil {
+			return exists, nil
+		}
+
+		select {
+		case <-ctx.Done():
+			return false, ctx.Err() // Context's done, return with its error
+		case <-time.After(baseDelay):
+			if baseDelay < linkCheckRetryMax {
+				baseDelay *= 2
+			}
+		}
+	}
+}
+
+func checkLinkByName(linkName string) (bool, error) {
+	_, err := netlink.LinkByName(linkName)
+	if err != nil {
+		var linkNotFoundErr *netlink.LinkNotFoundError = &netlink.LinkNotFoundError{}
+		if errors.As(err, linkNotFoundErr) {
+			return false, nil
+		}
+		return false, err
+	}
+	return true, nil
+}
+
 func (l *DHCPLease) downIface() {
 	if err := netlink.LinkSetDown(l.link); err != nil {
-		log.Printf("%v: failed to bring %v interface DOWN: %v", l.clientID, l.link.Attrs().Name, err)
+		log.Printf("%v: failed to bring %v interface DOWN: %v", l.clientID, l.linkName, err)
 	}
 }
 

plugins/main/host-device/host-device.go

@@ -131,6 +131,11 @@ func cmdAdd(args *skel.CmdArgs) error {
 	defer containerNs.Close()
 
 	result := &current.Result{}
+	result.Interfaces = []*current.Interface{{
+		Name:    args.IfName,
+		Sandbox: containerNs.Path(),
+	}}
+
 	var contDev netlink.Link
 	if !cfg.DPDKMode {
 		hostDev, err := getLink(cfg.Device, cfg.HWAddr, cfg.KernelPath, cfg.PCIAddr, cfg.auxDevice)
@@ -143,11 +148,10 @@ func cmdAdd(args *skel.CmdArgs) error {
 			return fmt.Errorf("failed to move link %v", err)
 		}
 
-		result.Interfaces = []*current.Interface{{
-			Name:    contDev.Attrs().Name,
-			Mac:     contDev.Attrs().HardwareAddr.String(),
-			Sandbox: containerNs.Path(),
-		}}
+		// Override the device name with the name in the container namespace
+		result.Interfaces[0].Name = contDev.Attrs().Name
+		// Set the MAC address of the interface
+		result.Interfaces[0].Mac = contDev.Attrs().HardwareAddr.String()
 	}
 
 	if cfg.IPAM.Type == "" {

plugins/main/host-device/host-device_test.go

@@ -218,7 +218,7 @@ func buildOneConfig(name, cniVersion string, orig *Net, prevResult types.Result)
 
 type tester interface {
 	expectInterfaces(result types.Result, name, mac, sandbox string)
-	expectDpdkInterfaceIP(result types.Result, ipAddress string)
+	expectDpdkInterfaceIP(result types.Result, name, sandbox, ipAddress string)
 }
 
 type testerBase struct{}
@@ -256,11 +256,16 @@ func (t *testerV10x) expectInterfaces(result types.Result, name, mac, sandbox st
 	}))
 }
 
-func (t *testerV10x) expectDpdkInterfaceIP(result types.Result, ipAddress string) {
+func (t *testerV10x) expectDpdkInterfaceIP(result types.Result, name, sandbox, ipAddress string) {
 	// check that the result was sane
 	res, err := types100.NewResultFromResult(result)
 	Expect(err).NotTo(HaveOccurred())
-	Expect(res.Interfaces).To(BeEmpty())
+	Expect(res.Interfaces).To(Equal([]*types100.Interface{
+		{
+			Name:    name,
+			Sandbox: sandbox,
+		},
+	}))
 	Expect(res.IPs).To(HaveLen(1))
 	Expect(res.IPs[0].Address.String()).To(Equal(ipAddress))
 }
@@ -278,11 +283,16 @@ func (t *testerV04x) expectInterfaces(result types.Result, name, mac, sandbox st
 	}))
 }
 
-func (t *testerV04x) expectDpdkInterfaceIP(result types.Result, ipAddress string) {
+func (t *testerV04x) expectDpdkInterfaceIP(result types.Result, name, sandbox, ipAddress string) {
 	// check that the result was sane
 	res, err := types040.NewResultFromResult(result)
 	Expect(err).NotTo(HaveOccurred())
-	Expect(res.Interfaces).To(BeEmpty())
+	Expect(res.Interfaces).To(Equal([]*types040.Interface{
+		{
+			Name:    name,
+			Sandbox: sandbox,
+		},
+	}))
 	Expect(res.IPs).To(HaveLen(1))
 	Expect(res.IPs[0].Address.String()).To(Equal(ipAddress))
 }
@@ -300,11 +310,16 @@ func (t *testerV03x) expectInterfaces(result types.Result, name, mac, sandbox st
 	}))
 }
 
-func (t *testerV03x) expectDpdkInterfaceIP(result types.Result, ipAddress string) {
+func (t *testerV03x) expectDpdkInterfaceIP(result types.Result, name, sandbox, ipAddress string) {
 	// check that the result was sane
 	res, err := types040.NewResultFromResult(result)
 	Expect(err).NotTo(HaveOccurred())
-	Expect(res.Interfaces).To(BeEmpty())
+	Expect(res.Interfaces).To(Equal([]*types040.Interface{
+		{
+			Name:    name,
+			Sandbox: sandbox,
+		},
+	}))
 	Expect(res.IPs).To(HaveLen(1))
 	Expect(res.IPs[0].Address.String()).To(Equal(ipAddress))
 }
@@ -598,7 +613,7 @@ var _ = Describe("base functionality", func() {
 
 			// check that the result was sane
 			t := newTesterByVersion(ver)
-			t.expectDpdkInterfaceIP(resI, targetIP)
+			t.expectDpdkInterfaceIP(resI, cniName, targetNS.Path(), targetIP)
 
 			// call CmdDel
 			_ = originalNS.Do(func(ns.NetNS) error {
@@ -870,7 +885,7 @@ var _ = Describe("base functionality", func() {
 
 			// check that the result was sane
 			t := newTesterByVersion(ver)
-			t.expectDpdkInterfaceIP(resI, targetIP)
+			t.expectDpdkInterfaceIP(resI, cniName, targetNS.Path(), targetIP)
 
 			// call CmdCheck
 			n := &Net{}

plugins/meta/firewall/firewall.go

@@ -64,6 +64,13 @@ const (
 	// IngressPolicySameBridge executes `iptables` regardless to the value of `Backend`.
 	// IngressPolicySameBridge may not work as expected for non-bridge networks.
 	IngressPolicySameBridge IngressPolicy = "same-bridge"
+
+	// IngressPolicyIsolated ("isolated"): similar to ingress policy "same-bridge" with the exception
+	// that connections from the same bridge are also blocked.
+	// This is equivalent to Docker network option "enable_icc" when set to false.
+	// IngressPolicyIsolated executes `iptables` regardless to the value of `Backend`.
+	// IngressPolicyIsolated may not work as expected for non-bridge networks.
+	IngressPolicyIsolated IngressPolicy = "isolated"
 )
 
 type FirewallBackend interface {