fix: handle empty IP and CIDR in GetIPAddrWithMask function (#6002)

zbb88888 · web-flow · commit 68b9dce79c40 · 2025-12-08T10:34:45.000+08:00
fix: log message for skipping IP allocation in NAT gateway

Signed-off-by: zbb88888 &lt;jmdxjsjgcxy@gmail.com&gt;
diff --git a/dist/images/vpcnatgateway/nat-gateway.sh b/dist/images/vpcnatgateway/nat-gateway.sh
@@ -87,11 +87,11 @@ function init() {
             >&2 echo "Error: Expected two interfaces separated by a comma (e.g., net1,net2)"
             exit 1
         fi
-        
+
         # Trim any remaining leading and trailing whitespace
         VPC_INTERFACE=$(echo "${interface_array[0]}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
         EXTERNAL_INTERFACE=$(echo "${interface_array[1]}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
-        
+
         # Validate interface names are not empty after trimming
         if [ -z "$VPC_INTERFACE" ] || [ -z "$EXTERNAL_INTERFACE" ]; then
             >&2 echo "Error: Interface names cannot be empty"
@@ -136,8 +136,16 @@ function init() {
     $iptables_cmd -t nat -A SNAT_FILTER -j SHARED_SNAT
 
     # Send gratuitous ARP for all the IPs on the external network interface at initialization
-    # This is especially useful to update the MAC of the nexthop we announce to the BGP speaker 
-    ip -4 addr show dev $EXTERNAL_INTERFACE | awk '/inet /{print $2}' | cut -d/ -f1 | xargs -n1 arping -I $EXTERNAL_INTERFACE -c 3 -U
+    # This is especially useful to update the MAC of the nexthop we announce to the BGP speaker
+    # Only send ARP if there are IP addresses on the external interface (skip in no-IPAM mode)
+    external_ips=$(ip -4 addr show dev $EXTERNAL_INTERFACE | awk '/inet /{print $2}' | cut -d/ -f1)
+    if [ -n "$external_ips" ]; then
+        echo "Sending gratuitous ARP for external IPs on $EXTERNAL_INTERFACE"
+        echo "$external_ips" | xargs -n1 arping -I $EXTERNAL_INTERFACE -c 3 -U
+        echo "Gratuitous ARP completed"
+    else
+        echo "INFO: No IP addresses on $EXTERNAL_INTERFACE, skipping gratuitous ARP (no-IPAM mode or waiting for EIP allocation)"
+    fi
 }
 
 
@@ -195,14 +203,14 @@ function add_eip() {
         exec_cmd "ip addr replace $eip dev $EXTERNAL_INTERFACE"
         exec_cmd "arping -I $EXTERNAL_INTERFACE -c 3 -U $eip_without_prefix"
     done
-    
+
     if [ -n "$GATEWAY_V4" ]; then
         exec_cmd "ip route replace default via $GATEWAY_V4 dev $EXTERNAL_INTERFACE"
     fi
-    
+
     if [ -n "$GATEWAY_V6" ]; then
         exec_cmd "ip -6 route replace default via $GATEWAY_V6 dev $EXTERNAL_INTERFACE"
-    fi 
+    fi
 }
 
 function del_eip() {
diff --git a/pkg/controller/vpc_nat_gateway.go b/pkg/controller/vpc_nat_gateway.go
@@ -358,9 +358,10 @@ func (c *Controller) handleInitVpcNatGw(key string) error {
 		}
 	}
 	if err = c.execNatGwRules(pod, natGwInit, interfaces); err != nil {
-		err = fmt.Errorf("failed to init vpc nat gateway, %w", err)
-		klog.Error(err)
-		return err
+		// Check if this is a transient initialization error (e.g., first attempt before iptables chains are created)
+		// The init script may fail on first run but succeed on retry after chains are established
+		klog.Warningf("vpc nat gateway %s init attempt failed (will retry): %v", key, err)
+		return fmt.Errorf("failed to init vpc nat gateway, %w", err)
 	}
 
 	if gw.Spec.QoSPolicy != "" {
@@ -731,21 +732,21 @@ func (c *Controller) execNatGwRules(pod *corev1.Pod, operation string, rules []s
 	}()
 
 	cmd := fmt.Sprintf("bash /kube-ovn/nat-gateway.sh %s %s", operation, strings.Join(rules, " "))
-	klog.V(3).Info(cmd)
+	klog.V(3).Infof("executing NAT gateway command: %s", cmd)
 	stdOutput, errOutput, err := util.ExecuteCommandInContainer(c.config.KubeClient, c.config.KubeRestConfig, pod.Namespace, pod.Name, "vpc-nat-gw", []string{"/bin/bash", "-c", cmd}...)
 	if err != nil {
 		if len(errOutput) > 0 {
-			klog.Errorf("failed to ExecuteCommandInContainer, errOutput: %v", errOutput)
+			klog.Errorf("NAT gateway command failed - stderr: %v", errOutput)
 		}
 		if len(stdOutput) > 0 {
-			klog.V(3).Infof("failed to ExecuteCommandInContainer, stdOutput: %v", stdOutput)
+			klog.Infof("NAT gateway command failed - stdout: %v", stdOutput)
 		}
-		klog.Error(err)
+		klog.Errorf("NAT gateway command execution error: %v", err)
 		return err
 	}
 
 	if len(stdOutput) > 0 {
-		klog.V(3).Infof("ExecuteCommandInContainer stdOutput: %v", stdOutput)
+		klog.V(3).Infof("NAT gateway command succeeded - stdout: %v", stdOutput)
 	}
 
 	if len(errOutput) > 0 {
@@ -978,12 +979,16 @@ func (c *Controller) genNatGwStatefulSet(gw *kubeovnv1.VpcNatGateway, oldSts *v1
 	if v6Gateway != "" {
 		routes = append(routes, request.Route{Destination: "::/0", Gateway: v6Gateway})
 	}
+	// TODO:// check NAD if has ipam to disable ipam
 	if !gw.Spec.NoDefaultEIP {
 		if err = setPodRoutesAnnotation(annotations, subnet.Spec.Provider, routes); err != nil {
 			klog.Error(err)
 			return nil, err
 		}
 	} else {
+		// NAT gateway uses no-IPAM mode in network attachment definition when NoDefaultEIP is enabled
+		// This allows macvlan/other CNI plugins to work without IP allocation from Kube-OVN
+		klog.Infof("skipping IP allocation for NAT gateway %s (NoDefaultEIP enabled)", gw.Name)
 		annotations[fmt.Sprintf(util.AllocatedAnnotationTemplate, subnet.Spec.Provider)] = "true"
 	}
 
diff --git a/pkg/daemon/handler.go b/pkg/daemon/handler.go
@@ -91,7 +91,7 @@ func (csh cniServerHandler) handleAdd(req *restful.Request, resp *restful.Respon
 	var gatewayCheckMode int
 	var macAddr, ip, ipAddr, cidr, gw, subnet, ingress, egress, providerNetwork, ifName, nicType, podNicName, vmName, latency, limit, loss, jitter, u2oInterconnectionIP, oldPodName string
 	var routes []request.Route
-	var isDefaultRoute bool
+	var isDefaultRoute, noIPAM bool
 	var pod *v1.Pod
 	var err error
 	for range 20 {
@@ -130,7 +130,7 @@ func (csh cniServerHandler) handleAdd(req *restful.Request, resp *restful.Respon
 		jitter = pod.Annotations[fmt.Sprintf(util.NetemQosJitterAnnotationTemplate, podRequest.Provider)]
 		providerNetwork = pod.Annotations[fmt.Sprintf(util.ProviderNetworkTemplate, podRequest.Provider)]
 		vmName = pod.Annotations[fmt.Sprintf(util.VMAnnotationTemplate, podRequest.Provider)]
-		ipAddr, err = util.GetIPAddrWithMask(ip, cidr)
+		ipAddr, noIPAM, err = util.GetIPAddrWithMaskForCNI(ip, cidr)
 		if err != nil {
 			errMsg := fmt.Errorf("failed to get ip address with mask, %w", err)
 			klog.Error(errMsg)
@@ -210,11 +210,13 @@ func (csh cniServerHandler) handleAdd(req *restful.Request, resp *restful.Respon
 	if subnet == "" && podSubnet != nil {
 		subnet = podSubnet.Name
 	}
-	if err := csh.UpdateIPCR(podRequest, subnet, ip); err != nil {
-		if err := resp.WriteHeaderAndEntity(http.StatusInternalServerError, request.CniResponse{Err: err.Error()}); err != nil {
-			klog.Errorf("failed to write response, %v", err)
+	if !noIPAM {
+		if err := csh.UpdateIPCR(podRequest, subnet, ip); err != nil {
+			if err := resp.WriteHeaderAndEntity(http.StatusInternalServerError, request.CniResponse{Err: err.Error()}); err != nil {
+				klog.Errorf("failed to write response, %v", err)
+			}
+			return
 		}
-		return
 	}
 
 	if isDefaultRoute && pod.Annotations[fmt.Sprintf(util.RoutedAnnotationTemplate, podRequest.Provider)] != "true" && util.IsOvnProvider(podRequest.Provider) {
diff --git a/pkg/util/net.go b/pkg/util/net.go
@@ -334,6 +334,20 @@ func GetStringIP(v4IP, v6IP string) string {
 	return strings.Join(ipList, ",")
 }
 
+// GetIPAddrWithMaskForCNI returns IP address with mask for CNI plugin.
+// When ip is empty, it indicates no-IPAM mode (e.g., NAT gateway macvlan without default EIP).
+// Returns (ipAddr, noIPAM, error) where noIPAM is true when IP allocation is skipped.
+func GetIPAddrWithMaskForCNI(ip, cidr string) (string, bool, error) {
+	if ip == "" {
+		// Network attachment definition using no-IPAM plugin (e.g., NAT gateway net1 macvlan with no default EIP)
+		// IP is not allocated by Kube-OVN, but cidr still comes from subnet configuration
+		klog.V(3).Infof("skipping IP allocation: ip is empty for cidr %s (no-IPAM mode)", cidr)
+		return "", true, nil
+	}
+	ipAddr, err := GetIPAddrWithMask(ip, cidr)
+	return ipAddr, false, err
+}
+
 func GetIPAddrWithMask(ip, cidr string) (string, error) {
 	var ipAddr string
 	ips := strings.Split(ip, ",")
diff --git a/pkg/util/net_test.go b/pkg/util/net_test.go
@@ -937,6 +937,90 @@ func TestGetIPAddrWithMask(t *testing.T) {
 	}
 }
 
+func TestGetIPAddrWithMaskForCNI(t *testing.T) {
+	tests := []struct {
+		name      string
+		ip        string
+		cidr      string
+		wantAddr  string
+		wantNoIP  bool
+		wantError bool
+	}{
+		{
+			name:      "Normal IPv4 address",
+			ip:        "192.168.1.1",
+			cidr:      "192.168.1.0/24",
+			wantAddr:  "192.168.1.1/24",
+			wantNoIP:  false,
+			wantError: false,
+		},
+		{
+			name:      "Normal IPv6 address",
+			ip:        "2001:db8::1",
+			cidr:      "2001:db8::/32",
+			wantAddr:  "2001:db8::1/32",
+			wantNoIP:  false,
+			wantError: false,
+		},
+		{
+			name:      "Dual stack addresses",
+			ip:        "192.168.1.1,2001:db8::1",
+			cidr:      "192.168.1.0/24,2001:db8::/32",
+			wantAddr:  "192.168.1.1/24,2001:db8::1/32",
+			wantNoIP:  false,
+			wantError: false,
+		},
+		{
+			name:      "No-IPAM mode (empty IP with CIDR)",
+			ip:        "",
+			cidr:      "192.168.1.0/24",
+			wantAddr:  "",
+			wantNoIP:  true,
+			wantError: false,
+		},
+		{
+			name:      "No-IPAM mode (empty IP with dual-stack CIDR)",
+			ip:        "",
+			cidr:      "192.168.1.0/24,2001:db8::/32",
+			wantAddr:  "",
+			wantNoIP:  true,
+			wantError: false,
+		},
+		{
+			name:      "Error: invalid dual stack ip format",
+			ip:        "192.168.1.1",
+			cidr:      "192.168.1.0/24,2001:db8::/32",
+			wantAddr:  "",
+			wantNoIP:  false,
+			wantError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotAddr, gotNoIP, gotErr := GetIPAddrWithMaskForCNI(tt.ip, tt.cidr)
+
+			if tt.wantError {
+				if gotErr == nil {
+					t.Errorf("GetIPAddrWithMaskForCNI() expected error but got nil")
+				}
+			} else {
+				if gotErr != nil {
+					t.Errorf("GetIPAddrWithMaskForCNI() unexpected error: %v", gotErr)
+				}
+			}
+
+			if gotAddr != tt.wantAddr {
+				t.Errorf("GetIPAddrWithMaskForCNI() gotAddr = %v, want %v", gotAddr, tt.wantAddr)
+			}
+
+			if gotNoIP != tt.wantNoIP {
+				t.Errorf("GetIPAddrWithMaskForCNI() gotNoIP = %v, want %v", gotNoIP, tt.wantNoIP)
+			}
+		})
+	}
+}
+
 func TestGetIPWithoutMask(t *testing.T) {
 	tests := []struct {
 		name string

Original file line number	Diff line number	Diff line change
`@@ -358,9 +358,10 @@ func (c *Controller) handleInitVpcNatGw(key string) error {`
`358`	`358`	`}`
`359`	`359`	`}`
`360`	`360`	`if err = c.execNatGwRules(pod, natGwInit, interfaces); err != nil {`
`361`		`- err = fmt.Errorf("failed to init vpc nat gateway, %w", err)`
`362`		`- klog.Error(err)`
`363`		`- return err`
	`361`	`+ // Check if this is a transient initialization error (e.g., first attempt before iptables chains are created)`
	`362`	`+ // The init script may fail on first run but succeed on retry after chains are established`
	`363`	`+ klog.Warningf("vpc nat gateway %s init attempt failed (will retry): %v", key, err)`
	`364`	`+ return fmt.Errorf("failed to init vpc nat gateway, %w", err)`
`364`	`365`	`}`
`365`	`366`
`366`	`367`	`if gw.Spec.QoSPolicy != "" {`
`@@ -731,21 +732,21 @@ func (c Controller) execNatGwRules(pod corev1.Pod, operation string, rules []s`
`731`	`732`	`}()`
`732`	`733`
`733`	`734`	`cmd := fmt.Sprintf("bash /kube-ovn/nat-gateway.sh %s %s", operation, strings.Join(rules, " "))`
`734`		`- klog.V(3).Info(cmd)`
	`735`	`+ klog.V(3).Infof("executing NAT gateway command: %s", cmd)`
`735`	`736`	`stdOutput, errOutput, err := util.ExecuteCommandInContainer(c.config.KubeClient, c.config.KubeRestConfig, pod.Namespace, pod.Name, "vpc-nat-gw", []string{"/bin/bash", "-c", cmd}...)`
`736`	`737`	`if err != nil {`
`737`	`738`	`if len(errOutput) > 0 {`
`738`		`- klog.Errorf("failed to ExecuteCommandInContainer, errOutput: %v", errOutput)`
	`739`	`+ klog.Errorf("NAT gateway command failed - stderr: %v", errOutput)`
`739`	`740`	`}`
`740`	`741`	`if len(stdOutput) > 0 {`
`741`		`- klog.V(3).Infof("failed to ExecuteCommandInContainer, stdOutput: %v", stdOutput)`
	`742`	`+ klog.Infof("NAT gateway command failed - stdout: %v", stdOutput)`
`742`	`743`	`}`
`743`		`- klog.Error(err)`
	`744`	`+ klog.Errorf("NAT gateway command execution error: %v", err)`
`744`	`745`	`return err`
`745`	`746`	`}`
`746`	`747`
`747`	`748`	`if len(stdOutput) > 0 {`
`748`		`- klog.V(3).Infof("ExecuteCommandInContainer stdOutput: %v", stdOutput)`
	`749`	`+ klog.V(3).Infof("NAT gateway command succeeded - stdout: %v", stdOutput)`
`749`	`750`	`}`
`750`	`751`
`751`	`752`	`if len(errOutput) > 0 {`
`@@ -978,12 +979,16 @@ func (c Controller) genNatGwStatefulSet(gw kubeovnv1.VpcNatGateway, oldSts *v1`
`978`	`979`	`if v6Gateway != "" {`
`979`	`980`	`routes = append(routes, request.Route{Destination: "::/0", Gateway: v6Gateway})`
`980`	`981`	`}`
	`982`	`+ // TODO:// check NAD if has ipam to disable ipam`
`981`	`983`	`if !gw.Spec.NoDefaultEIP {`
`982`	`984`	`if err = setPodRoutesAnnotation(annotations, subnet.Spec.Provider, routes); err != nil {`
`983`	`985`	`klog.Error(err)`
`984`	`986`	`return nil, err`
`985`	`987`	`}`
`986`	`988`	`} else {`
	`989`	`+ // NAT gateway uses no-IPAM mode in network attachment definition when NoDefaultEIP is enabled`
	`990`	`+ // This allows macvlan/other CNI plugins to work without IP allocation from Kube-OVN`
	`991`	`+ klog.Infof("skipping IP allocation for NAT gateway %s (NoDefaultEIP enabled)", gw.Name)`
`987`	`992`	`annotations[fmt.Sprintf(util.AllocatedAnnotationTemplate, subnet.Spec.Provider)] = "true"`
`988`	`993`	`}`
`989`	`994`