cni-server: check ipv6 dadfailed flag (#5042)

Signed-off-by: zhangzujian <zhangzujian.7@gmail.com>

Author: zhangzujian

Makefile

@@ -379,7 +379,7 @@ kind-network-create-underlay:
 	$(eval UNDERLAY_NETWORK_ID = $(shell docker network ls -f name='^kind-underlay$$' --format '{{.ID}}'))
 	@if [ -z "$(UNDERLAY_NETWORK_ID)" ]; then \
 		docker network create --attachable -d bridge \
-			--ipv6 --subnet fc00:adb1:b29b:608d::/64 --gateway fc00:adb1:b29b:608d::1 \
+			--ipv6 --subnet fc00:19fa:9eea:6085::/64 --gateway fc00:19fa:9eea:6085::1 \
 			-o com.docker.network.bridge.enable_ip_masquerade=true \
 			-o com.docker.network.driver.mtu=1500 kind-underlay; \
 	fi

pkg/daemon/handler.go

@@ -249,8 +249,8 @@ func (csh cniServerHandler) handleAdd(req *restful.Request, resp *restful.Respon
 			u2oInterconnectionIP = podSubnet.Status.U2OInterconnectionIP
 		}
 
+		var vmMigration bool
 		subnetHasVlan := podSubnet.Spec.Vlan != ""
-		detectIPConflict := csh.Config.EnableArpDetectIPConflict && subnetHasVlan
 		// skip ping check gateway for pods during live migration
 		if pod.Annotations[util.MigrationJobAnnotation] == "" {
 			if subnetHasVlan && !podSubnet.Spec.LogicalGateway {
@@ -267,8 +267,7 @@ func (csh cniServerHandler) handleAdd(req *restful.Request, resp *restful.Respon
 				}
 			}
 		} else {
-			// do not perform ipv4 conflict detection during VM live migration
-			detectIPConflict = false
+			vmMigration = true
 		}
 		if pod.Annotations[fmt.Sprintf(util.ActivationStrategyTemplate, podRequest.Provider)] != "" {
 			gatewayCheckMode = gatewayCheckModeDisabled
@@ -308,12 +307,12 @@ func (csh cniServerHandler) handleAdd(req *restful.Request, resp *restful.Respon
 		podNicName = ifName
 		switch nicType {
 		case util.InternalType:
-			podNicName, routes, err = csh.configureNicWithInternalPort(podRequest.PodName, podRequest.PodNamespace, podRequest.Provider, podRequest.NetNs, podRequest.ContainerID, ifName, macAddr, mtu, ipAddr, gw, isDefaultRoute, detectIPConflict, routes, podRequest.DNS.Nameservers, podRequest.DNS.Search, ingress, egress, podRequest.DeviceID, nicType, latency, limit, loss, jitter, gatewayCheckMode, u2oInterconnectionIP)
+			podNicName, routes, err = csh.configureNicWithInternalPort(podRequest.PodName, podRequest.PodNamespace, podRequest.Provider, podRequest.NetNs, podRequest.ContainerID, ifName, macAddr, mtu, ipAddr, gw, isDefaultRoute, vmMigration, routes, podRequest.DNS.Nameservers, podRequest.DNS.Search, ingress, egress, podRequest.DeviceID, nicType, latency, limit, loss, jitter, gatewayCheckMode, u2oInterconnectionIP)
 		case util.DpdkType:
 			err = csh.configureDpdkNic(podRequest.PodName, podRequest.PodNamespace, podRequest.Provider, podRequest.NetNs, podRequest.ContainerID, ifName, macAddr, mtu, ipAddr, gw, ingress, egress, getShortSharedDir(pod.UID, podRequest.VhostUserSocketVolumeName), podRequest.VhostUserSocketName, podRequest.VhostUserSocketConsumption)
 			routes = nil
 		default:
-			routes, err = csh.configureNic(podRequest.PodName, podRequest.PodNamespace, podRequest.Provider, podRequest.NetNs, podRequest.ContainerID, podRequest.VfDriver, ifName, macAddr, mtu, ipAddr, gw, isDefaultRoute, detectIPConflict, routes, podRequest.DNS.Nameservers, podRequest.DNS.Search, ingress, egress, podRequest.DeviceID, nicType, latency, limit, loss, jitter, gatewayCheckMode, u2oInterconnectionIP, oldPodName)
+			routes, err = csh.configureNic(podRequest.PodName, podRequest.PodNamespace, podRequest.Provider, podRequest.NetNs, podRequest.ContainerID, podRequest.VfDriver, ifName, macAddr, mtu, ipAddr, gw, isDefaultRoute, vmMigration, routes, podRequest.DNS.Nameservers, podRequest.DNS.Search, ingress, egress, podRequest.DeviceID, nicType, latency, limit, loss, jitter, gatewayCheckMode, u2oInterconnectionIP, oldPodName)
 		}
 		if err != nil {
 			errMsg := fmt.Errorf("configure nic %s for pod %s/%s failed: %w", ifName, podRequest.PodName, podRequest.PodNamespace, err)

pkg/daemon/ovs_linux.go

@@ -68,7 +68,7 @@ func (csh cniServerHandler) configureDpdkNic(podName, podNamespace, provider, ne
 	return ovs.SetInterfaceBandwidth(podName, podNamespace, ifaceID, egress, ingress)
 }
 
-func (csh cniServerHandler) configureNic(podName, podNamespace, provider, netns, containerID, vfDriver, ifName, mac string, mtu int, ip, gateway string, isDefaultRoute, detectIPConflict bool, routes []request.Route, _, _ []string, ingress, egress, deviceID, nicType, latency, limit, loss, jitter string, gwCheckMode int, u2oInterconnectionIP, oldPodName string) ([]request.Route, error) {
+func (csh cniServerHandler) configureNic(podName, podNamespace, provider, netns, containerID, vfDriver, ifName, mac string, mtu int, ip, gateway string, isDefaultRoute, vmMigration bool, routes []request.Route, _, _ []string, ingress, egress, deviceID, nicType, latency, limit, loss, jitter string, gwCheckMode int, u2oInterconnectionIP, oldPodName string) ([]request.Route, error) {
 	var err error
 	var hostNicName, containerNicName, pfPci string
 	var vfID int
@@ -197,7 +197,7 @@ func (csh cniServerHandler) configureNic(podName, podNamespace, provider, netns,
 		klog.Error(err)
 		return nil, err
 	}
-	finalRoutes, err := csh.configureContainerNic(podName, podNamespace, containerNicName, ifName, ip, gateway, isDefaultRoute, detectIPConflict, routes, macAddr, podNS, mtu, nicType, gwCheckMode, u2oInterconnectionIP)
+	finalRoutes, err := csh.configureContainerNic(podName, podNamespace, containerNicName, ifName, ip, gateway, isDefaultRoute, vmMigration, routes, macAddr, podNS, mtu, nicType, gwCheckMode, u2oInterconnectionIP)
 	if err != nil {
 		klog.Error(err)
 		return nil, err
@@ -380,7 +380,7 @@ func configureHostNic(nicName string) error {
 	return nil
 }
 
-func (csh cniServerHandler) configureContainerNic(podName, podNamespace, nicName, ifName, ipAddr, gateway string, isDefaultRoute, detectIPConflict bool, routes []request.Route, macAddr net.HardwareAddr, netns ns.NetNS, mtu int, nicType string, gwCheckMode int, u2oInterconnectionIP string) ([]request.Route, error) {
+func (csh cniServerHandler) configureContainerNic(podName, podNamespace, nicName, ifName, ipAddr, gateway string, isDefaultRoute, vmMigration bool, routes []request.Route, macAddr net.HardwareAddr, netns ns.NetNS, mtu int, nicType string, gwCheckMode int, u2oInterconnectionIP string) ([]request.Route, error) {
 	containerLink, err := netlink.LinkByName(nicName)
 	if err != nil {
 		return nil, fmt.Errorf("can not find container nic %s: %w", nicName, err)
@@ -397,9 +397,14 @@ func (csh cniServerHandler) configureContainerNic(podName, podNamespace, nicName
 		return nil, fmt.Errorf("failed to move link to netns: %w", err)
 	}
 
+	// do not perform ipv4/ipv6 duplicate address detection during VM live migration
+	checkIPv6DAD := !vmMigration
+	detectIPv4Conflict := !vmMigration && csh.Config.EnableArpDetectIPConflict
 	var finalRoutes []request.Route
 	err = ns.WithNetNSPath(netns.Path(), func(_ ns.NetNS) error {
+		interfaceName := nicName
 		if nicType != util.InternalType {
+			interfaceName = ifName
 			if err = netlink.LinkSetName(containerLink, ifName); err != nil {
 				klog.Error(err)
 				return err
@@ -415,12 +420,12 @@ func (csh cniServerHandler) configureContainerNic(podName, podNamespace, nicName
 				klog.Error(err)
 				return err
 			}
-			if err = configureNic(nicName, ipAddr, macAddr, mtu, detectIPConflict, false, false); err != nil {
+			if err = configureNic(nicName, ipAddr, macAddr, mtu, detectIPv4Conflict, false, false); err != nil {
 				klog.Error(err)
 				return err
 			}
 		} else {
-			if err = configureNic(ifName, ipAddr, macAddr, mtu, detectIPConflict, true, false); err != nil {
+			if err = configureNic(ifName, ipAddr, macAddr, mtu, detectIPv4Conflict, true, false); err != nil {
 				klog.Error(err)
 				return err
 			}
@@ -501,22 +506,35 @@ func (csh cniServerHandler) configureContainerNic(podName, podNamespace, nicName
 		}
 
 		if gwCheckMode != gatewayCheckModeDisabled {
-			var (
-				underlayGateway = gwCheckMode == gatewayCheckModeArping || gwCheckMode == gatewayCheckModeArpingNotConcerned
-				interfaceName   = nicName
-			)
+			underlayGateway := gwCheckMode == gatewayCheckModeArping || gwCheckMode == gatewayCheckModeArpingNotConcerned
+			if u2oInterconnectionIP != "" {
+				if err = csh.checkGatewayReady(podName, podNamespace, gwCheckMode, interfaceName, ipAddr, u2oInterconnectionIP, false, true); err != nil {
+					klog.Error(err)
+					return err
+				}
+			}
+			if err = csh.checkGatewayReady(podName, podNamespace, gwCheckMode, interfaceName, ipAddr, gateway, underlayGateway, true); err != nil {
+				klog.Error(err)
+				return err
+			}
+		}
 
-			if nicType != util.InternalType {
-				interfaceName = ifName
+		if checkIPv6DAD {
+			// check whether the ipv6 address has a dadfailed flag
+			addresses, err := netlink.AddrList(containerLink, netlink.FAMILY_V6)
+			if err != nil {
+				err = fmt.Errorf("failed to get ipv6 addresses of link %s: %w", interfaceName, err)
+				klog.Error(err)
+				return err
 			}
 
-			if u2oInterconnectionIP != "" {
-				if err := csh.checkGatewayReady(podName, podNamespace, gwCheckMode, interfaceName, ipAddr, u2oInterconnectionIP, false, true); err != nil {
+			for _, addr := range addresses {
+				if addr.Flags&syscall.IFA_F_DADFAILED != 0 {
+					err = fmt.Errorf("IPv6 address %s has a dadfailed flag, please check whether it has been used by another host", addr.IP.String())
 					klog.Error(err)
 					return err
 				}
 			}
-			return csh.checkGatewayReady(podName, podNamespace, gwCheckMode, interfaceName, ipAddr, gateway, underlayGateway, true)
 		}
 
 		return nil
@@ -1122,7 +1140,7 @@ func macToLinkLocalIPv6(mac net.HardwareAddr) (net.IP, error) {
 	return linkLocalIPv6, nil
 }
 
-func configureNic(link, ip string, macAddr net.HardwareAddr, mtu int, detectIPConflict, setUfoOff, ipv6LinkLocalOn bool) error {
+func configureNic(link, ip string, macAddr net.HardwareAddr, mtu int, detectIPv4Conflict, setUfoOff, ipv6LinkLocalOn bool) error {
 	nodeLink, err := netlink.LinkByName(link)
 	if err != nil {
 		klog.Error(err)
@@ -1207,22 +1225,23 @@ func configureNic(link, ip string, macAddr net.HardwareAddr, mtu int, detectIPCo
 		}
 	}
 	for ip, addr := range ipAddMap {
-		if detectIPConflict && addr.IP.To4() != nil {
-			ip := addr.IP.String()
-			mac, err := util.ArpDetectIPConflict(link, ip, macAddr)
-			if err != nil {
-				err = fmt.Errorf("failed to detect address conflict for %s on link %s: %w", ip, link, err)
-				klog.Error(err)
-				return err
-			}
-			if mac != nil {
-				return fmt.Errorf("IP address %s has already been used by host with MAC %s", ip, mac)
-			}
-		}
-		if addr.IP.To4() != nil && !detectIPConflict {
-			// when detectIPConflict is true, free arp is already broadcast in the step of announcement
-			if err := util.AnnounceArpAddress(link, addr.IP.String(), macAddr, 1, 1*time.Second); err != nil {
-				klog.Warningf("failed to broadcast free arp with err %v", err)
+		if addr.IP.To4() != nil {
+			if detectIPv4Conflict {
+				ip := addr.IP.String()
+				mac, err := util.ArpDetectIPConflict(link, ip, macAddr)
+				if err != nil {
+					err = fmt.Errorf("failed to detect address conflict for %s on link %s: %w", ip, link, err)
+					klog.Error(err)
+					return err
+				}
+				if mac != nil {
+					return fmt.Errorf("IP address %s has already been used by host with MAC %s", ip, mac)
+				}
+			} else {
+				// when detectIPConflict is true, free arp is already broadcast in the step of announcement
+				if err := util.AnnounceArpAddress(link, addr.IP.String(), macAddr, 1, 1*time.Second); err != nil {
+					klog.Warningf("failed to broadcast free arp with err %v", err)
+				}
 			}
 		}
 

pkg/daemon/ovs_windows.go

@@ -29,7 +29,7 @@ func (csh cniServerHandler) configureNicWithInternalPort(podName, podNamespace,
 	return ifName, routes, err
 }
 
-func (csh cniServerHandler) configureNic(podName, podNamespace, provider, netns, containerID, vfDriver, ifName, mac string, mtu int, ip, gateway string, isDefaultRoute, detectIPConflict bool, routes []request.Route, dnsServer, dnsSuffix []string, ingress, egress, DeviceID, nicType, latency, limit, loss, jitter string, gwCheckMode int, u2oInterconnectionIP, _ string) ([]request.Route, error) {
+func (csh cniServerHandler) configureNic(podName, podNamespace, provider, netns, containerID, vfDriver, ifName, mac string, mtu int, ip, gateway string, isDefaultRoute, vmMigration bool, routes []request.Route, dnsServer, dnsSuffix []string, ingress, egress, DeviceID, nicType, latency, limit, loss, jitter string, gwCheckMode int, u2oInterconnectionIP, _ string) ([]request.Route, error) {
 	if DeviceID != "" {
 		return nil, errors.New("SR-IOV is not supported on Windows")
 	}

test/e2e/kube-ovn/underlay/underlay.go

@@ -447,11 +447,11 @@ var _ = framework.SerialDescribe("[group:underlay]", func() {
 		framework.ExpectEqual(links[0].Mtu, docker.MTU)
 	})
 
-	framework.ConformanceIt("should be able to detect IPv4 address conflict", func() {
-		if !f.IsIPv4() {
-			ginkgo.Skip("Address conflict detection only supports IPv4")
+	framework.ConformanceIt("should be able to detect duplicate address", func() {
+		f.SkipVersionPriorTo(1, 9, "Duplicate address detection was introduced in v1.9")
+		if !f.HasIPv4() {
+			f.SkipVersionPriorTo(1, 14, "Duplicate address detection for IPv6 was introduced in v1.14")
 		}
-		f.SkipVersionPriorTo(1, 9, "Address conflict detection was introduced in v1.9")
 
 		ginkgo.By("Creating provider network " + providerNetworkName)
 		pn := makeProviderNetwork(providerNetworkName, false, linkMap)
@@ -463,7 +463,7 @@ var _ = framework.SerialDescribe("[group:underlay]", func() {
 
 		containerName := "container-" + framework.RandomSuffix()
 		ginkgo.By("Creating container " + containerName)
-		cmd := []string{"sh", "-c", "sleep 600"}
+		cmd := []string{"sleep", "infinity"}
 		containerInfo, err := docker.ContainerCreate(containerName, f.KubeOVNImage, dockerNetworkName, cmd)
 		framework.ExpectNoError(err)
 		containerID = containerInfo.ID
@@ -473,35 +473,67 @@ var _ = framework.SerialDescribe("[group:underlay]", func() {
 		_ = vlanClient.Create(vlan)
 
 		ginkgo.By("Creating subnet " + subnetName)
-		cidr := make([]string, 0, 2)
-		gateway := make([]string, 0, 2)
+		var cidrV4, cidrV6, gatewayV4, gatewayV6 string
 		for _, config := range dockerNetwork.IPAM.Config {
-			if util.CheckProtocol(config.Subnet) == apiv1.ProtocolIPv4 {
-				cidr = append(cidr, config.Subnet)
-				gateway = append(gateway, config.Gateway)
-				break
+			switch util.CheckProtocol(config.Subnet) {
+			case apiv1.ProtocolIPv4:
+				if f.HasIPv4() {
+					cidrV4 = config.Subnet
+					gatewayV4 = config.Gateway
+				}
+			case apiv1.ProtocolIPv6:
+				if f.HasIPv6() {
+					cidrV6 = config.Subnet
+					gatewayV6 = config.Gateway
+				}
 			}
 		}
+		cidr := make([]string, 0, 2)
+		gateway := make([]string, 0, 2)
+		if f.HasIPv4() {
+			cidr = append(cidr, cidrV4)
+			gateway = append(gateway, gatewayV4)
+		}
+		if f.HasIPv6() {
+			cidr = append(cidr, cidrV6)
+			gateway = append(gateway, gatewayV6)
+		}
 		excludeIPs := make([]string, 0, len(network.Containers)*2)
 		for _, container := range network.Containers {
-			if container.IPv4Address != "" {
+			if f.HasIPv4() && container.IPv4Address != "" {
 				excludeIPs = append(excludeIPs, strings.Split(container.IPv4Address, "/")[0])
 			}
+			if f.HasIPv6() && container.IPv6Address != "" {
+				excludeIPs = append(excludeIPs, strings.Split(container.IPv6Address, "/")[0])
+			}
 		}
 		subnet := framework.MakeSubnet(subnetName, vlanName, strings.Join(cidr, ","), strings.Join(gateway, ","), "", "", excludeIPs, nil, []string{namespaceName})
 		_ = subnetClient.CreateSync(subnet)
 
-		ip := containerInfo.NetworkSettings.Networks[dockerNetworkName].IPAddress
-		mac := containerInfo.NetworkSettings.Networks[dockerNetworkName].MacAddress
+		networkInfo := containerInfo.NetworkSettings.Networks[dockerNetworkName]
+		ips := make([]string, 0, 2)
+		if f.HasIPv4() {
+			ips = append(ips, networkInfo.IPAddress)
+		}
+		if f.HasIPv6() {
+			ips = append(ips, networkInfo.GlobalIPv6Address)
+		}
+		ip := strings.Join(ips, ",")
+		mac := networkInfo.MacAddress
 		ginkgo.By("Creating pod " + podName + " with IP address " + ip)
 		annotations := map[string]string{util.IPAddressAnnotation: ip}
-		pod := framework.MakePod(namespaceName, podName, nil, annotations, f.KubeOVNImage, cmd, nil)
+		pod := framework.MakePod(namespaceName, podName, nil, annotations, "", nil, nil)
 		pod.Spec.TerminationGracePeriodSeconds = nil
 		_ = podClient.Create(pod)
 
 		ginkgo.By("Waiting for pod events")
 		events := eventClient.WaitToHaveEvent("Pod", podName, "Warning", "FailedCreatePodSandBox", "kubelet", "")
-		message := fmt.Sprintf("IP address %s has already been used by host with MAC %s", ip, mac)
+		var message string
+		if f.HasIPv4() {
+			message = fmt.Sprintf("IP address %s has already been used by host with MAC %s", networkInfo.IPAddress, mac)
+		} else {
+			message = "dadfailed"
+		}
 		var found bool
 		for _, event := range events {
 			if strings.Contains(event.Message, message) {