cni-server: fix ovn0 gateway check (#6098)

Signed-off-by: zhangzujian <zhangzujian.7@gmail.com>

Author: zhangzujian

pkg/controller/node.go

@@ -685,7 +685,7 @@ func (c *Controller) checkSubnetGatewayNode() error {
 						if !pingSucceeded || !nodeIsReady {
 							if exist {
 								if !pingSucceeded {
-									klog.Warningf("failed to ping ovn0 ip %s on node %s", ip, node.Name)
+									klog.Warningf("failed to ping %s ip %s on node %s", util.NodeNic, ip, node.Name)
 								}
 								if !nodeIsReady {
 									klog.Warningf("node %s is not ready", node.Name)
@@ -700,7 +700,7 @@ func (c *Controller) checkSubnetGatewayNode() error {
 								}
 							}
 						} else {
-							klog.V(3).Infof("succeeded to ping ovn0 ip %s on node %s", ip, node.Name)
+							klog.V(3).Infof("succeeded to ping %s ip %s on node %s", util.NodeNic, ip, node.Name)
 							if !exist {
 								nextHops.Add(ip)
 								if nameIPMap == nil {

pkg/daemon/controller.go

@@ -955,7 +955,7 @@ func (c *Controller) Run(stopCh <-chan struct{}) {
 	go wait.Until(c.ovnMetricsUpdate, 3*time.Second, stopCh)
 	go wait.Until(func() {
 		if err := c.reconcileRouters(nil); err != nil {
-			klog.Errorf("failed to reconcile ovn0 routes: %v", err)
+			klog.Errorf("failed to reconcile %s routes: %v", util.NodeNic, err)
 		}
 	}, 3*time.Second, stopCh)
 

pkg/daemon/gateway_linux.go

@@ -631,7 +631,7 @@ func (c *Controller) setIptables() error {
 	var (
 		v4Rules = []util.IPTableRule{
 			// mark packets from pod to service
-			{Table: NAT, Chain: OvnPrerouting, Rule: strings.Fields(`-i ovn0 -m set --match-set ovn40subnets src -m set --match-set ovn40services dst -j MARK --set-xmark 0x4000/0x4000`)},
+			{Table: NAT, Chain: OvnPrerouting, Rule: strings.Fields(`-i ` + util.NodeNic + ` -m set --match-set ovn40subnets src -m set --match-set ovn40services dst -j MARK --set-xmark 0x4000/0x4000`)},
 			// nat packets marked by kube-proxy or kube-ovn
 			{Table: NAT, Chain: OvnPostrouting, Rule: strings.Fields(`-m mark --mark 0x4000/0x4000 -j ` + OvnMasquerade)},
 			// nat service traffic
@@ -672,7 +672,7 @@ func (c *Controller) setIptables() error {
 		}
 		v6Rules = []util.IPTableRule{
 			// mark packets from pod to service
-			{Table: NAT, Chain: OvnPrerouting, Rule: strings.Fields(`-i ovn0 -m set --match-set ovn60subnets src -m set --match-set ovn60services dst -j MARK --set-xmark 0x4000/0x4000`)},
+			{Table: NAT, Chain: OvnPrerouting, Rule: strings.Fields(`-i ` + util.NodeNic + ` -m set --match-set ovn60subnets src -m set --match-set ovn60services dst -j MARK --set-xmark 0x4000/0x4000`)},
 			// nat packets marked by kube-proxy or kube-ovn
 			{Table: NAT, Chain: OvnPostrouting, Rule: strings.Fields(`-m mark --mark 0x4000/0x4000 -j ` + OvnMasquerade)},
 			// nat service traffic
@@ -741,7 +741,7 @@ func (c *Controller) setIptables() error {
 			return err
 		}
 		if ipsetExists {
-			iptablesRules[0].Rule = strings.Fields(fmt.Sprintf(`-i ovn0 -m set --match-set %s src -m set --match-set %s dst,dst -j MARK --set-xmark 0x4000/0x4000`, matchset, ipset))
+			iptablesRules[0].Rule = strings.Fields(fmt.Sprintf(`-i %s -m set --match-set %s src -m set --match-set %s dst,dst -j MARK --set-xmark 0x4000/0x4000`, util.NodeNic, matchset, ipset))
 			rejectRule := strings.Fields(fmt.Sprintf(`-p tcp -m mark ! --mark 0x4000/0x4000 -m set --match-set %s dst -m conntrack --ctstate NEW -j REJECT`, svcMatchset))
 			obsoleteRejectRule := strings.Fields(fmt.Sprintf(`-m mark ! --mark 0x4000/0x4000 -m set --match-set %s dst -m conntrack --ctstate NEW -j REJECT`, svcMatchset))
 			iptablesRules = append(iptablesRules,
@@ -1188,7 +1188,7 @@ func (c *Controller) cleanObsoleteIptablesRules(protocol string, rules []util.IP
 	var (
 		v4ObsoleteRules = []util.IPTableRule{
 			{Table: NAT, Chain: Postrouting, Rule: strings.Fields(`-m mark --mark 0x40000/0x40000 -j MASQUERADE`)},
-			{Table: "mangle", Chain: Prerouting, Rule: strings.Fields(`-i ovn0 -m set --match-set ovn40subnets src -m set --match-set ovn40services dst -j MARK --set-xmark 0x40000/0x40000`)},
+			{Table: "mangle", Chain: Prerouting, Rule: strings.Fields(`-i ` + util.NodeNic + ` -m set --match-set ovn40subnets src -m set --match-set ovn40services dst -j MARK --set-xmark 0x40000/0x40000`)},
 			// legacy rules
 			// nat packets marked by kube-proxy or kube-ovn
 			{Table: NAT, Chain: Postrouting, Rule: strings.Fields(`-m mark --mark 0x4000/0x4000 -j MASQUERADE`)},
@@ -1205,7 +1205,7 @@ func (c *Controller) cleanObsoleteIptablesRules(protocol string, rules []util.IP
 			// nat outgoing
 			{Table: NAT, Chain: Postrouting, Rule: strings.Fields(`-m set --match-set ovn40subnets-nat src -m set ! --match-set ovn40subnets dst -j MASQUERADE`)},
 			// mark packets from pod to service
-			{Table: "mangle", Chain: Prerouting, Rule: strings.Fields(`-i ovn0 -m set --match-set ovn40subnets src -m set --match-set ovn40services dst -j MARK --set-xmark 0x4000/0x4000`)},
+			{Table: "mangle", Chain: Prerouting, Rule: strings.Fields(`-i ` + util.NodeNic + ` -m set --match-set ovn40subnets src -m set --match-set ovn40services dst -j MARK --set-xmark 0x4000/0x4000`)},
 			// Input Accept
 			{Table: "filter", Chain: "INPUT", Rule: strings.Fields(`-m set --match-set ovn40subnets src -j ACCEPT`)},
 			{Table: "filter", Chain: "INPUT", Rule: strings.Fields(`-m set --match-set ovn40subnets dst -j ACCEPT`)},
@@ -1222,7 +1222,7 @@ func (c *Controller) cleanObsoleteIptablesRules(protocol string, rules []util.IP
 		}
 		v6ObsoleteRules = []util.IPTableRule{
 			{Table: NAT, Chain: Postrouting, Rule: strings.Fields(`-m mark --mark 0x40000/0x40000 -j MASQUERADE`)},
-			{Table: "mangle", Chain: Prerouting, Rule: strings.Fields(`-i ovn0 -m set --match-set ovn60subnets src -m set --match-set ovn60services dst -j MARK --set-xmark 0x40000/0x40000`)},
+			{Table: "mangle", Chain: Prerouting, Rule: strings.Fields(`-i ` + util.NodeNic + ` -m set --match-set ovn60subnets src -m set --match-set ovn60services dst -j MARK --set-xmark 0x40000/0x40000`)},
 			// legacy rules
 			// nat packets marked by kube-proxy or kube-ovn
 			{Table: NAT, Chain: Postrouting, Rule: strings.Fields(`-m mark --mark 0x4000/0x4000 -j MASQUERADE`)},
@@ -1239,7 +1239,7 @@ func (c *Controller) cleanObsoleteIptablesRules(protocol string, rules []util.IP
 			// nat outgoing
 			{Table: NAT, Chain: Postrouting, Rule: strings.Fields(`-m set --match-set ovn60subnets-nat src -m set ! --match-set ovn60subnets dst -j MASQUERADE`)},
 			// mark packets from pod to service
-			{Table: "mangle", Chain: Prerouting, Rule: strings.Fields(`-i ovn0 -m set --match-set ovn60subnets src -m set --match-set ovn60services dst -j MARK --set-xmark 0x4000/0x4000`)},
+			{Table: "mangle", Chain: Prerouting, Rule: strings.Fields(`-i ` + util.NodeNic + ` -m set --match-set ovn60subnets src -m set --match-set ovn60services dst -j MARK --set-xmark 0x4000/0x4000`)},
 			// Input Accept
 			{Table: "filter", Chain: "INPUT", Rule: strings.Fields(`-m set --match-set ovn60subnets src -j ACCEPT`)},
 			{Table: "filter", Chain: "INPUT", Rule: strings.Fields(`-m set --match-set ovn60subnets dst -j ACCEPT`)},

pkg/daemon/init.go

@@ -61,7 +61,7 @@ func InitNodeGateway(config *Configuration) error {
 			return err
 		}
 		if node.Annotations[util.IPAddressAnnotation] == "" {
-			klog.Warningf("no ovn0 address for node %s, please check kube-ovn-controller logs", nodeName)
+			klog.Warningf("no %s address for node %s, please check kube-ovn-controller logs", util.NodeNic, nodeName)
 			time.Sleep(3 * time.Second)
 			continue
 		}

pkg/daemon/ovs_linux.go

@@ -565,7 +565,7 @@ func (csh cniServerHandler) configureContainerNic(podName, podNamespace, nicName
 func (csh cniServerHandler) checkGatewayReady(podName, podNamespace string, gwCheckMode int, intr, ipAddr, gateway string, verbose bool) error {
 	if gwCheckMode == gatewayCheckModeArpingNotConcerned || gwCheckMode == gatewayCheckModePingNotConcerned {
 		// ignore error if disableGatewayCheck=true
-		_ = waitNetworkReady(intr, ipAddr, gateway, verbose, 1, nil)
+		_ = waitNetworkReady(intr, ipAddr, gateway, true, verbose, 1, nil)
 		return nil
 	}
 
@@ -600,14 +600,14 @@ func (csh cniServerHandler) checkGatewayReady(podName, podNamespace string, gwCh
 		}
 	}()
 
-	return waitNetworkReady(intr, ipAddr, gateway, verbose, gatewayCheckMaxRetry, done)
+	return waitNetworkReady(intr, ipAddr, gateway, true, verbose, gatewayCheckMaxRetry, done)
 }
 
-func waitNetworkReady(nic, ipAddr, gateway string, verbose bool, maxRetry int, done chan struct{}) error {
+func waitNetworkReady(nic, ipAddr, gateway string, preferARP, verbose bool, maxRetry int, done chan struct{}) error {
 	ips := strings.Split(ipAddr, ",")
 	for i, gw := range strings.Split(gateway, ",") {
 		src := strings.Split(ips[i], "/")[0]
-		if util.CheckProtocol(gw) == kubeovnv1.ProtocolIPv4 {
+		if preferARP && util.CheckProtocol(gw) == kubeovnv1.ProtocolIPv4 {
 			mac, count, err := util.ArpResolve(nic, gw, time.Second, maxRetry, done)
 			cniConnectivityResult.WithLabelValues(nodeName).Add(float64(count))
 			if err != nil {
@@ -721,8 +721,8 @@ func configureNodeNic(cs kubernetes.Interface, nodeName, portName, ip, gw, joinC
 	status := corev1.ConditionFalse
 	reason := "JoinSubnetGatewayReachable"
 	message := fmt.Sprintf("ping check to gateway ip %s succeeded", gw)
-	if err = waitNetworkReady(util.NodeNic, ip, gw, true, gatewayCheckMaxRetry, nil); err != nil {
-		klog.Errorf("failed to init ovn0 check: %v", err)
+	if err = waitNetworkReady(util.NodeNic, ip, gw, false, true, gatewayCheckMaxRetry, nil); err != nil {
+		klog.Errorf("failed to init %s check: %v", util.NodeNic, err)
 		status = corev1.ConditionTrue
 		reason = "JoinSubnetGatewayUnreachable"
 		message = fmt.Sprintf("ping check to gateway ip %s failed", gw)
@@ -739,11 +739,11 @@ func configureNodeNic(cs kubernetes.Interface, nodeName, portName, ip, gw, joinC
 func (c *Controller) loopOvn0Check() {
 	link, err := netlink.LinkByName(util.NodeNic)
 	if err != nil {
-		util.LogFatalAndExit(err, "failed to get ovn0 nic")
+		util.LogFatalAndExit(err, "failed to get node nic %s", util.NodeNic)
 	}
 
 	if link.Attrs().OperState == netlink.OperDown {
-		util.LogFatalAndExit(err, "ovn0 nic is down")
+		util.LogFatalAndExit(err, "node nic %s is down", util.NodeNic)
 	}
 
 	node, err := c.nodesLister.Get(c.config.NodeName)
@@ -756,8 +756,8 @@ func (c *Controller) loopOvn0Check() {
 	status := corev1.ConditionFalse
 	reason := "JoinSubnetGatewayReachable"
 	message := fmt.Sprintf("ping check to gateway ip %s succeeded", gw)
-	if err = waitNetworkReady(util.NodeNic, ip, gw, false, 5, nil); err != nil {
-		klog.Errorf("failed to init ovn0 check: %v", err)
+	if err = waitNetworkReady(util.NodeNic, ip, gw, false, false, 5, nil); err != nil {
+		klog.Errorf("failed to init %s check: %v", util.NodeNic, err)
 		status = corev1.ConditionTrue
 		reason = "JoinSubnetGatewayUnreachable"
 		message = fmt.Sprintf("ping check to gateway ip %s failed", gw)
@@ -778,7 +778,7 @@ func (c *Controller) loopOvn0Check() {
 	}
 
 	if err != nil {
-		util.LogFatalAndExit(err, "failed to ping ovn0 gateway %s", gw)
+		util.LogFatalAndExit(err, "failed to ping %s gateway %s", util.NodeNic, gw)
 	}
 }
 
@@ -831,7 +831,7 @@ func (c *Controller) checkNodeGwNicInNs(nodeExtIP, ip, gw string, gwNS ns.NetNS)
 	}
 	if exists {
 		return ns.WithNetNSPath(gwNS.Path(), func(_ ns.NetNS) error {
-			err = waitNetworkReady(util.NodeGwNic, ip, gw, true, 3, nil)
+			err = waitNetworkReady(util.NodeGwNic, ip, gw, true, true, 3, nil)
 			if err == nil {
 				if output, err := exec.Command("bfdd-control", "status").CombinedOutput(); err != nil {
 					err := fmt.Errorf("failed to get bfdd status, %w, %s", err, output)
@@ -956,7 +956,7 @@ func configureNodeGwNic(portName, ip, gw string, macAddr net.HardwareAddr, mtu i
 			klog.Error(err)
 			return err
 		}
-		return waitNetworkReady(util.NodeGwNic, ip, gw, true, 3, nil)
+		return waitNetworkReady(util.NodeGwNic, ip, gw, true, true, 3, nil)
 	})
 }