Add ip and iptables management to vbmctl

Signed-off-by: Nuutti Hakala <nuutti.hakala@est.tech>

Author: nuhakala

hack/ci-e2e.sh

@@ -69,10 +69,6 @@ sudo sysctl fs.inotify.max_user_instances=8192
 # Build the container image with e2e tag (used in tests)
 IMG=quay.io/metal3-io/baremetal-operator IMG_TAG=e2e make docker
 
-# Build vbmctl
-make build-vbmctl
-# Create VMs to act as BMHs in the tests and the libvirt network
-./bin/vbmctl -c "${REPO_ROOT}/test/e2e/config/vbmctl.yaml" create bml
 
 # We need to create veth pair to connect metal3 net (defined above with vbmctl)
 # and kind docker subnet. Let us start by creating a docker network with
@@ -91,22 +87,10 @@ if ! docker network list | grep kind; then
 fi
 docker network list
 
-# Next create the veth pair
-if ! ip a | grep metalend; then
-    sudo ip link add metalend type veth peer name kindend
-    sudo ip link set metalend master metal3
-    sudo ip link set kindend master kind-bridge
-    sudo ip link set metalend up
-    sudo ip link set kindend up
-fi
-ip a
-
-# Then we need to set routing rules as well
-if ! sudo iptables -L FORWARD -v -n | grep kind-bridge; then
-    sudo iptables -I FORWARD -i kind-bridge -o metal3 -j ACCEPT
-    sudo iptables -I FORWARD -i metal3 -o kind-bridge -j ACCEPT
-fi
-sudo iptables -L FORWARD -n -v
+# Build vbmctl
+make build-vbmctl
+# Create VMs to act as BMHs in the tests and the libvirt network
+./bin/vbmctl -c "${REPO_ROOT}/test/e2e/config/vbmctl.yaml" create bml
 
 # This IP is defined by the network we created above. It is sushy-tools / image
 # server endpoint, not ironic.

test/e2e/config/vbmctl.yaml

@@ -34,3 +34,8 @@ spec:
     bridge: metal3
     address: 192.168.222.1
     netmask: 255.255.255.0
+  vethPairs:
+  - master1: metal3
+    master2: kind-bridge
+    veth1: metalend
+    veth2: kindend

test/go.mod

@@ -4,12 +4,14 @@ go 1.25.0
 
 require (
 	github.com/cert-manager/cert-manager v1.20.1
+	github.com/coreos/go-iptables v0.8.0
 	github.com/metal3-io/baremetal-operator/apis v0.5.1
 	github.com/metal3-io/baremetal-operator/pkg/hardwareutils v0.5.1
 	github.com/metal3-io/ironic-standalone-operator/api v0.8.1
 	github.com/onsi/ginkgo/v2 v2.28.1
 	github.com/onsi/gomega v1.39.1
 	github.com/spf13/cobra v1.10.2
+	github.com/vishvananda/netlink v1.3.1
 	golang.org/x/crypto v0.49.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.35.3
@@ -104,6 +106,7 @@ require (
 	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/spf13/viper v1.21.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/vishvananda/netns v0.0.5 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xlab/treeprint v1.2.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect

test/go.sum

@@ -48,6 +48,8 @@ github.com/coredns/caddy v1.1.1 h1:2eYKZT7i6yxIfGP3qLJoJ7HAsDJqYB+X68g4NYjSrE0=
 github.com/coredns/caddy v1.1.1/go.mod h1:A6ntJQlAWuQfFlsd9hvigKbo2WS0VUs2l1e2F+BawD4=
 github.com/coredns/corefile-migration v1.0.30 h1:ljZNPGgna+4yKv81gfkvkgLEWdtz0NjBR1glaiPI140=
 github.com/coredns/corefile-migration v1.0.30/go.mod h1:56DPqONc3njpVPsdilEnfijCwNGC3/kTJLl7i7SPavY=
+github.com/coreos/go-iptables v0.8.0 h1:MPc2P89IhuVpLI7ETL/2tx3XZ61VeICZjYqDEgNsPRc=
+github.com/coreos/go-iptables v0.8.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -277,6 +279,10 @@ github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
 github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
 github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
 github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
+github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0=
+github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
+github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
+github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
@@ -330,7 +336,9 @@ golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
 golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=

test/vbmctl/README.md

@@ -17,7 +17,7 @@ This tool is under active development.
 | `vbmctl create bml` / `vbmctl delete bml` | ✅ Implemented |
 | `vbmctl status` | ✅ Implemented (basic) |
 | Configurable volumes | ❌ TODO (hard-coded to two per VM) |
-| Network management | ⚠️ Partially implemented (only libvirt networks) |
+| Network management | ⚠️ Partially implemented (container networking missing) |
 | BMC emulator support | ❌ TODO |
 | Image server | ❌ TODO |
 | State management (persistent state) | ❌ TODO |
@@ -30,6 +30,8 @@ This tool is under active development.
    libvirt networks
 - **Library Support**: Can be imported as a Go module for programmatic use
 - **Libvirt network management**: create and delete libvirt networks
+- **Creating/deleting veth pairs**: create and delete veth-pairs to connect
+  virtual networks. Works only with config file.
 
 ## Build Tags
 
@@ -157,6 +159,11 @@ spec:
     bridge: metal3
     address: 192.168.222.1
     netmask: 255.255.255.0
+  vethPairs:
+  - master1: metal3
+    master2: kind-bridge
+    veth1: metalend
+    veth2: kindend
 ```
 
 The `spec.vms` section defines the VMs that will be created when you run `vbmctl

test/vbmctl/cmd/vbmctl/main.go

@@ -16,6 +16,7 @@ import (
 	vbmctlapi "github.com/metal3-io/baremetal-operator/test/vbmctl/pkg/api"
 	"github.com/metal3-io/baremetal-operator/test/vbmctl/pkg/config"
 	"github.com/metal3-io/baremetal-operator/test/vbmctl/pkg/libvirt"
+	"github.com/metal3-io/baremetal-operator/test/vbmctl/pkg/network"
 	"github.com/spf13/cobra"
 	libvirtgo "libvirt.org/go/libvirt"
 )
@@ -204,7 +205,12 @@ Example configuration:
             macAddress: "00:60:2f:31:81:01"
 	networks:
       - name: "baremetal-e2e"
-	  - bridge: "metal3"`,
+	  - bridge: "metal3"
+    vethPairs:
+      - master1: "metal3"
+        master2: "kind-bridge"
+        veth1: "metalend"
+        veth2: "kindend"`,
 		RunE: func(_ *cobra.Command, _ []string) error {
 			ctx, cancel := contextWithSignal()
 			defer cancel()
@@ -240,6 +246,17 @@ Example configuration:
 				fmt.Printf("  - %s (UUID: %s)\n", network.Name, network.UUID)
 			}
 
+			// Connect the specified networks
+			network.ConnectAllWithVeth(ctx, cfg.Spec.VethPairs)
+			// Add forward rules to allow fordawing between connected networks
+			network.AddForwardRulesAll(ctx, cfg.Spec.VethPairs)
+			//nolint:forbidigo // CLI output is intentional
+			fmt.Println("\nCreated veth pairs:")
+			for _, pair := range cfg.Spec.VethPairs {
+				//nolint:forbidigo // CLI output is intentional
+				fmt.Printf("  - between %s and %s\n", pair.Master1, pair.Master2)
+			}
+
 			vmManager, err := libvirt.NewVMManager(conn, libvirt.VMManagerOptions{
 				PoolName: cfg.Spec.Pool.Name,
 				PoolPath: cfg.Spec.Pool.Path,
@@ -435,6 +452,17 @@ func newDeleteBMLCmd() *cobra.Command {
 				fmt.Printf("  - %s\n", name)
 			}
 
+			// Delete forward rules
+			network.DeleteForwardRulesAll(ctx, cfg.Spec.VethPairs)
+			// Delete veth pairs
+			network.DeleteAllVeth(ctx, cfg.Spec.VethPairs)
+			//nolint:forbidigo // CLI output is intentional
+			fmt.Println("\nDeleted veth pairs:")
+			for _, pair := range cfg.Spec.VethPairs {
+				//nolint:forbidigo // CLI output is intentional
+				fmt.Printf("  - between %s and %s\n", pair.Master1, pair.Master2)
+			}
+
 			networkManager, err := libvirt.NewNetworkManager(conn)
 			if err != nil {
 				return fmt.Errorf("failed to create Network manager: %w", err)

test/vbmctl/pkg/api/types.go

@@ -57,6 +57,20 @@ type NetworkConfig struct {
 	Netmask string `json:"netmask,omitempty" yaml:"netmask,omitempty"`
 }
 
+type VethPairs struct {
+	// Name of the first network to be connected
+	Master1 string `json:"master1" yaml:"master1"`
+
+	// Name of the second network to be connected
+	Master2 string `json:"master2" yaml:"master2"`
+
+	// Name of the veth pair to be pushed to first network
+	Veth1 string `json:"veth1" yaml:"veth1"`
+
+	// Name of the veth pair to be pushed to the second network
+	Veth2 string `json:"veth2" yaml:"veth2"`
+}
+
 // PoolConfig represents the configuration for a storage pool.
 type PoolConfig struct {
 	// Name is the name of the storage pool.

test/vbmctl/pkg/config/config.go

@@ -76,6 +76,8 @@ type Spec struct {
 	VMs []vbmctlapi.VMConfig `json:"vms,omitempty" yaml:"vms,omitempty"`
 
 	Networks []vbmctlapi.NetworkConfig `json:"networks,omitempty" yaml:"networks,omitempty"`
+
+	VethPairs []vbmctlapi.VethPairs `json:"vethPairs,omitempty" yaml:"vethPairs,omitempty"`
 }
 
 // LibvirtConfig contains libvirt connection settings.

test/vbmctl/pkg/network/ip.go

@@ -0,0 +1,98 @@
+package network
+
+import (
+	"context"
+	"fmt"
+	"log"
+
+	vbmctlapi "github.com/metal3-io/baremetal-operator/test/vbmctl/pkg/api"
+	"github.com/vishvananda/netlink"
+)
+
+func ConnectWithVeth(_ context.Context, network1 string, network2 string, vethpeer1 string, vethpeer2 string) error {
+	// Create veth pair
+	la := netlink.NewLinkAttrs()
+	la.Name = vethpeer1
+	veth := &netlink.Veth{
+		LinkAttrs: la,
+		PeerName:  vethpeer2,
+	}
+	err := netlink.LinkAdd(veth)
+	if err != nil {
+		return fmt.Errorf("could not add vethpair %s: %v\n", la.Name, err)
+	}
+
+	// Connect the networks with the veth pair
+	master1, err := netlink.LinkByName(network1)
+	if err != nil {
+		return fmt.Errorf("failed to get network interface %s: %w", network1, err)
+	}
+	master2, err := netlink.LinkByName(network2)
+	if err != nil {
+		return fmt.Errorf("failed to get network interface %s: %w", network2, err)
+	}
+	veth1, err := netlink.LinkByName(vethpeer1)
+	if err != nil {
+		return fmt.Errorf("failed to get veth interface %s: %w", vethpeer1, err)
+	}
+	veth2, err := netlink.LinkByName(vethpeer2)
+	if err != nil {
+		return fmt.Errorf("failed to get veth interface %s: %w", vethpeer2, err)
+	}
+
+	if err := netlink.LinkSetUp(veth1); err != nil {
+		return fmt.Errorf("failed to bring up veth interface %s: %w", vethpeer1, err)
+	}
+	if err := netlink.LinkSetUp(veth2); err != nil {
+		return fmt.Errorf("failed to bring up veth interface %s: %w", vethpeer2, err)
+	}
+
+	if err := netlink.LinkSetMaster(veth1, master1); err != nil {
+		return fmt.Errorf("failed to set master %s for veth %s: %w", network1, vethpeer1, err)
+	}
+	if err := netlink.LinkSetMaster(veth2, master2); err != nil {
+		return fmt.Errorf("failed to set master %s for veth %s: %w", network2, vethpeer2, err)
+	}
+	return nil
+}
+
+func ConnectAllWithVeth(ctx context.Context, vethPairs []vbmctlapi.VethPairs) error {
+	createdPairs := make([]*vbmctlapi.VethPairs, 0, len(vethPairs))
+	for _, pair := range vethPairs {
+		err := ConnectWithVeth(ctx, pair.Master1, pair.Master2, pair.Veth1, pair.Veth2)
+		if err != nil {
+			// Clean up previously created pairs
+			log.Printf("Failed to create veth pair %s, cleaning up %d previously created pair(s)\n", pair.Veth1, len(createdPairs))
+			for _, created := range createdPairs {
+				if delErr := DeleteLink(ctx, pair.Veth1); delErr != nil {
+					log.Printf("Warning: failed to clean up veth pair %s: %v\n", created.Veth1, delErr)
+				}
+			}
+			return fmt.Errorf("failed to create veth pair %s: %w", pair.Veth1, err)
+		}
+		createdPairs = append(createdPairs, &pair)
+	}
+	return nil
+}
+
+func DeleteLink(_ context.Context, link string) error {
+	l, err := netlink.LinkByName(link)
+	if err != nil {
+		return fmt.Errorf("failed to get network interface %s: %w", link, err)
+	}
+	if err := netlink.LinkDel(l); err != nil {
+		return fmt.Errorf("failed to delete network interface %s: %w", link, err)
+	}
+	return nil
+}
+
+func DeleteAllVeth(ctx context.Context, vethPairs []vbmctlapi.VethPairs) error {
+	var lastErr error
+	for _, pair := range vethPairs {
+		if err := DeleteLink(ctx, pair.Veth1); err != nil {
+			log.Printf("Error deleting veth pair %s: %v\n", pair.Veth1, err)
+			lastErr = err
+		}
+	}
+	return lastErr
+}

test/vbmctl/pkg/network/iptables.go

@@ -0,0 +1,82 @@
+package network
+
+import (
+	"context"
+	"fmt"
+	"log"
+
+	"github.com/coreos/go-iptables/iptables"
+	vbmctlapi "github.com/metal3-io/baremetal-operator/test/vbmctl/pkg/api"
+)
+
+func AddForwardRules(_ context.Context, iface1, iface2 string) error {
+	ipt, err := iptables.New()
+	if err != nil {
+		return fmt.Errorf("failed to initialize iptables: %w", err)
+	}
+
+	// Add rule: iptables -I FORWARD -i iface1 -o iface2 -j ACCEPT
+	err = ipt.Insert("filter", "FORWARD", 1, "-i", iface1, "-o", iface2, "-j", "ACCEPT")
+	if err != nil {
+		return fmt.Errorf("failed to add forward rule from %s to %s: %w", iface1, iface2, err)
+	}
+
+	// Add reverse
+	err = ipt.Insert("filter", "FORWARD", 1, "-i", iface2, "-o", iface1, "-j", "ACCEPT")
+	if err != nil {
+		return fmt.Errorf("failed to add forward rule from %s to %s: %w", iface1, iface2, err)
+	}
+
+	return nil
+}
+
+func AddForwardRulesAll(ctx context.Context, vethPairs []vbmctlapi.VethPairs) error {
+	createdRules := make([]*vbmctlapi.VethPairs, 0, len(vethPairs))
+	for _, pair := range vethPairs {
+		err := AddForwardRules(ctx, pair.Master1, pair.Master2)
+		if err != nil {
+			// Clean up previously created rules
+			log.Printf("Failed to add forward rules between %s and %s, cleaning up %d previously created rule(s)\n", pair.Master1, pair.Master2, len(createdRules))
+			for _, created := range createdRules {
+				if delErr := DeleteForwardRules(ctx, pair.Master1, pair.Master2); delErr != nil {
+					log.Printf("Warning: failed to clean up rule between %s and %s: %v\n", created.Master1, created.Master2, delErr)
+				}
+			}
+			return fmt.Errorf("failed to create rule between %s and %s: %w", pair.Master1, pair.Master2, err)
+		}
+		createdRules = append(createdRules, &pair)
+	}
+	return nil
+}
+
+func DeleteForwardRules(_ context.Context, iface1, iface2 string) error {
+	ipt, err := iptables.New()
+	if err != nil {
+		return fmt.Errorf("failed to initialize iptables: %w", err)
+	}
+
+	// Delete rule: iptables -D FORWARD -i iface1 -o iface2 -j ACCEPT
+	err = ipt.Delete("filter", "FORWARD", "-i", iface1, "-o", iface2, "-j", "ACCEPT")
+	if err != nil {
+		return fmt.Errorf("failed to delete forward rule from %s to %s: %w", iface1, iface2, err)
+	}
+
+	// Delete reverse
+	err = ipt.Delete("filter", "FORWARD", "-i", iface2, "-o", iface1, "-j", "ACCEPT")
+	if err != nil {
+		return fmt.Errorf("failed to delete forward rule from %s to %s: %w", iface2, iface1, err)
+	}
+
+	return nil
+}
+
+func DeleteForwardRulesAll(ctx context.Context, vethPairs []vbmctlapi.VethPairs) error {
+	var lastErr error
+	for _, pair := range vethPairs {
+		if err := DeleteForwardRules(ctx, pair.Master1, pair.Master2); err != nil {
+			log.Printf("Error deleting forward rules between %s and %s: %v\n", pair.Master1, pair.Master2, err)
+			lastErr = err
+		}
+	}
+	return lastErr
+}