docs for network light #2397
docs for network light #2397
Conversation
Signed-off-by: Ashraf Fouda <ashraf.m.fouda@gmail.com>
Signed-off-by: Ashraf Fouda <ashraf.m.fouda@gmail.com>
Signed-off-by: Ashraf Fouda <ashraf.m.fouda@gmail.com>
Signed-off-by: Ashraf Fouda <ashraf.m.fouda@gmail.com>
Signed-off-by: Ashraf Fouda <ashraf.m.fouda@gmail.com>
bootstrap/bootstrap/src/config.rs
Outdated
| .arg( | ||
| Arg::with_name("light") | ||
| .short("l") | ||
| .takes_value(false) | ||
| .help("run in light mode, will use the bootstrap:development.flist"), | ||
| ) |
There was a problem hiding this comment.
The light flag same as the runmode should be parsed from the kernel cmdline arguments not from the bootstrap command arguments.
cmds/modules/netlightd/nft.go
Outdated
| @@ -16,6 +16,7 @@ func ensureHostFw(ctx context.Context) error { | |||
| nft 'add table inet filter' | |||
| nft 'add table arp filter' | |||
| nft 'add table bridge filter' | |||
| nft 'add table nat' | |||
There was a problem hiding this comment.
I really think this entire file can completely replaced now with a .nft file basically rewrite this as a ruleset (similar to what we have under nft/rules.nft)
It's way cleaner than executing individual commands
|
|
||
| // getVmMetrics will collect network consumption every 5 min and store | ||
| // it in the rrd database. | ||
| func (r *Reporter) getGwMetrics(ctx context.Context, slot rrd.Slot) error { |
There was a problem hiding this comment.
This will probably be re-added
There was a problem hiding this comment.
we decided to postpone gw and qsfs for later versions of zos light
etc/zinit/networkd.yaml
Outdated
| test: zbusdebug --module network | ||
| exec: netlightd --broker unix:///var/run/redis.sock --root /var/cache/modules/networkd | ||
|
|
||
| # test: zbusdebug --module network |
There was a problem hiding this comment.
We still have to have something here to let other modules know that this networking is ready. I am sure netlightd also has a "zbus" service which means we can use the same test command but with different module name (if the module name was changed even)
pkg/environment/environment.go
Outdated
| @@ -321,6 +321,10 @@ func getEnvironmentFromParams(params kernel.Params) (Environment, error) { | |||
| if e := os.Getenv("ZOS_BIN_REPO"); e != "" { | |||
| env.BinRepo = e | |||
| } | |||
| env.Light = false | |||
There was a problem hiding this comment.
This of course is not needed, since the zero value for bool in Go is false.
pkg/gridtypes/zos/types.go
Outdated
| // NetworkLightType type | ||
| NetworkLightType gridtypes.WorkloadType = "network-light" | ||
| // ZDBLightType type | ||
| ZDBLightType gridtypes.WorkloadType = "zdb-light" |
There was a problem hiding this comment.
Why do we need zdb-light? is it because it doesn't have ygg IP?
I think we should only use the "-light" suffix if the data type for input or output changes (like vm and network) but I don't believe this applies to zdb
| } | ||
|
|
||
| // myceliumIpSeed is 6 bytes | ||
| func (r *Resource) AttachPrivate(id string, vmIp net.IP) (device pkg.TapDevice, err error) { |
There was a problem hiding this comment.
I can't figure out if this an idempotent function or not. But it's usually important that such functions to be idempotent so recreation doesn't happen if the service was restarted for example
pkg/network_light.go
Outdated
| Name string | ||
| Mac net.HardwareAddr | ||
| IP *net.IPNet | ||
| Gateway *net.IPNet |
There was a problem hiding this comment.
I think this should be Routes instead so we can also have custom routes not only default GW. It's needed with mycelium for example and in other cases where custom routing is required
rename zdblight to zdb and do some hardening Signed-off-by: Ashraf Fouda <ashraf.m.fouda@gmail.com>
There was a problem hiding this comment.
Thanks @ashraffouda for the great work. I still have few comments in case you are interested
| @@ -26,15 +26,19 @@ fn bootstrap_zos(cfg: &config::Config) -> Result<()> { | |||
| let flist = match &cfg.runmode { | |||
| RunMode::Prod => match &cfg.version { | |||
| Version::V3 => "zos:production-3:latest.flist", | |||
| _ => bail!("unsupported version in old style"), | |||
There was a problem hiding this comment.
it's safe to completely remove the old style from code since ALL environments have been updated to new style. We needed to keep the old style for a while because bootstrap is shared between all environments (since it's part of base image) because some envs used new style and others didn't.
Anyway, you can assume that old style does no longer exist
| if err := nft.Apply(rules, ""); err != nil { | ||
| return fmt.Errorf("failed to apply host nft rules: %w", err) | ||
| } | ||
|
|
| @@ -0,0 +1,29 @@ | |||
| add table inet filter; | |||
There was a problem hiding this comment.
What I meant with this is to make it similar to other rules.nft (in the same PR here style. It doesn't have commands but instead the complete structure of the rule set
It contains simply the output of running nft list ruleset
If you don't get what I mean let me explain over DM
| if err := nft.Apply(rules, nsName); err != nil { | ||
| return nil, fmt.Errorf("failed to apply nft rules for namespace '%s': %w", name, err) | ||
| } | ||
|
|
| Name string | ||
| Mac net.HardwareAddr | ||
| IP *net.IPNet | ||
| Routes []Route |
| envName := mode.String() | ||
| if u.boot.Version().Major == 4 { | ||
| envName = fmt.Sprintf("%s-light", envName) | ||
| } |
There was a problem hiding this comment.
Since this is a fork and the entire fork knows that this is version 4. Hence you can always assume the envName to be "-light" without even the need to check for the major version
| @@ -24,43 +23,6 @@ const ( | |||
| cloudConsoleBin = "cloud-console" | |||
| ) | |||
|
|
|||
| // startCloudConsole Starts the cloud console for the vm on it's private network ip | |||
| func (m *Machine) startCloudConsole(ctx context.Context, namespace string, networkAddr net.IPNet, machineIP net.IPNet, ptyPath string, logs string) (string, error) { | |||
There was a problem hiding this comment.
I think the cloud console can stay since the user network will always have a mycelium IP. the console can still work over the mycelium IP in case the VM is not reachable for any reason.
- So the ip of the vm is the VM private ip (private range)
- The console listen port is calculated the same way
- The console IP itself is the mycelium IP assigned to this user mycelium instance.
| @@ -131,12 +93,16 @@ func (m *Machine) Run(ctx context.Context, socket, logs string) (pkg.MachineInfo | |||
|
|
|||
| for _, nic := range m.Interfaces { | |||
| var typ InterfaceType | |||
| typ, _, err = nic.getType() | |||
| typ, idx, err := nic.getType() | |||
There was a problem hiding this comment.
When you do Attach on the resource, you should create a tap device (not macvtap) which makes it easier to attach it to CH command line. The macvtap case was only used for public IPs specifically.
| } | ||
| _, getLinkErr := netlink.LinkByName(tapName) | ||
| if getLinkErr != nil { | ||
| mtap, err := macvtap.CreateMACvTap(tapName, privateNetBr, hw) |
There was a problem hiding this comment.
We create TAP devices for VMs not Macvtap. this makes it un0necessary complex to pass this device to the VM when it can just be a tap device
| myBr := fmt.Sprintf("m%s", r.name) | ||
| hw := ifaceutil.HardwareAddrFromInputBytes([]byte(tapName)) | ||
|
|
||
| _, err = macvtap.CreateMACvTap(tapName, myBr, hw) |
There was a problem hiding this comment.
Same for mycelium this can perfectly be a tap device (not macvtap) hence it becomes simpler to pass to the cloud-hypervisor command line
There was a problem hiding this comment.
macvtaps or macvlans are a disaster if they're more than one with a bridge interface as parent.
Somewhere since that dummy necessity version, macvlans have problems ... what they specifically are, I'm not sure yet, but I suspect seen that macvlans are also bridges in a lighter version, they don't cooperate well with regular bridges
There was a problem hiding this comment.
I felt like since the https://bugzilla.kernel.org/show_bug.cgi?id=214631 bug, macvlans went worse and worse over time.
probably because of their infrequent use.
let's see how much work it is, but I guess
| @@ -199,42 +187,14 @@ func (p *Manager) virtualMachineProvisionImpl(ctx context.Context, wl *gridtypes | |||
| if err != nil { | |||
There was a problem hiding this comment.
we only have/use one private network, why still looping all net interfaces instead of using the only used one?
| networkInfo.Ifaces = append(networkInfo.Ifaces, inf) | ||
| result.PlanetaryIP = inf.IPs[0].IP.String() | ||
| } | ||
|
|
||
| if config.Network.Mycelium != nil { |
There was a problem hiding this comment.
is it allowed to not have mycelium?
There was a problem hiding this comment.
it is not allowed according to the specs, CMIIW
|
|
||
| var _ pkg.NetworkerLight = (*networker)(nil) | ||
|
|
||
| func NewNetworker() (pkg.NetworkerLight, error) { |
There was a problem hiding this comment.
is it common to add er to the struct in zos?
because er suffix usually used for interface, not struct
| var addrs []netlink.Addr | ||
|
|
||
| if err = netNs.Do(func(_ ns.NetNS) error { | ||
| link, err := netlink.LinkByName(infPrivate) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| addrs, err = netlink.AddrList(link, netlink.FAMILY_V4) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| return nil | ||
| }); err != nil { | ||
| return | ||
| } | ||
| if len(addrs) != 1 { | ||
| return device, fmt.Errorf("expect addresses on private interface to be 1 got %d", len(addrs)) | ||
| } | ||
| gw := addrs[0].IPNet |
There was a problem hiding this comment.
for readability, i think we can move this block into separate func, maybe something like:
getAndValidateAddr()
And maybe including the code to get the namespace
nsName := fmt.Sprintf("n%s", r.name)
netNs, err := namespace.GetByName(nsName)There was a problem hiding this comment.
i think the code below it can also be included
if !gw.Contains(vmIp) {
return device, fmt.Errorf("ip not in range")
}
| Mask: gw.Mask, | ||
| } | ||
| _, getLinkErr := netlink.LinkByName(tapName) | ||
| if getLinkErr != nil { |
There was a problem hiding this comment.
so, is it OK if the tap already exists?
| } | ||
|
|
||
| func inspectMycelium(seed []byte) (inspection MyceliumInspection, err error) { | ||
| // we check if the file exists before we do inspect because mycelium will create a random seed |
There was a problem hiding this comment.
we check if the file exists
can't find the check
| return inspection, fmt.Errorf("failed to write seed: %w", err) | ||
| } | ||
|
|
||
| tmp.Close() |
There was a problem hiding this comment.
move to the above of the if block?
Signed-off-by: Ashraf Fouda ashraf.m.fouda@gmail.com### Description
Describe the changes introduced by this PR and what does it affect
Changes
List of changes this PR includes
Related Issues
List of related issues
Checklist