network, binding: Declare the SLIRP core binding as deprecated and remove it #11701
Conversation
|
Skipping CI for Draft Pull Request. |
|
/test pull-kubevirt-code-lint |
|
/test pull-kubevirt-manifests |
|
/test pull-kubevirt-e2e-k8s-1.29-sig-network |
@AlonaKaplan commented that migration with Slirp is not supported anyway, therefore we just need to confirm it is enough to block it. |
|
/test pull-kubevirt-code-lint |
|
/test pull-kubevirt-unit-test |
|
/test pull-kubevirt-e2e-k8s-1.29-sig-network |
|
/test all |
There was a problem hiding this comment.
Great work! looks good to me overall.
Regarding virt-controller: Add network validation for the VM and VMI controllers commit message these a typo at first line Ad -> 'Add'.
Could you please refer to the following migration scenarios (at least in PR description):
- What will happen there is a migration request by the user to slirp VMs?
- On post Kubevirt upgrade, what will happen to old slirp VMs?
In both scenarios, will virt-handler / controller will re-enqueuing syncVMI routine due to existing slirp interface?
Done.
I'll add to the description the migration scenario. The migration is blocked because SLIRP never supported migration.
I think I did:
Migration is not supported for SLIRP, it is blocked today. |
8fc69fa
to
539b237
Compare
| @@ -195,7 +195,7 @@ func DefaultSlirpNetworkInterface() *Interface { | |||
| iface := &Interface{ | |||
| Name: "default", | |||
| InterfaceBindingMethod: InterfaceBindingMethod{ | |||
| Slirp: &InterfaceSlirp{}, | |||
| DeprecatedSlirp: &DeprecatedInterfaceSlirp{}, | |||
There was a problem hiding this comment.
Should the DefaultSlirpNetworkInterface be removed?
There was a problem hiding this comment.
Yes, it should be removed as well. Thanks.
|
change: Rebase |
|
change: Ran |
|
change: Removed |
|
/test pull-kubevirt-unit-test |
|
/lgtm |
|
Required labels detected, running phase 2 presubmits: |
| NetworkInterface: string(v1.SlirpInterface), | ||
| PermitSlirpInterface: pointer.P(true), | ||
| NetworkInterface: string(v1.DeprecatedSlirpInterface), | ||
| DeprecatedPermitSlirpInterface: pointer.P(true), |
There was a problem hiding this comment.
Should the slirp be allowed to be default?
There was a problem hiding this comment.
On upgrade the KV spec does not change.
There is no restriction imposed to set KV in order not to break existing workloads or the upgrade itself.
New VM/VMI will not accept this configuration and the Admin will need to remove Slirp from the KV spec after the upgrade in order to avoid having Slirp.
There was a problem hiding this comment.
On upgrade the KV spec does not change.
There is no restriction imposed to set KV in order not to break existing workloads or the upgrade itself.
I don't think we would break compatibility, the config is internal, it would just drop to default. I am not sure how this works with other bindings....
New VM/VMI will not accept this configuration and the Admin will need to remove Slirp from the KV spec after the upgrade in order to avoid having Slirp.
Does this means that new VM/I will be denied or that they will no use the config?
There was a problem hiding this comment.
On upgrade the KV spec does not change.
There is no restriction imposed to set KV in order not to break existing workloads or the upgrade itself.I don't think we would break compatibility, the config is internal, it would just drop to default. I am not sure how this works with other bindings....
Internal? The Kubevirt CR is not internal.
Anything there will remain as is and it will be reflected when creating new VM/VMI.
If the configuration there is not supported, it will fail validation.
New VM/VMI will not accept this configuration and the Admin will need to remove Slirp from the KV spec after the upgrade in order to avoid having Slirp.
Does this means that new VM/I will be denied or that they will no use the config?
New VM/VMI are denied if the configuration is not supported (i.e. set Slirp interface based on the Kubevirt CR spec). Existing VM/VMI are not affected.
This is no different from defining Slirp explicitly on the VM/VMI.
There was a problem hiding this comment.
Internal? The Kubevirt CR is not internal.
Yes but I am commenting about virt-config that is either from configmap or kubevirt cr(the latter lately...). It also has an internal validation on these external sources as these sources can be submitted to the system in invalid form. What I was trying to say in the previous comments is that the validation still allows the slirp. This semantically doesn't make much sense to me.
Anything there will remain as is and it will be reflected when creating new VM/VMI.
If the configuration there is not supported, it will fail validation.
This doesn't sounds better than falling to default binding
There was a problem hiding this comment.
Yes but I am commenting about virt-config that is either from configmap or kubevirt cr(the latter lately...). It also has an internal validation on these external sources as these sources can be submitted to the system in invalid form. What I was trying to say in the previous comments is that the validation still allows the slirp. This semantically doesn't make much sense to me.
The validation of VM/VMI to reject Slirp is limited to creation and not updates.
The config is used to calculate defaults also for updates, which should continue passing.
Therefore, I do not think it will be correct to validate the config and reject Slirp at this level.
VM/VMI that are running should not get rejected.
If you still think it is possible to both reject Slirp here and keep existing workloads running (and not fail validation on update), we can improve as a follow up.
Anything there will remain as is and it will be reflected when creating new VM/VMI.
If the configuration there is not supported, it will fail validation.This doesn't sounds better than falling to default binding
It is not better, it is a limitation due to the requirement to support existing VMs running even when their manifest is updated (and therefore validated).
Existing Go structs and members names are prefixed with `Deprecated` on their names and added documentation comments to mark them as deprecated. The JSON naming has not changed, keeping API fields intact. Signed-off-by: Edward Haas <edwardh@redhat.com>
Given Kubevirt CR configuration to enable SLIRP and allow it to be set by default (in case no network interface is defined), return with an error. The default setting is performed on a mutating admitter webhook for both VM and VMI CRs. In addition, the defaulting is executed when the VM controller prepares a VMI for creation. We would expect the failure to be raised at the admitter, failing immediately the CR creation. However, even if it will fail at the VM controller, the outcome will be somehow similar: VMI will not be created, i.e. the VM will not be able to start. Signed-off-by: Edward Haas <edwardh@redhat.com>
Signed-off-by: Edward Haas <edwardh@redhat.com>
Signed-off-by: Edward Haas <edwardh@redhat.com>
Processing of SLIRP core binding is removed with care to preserve existing running VM/VMIs. New VM/VMIs which are configured to use the SLIRP core binding will fail to setup the vNIC. A follow up change will block such a spec at the creation validation admitter to assure early and stable failure for new VM/VMIs. Signed-off-by: Edward Haas <edwardh@redhat.com>
Validate at the validation admitters that new VM/VMI is not created with the SLIRP core binding. It has been added for both the VM and VMI admitters. Limited to the CREATE operation. Signed-off-by: Edward Haas <edwardh@redhat.com>
Add a network validation point at the: - VM controller, before creating a VMI. - VMI controller, before creating a Pod. The network validators, together with the create validator admitters assure no new VM/VMI is created with the SLIRP core binding. The reason to add the validation to the controllers in addition to the existing validation admitters is the async upgrade path of Kubevirt components. There may be a gap between the upgrade of the virt-controller and the virt-api (which holds the admitters). We need to assure that in the gap no new VM/VMI is created with a SLIRP core binding interface. Signed-off-by: Edward Haas <edwardh@redhat.com>
|
change: Rebase (again) |
|
/lgtm |
|
Required labels detected, running phase 2 presubmits: |
|
/test pull-kubevirt-e2e-k8s-1.29-sig-performance |
What this PR does
SLIRP binding has been part of Kubevirt from the early days.
With the introduction of the masquerade binding, SLIRP gradually lost interest due to the performance penalty it comes with.
Nowadays, Passt binding plugin [1] is considered an enhanced alternative to SLIRP and the closest in functionality (user-space connectivity).
The current SLIRP core binding [2] has a backend implementation that uses the SLIRP network binding plugin [3].
We have not encounter actual users who work with SLIRP binding for years now.
In addition, support for the binding is minimum (or nonexistence in practice).
Therefore, it seems reasonable to deprecate and remove SLIRP support.
In case there are users who still require SLIRP, the following mitigation exists:
This change renames slirp fields by prefixing
Deprecatedto their names but without changing their json naming.Then, it removed the logic of using the binding plugin backend to define a core SLIRP binding, including the definition of default SLIRP interfaces.
Logic is also removed from virt-launcher in regards to SLIRP binding.
The existing validation admitters and virt-handler SLIRP related logic is preserved to allow existing workloads to continue operating.
The migration scenario is nonexistent for SLIRP core binding because Kubevirt never allowed/supported it.
The migration availability is marked using a condition as not available [5] and therefore migration requests will fail.
[1] https://kubevirt.io/user-guide/virtual_machines/net_binding_plugins/passt/
[2] https://kubevirt.io/user-guide/virtual_machines/interfaces_and_networks/#slirp
[3] https://kubevirt.io/user-guide/virtual_machines/net_binding_plugins/slirp/#slirp-network-binding-plugin
[4] https://kubevirt.io/user-guide/virtual_machines/interfaces_and_networks/#masquerade
[5]
kubevirt/pkg/network/vmispec/interface.go
Line 57 in 6fd6313
Fixes #
Links to places where the discussion took place:
The deprecation and removal of the SLIRP core binding has been discussed and communicated through
the mailing list [5].
[5] https://groups.google.com/g/kubevirt-dev/c/Dp3GVw-Y-K8
Special notes for your reviewer
This change requires wide approver agreement due to its stable API backward incompatibility effect.
Checklist
This checklist is not enforcing, but it's a reminder of items that could be relevant to every PR.
Approvers are expected to review this list.
Release note