Explicitly unmanage veth interfaces (#701)

nmstate 0.3 introduces a bug where all veths attached to nmstatectl configured bridge turn into "managed" by NetworkManager. This was not the case in 0.2. Due to this regression, NetworkManager deliberatelly detaches veth ifaces from the bridge and by doing that it disconnectecs Pods/VMs from the network. With this change, we explicitly set veth interfaces as unmanaged. Important: With this change, it is no longer possible to change configuration of bridges that have veths attached. Signed-off-by: Petr Horáček <[email protected]>
nmstate · Feb 24, 2021 · f717775 · f717775
1 parent 75c1346
commit f717775
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 0 deletions.
diff --git a/build/bin/unmanaged-veth b/build/bin/unmanaged-veth
@@ -0,0 +1,6 @@
+#!/bin/bash -xe
+
+echo '[keyfile]
+unmanaged-devices=interface-name:veth*
+' > /host/etc/NetworkManager/conf.d/001-cnv-unmanaged-veth.conf
+dbus-send --system --dest=org.freedesktop.systemd1 --type=method_call  /org/freedesktop/systemd1 --print-reply org.freedesktop.systemd1.Manager.ReloadUnit string:NetworkManager.service string:replace
diff --git a/deploy/handler/operator.yaml b/deploy/handler/operator.yaml
@@ -153,6 +153,8 @@ spec:
           volumeMounts:
             - name: dbus-socket
               mountPath: /run/dbus/system_bus_socket
+            - name: networkmanager-config
+              mountPath: /host/etc/NetworkManager/conf.d
             - name: nmstate-lock
               mountPath: /var/k8s_nmstate
           securityContext:
@@ -162,6 +164,10 @@ spec:
           hostPath:
             path: /run/dbus/system_bus_socket
             type: Socket
+        - name: networkmanager-config
+          hostPath:
+            path: /etc/NetworkManager/conf.d
+            type: Directory
         - name: nmstate-lock
           hostPath:
             path: /var/k8s_nmstate

diff --git a/main.go b/main.go
@@ -17,11 +17,13 @@ limitations under the License.
 package main
 
 import (
+	"bytes"
 	"flag"
 	"fmt"
 	"net/http"
 	_ "net/http/pprof"
 	"os"
+	"os/exec"
 	"time"
 
 	"k8s.io/apimachinery/pkg/runtime"
@@ -45,6 +47,8 @@ import (
 	"github.com/nmstate/kubernetes-nmstate/pkg/webhook"
 )
 
+const unmanagedVethCommand = "unmanaged-veth"
+
 type ProfilerConfig struct {
 	EnableProfiler bool   `envconfig:"ENABLE_PROFILER"`
 	ProfilerPort   string `envconfig:"PROFILER_PORT" default:"6060"`
@@ -81,6 +85,8 @@ func main() {
 		}
 		defer handlerLock.Unlock()
 		setupLog.Info("Successfully took nmstate exclusive lock")
+
+		setVethInterfacesAsUnmanaged()
 	}
 
 	ctrlOptions := ctrl.Options{
@@ -214,3 +220,13 @@ func lockHandler() (lockfile.Lockfile, error) {
 	})
 	return handlerLock, err
 }
+
+func setVethInterfacesAsUnmanaged() {
+	cmd := exec.Command(unmanagedVethCommand)
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+	if err := cmd.Run(); err != nil {
+		setupLog.Info(fmt.Sprintf("failed to execute %s: '%v', '%s', '%s'", unmanagedVethCommand, err, stdout.String(), stderr.String()))
+	}
+}