Use configurable netmask for Calico

deploy/virtlet-ds-dev.yaml

@@ -164,6 +164,12 @@ spec:
  name: virtlet-config
  key: loglevel
  optional: true
+ - name: VIRTLET_CALICO_SUBNET
+ valueFrom:
+ configMapKeyRef:
+ name: virtlet-config
+ key: calico-subnet
+ optional: true
  - name: IMAGE_REGEXP_TRANSLATION
  valueFrom:
  configMapKeyRef:

deploy/virtlet-ds.yaml

@@ -164,6 +164,12 @@ spec:
  name: virtlet-config
  key: loglevel
  optional: true
+ - name: VIRTLET_CALICO_SUBNET
+ valueFrom:
+ configMapKeyRef:
+ name: virtlet-config
+ key: calico-subnet
+ optional: true
  - name: IMAGE_REGEXP_TRANSLATION
  valueFrom:
  configMapKeyRef:

docs/networking.md

@@ -85,7 +85,10 @@ spawning it as a child process.
 as it tries to pass a routing configuration that cannot be passed
 over DHCP. For it to work Virtlet patches Calico-provided CNI result,
 replacing Calico's unreachable fake gateway with another fake gateway
-with an IP address acquired from Calico IPAM.
+with an IP address acquired from Calico IPAM. A proper node subnet must
+be set for Calico-based virtlet installations. It's controlled by
+`calico-subnet` key Virtlet configmap (denoting the number of 1s in
+the netmask) and defaults to `24`.
 
 **NOTE:** Virtlet doesn't support `hostNetwork` pod setting because it
 cannot be impelemnted for VM in a meaningful way.

examples/ubuntu-vm.yaml

@@ -6,6 +6,14 @@ metadata:
  kubernetes.io/target-runtime: virtlet
  VirtletCloudInitUserData: |
  ssh_pwauth: True
+ users:
+ - name: testuser
+ gecos: User
+ primary-group: testuser
+ groups: users
+ lock_passwd: false
+ passwd: "$6$rounds=4096$wPs4Hz4tfs$a8ssMnlvH.3GX88yxXKF2cKMlVULsnydoOKgkuStTErTq2dzKZiIx9R/pPWWh5JLxzoZEx7lsSX5T2jW5WISi1"
+ sudo: ALL=(ALL) NOPASSWD:ALL
  VirtletSSHKeys: |
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCaJEcFDXEK2ZbX0ZLS1EIYFZRbDAcRfuVjpstSc0De8+sV1aiu+dePxdkuDRwqFtCyk6dEZkssjOkBXtri00MECLkir6FcH3kKOJtbJ6vy3uaJc9w1ERo+wyl6SkAh/+JTJkp7QRXj8oylW5E20LsbnA/dIwWzAF51PPwF7A7FtNg9DnwPqMkxFo1Th/buOMKbP5ZA1mmNNtmzbMpMfJATvVyiv3ccsSJKOiyQr6UG+j7sc/7jMVz5Xk34Vd0l8GwcB0334MchHckmqDB142h/NCWTr8oLakDNvkfC1YneAfAO41hDkUbxPtVBG5M/o7P4fxoqiHEX+ZLfRxDtHB53 me@localhost
 spec:

pkg/tapmanager/tapfdsource.go

@@ -21,6 +21,8 @@ import (
  "errors"
  "fmt"
  "net"
+ "os"
+ "strconv"
  "time"
 
  "github.com/containernetworking/cni/pkg/ns"
@@ -35,7 +37,9 @@ import (
 )
 
 const (
- calicoNetType = "calico"
+ calicoNetType = "calico"
+ calicoDefaultSubnet = 24
+ calicoSubnetVar = "VIRTLET_CALICO_SUBNET"
 )
 
 // PodNetworkDesc contains the data that are required by TapFDSource
@@ -151,6 +155,7 @@ func (s *TapFDSource) GetFD(key string, data []byte) (int, []byte, error) {
  if netConfig.IPs[0].Version != "4" {
  return 0, nil, errors.New("IPv4 config was expected")
  }
+ netConfig.IPs[0].Address.Mask = netmaskForCalico()
  netConfig.IPs[0].Gateway = s.dummyGateway
  netConfig.Routes = []*cnitypes.Route{
  {
@@ -304,20 +309,15 @@ func fixCNIResult(netConfig *cnicurrent.Result, csn *nettools.ContainerSideNetwo
  }
 }
 
-func calcNetmaskForCalico(ipA, ipB net.IP) (net.IPMask, error) {
- var a, b uint
- for _, v := range ipA {
- a = (a << 8) + uint(v)
- }
- for _, v := range ipB {
- b = (b << 8) + uint(v)
- }
- for n := 30; n >= 0; n-- {
- m := (uint(1) << uint(32-n)) - 1
- // avoid zero and broadcast addrs
- if (a&^m) == (b&^m) && (a&m) != 0 && (b&m) != 0 && (a&m) != m && (b&m) != m {
- return net.CIDRMask(n, 32), nil
+func netmaskForCalico() net.IPMask {
+ n := calicoDefaultSubnet
+ subnetStr := os.Getenv(calicoSubnetVar)
+ if subnetStr != "" {
+ n, err := strconv.Atoi(subnetStr)
+ if err != nil || n <= 0 || n > 30 {
+ glog.Warningf("bad calico subnet %q, using /%d", subnetStr, calicoDefaultSubnet)
+ n = calicoDefaultSubnet
  }
  }
- return nil, errors.New("addresses too different")
+ return net.CIDRMask(n, 32)
 }