Red Hat Summit5.2. Configuring and using multiple networks
After you have installed the MicroShift Multus Container Network Interface (CNI), you can use other networking plugins by using configurations.
5.2.1. IP address management types and additional networks
IP addresses are provisioned for an additional network through an IP Address Management (IPAM) CNI plugin that you configure. Supported IP address provisioning types in MicroShift are host-local, static, and dhcp.
5.2.1.1. bridge interface specifics
When using the bridge type interface and the dhcp IPAM, a DHCP server listening on the bridged network is required. If you are using a firewall, configuring the firewalld service by running the firewall-cmd --remove-service=dhcp command to allow DHCP traffic on the network zone is also required.
5.2.1.2. macvlan interface specifics
The macvlan type interface accesses the network that the host is connected to. This means that the interface can receive an IP address from the DHCP server on the host network if the dhcp IPAM plugin is used.
5.2.1.3. ipvlan interface specifics
The ipvlan interface also has direct access to the host network, but shares a MAC address with the host interface. The ipvlan type interface cannot be used with the dhcp plugin because of the shared MAC address. The IPAM plugin does not support the DHCP protocol with ClientID.
5.2.2. Creating a NetworkAttachmentDefinition for an additional network
Use the following procedure to create a NetworkAttachmentDefinition configuration file for an additional network. In this example, a bridge-type interface is used. You can also use the example workflow here that uses host-local IP address management (IPAM) to configure other supported additional network types.
If you use bridge and the dhcp IPAM, a DHCP server listening on the bridged network is required. If you are also using a firewall, configuring the firewalld service to allow DHCP traffic on the network zone is also required. You can run the firewall-cmd --remove-service=dhcp command in this case.
Prerequisites
- The MicroShift Multus CNI is installed.
-
The OpenShift CLI (
oc) is installed. - MicroShift is running.
Procedure
Optional: Verify that the MicroShift node is running with the Multus CNI by running the following command:
$ oc get pods -n openshift-multusExample output
NAME READY STATUS RESTARTS AGE dhcp-daemon-dfbzw 1/1 Running 0 5h multus-rz8xc 1/1 Running 0 5hCreate a
NetworkAttachmentDefinitionconfiguration file by running the following command and using the following example file for reference:$ oc apply -f network-attachment-definition.yamlExample
NetworkAttachmentDefinitionfileapiVersion: "k8s.cni.cncf.io/v1" kind: NetworkAttachmentDefinition metadata: name: bridge-conf spec: config: '{ "cniVersion": "0.4.0", "type": "bridge",1 "bridge": "br-test",2 "mode": "bridge", "ipam": { "type": "host-local",3 "ranges": [ [ { "subnet": "10.10.0.0/24", "rangeStart": "10.10.0.20", "rangeEnd": "10.10.0.50", "gateway": "10.10.0.254" } ], [ { "subnet": "fd00:IJKL:MNOP:10::0/64",4 "rangeStart": "fd00:IJKL:MNOP:10::1", "rangeEnd": "fd00:IJKL:MNOP:10::9" "dataDir": "/var/lib/cni/br-test" } }'- 1
- The
typevalue specifies a name of the CNI plugin. This example uses thebridgetype. - 2
- The
bridgevalue is name of the bridge on the MicroShift host that is used. The additional interface of the pod is connected to that bridge. If the interface does not exist on the host, the Bridge CNI creates it. If the interface already exists, it is reused. In this example, the name of the interface isbr-test. - 3
- The IPAM type.
- 4
- IPv6 addresses can be added to the secondary interface.
注記Using the name of the bridge is specific to the
bridgetype of plugin. Other plugins use different fields in theirNetworkAttachmentDefinitions. For example, themacvlanandipvlanconfigurations usemasterto specify the host interface to attach.
5.2.3. Adding a pod to an additional network
You can add a pod to an additional network. At the time a pod is created, additional networks are attached to it. The pod continues to send normal node-related network traffic over the default network.
If you want to attach additional networks to a pod that is already running, you must restart the pod.
Prerequisites
-
The OpenShift CLI (
oc) is installed. - The node is running.
-
A network defined by a
NetworkAttachmentDefinitionobject that you want to attach the pod to exists.
Procedure
Add an annotation to a
PodYAML file. Only one of the following annotation formats can be used:To attach an additional network without any customization, add an annotation with the following format. Replace
<network>with the name of the additional network to associate with the pod:apiVersion: v1 kind: Pod metadata: annotations: k8s.v1.cni.cncf.io/networks: <network>[,<network>,...]1 # ...- 1
- Replace
<network>with the name of each additional network to associate with the pod. To specify more than one additional network, separate each network with a comma. Do not include whitespaces between the commas. If you specify the same additional network multiple times, that pod has multiple network interfaces attached to that network.
Example annotation for a bridge-type additional network
apiVersion: v1 kind: Pod metadata: annotations: k8s.v1.cni.cncf.io/networks: bridge-conf # ...To attach an additional network with customizations, add an annotation with the following format:
apiVersion: v1 kind: Pod metadata: annotations: k8s.v1.cni.cncf.io/networks: |- [ { "name": "<network>",1 "namespace": "<namespace>",2 "default-route": ["<default-route>"]3 } ] # ...
To create a
PodYAML file and add theNetworkAttachmentDefinitionannotation for an additional network, run the following command and use the example YAML:$ oc apply -f ./<test_bridge>.yaml1 - 1
- Replace
<test_bridge>with the pod name that you want to use.
Example output
pod/test_bridge createdExample
test_bridgepod YAMLapiVersion: v1 kind: Pod metadata: name: test_bridge annotations: k8s.v1.cni.cncf.io/networks: bridge-conf labels: app: test_bridge spec: terminationGracePeriodSeconds: 0 containers: - name: hello-microshift image: quay.io/microshift/busybox:1.36 command: ["/bin/sh"] args: ["-c", "while true; do echo -ne \"HTTP/1.0 200 OK\r\nContent-Length: 16\r\n\r\nHello MicroShift\" | nc -l -p 8080 ; done"] ports: - containerPort: 8080 protocol: TCP securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL runAsNonRoot: true runAsUser: 1001 runAsGroup: 1001 seccompProfile: type: RuntimeDefaultMake sure that the
NetworkAttachmentDefinitionannotation is correct:Example
NetworkAttachmentDefinitionannotationapiVersion: v1 kind: Pod metadata: annotations: k8s.v1.cni.cncf.io/networks: bridge-conf # ...Optional: To confirm that the
NetworkAttachmentDefinitionannotation exists in aPodYAML, run the following command, replacing<name>with the name of the pod.$ oc get pod <name> -o yaml1 - 1
- Replace
<name>with the pod name you want to use. In the following example,<test_bridge>is used.
In the following example, the
test_bridgeis attached to thenet1additional network:$ oc get pod <test_bridge> -o yaml1 - 1
- Replace <test_bridge> with the name of the bridge you want to use.
Example output
apiVersion: v1 kind: Pod metadata: annotations: k8s.v1.cni.cncf.io/networks: bridge-conf k8s.v1.cni.cncf.io/network-status: |-1 [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.42.0.18" ], "default": true, "dns": {} },{ "name": "bridge-conf", "interface": "net1", "ips": [ "20.2.2.100" ], "mac": "22:2f:60:a5:f8:00", "dns": {} }] name: pod namespace: default spec: # ... status: # ...- 1
- The
k8s.v1.cni.cncf.io/network-statusparameter is a JSON array of objects. Each object describes the status of an additional network attached to the pod. The annotation value is stored as a plain text value.
Verify that the pod is running by running the following command:
$ oc get podExample output
NAME READY STATUS RESTARTS AGE test_bridge 1/1 Running 0 81s
5.2.4. Configuring an additional network
After you have created the NetworkAttachmentDefinition object and applied it, use the following example procedure to configure an additional network. In this example, the bridge type additional network is used. You can also use this workflow for other additional network types.
Prerequisite
-
You created and applied the
NetworkAttachmentDefinitionobject configuration.
Procedure
Verify that the bridge was created on the host by running the following command:
$ ip a show br-testExample output
22: br-test: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 96:bf:ca:be:1d:15 brd ff:ff:ff:ff:ff:ff inet6 fe80::34e2:bbff:fed2:31f2/64 scope link valid_lft forever preferred_lft foreverConfigure an IP address for the bridge by running the following command:
$ sudo ip addr add 10.10.0.10/24 dev br-testVerify that the IP address configuration is added to the bridge by running the following command:
$ ip a show br-testExample output
22: br-test: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 96:bf:ca:be:1d:15 brd ff:ff:ff:ff:ff:ff inet 10.10.0.10/24 scope global br-test1 valid_lft forever preferred_lft forever inet6 fe80::34e2:bbff:fed2:31f2/64 scope link valid_lft forever preferred_lft forever- 1
- The IP address is configured as expected.
Verify the IP address of the pod by running the following command:
$ oc get pod test-bridge --output=jsonpath='{.metadata.annotations.k8s\.v1\.cni\.cncf\.io/network-status}'Example output
[{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.42.0.17" ], "mac": "0a:58:0a:2a:00:11", "default": true, "dns": {} },{ "name": "default/bridge-conf",1 "interface": "net1", "ips": [ "10.10.0.20" ], "mac": "82:01:98:e5:0c:b7", "dns": {}- 1
- The bridge additional network is attached as expected.
Optional: You can use
oc execto access the pod and confirm its interfaces by using theipcommand:$ oc exec -ti test-bridge -- ip aExample output
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0@if21: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue link/ether 0a:58:0a:2a:00:11 brd ff:ff:ff:ff:ff:ff inet 10.42.0.17/24 brd 10.42.0.255 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::858:aff:fe2a:11/64 scope link valid_lft forever preferred_lft forever 3: net1@if23: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue link/ether 82:01:98:e5:0c:b7 brd ff:ff:ff:ff:ff:ff inet 10.10.0.20/24 brd 10.10.0.255 scope global net11 valid_lft forever preferred_lft forever inet6 fe80::8001:98ff:fee5:cb7/64 scope link valid_lft forever preferred_lft forever- 1
- Pod is attached to the 10.10.0.20 IP address on the
net1 interfaceas expected.
Confirm that the connection is working as expected by accessing the HTTP server in the pod from the MicroShift host. Use the following command:
$ curl 10.10.0.20:8080Example output
Hello MicroShift
5.2.5. Removing a pod from a secondary network
You can remove a pod from a secondary network only by deleting the pod.
Prerequisites
- A secondary network is attached to the pod.
-
Install the OpenShift CLI (
oc). - Log in to the cluster.
Procedure
To delete the pod, enter the following command:
$ oc delete pod <name> -n <namespace>-
<name>is the name of the pod. -
<namespace>is the namespace that contains the pod.
-
5.2.6. Troubleshooting Multus networking
If the settings for multiple networks are not configured properly, pods can fail to start. The following steps can help you solve for a couple common scenarios.
5.2.6.1. Pod networking cannot be configured
If the Multus CNI plugin cannot apply networking annotations to a pod, the pod does not start. Pods can also fail to start if any of the additional network CNIs fail.
Example error
Warning NoNetworkFound 0s multus cannot find a network-attachment-definitio (asdasd) in namespace (default): network-attachment-definitions.k8s.cni.cncf.io "bad-ref-doesnt-exist" not foundIn this case, you can take the following steps to trouble CNI failures:
-
Verify the values in both the
NetworkAttachmentDefinitionsand the annotations. - Remove the annotation to verify whether the pod is created successfully with just the default network. If not, this might indicate a networking problem other than the Multus configuration.
If you are a device administrator, you can inspect the
crio.serviceormicroshift.servicelogs, paying special attention to those that are generated by thekubelet.For example, the following error from the
kubeletshows that the primary CNI is not running. This situation can be caused by pods not starting or because of a CRI-O misconfiguration such as an incorrectcni_default_networksetting.Example kubelet-generated error
Feb 06 13:47:31 dev microshift[1494]: kubelet E0206 13:47:31.163290 1494 pod_workers.go:1298] "Error syncing pod, skipping" err="network is not ready: container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:Network plugin returns error: No CNI configuration file in /etc/cni/net.d/. Has your network provider started?" pod="default/samplepod" podUID="fe0f7f7a-8c47-4488-952b-8abc0d8e2602"
5.2.6.2. Missing configuration file
Sometimes a pod cannot be created because the annotations reference a NetworkAttachmentDefinition configuration YAML that does not exist. In this case an error such as the following is usually produced:
Example log
cannot find a network-attachment-definition (bad-conf) in namespace (default): network-attachment-definitions.k8s.cni.cncf.io "bad-conf" not found" pod="default/samplepod"`Example error output
"CreatePodSandbox for pod failed" err="rpc error: code = Unknown desc = failed to create pod network sandbox k8s_samplepod_default_5fa13105-1bfb-4c6b-aee7-3437cfb50e25_0(7517818bd8e85f07b551f749c7529be88b4e7daef0dd572d049aa636950c76c6): error adding pod default_samplepod to CNI network \"multus-cni-network\": plugin type=\"multus\" name=\"multus-cni-network\" failed (add): Multus: [default/samplepod/5fa13105-1bfb-4c6b-aee7-3437cfb50e25]: error loading k8s delegates k8s args: TryLoadPodDelegates: error in getting k8s network for pod: GetNetworkDelegates: failed getting the delegate: getKubernetesDelegate: cannot find a network-attachment-definition (bad-conf) in namespace (default): network-attachment-definitions.k8s.cni.cncf.io \"bad-conf\" not found" pod="default/samplepod"
To fix this error, create and apply the NetworkAttachmentDefinitions YAML.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}