host-device: copy host interface IP addresses and routes into container#1257
Open
SchSeba wants to merge 1 commit intocontainernetworking:mainfrom
Open
host-device: copy host interface IP addresses and routes into container#1257SchSeba wants to merge 1 commit intocontainernetworking:mainfrom
SchSeba wants to merge 1 commit intocontainernetworking:mainfrom
Conversation
SchSeba
force-pushed
the
host-device-l3-info
branch
from
f19acf4 to
0feea32
Compare
Add a new configuration option `useInterfaceNetwork` that instructs the
host-device plugin to capture the interface's IP addresses and routes
from the host before moving the device into the container namespace,
and then apply them inside the container.
This is critical for virtual environments (AWS, IBM Cloud, GPC) where
the cloud provider configures IP addresses and routes directly on the
network device. In these environments, there is no traditional IPAM
source; the ground truth for L3 configuration lives on the host
interface itself.
When `useInterfaceNetwork` is enabled, the plugin:
- Captures all global-scope addresses and non-local routes from the
host device before moving it into the container namespace.
- Applies the captured addresses and routes to the interface inside
the container.
- Reports the addresses and routes in the CNI result (merged with
any IPAM result if an IPAM plugin is also configured).
NOTE: The interface configuration on the host node must be persistent.
When the device is moved back to the host (via DEL) and renamed to its
original name, the system's network management service (e.g.
NetworkManager, systemd-networkd, cloud-init, or cloud-specific agents)
is expected to detect the device and re-apply the IP addresses and
routes. This plugin does NOT re-configure the host interface on DEL; it
relies on the node's network configuration being declarative and
reconciled by the platform's networking stack.
Also implements the STATUS command to verify the host device exists,
replacing the previous TODO stub.
Signed-off-by: Sebastian Sch <sebassch@gmail.com>
SchSeba
force-pushed
the
host-device-l3-info
branch
from
0feea32 to
df398aa
Compare
Contributor
Author
|
Hi @s1061123 @squeed @LionelJouin if you have time please take a look on the PR. |
karampok
reviewed
May 5, 2026
| localRouteTable = 255 | ||
| ) | ||
|
|
||
| // HostNetworkStateFile holds the captured host-side L3 configuration |
Contributor
There was a problem hiding this comment.
personal preference no comment unless exported
|
|
||
| // HostNetworkStateFile holds the captured host-side L3 configuration | ||
| // (addresses, routes, and rules) that should be applied to the container interface. | ||
| type HostNetworkStateFile struct { |
Contributor
There was a problem hiding this comment.
prefix ^File$ not very nice not really a file. May InterfaceInfo, InterfaceConfig, or just Interface
| type HostNetworkStateFile struct { | ||
| HostIfName string `json:"hostIfName"` | ||
| HostLinkWasUp bool `json:"hostLinkWasUp"` | ||
| Addresses []string `json:"addresses,omitempty"` |
Contributor
There was a problem hiding this comment.
can we use netlink.Addr, netlink.routes, rule
|
|
||
| // applyNetworkStateToPod applies captured state to the moved interface inside the pod namespace. | ||
| func applyNetworkStateToPod(containerNs ns.NetNS, contDev netlink.Link, state *HostNetworkStateFile) error { | ||
| if state == nil { |
Contributor
There was a problem hiding this comment.
having that check, (imo) indicates that this function maybe should be method to the struct.
| }, | ||
| }, | ||
| } | ||
| mergeNetworkStateIntoResult(result, state) |
Contributor
There was a problem hiding this comment.
imo if user decides to keep network config from the host then we should ignore IPAM or block the combination witt IPAM in the config. I think is either IPAM, or host network config (no ip is also valid config)
| ) | ||
|
|
||
| // TestUseInterfaceNetwork verifies useInterfaceNetwork boolean behavior. | ||
| func TestUseInterfaceNetwork(t *testing.T) { |
Contributor
There was a problem hiding this comment.
what exactly this test is doing?
| } | ||
|
|
||
| // TestStateJSONHasNoNeighbors verifies state serialization excludes neighbors. | ||
| func TestStateJSONHasNoNeighbors(t *testing.T) { |
Contributor
There was a problem hiding this comment.
what exactly this test is doing? Not sure the tests in the file really add value
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add a new configuration option
useInterfaceNetworkthat instructs the host-device plugin to capture the interface's IP addresses and routes from the host before moving the device into the container namespace, and then apply them inside the container.This is critical for virtual environments (AWS, IBM Cloud, GPC) where the cloud provider configures IP addresses and routes directly on the network device. In these environments, there is no traditional IPAM source; the ground truth for L3 configuration lives on the host interface itself.
When
useInterfaceNetworkis enabled, the plugin:NOTE: The interface configuration on the host node must be persistent. When the device is moved back to the host (via DEL) and renamed to its original name, the system's network management service (e.g. NetworkManager, systemd-networkd, cloud-init, or cloud-specific agents) is expected to detect the device and re-apply the IP addresses and routes. This plugin does NOT re-configure the host interface on DEL; it relies on the node's network configuration being declarative and reconciled by the platform's networking stack.
Also implements the STATUS command to verify the host device exists, replacing the previous TODO stub.