Merge pull request #5101 from npinaeva/test-kernel-2

Update github runners to use the new kernel

Author: trozet

.github/workflows/test.yml

@@ -38,7 +38,7 @@ jobs:
   # separate job for parallelism
   lint:
     name: Lint
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
     - name: Check out code
       uses: actions/checkout@v4
@@ -63,7 +63,7 @@ jobs:
 
   build-master:
     name: Build-master
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
     # Create a cache for the built master image
     - name: Restore master image cache
@@ -156,7 +156,7 @@ jobs:
 
   build-pr:
     name: Build-PR
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
     # Create a cache for the build PR image
     - name: Restore PR image cache
@@ -271,7 +271,7 @@ jobs:
   ovn-upgrade-e2e:
     name: Upgrade OVN from Master to PR branch based image
     if: github.event_name != 'schedule'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 120
     needs:
       - build-master
@@ -319,10 +319,9 @@ jobs:
         sudo rm -rf /usr/local/lib/android/sdk
         sudo apt-get update
         sudo eatmydata apt-get purge --auto-remove -y \
-          azure-cli aspnetcore-* dotnet-* ghc-* firefox \
+          azure-cli firefox \
           google-chrome-stable \
-          llvm-* microsoft-edge-stable mono-* \
-          msbuild mysql-server-core-* php-* php7* \
+          llvm-* microsoft-edge-stable \
           powershell temurin-* zulu-*
         # clean unused packages
         sudo apt-get autoclean
@@ -422,7 +421,7 @@ jobs:
 
   e2e:
     name: e2e
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     # 30 mins for kind, 180 mins for control-plane tests, 10 minutes for all other steps
     timeout-minutes: 220
     strategy:
@@ -495,7 +494,6 @@ jobs:
       OVN_SECOND_BRIDGE: "${{ matrix.second-bridge == '2br' }}"
       ENABLE_MULTI_NET: "${{ matrix.target == 'multi-homing' || matrix.target == 'kv-live-migration' || matrix.target == 'network-segmentation' || matrix.target == 'tools' || matrix.target == 'multi-homing-helm' || matrix.target == 'traffic-flow-test-only' || matrix.routeadvertisements != '' }}"
       ENABLE_NETWORK_SEGMENTATION: "${{ matrix.target == 'network-segmentation' || matrix.network-segmentation == 'enable-network-segmentation' }}"
-      DISABLE_UDN_HOST_ISOLATION: "true"
       PLATFORM_IPV4_SUPPORT: "${{ matrix.ipfamily == 'IPv4' || matrix.ipfamily == 'dualstack' }}"
       PLATFORM_IPV6_SUPPORT: "${{ matrix.ipfamily == 'IPv6' || matrix.ipfamily == 'dualstack' }}"
       KIND_INSTALL_KUBEVIRT: "${{ matrix.target == 'kv-live-migration' }}"
@@ -526,10 +524,9 @@ jobs:
         sudo rm -rf /usr/local/lib/android/sdk
         sudo apt-get update
         sudo eatmydata apt-get purge --auto-remove -y \
-          azure-cli aspnetcore-* dotnet-* ghc-* firefox \
+          azure-cli firefox \
           google-chrome-stable \
-          llvm-* microsoft-edge-stable mono-* \
-          msbuild mysql-server-core-* php-* php7* \
+          llvm-* microsoft-edge-stable \
           powershell temurin-* zulu-*
         # clean unused packages
         sudo apt-get autoclean
@@ -713,7 +710,7 @@ jobs:
   e2e-dual-conversion:
     name: e2e-dual-conversion
     if: github.event_name != 'schedule'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 60
     strategy:
       fail-fast: false
@@ -762,10 +759,9 @@ jobs:
         sudo rm -rf /usr/local/lib/android/sdk
         sudo apt-get update
         sudo eatmydata apt-get purge --auto-remove -y \
-          azure-cli aspnetcore-* dotnet-* ghc-* firefox \
+          azure-cli firefox \
           google-chrome-stable \
-          llvm-* microsoft-edge-stable mono-* \
-          msbuild mysql-server-core-* php-* php7* \
+          llvm-* microsoft-edge-stable \
           powershell temurin-* zulu-*
         # clean unused packages
         sudo apt-get autoclean

dist/images/ovnkube.sh

@@ -2162,7 +2162,6 @@ ovnkube-controller-with-node() {
     --nodeport \
     --ovn-metrics-bind-address ${ovn_metrics_bind_address} \
     --pidfile ${OVN_RUNDIR}/ovnkube-controller-with-node.pid \
-    --disable-udn-host-isolation \
     --zone ${ovn_zone} &
 
   wait_for_event attempts=3 process_ready ovnkube-controller-with-node
@@ -2814,7 +2813,6 @@ ovn-node() {
         --nodeport \
         --ovn-metrics-bind-address ${ovn_metrics_bind_address} \
         --pidfile ${OVN_RUNDIR}/ovnkube.pid \
-        --disable-udn-host-isolation \
         --zone ${ovn_zone} &
 
   wait_for_event attempts=3 process_ready ovnkube

go-controller/pkg/config/config.go

@@ -425,18 +425,15 @@ type OVNKubernetesFeatureConfig struct {
 	EnableNetworkSegmentation       bool `gcfg:"enable-network-segmentation"`
 	EnablePreconfiguredUDNAddresses bool `gcfg:"enable-preconfigured-udn-addresses"`
 	EnableRouteAdvertisements       bool `gcfg:"enable-route-advertisements"`
-	// This feature requires a kernel fix https://github.com/torvalds/linux/commit/7f3287db654395f9c5ddd246325ff7889f550286
-	// to work on a kind cluster. Flag allows to disable it for current CI, will be turned on when github runners have this fix.
-	DisableUDNHostIsolation      bool `gcfg:"disable-udn-host-isolation"`
-	EnableMultiNetworkPolicy     bool `gcfg:"enable-multi-networkpolicy"`
-	EnableStatelessNetPol        bool `gcfg:"enable-stateless-netpol"`
-	EnableInterconnect           bool `gcfg:"enable-interconnect"`
-	EnableMultiExternalGateway   bool `gcfg:"enable-multi-external-gateway"`
-	EnablePersistentIPs          bool `gcfg:"enable-persistent-ips"`
-	EnableDNSNameResolver        bool `gcfg:"enable-dns-name-resolver"`
-	EnableServiceTemplateSupport bool `gcfg:"enable-svc-template-support"`
-	EnableObservability          bool `gcfg:"enable-observability"`
-	EnableNetworkQoS             bool `gcfg:"enable-network-qos"`
+	EnableMultiNetworkPolicy        bool `gcfg:"enable-multi-networkpolicy"`
+	EnableStatelessNetPol           bool `gcfg:"enable-stateless-netpol"`
+	EnableInterconnect              bool `gcfg:"enable-interconnect"`
+	EnableMultiExternalGateway      bool `gcfg:"enable-multi-external-gateway"`
+	EnablePersistentIPs             bool `gcfg:"enable-persistent-ips"`
+	EnableDNSNameResolver           bool `gcfg:"enable-dns-name-resolver"`
+	EnableServiceTemplateSupport    bool `gcfg:"enable-svc-template-support"`
+	EnableObservability             bool `gcfg:"enable-observability"`
+	EnableNetworkQoS                bool `gcfg:"enable-network-qos"`
 }
 
 // GatewayMode holds the node gateway mode
@@ -1087,12 +1084,6 @@ var OVNK8sFeatureFlags = []cli.Flag{
 		Destination: &cliConfig.OVNKubernetesFeature.EnableMultiNetworkPolicy,
 		Value:       OVNKubernetesFeature.EnableMultiNetworkPolicy,
 	},
-	&cli.BoolFlag{
-		Name:        "disable-udn-host-isolation",
-		Usage:       "Configure to disable UDN host isolation with ovn-kubernetes.",
-		Destination: &cliConfig.OVNKubernetesFeature.DisableUDNHostIsolation,
-		Value:       OVNKubernetesFeature.DisableUDNHostIsolation,
-	},
 	&cli.BoolFlag{
 		Name:        "enable-network-segmentation",
 		Usage:       "Configure to use network segmentation feature with ovn-kubernetes.",

go-controller/pkg/node/default_node_network_controller.go

@@ -150,7 +150,7 @@ func newDefaultNodeNetworkController(cnnci *CommonNodeNetworkControllerInfo, sto
 		routeManager: routeManager,
 		ovsClient:    ovsClient,
 	}
-	if util.IsNetworkSegmentationSupportEnabled() && !config.OVNKubernetesFeature.DisableUDNHostIsolation {
+	if util.IsNetworkSegmentationSupportEnabled() {
 		c.udnHostIsolationManager = NewUDNHostIsolationManager(config.IPv4Mode, config.IPv6Mode,
 			cnnci.watchFactory.PodCoreInformer(), cnnci.name, cnnci.recorder)
 	}

test/e2e/network_segmentation.go

@@ -385,52 +385,50 @@ var _ = Describe("Network Segmentation", feature.NetworkSegmentation, func() {
 						}, 10*time.Second, 1*time.Second).Should(BeTrue())
 						Expect(udnPod.Status.ContainerStatuses[0].RestartCount).To(Equal(int32(0)))
 
-						if !isUDNHostIsolationDisabled() {
-							By("checking default network hostNetwork pod and non-kubelet host process can't reach the UDN pod")
-							hostNetPod, err := createPod(f, "host-net-pod", nodeName,
-								defaultNetNamespace, []string{}, nil, func(pod *v1.Pod) {
-									pod.Spec.HostNetwork = true
-								})
-							Expect(err).NotTo(HaveOccurred())
+						By("checking default network hostNetwork pod and non-kubelet host process can't reach the UDN pod")
+						hostNetPod, err := createPod(f, "host-net-pod", nodeName,
+							defaultNetNamespace, []string{}, nil, func(pod *v1.Pod) {
+								pod.Spec.HostNetwork = true
+							})
+						Expect(err).NotTo(HaveOccurred())
 
-							// positive check for reachable default network pod
-							for _, destIP := range []string{defaultIPv4, defaultIPv6} {
-								if destIP == "" {
-									continue
-								}
-								By("checking the default network hostNetwork can reach default pod on IP " + destIP)
-								Eventually(func() bool {
-									return connectToServer(podConfiguration{namespace: hostNetPod.Namespace, name: hostNetPod.Name}, destIP, podClusterNetDefaultPort) == nil
-								}).Should(BeTrue())
-								By("checking the non-kubelet host process can reach default pod on IP " + destIP)
-								Eventually(func() bool {
-									_, err := infraprovider.Get().ExecK8NodeCommand(nodeName, []string{
-										"curl", "--connect-timeout", "2",
-										net.JoinHostPort(destIP, fmt.Sprintf("%d", podClusterNetDefaultPort)),
+						// positive check for reachable default network pod
+						for _, destIP := range []string{defaultIPv4, defaultIPv6} {
+							if destIP == "" {
+								continue
+							}
+							By("checking the default network hostNetwork can reach default pod on IP " + destIP)
+							Eventually(func() bool {
+								return connectToServer(podConfiguration{namespace: hostNetPod.Namespace, name: hostNetPod.Name}, destIP, podClusterNetDefaultPort) == nil
+							}).Should(BeTrue())
+							By("checking the non-kubelet host process can reach default pod on IP " + destIP)
+							Eventually(func() bool {
+								_, err := infraprovider.Get().ExecK8NodeCommand(nodeName, []string{
+									"curl", "--connect-timeout", "2",
+									net.JoinHostPort(destIP, fmt.Sprintf("%d", podClusterNetDefaultPort)),
 									})
-									return err == nil
-								}).Should(BeTrue())
+								return err == nil
+							}).Should(BeTrue())
+						}
+						// negative check for UDN pod
+						for _, destIP := range []string{udnIPv4, udnIPv6} {
+							if destIP == "" {
+								continue
 							}
-							// negative check for UDN pod
-							for _, destIP := range []string{udnIPv4, udnIPv6} {
-								if destIP == "" {
-									continue
-								}
 
-								By("checking the default network hostNetwork pod can't reach UDN pod on IP " + destIP)
-								Consistently(func() bool {
-									return connectToServer(podConfiguration{namespace: hostNetPod.Namespace, name: hostNetPod.Name}, destIP, podClusterNetPort) != nil
-								}, 5*time.Second).Should(BeTrue())
+							By("checking the default network hostNetwork pod can't reach UDN pod on IP " + destIP)
+							Consistently(func() bool {
+								return connectToServer(podConfiguration{namespace: hostNetPod.Namespace, name: hostNetPod.Name}, destIP, podClusterNetPort) != nil
+							}, 5*time.Second).Should(BeTrue())
 
-								By("checking the non-kubelet host process can't reach UDN pod on IP " + destIP)
-								Consistently(func() bool {
-									_, err := infraprovider.Get().ExecK8NodeCommand(nodeName, []string{
-										"curl", "--connect-timeout", "2",
-										net.JoinHostPort(destIP, fmt.Sprintf("%d", podClusterNetPort)),
+							By("checking the non-kubelet host process can't reach UDN pod on IP " + destIP)
+							Consistently(func() bool {
+								_, err := infraprovider.Get().ExecK8NodeCommand(nodeName, []string{
+									"curl", "--connect-timeout", "2",
+									net.JoinHostPort(destIP, fmt.Sprintf("%d", podClusterNetPort)),
 									})
-									return err != nil
-								}, 5*time.Second).Should(BeTrue())
-							}
+								return err != nil
+							}, 5*time.Second).Should(BeTrue())
 						}
 
 						By("asserting UDN pod can reach the kapi service in the default network")
@@ -1646,12 +1644,10 @@ spec:
 					return connectToServer(podConfiguration{namespace: defaultClientPod.Namespace, name: defaultClientPod.Name}, destIP, podClusterNetPort) != nil
 				}, 5*time.Second).Should(BeTrue())
 
-				if !isUDNHostIsolationDisabled() {
-					By("checking the default hostNetwork pod can't reach UDN pod on IP " + destIP)
-					Consistently(func() bool {
-						return connectToServer(podConfiguration{namespace: hostNetPod.Namespace, name: hostNetPod.Name}, destIP, podClusterNetPort) != nil
-					}, 5*time.Second).Should(BeTrue())
-				}
+				By("checking the default hostNetwork pod can't reach UDN pod on IP " + destIP)
+				Consistently(func() bool {
+					return connectToServer(podConfiguration{namespace: hostNetPod.Namespace, name: hostNetPod.Name}, destIP, podClusterNetPort) != nil
+				}, 5*time.Second).Should(BeTrue())
 			}
 
 			By("Open UDN pod port")
@@ -1696,12 +1692,10 @@ spec:
 					return connectToServer(podConfiguration{namespace: defaultClientPod.Namespace, name: defaultClientPod.Name}, destIP, podClusterNetPort) != nil
 				}, 5*time.Second).Should(BeTrue())
 
-				if !isUDNHostIsolationDisabled() {
-					By("checking the default hostNetwork pod can't reach UDN pod on IP " + destIP)
-					Eventually(func() bool {
-						return connectToServer(podConfiguration{namespace: hostNetPod.Namespace, name: hostNetPod.Name}, destIP, podClusterNetPort) != nil
-					}, 5*time.Second).Should(BeTrue())
-				}
+				By("checking the default hostNetwork pod can't reach UDN pod on IP " + destIP)
+				Eventually(func() bool {
+					return connectToServer(podConfiguration{namespace: hostNetPod.Namespace, name: hostNetPod.Name}, destIP, podClusterNetPort) != nil
+				}, 5*time.Second).Should(BeTrue())
 			}
 			By("Verify syntax error is reported via event")
 			events, err := cs.CoreV1().Events(udnPod.Namespace).List(context.Background(), metav1.ListOptions{})

test/e2e/node_ip_mac_migration.go

@@ -953,26 +953,31 @@ func migrateWorkerNodeIP(nodeName, fromIP, targetIP string, invertOrder bool) (e
 
 	// Define a function to change the IP address for later use.
 	changeIPAddress := func() error {
-		// Add new IP first - this will preserve the default route.
 		newIPMask := targetIP + "/" + mask
-		framework.Logf("Adding new IP address %s to node %s", newIPMask, nodeName)
-		// Add cleanup command.
-		cleanupCmd := []string{"ip", "address", "del", newIPMask, "dev", iface}
+
+		// Delete current IP address. If you add a second ip from the same subnet to an interface, it will
+		// be considered a secondary IP address and will be deleted together with the primary (aka old) IP.
+		framework.Logf("Deleting current IP address %s from node %s", parsedNetIPMask.String(), nodeName)
+		// Add cleanup command to add original IP back to the end of the cleanupCommands list.
+		// This way, we preserve first delete then add new IP sequence.
+		cleanupCmd := []string{"ip", "address", "add", parsedNetIPMask.String(), "dev", iface}
 		cleanupCommands = append(cleanupCommands, cleanupCmd)
 		// Run command.
-		_, err = infraprovider.Get().ExecK8NodeCommand(nodeName, []string{"ip", "address", "add", newIPMask, "dev", iface})
+		_, err = infraprovider.Get().ExecK8NodeCommand(nodeName, []string{"ip", "address", "del", parsedNetIPMask.String(), "dev", iface})
 		if err != nil {
-			return fmt.Errorf("failed to add new IP %s to interface %s on node %s: %v", newIPMask, iface, nodeName, err)
+			return err
 		}
-		// Delete current IP address. On rollback, first add the old IP and then delete the new one.
-		framework.Logf("Deleting current IP address %s from node %s", parsedNetIPMask.String(), nodeName)
-		// Add cleanup command.
-		cleanupCmd = []string{"ip", "address", "add", parsedNetIPMask.String(), "dev", iface}
+
+		// Now add new IP.
+		framework.Logf("Adding new IP address %s to node %s", newIPMask, nodeName)
+		// Add cleanup command to remove the new IP address to the beginning of the cleanupCommands list.
+		cleanupCmd = []string{"ip", "address", "del", newIPMask, "dev", iface}
 		cleanupCommands = append([][]string{cleanupCmd}, cleanupCommands...)
+
 		// Run command.
-		_, err = infraprovider.Get().ExecK8NodeCommand(nodeName, []string{"ip", "address", "del", parsedNetIPMask.String(), "dev", iface})
+		_, err = infraprovider.Get().ExecK8NodeCommand(nodeName, []string{"ip", "address", "add", newIPMask, "dev", iface})
 		if err != nil {
-			return err
+			return fmt.Errorf("failed to add new IP %s to interface %s on node %s: %v", newIPMask, iface, nodeName, err)
 		}
 		return nil
 	}

test/e2e/util.go

@@ -1144,11 +1144,6 @@ func isInterconnectEnabled() bool {
 	return present && val == "true"
 }
 
-func isUDNHostIsolationDisabled() bool {
-	val, present := os.LookupEnv("DISABLE_UDN_HOST_ISOLATION")
-	return present && val == "true"
-}
-
 func isNetworkSegmentationEnabled() bool {
 	val, present := os.LookupEnv("ENABLE_NETWORK_SEGMENTATION")
 	return present && val == "true"