Merge pull request #99 from almaslennikov/module-check

Add MOFED driver pre-flight checks: module deps and userspace users

Author: e0ne

cmd/network-operator-init-container/app/app.go

@@ -17,6 +17,7 @@ package app
 import (
 	"context"
 	"fmt"
+	"strings"
 	"sync"
 	"time"
 
@@ -40,6 +41,7 @@ import (
 
 	"github.com/Mellanox/network-operator-init-container/cmd/network-operator-init-container/app/options"
 	configPgk "github.com/Mellanox/network-operator-init-container/pkg/config"
+	"github.com/Mellanox/network-operator-init-container/pkg/modules"
 	"github.com/Mellanox/network-operator-init-container/pkg/utils/version"
 )
 
@@ -137,6 +139,13 @@ func RunNetworkOperatorInitContainer(ctx context.Context, config *rest.Config, o
 	}
 	logger.Info("network-operator-init-container configuration", "config", initContCfg.String())
 
+	// Module dependency check — fail fast before safe driver loading
+	if initContCfg.ModuleDependencyCheck.Enable {
+		if err := runModuleDependencyCheck(ctx, initContCfg, logger); err != nil {
+			return err
+		}
+	}
+
 	if !initContCfg.SafeDriverLoad.Enable {
 		logger.Info("safe driver loading is disabled, exit")
 		return nil
@@ -234,6 +243,97 @@ func writeCh(ch chan error, err error) {
 	}
 }
 
+// runModuleDependencyCheck performs the module dependency pre-flight check and reports any issues.
+func runModuleDependencyCheck(ctx context.Context, initContCfg *configPgk.Config, logger logr.Logger) error {
+	logger.Info("running module dependency check",
+		"modules", initContCfg.ModuleDependencyCheck.Modules)
+
+	procPath := initContCfg.ModuleDependencyCheck.HostProcPath
+	if procPath == "" {
+		procPath = "/proc"
+	}
+	sysPath := initContCfg.ModuleDependencyCheck.HostSysPath
+	if sysPath == "" {
+		sysPath = "/sys"
+	}
+
+	if initContCfg.ModuleDependencyCheck.UnloadThirdPartyRDMA {
+		logger.Info("UNLOAD_THIRD_PARTY_RDMA_MODULES is enabled; known third-party RDMA modules will be skipped")
+	}
+
+	checker := modules.NewChecker(
+		initContCfg.ModuleDependencyCheck.Modules,
+		initContCfg.ModuleDependencyCheck.UnloadThirdPartyRDMA,
+		procPath, sysPath, logger)
+
+	report, err := checker.RunAllChecks(ctx)
+	if err != nil {
+		return fmt.Errorf("module dependency check failed: %w", err)
+	}
+
+	if err := reportPreFlightIssues(logger, report); err != nil {
+		return err
+	}
+	logger.Info("module dependency check passed")
+	return nil
+}
+
+// reportPreFlightIssues logs all pre-flight check issues and returns an error if any were found.
+func reportPreFlightIssues(logger logr.Logger, report *modules.DependencyReport) error {
+	totalIssues := len(report.ThirdPartyRDMA) + len(report.UnknownKernelModules) + len(report.UserspaceIssues)
+	if totalIssues == 0 {
+		return nil
+	}
+
+	// Category 1: known third-party RDMA modules (automatable)
+	if len(report.ThirdPartyRDMA) > 0 {
+		for _, dep := range report.ThirdPartyRDMA {
+			logger.Error(fmt.Errorf("third-party RDMA module dependency"),
+				"third-party RDMA module blocking MOFED driver reload",
+				"mofedModule", dep.MofedModule,
+				"dependents", strings.Join(dep.Dependents, ", "))
+		}
+		logger.Error(fmt.Errorf("third-party RDMA modules require configuration change"),
+			"Recommended action: set UNLOAD_THIRD_PARTY_RDMA_MODULES=\"true\" in "+
+				"NicClusterPolicy ofedDriver env vars to automatically unload known third-party "+
+				"RDMA modules before driver reload. Verify that no running workloads depend on "+
+				"these modules before enabling.")
+	}
+
+	// Category 2: unknown kernel modules (error level — manual intervention)
+	if len(report.UnknownKernelModules) > 0 {
+		for _, dep := range report.UnknownKernelModules {
+			logger.Error(fmt.Errorf("unknown kernel module dependency"),
+				"unrecognized module(s) blocking MOFED driver reload",
+				"mofedModule", dep.MofedModule,
+				"dependents", strings.Join(dep.Dependents, ", "))
+		}
+		logger.Error(fmt.Errorf("unknown kernel modules require manual intervention"),
+			"Required action: manually unload or blacklist these modules "+
+				"before deploying the DOCA driver. Automatic unloading is not supported "+
+				"for unrecognized modules.")
+	}
+
+	// Category 3: userspace processes (error level — manual intervention)
+	if len(report.UserspaceIssues) > 0 {
+		for _, issue := range report.UserspaceIssues {
+			logger.Error(fmt.Errorf("userspace process holding module"),
+				"userspace reference(s) blocking MOFED module unload",
+				"module", issue.Module,
+				"refcount", issue.Refcount,
+				"kernelHolders", issue.HolderCount,
+				"holders", strings.Join(issue.Holders, ", "),
+				"userspaceRefs", issue.UserspaceCount)
+		}
+		logger.Error(fmt.Errorf("userspace processes require manual intervention"),
+			"Required action: identify and stop processes using MOFED modules. "+
+				"Run on host: lsof /dev/infiniband/* or fuser -v /dev/infiniband/*. "+
+				"Common culprits: opensm, ibacm, rdma-ndd, srpd")
+	}
+
+	return fmt.Errorf("pre-flight check found %d issue(s); cannot safely reload MOFED drivers", totalIssues)
+}
+
 // SetupWithManager sets up the controller with the Manager.
 func (r *NodeReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).

cmd/network-operator-init-container/app/app_test.go

@@ -47,7 +47,7 @@ func createNode(name string) *corev1.Node {
 	return node
 }
 
-func createConfig(cfg configPgk.Config) {
+func createConfig(cfg *configPgk.Config) {
 	data, err := json.Marshal(cfg)
 	ExpectWithOffset(1, err).NotTo(HaveOccurred())
 	err = k8sClient.Create(ctx, &corev1.ConfigMap{
@@ -91,7 +91,7 @@ var _ = Describe("Init container", func() {
 			defer GinkgoRecover()
 			opts := newOpts()
 			opts.NodeName = testNodeName
-			createConfig(configPgk.Config{SafeDriverLoad: configPgk.SafeDriverLoadConfig{
+			createConfig(&configPgk.Config{SafeDriverLoad: configPgk.SafeDriverLoadConfig{
 				Enable:     true,
 				Annotation: testAnnotation,
 			}})
@@ -123,7 +123,7 @@ var _ = Describe("Init container", func() {
 			defer GinkgoRecover()
 			opts := newOpts()
 			opts.NodeName = "unknown-node"
-			createConfig(configPgk.Config{SafeDriverLoad: configPgk.SafeDriverLoadConfig{
+			createConfig(&configPgk.Config{SafeDriverLoad: configPgk.SafeDriverLoadConfig{
 				Enable:     true,
 				Annotation: testAnnotation,
 			}})
@@ -145,7 +145,7 @@ var _ = Describe("Init container", func() {
 			defer GinkgoRecover()
 			opts := newOpts()
 			opts.NodeName = testNodeName
-			createConfig(configPgk.Config{SafeDriverLoad: configPgk.SafeDriverLoadConfig{
+			createConfig(&configPgk.Config{SafeDriverLoad: configPgk.SafeDriverLoadConfig{
 				Enable:     true,
 				Annotation: testAnnotation,
 			}})
@@ -186,7 +186,7 @@ var _ = Describe("Init container", func() {
 			defer GinkgoRecover()
 			opts := newOpts()
 			opts.NodeName = testNodeName
-			createConfig(configPgk.Config{SafeDriverLoad: configPgk.SafeDriverLoadConfig{
+			createConfig(&configPgk.Config{SafeDriverLoad: configPgk.SafeDriverLoadConfig{
 				Enable: false,
 			}})
 			var err error

pkg/config/config.go

@@ -36,6 +36,22 @@ func Load(config string) (*Config, error) {
 type Config struct {
 	// configuration options for safeDriverLoading feature
 	SafeDriverLoad SafeDriverLoadConfig `json:"safeDriverLoad"`
+	// configuration options for module dependency checking feature
+	ModuleDependencyCheck ModuleDependencyCheckConfig `json:"moduleDependencyCheck"`
+}
+
+// ModuleDependencyCheckConfig contains configuration options for module dependency checking feature
+type ModuleDependencyCheckConfig struct {
+	// enable module dependency checking feature
+	Enable bool `json:"enable"`
+	// list of MOFED kernel modules to check for external dependencies
+	Modules []string `json:"modules"`
+	// when true, all known third-party RDMA modules are treated as allowed (driver will handle them)
+	UnloadThirdPartyRDMA bool `json:"unloadThirdPartyRdma"`
+	// path to the host's /proc filesystem mount inside the container
+	HostProcPath string `json:"hostProcPath"`
+	// path to the host's /sys filesystem mount inside the container
+	HostSysPath string `json:"hostSysPath"`
 }
 
 // SafeDriverLoadConfig contains configuration options for safeDriverLoading feature
@@ -51,6 +67,9 @@ func (c *Config) Validate() error {
 	if c.SafeDriverLoad.Enable && c.SafeDriverLoad.Annotation == "" {
 		return fmt.Errorf(".safeDriverLoad.annotation is required if safeDriverLoad feature is enabled")
 	}
+	if c.ModuleDependencyCheck.Enable && len(c.ModuleDependencyCheck.Modules) == 0 {
+		return fmt.Errorf(".moduleDependencyCheck.modules is required if moduleDependencyCheck feature is enabled")
+	}
 	return nil
 }
 

pkg/config/config_test.go

@@ -22,22 +22,22 @@ import (
 	configPgk "github.com/Mellanox/network-operator-init-container/pkg/config"
 )
 
-func createConfig(cfg configPgk.Config) string {
+func createConfig(cfg *configPgk.Config) string {
 	data, err := json.Marshal(cfg)
 	ExpectWithOffset(1, err).NotTo(HaveOccurred())
 	return string(data)
 }
 
 var _ = Describe("Config test", func() {
 	It("Valid - safeDriverLoad disabled", func() {
-		cfg, err := configPgk.Load(createConfig(configPgk.Config{SafeDriverLoad: configPgk.SafeDriverLoadConfig{
+		cfg, err := configPgk.Load(createConfig(&configPgk.Config{SafeDriverLoad: configPgk.SafeDriverLoadConfig{
 			Enable: false,
 		}}))
 		Expect(err).NotTo(HaveOccurred())
 		Expect(cfg.SafeDriverLoad.Enable).To(BeFalse())
 	})
 	It("Valid - safeDriverLoad enabled", func() {
-		cfg, err := configPgk.Load(createConfig(configPgk.Config{SafeDriverLoad: configPgk.SafeDriverLoadConfig{
+		cfg, err := configPgk.Load(createConfig(&configPgk.Config{SafeDriverLoad: configPgk.SafeDriverLoadConfig{
 			Enable:     true,
 			Annotation: "something",
 		}}))
@@ -50,9 +50,64 @@ var _ = Describe("Config test", func() {
 		Expect(err).To(HaveOccurred())
 	})
 	It("Logical validation failed - no annotation", func() {
-		_, err := configPgk.Load(createConfig(configPgk.Config{SafeDriverLoad: configPgk.SafeDriverLoadConfig{
+		_, err := configPgk.Load(createConfig(&configPgk.Config{SafeDriverLoad: configPgk.SafeDriverLoadConfig{
 			Enable: true,
 		}}))
 		Expect(err).To(HaveOccurred())
 	})
+	It("Valid - moduleDependencyCheck disabled", func() {
+		cfg, err := configPgk.Load(createConfig(&configPgk.Config{
+			ModuleDependencyCheck: configPgk.ModuleDependencyCheckConfig{
+				Enable: false,
+			},
+		}))
+		Expect(err).NotTo(HaveOccurred())
+		Expect(cfg.ModuleDependencyCheck.Enable).To(BeFalse())
+	})
+	It("Valid - moduleDependencyCheck enabled", func() {
+		cfg, err := configPgk.Load(createConfig(&configPgk.Config{
+			ModuleDependencyCheck: configPgk.ModuleDependencyCheckConfig{
+				Enable:       true,
+				Modules:      []string{"mlx5_core", "mlx5_ib"},
+				HostProcPath: "/host/proc",
+				HostSysPath:  "/host/sys",
+			},
+		}))
+		Expect(err).NotTo(HaveOccurred())
+		Expect(cfg.ModuleDependencyCheck.Enable).To(BeTrue())
+		Expect(cfg.ModuleDependencyCheck.Modules).To(Equal([]string{"mlx5_core", "mlx5_ib"}))
+		Expect(cfg.ModuleDependencyCheck.HostProcPath).To(Equal("/host/proc"))
+		Expect(cfg.ModuleDependencyCheck.HostSysPath).To(Equal("/host/sys"))
+	})
+	It("Valid - moduleDependencyCheck enabled with UnloadThirdPartyRDMA", func() {
+		cfg, err := configPgk.Load(createConfig(&configPgk.Config{
+			ModuleDependencyCheck: configPgk.ModuleDependencyCheckConfig{
+				Enable:               true,
+				Modules:              []string{"mlx5_core", "ib_core"},
+				UnloadThirdPartyRDMA: true,
+				HostProcPath:         "/host/proc",
+				HostSysPath:          "/host/sys",
+			},
+		}))
+		Expect(err).NotTo(HaveOccurred())
+		Expect(cfg.ModuleDependencyCheck.Enable).To(BeTrue())
+		Expect(cfg.ModuleDependencyCheck.Modules).To(Equal([]string{"mlx5_core", "ib_core"}))
+		Expect(cfg.ModuleDependencyCheck.UnloadThirdPartyRDMA).To(BeTrue())
+	})
+	It("Logical validation failed - moduleDependencyCheck enabled with no modules", func() {
+		_, err := configPgk.Load(createConfig(&configPgk.Config{
+			ModuleDependencyCheck: configPgk.ModuleDependencyCheckConfig{
+				Enable: true,
+			},
+		}))
+		Expect(err).To(HaveOccurred())
+	})
+	It("Backward compatible - old config without moduleDependencyCheck field", func() {
+		// Simulate an old ConfigMap that only has safeDriverLoad
+		oldJSON := `{"safeDriverLoad":{"enable":false,"annotation":""}}`
+		cfg, err := configPgk.Load(oldJSON)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(cfg.ModuleDependencyCheck.Enable).To(BeFalse())
+		Expect(cfg.ModuleDependencyCheck.Modules).To(BeNil())
+	})
 })