adding interface bridge

paigerube14 · paigerube14 · commit 219f38907641 · 2026-04-29T11:46:36.000-04:00
diff --git a/krkn/scenario_plugins/network_chaos_ng/modules/utils.py b/krkn/scenario_plugins/network_chaos_ng/modules/utils.py
@@ -18,7 +18,6 @@
 import yaml
 from jinja2 import FileSystemLoader, Environment
 from krkn_lib.k8s import KrknKubernetes
-from krkn_lib.models.k8s import Pod
 
 from krkn.scenario_plugins.network_chaos_ng.models import (
     BaseNetworkChaosConfig,
@@ -110,6 +109,64 @@ def get_pod_default_interface(
     return output.replace("\n", "")
 
 
+def find_virt_launcher_netns_pid(
+    chaos_pod_name: str, namespace: str, pids: list[str], kubecli: KrknKubernetes
+) -> str:
+    """Return the first PID that is in the virt-launcher's network namespace.
+
+    get_pod_pids returns all PIDs from the compute container's cgroup.  Some of
+    those processes (helpers, privileged threads) run in the HOST network
+    namespace rather than the pod's netns.  nsenter-ing one of those would
+    target the node's physical interfaces (e.g. ens4) instead of the
+    virt-launcher's bridge slave.
+
+    tap0 is a KubeVirt-specific tap device that only exists inside the
+    virt-launcher's netns, so its presence is a reliable probe.
+    """
+    for pid in pids:
+        cmd = f"nsenter --target {pid} --net -- ip link show tap0 2>/dev/null"
+        try:
+            out = kubecli.exec_cmd_in_pod([cmd], chaos_pod_name, namespace)
+            if "tap0" in out:
+                return pid
+        except Exception:
+            continue
+    return ""
+
+
+def get_vmi_tap_interface(
+    chaos_pod_name: str, namespace: str, pid: str, kubecli: KrknKubernetes
+) -> str:
+    """Find the VMI's primary tap interface inside the virt-launcher network namespace.
+
+    The tap device is the VM-facing member of the KubeVirt bridge:
+        ovn-udn1-nic -> k6t-ovn-udn1 (bridge) -> tap0 -> QEMU (VM guest)
+
+    We locate it by finding the tap member of the k6t-* bridge rather than
+    grepping for any tap-prefixed device, so the detection works regardless
+    of how many interfaces the VM has.
+
+    Blocking the tap interface isolates only this VMI.  Blocking the bridge
+    slave (ovn-udn1-nic) would also sever OVN's BFD heartbeats and trigger
+    a node-wide network reconvergence.
+    """
+    # Find the k6t-* bridge name first, then find its tap member.
+    bridge_cmd = (
+        f"nsenter --target {pid} --net -- "
+        f"ip link show | grep ': k6t-' | head -1 | cut -d: -f2 | tr -d ' '"
+    )
+    bridge = kubecli.exec_cmd_in_pod([bridge_cmd], chaos_pod_name, namespace).strip()
+    if not bridge:
+        return ""
+
+    tap_cmd = (
+        f"nsenter --target {pid} --net -- "
+        f"ip link show master {bridge} | grep ': tap' | head -1 | cut -d: -f2 | tr -d ' '"
+    )
+    output = kubecli.exec_cmd_in_pod([tap_cmd], chaos_pod_name, namespace)
+    return output.strip()
+
+
 def setup_network_chaos_ng_scenario(
     config: BaseNetworkChaosConfig,
     node_name: str,
diff --git a/krkn/scenario_plugins/network_chaos_ng/modules/utils_network_filter.py b/krkn/scenario_plugins/network_chaos_ng/modules/utils_network_filter.py
@@ -25,17 +25,29 @@ def generate_rules(
     input_rules = []
     output_rules = []
     for interface in interfaces:
-        for port in config.ports:
+        if config.ports:
+            for port in config.ports:
+                if config.egress:
+                    for protocol in set(config.protocols):
+                        output_rules.append(
+                            f"iptables -I OUTPUT 1 -p {protocol} --dport {port} -m state --state NEW,RELATED,ESTABLISHED -j DROP"
+                        )
+                if config.ingress:
+                    for protocol in set(config.protocols):
+                        input_rules.append(
+                            f"iptables -I INPUT 1 -i {interface} -p {protocol} --dport {port} -m state --state NEW,RELATED,ESTABLISHED -j DROP"
+                        )
+        else:
+            # empty ports means block all traffic on all ports
             if config.egress:
                 for protocol in set(config.protocols):
                     output_rules.append(
-                        f"iptables -I OUTPUT 1 -p {protocol} --dport {port} -m state --state NEW,RELATED,ESTABLISHED -j DROP"
+                        f"iptables -I OUTPUT 1 -p {protocol} -m state --state NEW,RELATED,ESTABLISHED -j DROP"
                     )
-
             if config.ingress:
                 for protocol in set(config.protocols):
                     input_rules.append(
-                        f"iptables -I INPUT 1 -i {interface} -p {protocol} --dport {port} -m state --state NEW,RELATED,ESTABLISHED -j DROP"
+                        f"iptables -I INPUT 1 -i {interface} -p {protocol} -m state --state NEW,RELATED,ESTABLISHED -j DROP"
                     )
     return input_rules, output_rules
 
@@ -115,3 +127,64 @@ def generate_namespaced_rules(
         namespaced_output_rules.extend(ns_output_rules)
 
     return namespaced_input_rules, namespaced_output_rules
+
+
+def apply_tc_vmi_chaos(
+    kubecli: KrknKubernetes,
+    chaos_pod_name: str,
+    namespace: str,
+    pid: str,
+    iface: str,
+    parallel: bool,
+    vmi_name: str,
+):
+    """Block all traffic on the VMI's tap interface using tc.
+
+    Targets tap0 (the VM-facing end of the KubeVirt bridge) rather than the
+    bridge slave (ovn-udn1-nic).  Blocking the bridge slave also cuts OVN's
+    BFD heartbeats and causes a node-wide network reconvergence; tap0 only
+    connects to QEMU so blocking it isolates only this VMI.
+
+    tc operates at the device layer below iptables and works without br_netfilter:
+      - root netem loss 100%  -> drops traffic sent toward the VM
+      - ingress + matchall    -> drops traffic sent by the VM
+    Only one pid is needed because all processes in the container share a netns.
+    """
+    ns = f"nsenter --target {pid} --net --"
+    log_info(f"applying tc block on {iface} (egress netem + ingress drop)", parallel, vmi_name)
+    kubecli.exec_cmd_in_pod(
+        [f"{ns} tc qdisc add dev {iface} root netem loss 100%"],
+        chaos_pod_name,
+        namespace,
+    )
+    kubecli.exec_cmd_in_pod(
+        [f"{ns} tc qdisc add dev {iface} ingress"],
+        chaos_pod_name,
+        namespace,
+    )
+    kubecli.exec_cmd_in_pod(
+        [f"{ns} tc filter add dev {iface} parent ffff: protocol all matchall action drop"],
+        chaos_pod_name,
+        namespace,
+    )
+
+
+def clean_tc_vmi_chaos(
+    kubecli: KrknKubernetes,
+    chaos_pod_name: str,
+    namespace: str,
+    pid: str,
+    iface: str,
+):
+    """Remove tc qdiscs applied by apply_tc_vmi_chaos."""
+    ns = f"nsenter --target {pid} --net --"
+    for cmd in [
+        f"{ns} tc qdisc del dev {iface} root",
+        f"{ns} tc qdisc del dev {iface} ingress",
+    ]:
+        try:
+            kubecli.exec_cmd_in_pod([cmd], chaos_pod_name, namespace)
+        except Exception:
+            pass
+
+
diff --git a/krkn/scenario_plugins/network_chaos_ng/modules/vmi_network_chaos.py b/krkn/scenario_plugins/network_chaos_ng/modules/vmi_network_chaos.py
