addinig vmi network outages

Signed-off-by: Paige Patton <[email protected]>

Author: paigerube14

config/config.yaml

@@ -53,6 +53,7 @@ kraken:
                - scenarios/kube/node-network-chaos.yml
                - scenarios/kube/pod-network-chaos.yml
                - scenarios/kube/node_interface_down.yaml
+               - scenarios/openshift/virt_network.yaml
        -  kubevirt_vm_outage:
               - scenarios/kubevirt/kubevirt-vm-outage.yaml
        - http_load_scenarios:

krkn/scenario_plugins/network_chaos_ng/models.py

@@ -20,6 +20,7 @@
 class NetworkChaosScenarioType(Enum):
     Node = 1
     Pod = 2
+    VMI = 3
 
 
 @dataclass

krkn/scenario_plugins/network_chaos_ng/modules/abstract_network_chaos_module.py

@@ -91,6 +91,35 @@ def get_pod_targets(self, config: BaseNetworkChaosConfig):
                 )
             return [config.target]
 
+    def get_vmi_targets(self, config: BaseNetworkChaosConfig) -> list[str]:
+        """
+        Returns the list of VMI targets in "namespace/vmi-name" format.
+        Supports regex matching on both name (via `target`) and namespace,
+        and optional post-filtering by `label_selector` in "key=value" format.
+        """
+        if not config.namespace:
+            raise Exception("namespace not specified for VMI scenario, aborting")
+        name_regex = config.target if config.target else ".*"
+        vmis = self.kubecli.get_lib_kubernetes().get_vmis(name_regex, config.namespace)
+        if not vmis:
+            return []
+        if config.label_selector:
+            try:
+                label_key, label_value = config.label_selector.split("=", 1)
+            except ValueError:
+                raise Exception(
+                    f"invalid label_selector format: '{config.label_selector}', expected 'key=value'"
+                )
+            vmis = [
+                vmi
+                for vmi in vmis
+                if vmi.get("metadata", {}).get("labels", {}).get(label_key) == label_value
+            ]
+        return [
+            f"{vmi['metadata']['namespace']}/{vmi['metadata']['name']}"
+            for vmi in vmis
+        ]
+
     def __init__(
         self,
         base_network_config: BaseNetworkChaosConfig,

krkn/scenario_plugins/network_chaos_ng/modules/node_interface_down.py

@@ -1,3 +1,17 @@
+# Copyright 2025 The Krkn Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 import queue
 import time
 from typing import Tuple
@@ -101,13 +115,6 @@ def run(self, target: str, error_queue: queue.Queue = None):
                 target,
             )
 
-            log_info(
-                f"waiting {self.config.test_duration} seconds for interface(s) to recover",
-                parallel,
-                target,
-            )
-            time.sleep(self.config.test_duration)
-
             log_info(
                 f"waiting for node {target} to become Ready after interface recovery",
                 parallel,

krkn/scenario_plugins/network_chaos_ng/modules/utils.py

@@ -18,7 +18,6 @@
 import yaml
 from jinja2 import FileSystemLoader, Environment
 from krkn_lib.k8s import KrknKubernetes
-from krkn_lib.models.k8s import Pod
 
 from krkn.scenario_plugins.network_chaos_ng.models import (
     BaseNetworkChaosConfig,
@@ -110,6 +109,64 @@ def get_pod_default_interface(
     return output.replace("\n", "")
 
 
+def find_virt_launcher_netns_pid(
+    chaos_pod_name: str, namespace: str, pids: list[str], kubecli: KrknKubernetes
+) -> str:
+    """Return the first PID that is in the virt-launcher's network namespace.
+
+    get_pod_pids returns all PIDs from the compute container's cgroup.  Some of
+    those processes (helpers, privileged threads) run in the HOST network
+    namespace rather than the pod's netns.  nsenter-ing one of those would
+    target the node's physical interfaces (e.g. ens4) instead of the
+    virt-launcher's bridge slave.
+
+    tap0 is a KubeVirt-specific tap device that only exists inside the
+    virt-launcher's netns, so its presence is a reliable probe.
+    """
+    for pid in pids:
+        cmd = f"nsenter --target {pid} --net -- ip link show tap0 2>/dev/null"
+        try:
+            out = kubecli.exec_cmd_in_pod([cmd], chaos_pod_name, namespace)
+            if "tap0" in out:
+                return pid
+        except Exception:
+            continue
+    return ""
+
+
+def get_vmi_tap_interface(
+    chaos_pod_name: str, namespace: str, pid: str, kubecli: KrknKubernetes
+) -> str:
+    """Find the VMI's primary tap interface inside the virt-launcher network namespace.
+
+    The tap device is the VM-facing member of the KubeVirt bridge:
+        ovn-udn1-nic -> k6t-ovn-udn1 (bridge) -> tap0 -> QEMU (VM guest)
+
+    We locate it by finding the tap member of the k6t-* bridge rather than
+    grepping for any tap-prefixed device, so the detection works regardless
+    of how many interfaces the VM has.
+
+    Blocking the tap interface isolates only this VMI.  Blocking the bridge
+    slave (ovn-udn1-nic) would also sever OVN's BFD heartbeats and trigger
+    a node-wide network reconvergence.
+    """
+    # Find the k6t-* bridge name first, then find its tap member.
+    bridge_cmd = (
+        f"nsenter --target {pid} --net -- "
+        f"ip link show | grep ': k6t-' | head -1 | cut -d: -f2 | tr -d ' '"
+    )
+    bridge = kubecli.exec_cmd_in_pod([bridge_cmd], chaos_pod_name, namespace).strip()
+    if not bridge:
+        return ""
+
+    tap_cmd = (
+        f"nsenter --target {pid} --net -- "
+        f"ip link show master {bridge} | grep ': tap' | head -1 | cut -d: -f2 | tr -d ' '"
+    )
+    output = kubecli.exec_cmd_in_pod([tap_cmd], chaos_pod_name, namespace)
+    return output.strip()
+
+
 def setup_network_chaos_ng_scenario(
     config: BaseNetworkChaosConfig,
     node_name: str,

krkn/scenario_plugins/network_chaos_ng/modules/utils_network_filter.py

@@ -25,17 +25,29 @@ def generate_rules(
     input_rules = []
     output_rules = []
     for interface in interfaces:
-        for port in config.ports:
+        if config.ports:
+            for port in config.ports:
+                if config.egress:
+                    for protocol in set(config.protocols):
+                        output_rules.append(
+                            f"iptables -I OUTPUT 1 -p {protocol} --dport {port} -m state --state NEW,RELATED,ESTABLISHED -j DROP"
+                        )
+                if config.ingress:
+                    for protocol in set(config.protocols):
+                        input_rules.append(
+                            f"iptables -I INPUT 1 -i {interface} -p {protocol} --dport {port} -m state --state NEW,RELATED,ESTABLISHED -j DROP"
+                        )
+        else:
+            # empty ports means block all traffic on all ports
             if config.egress:
                 for protocol in set(config.protocols):
                     output_rules.append(
-                        f"iptables -I OUTPUT 1 -p {protocol} --dport {port} -m state --state NEW,RELATED,ESTABLISHED -j DROP"
+                        f"iptables -I OUTPUT 1 -p {protocol} -m state --state NEW,RELATED,ESTABLISHED -j DROP"
                     )
-
             if config.ingress:
                 for protocol in set(config.protocols):
                     input_rules.append(
-                        f"iptables -I INPUT 1 -i {interface} -p {protocol} --dport {port} -m state --state NEW,RELATED,ESTABLISHED -j DROP"
+                        f"iptables -I INPUT 1 -i {interface} -p {protocol} -m state --state NEW,RELATED,ESTABLISHED -j DROP"
                     )
     return input_rules, output_rules
 
@@ -115,3 +127,64 @@ def generate_namespaced_rules(
         namespaced_output_rules.extend(ns_output_rules)
 
     return namespaced_input_rules, namespaced_output_rules
+
+
+def apply_tc_vmi_chaos(
+    kubecli: KrknKubernetes,
+    chaos_pod_name: str,
+    namespace: str,
+    pid: str,
+    iface: str,
+    parallel: bool,
+    vmi_name: str,
+):
+    """Block all traffic on the VMI's tap interface using tc.
+
+    Targets tap0 (the VM-facing end of the KubeVirt bridge) rather than the
+    bridge slave (ovn-udn1-nic).  Blocking the bridge slave also cuts OVN's
+    BFD heartbeats and causes a node-wide network reconvergence; tap0 only
+    connects to QEMU so blocking it isolates only this VMI.
+
+    tc operates at the device layer below iptables and works without br_netfilter:
+      - root netem loss 100%  -> drops traffic sent toward the VM
+      - ingress + matchall    -> drops traffic sent by the VM
+    Only one pid is needed because all processes in the container share a netns.
+    """
+    ns = f"nsenter --target {pid} --net --"
+    log_info(f"applying tc block on {iface} (egress netem + ingress drop)", parallel, vmi_name)
+    kubecli.exec_cmd_in_pod(
+        [f"{ns} tc qdisc add dev {iface} root netem loss 100%"],
+        chaos_pod_name,
+        namespace,
+    )
+    kubecli.exec_cmd_in_pod(
+        [f"{ns} tc qdisc add dev {iface} ingress"],
+        chaos_pod_name,
+        namespace,
+    )
+    kubecli.exec_cmd_in_pod(
+        [f"{ns} tc filter add dev {iface} parent ffff: protocol all matchall action drop"],
+        chaos_pod_name,
+        namespace,
+    )
+
+
+def clean_tc_vmi_chaos(
+    kubecli: KrknKubernetes,
+    chaos_pod_name: str,
+    namespace: str,
+    pid: str,
+    iface: str,
+):
+    """Remove tc qdiscs applied by apply_tc_vmi_chaos."""
+    ns = f"nsenter --target {pid} --net --"
+    for cmd in [
+        f"{ns} tc qdisc del dev {iface} root",
+        f"{ns} tc qdisc del dev {iface} ingress",
+    ]:
+        try:
+            kubecli.exec_cmd_in_pod([cmd], chaos_pod_name, namespace)
+        except Exception:
+            pass
+
+