1906307 – Bond iface API doesn't provide means for selecting MAC used for the bond iface

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1906307 - Bond iface API doesn't provide means for selecting MAC used for the bond iface

Summary: Bond iface API doesn't provide means for selecting MAC used for the bond iface

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	nmstate
Sub Component:
Version:	8.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	8.0
Assignee:	Gris Ge
QA Contact:	Mingyu Shi
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1933538
TreeView+	depends on / blocked

Reported:	2020-12-10 08:53 UTC by Radim Hrazdil
Modified:	2022-01-06 14:08 UTC (History)
CC List:	9 users (show)
Fixed In Version:	nmstate-1.0.2-0.3.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1933538 (view as bug list)
Environment:
Last Closed:	2021-05-18 15:18:22 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
latest nmstate failing on unmanaged iface (6.74 KB, text/plain) 2021-02-12 15:50 UTC, Petr Horáček	no flags	Details
Data collected before applying the config (40.00 KB, application/x-tar) 2021-03-01 09:14 UTC, Petr Horáček	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	nmstate nmstate pull 1512	0	None	closed	bridge/bond: New property `Interface.COPY_MAC_FROM`	2021-02-20 07:25:36 UTC

Description Radim Hrazdil 2020-12-10 08:53:42 UTC

Description of problem:

When creating a bond in active-backup or balance-rr mode with multiple slave ifaces, the newly created bond uses MAC address of randomly chosen slave interface.
This causes issues when one of the slave interface was previously used as a default interface
and it had an IP address assigned from a DHCP server.
When a bond is created, it uses MAC address of any of the provided slave ifaces, which may result in using other MAC than the MAC of the previously default interface. In that case, a new
IP address is assigned from the DHCP.

It would be preffered to have a way to define, which MAC address will be used by the bond, so that in such a scenario the DHCP can re-assign the same IP address.


And example workflow:

Consider a host with the following interfaces eth0 and eth1 (MACs differ in the last two octets)

--8<--
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:55:00:d1:55:03 brd ff:ff:ff:ff:ff:ff
    inet 192.168.66.103/24 brd 192.168.66.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:55:00:d1:56:04 brd ff:ff:ff:ff:ff:ff
-->8--

Now I apply the following desiredState:
--8<--
desiredState:
  interfaces:
  - name: bond0
    type: bond
    state: up
    ipv4:
      dhcp: true
      enabled: true
    link-aggregation:
      mode: active-backup
      options:
        miimon: '140'
        primary: eth0
      slaves:
      - eth0
      - eth1
-->8--

The state after applying the desiredState:
--8<--
2: eth0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc fq_codel master bond0 state UP group default qlen 1000
    link/ether 52:55:00:d1:56:04 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc fq_codel master bond0 state UP group default qlen 1000
    link/ether 52:55:00:d1:56:04 brd ff:ff:ff:ff:ff:ff
11: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:55:00:d1:56:04 brd ff:ff:ff:ff:ff:ff
    inet 192.168.66.130/24 brd 192.168.66.255 scope global noprefixroute bond0
       valid_lft forever preferred_lft forever
-->8--


As you can observe, the bond interface took over the MAC address of eth1, which results in
having a new IP address (192.168.66.130 instead of 192.168.66.103).
We would like to have a way to describe from which interface would the MAC address to use for the bond.

A way to overcome this is creating the bond with only one slave iface, which is the one with assigned IP address, and only then add another interfaces to the bond.
However, this is not user-friendly and it goes against the declarative concept.


Version-Release number of selected component (if applicable):
nmstate-0.3.6-2
NetworkManager-1.26.2-1.el8.x86_64

How reproducible:
randomly, but easy

Steps to Reproduce:
1. apply the desiredState given in the description section above


Actual results:
The created bond has MAC address of any of the slave ifaces

Expected results:
We would like to have a way to select which MAC address to use


Additional info:

Comment 1 Dan Kenigsberg 2020-12-23 11:33:40 UTC

Setting severity to High, as inconsistent MAC means inconsistent dhcp-provided address, which may mean lost nodes.

Comment 2 Petr Horáček 2021-02-01 13:48:52 UTC

Hello Gris, any chance this would make it to 1.0?

Comment 3 Gris Ge 2021-02-02 13:02:03 UTC

Hi guys,

When you did not define MAC address for a bond, you are expecting nmstate/NetworkManager/udev/kernel to choose whatever mac address fits.


The systemd-udev has its reputation on alter the algorithm which cause the MAC address of virtual device's MAC address altered.
So I would suggest you set the MAC address explicitly.

```yaml
---
interfaces:
- name: bond99
  type: bond
  state: up
  mac-address: ee:24:e8:8b:1b:ff
  link-aggregation:
    mode: balance-rr
    port:
    - eth1
    - eth2
```

Comment 4 Radim Hrazdil 2021-02-02 13:37:54 UTC

Hello Gris,

specifying the MAC address explicitly indeed makes sure that the specified address is used, but this is not a solution for OCP Clusters.
We can't specify the same MAC for all nodes in an OCP cluster.
We cannot make users create a separate policy for each node in the cluster either. 

I believe we need a way to indicate, from which interface the MAC address should be used.
It makes the most sense to me to expose this feature/option at nmstate.

Comment 5 Gris Ge 2021-02-04 06:11:38 UTC

(In reply to Radim Hrazdil from comment #4)
> Hello Gris,
> 
> specifying the MAC address explicitly indeed makes sure that the specified
> address is used, but this is not a solution for OCP Clusters.
> We can't specify the same MAC for all nodes in an OCP cluster.
> We cannot make users create a separate policy for each node in the cluster
> either. 
> 
> I believe we need a way to indicate, from which interface the MAC address
> should be used.
> It makes the most sense to me to expose this feature/option at nmstate.


Is it make sense that nmstate will use the __first__ slave/port listed in
desire state for bond/bridge/etc interface?

Comment 6 Radim Hrazdil 2021-02-04 08:04:34 UTC

> Is it make sense that nmstate will use the __first__ slave/port listed in
> desire state for bond/bridge/etc interface?


So if I take the following desiredState for example:

```yaml
---
interfaces:
- name: bond99
  type: bond
  state: up
  link-aggregation:
    mode: balance-rr
    port:
    - eth1
    - eth2
```

The mac address used for the bond interface would be taken from eth1 because it's at the top of the list?
If so, than I think this is a viable option.

The downside is that it's not self-explanatory, meaning that users need to consult documentation to learn about this behaviour.
On the other hand I understand that you probably don't want to introduce a new field for this, because that would deviate from the kernel driver API, right?

Comment 9 Gris Ge 2021-02-09 12:32:14 UTC

I prefer the idea of explicit, so let's go with `copy-mac-from: eth1`.

Does it work for you also, Radim?

Comment 10 Radim Hrazdil 2021-02-09 12:57:02 UTC

Sounds great to me, thank you.

Comment 14 Gris Ge 2021-02-10 14:29:04 UTC

Patch posted to upstream. https://github.com/nmstate/nmstate/pull/1512

Please try `dnf copr enable packit/nmstate-nmstate-1512` to see whether it meet your needs.


Example yaml:

```yaml
---
interfaces:
- name: bond99
  type: bond
  state: up
  copy-mac-from: eth1
  link-aggregation:
    mode: balance-rr
    port:
    - eth2
    - eth1
```


Both bond and bridge is supporting this.

Comment 19 Petr Horáček 2021-02-12 15:49:21 UTC

@ferferna I have tried to verify this, but the packit RPM you shared introduces a regression.

I used following config:

cat <<EOF | ./cluster/kubectl.sh apply -f -
apiVersion: nmstate.io/v1alpha1
kind: NodeNetworkConfigurationPolicy
metadata:
  name: test
spec:
  nodeSelector:
    kubernetes.io/hostname: node02
  desiredState:
    interfaces:
    - name: bond0
      type: bond
      state: up
      link-aggregation:
        mode: balance-rr
        options:
          miimon: '140'
        slaves:
        - eth1
        - eth2
EOF

It worked fine with 1.0.1. With the new build it failed with:

        libnmstate.error.NmstateLibnmError: Activate profile uuid:0f17245f-1bc1-4ab9-831f-9daa612e1be4 iface:calibe48e194813 type: ethernet failed: error=nm-manager-error-quark: Connection 'calibe48e194813' is not available on device calibe48e194813 because device is strictly unmanaged (2)

Full log is in the attachment.

Comment 20 Petr Horáček 2021-02-12 15:50:17 UTC

Created attachment 1756642 [details]
latest nmstate failing on unmanaged iface

Comment 21 Mingyu Shi 2021-02-18 02:25:55 UTC

Verified with versions:
nmstate-1.0.2-0.3.el8.noarch
nispor-1.0.1-3.el8.x86_64
NetworkManager-1.30.0-0.10.el8.x86_64

Basically the feature works well, notice there are some expanded test issues:
#bz1928745
#bz1929132
#bz1929946

Comment 22 Gris Ge 2021-02-18 03:43:54 UTC

Hi Mingyu,

Thanks for the test feedback. I have made proper action plans for these bugs.

Comment 23 Gris Ge 2021-02-18 03:47:13 UTC

Hi Petr,

This sounds like a know issue of NetworkManager. Could you try it again with NetworkManager-1.30.0-0.10.el8.x86_64?

If still fails, please kindly provides:
 1. The network state before nmstate applies. The output of `npc` could be really helpfull.
 2. How to configure this unmanaged network?
 3. The type of `calibe48e194813`, veth?
 4. The desired state been passed to nmstate.


Thank you very much on performing regression test!

Comment 26 Petr Horáček 2021-03-01 09:12:45 UTC

(In reply to Gris Ge from comment #23)
> Hi Petr,
> 
> This sounds like a know issue of NetworkManager. Could you try it again with
> NetworkManager-1.30.0-0.10.el8.x86_64?

I have tried it now with 1.30.0-0.7.el8, is it good enough?

> 
> If still fails, please kindly provides:
>  1. The network state before nmstate applies. The output of `npc` could be
> really helpfull.

I attached a tarball with this and other data obtained before the config.

>  2. How to configure this unmanaged network?

This is part of the Calico CNI that handles networking within my Kubernetes cluster. I don't know how they setup the network.

>  3. The type of `calibe48e194813`, veth?

I believe so.

>  4. The desired state been passed to nmstate.


This is my reproducer:

echo 'interfaces:
- name: bond0
  type: bond
  state: up
  link-aggregation:
    mode: balance-rr
    options:
      miimon: '140'
    slaves:
    - eth1
    - eth2' > config.yaml

nmstatectl show > nmstatectl-show.yaml
npc > npc.yaml
ip l > ip-l.txt
nmcli c > nmcli-c.txt
nmcli d > nmcli-c.txt

nmstatectl apply config.yaml > nmstatectl-apply.log


> 
> 
> Thank you very much on performing regression test!

Comment 27 Petr Horáček 2021-03-01 09:14:00 UTC

Created attachment 1759905 [details]
Data collected before applying the config

Comment 28 Gris Ge 2021-03-02 06:43:26 UTC

Hi Petr,

I failed to find the root cause from the tarball.
Could you try NetworkManager-1.30.0-2.el8.x86_64.rpm and nmstate-1.0.2-2.el8?
If still fails, please open a new bug as current one is for `copy_mac_from` property.

Thank you very much!

Comment 30 errata-xmlrpc 2021-05-18 15:18:22 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (nmstate bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1748

Note You need to log in before you can comment on or make changes to this bug.