All right. Hello everyone. My name is Petr Horacek, and I've been working... Hello? Yeah, there are no speakers. Okay, if I lose my voice before we finish, sorry about it.

So, hello again. My name is Petr Horacek, and I've been working at Red Hat for over four years now. I spent three years on a project called oVirt, aka Red Hat Virtualization, and a year ago I joined a new project called KubeVirt. Now, both of these projects deal with one task, maybe two of them. The first one is virtualization, but another one, not so obvious, is managing quite complex scenarios for networking, be it configuration of host networking for storage or management, or connecting VMs all together. And there are other virtualization projects that deal with the same problems. The problem is that all of them, or most of them, develop their own solutions to manage networking, and that's where nmstate, or kubernetes-nmstate, came in. So kubernetes-nmstate is a tool that can be used by all these projects, or nmstate at least, and it provides you a simple tool to configure your networking in a declarative way.

So in this talk, I will tell you about nmstate and kubernetes-nmstate, and I will try to do a live demo.

In Kubernetes, usually what is enough for you is the default networking, which connects all your pods, or VMs with KubeVirt, together into one interoperable network. However, sometimes you need something more complex, like connecting your pods to multiple L2 networks, using SR-IOV and so on. And the need for this kind of configuration is not necessarily on day one. Sometimes you decide that you need multiple networks in the second week of your Kubernetes cluster running, and then what do you use? Ansible? Or you SSH to the host and configure it manually?
You can do it, but it's tedious. So you can use nmstate to just describe the desired state of the network and it applies it for you, compared to NetworkManager, which works in an imperative way, where you say I want to add this profile to configure this, or remove the profile and remove interfaces, for instance. And nmstate is basically a thin layer on top of NetworkManager in this case.

And then we have kubernetes-nmstate. It is a tool for host networking driven by Kubernetes and configured by nmstate, meaning you use your kubectl to control your Kubernetes, add pods, manage nodes, and with this add-on you can also configure networking just using kubectl, without accessing those nodes explicitly.

Kubernetes-nmstate introduces two new objects to Kubernetes. The first one is called node network state, which reflects the state of networking on a single node, and you can also use it to configure networking on that node. However, it would require you to do this configuration for each node, and to make it easier you can use another object called node network configuration policy. It gives you an option to say that if this interface or this connection is available on the node, please configure it in this way. I will get to it later.

So let's imagine we have this one single node, and it has two interfaces controlled by NetworkManager. The eth0 is used for management as a default network and it has an IP address already configured. The eth1 doesn't, however. So we deploy our add-on for kubernetes-nmstate, and it's just a simple daemon set that has nmstate in it, which communicates with NetworkManager, and it has a kubernetes-nmstate daemon that creates an object for each node called node network state, and it updates it and monitors it for changes. So once this is created, it reflects the network state of the node, saying... and this is not the API we use.
It's just a simplified version. It says that eth0 has IP address 10.001 and there is no IP address on eth1. So a user can come and see the current state. They can also configure a spec for this node, saying I want eth1 to have this IP address. This change is picked up by kubernetes-nmstate and applied on eth1, and this change is then again noticed by kubernetes-nmstate and the node network state is updated to reflect this new IP address.

So this may be all right if you have just a single node. However, if you have multiple of them, you can use the same mechanism to configure an IP address on every single node, but we also added an additional layer with node network configuration policy. In this case it has this obscure name, eth1 DHCP, and the pink object in the middle is just a controller that monitors this object and updates the node network state accordingly. For instance, I can have this specification that says if you find an interface called eth1 and it's an Ethernet interface, then use DHCP to configure an IP address on it. So what the controller in the middle does: it iterates over all node network states, and if it finds this eth1 interface, it updates this node network state with a new specification to get the desired state. Then the mechanism already described starts. The daemon set picks it up and uses NetworkManager to run the DHCP client on the interface. It obtains an IP address, the state is updated, and so on and so on.

This is just a really simple and stupid case, but you might use it for more interesting scenarios. Let's say you have SR-IOV cards available on some of our nodes. You can use node network configuration policy to say if you find an SR-IOV card, activate it and configure it so it exposes eight physical... virtual functions. Or if you have LLDP running in your cluster, you can say if you find an interface that exposes this network using LLDP, then configure a bridge on top of it. Or maybe you have multiple interfaces connected to the same
network. So you can just say if there are multiple of them, bind them together using a bonding interface and give me this connectivity.

All right, now for the demo. In this demo, I will show you how I can check the current state of node networking and how I configure the networking, and I will create a virtual machine using KubeVirt and connect it to the default Kubernetes network but also to an additional one. Just briefly: KubeVirt is an add-on for Kubernetes that allows you to run virtual machines side by side with your pods, so you use the same infrastructure to handle both VMs and containers. Then Multus is a networking plug-in in Kubernetes that allows you to connect your pod to multiple networks. And finally, OVS CNI is again a networking plug-in, one that connects your pod to an OVS bridge.

Okay, so I hope we will end up in this state with the demo, but we start with this.

Okay, so let me get to the terminal. As you can see, we have just one node, and I can use kubectl to see the current state of the node networking. Guys in the back, is the font big enough? All right, so I say kubectl get node network state in my namespace. Okay, so I have this object in Kubernetes of kind node network state, and in the current specification there's nothing, because it was just created. It reflects the current state, but the user didn't specify any extra configuration yet. And in the status part we see that there is a list of interfaces. I can look for eth0 and, as you can see, it is there. It has an IPv4 address, IPv6, and it's up. So this works.

Now, in Kubernetes, for multiple networks we have something called network attachment definition, which says that if a user asks to be connected to this network, it will be done in this way. I will show you how it looks. Okay, this is just a simple one.
It's a network attachment definition. The network is called blue network, and it says that if someone asks for it, the pod should be connected to an OVS bridge called bridge one and the traffic should be tagged with some VLAN IDs. Now I can create this on Kubernetes and I can use it for a virtual machine.

Now, what does the virtual machine specification look like? It's called test VMI. I was really creative thinking of this name. And then there are some fields not really interesting for the networking part, but we have this. We have a networks section that says we want connectivity to the default pod network, but also to our blue network, which is a Multus network called blue network. And then we specify how we want to attach the VM to these networks, and in both cases we just use a bridge interface to connect to the default network and to the blue one. Let's create it.

It's there, but it is being scheduled. Just a sidestep: with KubeVirt, the virtual machine is just a process running in a pod. So for each virtual machine there is a pod created, and the virtual machine is started in that. So we can look at the state of this pod, hopefully. Come on. Give me a split second to pull up the snapshot of the virtual machine. I'm really sorry. Okay, I just recreated and saved. Okay.

So the pod for the virtual machine is pending, and what does it mean? Kubernetes wasn't able to find a node that has the requested resources available. So if I look into the description of this VM, or pod, it says zero nodes are available and there is insufficient bridge one resource, because although I defined the network attachment definition and the virtual machine, we still have just eth0 and eth1. There is no bridge available, and I can prove it to you using kubernetes-nmstate again. This is the current state of the node, and if I look for bridge one, it is not there.
So we can create it. This is not the current state on Kubernetes. This is my description of node network state, and in the status field there is nothing, because we don't want to update the status, just the spec. And in there we say the desired state has two interfaces, one of them being an OVS bridge called bridge one, and it has some bridge options and it is attached to a port eth2. I'm not... On those pictures I use eth1. Forget about it. And there is configuration for the downlink, for eth2, and we don't want any IP address on it. We just want it to be up.

So if I apply this now... Okay, this is the state that is applied on Kubernetes. The spec is in there, and hopefully it will also be reflected in the state. So if I look for bridge one: this is the spec, this is the status. So you see here, there is an interface, a bridge interface connected to eth2, yada yada yada. It is in there. So now, if we are lucky, the pod should already be starting on the node.

Okay, I guess we are in an offline demo. So I ask you to again forget about this, and I will get to my backup slides to show how it's supposed to look. Okay, the image that hosts the virtual machine is hosted on Docker Hub or on some remote registry, so we failed to download it on this network. So, yeah. Thanks for pointing it out. I'm in flight mode.

So this is the demo. So if you want to re-watch it again at home, you could. Okay, here we applied the node network state. We checked that it was configured. That has already been done, and as you can see, the pod is running right now. And how does it look on the node?
We already have the bridge one, and there is just the pod and no virtual machine in it. And the pod has access to the default network on the eth0 interface. Now, thanks to Multus and the network attachment definition, we also got access to the secondary network on eth1. And then we start our process, which happens to be our virtual machine, there, and we connect it to these networks. And here I can also show you that the VM is running, and if I connect to it using the console and log in with password Fedora and look for the IP address, you can see that there are eth1 and eth0 and both of them have IP addresses assigned.

So, as I said in the beginning, for some use cases of Kubernetes or virtual machines, the default network is just not enough and we need access to secondary networks to provide private connections between pods and between containers and VMs, or access to some high-throughput networks. And these requirements, if you know about them on day zero, one, you can pre-configure using Ansible and forget about it. But if you need to dynamically reconfigure your nodes, you might be interested in using kubernetes-nmstate, which gives you simple access to configure your nodes and networking just using kubectl and definitions of states, instead of accessing those machines and manually configuring, adding and removing interfaces there.

So that was it, and thank you for listening. If you have any questions or comments, now it's...

I didn't upload it yet. I'll repeat the question: is the presentation or are the slides available online? Not yet, but they will be uploaded to the FOSDEM webpage.

Guys, we are not done here. Please close the door. We are not done here. Thank you.

Can you repeat the last part, please? So the question is whether we can use this to redirect traffic from one VM to another, so that the destination won't be VM one, but VM two. Well, the... Yes, so this tool is to configure the node networking, not networking between, like, from a point, from a VM. How do I explain it?
So you use this to configure your bridges and stuff like that on a node, but in your case you probably need some overlay, or a way to tell the VM on the other side to now not talk with this one, but with another one. Well, the thing is, I don't think that nmstate solves this for you or gives you tools to do that. I think that's for another layer of networking. This is for the node part, and you probably need some layer on top of it for the VM part. If it answers your question.

Well, right now it doesn't, but... Thank you. So the question is whether we support configuring DPDK or virtual functions on interfaces on the node. Right now we don't, but we aim at providing the SR-IOV configuration, because we need it in our projects right now, and even DPDK can be configured there, and patches are welcome. The tool is definitely open for it and there is a place to define such attributes. It's just not implemented yet.

All right, that's it. Thank you very much.