Avoid failure to add interface when XFRM is not supported by the kern…

…el (projectcalico#8710) Avoid failing to create interface when XFRM is not supported by the kernel By default, netlink.NewHandle() will return a handle with all netlink families supported by the library (currently, ROUTE, XFRM, NETFILTER). This causes calico to error out on kernels that don't support XFRM. This fix limits the handle to the ROUTE netlink family only.
caseydavenport · Apr 17, 2024 · 80f0ad1 · 80f0ad1
1 parent 1f3e081
commit 80f0ad1
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 4 deletions.
diff --git a/cni-plugin/pkg/dataplane/linux/dataplane_linux.go b/cni-plugin/pkg/dataplane/linux/dataplane_linux.go
@@ -67,7 +67,7 @@ func (d *linuxDataplane) DoNetworking(
 
 	d.logger.Infof("Setting the host side veth name to %s", hostVethName)
 
-	hostNlHandle, err := netlink.NewHandle()
+	hostNlHandle, err := netlink.NewHandle(syscall.NETLINK_ROUTE)
 	if err != nil {
 		return "", "", fmt.Errorf("failed to create host netlink handle: %v", err)
 	}

diff --git a/cni-plugin/tests/calico_cni_test.go b/cni-plugin/tests/calico_cni_test.go
@@ -847,7 +847,7 @@ var _ = Describe("CalicoCni", func() {
 				containerID, result, _, _, _, contNs, err := testutils.CreateContainerWithId(netconf, "", testutils.TEST_DEFAULT_NS, "", "meep1337")
 				Expect(err).ShouldNot(HaveOccurred())
 
-				hostNlHandle, err := netlink.NewHandle()
+				hostNlHandle, err := netlink.NewHandle(syscall.NETLINK_ROUTE)
 				Expect(err).ShouldNot(HaveOccurred())
 				defer hostNlHandle.Close()
 

diff --git a/felix/dataplane/linux/vxlan_mgr.go b/felix/dataplane/linux/vxlan_mgr.go
@@ -126,7 +126,7 @@ func newVXLANManager(
 	ipVersion uint8,
 	featureDetector environment.FeatureDetectorIface,
 ) *vxlanManager {
-	nlHandle, _ := netlink.NewHandle()
+	nlHandle, _ := netlink.NewHandle(syscall.NETLINK_ROUTE)
 
 	blackHoleProto := defaultVXLANProto
 	if dpConfig.DeviceRouteProtocol != syscall.RTPROT_BOOT {

diff --git a/felix/k8sfv/pod.go b/felix/k8sfv/pod.go
@@ -21,6 +21,7 @@ import (
 	"os/exec"
 	"strings"
 	"sync"
+	"syscall"
 	"time"
 
 	"github.com/containernetworking/plugins/pkg/ns"
@@ -66,7 +67,7 @@ func createPod(clientset *kubernetes.Clientset, d deployment, nsName string, spe
 	// the link but then LinkByName wouldn't find it.  It's not clear why doing that helps but it
 	// may be that the kernel enforces consistency when you re-use the same socket, or, it may be
 	// that load causes the issue and we put less load on the kernel.
-	handle, err := netlink.NewHandle()
+	handle, err := netlink.NewHandle(syscall.NETLINK_ROUTE)
 	panicIfError(err)
 	defer handle.Close()