feat(vm): add disable-tap-veth-bridge setting

build/components/versions.yml

@@ -3,7 +3,7 @@ firmware:
   libvirt: v10.9.0
   edk2: stable202411
 core:
-  3p-kubevirt: v1.6.2-v12n.49
+  3p-kubevirt: feat/vm/disable-tap-veth-bridge
   3p-containerized-data-importer: v1.60.3-v12n.20
   distribution: 2.8.3
 package:

images/virt-artifact/werf.inc.yaml

@@ -13,8 +13,10 @@ secrets:
 - id: SOURCE_REPO
   value: {{ $.SOURCE_REPO }}
 shell:
+  installCacheVersion: "{{ now | date "Mon Jan 2 15:04:05 MST 2006" }}"
   install:
   - |
+    echo "$date rebuild 4"
     echo "Git clone {{ $gitRepoName }} repository..."
     git clone --depth=1 $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} --branch {{ $tag }} /src/kubevirt
 
@@ -28,6 +30,8 @@ altPackages:
 - pkg-config
 - libtool
 - gcc-c++
+- clang
+- libbpf-devel
 packages:
 - libmnl
 - ncurses
@@ -113,6 +117,7 @@ shell:
     - export GOOS=linux
     - export GOARCH=amd64
     - export CGO_ENABLED=0
+    - export BPF_CLANG=clang
 
     - echo ============== Build container-disk ===================
     {{- $_ := set $ "ProjectName" (list .ImageName "container-disk" | join "/") }}
@@ -201,6 +206,13 @@ shell:
     - |
     {{- include "image-build.build" (set $ "BuildCommand" `go build -ldflags="-s -w" -o /kubevirt-binaries/sidecars ./cmd/sidecars/`) | nindent 6 }}
 
+    - echo ============== Build bpf_bridge.o =====================
+    {{- $_ := set $ "ProjectName" (list $.ImageName "bpf-bridge-obj" | join "/") }}
+    - mkdir -p /kubevirt-binaries/network-bpf-bridge-binding-assets
+    - |
+    {{- include "image-build.build" (set $ "BuildCommand" `clang -O2 -g -target bpf -I/usr/include -c ./pkg/network/bpfbridge/bpf/bpf_bridge.c -o /kubevirt-binaries/network-bpf-bridge-binding-assets/bpf_bridge.o`) | nindent 6 }}
+    - echo "Built bpf object:" && ls -l /kubevirt-binaries/network-bpf-bridge-binding-assets/ && file /kubevirt-binaries/network-bpf-bridge-binding-assets/bpf_bridge.o || true
+
     - echo ============== Build virtctl ==========================
     {{- $_ := set $ "ProjectName" (list .ImageName "virtctl" | join "/") }}
     - |

images/virt-handler/werf.inc.yaml

@@ -31,6 +31,12 @@ import:
   after: install
   includePaths:
   - .version
+- image: {{ .ModuleNamePrefix }}virt-artifact
+  add: /kubevirt-binaries/network-bpf-bridge-binding-assets/
+  to: /usr/share/network-bpf-bridge-binding
+  after: install
+  includePaths:
+  - bpf_bridge.o
 - image: {{ .ModuleNamePrefix }}virt-artifact
   add: /kubevirt/cmd/{{ .ImageName }}/
   to: /etc

images/virtualization-artifact/pkg/common/annotations/annotations.go

@@ -209,6 +209,8 @@ const (
 	AnnNetworksSpec = "network.deckhouse.io/networks-spec"
 	// AnnNetworksStatus is the annotation for view current network configuration into Pod.
 	AnnNetworksStatus = "network.deckhouse.io/networks-status"
+	// AnnTapProvisionByDVPSupported is the annotation that indicates DVP supports TAP provision for the Pod.
+	AnnTapProvisionByDVPSupported = "network.deckhouse.io/tap-provision-by-dvp-supported"
 
 	// AnnVirtualDiskOriginalAnnotations is the annotation for storing original VirtualDisk annotations.
 	AnnVirtualDiskOriginalAnnotations = AnnAPIGroupV + "/vd-original-annotations"

images/virtualization-artifact/pkg/controller/kvbuilder/kvvm.go

@@ -810,8 +810,9 @@ func (b *KVVM) SetNetworkInterface(name, macAddress string, acpiIndex int) {
 		Name:      name,
 		Model:     devPreset.InterfaceModel,
 		ACPIIndex: acpiIndex,
+		Binding:   &virtv1.PluginBinding{Name: "bpfbridge"},
 	}
-	iface.Bridge = &virtv1.InterfaceBridge{}
+
 	if macAddress != "" {
 		iface.MacAddress = macAddress
 	}

images/virtualization-artifact/pkg/controller/kvbuilder/kvvm_utils.go

@@ -500,5 +500,10 @@ func setNetworksAnnotation(kvvm *KVVM, networkSpec network.InterfaceSpecList) er
 		return err
 	}
 	kvvm.SetKVVMIAnnotation(annotations.AnnNetworksSpec, networkConfigStr)
+	// Signal that DVP provisions TAP devices natively (bpfbridge). Without this annotation
+	// SDN falls back to legacy tap+bridge wiring for additional interfaces, which conflicts
+	// with the bpfbridge binding and breaks L2 connectivity for VMs created with secondary
+	// networks from the start (as opposed to hotplugged later).
+	kvvm.SetKVVMIAnnotation(annotations.AnnTapProvisionByDVPSupported, "true")
 	return nil
 }

images/virtualization-artifact/pkg/controller/vm/internal/sync_kvvm.go

@@ -1176,7 +1176,8 @@ func (h *SyncKvvmHandler) patchPodNetworkAnnotation(ctx context.Context, s state
 		return nil, fmt.Errorf("failed to serialize network spec: %w", err)
 	}
 
-	if pod.Annotations[annotations.AnnNetworksSpec] == networkConfigStr {
+	if pod.Annotations[annotations.AnnNetworksSpec] == networkConfigStr &&
+		pod.Annotations[annotations.AnnTapProvisionByDVPSupported] == "true" {
 		return desired, nil
 	}
 
@@ -1185,6 +1186,7 @@ func (h *SyncKvvmHandler) patchPodNetworkAnnotation(ctx context.Context, s state
 		pod.Annotations = make(map[string]string)
 	}
 	pod.Annotations[annotations.AnnNetworksSpec] = networkConfigStr
+	pod.Annotations[annotations.AnnTapProvisionByDVPSupported] = "true"
 	if err := h.client.Patch(ctx, pod, patch); err != nil {
 		return nil, fmt.Errorf("failed to patch pod %s network annotation: %w", pod.Name, err)
 	}

templates/kubevirt/kubevirt.yaml

@@ -39,6 +39,11 @@ spec:
       {{- end }}
     evictionStrategy: LiveMigrate
     vmRolloutStrategy: LiveUpdate
+    network:
+      binding:
+        bpfbridge:
+          domainAttachmentType: tap
+          migration: {}
     developerConfiguration:
       logVerbosity:
         virtLauncher: {{ $logVerbosity }}