OCPBUGS-64771: Force Global IP forwarding for DPU host mode

[tsorya]

Ensure DPU host nodes always use Global IP forwarding mode regardless of cluster-wide configuration.

• Force ip_forwarding_mode="Global" for dpu-host mode
• Add comprehensive test cases for IP forwarding behavior
• Document DPU host IP forwarding requirements and rationale

DPU hosts require IP forwarding enabled to allow traffic flow between management and data plane interfaces. This change ensures proper DPU operation even when cluster-wide IPForwarding is set to Restricted.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@tsorya: This pull request references Jira Issue OCPBUGS-64771, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @anuragthehatter

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Ensure DPU host nodes always use Global IP forwarding mode regardless of cluster-wide configuration.

• Force ip_forwarding_mode="Global" for dpu-host mode
• Add comprehensive test cases for IP forwarding behavior
• Document DPU host IP forwarding requirements and rationale

DPU hosts require IP forwarding enabled to allow traffic flow between management and data plane interfaces. This change ensures proper DPU operation even when cluster-wide IPForwarding is set to Restricted.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Node startup script centralizes per-node IP forwarding handling, forcing ip_forwarding_mode="Global" on DPU host nodes; README and docs updated to document per-node forwarding behavior; unit tests added to validate the templated script output for the DPU-host override.

Changes

Cohort / File(s)	Summary
Documentation README.md, docs/ovn_node_mode.md	Adds per-node IP forwarding behavior and explicit note that DPU host nodes force ip_forwarding_mode="Global"; updates migration notes and per-node feature enforcement text.
Node startup script bindata/network/ovn-kubernetes/common/008-script-lib.yaml	Adds templated ip_forwarding_mode="{{.IP_FORWARDING_MODE}}"; forces Global for dpu-host mode; centralizes forwarding logic using ip_forwarding_flag; applies sysctl for IPv4/IPv6 when Global; removes duplicated computation and adjusts ovnkube-node launch flags/feature disables for DPU-host.
Tests pkg/network/ovn_kubernetes_test.go	Adds tests asserting the generated script contains ip_forwarding_mode="Global" for dpu-host, includes forwarding/sysctl logic and ip_forwarding_flag assignments in script output.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Review conditional handling for dpu-host vs full node modes in 008-script-lib.yaml to ensure correct override and flags.
• Verify sysctl reads/writes and ip_forwarding_flag semantics for IPv4/IPv6.
• Run and inspect the new tests in pkg/network/ovn_kubernetes_test.go.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 44a0219 and e33ac3a.

📒 Files selected for processing (4)

• README.md (1 hunks)
• bindata/network/ovn-kubernetes/common/008-script-lib.yaml (2 hunks)
• docs/ovn_node_mode.md (3 hunks)
• pkg/network/ovn_kubernetes_test.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/network/ovn_kubernetes_test.go
• bindata/network/ovn-kubernetes/common/008-script-lib.yaml

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• README.md
• docs/ovn_node_mode.md

🔇 Additional comments (2)

docs/ovn_node_mode.md (1)

27-27: Comprehensive IP forwarding documentation is well-structured and clearly explains the override mechanism.

The documentation effectively explains why DPU hosts require forced Global mode (line 107's rationale about traffic flow between interfaces is compelling), how Full mode respects cluster-wide settings, and clarifies the migration path. The distinction between system-level forwarding (net.ipv4.ip_forward=1) and the ip_forwarding_mode variable is clear, and the note that --disable-forwarding is never passed to DPU host nodes (line 105) is an important operational detail.

Also applies to: 91-118

README.md (1)

170-170: Clear summary with appropriate cross-reference to detailed documentation.

The README correctly communicates that DPU hosts override cluster-wide IPForwarding settings and appropriately directs users to docs/ovn_node_mode.md for implementation details and rationale. This keeps the README concise while ensuring readers can find complete information when needed.

Also applies to: 172-172

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tsorya
Once this PR has been reviewed and has the lgtm label, please assign jacobtanenbaum for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

bindata/network/ovn-kubernetes/common/008-script-lib.yaml (1)

583-596: Based on the web search results and code analysis, the original review comment is incorrect. While the bash syntax will function in this specific case, the code violates established bash best practices.

Add quotes around variable expansion in the string comparison

The variable ${ip_forwarding_mode} should be quoted in the conditional: [ "${ip_forwarding_mode}" == "Global" ] instead of [ ${ip_forwarding_mode} == "Global" ].

Always use double quotes around variable names to avoid any word splitting or globbing issues. While the code functions correctly in this instance because "Global" contains no spaces, quoting variables is a crucial best practice in Bash scripting and prevents unexpected errors from word splitting and glob expansion.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 05d6f46 and c22a0e2.

📒 Files selected for processing (4)

• README.md (1 hunks)
• bindata/network/ovn-kubernetes/common/008-script-lib.yaml (2 hunks)
• docs/ovn_node_mode.md (3 hunks)
• pkg/network/ovn_kubernetes_test.go (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• docs/ovn_node_mode.md
• pkg/network/ovn_kubernetes_test.go
• README.md
• bindata/network/ovn-kubernetes/common/008-script-lib.yaml

🪛 LanguageTool

docs/ovn_node_mode.md

[grammar] ~27-~27: Did you mean “too Global to”?
Context: ...- ip_forwarding_mode="Global" (forced to Global to allow traffic forwarding across interfa...

(TOO_ADJECTIVE_TO)

🔇 Additional comments (5)

docs/ovn_node_mode.md (1)

91-108: LGTM: Clear documentation of IP forwarding behavior

The new IP Forwarding Mode Behavior section clearly documents the differences between Full and DPU Host modes, with good rationale for why DPU hosts require Global mode. The documentation correctly explains that this is required for proper traffic flow between management and data plane interfaces.

bindata/network/ovn-kubernetes/common/008-script-lib.yaml (2)

551-552: Initial IP forwarding mode assignment

The ip_forwarding_mode variable is correctly initialized from the template variable, which can then be overridden for specific node modes.

---

574-581: Correct implementation of forced Global mode for DPU hosts

The override logic properly forces IP forwarding to Global mode for DPU host nodes, regardless of cluster-wide configuration. The detailed comments clearly explain the rationale.

README.md (1)

170-172: LGTM: Concise documentation of DPU host IP forwarding

The README appropriately documents the forced Global IP forwarding for DPU host nodes and correctly references the detailed documentation in docs/ovn_node_mode.md.

pkg/network/ovn_kubernetes_test.go (1)

4458-4517: LGTM: Comprehensive test coverage for IP forwarding behavior

The new test cases thoroughly validate the IP forwarding implementation across all relevant scenarios:

1. DPU host mode with default/empty config - Correctly verifies that Global mode is forced and forwarding is enabled
2. DPU host mode with Restricted template - Validates the override behavior, ensuring Global takes precedence
3. Full mode with Global - Confirms that explicit Global configuration is respected
4. Full mode with default/Restricted - Validates default Restricted behavior

The tests use appropriate assertions for both positive (mustContain) and negative (mustNotContain) cases, ensuring the rendered scripts contain the expected sysctl commands and flags.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

bindata/network/ovn-kubernetes/common/008-script-lib.yaml (1)

583-596: Consider quoting the variable for consistency

The IP forwarding logic is correct and handles both Global and Restricted modes appropriately. However, on line 589, ${ip_forwarding_mode} should be quoted for consistency with line 558 where ${OVN_NODE_MODE} is quoted.

Apply this diff:

-      if [ ${ip_forwarding_mode} == "Global" ]; then
+      if [ "${ip_forwarding_mode}" == "Global" ]; then

This follows shell scripting best practices and maintains consistency with other conditionals in the script.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between c22a0e2 and 01bbbb4.

📒 Files selected for processing (4)

• README.md (1 hunks)
• bindata/network/ovn-kubernetes/common/008-script-lib.yaml (2 hunks)
• docs/ovn_node_mode.md (3 hunks)
• pkg/network/ovn_kubernetes_test.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• README.md

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• docs/ovn_node_mode.md
• pkg/network/ovn_kubernetes_test.go
• bindata/network/ovn-kubernetes/common/008-script-lib.yaml

🪛 LanguageTool

docs/ovn_node_mode.md

[grammar] ~27-~27: Did you mean “too Global to”?
Context: ...- ip_forwarding_mode="Global" (forced to Global to allow traffic forwarding across interfa...

(TOO_ADJECTIVE_TO)

🔇 Additional comments (4)

bindata/network/ovn-kubernetes/common/008-script-lib.yaml (2)

551-552: LGTM: IP forwarding mode initialization

The template variable initialization is clean and allows cluster-wide configuration to be passed to the node startup script.

---

575-581: LGTM: DPU host mode override is well-documented

The forced override to Global mode for DPU hosts is clearly justified in the comments. The rationale about traffic flow between management and data plane interfaces is helpful for future maintainers.

pkg/network/ovn_kubernetes_test.go (1)

4458-4478: Excellent test coverage for IP forwarding logic

The new test case comprehensively validates all aspects of the IP forwarding feature:

• Template variable initialization
• DPU-host mode override to Global
• Conditional sysctl commands for IPv4/IPv6
• Forwarding flag assignment

This ensures the generated script will correctly handle IP forwarding across different node modes.

docs/ovn_node_mode.md (1)

91-108: Comprehensive IP forwarding documentation

The new "IP Forwarding Mode Behavior" section clearly documents the differences between Full and DPU Host modes. The rationale explaining why DPU hosts require Global mode (traffic flow between management and data plane interfaces) is particularly helpful for operators troubleshooting connectivity issues.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

bindata/network/ovn-kubernetes/common/008-script-lib.yaml (1)

551-596: Consolidate and quote the ip_forwarding_mode variable for robustness.

The new IP forwarding logic is sound: initializing from a templated value, overriding to "Global" for dpu-host, then applying sysctl settings and passing flags accordingly. However, the variable comparison at line 589 is unquoted, which is inconsistent with the pattern used elsewhere in the file (e.g., line 598: "{{.OVN_GATEWAY_MODE}}") and could cause a bash syntax error if the template variable {{.IP_FORWARDING_MODE}} expands to an empty string.

Apply this diff to quote the variable and improve safety:

-      if [ ${ip_forwarding_mode} == "Global" ]; then
+      if [ "${ip_forwarding_mode}" == "Global" ]; then

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 01bbbb4 and 44a0219.

📒 Files selected for processing (4)

• README.md (1 hunks)
• bindata/network/ovn-kubernetes/common/008-script-lib.yaml (2 hunks)
• docs/ovn_node_mode.md (3 hunks)
• pkg/network/ovn_kubernetes_test.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/network/ovn_kubernetes_test.go
• README.md

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• docs/ovn_node_mode.md
• bindata/network/ovn-kubernetes/common/008-script-lib.yaml

🔇 Additional comments (3)

bindata/network/ovn-kubernetes/common/008-script-lib.yaml (1)

575-581: Rationale and DPU-host override are clear and correct.

The comment clearly documents why DPU hosts must force Global forwarding, and the override is placed appropriately in the mode-specific conditional. The logic correctly forces this setting regardless of cluster-wide configuration, which aligns with the PR objectives.

docs/ovn_node_mode.md (2)

91-108: IP Forwarding Mode Behavior section is well-documented and accurate.

The new documentation clearly explains the difference between Full mode (respects cluster-wide config) and DPU Host mode (always forces Global), with explicit rationale. The section accurately describes the system-level sysctl changes and app-level flag behavior, and remains consistent with the script implementation.

---

27-27: Node mode table updated correctly.

The addition of ip_forwarding_mode="Global" to the dpu-host row maintains consistency with the detailed section below and matches the script logic.

[tsorya]

/retest-required

[openshift-ci]

@tsorya: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.21-upgrade-from-stable-4.20-e2e-azure-ovn-upgrade	e33ac3a	link	false	/test 4.21-upgrade-from-stable-4.20-e2e-azure-ovn-upgrade
ci/prow/4.21-upgrade-from-stable-4.20-e2e-gcp-ovn-upgrade	e33ac3a	link	false	/test 4.21-upgrade-from-stable-4.20-e2e-gcp-ovn-upgrade
ci/prow/4.21-upgrade-from-stable-4.20-e2e-aws-ovn-upgrade	e33ac3a	link	false	/test 4.21-upgrade-from-stable-4.20-e2e-aws-ovn-upgrade
ci/prow/security	e33ac3a	link	false	/test security

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[tsorya]

/hold