Skip to content

feat(vm): switch VM network datapath to eBPF bpfbridge binding#2212

Draft
LopatinDmitr wants to merge 6 commits into
mainfrom
feat/vm/disable-tap-veth-bridge
Draft

feat(vm): switch VM network datapath to eBPF bpfbridge binding#2212
LopatinDmitr wants to merge 6 commits into
mainfrom
feat/vm/disable-tap-veth-bridge

Conversation

@LopatinDmitr

@LopatinDmitr LopatinDmitr commented Apr 14, 2026

Copy link
Copy Markdown
Contributor

Description

Integrates the new bpfbridge network binding plugin (kubevirt side: deckhouse/3p-kubevirt#99) into the virtualization module and switches VM network interfaces to it, replacing the classic tap + veth + Linux-bridge datapath used for VM networks.

Module-side changes in this PR:

  • Pin 3p-kubevirt to the branch that adds the bpfbridge binding plugin (feat(vm): add bpfbridge network binding plugin 3p-kubevirt#99).
  • Build the eBPF datapath object bpf_bridge.o in virt-artifact (adds clang / libbpf-devel) and ship it into virt-handler at /usr/share/network-bpf-bridge-binding/bpf_bridge.o.
  • Register the bpfbridge network binding plugin in the KubeVirt CR (domainAttachmentType: tap, migration enabled).
  • Build VM interfaces with binding: bpfbridge instead of Bridge.
  • Add the network.deckhouse.io/tap-provision-by-dvp-supported annotation to coordinate TAP provisioning by DVP.

Why do we need it, and what problem does it solve?

The classic tap + veth + Linux-bridge wiring for VM networks adds a per-packet bridge hop and extra devices inside the pod. The bpfbridge plugin replaces it with a small eBPF (tc) L2 proxy (tc_l2_proxy) that redirects frames directly between the VM tap and the pod/CNI veth by ifindex. This gives a leaner datapath for the Main network and, importantly, makes additional ClusterNetwork interfaces work: VMs can talk over an additional network, keep it across live migration, and hotplug/hotunplug ClusterNetworks — including VMs that have only an additional network and no Main.

What is the expected result?

  • VMs with a Main + additional ClusterNetwork reach each other over the additional network, before and after live migration.
  • A VM with only an additional network (no Main) also gets additional-network connectivity.
  • Additional ClusterNetwork interfaces can be hotplugged/hotunplugged on a running VM without reboot.

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: vm
type: feature
summary: "VM networks moved to an eBPF datapath: stable additional-network connectivity with lower overhead."

@LopatinDmitr LopatinDmitr self-assigned this Apr 14, 2026
@LopatinDmitr LopatinDmitr modified the milestone: v1.8.0 Apr 14, 2026
@LopatinDmitr LopatinDmitr force-pushed the feat/vm/disable-tap-veth-bridge branch from 5de385a to ba5c9bb Compare April 16, 2026 19:38
@LopatinDmitr LopatinDmitr force-pushed the feat/vm/disable-tap-veth-bridge branch 3 times, most recently from d647add to 71140af Compare April 28, 2026 20:02
@LopatinDmitr LopatinDmitr added this to the v1.9.0 milestone Apr 28, 2026
@LopatinDmitr LopatinDmitr force-pushed the feat/vm/disable-tap-veth-bridge branch 7 times, most recently from 6260cbb to 6d276fd Compare May 5, 2026 20:12
@LopatinDmitr LopatinDmitr force-pushed the feat/vm/disable-tap-veth-bridge branch 2 times, most recently from 2476389 to 011d989 Compare May 12, 2026 14:37
@LopatinDmitr LopatinDmitr force-pushed the feat/vm/disable-tap-veth-bridge branch 3 times, most recently from c602ae8 to f73c46f Compare May 20, 2026 16:35
@LopatinDmitr LopatinDmitr force-pushed the feat/vm/disable-tap-veth-bridge branch 4 times, most recently from b80dc91 to bce14c5 Compare May 27, 2026 16:58
@LopatinDmitr LopatinDmitr force-pushed the feat/vm/disable-tap-veth-bridge branch 2 times, most recently from 8cd0998 to b281e23 Compare June 4, 2026 17:29
@universal-itengineer universal-itengineer modified the milestones: v1.9.0, v1.10.0 Jun 10, 2026
@LopatinDmitr LopatinDmitr force-pushed the feat/vm/disable-tap-veth-bridge branch 2 times, most recently from 2e51d62 to db90cbc Compare June 19, 2026 07:54
@LopatinDmitr LopatinDmitr force-pushed the feat/vm/disable-tap-veth-bridge branch 5 times, most recently from daf411d to b3ac7fd Compare June 26, 2026 04:30
@LopatinDmitr LopatinDmitr force-pushed the feat/vm/disable-tap-veth-bridge branch 2 times, most recently from 1df8bc7 to 6ce6259 Compare July 2, 2026 11:47
LopatinDmitr and others added 6 commits July 2, 2026 14:48
Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
Signed-off-by: Maksim Garmonov <maksim.garmonov@flant.com>
Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
@LopatinDmitr LopatinDmitr force-pushed the feat/vm/disable-tap-veth-bridge branch from 6ce6259 to 9d20d01 Compare July 2, 2026 11:48
@LopatinDmitr LopatinDmitr changed the title feat(vm): add disable-tap-veth-bridge setting feat(vm): switch VM network datapath to eBPF bpfbridge binding Jul 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants