feat(machined): add ONEGATE proxy route and deterministic interface iteration for OpenNebula

mcanevet · smira · commit ba20c7c120e9 · 2026-03-18T20:57:23.000+04:00
When ONEGATE_ENDPOINT contains a link-local IPv4 address (169.254.x.x), emit a /32 scope-link host route via the first static interface, matching the reference add_onegate_proxy_route behavior. Without this route, VMs using link-local OneGate endpoints cannot reach the metadata service. Interface names are now collected and sorted before processing, matching the reference env | grep ... | sort behavior (ETH0, ETH1, ...). This makes DNS server ordering and ONEGATE route attachment deterministic regardless of Go map iteration order. The interface loop is extracted into processInterfaces to keep ParseMetadata within cyclomatic complexity limits. Signed-off-by: Mickaël Canévet <mickael.canevet@proton.ch> Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> (cherry picked from commit 5d3a326)
diff --git a/internal/app/machined/pkg/runtime/v1alpha1/platform/opennebula/onegate_test.go b/internal/app/machined/pkg/runtime/v1alpha1/platform/opennebula/onegate_test.go
@@ -0,0 +1,153 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package opennebula_test
+
+import (
+	"net/netip"
+	"testing"
+
+	"github.com/cosi-project/runtime/pkg/state"
+	"github.com/cosi-project/runtime/pkg/state/impl/inmem"
+	"github.com/cosi-project/runtime/pkg/state/impl/namespaced"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime/v1alpha1/platform/opennebula"
+	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
+	"github.com/siderolabs/talos/pkg/machinery/resources/network"
+)
+
+// staticIfaceContext builds a minimal context with a static ETH0 and an
+// optional ONEGATE_ENDPOINT.
+func staticIfaceContext(endpoint string) []byte {
+	ctx := `ETH0_MAC = "02:00:c0:a8:01:5c"
+ETH0_IP = "192.168.1.92"
+ETH0_MASK = "255.255.255.0"
+`
+
+	if endpoint != "" {
+		ctx += `ONEGATE_ENDPOINT = "` + endpoint + `"` + "\n"
+	}
+
+	return []byte(ctx)
+}
+
+func linkLocalRoute(ip, outLink string) network.RouteSpecSpec {
+	return network.RouteSpecSpec{
+		ConfigLayer: network.ConfigPlatform,
+		Destination: netip.PrefixFrom(netip.MustParseAddr(ip), 32),
+		OutLinkName: outLink,
+		Table:       nethelpers.TableMain,
+		Protocol:    nethelpers.ProtocolStatic,
+		Type:        nethelpers.TypeUnicast,
+		Family:      nethelpers.FamilyInet4,
+		Scope:       nethelpers.ScopeLink,
+	}
+}
+
+func scopeLinkRoutes(routes []network.RouteSpecSpec) []network.RouteSpecSpec {
+	var out []network.RouteSpecSpec
+
+	for _, r := range routes {
+		if r.Scope == nethelpers.ScopeLink {
+			out = append(out, r)
+		}
+	}
+
+	return out
+}
+
+func TestOnegateProxyRoute(t *testing.T) {
+	t.Parallel()
+
+	o := &opennebula.OpenNebula{}
+	st := state.WrapCore(namespaced.NewState(inmem.Build))
+
+	tests := []struct {
+		name      string
+		endpoint  string
+		wantRoute *network.RouteSpecSpec
+	}{
+		{
+			name:     "link-local with port and path emits scope-link /32 route",
+			endpoint: "http://169.254.16.9:5030/RPC2",
+			wantRoute: func() *network.RouteSpecSpec {
+				r := linkLocalRoute("169.254.16.9", "eth0")
+
+				return &r
+			}(),
+		},
+		{
+			name:     "link-local without port emits route",
+			endpoint: "http://169.254.16.9/RPC2",
+			wantRoute: func() *network.RouteSpecSpec {
+				r := linkLocalRoute("169.254.16.9", "eth0")
+
+				return &r
+			}(),
+		},
+		{
+			name:      "non-link-local IP emits no route",
+			endpoint:  "http://10.0.0.1:5030/RPC2",
+			wantRoute: nil,
+		},
+		{
+			name:      "absent ONEGATE_ENDPOINT emits no route",
+			endpoint:  "",
+			wantRoute: nil,
+		},
+		{
+			name:      "IPv6 URL emits no route",
+			endpoint:  "http://[::1]:5030/RPC2",
+			wantRoute: nil,
+		},
+		{
+			name:      "malformed endpoint emits no route without panic",
+			endpoint:  "not-a-url",
+			wantRoute: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			cfg, err := o.ParseMetadata(st, staticIfaceContext(tt.endpoint))
+			require.NoError(t, err)
+
+			routes := scopeLinkRoutes(cfg.Routes)
+
+			if tt.wantRoute == nil {
+				assert.Empty(t, routes)
+			} else {
+				require.Len(t, routes, 1)
+				assert.Equal(t, *tt.wantRoute, routes[0])
+			}
+		})
+	}
+}
+
+func TestOnegateRouteAttachedToFirstStaticInterface(t *testing.T) {
+	t.Parallel()
+
+	o := &opennebula.OpenNebula{}
+	st := state.WrapCore(namespaced.NewState(inmem.Build))
+
+	// ETH0=dhcp, ETH1=static — route must be on eth1 (first static).
+	ctx := []byte(`ETH0_MAC = "02:00:c0:a8:01:5c"
+ETH0_METHOD = "dhcp"
+ETH1_MAC = "02:00:c0:a8:01:5d"
+ETH1_IP = "192.168.1.92"
+ETH1_MASK = "255.255.255.0"
+ONEGATE_ENDPOINT = "http://169.254.16.9:5030/RPC2"
+`)
+
+	cfg, err := o.ParseMetadata(st, ctx)
+	require.NoError(t, err)
+
+	routes := scopeLinkRoutes(cfg.Routes)
+	require.Len(t, routes, 1)
+	assert.Equal(t, "eth1", routes[0].OutLinkName)
+}
diff --git a/internal/app/machined/pkg/runtime/v1alpha1/platform/opennebula/opennebula.go b/internal/app/machined/pkg/runtime/v1alpha1/platform/opennebula/opennebula.go
@@ -693,6 +693,99 @@ func resolveHostname(oneContext map[string]string) string {
 	return sanitizeHostname(oneContext["SET_HOSTNAME"])
 }
 
+// extractIPv4FromEndpoint extracts the host IPv4 address from a URL-like
+// string (e.g. "http://169.254.16.9:5030"). Returns an invalid Addr if no
+// IPv4 address can be parsed from the host portion.
+func extractIPv4FromEndpoint(endpoint string) netip.Addr {
+	s := endpoint
+
+	// Strip scheme (e.g. "http://").
+	if idx := strings.Index(s, "://"); idx >= 0 {
+		s = s[idx+3:]
+	}
+
+	// Strip path, query, and port in order to isolate the bare host.
+	for _, sep := range []string{"/", "?", ":"} {
+		if idx := strings.Index(s, sep); idx >= 0 {
+			s = s[:idx]
+		}
+	}
+
+	addr, err := netip.ParseAddr(s)
+	if err != nil {
+		return netip.Addr{}
+	}
+
+	return addr
+}
+
+// parseOnegateProxyRoute emits a /32 scope-link host route to the ONEGATE
+// endpoint when its host is a link-local IPv4 address (169.254.x.x). The
+// route is attached to outLink (the first static interface), matching the
+// reference add_onegate_proxy_route behavior.
+func parseOnegateProxyRoute(oneContext map[string]string, outLink string, networkConfig *runtime.PlatformNetworkConfig) {
+	endpoint := oneContext["ONEGATE_ENDPOINT"]
+	if endpoint == "" {
+		return
+	}
+
+	ip := extractIPv4FromEndpoint(endpoint)
+	if !ip.IsValid() || !ip.Is4() || !ip.IsLinkLocalUnicast() {
+		return
+	}
+
+	route := network.RouteSpecSpec{
+		ConfigLayer: network.ConfigPlatform,
+		Destination: netip.PrefixFrom(ip, 32),
+		OutLinkName: outLink,
+		Table:       nethelpers.TableMain,
+		Protocol:    nethelpers.ProtocolStatic,
+		Type:        nethelpers.TypeUnicast,
+		Family:      nethelpers.FamilyInet4,
+		Scope:       nethelpers.ScopeLink,
+	}
+
+	route.Normalize()
+
+	networkConfig.Routes = append(networkConfig.Routes, route)
+}
+
+// processInterfaces iterates ETHn interfaces in sorted order, configures each
+// one, and returns the name of the first static interface link (used to attach
+// the ONEGATE proxy route). Sorted order matches the reference behavior of
+// env | grep ... | sort (ETH0, ETH1, ETH2, ...).
+func processInterfaces(
+	oneContext map[string]string,
+	networkConfig *runtime.PlatformNetworkConfig,
+	allDNSIPs *[]netip.Addr,
+	allSearchDomains *[]string,
+) (firstStaticLink string, err error) {
+	var ifaceNames []string
+
+	for key := range oneContext {
+		if ifaceName, ok := ethInterfaceName(key); ok {
+			ifaceNames = append(ifaceNames, ifaceName)
+		}
+	}
+
+	slices.Sort(ifaceNames)
+
+	for _, ifaceName := range ifaceNames {
+		if err := parseInterface(oneContext, ifaceName, networkConfig, allDNSIPs, allSearchDomains); err != nil {
+			return "", err
+		}
+
+		if firstStaticLink == "" {
+			method := strings.ToLower(oneContext[ifaceName+"_METHOD"])
+			if method == "" || method == "static" {
+				firstStaticLink = strings.ToLower(ifaceName)
+			}
+		}
+	}
+
+	return firstStaticLink, nil
+}
+
 // ParseMetadata converts opennebula metadata to platform network config.
 func (o *OpenNebula) ParseMetadata(st state.State, oneContextPlain []byte) (*runtime.PlatformNetworkConfig, error) {
 	networkConfig := &runtime.PlatformNetworkConfig{}
@@ -721,19 +814,13 @@ func (o *OpenNebula) ParseMetadata(st state.State, oneContextPlain []byte) (*run
 
 	allSearchDomains := append([]string(nil), strings.Fields(oneContext["SEARCH_DOMAIN"])...)
 
-	// The presence of ETHn_MAC is the sole trigger for interface configuration,
-	// matching the behavior of the official OpenNebula guest contextualization
-	// scripts (one-apps/context-linux: get_context_interfaces() uses ETH*_MAC
-	// presence exclusively).
-	for key := range oneContext {
-		ifaceName, ok := ethInterfaceName(key)
-		if !ok {
-			continue
-		}
+	firstStaticLink, err := processInterfaces(oneContext, networkConfig, &allDNSIPs, &allSearchDomains)
+	if err != nil {
+		return nil, err
+	}
 
-		if err := parseInterface(oneContext, ifaceName, networkConfig, &allDNSIPs, &allSearchDomains); err != nil {
-			return nil, err
-		}
+	if firstStaticLink != "" {
+		parseOnegateProxyRoute(oneContext, firstStaticLink, networkConfig)
 	}
 
 	if len(allDNSIPs)+len(allSearchDomains) > 0 {
