Remove Docker Support for Antrea Windows

This commit removes the support for Docker from the Antrea Windows Agent.
The specific changes made in this commit include modifying the CNI call to return an error when the runtime is identified as Docker on Windows.

Signed-off-by: Shuyang Xin <gavinx@vmware.com>

pkg/agent/cniserver/interface_configuration_linux.go

@@ -647,7 +647,3 @@ func isVeth(link netlink.Link) bool {
 	_, isVeth := link.(*netlink.Veth)
 	return isVeth
 }
-
-func getOVSInterfaceType(ovsPortName string) int {
-	return defaultOVSInterfaceType
-}

pkg/agent/cniserver/interface_configuration_windows.go

@@ -51,7 +51,6 @@ var (
 	getNamespaceEndpointIDsFunc     = hcn.GetNamespaceEndpointIds
 	hotAttachEndpointFunc           = hcsshim.HotAttachEndpoint
 	attachEndpointInNamespaceFunc   = attachEndpointInNamespace
-	isContainerAttachOnEndpointFunc = isContainerAttachOnEndpoint
 	getHcnEndpointByIDFunc          = hcn.GetEndpointByID
 	deleteHnsEndpointFunc           = deleteHnsEndpoint
 	removeEndpointFromNamespaceFunc = hcn.RemoveNamespaceEndpoint
@@ -224,45 +223,20 @@ func (ic *ifConfigurator) createContainerLink(endpointName string, result *curre
 //   - Docker runtime: HNS API
 //   - containerd runtime: HCS API
 func attachContainerLink(ep *hcsshim.HNSEndpoint, containerID, sandbox, containerIFDev string) (*current.Interface, error) {
-	var attached bool
 	var err error
 	var hcnEp *hcn.HostComputeEndpoint
-	if isDockerContainer(sandbox) {
-		// Docker runtime
-		attached, err = isContainerAttachOnEndpointFunc(ep, containerID)
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		// containerd runtime
-		if hcnEp, err = getHcnEndpointByIDFunc(ep.Id); err != nil {
-			return nil, err
-		}
-		attachedEpIds, err := getNamespaceEndpointIDsFunc(sandbox)
-		if err != nil {
-			return nil, err
-		}
-		for _, existingEP := range attachedEpIds {
-			if existingEP == hcnEp.Id {
-				attached = true
-				break
-			}
-		}
+
+	// containerd runtime
+	if hcnEp, err = getHcnEndpointByIDFunc(ep.Id); err != nil {
+		return nil, err
 	}
 
-	if attached {
-		klog.V(2).Infof("HNS Endpoint %s already attached on container %s", ep.Id, containerID)
+	if hcnEp == nil {
+		return nil, fmt.Errorf("failed to get hcnEp on container %s", containerID)
 	} else {
-		if hcnEp == nil {
-			// Docker runtime
-			if err := hotAttachEndpointFunc(containerID, ep.Id); err != nil {
-				return nil, err
-			}
-		} else {
-			// containerd runtime
-			if err := attachEndpointInNamespaceFunc(hcnEp, sandbox); err != nil {
-				return nil, err
-			}
+		// containerd runtime
+		if err := attachEndpointInNamespaceFunc(hcnEp, sandbox); err != nil {
+			return nil, err
 		}
 	}
 	containerIface := &current.Interface{
@@ -273,10 +247,6 @@ func attachContainerLink(ep *hcsshim.HNSEndpoint, containerID, sandbox, containe
 	return containerIface, nil
 }
 
-func isContainerAttachOnEndpoint(endpoint *hcsshim.HNSEndpoint, containerID string) (bool, error) {
-	return endpoint.IsAttached(containerID)
-}
-
 func attachEndpointInNamespace(hcnEp *hcn.HostComputeEndpoint, sandbox string) error {
 	return hcnEp.NamespaceAttach(sandbox)
 }
@@ -485,15 +455,6 @@ func (ic *ifConfigurator) getInterceptedInterfaces(
 	return nil, nil, errors.New("getInterceptedInterfaces is unsupported on Windows")
 }
 
-// getOVSInterfaceType returns "internal". Windows uses internal OVS interface for container vNIC.
-func getOVSInterfaceType(ovsPortName string) int {
-	ifaceName := fmt.Sprintf("vEthernet (%s)", ovsPortName)
-	if !hostInterfaceExistsFunc(ifaceName) {
-		return defaultOVSInterfaceType
-	}
-	return internalOVSInterfaceType
-}
-
 func (ic *ifConfigurator) addPostInterfaceCreateHook(containerID, endpointName string, containerAccess *containerAccessArbitrator, hook postInterfaceCreateHook) error {
 	if containerAccess == nil {
 		return fmt.Errorf("container lock cannot be null")

pkg/agent/cniserver/pod_configuration.go

@@ -56,7 +56,6 @@ const (
 
 const (
 	defaultOVSInterfaceType int = iota //nolint suppress deadcode check for windows
-	internalOVSInterfaceType
 
 	defaultIFDevName = "eth0"
 )
@@ -265,15 +264,11 @@ func (pc *podConfigurator) configureInterfacesCommon(
 func (pc *podConfigurator) createOVSPort(ovsPortName string, ovsAttachInfo map[string]interface{}, vlanID uint16) (string, error) {
 	var portUUID string
 	var err error
-	switch getOVSInterfaceType(ovsPortName) {
-	case internalOVSInterfaceType:
-		portUUID, err = pc.ovsBridgeClient.CreateInternalPort(ovsPortName, 0, "", ovsAttachInfo)
-	default:
-		if vlanID == 0 {
-			portUUID, err = pc.ovsBridgeClient.CreatePort(ovsPortName, ovsPortName, ovsAttachInfo)
-		} else {
-			portUUID, err = pc.ovsBridgeClient.CreateAccessPort(ovsPortName, ovsPortName, ovsAttachInfo, vlanID)
-		}
+
+	if vlanID == 0 {
+		portUUID, err = pc.ovsBridgeClient.CreatePort(ovsPortName, ovsPortName, ovsAttachInfo)
+	} else {
+		portUUID, err = pc.ovsBridgeClient.CreateAccessPort(ovsPortName, ovsPortName, ovsAttachInfo, vlanID)
 	}
 	if err != nil {
 		klog.Errorf("Failed to add OVS port %s, remove from local cache: %v", ovsPortName, err)

pkg/agent/cniserver/pod_configuration_windows.go

@@ -26,7 +26,6 @@ import (
 	"antrea.io/antrea/pkg/agent/cniserver/ipam"
 	"antrea.io/antrea/pkg/agent/interfacestore"
 	"antrea.io/antrea/pkg/agent/types"
-	"antrea.io/antrea/pkg/agent/util"
 	"antrea.io/antrea/pkg/util/k8s"
 )
 
@@ -72,20 +71,10 @@ func (pc *podConfigurator) connectInterfaceToOVS(
 	// Use the outer veth interface name as the OVS port name.
 	ovsPortName := hostIface.Name
 	containerConfig := buildContainerConfig(ovsPortName, containerID, podName, podNamespace, containerIface, ips, vlanID)
-	hostIfAlias := util.VirtualAdapterName(ovsPortName)
 	// - For containerd runtime, the container interface is created after CNI replying the network setup result.
 	//   So for such case we need to use asynchronous way to wait for interface to be created: we create the OVS port
 	//   and set the OVS Interface type "" first, and change the OVS Interface type to "internal" to connect to the
 	//   container interface after it is created. After OVS connects to the container interface, an OFPort is allocated.
-	// - For Docker runtime, the container interface is created after antrea-agent attaches the HNSEndpoint to the
-	//   sandbox container, so we create OVS port synchronously.
-	// - Here antrea-agent determines the way of OVS port creation by checking if container interface is yet created.
-	//   If one day containerd runtime changes the behavior and container interface can be created when attaching
-	//   HNSEndpoint/HostComputeEndpoint, the current implementation will still work. It will choose the synchronized
-	//   way to create OVS port.
-	if hostInterfaceExistsFunc(hostIfAlias) {
-		return containerConfig, pc.connectInterfaceToOVSCommon(ovsPortName, netNS, containerConfig)
-	}
 	klog.V(2).Infof("Adding OVS port %s for container %s", ovsPortName, containerID)
 	ovsAttachInfo := BuildOVSPortExternalIDs(containerConfig)
 	portUUID, err := pc.createOVSPort(ovsPortName, ovsAttachInfo, containerConfig.VLANID)

pkg/agent/cniserver/server.go

@@ -442,6 +442,10 @@ func (s *CNIServer) CmdAdd(ctx context.Context, request *cnipb.CniCmdRequest) (*
 
 	result := &ipam.IPAMResult{Result: current.Result{CNIVersion: current.ImplementedSpecVersion}}
 	netNS := s.hostNetNsPath(cniConfig.Netns)
+	if !validateRuntime(netNS) {
+		// Support for Docker runtime has been deprecated in Antrea 2.0.
+		return nil, fmt.Errorf("failed to process CmdAdd request because Docker runtime is not supported after Antrea 2.0")
+	}
 	isInfraContainer := isInfraContainer(netNS)
 
 	success := false
@@ -563,6 +567,12 @@ func (s *CNIServer) CmdDel(ctx context.Context, request *cnipb.CniCmdRequest) (*
 		return response, nil
 	}
 
+	netNS := s.hostNetNsPath(cniConfig.Netns)
+	if !validateRuntime(netNS) {
+		// Support for Docker runtime has been deprecated in Antrea 2.0.
+		return nil, fmt.Errorf("failed to process CmdDel request because Docker runtime is not supported after Antrea 2.0")
+	}
+
 	return s.cmdDel(ctx, cniConfig)
 }
 
@@ -575,6 +585,12 @@ func (s *CNIServer) CmdCheck(_ context.Context, request *cnipb.CniCmdRequest) (
 		return response, nil
 	}
 
+	netNS := s.hostNetNsPath(cniConfig.Netns)
+	if !validateRuntime(netNS) {
+		// Support for Docker runtime has been deprecated in Antrea 2.0.
+		return nil, fmt.Errorf("failed to process CmdCheck request because Docker runtime is not supported after Antrea 2.0")
+	}
+
 	infraContainer := cniConfig.getInfraContainer()
 	s.containerAccess.lockContainer(infraContainer)
 	defer s.containerAccess.unlockContainer(infraContainer)

pkg/agent/cniserver/server_linux.go

@@ -37,6 +37,12 @@ func isInfraContainer(netNS string) bool {
 	return true
 }
 
+// validateRuntime returns true if the container runtime is supported by Antrea.
+// Always return true on Linux platform, because both Docker and Containerd are supported.
+func validateRuntime(netNS string) bool {
+	return true
+}
+
 // getInfraContainer returns the sandbox container ID of a Pod.
 // On Linux, it's always the ContainerID in the request.
 func (c *CNIConfig) getInfraContainer() string {

pkg/agent/cniserver/server_windows.go

@@ -64,6 +64,12 @@ func isDockerContainer(netNS string) bool {
 	return netNS == dockerInfraContainerNetNS || strings.Contains(netNS, ":")
 }
 
+// validateRuntime returns false if a container is created by Docker with the provided network namespace
+// because the Docker support has been removed since Antrea 2.0.
+func validateRuntime(netNS string) bool {
+	return !isDockerContainer(netNS)
+}
+
 func getInfraContainer(containerID, netNS string) string {
 	if isInfraContainer(netNS) {
 		return containerID