https://github.com/cilium/cilium

Revision Author Date Message Commit Date
c5049a5 helm: Add prometheus.metrics value The new prometheus.metrics value allows to disable and enable Prometheus metrics (+metric_foo to enable metric_foo, -metric_bar to enable metric_bar) and is used in the ConfigMap. Example of usage:
helm template cilium cilium \
  --namespace=kube-system \
  --set prometheus.enabled=true \
  --set prometheus.metrics="{-cilium_bpf_map_ops_total,+cilium_bpf_map_pressure}" \
  --set operator.prometheus.enabled=true \
  --set hubble.tls.enabled=false > with_custom_metrics.yaml
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 19 November 2020, 17:07:44 UTC
e067b50 Add map pressure metric for bpf maps with cache 17 November 2020, 17:31:59 UTC
7b55915 docs: document --nodes and --since cilium-sysdump's options Explain when the --nodes and --since cilium-sysdump's options should be used in order to collect all relevant logs and reduce the time required for this operation. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 17 November 2020, 14:36:15 UTC
9153a87 cilium, docs: add note to upgrade guide on host routing Add note to upgrade guide with regards to host routing probing. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 17 November 2020, 13:56:24 UTC
7436d3c cilium, status: add clock source status Add a Cilium status dump on this datapath feature in order to allow for easier introspection. Clock source will show up under --verbose. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 17 November 2020, 13:56:24 UTC
d170ce8 cilium, api: extend openapi to dump clock source status Dump info on whether we use ktime or jiffies in BPF datapath. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 17 November 2020, 13:56:24 UTC
3ce28c0 cilium, helm: add helm option for host routing setting Allow this knob to be configured for Helm users. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 17 November 2020, 13:56:24 UTC
bbd6886 cilium: reenable host routing on endpoint routes and ipsec ... since both need to go up the stack for packet handling. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 17 November 2020, 13:56:24 UTC
92edccf bpf: lift multi dev restriction on fast redirect Refactor current redirect_neigh() code into redirect_direct_{v4,v6}() and add multi-device support. The latter performs a route lookup and only calls into redirect_neigh() if L2 addresses must be resolved. It also passes the GW information from the fib_lookup() to redirect_neigh() to avoid a second lookup for the latter. This now enabled to use the fast redirect in the more general case. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 17 November 2020, 13:56:24 UTC
8b0c892 bpf: derive identity from ipcache for external traffic under fast redirect We're in a similar situation as ipvlan datapath here in that we must derive the secid for policy enforcement via SECCTX_FROM_IPCACHE. This is needed as now we do not push the packet up the stack anymore where it will take the tc egress path of the bpf_lxc dev where it would resolve the secid, but instead we pass it onwards via ipv{4,6}_local_delivery() from bpf_host given we do not have skip_redirect. So in the latter this gets encoded via CB_SRC_LABEL before tail calling into ep->lxc_id. In bpf_host resolve_srcid_ipv4() was always picking WORLD (2) which will fail CIDR-based enforcement, e.g. hubble logs revealed this: {"time":"2020-11-13T13:53:09.636444980Z","verdict":"DROPPED","drop_reason":133,"ethernet":{"source":"0a:4b:c4:b6:2d:4b","destination":"92:79:4f:8e:96:4f"},"IP":{"source":"192.168.36.13","destination":"10.0.1.190","ipVersion":"IPv4"},"l4":{"TCP":{"source_port":56228,"destination_port":80,"flags":{"SYN":true}}},"source":{"identity":2,"labels":["reserved:world"]},"destination":{"ID":1091,"identity":41849,"namespace":"default","labels":["k8s:io.cilium.k8s.policy.cluster=default","k8s:io.cilium.k8s.policy.serviceaccount=default","k8s:io.kubernetes.pod.namespace=default","k8s:zgroup=testDS"],"pod_name":"testds-944zc"},"Type":"L3_L4","node_name":"k8s2","event_type":{"type":5},"traffic_direction":"INGRESS","drop_reason_desc":"POLICY_DENIED","Summary":"TCP Flags: SYN"} The source identity in this case should have been 16777217 as per ipcache dump of ... [...] 192.168.36.13/32 16777217 0 0.0.0.0 [...] ... and thus it failed CI test 'Suite-k8s-1.12.K8sPolicyTest Multi-node policy test validates ingress CIDR-dependent L4 connectivity is restored after importing ingress policy' where a non-Cilium managed node (192.168.36.13) made a request to the backend Pod directly via curl. It succeeded before policy to allow 192.168.36.13 to port 80 was installed but failed after the latter was set in place due to secid mismatch. Fix it by enabling SECCTX_FROM_IPCACHE so that it can assign correct identity in resolve_srcid_ipv{4,6}(). Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 17 November 2020, 13:56:24 UTC
6b53c86 bpf: Fix ENABLE_EXTRA_HOST_DEV logic on host_id check Commit a695f532d060 ("Endpoint for host") changed the logic for the HOST_ID check to ... [...] #ifndef ENABLE_EXTRA_HOST_DEV - if (sec_label != HOST_ID) + if (from_host && sec_label != HOST_ID) #endif [...] ... with the rationale of: [...] ENABLE_EXTRA_HOST_DEV was only defined in init.sh for the from_host path. It is now defined from the Go side for all paths, and we check whether from_host is true in the C code instead. [...] Let's review the situation before a695f532d060: The reason we added the ENABLE_EXTRA_HOST_DEV define came from back when ipvlan was added via 7fbfe1cd92de (cilium, ipvlan: implement base host connectivity). The logic was placed in handle_ipv4() of bpf_netdev and invoked via from-netdev. When in direct routing or ipvlan mode, we would load the latter via 'bpf_load $NATIVE_DEV "$OPTS" "ingress" bpf_netdev.c bpf_netdev.o from-netdev $CALLS_MAP' to the native netdev facing external world and 'bpf_load $HOST_DEV1 "$OPTS" "egress" bpf_netdev.c bpf_host.o from-netdev $CALLS_MAP' to the cilium_host dev and in case of ipvlan where cilium_host is an ipvlan slave dev in hostns, the latter additionally has ENABLE_EXTRA_HOST_DEV set. This means for the veth case 'sec_label != HOST_ID' was always present, and for the ipvlan case 'sec_label != HOST_ID' was only compiled in for cilium_host / egress path. The change into 'from_host && sec_label != HOST_ID' has two issues after a695f532d060 transformation: i) The 'srcid_from_ipcache = *sec_label' assignment under this check is never invoked for traffic in case of veth datapath which is !from_host, that is, for outside world traffic arriving on the node. ii) Given after a695f532d060 the ENABLE_EXTRA_HOST_DEV is now defined from the Go side for all paths for ipvlan, the 'from_host && sec_label != HOST_ID' test is now compiled out and external traffic could wrongly assign HOST_ID. Meaning, for external traffic arriving on the node, the 'sec_label != HOST_ID' guard needs to stay intact. Fixes: a695f532d060 ("Endpoint for host") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 17 November 2020, 13:56:24 UTC
7ffff79 test: Bump migrate-svc-test image In the new version [1], the client sends a request to the server every 0.5s over the long-lived connection, and it expects a reply from the server in 1s. The change can help to catch intermittent connection failures during Cilium upgrades. [1]: https://github.com/cilium/migrate-svc-test/commit/edc628b2df7bd1002d3499c7f65df8c0396502ff Signed-off-by: Martynas Pumputis <m@lambda.lt> 17 November 2020, 13:12:33 UTC
7dc5a57 doc/hubble-internals: update Relay section to reflect its current state Hubble Relay is no more in-progress and is declared stable with the release of Cilium v1.9 thus remove the "work in progress" note Also update the Hubble internals doc section for Hubble Relay and complete the section with technical information. While here, fix a few typos in the whole doc section. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 17 November 2020, 10:25:13 UTC
a15a50d docker: Update references to cilium-builder Signed-off-by: Paul Chaignon <paul@cilium.io> 17 November 2020, 10:00:27 UTC
a629120 docker: Include llvm-objcopy in cilium-builder image The llvm-objcopy binary is retrieved from the cilium-llvm image which now compiles it. This binary is required to remove sections from object files loaded with bpftool in the K8sVerifier test. Signed-off-by: Paul Chaignon <paul@cilium.io> 17 November 2020, 10:00:27 UTC
188b16d docker: Update references to cilium-runtime Signed-off-by: Paul Chaignon <paul@cilium.io> 17 November 2020, 10:00:27 UTC
94aafd4 docker: Update references to cilium-llvm Signed-off-by: Paul Chaignon <paul@cilium.io> 17 November 2020, 10:00:27 UTC
659da4b ci/github: Replace set-env command by echo Related to https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/ Signed-off-by: Tam Mach <sayboras@yahoo.com> 17 November 2020, 09:26:45 UTC
493451f alignchecker: git should not ignore bpf_foo.o For better or for worse, we include `pkg/alignchecker/testdata/bpf_foo.o` into our tree so it should not be ignored by git. Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> 17 November 2020, 08:50:40 UTC
19c1818 cilium: Use strings, not byte slices, for JSON dumps As suggested by tklauser: https://github.com/cilium/cilium/pull/13759/files#r512232115 Signed-off-by: Tom Payne <tom@isovalent.com> 17 November 2020, 08:15:12 UTC
9e48678 bpf: datapath: Rewrite base devices setup in Go This change removes the part of init.sh responsible for base devices setup and reimplements it in Go. Ref: #920 Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 16 November 2020, 17:19:01 UTC
a774963 sysctl: Add ApplySettings function The new function writes sysctl settings provided as a slice. Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 16 November 2020, 17:19:01 UTC
a78f75e bpf: reduce complexity of logic to handle IPv4 fragments Refactor the logic to handle IPv4 fragments to have only a single call to `ctx_load_bytes()` in order to load the l4 ports tuple. This change fixes a complexity issue in 5.4 kernels which prevents the BPF program from being loaded by the verifier as it would reach the maximum amount of instructions that can be processed. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 16 November 2020, 17:04:09 UTC
e9bf184 bpf: fix complexity issue on kernels <5.3 This commit reduces the complexity of the "to-container" section by introducing a few state pruning points with the help of relax_verifier(). Pruning points have been determined by looking at the instructions that the verifier is spending the most passes on. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 16 November 2020, 17:04:09 UTC
bb001bd bpf: optimize relax_verifier() Replace the call to `csum_diff` with `get_smp_processor_id()` as with the latter we can avoid having to init r1-r5 registers. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 16 November 2020, 17:04:09 UTC
49aac62 bpf: reintroduce relax_verifier() relax_verifier() is a dummy helper call to introduce a pruning checkpoint to help relax the verifier to avoid reaching complexity limits on older kernels. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 16 November 2020, 17:04:09 UTC
18d64a4 datapath/probes: add support for misc features This commit adds support for the "misc" features reported by bpftool. This is exposed by the ProbeManager object through the GetMisc() method. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 16 November 2020, 17:04:09 UTC
938b494 bpf: add metrics for fragmented IPv4 packets This commit introduces 2 new metrics in the datapath logic related to fragmented IPv4 packets: * `REASON_FRAG_PACKET`: number of received fragmented packets * `REASON_FRAG_PACKET_UPDATE`: number of failures in updating the `IPV4_FRAG_DATAGRAMS_MAP` map to register the first logical fragment of a datagram Fixes: #11179 Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 16 November 2020, 17:04:09 UTC
38ab8f0 bpf: add support for SERVICE metrics This change introduces a new bpf metric (`METRIC_SERVICE`) which maps to the CT_SERVICE direction of a flow. Moreover, instead of having 2 different sets of constants for CT and metrics directions (requiring some logic to convert one into another), change the metrics directions so that they match the CT ones. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 16 November 2020, 17:04:09 UTC
2f38bfb runtime: specify ICMP ids on connectivity test The RuntimeConntrackInVethModeTest failed transiently (#12891). The test sends pings from client->server and expects them to work, and pings from server->client and expects them to not work (based on cilium policies). If the ICMP ids for these two cases match, current CT code allows packets in both directions. This patch uses a modified ping utility (called xping) that allows specifying the ICMP id when executing a ping to produce deterministic results. Currently, we only test the case where the ids do not match. Once the CT code is modified to address the above issue, we can add a test where the ids match. Related: #12891 Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> 16 November 2020, 13:18:16 UTC
8bb5a2d cilium/cmd: improve 'bpf metrics list' JSON output This commit changes the JSON output for the 'bpf metrics list' command from the current format:
```js
{
  "reason:0 dir:1": [ "count:63752 bytes:20913476" ],
  "reason:0 dir:2": [ "count:29697 bytes:2489416" ],
  "reason:132 dir:2": [ "count:27 bytes:1930" ]
}
```
which is hard to parse even with tools such as jq to a more structured format:
```js
[
  {
    "reason": 0,
    "description": "Success",
    "values": {
      "egress": { "packets": 29921, "bytes": 2508163 },
      "ingress": { "packets": 64220, "bytes": 21064892 }
    }
  },
  {
    "reason": 132,
    "description": "Invalid source ip",
    "values": {
      "egress": { "packets": 27, "bytes": 1930 }
    }
  }
]
```
Fixes: #13492 Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 16 November 2020, 12:05:15 UTC
4a2c709 mockmaps: add support for metricsmap Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 16 November 2020, 12:05:15 UTC
b59f139 cilium: Drop encryption with tunnel support beta tag Encryption with tunnel support has been working for some time and we've never dropped the beta tag. Let's drop it now for v1.10 seeing it's in use and working as expected. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 16 November 2020, 12:04:46 UTC
2815b78 datapath/iptables: de-duplicate program argument construction Merge common code for constructing iptables arguments. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 16 November 2020, 11:59:54 UTC
05eabc7 backporting: Stop scripts from running on non-Linux This is mainly for the benefit of macOS users typing in the wrong terminal. Signed-off-by: Tom Payne <tom@isovalent.com> 16 November 2020, 11:58:18 UTC
a553f79 dev-doctor: Add hub binary check Signed-off-by: Tom Payne <tom@isovalent.com> 16 November 2020, 11:58:18 UTC
ec41677 pkg: Use strings.Builder instead of bytes.Buffer where possible strings.Builder is optimized for building strings and performs a little better than bytes.Buffer. Signed-off-by: Tom Payne <tom@isovalent.com> 16 November 2020, 11:50:41 UTC
c158fb1 refactor(metrics): Cleanup deprecated metrics This commit is to clean up all deprecated metrics in 1.9. Signed-off-by: Tam Mach <sayboras@yahoo.com> 14 November 2020, 05:11:43 UTC
eb97aeb Update Go to 1.15.5 Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 14 November 2020, 05:08:14 UTC
ada413f pkg/k8s: trim spaces from loadBalancerSourceRanges Similarly to what is being done in upstream kube-proxy [1], but unfortunately without explaining why, loadBalancerSourceRanges might contain spaces which prevents the CIDR from being parsed correctly. [1] https://github.com/kubernetes/kubernetes/pull/94107 Fixes: 31956817bbd4 ("k8s: Add and parse LoadBalancerSourceRanges field") Signed-off-by: André Martins <andre@cilium.io> 14 November 2020, 05:06:49 UTC
f0f948d ipam: Fix ENI IPAM on smaller instance types This commit fixes the ENI IPAM mode when the instance types are very limited [1]. The problem was that Cilium by default was attempting to allocate 8 IPs (PreAllocate). However, on smaller instance types such as "t3a.micro" or similar, the maximum number of IPs that can be attached to one ENI device is 4. On top of that, Cilium by default does not use eth0 as an ENI device (default interface index is 1), which could further restrict itself from having enough ENIs for pods in the cluster. This commit fixes this by checking the instance type limits and adjusting the PreAllocate value. Additionally, we likely also need to include eth0 as an ENI device to give more buffer for Cilium to allocate IPs by setting the first interface index to 0. [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html?shortFooter=true#AvailableIpPerENI Signed-off-by: Chris Tarazi <chris@isovalent.com> 14 November 2020, 05:05:28 UTC
379ce1e ipam: Clarify purpose of (*Node).syncToAPIServer() Signed-off-by: Chris Tarazi <chris@isovalent.com> 14 November 2020, 05:05:28 UTC
623dcd3 ipam: Consolidate logic to sync to K8s apiserver In (*Node).syncToAPIServer(), there are two main loops (operations) which update the CiliumNode status and spec, respectively. The code was exactly the same except for this difference. This commit refactors the logic to consolidate the code when syncing to the CiliumNode resource to the apiserver. In addition, this refactor allows these two operations to have the same error handling flow [see commit a7451f82d4 ("ipam: Warn when failing to update CN status")]. The main motivation for that commit is to fix the swallowing of the error when update fails and the subsequent Get succeeds. Before this commit, the error handling flow was different between the two operations (update spec & status). Signed-off-by: Chris Tarazi <chris@isovalent.com> 14 November 2020, 05:05:28 UTC
6d9cfe4 eni: Refactor limits package This commit refactors the limits package. The biggest change is consolidating the limits map and its mutex into a single type. Functions with "limit" in the name have been removed because it is now redundant since these functions live under the limits package. The reason why this commit wasn't squashed with the previous is because git wouldn't consider the new file as a rename from the old, likely because of too many refactoring changes. Signed-off-by: Chris Tarazi <chris@isovalent.com> 14 November 2020, 05:05:28 UTC
d69045a eni: Move limits to separate package This commit was necessary to prevent an import cycle in a future commit. Signed-off-by: Chris Tarazi <chris@isovalent.com> 14 November 2020, 05:05:28 UTC
51826b3 vagrant: Bump all Vagrant box versions Signed-off-by: Paul Chaignon <paul@cilium.io> 14 November 2020, 05:00:22 UTC
f65bee5 helm/hubble-ui: fixed ingress configuration on EKS clusters fixes #14018 Signed-off-by: Maxime VISONNEAU <maxime.visonneau@gmail.com> 14 November 2020, 04:55:27 UTC
db43f04 dev-doctor: Add Helm check Helm is needed to generate files in install/kubernetes. Signed-off-by: Tom Payne <tom@isovalent.com> 13 November 2020, 14:28:44 UTC
54c716b dev-doctor: Add --backporting flag for backporters Signed-off-by: Tom Payne <tom@isovalent.com> 13 November 2020, 14:27:32 UTC
87b56a4 fqdn: Optimize KeepUniqueNames Not sure if this is of any actual significance, but KeepUniqueNames() is called from couple of places. Modify it to filter out duplicates in place so that no memory allocations are needed. Using naive search for duplicates instead of a map is about 5x faster for small sets of names. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 13 November 2020, 07:32:43 UTC
df9f66e Hubble-Relay: proxy metadata from originating client PR-12865 attempted to accomplish this by proxying the context object without modifying it, which is incorrect. The incoming and outgoing metadata keys are actually different and must be explicitly set in order for the metadata to be properly proxied. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 13 November 2020, 07:26:52 UTC
2df0d9d api/hubble: Explicitly mark unused fields as reserved All of these fields were used in older versions of the Hubble API. To avoid accidental re-use, this commit explicitly marks these fields as reserved. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 12 November 2020, 19:09:11 UTC
0d514ea docs: Replace outdated backporting docs with link README.md contained outdated instructions, so replace its contents with a link to the more up-to-date backporting guide. Signed-off-by: Tom Payne <tom@isovalent.com> 12 November 2020, 19:08:36 UTC
800b374 cilium/cmd: remove unnecessary parseLabels func The parseLabels func merely checks that the slice passed to it is not empty. All call sites are already protected by "if len(slice) > 0", so drop parseLabels entirely and directly append the checked slice to srcSlices/dstSlices. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 12 November 2020, 19:07:51 UTC
b115c54 dnsproxy: print total number of rules if too many GetRules() will not process more than 1000 rules per port. Print how many are the total rules in the message. Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> 12 November 2020, 19:06:48 UTC
1a67948 docs: Recommend use of backport scripts Backport scripts are recommended over the manual approach because they avoid most errors (forgetting to update the labels, opening against the master branch, etc.) and it makes the format of our backport PRs consistent, which simplifies reviews. Signed-off-by: Paul Chaignon <paul@cilium.io> 12 November 2020, 19:06:20 UTC
a626db4 docs: Title case for backports guide Signed-off-by: Paul Chaignon <paul@cilium.io> 12 November 2020, 19:06:20 UTC
d70a4e8 test/k8sT/manifests: use image hash with cilium-builder image Tags can be arbitrarily changed without the user noticing, potentially making the tag point to a completely different image. Instead, reference the cilium-builder image by its unique sha256 hash which is already done in all other places using the image. While at it, also bump the image to the latest version which was bumped to Go 1.15.4 in #13945. Fixes: 417cded995a7 ("test: Move RuntimeVerifier to K8sVerifier") Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 12 November 2020, 17:30:41 UTC
fe433b1 k8s: Disable K8s with LB mode This allows users to run with LB mode with Cilium deployed as a daemonset without needing to modify our charts. Our charts will inject the "K8S_NODE_NAME" environment variable which triggers the previous logic to enable K8s. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Chris Tarazi <chris@isovalent.com> 12 November 2020, 17:29:08 UTC
6a18ef2 daemon: Add LB-only mode (--datapath-mode=lb-only) The LB-only mode is intended to be run on load-balancing nodes which have connectivity neither to kube-apiserver nor kvstore. In this mode services are supposed to be configured via Cilium REST API. Chris has successfully figured out that disabling the identity allocator is enough for cilium-agent to run on such nodes (no connectivity to kube-apiserver/kvstore). Therefore, the LB-only mode disables it. In addition, when running in the LB-only mode, cilium-agent will configure some flags to achieve the following: * Enable kube-proxy replacement's NodePort and ExternalIPs implementation for access from outside, and HostReachableServices - from inside LB node. * Do not install iptables-rules and disable L7 proxy. * Disable the tunnel mode. * Disable health-checking (it's going to be implemented separately). An example how to run cilium-agent in the LB-only mode:
# ./daemon/cilium-agent \
    --enable-ipv4=true --enable-ipv6=false \
    --datapath-mode=lb-only --node-port-algorithm=maglev \
    --devices=eth0
Afterwards, a service can be added with:
# ./cilium/cilium service update \
    --frontend '7.7.7.7:80' \
    --backends '192.168.34.11:80,192.168.34.12:80' \
    --id 101 --k8s-external
Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 12 November 2020, 17:29:08 UTC
0c83c28 ctmap: Iterate SNAT map once when doing GC Previously, after receiving the signal from the datapath, we iterated NAT map twice: first to compare against CT TCP map, second - against CT any map. Obviously, doing the iterations two times was inefficient. This commit fixes that by passing both CT {TCP,any} maps to the NAT GC routine. This allows the NAT GC to iterate once. Suggested-by: Joe Stringer <joe@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 12 November 2020, 15:06:43 UTC
c9810bf ctmap: GC orphan SNAT entries This commit adds a mechanism to remove orphan SNAT entries. We call an SNAT entry orphan if it does not have either a corresponding CT entry or an SNAT entry in a reverse order. Both cases can happen due to LRU eviction heuristics (both CT and NAT maps are of the LRU type). The mechanism for the removal is based on the GC signaling in the datapath. When the datapath SNAT routine fails to find a free mapping after SNAT_SIGNAL_THRES attempts, it sends the signal via the perf ring buffer. The consumer of the buffer is the daemon. After receiving the signal it invokes the CT GC. The newly implemented GC addition iterates over all SNAT entries and checks whether a corresponding CT entry is found, and if not, it tries to remove both SNAT entries (for original and reverse flows). For now, I didn't add GC of orphan SNAT entries created by DSR to keep complexity of changes as low as possible. This will come as a follow up. Signed-off-by: Martynas Pumputis <m@lambda.lt> 12 November 2020, 15:06:43 UTC
ec64380 fqdn: pass CIDR matcher to (*DNSZombieMappings).DumpAlive The only caller of (*DNSZombieMappings).DumpAlive takes the returned slice and proceeds only if its IP matches. Rather than potentially wasting memory by returning zombie mappings which aren't used further, pass the matcher function and call it to determine whether the mapping should be included in the result. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 12 November 2020, 12:50:20 UTC
f5da1bc fqdn: add test for (*DNSZombieMappings).DumpAlive Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 12 November 2020, 12:50:20 UTC
871e7e1 fqdn: Make maximum number of IPs per restored rule configurable Only count the number of IPs for each FQDN selector/rule when storing rules for restoration, rather than ignoring later rules on a port after previous rules have hit the maximum number of IPs. Make the maximum number of IPs per restored rule configurable with the new option '--tofqdns-max-ips-per-restored-rule' (default 1000). Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 November 2020, 12:37:46 UTC
e8605f8 Add Registry Credentials to Tests In order to get around image registry pull limits, credentials can be set. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 12 November 2020, 10:46:10 UTC
2ae3f92 dev-doctor: Add check for go to Makefile target Signed-off-by: Tom Payne <tom@isovalent.com> 12 November 2020, 10:14:35 UTC
63b3421 dev-doctor: Check docker, docker-compose, and VBoxHeadless versions Signed-off-by: Tom Payne <tom@isovalent.com> 12 November 2020, 10:14:35 UTC
0c5af78 dev-doctor: Add alternative name for VirtualBox Signed-off-by: Tom Payne <tom@isovalent.com> 12 November 2020, 10:14:35 UTC
64462cc docs: Add dev-doctor to dev setup guide Signed-off-by: Tom Payne <tom@isovalent.com> 12 November 2020, 10:14:35 UTC
58e8d22 build: Add dev-doctor target Signed-off-by: Tom Payne <tom@isovalent.com> 12 November 2020, 10:14:35 UTC
ffbb209 tools: Initial commit of dev-doctor Signed-off-by: Tom Payne <tom@isovalent.com> 12 November 2020, 10:14:35 UTC
2757d9b vendor: Add gopkg.in/ini.v1 Signed-off-by: Tom Payne <tom@isovalent.com> 12 November 2020, 10:14:35 UTC
a77a075 hubble/ring: add more context to error message When a user specifies a HubbleEventBufferCapacity which is not one less than a power of 2 integer, provide an explicit error for that. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 11 November 2020, 17:41:16 UTC
68265b0 daemon/cmd: fix typo on -> one Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 11 November 2020, 17:41:16 UTC
6350cc1 fix broken link on readme Signed-off-by: kaitoii11 <kaitoii1111@gmail.com> 11 November 2020, 10:49:51 UTC
3ca315d checkpatch: update image tag to latest Update the tag for the checkpatch image in order to benefit from the latest changes when running the GitHub action: - Fix and update the issues reported by checkpatch. - Allow for passing arguments directly to checkpatch.pl (not just the bash script), such as --fix-inplace. See https://github.com/cilium/image-tools/pull/85. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 11 November 2020, 10:24:40 UTC
1d8763d hubble/container: fix Ring reported length and capacity One slot of the ring buffer is always reserved as the next slot to be written to and is thus unavailable for reading. This means that the actual ring buffer capacity is one less than the underlying slice. Up until now, `Cap()` was always lying about the actual capacity, which is now addressed by this commit. Similarly, with a buffer full, the buffer length reported by `Len()` was off by one. This is now fixed and `Len()` reports `Cap()` once the buffer is full. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 11 November 2020, 10:20:15 UTC
2ee91dd helm: use new hubble-event-buffer-capacity This new flag replaces `hubble-flow-buffer-size`. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 11 November 2020, 10:20:15 UTC
0c539b9 daemon|hubble: use container.Capacity to instantiate a new ring buffer The new Capacity type restricts the set of possible values that can be provided to `NewRing` to values that are actually valid. This prevents silently auto-adjusting the value to a valid one, which results in a different capacity than the one specified by the caller. This also requires using the newly introduced flag `HubbleEventBufferCapacity` in the daemon. The old flag (`HubbleFlowBufferSize`) is being deprecated. When the user specifies an invalid value using the old flag, it is automatically rounded up to the closest valid value in order to retain the old behavior as found in previous versions of Cilium. A warning is emitted when using the old flag which is set for deprecation in Cilium 1.11. The actual default value of `MaxFlows` has been 4095 for a while (overridden by the CLI default). Thus, update the default value in `hubble/observer` to better reflect this. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 11 November 2020, 10:20:15 UTC
9357b3b daemon: introduce new flag to specify Hubble events buffer capacity Mark the old flag as deprecated as well. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 11 November 2020, 10:20:15 UTC
6aff70a hubble/container: add Capacity type and constants The new Capacity type will be used as a parameter for `NewRing()`. This type restricts the set of capacity values to accepted ones. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 11 November 2020, 10:20:15 UTC
6e4b475 test: Switch from Cilium test logger to Ginkgo When executing ginkgo according to the instructions[0], the only error output was: FAIL: Cannot connect to vmName 'k8s1-1.18' After this change, the logs show the underlying error: cat: ssh-config: No such file or directory [0] https://docs.cilium.io/en/v1.8/contributing/testing/e2e/#running-end-to-end-tests-in-other-environments-via-ssh Signed-off-by: Manuel Buil <mbuil@suse.com> 11 November 2020, 10:07:56 UTC
13ac099 cilium/cmd: Fix skipping of .git directories Before this change, directory names were compared against the regular expression .git, which is unanchored and the dot matches any character, so this skipped directories like "foogitbar". This commit simplifies the initialization code and uses strings instead of regular expressions. Signed-off-by: Tom Payne <tom@isovalent.com> 11 November 2020, 09:57:50 UTC
72ac471 cilium/cmd: Replace exit code -1 with exit code 1 In two cases, cilium could exit with code -1, which gets converted to 255. Instead, always exit with code 1 in the event of failure. Also, remove an unnecessary os.Exit(0). Signed-off-by: Tom Payne <tom@isovalent.com> 11 November 2020, 09:57:23 UTC
ae2c145 test: Replace exit code -1 with exit code 1 Signed-off-by: Tom Payne <tom@isovalent.com> 11 November 2020, 09:56:46 UTC
6ab3f3c plugins/cilium-docker: Replace exit code -1 with exit code 1 Signed-off-by: Tom Payne <tom@isovalent.com> 11 November 2020, 09:56:46 UTC
8bf61aa operator: Replace exit code -1 with exit code 1 Signed-off-by: Tom Payne <tom@isovalent.com> 11 November 2020, 09:56:46 UTC
cf121f7 daemon/cmd: Replace exit code -1 with exit code 1 Signed-off-by: Tom Payne <tom@isovalent.com> 11 November 2020, 09:56:46 UTC
9e6cd0d clustermesh-apiserver: Replace exit code -1 with exit code 1 Signed-off-by: Tom Payne <tom@isovalent.com> 11 November 2020, 09:56:46 UTC
ae609c6 cilium-health: Replace exit code -1 with exit code 1 Signed-off-by: Tom Payne <tom@isovalent.com> 11 November 2020, 09:56:46 UTC
a02744c README: update security releases Signed-off-by: André Martins <andre@cilium.io> 10 November 2020, 18:45:08 UTC
238262f ci: log in to docker in vagrant boxes Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 10 November 2020, 18:42:31 UTC
019cd51 install/kubernetes: Remove manifest sha from image tag for certgen The switch to quay.io as the default docker registry made the `certgen` image tag invalid, as images built on quay.io and docker.io have a different SHA (they are built independently on both Quay and DockerHub). Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 10 November 2020, 18:00:47 UTC
bb796e2 test: disable fqdn connectivity test during restart From the focused testing in #13896 it seems that the connectivity test only fails during restart on kernel 4.9. However, when run as part of the full test suite, the connectivity check also seems to fail on e.g. GKE and 4.19. Thus, disable the connectivity test during restart altogether. If this turns out to make the test stable in quarantine we could as a follow-up move the "Restart Cilium validate that FQDN is still working" test out of quarantine and only restrict the restart connectivity test to quarantine. For #11213 Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 10 November 2020, 16:07:51 UTC
10a2a1f tools/licensegen: include licenses that have file extension Some projects in `vendor` use a file extension for their `LICENSE` file. Make sure to include them as well. A quick `find | grep` gave me the following list which I used as a basis for file extension to include (not including `.sh` and `.go`): $ find vendor -iname '*license*' | grep -oiE 'license\.[a-zA-Z0-9]+' | sort | uniq LICENSE.code LICENSE.docs license.go LICENSE.libyaml LICENSE.md license.sh LICENSE.txt When running `make licenses-all` again, the following licenses of previously missed license files are now also added to `LICENSE.all`: vendor/github.com/aws/aws-sdk-go-v2/LICENSE.txt vendor/github.com/cespare/xxhash/v2/LICENSE.txt vendor/github.com/cpuguy83/go-md2man/v2/LICENSE.md vendor/github.com/fatih/color/LICENSE.md vendor/github.com/go-stack/stack/LICENSE.md vendor/github.com/hpcloud/tail/LICENSE.txt vendor/github.com/opencontainers/go-digest/LICENSE.code vendor/github.com/opencontainers/go-digest/LICENSE.docs vendor/github.com/russross/blackfriday/LICENSE.txt vendor/github.com/russross/blackfriday/v2/LICENSE.txt vendor/github.com/spf13/afero/LICENSE.txt vendor/github.com/spf13/cobra/LICENSE.txt vendor/go.uber.org/atomic/LICENSE.txt vendor/go.uber.org/multierr/LICENSE.txt vendor/go.uber.org/zap/LICENSE.txt vendor/gopkg.in/yaml.v2/LICENSE.libyaml Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 10 November 2020, 11:12:51 UTC
6f420c2 .gitignore: ignore LICENSE.all Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 10 November 2020, 11:12:51 UTC
375a57e make: Fix dev-docker-image make target The pull of docker images during the dev-docker-image make target would previously mess up because of a lack of escaping of the $ in the grep statement, resulting in this message: $ make dev-docker-image [315/979] "docker pull" requires exactly 1 argument. See 'docker pull --help'. Usage: docker pull [OPTIONS] NAME[:TAG|@DIGEST] Pull an image or a repository from a registry [+] Building 6.2s (16/24) ... Fix it to ensure that environment variables are not used for pulling docker images, but that the grep statement doesn't exclude all of the other legitimate docker image targets. Fixes: 8a5bc179e08a ("build: Suppress warnings about invalid image names") Signed-off-by: Joe Stringer <joe@cilium.io> 10 November 2020, 08:28:27 UTC
ddbe42a docs: Add VM support GSG Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 10 November 2020, 05:08:22 UTC
e123227 helm: Do not deploy clustermesh-apiserver for clustermesh by default Require explicit setting of helm value 'clustermesh.useAPIServer=true' to deploy clustermesh-apiserver when using clustermesh. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 10 November 2020, 03:37:27 UTC