https://github.com/cilium/cilium

Revision Author Date Message Commit Date
0b6ecd9 dbg 17 March 2021, 08:37:50 UTC
1552a10 bpf: fix skb pacing for traffic from pods On top of [0] patches. Consider a socket which has SO_MAX_PACING_RATE of 4Gbit/s & the socket being part of a Pod. This is currently broken given skb->tstamps are cleared on redirect even though fq in hostns manages the socket's pacing. This fixes BBR and SO_MAX_PACING_RATE for Pods. Before (rates un{stable,predictable}): root@apoc:~/go/src/github.com/cilium/cilium# netperf -H 10.217.1.19 -t TCP_STREAM -l40 -s2 MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.217.1.19 () port 0 AF_INET : demo Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 87380 16384 16384 40.04 655.52 root@apoc:~/go/src/github.com/cilium/cilium# netperf -H 10.217.1.19 -t TCP_STREAM -l40 -s2 MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.217.1.19 () port 0 AF_INET : demo Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 87380 16384 16384 40.07 1274.70 root@apoc:~/go/src/github.com/cilium/cilium# netperf -H 10.217.1.19 -t TCP_STREAM -l40 -s2 MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.217.1.19 () port 0 AF_INET : demo Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 87380 16384 16384 40.07 1519.32 root@apoc:~/go/src/github.com/cilium/cilium# netperf -H 10.217.1.19 -t TCP_STREAM -l40 -s2 MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.217.1.19 () port 0 AF_INET : demo Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 87380 16384 16384 40.06 849.96 After, stable at 4Gbit/s: root@apoc:~/go/src/github.com/cilium/cilium# netperf -H 10.217.1.19 -t TCP_STREAM -l40 -s2 MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.217.1.19 () port 0 AF_INET : demo Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 87380 16384 16384 40.01 3976.04 root@apoc:~/go/src/github.com/cilium/cilium# netperf -H 10.217.1.19 -t TCP_STREAM -l40 -s2 MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.217.1.19 () port 0 AF_INET : demo Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 87380 16384 16384 40.01 3961.40 root@apoc:~/go/src/github.com/cilium/cilium# netperf -H 10.217.1.19 -t TCP_STREAM -l40 -s2 MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.217.1.19 () port 0 AF_INET : demo Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 87380 16384 16384 40.01 3957.66 root@apoc:~/go/src/github.com/cilium/cilium# netperf -H 10.217.1.19 -t TCP_STREAM -l40 -s2 MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.217.1.19 () port 0 AF_INET : demo Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 87380 16384 16384 40.01 3977.37 [0] https://git.kernel.org/pub/scm/linux/kernel/git/dborkman/bpf.git/log/?h=pr/bpf-fix-pacing Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 11 March 2021, 21:56:14 UTC
a9ecab1 endpoint: Overwrite endpoint datapath config. on restore On agent restarts, we serialize the endpoints to their header file to be able to restore them afterward. That means we also restore their datapath configuration regardless of any change in the agent's settings (e.g., status of per-endpoint routes). We therefore ignore changes to the per-endpoint routes setting (enable-endpoint-routes). Signed-off-by: Paul Chaignon <paul@cilium.io> 10 March 2021, 08:46:38 UTC
6ca568a endpoint: Fix datapath config. of host endpoint The host endpoint's EndpointDatapathConfiguration wasn't properly initialized and its header files are therefore missing some macros such as ENABLE_ROUTING. Fixes: a695f53 ("Endpoint for host") Signed-off-by: Paul Chaignon <paul@cilium.io> 10 March 2021, 08:46:38 UTC
0875453 endpoint: Refactor init of EndpointDatapathConfiguration EndpointDatapathConfiguration is initialized for every new endpoint based on whether per-endpoint routes are enabled. As commit dd59d1f ("health: Disable routing in BPF when per-endpoint routes are enabled") illustrates, this can lead to error where some initializations are updated and not others. This commit consolidates all initializations under a new helper function. Signed-off-by: Paul Chaignon <paul@cilium.io> 10 March 2021, 08:46:38 UTC
72e6238 loader: Remove program and route when disable endpoint routes When per-endpoint routes are enabled, a route is added for each endpoint. A BPF program is also attached to the lxc devices on the path to the containers. When per-endpoint routes are disabled, we need to remove the routes and the programs. Signed-off-by: Paul Chaignon <paul@cilium.io> 10 March 2021, 08:46:38 UTC
991fd55 cli: Rename kpr Protocols status field This commit renames the "Protocols" field to "Socket LB Protocols" to better reflect the fact that the field indicates which protocols are handled by the host reachable svc (aka socket-lb). The example output: $ cilium status --verbose [..] KubeProxyReplacement Details: Status: Strict Socket LB Protocols: TCP, UDP Devices: wlp3s0 192.168.178.29 (Direct Routing) Mode: SNAT Backend Selection: Random Session Affinity: Enabled XDP Acceleration: Disabled Services: - ClusterIP: Enabled - NodePort: Enabled (Range: 30000-32767) - LoadBalancer: Enabled - externalIPs: Enabled - HostPort: Enabled Also, I'm using socket-lb instead of host-reachable svc, as in v1.10 we are planning to rename the feature (it's used not only for reaching services from a host netns). Reported-by: Joe Stringer <joe@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 March 2021, 08:46:01 UTC
2b6e04f adds a getting started guide for Rancher Signed-off-by: Sean Winn <sean@isovalent.com> 10 March 2021, 08:45:23 UTC
f6806f8 gettingstarted: Corrected typos in memcached.rst Signed-off-by: darren mackintosh unixdaddy@gmail.com 10 March 2021, 08:44:36 UTC
206f3ae ipam/aws: updated EC2 instances ENI limits In this change, I also added a helper function as a comment to make it easier to update in the future. Signed-off-by: Maxime VISONNEAU <maxime.visonneau@gmail.com> 10 March 2021, 08:44:04 UTC
602e5ce nat: Create SNAT maps only if BPF NodePort is enabled The IPv4 and IPv6 SNAT maps are only used if BPF NodePort is enabled. Commit cac5218 ("datapath: remove SNAT maps entries when kube-proxy is enabled") removed the maps on startup if BPF NodePort is disabled. We were however still creating them regardless of the BPF NodePort status. The creation started a controller which then fails once the actual map is removed. This commit fixes the issue by not creating the userspace object, including the controller, for the SNAT maps when BPF NodePort is disabled. Fixes: cac5218 ("datapath: remove SNAT maps entries when kube-proxy is enabled") Fixes: https://github.com/cilium/cilium/issues/15141 Signed-off-by: Paul Chaignon <paul@cilium.io> 10 March 2021, 02:16:15 UTC
37ab40e daemon: Init KPR options early, before map info inits Initialize the kube-proxy replacement options earlier in the agent startup, to ensure all options have reached their final state (based on kernel probes and option conflicts) when we initialize the BPF map information (e.g., whether or not to create NAT maps based on whether BPF NodePort is enabled). Signed-off-by: Paul Chaignon <paul@cilium.io> 10 March 2021, 02:16:15 UTC
2a62b83 ctmap: Remove NatMap interface Using the NatMap interface was causing issues when trying to check if the natMap attribute is nil. We don't need the NatMap interface and can simply use *nat.Map directly. Suggested-by: Tobias Klauser <tklauser@distanz.ch> Signed-off-by: Paul Chaignon <paul@cilium.io> 10 March 2021, 02:16:15 UTC
93962ed envoy: Silently discard expected warnings if flowdebug is not enabled Envoy 1.17 keeps warning about a known runtime singleton issue which will not be fixed before Envoy release 1.18. Silently drop these warnings unless flowdebug is enabled (via --debug-verbose=flow). Remove this special treatment when the upstream envoy issue https://github.com/envoyproxy/envoy/issues/13504 is fixed. Fixes: #14919 Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 10 March 2021, 00:48:48 UTC
a374c3e bpf: fix collect_md mode for cilium_ipip6 device Previously, when creating a cilium_ipip6 device in collect_md mode, the kernel driver would auto-load and ignore the collect_md mode. This is in contrast to cilium_ipip4 where this is possible for the default device. While for v4 the trick ... ip link add name tunl0 type ipip external || true ip link set tunl0 name $ENCAP_DEV ... does the job, it is not the case for v6. Given we now set the sysctl net.core.fb_tunnels_only_for_init_net to ignore device creation on module auto-load, we only need to deal with the case of cilium_ipip6 where the CONFIG_IPV6_TUNNEL=y is set in kernel configs. For this scenario, we have to 'dummy/waste' devices now, but therefore we reliably get the cilium_ipip6 into collect_md mode: [...] 9: cilium_ipip4@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000 link/ipip 0.0.0.0 brd 0.0.0.0 promiscuity 0 minmtu 0 maxmtu 0 ipip external numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 10: cilium_ipip6@NONE: <NOARP,UP,LOWER_UP> mtu 1452 qdisc noqueue state UNKNOWN group default qlen 1000 link/tunnel6 :: brd :: promiscuity 0 minmtu 68 maxmtu 65407 ip6tnl external numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 inet6 fe80::880a:cdff:fe36:e0e2/64 scope link valid_lft forever preferred_lft forever [...] Health probes for plain v6 work as expected now [0]. [0] https://github.com/cilium/health-examples/blob/master/v6.c Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 10 March 2021, 00:14:47 UTC
43eb0e0 bpf, base: set fb_tunnels_only_for_init_net to 2 for lb-only For v5.10+ kernels, set fb_tunnels_only_for_init_net to 2 in order to prevent default tunnel (fallback) device creation on module auto-load. This helps to avoid useless creation of v6/sit tunnel device which sits in hostns and is immutable aka cannot be set to collect_md mode. Make this non-fatal given older kernels don't support mode 2. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 10 March 2021, 00:14:47 UTC
fde0bda build(deps): update helm/kind-action requirement to v1.1.0 Updates the requirements on [helm/kind-action](https://github.com/helm/kind-action) to permit the latest version. - [Release notes](https://github.com/helm/kind-action/releases) - [Commits](https://github.com/helm/kind-action/commits/7a937c0fb648064a83b8b9354151e5e543d9fcec) Signed-off-by: dependabot[bot] <support@github.com> 09 March 2021, 20:56:56 UTC
1ef1dd5 install/kubernetes: remove quick-install from master branches Since `:latest` tags are no longer available in the docker image repositories, we will remove the quick-install.yaml from the master branch. However, this will still be valid for stable branches so we will keep the GH action to still run on those branches. Signed-off-by: André Martins <andre@cilium.io> 09 March 2021, 19:08:31 UTC
e2d9cbb build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds Bumps [github.com/aws/aws-sdk-go-v2/feature/ec2/imds](https://github.com/aws/aws-sdk-go-v2) from 1.0.0 to 1.0.2. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.0.0...feature/ec2/imds/v1.0.2) Signed-off-by: dependabot[bot] <support@github.com> 09 March 2021, 12:13:54 UTC
b24ab59 contrib: Convert consolidate_go_stacktrace.py to python3 Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 09 March 2021, 10:31:59 UTC
88099ab policy: Fix typo in issue link The feature is to have user-defined policy *entities* that match a set of identities, not to override the underlying identities for pods. Signed-off-by: Joe Stringer <joe@cilium.io> 09 March 2021, 10:28:29 UTC
553e965 azure: Add Gateway field to AzureInterface and deprecate GatewayIP field The JSON tag for GatewayIP field does not follow the same convention as other fields. In order to have the same consistency across all JSON tags, we introduce Gateway field and deprecate GatewayIP field. Signed-off-by: Anish Shah <anishshah@google.com> 09 March 2021, 10:26:56 UTC
ba06970 azure: Add the correct JSON tag to GatewayIP field in CiliumNode CRD The incorrect JSON tag "-" was added to GatewayIP field in commit 8de6dc5 that was causing GatewayIP field to not get populated in CiliumNode CRD. Signed-off-by: Anish Shah <anishshah@google.com> 09 March 2021, 10:26:56 UTC
7ae8c44 hubble: distinguish AUDIT policy verdict from FORWARDED This patch allows hubble to distinguish whether a packet is allowed due to the audit mode or because it complies with the security policy. Only affects events of type `policy-verdict` in L3/L4. Fixes: #14692 Signed-off-by: Jaff Cheng <jaff.cheng.sh@gmail.com> 09 March 2021, 10:03:59 UTC
f35430d CI 3.0: A New Hope This is the beginning of 3.0 - A New Hope. A first test is added which utilizes kind to create a Kubernetes cluster and cilium/cilium-cli to perform the Cilium installation and perform connectivity tests. This test has the following coverage: - Kubernetes 1.19 - Connectivity test (pod, services, NodePort, world) - With and without encryption - Hubble + Relay flow collection and API usage The test takes 10min to run As cilium/cilium-cli is expanded with additional connectivity tests, this test automatically gains in coverage. Signed-off-by: Thomas Graf <thomas@cilium.io> 09 March 2021, 09:29:56 UTC
c8d7b82 .github: Improve digest formatting in workflow This just adjusts the formatting slightly to follow the digest formats that we have used to report recent releases. Cosmetic only. Signed-off-by: Joe Stringer <joe@cilium.io> 09 March 2021, 01:42:46 UTC
3560ec7 contrib: Submit release PRs via user repo Rather than depending on the ability to push release PRs via the main cilium repo, rely on the release manager's repo for this instead. Signed-off-by: Joe Stringer <joe@cilium.io> 09 March 2021, 01:42:46 UTC
216dc75 contrib: Move contributor remote detection to lib Move this function into the common lib area so that it can be reused by other scripts such as the release scripts. Signed-off-by: Joe Stringer <joe@cilium.io> 09 March 2021, 01:42:46 UTC
f330af5 contrib: Use 'get_remote' shell fn to fetch remote This helps when you have multiple remotes like 'upstream', 'origin'. Signed-off-by: Joe Stringer <joe@cilium.io> 09 March 2021, 01:42:46 UTC
79d0719 docs: Clarify external workload docs Instruct users to pull the Cilium image before disabling 'systemd-resolved.service'. Mention that the port 2379 needs to be explicitly given in LoadBalancer instructions. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 08 March 2021, 19:50:27 UTC
8105ca4 envoy: Do not use deprecated fields Use new options instead of these deprecated fields to avoid deprecation warnings: - RouteAction.max_grpc_timeout - Cluster.protocol_selection - Cluster.http2_protocol_options Define runtime option "overload.global_downstream_max_connections" to avoid a warning like: "there is no configured limit to the number of allowed active connections. Set a limit via the runtime key overload.global_downstream_max_connections" Fixes: #14919 Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 08 March 2021, 19:21:43 UTC
4880792 .github: remove comments of GH action versions Dependabot will update those commit SHAs automatically and the version number will quickly become outdated. To avoid confusion, we will remove the comments related to the versions a SHA points to from all GH actions. Signed-off-by: André Martins <andre@cilium.io> 08 March 2021, 16:58:45 UTC
892212a .github/ISSUE_TEMPLATE/release_template.md re-write release process to have more automation Signed-off-by: André Martins <andre@cilium.io> 08 March 2021, 16:58:45 UTC
14a9087 contrib/release: do not require images to be downloaded locally The SHAs are available in the GH run, so we can use the GH API to retrieve them automatically. Signed-off-by: André Martins <andre@cilium.io> 08 March 2021, 16:58:45 UTC
cca3f1e .github: generate release files automatically Having files with the right format will make it easier to download them locally and use them as part of the release process. Signed-off-by: André Martins <andre@cilium.io> 08 March 2021, 16:58:45 UTC
95012eb images/scripts: fix get-image-digest to work on any image Signed-off-by: André Martins <andre@cilium.io> 08 March 2021, 16:58:45 UTC
4ebe592 install: add digests into helm charts This commit adds a simple way to add the image digests into the official helm charts. Signed-off-by: André Martins <andre@cilium.io> 08 March 2021, 16:58:45 UTC
e38b242 build(deps): bump golangci/golangci-lint-action from v2.5.0 to v2.5.1 Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from v2.5.0 to v2.5.1. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](https://github.com/golangci/golangci-lint-action/compare/v2.5.0...d9f0e73c0497685d68af8c58280f49fcaf0545ff) Signed-off-by: dependabot[bot] <support@github.com> 08 March 2021, 16:03:12 UTC
3697692 build(deps): bump KyleMayes/install-llvm-action from v1 to v1.1.1 Bumps [KyleMayes/install-llvm-action](https://github.com/KyleMayes/install-llvm-action) from v1 to v1.1.1. - [Release notes](https://github.com/KyleMayes/install-llvm-action/releases) - [Commits](https://github.com/KyleMayes/install-llvm-action/compare/v1...32c4866ebb71e0949e8833eb49beeebed48532bd) Signed-off-by: dependabot[bot] <support@github.com> 08 March 2021, 15:59:49 UTC
44b9943 build(deps): update docker/build-push-action requirement to 9379083e426e2e84abb80c8c091f5cdeb7d3fd7a Updates the requirements on [docker/build-push-action](https://github.com/docker/build-push-action) to permit the latest version. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/commits/9379083e426e2e84abb80c8c091f5cdeb7d3fd7a) Signed-off-by: dependabot[bot] <support@github.com> 08 March 2021, 15:53:09 UTC
08d0af4 bpf: disable bpf host routing when we disable bpf nodeport We should really just disable BPF host routing when we generally disable BPF based NodePort handling given the latter is a hard dependency of the former. Fixes: 67f2c88e5cc2 ("daemon: Fix ordering of BPF host routing detection") Fixes: 7e0cb3333303 ("bpf: do not enable host routing when kpr is disabled") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 08 March 2021, 14:53:45 UTC
e68305f bpf: clean up bpf host routing availability checks After 67f2c88e5cc2 ("daemon: Fix ordering of BPF host routing detection") moved the checks, we're now at a code path where we know that BPF NodePort handling is enabled and cannot be disabled from that point onwards. Therefore, the !option.Config.EnableNodePort test serves no purpose anymore and should just be removed. Also clean up the comments and log messages to order them a bit from the case where the host stack is required to where it is not and still needs implementation. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 08 March 2021, 14:53:45 UTC
6b654d2 bpf: unbreak bpf host routing for tunnels Commit ffd02dd37aeb ("bpf: enable bpf host routing for tunnels") enabled BPF host routing for encaps. However, this got broken via rebase from 67f2c88e5cc2 ("daemon: Fix ordering of BPF host routing detection") where it added the check to the switch case again. :/ Lets have another attempt and (hopefully finally) enable BPF host routing for tunnels. Fixes: 67f2c88e5cc2 ("daemon: Fix ordering of BPF host routing detection") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 08 March 2021, 14:53:45 UTC
bacc2c1 Optimize Label.String() Currently Hubble calls Label.String() for each label in every flow. This PR micro-optimizes Label.String() by using the plus operator instead of fmt.Sprintf.
```
// Before
BenchmarkLabel_String-8   5566522    214 ns/op   96 B/op   4 allocs/op
// After
BenchmarkLabel_String-8  19522693   60.6 ns/op   48 B/op   1 allocs/op
```
Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 08 March 2021, 12:10:50 UTC
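As an added illustration of the micro-optimisation in bacc2c1 (example code written for this page, not Cilium's pkg/labels), here are the two shapes of Label.String() side by side, with the allocation count taken the same way `go test -benchmem` derives allocs/op. The Label type and the source:key=value format are assumptions modelled on the commit, not copied from the repository.

```go
package main

import (
	"fmt"
	"testing"
)

// Label is a constructed stand-in for a Hubble/Cilium label: a source, a
// key and an optional value. This is an illustrative copy, not the
// project's own type.
type Label struct {
	Key    string
	Value  string
	Source string
}

// StringSprintf is the pre-bacc2c1 shape: every call boxes its three string
// arguments into interfaces (one heap allocation each) and then allocates
// the result, which is where the 4 allocs/op in the commit come from.
func StringSprintf(l Label) string {
	if l.Value != "" {
		return fmt.Sprintf("%s:%s=%s", l.Source, l.Key, l.Value)
	}
	return fmt.Sprintf("%s:%s", l.Source, l.Key)
}

// StringConcat is the post-bacc2c1 shape: the compiler lowers the whole `+`
// chain into a single runtime concatenation, so only the result is allocated.
func StringConcat(l Label) string {
	if l.Value != "" {
		return l.Source + ":" + l.Key + "=" + l.Value
	}
	return l.Source + ":" + l.Key
}

// sink keeps the result alive so the compiler cannot elide the call.
var sink string

// AllocsPerCall measures average heap allocations per call of fn, the same
// quantity the benchmark in the commit reports as allocs/op.
func AllocsPerCall(fn func(Label) string) float64 {
	l := Label{Source: "k8s", Key: "app", Value: "hubble-relay"} // constructed sample
	return testing.AllocsPerRun(1000, func() { sink = fn(l) })
}

func main() {
	l := Label{Source: "k8s", Key: "io.kubernetes.pod.namespace", Value: "kube-system"}
	fmt.Println("same output:", StringSprintf(l) == StringConcat(l))
	fmt.Println("allocs/op Sprintf:", AllocsPerCall(StringSprintf), "concat:", AllocsPerCall(StringConcat))
}
```

The two functions must agree on both the key=value and the value-less forms; the allocation measurement is what tells you the rewrite actually helped rather than just looking leaner.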
3ab0710 test: Respect cilium.holdEnvironment on Cilium status check In local tests, when -cilium.holdEnvironment=true, the tests don't pause if Cilium pods fail to become ready. That is because we fail the test with ginkgo.Fail instead of our wrapper function helpers.Fail. This commit fixes it. Signed-off-by: Paul Chaignon <paul@cilium.io> 08 March 2021, 11:58:44 UTC
fec3c36 docs: Fix ginkgo commands for e2e tests in GKE/EKS This commit fixes the ginkgo command used to run end-to-end tests in cloud environments (e.g., GKE or EKS). Fixes: 1141308 ("test: add `ciliu.operator-suffix` cli option") Signed-off-by: Paul Chaignon <paul@cilium.io> 08 March 2021, 11:58:33 UTC
b658690 docs: Fix commands to build dev. docker images Fixes: bc7945d ("build: Fix buildx use") Signed-off-by: Paul Chaignon <paul@cilium.io> 08 March 2021, 11:45:48 UTC
2aa1ebc .github/workflows: remove `go version` commands from golangci-lint job These commands were used to debug why Go 1.16 wasn't used while working on #15080, but weren't removed before submitting. Fixes: 3e0fcd4fb0b9 (".github/workflows: update golangci-lint GitHub action for Go 1.16 support") Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 08 March 2021, 11:44:01 UTC
9ae3e30 tools/licensegen: consider COPYING files Some projects use a COPYING file for their license. Consider these as well. Currently, the only vendored dependency using such a file is github.com/BurntSushi/toml: $ diff -u LICENSE.all LICENSE.all.new --- LICENSE.all 2021-03-08 11:12:05.281088204 +0100 +++ LICENSE.all.new 2021-03-08 11:11:38.757023948 +0100 @@ -2132,6 +2132,29 @@ See the License for the specific language governing permissions and limitations under the License. +Name: vendor/github.com/BurntSushi/toml/COPYING +License: The MIT License (MIT) + +Copyright (c) 2013 TOML authors + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + Name: vendor/github.com/Microsoft/go-winio/LICENSE License: The MIT License (MIT) Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 08 March 2021, 11:43:25 UTC
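Review bot: the hunk shows only the regenerated LICENSE.all output, and the new entry lands between the Apache text above it and vendor/github.com/Microsoft/go-winio/LICENSE, so COPYING files are sorted by path alongside LICENSE files rather than appended at the end, which is the behaviour you want from the generator. One thing to double-check before merging: the diff header timestamps LICENSE.all.new at 11:11:38 and LICENSE.all at 11:12:05, i.e. the "new" file predates the old one, so confirm the committed LICENSE.all was produced by a final run of tools/licensegen after the COPYING change rather than by this earlier intermediate file.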
1378bb1 config: remove POLICY_AUDIT_MODE from node_config.h Fix: #15197 If audit mode is enabled at agent startup, the POLICY_AUDIT_MODE macro in node_config.h will override the corresponding settings in each endpoint's header file, which leads to runtime changes (via CLI/API) not working. Looking at the code, the macro in node_config.h seems to be unnecessary and can be removed. And this can solve the problem described above. Signed-off-by: ArthurChiao <arthurchiao@hotmail.com> 08 March 2021, 10:28:29 UTC
5e7b8fc docs: Remove -noColor from ginkgo flags I checked the git logs and couldn't find any stated reason for passing -noColor by default. If developers have issues with the color rendering, they can of course always disable it with -noColor. Signed-off-by: Paul Chaignon <paul@cilium.io> 08 March 2021, 10:28:11 UTC
6986c55 Documentation: update iproute2 git URL in bpf.rst Signed-off-by: Dmitry Savintsev <dsavints@verizonmedia.com> 08 March 2021, 10:27:46 UTC
31a98a8 docs: upgrade - make CNI exclusivity notice more explicit Provide clearer workarounds for the change of behaviour. Link to the PR that introduced it since it links to relevant issues. Signed-off-by: Timo Beckers <timo@isovalent.com> 08 March 2021, 10:27:21 UTC
c40b8cd plugins/cilium-cni: don't touch CNI dir if CILIUM_CUSTOM_CNI_CONF is set Fixes https://github.com/cilium/cilium/issues/14838. Setting CILIUM_CUSTOM_CNI_CONF on the container now provides full control for the user to manage their own CNI configs. The cilium-cni binary is still installed during agent startup unconditionally. This patch makes CILIUM_CUSTOM_CNI_CONF skip the CNI exclusivity behaviour as well as the Cilium config removal during both startup and shutdown. The agent can still be used with `--read-cni-conf` and `--write-cni-conf-..`. Signed-off-by: Timo Beckers <timo@isovalent.com> 08 March 2021, 10:27:21 UTC
db2ad2a daemon: Disable BPF host routing when L2-less detected Until https://github.com/cilium/cilium/issues/15075 has been resolved. Signed-off-by: Martynas Pumputis <m@lambda.lt> 05 March 2021, 22:53:59 UTC
9d36e9c datapath: Only make ETH_HLEN as static data if L3 dev exist This should eliminate a datapath perf penalty introduced by the L2-less changes when running on systems on which all involved devices have L2 addrs. Signed-off-by: Martynas Pumputis <m@lambda.lt> 05 March 2021, 22:53:59 UTC
67f2c88 daemon: Fix ordering of BPF host routing detection Fix a bug when NodePort BPF is disabled after the device detection, and BPF host routing is kept enabled. Fixes: 7e0cb333 ("bpf: do not enable host routing when kpr is disabled") Signed-off-by: Martynas Pumputis <m@lambda.lt> 05 March 2021, 22:53:59 UTC
f4b52aa daemon: Do not ignore L2-less devices in dev auto detection The previous commit added support for L2-less devices. Signed-off-by: Martynas Pumputis <m@lambda.lt> 05 March 2021, 22:53:59 UTC
a977392 datapath: Support NodePort BPF on L2-less devices This commit extends NodePort BPF by making it possible to run it on L3 network devices (without L2 addr). One prominent case is the Wireguard tunnel device (wg0). The main idea of the change is to make ETH_HLEN configurable via ELF templating (on L2-less devices we set it to 0 during the load time), and to craft an L2 hdr when forwarding from L2-less to L2 device. Signed-off-by: Martynas Pumputis <m@lambda.lt> 05 March 2021, 22:53:59 UTC
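The forwarding rule a977392 describes (ETH_HLEN of 0 on an L2-less device, and an L2 header crafted when a packet crosses from an L3-only device such as wg0 to an Ethernet device) in plain Go, as an added example for this page rather than Cilium's BPF datapath. The Device type, the field names and the sample packets are constructed for the illustration; the EtherType constants are the standard ETH_P_IP and ETH_P_IPV6 values.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

const (
	ethHLen  = 14     // ETH_HLEN: dst MAC (6) + src MAC (6) + EtherType (2)
	ethPIP   = 0x0800 // ETH_P_IP
	ethPIPv6 = 0x86DD // ETH_P_IPV6
)

// Device keeps only what matters here: whether the netdev has an L2 header
// at all (eth0 does, a WireGuard wg0 does not) and its MAC address.
type Device struct {
	Name  string
	HasL2 bool
	MAC   net.HardwareAddr // nil on an L2-less device
}

// HeaderLen is the per-device ETH_HLEN the commit makes configurable:
// 14 on an Ethernet device, 0 on an L3-only device.
func (d Device) HeaderLen() int {
	if d.HasL2 {
		return ethHLen
	}
	return 0
}

var errShort = errors.New("packet shorter than its L2 header")

// etherTypeFor derives the EtherType from the IP version nibble, the only
// information an L3-only device gives us about what it carried.
func etherTypeFor(ip []byte) (uint16, error) {
	if len(ip) == 0 {
		return 0, errors.New("empty packet")
	}
	switch ip[0] >> 4 {
	case 4:
		return ethPIP, nil
	case 6:
		return ethPIPv6, nil
	default:
		return 0, fmt.Errorf("unknown IP version nibble %d", ip[0]>>4)
	}
}

// Forward rewrites pkt, received on in, so that it can be sent on out: the L2
// header is stripped when leaving through an L2-less device and crafted
// (next-hop MAC, out's MAC, EtherType) when entering an L2 device from an
// L2-less one. nextHop is ignored when out has no L2.
func Forward(pkt []byte, in, out Device, nextHop net.HardwareAddr) ([]byte, error) {
	if len(pkt) < in.HeaderLen() {
		return nil, errShort
	}
	ip := pkt[in.HeaderLen():] // the L3 packet, wherever it came from
	if !out.HasL2 {
		return append([]byte(nil), ip...), nil
	}
	etherType, err := etherTypeFor(ip)
	if err != nil {
		return nil, err
	}
	if len(nextHop) != 6 || len(out.MAC) != 6 {
		return nil, errors.New("need 6-byte MACs to build an Ethernet header")
	}
	frame := make([]byte, ethHLen+len(ip))
	copy(frame[0:6], nextHop)
	copy(frame[6:12], out.MAC)
	binary.BigEndian.PutUint16(frame[12:14], etherType)
	copy(frame[ethHLen:], ip)
	return frame, nil
}

func main() {
	wg0 := Device{Name: "wg0"}
	eth0 := Device{Name: "eth0", HasL2: true, MAC: net.HardwareAddr{0x02, 0, 0, 0, 0, 0x01}}
	gw := net.HardwareAddr{0x02, 0, 0, 0, 0, 0xfe}
	// Constructed 20-byte IPv4 header (version 4, IHL 5) with no payload.
	ipv4 := append([]byte{0x45, 0, 0, 20}, make([]byte, 16)...)
	frame, err := Forward(ipv4, wg0, eth0, gw)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d bytes on eth0, ethertype %#04x\n", len(frame), binary.BigEndian.Uint16(frame[12:14]))
}
```

The failure mode to keep in mind is the one the version-nibble check guards: on an L2-less device there is no EtherType to copy, so a packet whose first nibble is neither 4 nor 6 cannot be forwarded onto an Ethernet device and must be dropped rather than sent with a guessed type.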
29f01fd test: update internal lyft certificate These files are generated by $ cd test/k8sT/manifests ## openssl genrsa -out internal-lyft.key 2048 # already existed $ openssl req -new -key internal-lyft.key -out internal-lyft.csr $ openssl x509 -req -days 3600 -in internal-lyft.csr -CA testCA.crt -CAkey testCA.key -CAcreateserial -out internal-lyft.crt -sha256 common name needs to be `www.lyft.com`. testCA.key password is `cilium` Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 05 March 2021, 13:08:40 UTC
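The same three-step procedure as the openssl commands in 29f01fd (self-signed test CA, CSR for the common name, CA-signed leaf with a SHA-256 signature and 3600 days of validity), carried through in Go with crypto/x509, followed by the check a TLS client would do against the result. This is an added example for this page, not the repository's fixtures or tooling: the CA name is invented, nothing is read from or written to test/k8sT/manifests, and one caveat is made explicit that the openssl steps do not show: Go's verifier ignores the CN when matching a host name, so the leaf also carries www.lyft.com as a SAN.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const validityDays = 3600 // mirrors `-days 3600` in the commit message

// Fixture is the in-memory counterpart of testCA.{crt,key} and
// internal-lyft.{crt,key}; everything is generated on the fly.
type Fixture struct {
	CA      *x509.Certificate
	CAKey   *rsa.PrivateKey
	Leaf    *x509.Certificate
	LeafKey *rsa.PrivateKey
}

// GenerateFixture reproduces the openssl steps: a self-signed CA, a CSR for
// commonName (`openssl req -new`), and a CA-signed leaf
// (`openssl x509 -req -sha256 -CA testCA.crt -CAkey testCA.key -days 3600`).
func GenerateFixture(commonName string) (*Fixture, error) {
	now := time.Now().UTC().Truncate(time.Second) // X.509 times have second granularity

	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed test CA"}, // invented name
		NotBefore:             now,
		NotAfter:              now.Add(20 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	// `openssl req -new -key internal-lyft.key -out internal-lyft.csr`
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}, leafKey)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the leaf key
		return nil, err
	}

	// `openssl x509 -req` takes subject and public key from the CSR and signs
	// them with the CA key; the SAN is added because Go ignores the CN.
	leafTmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(2),
		Subject:            csr.Subject,
		DNSNames:           []string{commonName},
		NotBefore:          now,
		NotAfter:           now.Add(validityDays * 24 * time.Hour),
		KeyUsage:           x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &Fixture{CA: ca, CAKey: caKey, Leaf: leaf, LeafKey: leafKey}, nil
}

// Verify does what a TLS client with testCA.crt as its only root does when
// it connects to serverName: build and validate the chain leaf -> CA.
func (f *Fixture) Verify(serverName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(f.CA)
	_, err := f.Leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   serverName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	f, err := GenerateFixture("www.lyft.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("www.lyft.com verifies:", f.Verify("www.lyft.com") == nil,
		"api.lyft.com verifies:", f.Verify("api.lyft.com") == nil)
}
```

When regenerating real fixtures with openssl, the equivalent of the SAN line is a `subjectAltName=DNS:www.lyft.com` extension passed at signing time; without it, any verifier that follows RFC 6125 strictly will reject the certificate even though the CN is correct.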
e883120 build: Allow arbitrary docker references for cilium-envoy Parse envoy reference from Dockerfile with sed to allow port numbers separated by ':' as well as any number of arguments starting with '--'. This allows testing with a private docker hub repository or with a private docker registry on a non-standard port number. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 05 March 2021, 13:08:40 UTC
56cb78d envoy: Update cilium/proxy dependency. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 05 March 2021, 13:08:40 UTC
0d5c1a0 envoy: Update to release 1.17.1 Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 05 March 2021, 13:08:40 UTC
b8fab81 images: update cilium-{runtime,builder} Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 05 March 2021, 11:27:30 UTC
d66c4fe images, vendor: update gops to 0.3.16 Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 05 March 2021, 11:27:30 UTC
667e963 test: Unquarantine the random-fully test It doesn't seem to be flaky anymore [1]. Could have been fixed by the split of k8s-all or by https://github.com/cilium/cilium/pull/14913. 1 - https://datastudio.google.com/s/lDk0zKOzBO8 Signed-off-by: Paul Chaignon <paul@cilium.io> 05 March 2021, 11:20:40 UTC
a537ae3 daemon: do not allow --auto-direct-node-routes when tunneling is enabled Enabling --auto-direct-node-routes when tunneling is enabled can cause traffic to leave the node through a physical interface (i.e. not encapsulated) rather than via the tunnel. Reported-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 05 March 2021, 11:18:37 UTC
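Several of the entries above encode dependencies between agent options: the SNAT maps exist only with BPF NodePort (602e5ce), options must reach their final state before map objects are created (37ab40e), BPF host routing requires BPF NodePort (08d0af4, and the ordering bug 67f2c88 fixes), host routing is off on L2-less devices (db2ad2a), --auto-direct-node-routes is rejected together with tunneling (a537ae3), and further down the list 66dc917 makes --enable-remote-node-identity a hard dependency of --enable-bpf-masquerade. The following is an added model of that resolution written for this page, not Cilium's option.Config or daemon code: the Options type, the rule that NodePort is dropped when device detection finds no device, and the "old order" function that reproduces the ordering bug are all assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Options is a small model of the agent flags the commits reason about.
// Field names follow the CLI flags, but the type is constructed for this
// example and is not Cilium's option.Config.
type Options struct {
	KubeProxyReplacement     string   // "strict", "probe" or "disabled"
	Devices                  []string // result of device auto-detection
	L2LessDevice             bool     // auto-detection found an L3-only device such as wg0
	Tunnel                   string   // "vxlan", "geneve" or "disabled"
	AutoDirectNodeRoutes     bool
	EnableNodePort           bool // BPF NodePort
	EnableHostRouting        bool // BPF host routing
	EnableBPFMasquerade      bool
	EnableRemoteNodeIdentity bool
	CreateSNATMaps           bool // derived: userspace SNAT map objects and their controller
}

var ErrDirectRoutesWithTunnel = errors.New("--auto-direct-node-routes cannot be combined with tunneling")

// resolveNodePort is the step device detection feeds: with kube-proxy
// replacement off, or no usable device, BPF NodePort ends up disabled
// (an assumption that simplifies the agent's real probing).
func resolveNodePort(o Options) Options {
	if o.KubeProxyReplacement == "disabled" || len(o.Devices) == 0 {
		o.EnableNodePort = false
	}
	return o
}

// resolveHostRouting encodes 08d0af4 (NodePort BPF is a hard dependency)
// and db2ad2a (no BPF host routing on L2-less devices).
func resolveHostRouting(o Options) Options {
	if !o.EnableNodePort || o.L2LessDevice {
		o.EnableHostRouting = false
	}
	return o
}

// resolveMasquerade encodes 66dc917: BPF masquerading needs remote-node
// identities in the ipcache, and when it has to be turned off, host
// routing is turned off with it.
func resolveMasquerade(o Options) Options {
	if o.EnableBPFMasquerade && !o.EnableRemoteNodeIdentity {
		o.EnableBPFMasquerade = false
		o.EnableHostRouting = false
	}
	return o
}

// FinalizeOldOrder reproduces the bug 67f2c88 fixes: host routing was
// decided before NodePort reached its final state, so disabling NodePort
// afterwards left host routing on.
func FinalizeOldOrder(o Options) Options {
	o = resolveHostRouting(o)
	o = resolveNodePort(o)
	o.CreateSNATMaps = o.EnableNodePort
	return o
}

// Finalize is the corrected order: reject conflicting flags outright
// (a537ae3), settle NodePort first, then everything that depends on it, and
// only then derive the map set (602e5ce) so map initialisation (37ab40e)
// sees final values.
func Finalize(o Options) (Options, error) {
	if o.AutoDirectNodeRoutes && o.Tunnel != "disabled" {
		return o, ErrDirectRoutesWithTunnel
	}
	o = resolveNodePort(o)
	o = resolveHostRouting(o)
	o = resolveMasquerade(o)
	o.CreateSNATMaps = o.EnableNodePort
	return o, nil
}

// Consistent checks the invariants the commits state. Finalize must always
// return a consistent set; FinalizeOldOrder does not.
func Consistent(o Options) bool {
	switch {
	case o.EnableHostRouting && !o.EnableNodePort,
		o.EnableHostRouting && o.L2LessDevice,
		o.EnableBPFMasquerade && !o.EnableRemoteNodeIdentity,
		o.CreateSNATMaps != o.EnableNodePort,
		o.AutoDirectNodeRoutes && o.Tunnel != "disabled":
		return false
	}
	return true
}

func main() {
	// No device detected: NodePort goes away and host routing must follow it.
	o := Options{KubeProxyReplacement: "strict", Tunnel: "disabled", EnableNodePort: true, EnableHostRouting: true}
	fmt.Println("old order consistent:", Consistent(FinalizeOldOrder(o)))
	fixed, _ := Finalize(o)
	fmt.Println("new order consistent:", Consistent(fixed))
}
```

The useful property to test for in this kind of code is that the resolver is a fixed point of itself: running Finalize on its own output must change nothing, which is exactly what breaks when a dependent option is decided before the option it depends on.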
5436ffc envoy, proxylib: use errors.Is(..., net.ErrClosed) instead of string matching Instead of comparing error strings use errors.Is to check whether err or some error that it wraps is net.ErrClosed (available since Go 1.16, see https://golang.org/pkg/net/#ErrClosed). Same for syscall.EINVAL. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 05 March 2021, 10:29:28 UTC
3e0fcd4 .github/workflows: update golangci-lint GitHub action for Go 1.16 support Bump the GH action and golangci-lint to latest versions for Go 1.16 support. Disable installation of Go from the GH action and reuse the one already provided. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 05 March 2021, 10:29:28 UTC
0c5dc5a docs: remove -v flag from ginkgo invocations in e2e documentation This is a partial revert of commit dd6acf821414 ("docs: Advice running ginkgo in verbose for e2e tests") (with another updated command), where the -v flag had been consistently added to all ginkgo invocations on the document. Now that we enforce the verbose mode by default, there is no need to pass the flag on the command line. Let's revert the document to keep the command line as simple as possible. Passing the flag on the command line is harmless, so the Jenkinsfiles and the few other files where we pass the flag are not updated. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 05 March 2021, 10:27:44 UTC
aa68e96 test: make ginkgo run in verbose mode by default In most cases, it is useful to get the verbose information provided by ginkgo [citation needed]. For example, this lets the user know when provisioning is stuck on downloading an image, instead of providing no feedback when running in non-verbose mode. This commit enforces the verbose mode (-v flag) by default. Do not enforce verbose mode if -succinct is provided. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 05 March 2021, 10:27:44 UTC
66dc917 bpf: Fix bpf masquerade issue when host connecting to remote pod

Invoking the agent as follows on two nodes ...

  # ./daemon/cilium-agent --identity-allocation-mode=crd --enable-ipv6=true \
      --enable-ipv4=true --disable-envoy-version-check=true --tunnel=disabled \
      --k8s-kubeconfig-path=$HOME/.kube/config --kube-proxy-replacement=strict \
      --enable-l7-proxy=false --enable-bpf-masquerade=true \
      --enable-host-legacy-routing=false --auto-direct-node-routes=true \
      --enable-bandwidth-manager=true --native-routing-cidr=10.217.0.0/16

... I ran into the issue that the hostns (192.168.180.29) cannot connect to a remote Pod (10.217.1.175):

  # tcpdump -i enp2s0np0 -n
  [...]
  11:59:01.002065 IP 192.168.180.29.38233 > 10.217.1.175.12865: Flags [S], seq 3173960079, win 64240, options [mss 1460,sackOK,TS val 444671211 ecr 0,nop,wscale 7], length 0
  11:59:01.002113 IP 192.168.180.28.59227 > 192.168.180.29.38233: Flags [S.], seq 2874324629, ack 3173960080, win 65160, options [mss 1460,sackOK,TS val 3030265373 ecr 444671211,nop,wscale 7], length 0
  11:59:01.002242 IP 192.168.180.29.38233 > 192.168.180.28.59227: Flags [R], seq 3173960080, win 0, length 0

What can be seen is that the SYN/ACK reply from remote gets wrongly masqueraded to the node IP address (192.168.180.28) of the Pod, hence the subsequent RST. Debugging further, what can be seen is that in snat_v4_needed() we do find an ipcache entry (the catchall case) where info->sec_label == REMOTE_NODE_ID does not match, and therefore we masq for the remote node.

By default from daemon side, --enable-remote-node-identity is false which then also does not have an ipcache entry:

  # ./cilium/cilium bpf ipcache list | grep 192.168.180.29
  10.217.0.152/32          4      0   192.168.180.29
  10.217.0.208/32          23768  0   192.168.180.29
  10.217.0.50/32           16762  0   192.168.180.29
  10.217.0.69/32           104    0   192.168.180.29
  f00d::a1d:0:0:a1bf/128   104    0   192.168.180.29
  f00d::a1d:0:0:1be3/128   23768  0   192.168.180.29
  f00d::a1d:0:0:ce91/128   104    0   192.168.180.29
  10.217.0.91/32           104    0   192.168.180.29
  10.217.0.219/32          42983  0   192.168.180.29
  f00d::a1d:0:0:3088/128   16762  0   192.168.180.29
  f00d::a1d:0:0:ae10/128   42983  0   192.168.180.29
  f00d::a1d:0:0:dfe1/128   4      0   192.168.180.29
  10.217.0.85/32           1      0   192.168.180.29
  f00d::a1d:0:0:9dc8/128   1      0   192.168.180.29

Rerunning the agent with ...

  # ./daemon/cilium-agent --identity-allocation-mode=crd --enable-ipv6=true \
      --enable-ipv4=true --disable-envoy-version-check=true --tunnel=disabled \
      --k8s-kubeconfig-path=$HOME/.kube/config --kube-proxy-replacement=strict \
      --enable-l7-proxy=false --enable-host-legacy-routing=false \
      --auto-direct-node-routes=true --enable-bandwidth-manager=true \
      --native-routing-cidr=10.217.0.0/16 --enable-bpf-masquerade=true \
      --enable-remote-node-identity=true

... fixes the situation, and connectivity works as expected. ipcache then has the entry as well with REMOTE_NODE_ID sec label:

  # ./cilium/cilium bpf ipcache list | grep 192.168.180.29
  10.217.0.85/32           6      0   192.168.180.29
  10.217.0.91/32           104    0   192.168.180.29
  10.217.0.50/32           16762  0   192.168.180.29
  10.217.0.219/32          42983  0   192.168.180.29
  10.217.0.152/32          4      0   192.168.180.29
  f00d::a1d:0:0:dfe1/128   4      0   192.168.180.29
  10.217.0.69/32           104    0   192.168.180.29
  f00d::a1d:0:0:3088/128   16762  0   192.168.180.29
  f00d::a1d:0:0:4a54/128   4      0   192.168.180.29
  f00d::a1d:0:0:9dc8/128   6      0   192.168.180.29
  f00d::a1d:0:0:a1bf/128   104    0   192.168.180.29
  f00d::a1d:0:0:ae10/128   42983  0   192.168.180.29
  f00d::a1d:0:0:1be3/128   23768  0   192.168.180.29
  10.217.0.32/32           4      0   192.168.180.29
  10.217.0.208/32          23768  0   192.168.180.29
  192.168.180.29/32        6      0   0.0.0.0          <-----
  f00d::a1d:0:0:ce91/128   104    0   192.168.180.29

Given the code, make --enable-remote-node-identity=true a hard dependency for the --enable-bpf-masquerade=true option. If the latter could not be enabled, we also need to disable BPF host routing here.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 04 March 2021, 20:38:24 UTC
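The decision the commit message traces through snat_v4_needed() can be modelled in a few lines of Go. The following is an added example, not Cilium's datapath code: it builds a constructed ipcache with and without the remote-node entry that --enable-remote-node-identity=true installs (identity 6 as in the listing; the catch-all entry and its "world" identity 2 are assumptions), performs the longest-prefix lookup, and applies the rule "masquerade unless the destination is labelled REMOTE_NODE_ID". It also encodes the option dependency the commit adds, as a hypothetical validateMasqueradeOptions() check.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Reserved identities as they appear in the ipcache listing above
// (host = 1, remote-node = 6); the "world" value is an assumption.
const (
	IdentityHost       uint32 = 1
	IdentityWorld      uint32 = 2
	IdentityRemoteNode uint32 = 6 // REMOTE_NODE_ID
)

// ipcacheEntry models the two fields the commit message inspects.
type ipcacheEntry struct {
	prefix   *net.IPNet
	secLabel uint32
}

// ipcache is a longest-prefix-match lookup over a constructed table.
type ipcache []ipcacheEntry

func (c ipcache) lookup(ip net.IP) (ipcacheEntry, bool) {
	var best ipcacheEntry
	bestLen := -1
	for _, e := range c {
		if !e.prefix.Contains(ip) {
			continue
		}
		if ones, _ := e.prefix.Mask.Size(); ones > bestLen {
			best, bestLen = e, ones
		}
	}
	return best, bestLen >= 0
}

// snatNeeded models the snat_v4_needed() decision for a reply leaving a
// pod: masquerade unless the destination resolves to a remote node.
func snatNeeded(c ipcache, dst net.IP) bool {
	e, ok := c.lookup(dst)
	if !ok {
		return true // nothing known about the destination: treat as external
	}
	return e.secLabel != IdentityRemoteNode
}

// validateMasqueradeOptions is the hard dependency the commit introduces
// (hypothetical helper): BPF masquerading needs remote-node identities.
func validateMasqueradeOptions(bpfMasquerade, remoteNodeIdentity bool) error {
	if bpfMasquerade && !remoteNodeIdentity {
		return errors.New("--enable-bpf-masquerade=true requires --enable-remote-node-identity=true")
	}
	return nil
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// buildIPcache constructs a table in the shape of the listing: a pod prefix
// plus the catch-all. Only with remoteNodeIdentity does the remote node's
// own IP get an entry labelled REMOTE_NODE_ID.
func buildIPcache(remoteNodeIdentity bool) ipcache {
	c := ipcache{
		{prefix: mustCIDR("10.217.0.85/32"), secLabel: IdentityHost},
		{prefix: mustCIDR("0.0.0.0/0"), secLabel: IdentityWorld},
	}
	if remoteNodeIdentity {
		c = append(c, ipcacheEntry{prefix: mustCIDR("192.168.180.29/32"), secLabel: IdentityRemoteNode})
	}
	return c
}

func main() {
	node := net.ParseIP("192.168.180.29")
	for _, enabled := range []bool{false, true} {
		fmt.Printf("remote-node-identity=%v: masquerade reply to %s? %v\n",
			enabled, node, snatNeeded(buildIPcache(enabled), node))
	}
	if err := validateMasqueradeOptions(true, false); err != nil {
		fmt.Println("agent refuses to start:", err)
	}
}
```

With the remote-node entry absent, the lookup falls through to the catch-all and the SYN/ACK towards 192.168.180.29 is masqueraded, which is exactly the RST seen in the tcpdump; with the entry present the reply leaves untouched.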
2eb841a .github: update GH actions on stable branches Signed-off-by: André Martins <andre@cilium.io> 04 March 2021, 16:21:00 UTC
75632a3 .travis: fail Travis if race detection builds also fail The race detection builds shouldn't be allowed to fail on master branch to make it easier to detect if race detection tests are failing. Signed-off-by: André Martins <andre@cilium.io> 04 March 2021, 11:59:34 UTC
683c04c vendor: switch github.com/shirou/gopsutil to v3 Use the v3 API of github.com/shirou/gopsutil which is implemented as a properly versioned Go module. This will allow dependabot to bump the module automatically for future versions. Additionally, this version of the module fixes an issue with inefficient use of memory buffers leading to reallocations in github.com/shirou/gopsutil/v3/process. Cilium uses this functionality in pkg/loadinfo in a background goroutine, so it potentially benefits as well from these fixes. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 04 March 2021, 10:38:37 UTC
ad61343 service: Skip upsert of service for disabled IP family

The following panic can happen when trying to upsert e.g. an IPv6 service in the datapath when IPv6 is disabled in the agent. The corresponding IPv6 lbmap doesn't exist so we get a nil pointer reference.

  panic: runtime error: invalid memory address or nil pointer dereference
  [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x1cd5900]
  goroutine 147 [running]:
  github.com/cilium/cilium/pkg/bpf.(*Map).OpenOrCreate(0x0, 0x0, 0x0, 0x0)
          /go/src/github.com/cilium/cilium/pkg/bpf/map_linux.go:464 +0x40
  github.com/cilium/cilium/pkg/maps/lbmap.updateRevNatLocked(0x2b1b5a0, 0xc000b365fc, 0x2b07380, 0xc000ae7e80, 0xc000b365f0, 0x1)
          /go/src/github.com/cilium/cilium/pkg/maps/lbmap/lbmap.go:331 +0x68
  github.com/cilium/cilium/pkg/maps/lbmap.(*LBBPFMap).UpsertService(0xc0009f5040, 0xc000b3a1e0, 0x0, 0xc000b47470)
          /go/src/github.com/cilium/cilium/pkg/maps/lbmap/lbmap.go:130 +0x5b7
  github.com/cilium/cilium/pkg/service.(*Service).upsertServiceIntoLBMaps(0xc00065a280, 0xc00066b420, 0x421e500, 0x0, 0x421e540, 0x0, 0x0, 0x421e540, 0x0, 0x0, ...)
          /go/src/github.com/cilium/cilium/pkg/service/service.go:749 +0x3de
  github.com/cilium/cilium/pkg/service.(*Service).UpsertService(0xc00065a280, 0xc000661a40, 0x0, 0x0, 0x0)
          /go/src/github.com/cilium/cilium/pkg/service/service.go:324 +0xc85
  github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).addK8sSVCs(0xc000974480, 0xc0009a34c0, 0x1d, 0xc0009b2a96, 0x7, 0x0, 0xc000b22f30, 0xc00012be48, 0x10, 0x7ffff7fb9108)
          /go/src/github.com/cilium/cilium/pkg/k8s/watchers/watcher.go:743 +0x47b
  github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).k8sServiceHandler.func1(0x0, 0xc0009a34c0, 0x1d, 0xc0009b2a96, 0x7, 0xc000b22f30, 0x0, 0xc00012be48, 0xc0009b0390)
          /go/src/github.com/cilium/cilium/pkg/k8s/watchers/watcher.go:447 +0xbc7
  github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).k8sServiceHandler(0xc000974480)
          /go/src/github.com/cilium/cilium/pkg/k8s/watchers/watcher.go:490 +0x95
  created by github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).RunK8sServiceHandler
          /go/src/github.com/cilium/cilium/pkg/k8s/watchers/watcher.go:495 +0x3f

This commit fixes it by exiting early from UpsertService if trying to upsert a service for an IP family that is disabled in the agent.

Fixes: https://github.com/cilium/cilium/issues/15000
Fixes: https://github.com/cilium/cilium/pull/14607

Signed-off-by: Paul Chaignon <paul@cilium.io> 04 March 2021, 10:28:49 UTC
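The failure mode in that trace, and the early-return fix, reduce to a small Go program. This is an added example rather than Cilium's pkg/service or pkg/maps/lbmap code: an IPv4-only "agent" keeps one load-balancer map per IP family, so the IPv6 map pointer is nil; the unguarded path reaches a method on that nil pointer and panics the same way (*Map).OpenOrCreate did, while the guarded UpsertService refuses the request before it gets that far. Map names and field names are illustrative.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// lbMap stands in for one BPF load-balancer map; the agent keeps one per IP
// family and never creates the IPv6 one when IPv6 is disabled.
type lbMap struct {
	name   string
	revNat map[string]uint16
}

// updateRevNat is the write that blew up: on a nil *lbMap the field access
// dereferences a nil pointer, as (*Map).OpenOrCreate did in the trace above.
func (m *lbMap) updateRevNat(frontend net.IP, port uint16) {
	m.revNat[frontend.String()] = port
}

// serviceManager holds the per-family maps and the agent's family switches.
type serviceManager struct {
	lb4, lb6    *lbMap
	ipv4Enabled bool
	ipv6Enabled bool
}

func newServiceManager(ipv4, ipv6 bool) *serviceManager {
	s := &serviceManager{ipv4Enabled: ipv4, ipv6Enabled: ipv6}
	if ipv4 {
		s.lb4 = &lbMap{name: "lb4_reverse_nat", revNat: map[string]uint16{}}
	}
	if ipv6 {
		s.lb6 = &lbMap{name: "lb6_reverse_nat", revNat: map[string]uint16{}}
	}
	return s
}

var errFamilyDisabled = errors.New("service IP family is disabled in the agent")

// upsertIntoLBMaps is the pre-fix path: choose the map by family and write,
// whether or not that family was ever set up.
func (s *serviceManager) upsertIntoLBMaps(frontend net.IP, port uint16) {
	if frontend.To4() != nil {
		s.lb4.updateRevNat(frontend, port)
		return
	}
	s.lb6.updateRevNat(frontend, port)
}

// UpsertService is the post-fix path: bail out before touching the maps
// when the frontend's family is not enabled.
func (s *serviceManager) UpsertService(frontend net.IP, port uint16) error {
	isV4 := frontend.To4() != nil
	if (isV4 && !s.ipv4Enabled) || (!isV4 && !s.ipv6Enabled) {
		return errFamilyDisabled
	}
	s.upsertIntoLBMaps(frontend, port)
	return nil
}

// panics reports whether f panics, so the failure mode can be shown without
// taking the process down.
func panics(f func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	f()
	return false
}

func main() {
	s := newServiceManager(true, false) // IPv4-only agent
	v6 := net.ParseIP("fd00::1")
	fmt.Println("unguarded upsert of IPv6 service panics:",
		panics(func() { s.upsertIntoLBMaps(v6, 80) }))
	fmt.Println("guarded upsert returns:", s.UpsertService(v6, 80))
	fmt.Println("IPv4 upsert returns:", s.UpsertService(net.ParseIP("10.96.0.10"), 53))
}
```

The check sits in UpsertService rather than deeper in the map layer for the same reason the commit puts it there: the watcher that feeds services from Kubernetes has no way to know which families the datapath was built with, so the service layer is the first place that has both the frontend address and the agent's configuration.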
6536f5f pkg/loadbalancer: Optimize L3n4Addr.Hash for performance (2)

The output of the L3n4Addr.Hash function is used as a key in maps. In particular, it is used during service lookup in Hubble's hot path. Commit 6754e8e9b already optimized it. This commit goes even further by assuming that the resulting string does not have to be printable/human readable as it is only used as a key in maps.

Before this commit:

  BenchmarkL3n4Addr_Hash_IPv4-32          8503980   140.9 ns/op
  BenchmarkL3n4Addr_Hash_IPv4_4bytes-32   9090421   131.9 ns/op
  BenchmarkL3n4Addr_Hash_IPv6_Short-32    5407434   222.5 ns/op
  BenchmarkL3n4Addr_Hash_IPv6_Long-32     3053773   397.3 ns/op
  BenchmarkL3n4Addr_Hash_IPv6_Max-32      2272474   517.8 ns/op

After this commit:

  BenchmarkL3n4Addr_Hash_IPv4-32         26500321    50.62 ns/op
  BenchmarkL3n4Addr_Hash_IPv4_4bytes-32  21352604    57.11 ns/op
  BenchmarkL3n4Addr_Hash_IPv6_Short-32   23257256    50.77 ns/op
  BenchmarkL3n4Addr_Hash_IPv6_Long-32    24479526    51.06 ns/op
  BenchmarkL3n4Addr_Hash_IPv6_Max-32     23630030    50.47 ns/op

Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 04 March 2021, 10:28:37 UTC
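The idea behind the numbers above is that a map key only has to be unique, not readable. The following added example (not pkg/loadbalancer's actual Hash implementation; the struct fields and protocol codes are assumptions) puts the two approaches side by side: a printable key built with fmt.Sprintf, and an opaque fixed-size key that copies the raw address bytes, port, protocol and scope into a string. A small constructed set of frontends shows that both partition the input identically, so the compact form can replace the readable one without changing map semantics.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// L3n4Addr is a reduced stand-in for the pkg/loadbalancer type: an IP,
// an L4 port and protocol, and a scope (field names are assumed).
type L3n4Addr struct {
	IP       net.IP
	Port     uint16
	Protocol string
	Scope    uint8
}

// HashPrintable is the readable form: every field rendered as text.
// It allocates and goes through fmt's formatting on every call.
func (a L3n4Addr) HashPrintable() string {
	return fmt.Sprintf("%s:%d/%s/%d", a.IP, a.Port, a.Protocol, a.Scope)
}

// protoByte maps the protocol names used here to one byte (assumed codes).
func protoByte(p string) byte {
	switch p {
	case "TCP":
		return 6
	case "UDP":
		return 17
	case "SCTP":
		return 132
	default:
		return 0 // ANY
	}
}

// HashCompact is the opaque map-key form: 16 bytes of address (IPv4 as an
// IPv4-mapped IPv6 address, which Go already treats as the same address),
// 2 bytes of port, one byte each of protocol and scope. Not printable, but
// fixed size, unique per address and built without any formatting.
func (a L3n4Addr) HashCompact() string {
	var buf [20]byte
	copy(buf[:16], a.IP.To16()) // nil IP leaves the address bytes zeroed
	binary.BigEndian.PutUint16(buf[16:18], a.Port)
	buf[18] = protoByte(a.Protocol)
	buf[19] = a.Scope
	return string(buf[:])
}

// countDistinct groups addresses by a hash function and returns how many
// distinct keys it produced; a correct key function must never merge two
// different addresses, so both hashes have to agree on this number.
func countDistinct(addrs []L3n4Addr, hash func(L3n4Addr) string) int {
	seen := make(map[string]struct{}, len(addrs))
	for _, a := range addrs {
		seen[hash(a)] = struct{}{}
	}
	return len(seen)
}

// sampleAddrs is a constructed input: five distinct frontends that differ
// in exactly one field each, plus one exact duplicate of the first.
func sampleAddrs() []L3n4Addr {
	return []L3n4Addr{
		{IP: net.ParseIP("10.96.0.10"), Port: 53, Protocol: "UDP"},
		{IP: net.ParseIP("10.96.0.10"), Port: 53, Protocol: "TCP"},
		{IP: net.ParseIP("10.96.0.10"), Port: 53, Protocol: "UDP", Scope: 1},
		{IP: net.ParseIP("10.96.0.10"), Port: 443, Protocol: "TCP"},
		{IP: net.ParseIP("fd00::a"), Port: 443, Protocol: "TCP"},
		{IP: net.ParseIP("10.96.0.10"), Port: 53, Protocol: "UDP"}, // duplicate
	}
}

func main() {
	addrs := sampleAddrs()
	fmt.Printf("printable: %d distinct keys, e.g. %q\n",
		countDistinct(addrs, L3n4Addr.HashPrintable), addrs[0].HashPrintable())
	fmt.Printf("compact:   %d distinct keys, e.g. %x\n",
		countDistinct(addrs, L3n4Addr.HashCompact), addrs[0].HashCompact())
}
```

To reproduce the kind of comparison in the commit message, wrap each Hash variant in a testing.B loop and run `go test -bench Hash -benchmem`; the allocation count per operation is usually the more telling column, since the compact form's only allocation is the final string conversion.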
9ff6d52 vagrant: bump box versions The previous box version bump in commit bc9998f13343 ("vagrant: bump box versions") did not include the Go 1.16 update, despite mentioning it in the commit message. This time update it to a box containing Go 1.16 for real. Note that this also bumps the patch version for kernel 4.9 and 4.19 in the VM images to 4.9.212 (see https://github.com/cilium/packer-ci-build/pull/257) and 4.19.177, respectively (see https://github.com/cilium/packer-ci-build/pull/256/). The reason for this is that the old versions are no longer available from https://kernel.ubuntu.com/~kernel-ppa/mainline Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 04 March 2021, 10:27:09 UTC
29da448 Makefile: add install-bash-completion-only target As it was done before 6fb045dc3dac ("Makefile: add install-bash-completion target") the install target did not depend on TARGET. This fixes up the change to have the same behavior as before the change. Fixes: 6fb045dc3dac ("Makefile: add install-bash-completion target") Signed-off-by: André Martins <andre@cilium.io> 04 March 2021, 10:26:53 UTC
adb941b vendor: Pin github.com/optiopay/kafka to commit before fork This dependency has been causing a lot of issues for those who are consuming the Cilium code as a module. It required consumers to duplicate the `replace` directive for `optiopay/kafka` in their respective go.mod file. This commit fixes this by pinning the original `optiopay/kafka` to the commit when it was forked by Cilium developers (and hence the `replace` directive). Suggested-by: Glib Smaga <code@gsmaga.com> Signed-off-by: Chris Tarazi <chris@isovalent.com> 04 March 2021, 10:26:40 UTC
7715446 docs: Fix max. number of tail calls The Linux kernel allows for 33 chained tail calls, not 32 as currently documented. The difference comes from what looks like an off-by-one error that was then generalized to all JIT compilers [1]. 1 - https://lore.kernel.org/bpf/20191218095825.GA15840@Omicron/T/ Signed-off-by: Paul Chaignon <paul@cilium.io> 04 March 2021, 10:25:45 UTC
8cc3e4f CODEOWNERS: Assign Travis files to ci-structure team Signed-off-by: Paul Chaignon <paul@cilium.io> 04 March 2021, 10:22:14 UTC
ffd02dd bpf: enable bpf host routing for tunnels Lift this constraint now that it is working for tunnels, too. We also transparently get the local Pod->Pod optimization through this. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 03 March 2021, 15:05:28 UTC
fcf61a7 bpf: generally return after endpoint lookup when !from_host After the endpoint lookup, we should generally punt up to the stack when traffic arrives on phy dev from external (!from_host). The remainder of the handle_ipv{4,6}() code really only deals with the case when traffic was egressing from cilium_host device. Note that the tunnel encap handling for the nodeport case is done elsewhere in tail_nodeport_nat_ipv{4,6}(). Suggested-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 03 March 2021, 15:05:28 UTC
8b0a9a8 bpf: do not blindly push to stack for bpf host routing on encap

Also in case of vxlan/geneve, let the bpf_host perform local delivery into Pods, for example, for the case of K8s services where traffic arrives on the phys dev and does not go via vxlan/geneve dev. For this scenario, the same optimizations can be performed as with the direct routing case. Hence lift the skip_redirect constraints for encaps given the return path in bpf_lxc will also support this. Typical case for this is cloud LB pushing inbound traffic to a node's NodePort service as one example where this will improve performance.

For the bpf_host prog attached to the phy dev, this means that we perform the ipv4_local_delivery() into a local Pod backend for a service more efficiently compared to before where it gets pushed up the stack, then routed into cilium_host and pushed from there. Note that in tunnel mode the Pod's host-facing lxc devices do not have a policy tc egress program attached, so the tail call into the v{4,6} policy prog of the bpf_lxc is now done at an earlier point which also becomes visible in the RR numbers. Only if there's no local endpoint for the target address, we push up the stack via CTX_ACT_OK as before.

Before:

  root@apoc:~# netperf -H 192.168.180.28 -t TCP_RR -l20 -- -P 13000,12866
  MIGRATED TCP REQUEST/RESPONSE TEST from 0.0.0.0 (0.0.0.0) port 13000 AF_INET to 192.168.180.28 () port 12866 AF_INET : demo : first burst 0
  Local /Remote
  Socket Size   Request  Resp.   Elapsed  Trans.
  Send   Recv   Size     Size    Time     Rate
  bytes  Bytes  bytes    bytes   secs.    per sec

  16384  131072 1        1       20.00    8709.14
  16384  131072

After:

  root@apoc:~# netperf -H 192.168.180.28 -t TCP_RR -l20 -- -P 13000,12866
  MIGRATED TCP REQUEST/RESPONSE TEST from 0.0.0.0 (0.0.0.0) port 13000 AF_INET to 192.168.180.28 () port 12866 AF_INET : demo : first burst 0
  Local /Remote
  Socket Size   Request  Resp.   Elapsed  Trans.
  Send   Recv   Size     Size    Time     Rate
  bytes  Bytes  bytes    bytes   secs.    per sec

  16384  131072 1        1       20.00    21983.21
  16384  131072

If Pod <-> Pod traffic needs to go over vxlan/geneve, the gains will be smaller since bpf_host needs to push to upper stack for triggering bpf_overlay. We still do the redirect_peer() from the overlay, just that the gain might be less visible in the big picture since the path with vxlan/geneve needs to traverse upper layers like routing/netfilter.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 03 March 2021, 15:05:28 UTC
dd7805a bpf: fix up pkt for bpf host routing in tunneling mode When switching netns when coming from overlay the packet type is not set to HOST, so we need to do it here in order to avoid being dropped in IP layer. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 03 March 2021, 15:05:28 UTC
67eb9de bpf: disable bpf host routing for flannel chaining When Cilium's datapath is chained in any way, all bets are off. Let's not bother for such a niche case for bpf host routing. Based on recent issues (#15095, #15170) it seems like users might still run with flannel. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 03 March 2021, 15:05:28 UTC
7691233 add L7 warning Signed-off-by: stimmerman <stimmerman@schubergphilis.com> 03 March 2021, 10:04:25 UTC
9bcc821 Makefile: Remove microk8s.registry dependency The "make microk8s" target used to depend on deploying the registry addon into the microk8s cluster, but since commit 1eedfb3af646e ("Makefile: Remove microk8s prepull script") we've just relied on importing the image directly so the registry is no longer necessary. Signed-off-by: Joe Stringer <joe@cilium.io> 03 March 2021, 10:03:47 UTC
0a3fabb docs: Clarify titles for allow-all-endpoints examples The previous titles may reinforce the impression that the examples allow all, that is including world, remote nodes, etc., when they actually only allow all endpoints. Signed-off-by: Paul Chaignon <paul@cilium.io> 03 March 2021, 10:02:51 UTC
40db0b0 api: Fix status compatibility: SNAT exclusion CIDR This partially reverts e7d11509bcaf ("datapath: masquerade IPv6 traffic when using iptables masquerading mode") to re-establish API compatibility of the status call so it will work correctly when a <= 1.9 client queries the status API. Fixes: e7d11509bcaf ("datapath: masquerade IPv6 traffic when using iptables masquerading mode") Signed-off-by: Thomas Graf <thomas@cilium.io> 03 March 2021, 10:02:24 UTC
e5fbe23 api: Fix status compatibility: masquerading This partially reverts 14ced84f7e ("daemon: add separate flags to enable masquerading for ipv4 and ipv6 traffic") to re-establish API compatibility of the status call so it will work correctly when a <= 1.9 client queries the status API. Fixes: 14ced84f7e ("daemon: add separate flags to enable masquerading for ipv4 and ipv6 traffic") Signed-off-by: Thomas Graf <thomas@cilium.io> 03 March 2021, 10:02:24 UTC
dfb9e45 api: Fix status compatibility: KPR devices This partially reverts f462603d51 ("cli: Add LB IP to cilium status") to re-establish API compatibility of the status call so it will work correctly when a <= 1.9 client queries the status API. Fixes: f462603d51 ("cli: Add LB IP to cilium status") Signed-off-by: Thomas Graf <thomas@cilium.io> 03 March 2021, 10:02:24 UTC
a07fd85 Revert "api: remove unused container runtime status from StatusResponse" This reverts commit d9fb6fe2e52eba2bd70650f44771d3efd14e5741. Signed-off-by: Thomas Graf <thomas@cilium.io> 03 March 2021, 10:02:24 UTC
87caf1e Revert "api: remove unused DNSPollNames property" This reverts commit 14bb37216e098825fb63628a0289394c1e27f322. Removing the field breaks compatibility in unmarshaling older versions of the status. Signed-off-by: Thomas Graf <thomas@cilium.io> 03 March 2021, 10:02:24 UTC
92a2d0c jenkinsfiles: remove unused environment variables As we are no longer building images in ginkgo, we can remove these environment variables. Signed-off-by: André Martins <andre@cilium.io> 03 March 2021, 09:32:59 UTC
637a025 ci: remove params from upstream k8s job These params are not compatible with our master job configuration, which causes master builds to fail. These params are stored in jenkins PR upstream k8s job config, so there is no need for them to be in jenkinsfile. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 02 March 2021, 17:48:16 UTC
dd6acf8 docs: Advise running ginkgo in verbose for e2e tests We should always recommend to run end-to-end tests with ginkgo in verbose mode. Otherwise the provisioning may get stuck downloading some image without the contributor noticing. Signed-off-by: Paul Chaignon <paul@cilium.io> 02 March 2021, 15:59:57 UTC
49e0fbb test: Reenable debug mode for monitor tests Debug mode was explicitly disabled in monitor tests, presumably to disable the datapath's debug mode which would change the traces collected by cilium monitor. Datapath debug mode is now disabled by default in all tests independently of the agent's debug mode. We can therefore reenable the latter. Signed-off-by: Paul Chaignon <paul@cilium.io> 02 March 2021, 15:58:10 UTC
9ff2b3d test: Unquarantine tunneling + endpoint routes test Our tunneling + per-endpoint routes test was fixed by 2ceb386 ("iptables: Fix incorrect SNAT bypass with endpoint routes and tunneling"). We can unquarantine it. Signed-off-by: Paul Chaignon <paul@cilium.io> 02 March 2021, 15:57:44 UTC