https://github.com/cilium/cilium

Revision Author Date Message Commit Date
1a002e8 examples: Fix client/agent mismatch in getting started guide Fixes: #1640 Backports: 0daf6ff4314f69cf63fb2b4b7b57b51f3ec0095e Signed-off-by: Thomas Graf <thomas@cilium.io> 30 September 2017, 22:21:39 UTC
03a573f doc: Improve Kubernetes installation guide titles Backports: 102b47eebfb9a1fc8fc0ea50895d036b0146ab53 Signed-off-by: Thomas Graf <thomas@cilium.io> 30 September 2017, 08:25:49 UTC
1c31ec9 doc: Document CNI configuration variables including MTU Backports: dcf859ed968bb251e2422d831c60630111d9e7d7 Signed-off-by: Thomas Graf <thomas@cilium.io> 30 September 2017, 08:25:49 UTC
62c63e6 doc: Mark BPF mounting step optional Backports: b883fca4282e94a4308b24a154762a44bdace6aa Signed-off-by: Thomas Graf <thomas@cilium.io> 30 September 2017, 08:25:49 UTC
e80729b bpf: Add allocated IPv4 node address with link scope This avoids the stack to pick this address for communication outside of the host. Backports: 2d099f479c3a8697038014115f340b85d0bbc7ef Signed-off-by: Thomas Graf <thomas@cilium.io> 30 September 2017, 08:25:49 UTC
7392bb2 Remove backslashes from coreos kubelet.service (#1605) Fix bfs mount command Backports: dea325bf915318595cbcafcbf05b2416eb6b6371 30 September 2017, 08:25:49 UTC
65fdb43 l4: Fix policy trace for udp/tcp policies (#1596) The L4Policy map is indexed by "port/proto", not "proto/port". Fix it, and add some basic unit tests to validate the functionality. Fixes: #1587 Backports: d0c3c0ca9ff76fa7168c31b6761f79bf2877b944 Signed-off-by: Joe Stringer <joe@covalent.io> 30 September 2017, 08:25:49 UTC
1bf07aa doc: Add kube-proxy installation instructions on CoreOS Backports: b99c29db5e0b23f9f89551bd510152dd893e117d Signed-off-by: Thomas Graf <thomas@cilium.io> 30 September 2017, 08:25:49 UTC
41e3c16 Add CiliumNetworkPolicy examples Backports: dc700a427a2da2b1bb89626f4b1a8227f80efcf0 Signed-off-by: Maciej Kwiek <maciej@covalent.io> 30 September 2017, 08:25:49 UTC
3f755b7 bpf: Mark 169.254.254.1 address as link scope This should prevent kubeadm from picking it up as InternalIP candidate. Backports: 0c7811bc2bf4a8a46df187e44ab192167107af57 Signed-off-by: Thomas Graf <thomas@cilium.io> 30 September 2017, 08:25:49 UTC
7a7f00a k8s: removed OK error message from CNP status Backports: 6db9569d7ea0052e9b8b87ff039d4080d4dc531c Signed-off-by: André Martins <andre@cilium.io> 22 September 2017, 16:00:12 UTC
5c695ca agent: Masquerade traffic from host to agent with ExternalIP This ensures that packets which are later routed over the overlay to other nodes can properly respond to the traffic. Backports: 4db5f50d9dd005d99a08de0bb397d964ec4dd219 Signed-off-by: Thomas Graf <thomas@cilium.io> 22 September 2017, 16:00:12 UTC
23db090 k8s: Add max limit when updating node resource Current code would retry forever with an increasing timeout, thus leaking go subroutines that never exit. Also improves logging message by improving field names Backports: 1ad8ac2c531dd6ec3f592a2dd9dd90c0f9bb3c65 Signed-off-by: Thomas Graf <thomas@cilium.io> 22 September 2017, 16:00:12 UTC
561255d k8s: Use updated node struct when annotating node Current code uses the original node for consecutive updates on error which prevents the update from ever succeeding. Backports: 5b373be9e41671d74579ee9489f340e270c65b58 Signed-off-by: Thomas Graf <thomas@cilium.io> 22 September 2017, 16:00:12 UTC
0bc4177 k8s: Create Annotations map if necessary Resolves: ``` k8s: unable to update node node2 with IPv6 CIDR annotation: nodes \"node2\" is forbidden: node node1 cannot modify node node2, retrying... k8s: unable to update node with IPv6 CIDR annotation: nodes \"node2\" is forbidden: node node1 cannot modify node node2, retrying... panic: assignment to entry in nil map goroutine 55 [running]: github.com/cilium/cilium/pkg/k8s.AnnotateNodeCIDR.func1(0xc4203a22c0, 0x2a096a0, 0xc42025e8f0, 0xc4203a3600, 0xc4202ea090, 0xc4202ea180, 0x29e1220, 0xc420483900) /tmp/cilium-net-build/src/github.com/cilium/cilium/pkg/k8s/client.go:366 +0x179 created by github.com/cilium/cilium/pkg/k8s.AnnotateNodeCIDR /tmp/cilium-net-build/src/github.com/cilium/cilium/pkg/k8s/client.go:374 +0x467 ``` Backports: 4b70982cc57520090d1ed4486f1e4011042dd21f Fixes: #1563 Signed-off-by: Thomas Graf <thomas@cilium.io> 22 September 2017, 16:00:12 UTC
a55591f cmd: Fix policy trace --dport The local variable was hiding the originally-parsed commandline argument, which would cause L4 policy not to be traced even when you specify "--dport" on the 'cilium policy trace' commandline. Backports: ca62dc7de397c2771f48f10b83891490497a35c9 Fixes: 31266bd17f50 ("cmd: policy trace src/dst eID, secid, k8s-pod options") Signed-off-by: Joe Stringer <joe@covalent.io> 22 September 2017, 16:00:12 UTC
91d7dee Documentation: Expand developer BPF debug reference I found some of these commands useful when debugging datapath issues, so document them in the contributing guide. Given that users aren't expected to run this stuff, keep it out of the troubleshooting guide for now. Backports: 9db75fcb86b2504128722b192f9354849b4e9598 Signed-off-by: Joe Stringer <joe@covalent.io> 22 September 2017, 16:00:12 UTC
6aa9613 Restart CiliumRulesCtl after unparsable policy k8s.io/apimachinery/pkg/watch/streamwatcher.go receive function loops until a decode error occurs. This causes the controller to stop receiving new events. Decode error can be triggered by malformed policy manifest. This change expands k8s error handling in k8s watcher to detect whether decode error occurred, tries to close running CiliumRulesController gracefully by sending information to its stop channel and closing the channel. Then a new identical controller is created and it can be restarted in the same way. Backports: d4e4125c045e223bc04b29b86de0e764dc6800ca Signed-off-by: Maciej Kwiek <maciej@covalent.io> 22 September 2017, 16:00:12 UTC
abbe548 cilium: change default client error messages When the agent is down the new output looks like this Get http:///var/run/cilium/cilium.sock/v1beta/healthz: dial unix /var/run/cilium/cilium.sock: connect: no such file or directory Is the agent running? The other cases might differ a little depending on what the prefix is, but the error strings are now unescaped so output with `%` should not show up. Backports: a5585db43f00e05dd5f521e442708aafc2e1c70e Closes: #1522 (Improve error message if UDS does not exist) Signed-off-by: Alexander Alemayhu <alexander@alemayhu.com> 22 September 2017, 16:00:12 UTC
f225202 Documentation/bpf.rst: Add iproute2 dependencies Backports: f7790a075517c669bdd0341935645d0d83bae68c Signed-off-by: Joe Stringer <joe@covalent.io> 22 September 2017, 16:00:12 UTC
b636cb4 Documentation: Update XDP dependencies in BPF guide XDP was introduced with Linux 4.11, requiring specific driver support, however with Linux 4.12 a "generic XDP" implementation was introduced so it no longer requires specific hardware to test out. Update the documentation to reflect this status. Backports: 8891aa6b6a76e0377e4f3dca639c929e3c574d0c Signed-off-by: Joe Stringer <joe@covalent.io> 22 September 2017, 16:00:12 UTC
ab825ff Fixed type of BPG -> BGP and bpgd -> bgpd Backports: dc5913efd14d15b19925f8774081e2728d43b34b 22 September 2017, 16:00:12 UTC
471e687 daemon: bug fix for out of sync with kvstore On a multi node environment, cilium could get out of sync with the identities locally stored and the kvstore. Steps to reproduce the issue: 1 - Have 2 nodes running with cilium 2 - Set a container running with the same set of labels on each node. `docker run -ti -d --net cilium --label id.server busybox sleep 999s` 3 - Check with `cilium endpoint list` they have the same identity ``` $ cilium endpoint list ENDPOINT POLICY IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS ENFORCEMENT 3978 Disabled 443 container:id.server fd02::1:0:f8a 10.12.251.95 ready ``` 4 - Disconnect one of the nodes from the network, without stopping cilium. 5 - On the other node, stop / remove the container running. 6 - Wait at least 120 seconds (kvstore label timeout to be considered unused) 7 - Start the container with the exact same labels and check the identity is different than before. 8 - Reconnect the disconnected node from step 4. 9 - Both nodes have 2 different identities for the same set of labels. This commit fixes the out of sync issue by comparing if the identity stored in the kvstore differs from the container's identity. Once cilium is reconnected with the kvstore, it can take up to 30 seconds to detect the new identity Backports: 93ddd19f3d37720a6e4d399b0e3c51780500e37a Signed-off-by: André Martins <andre@cilium.io> 20 September 2017, 20:05:16 UTC
7b4f7e5 bpf: Don't notify TRACE_TO_LXC if redirecting to proxy Backports: 5c74ba0d10edb75fdf077e2ed91d71f7b24b5b7f Signed-off-by: Romain Lenglet <romain@covalent.io> 17 September 2017, 21:18:42 UTC
76038c4 bpf: Tidy up output of BPF reqs/features Tidy up the output of the BPF probing: * Split each line of probing into a separate line in the Cilium log * Split "Warning" about kernel config flags missing vs. "Info" about runtime probes of feature availability. Fixes: #1253 Backports: b11a405e5a29957a7b61217bd4fb0ed67be6485f Signed-off-by: Joe Stringer <joe@covalent.io> 17 September 2017, 21:18:42 UTC
8c0c356 proxy: Set the TransportProtocol in access log records (#1511) Closes #1509 Backports: 0282ee62c394315062ddfd8372c6611bec5e7d10 Signed-off-by: Romain Lenglet <romain@covalent.io> 17 September 2017, 21:18:42 UTC
8ba00e9 Fix for maintainer label Backports: 7a67d04c891af62d0537d838799e183ecfb597ec 17 September 2017, 21:18:42 UTC
a9c016f pkg/bpf: avoid leaking C strings C strings created using C.CString are allocated in the C heap using malloc. It is the callers responsibility to free them. See https://golang.org/cmd/cgo/#hdr-Go_references_to_C for details. Avoid leaking C strings in bpf.ObjPin and bpf.ObjGet by calling C.free accordingly. Backports: f747a81f20d761cadfe560faee1987c413b578f6 Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 17 September 2017, 21:18:42 UTC
78974af tests: Only enable NAT46 on client in tests/08-nat46.sh Only enable NAT46 on client. It's not required on server. Backports: caefe47f9991e7f0089087bc31dd152cfeea662f Signed-off-by: Romain Lenglet <romain@covalent.io> 17 September 2017, 21:18:42 UTC
62e5d47 bpf: Extend trace messages to include the forwarding reason Reformat the drop and trace message monitor output for consistency. Backports: 756bd41dcc13b2218572b4075458e666f08fa4c1 Signed-off-by: Romain Lenglet <romain@covalent.io> 17 September 2017, 21:18:42 UTC
9176dcc tests: Fix dump_cli_output helper to handle multiple labels Backports: 88b09b335966c82ce8f9264ccda175fadf9626d6 Signed-off-by: Romain Lenglet <romain@covalent.io> 17 September 2017, 21:18:42 UTC
d32ff04 bpf: Move the TRACE_TO_PROXY traces to pre-NAT Move the trace from post-NAT ("proxy post") to pre-NAT ("proxy pre") to send the original packets in traces. Backports: b7168d618deffa2ab2f48c722b57c6a82c00748c Signed-off-by: Romain Lenglet <romain@covalent.io> 17 September 2017, 21:18:42 UTC
2be3b27 bpf: Add debugging when proxy injection is skipped Backports: 9ea7835004a83c30b9ed0f9130a19e7edb922ba3 Signed-off-by: Thomas Graf <thomas@cilium.io> 17 September 2017, 21:18:42 UTC
7e3fe9b bpf/init.sh: use grep instead of argument to iproute Tested on Ubuntu with `ip utility, iproute2-ss161009` and kernel `4.8.0-22-generic`. Fixes: f89a22c (proxy: Distinguish between proxy and other local processes, 2017-09-01) Closes: #1474 (iproute2-4.8.0 does not support `lookup local`) Backports: d001872b263f93f87cbbce8053ad4ee6441e7014 Signed-off-by: Alexander Alemayhu <alexander@alemayhu.com> 17 September 2017, 21:18:42 UTC
dd25a64 bpf: Use DEBUG instead of ENABLE_TRACE for debug captures Enable debug capture messages if DEBUG is defined, instead of ENABLE_TRACE which is always defined. Remove the unused disable-trace option which allowed undefining ENABLE_TRACE. Backports: 8fba0acdb6c0d3a39b13923b52486db29e83ab14 Signed-off-by: Romain Lenglet <romain@covalent.io> 17 September 2017, 21:18:42 UTC
5a52901 bpf: Define new CILIUM_NOTIFY_TRACE perf ring buffer msg type Define CILIUM_NOTIFY_TRACE with the same struct as CILIUM_NOTIFY_DROP, as a replacement for the DBG_CAPTURE_DELIVERY debug capture type, to collect additional information about forwarded packets: * Source security ID. * Destination security ID. * Destination endpoint ID. Replace DBG_CAPTURE_DELIVERY dbg messages with trace messages in bpf_lxc.c. Backports: f2669860fa7dc5a41956b6e8580849483df75023 Signed-off-by: Romain Lenglet <romain@covalent.io> 17 September 2017, 21:18:42 UTC
23cec30 bpf: Use configurable trace capture length for DROP events Backports: 78c4917d950f1571f91550edf2d2715bad2fc3fd Signed-off-by: Romain Lenglet <romain@covalent.io> 17 September 2017, 21:18:42 UTC
05bb76c bpf: Rename debug tracing functions Rename cilium_trace* into cilium_dbg* to reflect the actual message type's name. Backports: 4be27b018d41fda18098f8643ebe0f431099b98c Signed-off-by: Romain Lenglet <romain@covalent.io> 17 September 2017, 21:18:42 UTC
5ffdf3c [Docs] minikube apiserver use http, demo warning Minikube command is changed to make apiserver serve via http Added warning to make users not use demo DS manifest for production purposes Removed whitespace Backports: b530fe0db8174ab4463d74363c7519112598def5 Signed-off-by: Maciej Kwiek <maciej@covalent.io> 17 September 2017, 21:18:42 UTC
e38ebd5 Documentation: Minor fixes for gettingstarted. (#1493) The policies have been changed slightly, in particular the API versions in use. Copy the snippets over from their current versions elsewhere in the tree. Also fix up some simple whitespace/grammar bits. Backports: f84120f9b350e1ac0c7e2f31add2c3ecd124b0b9 Signed-off-by: Joe Stringer <joe@covalent.io> 17 September 2017, 21:18:42 UTC
6725f0c NEWS: Update for 0.11 release Signed-off-by: Thomas Graf <thomas@cilium.io> 08 September 2017, 01:42:00 UTC
4284f8c bpf: Only attempt to install routing rules if available minikube VMs have IPv6 enabled but IPv6 routing rules disabled Signed-off-by: Thomas Graf <thomas@cilium.io> 06 September 2017, 02:01:49 UTC
9217702 bpf: Fix calls map definition of bpf_lb Fixes: #1447 Signed-off-by: Thomas Graf <thomas@cilium.io> 05 September 2017, 20:42:54 UTC
f89a22c proxy: Distinguish between proxy and other local processes The datapath used a simple sip == HOST_IP to detect local proxy traffic to bypass the proxy on the second pass through. This logic is flawed and causes the proxy to be bypassed in the following legitimate situations: * local process uses HOST_IP as source and talks to local endpoint * both egress and ingress proxy are injected between two local endpoints This commit fixes this situation by: * Introducing a new custom dialer for the proxy. This is required because net.Dial() does not allow to set a socket option between creating the socket and calling connect(). Access to the socket is required to set the SO_MARK before the connect() to ensure that the first SYN packet contains the proper SO_MARK. * Replace net.Listen() with custom code so we can set the SO_MARK before calling syscall.Listen() to ensure that all child sockets inherit the SO_MARK. This ensures that even the SYN+ACK generated by the kernel will have proper packet markings. * Extending the SO_MARK to contain a magic marker in the lower 12 bits of skb->mark (0xFEA for ingress proxy, 0xFEB for egress proxy). Thus allowing to detect packets from the proxy by matching against the magic marker. The identity is moved to the upper 16 bits of skb->mark The skb->mark is cleared on veth traversal so we match against the magic marker at egress on the way out to cilium_host and set a flag in tc_index to indicate skipping the proxy. tc_index is preserved across veth boundaries. The mark is matched in an IP routing rule and causes packets from the proxies to use a different routing table. This allows to route all packets from proxies through cilium_host regardless of their destination. The BPF program attached to cilium_host can then perform the proxy reverse translation and route accordingly. * Only skipping the ingress proxy if the packet is coming from the ingress proxy. If the packet is coming from an egress proxy, it may still need to go through the ingress proxy of the destination endpoint. * Fixing the BPF program attached to cilium_host to recognize host IPs which are outside of the cluster prefix so it can route back into the host. * Adding a test to tests/10-proxy.sh which covers both an egress and ingress proxy in the path. Signed-off-by: Thomas Graf <thomas@cilium.io> 05 September 2017, 18:09:25 UTC
3ab2ea9 Makefile: run 00-fmt as part of build process A couple of changes were made so that we can detect formatting issues before building anything and error out early. Mainly there are three new targets. Two of them are for checking and reformatting code. The third one is for splitting building and formatting. Since the docker scripts doesn't add any tests files, calling the formatting target would cause a failure. Using the build target prevents this and behaves the same way the all target did before. Closes: #1445 (Run gofmt as part of the regular build) Signed-off-by: Alexander Alemayhu <alexander@alemayhu.com> 02 September 2017, 17:20:04 UTC
8bfca7f Documentation/concepts: a couple of minor nitpicks and rewording o mention installation guide Assuming it was a typo to refer to the admin_guide which is currently just the new troubleshooting section. o update list of supported k/v stores local storage support was removed in d16b599aa4f4 (kvstore: Remove local backend, 2017-07-30). o add mesos to list of supported label sources o use bold font for table header o s/along of/along/g Signed-off-by: Alexander Alemayhu <alexander@alemayhu.com> 02 September 2017, 03:55:49 UTC
49ef1ea Documentation/{gettingstarted,policy,install}: minor reword and typos o bump curl max time in examples, was timing out all the time on test vm curl: (7) Failed to connect to app1 port 80: Operation timed out o remove reference to start.sh script It will not start the VM in the examples directory but instead affect what is in the top level directory by default. o s/specifies/documents/g o s/Instsallation/Installation/g o s/contaimer/container/g o s/represent/that represent/g o s/replacment/replacement Signed-off-by: Alexander Alemayhu <alexander@alemayhu.com> 02 September 2017, 03:55:49 UTC
b693d4e Documentation/intro: roadmap mention the recent policy spec changes Signed-off-by: Alexander Alemayhu <alexander@alemayhu.com> 02 September 2017, 03:55:49 UTC
1f19794 Issue 1453 :Fix another test TestSHA256Sum to test only 32bytes SHA and not the big incorrect length SHA Signed-off by: Manali Bhutiyani manali@covalent.io 01 September 2017, 22:40:42 UTC
800c9a1 Issue 1453 : Get rid of the now redundant LabelSliceSHA256Sum and TestLabelSliceSHA256Sum Signed-off by: Manali Bhutiyani manali@covalent.io 01 September 2017, 22:40:42 UTC
8b8ec82 Issue 1453 : Fix SHA256Sum to return 32 byte SHA correctly. Signed-off by: Manali Bhutiyani manali@covalent.io 01 September 2017, 22:40:42 UTC
0e0b62d tests: use separate function for creating cilium docker network This fixes some local failures I have seen when running `16-cidr-ingress-policy`. 01 September 2017, 22:29:42 UTC
198c560 cmd/policy: run validation on all rules Valid json is not enough to detect all syntax errors, f. ex. when using {to,from}CIDR. Signed-off-by: Alexander Alemayhu <alexander@alemayhu.com> 01 September 2017, 22:29:42 UTC
4da427c policy: reject policies with more than 40 ports Also updated policy import test with check for ingress but the validation is performed on the `PortRule` so works for egress as well. Closes: #922 (L4 policy with more than 40 ports doesn't work) Signed-off-by: Alexander Alemayhu <alexander@alemayhu.com> 01 September 2017, 22:29:42 UTC
4a73a90 Documentation/troubleshooting: show new monitor output Also while at it fix broken link to policy tracing section. Closes: #1316 (Documentation: update monitor output in administrator guide) Signed-off-by: Alexander Alemayhu <alexander@alemayhu.com> 01 September 2017, 01:08:00 UTC
a82c9f7 tests: Quote grep's regexp arg in 00-no-newlines-in-log-call.sh Signed-off-by: Romain Lenglet <romain@covalent.io> 01 September 2017, 00:01:10 UTC
ad50643 proxy: Extend log record format Add fields to support L3/L4 flow export. Move logging functions and log record format into a separate accesslog package to reduce dependencies from the logging package. Signed-off-by: Romain Lenglet <romain@covalent.io> 01 September 2017, 00:01:10 UTC
efc8f2c Add a newline in the proxy access log - Add a newline after logging each record in the proxy access log. Signed-off-by: ashwin@covalent.io 31 August 2017, 21:40:47 UTC
7088043 Jenkinsfile: remove cilium-files directory from workspace We also need to remove the cilium-files directory after each build is complete to avoid buildup of cruft over time in a given workspace. Signed-off by: Ian Vernon <ian@covalent.io> 31 August 2017, 19:07:06 UTC
81a00fc Add src-k8s-yaml, dst-k8s-yaml as parameters to `cilium policy trace` * Add ability to pass in a path to a YAML file containing Deployments, ReplicaSets, and ReplicationControllers to `cilium policy trace`. The set of labels provided to the YAML are extracted, and are used as the source and destination labels to test whether the currently imported policies allow for L3 or L4 communication. * Added more informative output for when policy enforcement is not enabled between two endpoints. * Updated tests to account for new formatting in `cilium policy trace` output. * Move YAML parsing functions into a new pkg, pkg/policy/trace. Signed-off by: Ian Vernon <ian@cilium.io> 31 August 2017, 15:50:51 UTC
25b407a cmd: refactor policy trace helper functions Signed-off by: Ian Vernon <ian@cilium.io> 31 August 2017, 15:50:51 UTC
3973b79 Synchronize compilation of base, endpoint programs Add a new mutex for the daemon, compilationMU, which is Locked when the daemon's base programs are being compiled. This mutex is RLocked when endpoints are having their BPF programs generated. Signed-off by: Ian Vernon <ian@covalent.io> 31 August 2017, 14:34:13 UTC
316a1ae Add SHA256 to access log and identity API (#1425) * Issue :#1348 Add SHA256 to access log and GET /identity API #1348. This achieves the second half of the issue i.e calculate the SHA256 of the labels and display it as part of CLI % cilium identity get <id> Signed-off-by: Manali Bhutiyani <manali@covalent.io> * Issue #1348: Fix a bug in LookupIdentity, so that we produce unique sha256 hash for reserved:world and reserved:host Signed-off-by: Manali Bhutiyani <manali@covalent.io> * Issue #1348: Add SHA256 of identity labels to access log records Signed-off-by: Manali Bhutiyani <manali@covalent.io> * Nit formatting by go Signed-off-by: Manali Bhutiyani <manali@covalent.io> * Issue 1425 Address review comments and extend 19-identity-get.sh to take into account the SHA256 Signed-off-by: Manali Bhutiyani <manali@covalent.io> * Issue :#1348 LabelSHA256 --> LabelsSHA256. Missed one Signed-off-by: Manali Bhutiyani <manali@covalent.io> * Issue :#1348 LabelSHA256 make generate-api to make structs consistent Signed-off-by: Manali Bhutiyani <manali@covalent.io> * Issue :#1348 Missed $ in script. Signed-off-by: Manali Bhutiyani <manali@covalent.io> 31 August 2017, 05:13:37 UTC
3361224 daemon/k8s: wait for TPR resource definitions to be installed in k8s Since cilium was not checking if the TPR resource definition after being created, it could cause false positives in the detection of conflicting TPR and CRDs installed in the same cluster. With this commit, cilium makes sure the TPR is installed before continuing any operation. Signed-off-by: André Martins <andre@cilium.io> 30 August 2017, 22:31:19 UTC
f266db6 tests: adding e2e tests for CNP in kubernetes Signed-off-by: André Martins <andre@cilium.io> 30 August 2017, 22:31:19 UTC
1fd4f57 adding CRD cilium network policy policy status When using kubernetes to manage CRD CNP, it was difficult to know on which nodes was the policy being placed. With this commit it will be possible to check with `kubectl get ciliumnetworkpolicies <name> -o json` or with `kubectl describe ciliumnetworkpolicies <name>` when was the policy received by which node. Signed-off-by: André Martins <andre@cilium.io> 30 August 2017, 22:31:19 UTC
4c73646 Create CNP dedicated client with public interface Signed-off-by: André Martins <andre@cilium.io> 30 August 2017, 22:31:19 UTC
d1e86a1 k8s: moved CreateCustomResourceDefinitions to pkg/k8s Signed-off-by: André Martins <andre@cilium.io> 30 August 2017, 22:31:19 UTC
6ef48ec bpf: Consistent drop notifications Consolidates the code to emit drop notifications to include as much metadata as possible. Fixes: #1427 Signed-off-by: Thomas Graf <thomas@cilium.io> 30 August 2017, 22:20:38 UTC
e24ecdf proxy: Improve access log error handling and debug messages Signed-off-by: Thomas Graf <thomas@cilium.io> 30 August 2017, 21:04:43 UTC
9481e0d [k8s] daemonset scheduling on master node Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 30 August 2017, 18:09:16 UTC
5fa3518 endpoint: Add policy direction to ProxyID This is required to ensure unique allocation of proxies for ingress and egress direction. Fixes: #1432 Signed-off-by: Thomas Graf <thomas@cilium.io> 30 August 2017, 18:08:48 UTC
c5c2450 bpf: Use __be16 consistently to indicate ports in network byteorder Signed-off-by: Thomas Graf <thomas@cilium.io> 30 August 2017, 18:08:30 UTC
49b750f tests: be more strict in wait_ep_gen Previously, wait_for_ep_gen waited until all endpoints were listed as being in 'ready' state. However, there was a possibility that all endpoints were briefly in 'ready' state before one starts regenerating, resulting in the function prematurely returning. Add a stricter check for endpoints being in ready state by making sure that the output of `cilium endpoint list` shows all endpoints in 'ready' state 10 times in a row after sleeping briefly between each check. Signed-off by: Ian Vernon <ian@cilium.io> 30 August 2017, 14:52:52 UTC
081880c cmd/config: daemon/status: check NodeMonitor before accessing properties Related-to: #1429 (cilium config segfaults) Signed-off-by: Alexander Alemayhu <alexander@alemayhu.com> 30 August 2017, 14:50:55 UTC
915433a tests/k8s: fixed k8s bash typo Signed-off-by: André Martins <andre@cilium.io> 30 August 2017, 14:49:53 UTC
582a3c7 tests: bump ping count for cidr test Trying to see if resolves a local build issue Signed-off-by: Alexander Alemayhu <alexander@alemayhu.com> 30 August 2017, 00:35:54 UTC
8c2a78e monitor: Reduce number of buffers and objects created Refactor the Meta and Payload encoding/decoding methods to implement the encoding.BinaryMarshaler and encoding.BinaryUnmarshaler interfaces. Implement WriteBinary/ReadBinary methods to write/read Meta and Payload values without creating extra buffers and objects. Signed-off-by: Romain Lenglet <romain@covalent.io> 29 August 2017, 22:50:22 UTC
c3b0682 monitor: Ensure Meta and Payload buffers are read fully Signed-off-by: Romain Lenglet <romain@covalent.io> 29 August 2017, 22:50:22 UTC
3543a87 tests/k8s: fix syntax error in guestbook test Signed-off-by: André Martins <andre@cilium.io> 29 August 2017, 19:49:07 UTC
005dd1e Mesos GSG Image, output, script and text updates; stable Cilium release. (#1419) Signed-off-by: Cynthia Thomas <cynthia@covalent.io> 29 August 2017, 15:59:34 UTC
5d43ac2 tests: get Consul logs from runtime-tests Previously, if the tests errored out due to Consul-related errors, we had no information for debugging. Gather the Consul logs as well for debugging if needed. Signed-off by: Ian Vernon <ian@cilium.io> 29 August 2017, 15:32:29 UTC
801e696 Revert "bpf: Merge bpf_lb and bpf_netdev" This reverts commit 31203bc2196ff32e752389a735b0a3fe9ef2490c. 28 August 2017, 23:55:36 UTC
d4635a7 Revert "bpf_netdev: Limit captured messages to packets to in cluster packets" This reverts commit e80d769a8f31a331f5245dacc161dedb55d330c5. 28 August 2017, 23:55:36 UTC
db0ff58 Revert "agent: Validate tunnel mode" This reverts commit 5ba177f519888327c92d0e6c2ccba6f61d2791a0. 28 August 2017, 23:55:36 UTC
dc25fbe Revert "agent: Support for parallel tunnel & direct mode" This reverts commit 56e1a51f24a9e161d2c3506ed341fee2114841f5. 28 August 2017, 23:55:36 UTC
c7e47b4 Revert "agent: Attach a bpf_netdev to the main interface automatically" This reverts commit d275b5fef0a999bf5f1cf55cadeb7919ec5a837a. 28 August 2017, 23:55:36 UTC
bfe2953 Revert "agent: Remove --lb flag" This reverts commit 0bd4748751907d1097ff3df5cd5c5965c2a93669. 28 August 2017, 23:55:36 UTC
50d0f7b Revert "agent: Limit routing of non-local cluster IPs to tunneling mode" This reverts commit 6d91a9e5ebaa6949e430be9d99f4efe5a7d1ebe1. 28 August 2017, 23:55:36 UTC
3613d38 Revert "bpf: Fix incorrect TC_ACT_REDIRECT overwrite" This reverts commit 9a412b975f88fb6cbff328ee5c3f2a1c5bcb0801. 28 August 2017, 23:55:36 UTC
03debb8 tests: put `cilium endpoint list` output in var In tests/96-restore-endpoint.sh, we took the md5sum of `cilium endpoint list`, and then ran `cilium endpoint list` again to store its output in a variable. However, in between getting the md5sum and storing the output in a variable, the output of `cilium endpoint list` may have changed. Store the output of `cilium endpoint list` in a variable, then find the md5sum of the contents of that variable. Signed-off by: Ian Vernon <ian@cilium.io> 28 August 2017, 17:21:35 UTC
e9fd179 tests/k8s: removing policy inserted on each k8s version Since we only install some policies depending on which k8s version is running we should also remove the policies created based on the k8s version used. Signed-off-by: André Martins <andre@cilium.io> 28 August 2017, 13:12:05 UTC
9a412b9 bpf: Fix incorrect TC_ACT_REDIRECT overwrite Signed-off-by: Thomas Graf <thomas@cilium.io> 27 August 2017, 19:12:21 UTC
c3832e3 kvstore: Better init procedure - Start keepalive go subroutine from initClient - Use sync.Once and sync.Mutex to ensure proper Setup() ordering - Remove duplicate dummy setup test Signed-off-by: Thomas Graf <thomas@cilium.io> 27 August 2017, 15:03:22 UTC
c54ad79 bpf: Replace definitions in node_config.h instead of adding them Fixes: #1265 Signed-off-by: Thomas Graf <thomas@cilium.io> 27 August 2017, 15:03:22 UTC
d831c78 bpf: Remove calls BPF map before loading program This map never contains persistent data and can thus be removed before loading to allow for structural changes. Signed-off-by: Thomas Graf <thomas@cilium.io> 27 August 2017, 15:03:22 UTC
5bd8c17 agent: Masquerade when tunneling is disabled We currently only add a masquerade rule for endpoint traffic in overlay mode. Direct routing mode has been expected to use public IP addresses where masquerading is not required. The majority of users tend to use private IPs though which makes endpoints unroutable outside of the internal network. A possible solution here is to add a masquerade rule which only applies if: - the source address is within local node prefix - the destination address is outside of the cluster and service prefix - the packet is routed to the outside of the local node Fixes: #1164 Signed-off-by: Thomas Graf <thomas@cilium.io> 27 August 2017, 15:03:22 UTC
60c8a63 vendor: Pull in github.com/mattn/go-shellwords Signed-off-by: Thomas Graf <thomas@cilium.io> 27 August 2017, 15:03:22 UTC
6d91a9e agent: Limit routing of non-local cluster IPs to tunneling mode Now that we support attaching a BPF prog to a native device while also tunneling, limit the relaxed routing rule of local endpoints to only when tunneling is disabled completely. Signed-off-by: Thomas Graf <thomas@cilium.io> 27 August 2017, 15:03:22 UTC
0bd4748 agent: Remove --lb flag Signed-off-by: Thomas Graf <thomas@cilium.io> 27 August 2017, 15:03:22 UTC