Skip to main content

Browse the archive

https://github.com/cilium/cilium
09 April 2024, 21:14:05 UTC
sort by:
Revision Author Date Message Commit Date
142d6d6 Paul Chaignon 08 November 2021, 09:44:01 UTC .github: Increase reporting threshold for new flakes [ upstream commit 693163e45335077b1a20bf465a2a711ab013233f ] MLH assumes a flake is a new one if the similarity to existing flakes is below 75%. This threshold is a bit low for flakes affecting the same test but failing with a different error message. We can adjust to 85% and see. Related: https://github.com/cilium/cilium/issues/17270. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 29 November 2021, 09:40:03 UTC
4898cbd Paul Chaignon 08 September 2021, 15:29:08 UTC .github: Rename project/ci-force to ci/flake [ upstream commit 988e26e29329807d269e715904e72221f46aed09 ] Following discussion in the community meeting, we decided to rename the project/ci-force label to ci/flake. We need to rename it in MLH and the issue template. [ Backport note: .github/ISSUE_TEMPLATE/failing_test_template.md did not have the project/ci-force label on v1.8. To solve the conflict, we add label ci/flake anyway. ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 29 November 2021, 09:40:03 UTC
d3867e8 Jarno Rajahalme 03 November 2021, 16:57:57 UTC test: Do not require netpols in 'waitNextPolicyRevisions()' [ upstream commit c8d2fc7129bcc236c130141a680861e56908fad4 ] 'waitNextPolicyRevisions()' currently returns 'true' when no k8s network policies are applied, bypassing the Cilium agent policy revision wait in this case. As our tests typically (never?) have no NPs applied, we have not actually waited for CNP or CCNP changes to take place in all Cilium PODs before proceeding with the tests. This may have caused CI flakes. Fix this by removing the code that checks for the presence of NPs. Reported-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 15 November 2021, 10:58:40 UTC
4989104 Joe Stringer 05 November 2021, 23:22:47 UTC install: Update image digests for v1.8.13 Generated from https://github.com/cilium/cilium/actions/runs/1427711285. `docker.io/cilium/cilium:v1.8.13@sha256:070a57faa72ca55b045861453a2f1697e4d582a75cf2b24937e0397684abcb3f` `quay.io/cilium/cilium:v1.8.13@sha256:070a57faa72ca55b045861453a2f1697e4d582a75cf2b24937e0397684abcb3f` `docker.io/cilium/docker-plugin:v1.8.13@sha256:6ee38e8d87a3e41f175163cbc093ff10061db3864d9a483cb75a9937c3ca506d` `quay.io/cilium/docker-plugin:v1.8.13@sha256:6ee38e8d87a3e41f175163cbc093ff10061db3864d9a483cb75a9937c3ca506d` `docker.io/cilium/hubble-relay:v1.8.13@sha256:ddb57b1f0cb5953bb090853f72334a11a59d1732f685baac191dea0ff2acefd0` `quay.io/cilium/hubble-relay:v1.8.13@sha256:ddb57b1f0cb5953bb090853f72334a11a59d1732f685baac191dea0ff2acefd0` `docker.io/cilium/operator-aws:v1.8.13@sha256:1829d3cbcbf7541a6960f6cea7991fd4a55e921936a9d67636928f6481070162` `quay.io/cilium/operator-aws:v1.8.13@sha256:1829d3cbcbf7541a6960f6cea7991fd4a55e921936a9d67636928f6481070162` `docker.io/cilium/operator-azure:v1.8.13@sha256:3e8c511cf17791b37f90afe502d39e62d4cfa7c891fa76c7347317a58d5e0652` `quay.io/cilium/operator-azure:v1.8.13@sha256:3e8c511cf17791b37f90afe502d39e62d4cfa7c891fa76c7347317a58d5e0652` `docker.io/cilium/operator-generic:v1.8.13@sha256:9e6677599565637d479886d038c366b40ce4acded54ab7bca1c7ad660b0c0a83` `quay.io/cilium/operator-generic:v1.8.13@sha256:9e6677599565637d479886d038c366b40ce4acded54ab7bca1c7ad660b0c0a83` `docker.io/cilium/operator:v1.8.13@sha256:4e865ab71494c27df6c6f4f1ba113bdcdfa1313e2d69c4cfe54eed7fa13bde14` `quay.io/cilium/operator:v1.8.13@sha256:4e865ab71494c27df6c6f4f1ba113bdcdfa1313e2d69c4cfe54eed7fa13bde14` Signed-off-by: Joe Stringer <joe@cilium.io> 05 November 2021, 23:40:38 UTC
0c580bd Joe Stringer 05 November 2021, 22:32:09 UTC Prepare for release v1.8.13 Signed-off-by: Joe Stringer <joe@cilium.io> 05 November 2021, 23:03:05 UTC
96e3fdb Joe Stringer 05 November 2021, 21:16:29 UTC Update Cilium base images Signed-off-by: Joe Stringer <joe@cilium.io> 05 November 2021, 22:19:16 UTC
274c346 dependabot[bot] 03 November 2021, 14:07:55 UTC build(deps): bump actions/checkout from 2.3.5 to 2.4.0 Bumps [actions/checkout](https://github.com/actions/checkout) from 2.3.5 to 2.4.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2.3.5...v2.4.0) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 04 November 2021, 17:22:14 UTC
8deacd0 dependabot[bot] 18 October 2021, 14:07:18 UTC build(deps): bump actions/checkout from 2.3.4 to 2.3.5 Bumps [actions/checkout](https://github.com/actions/checkout) from 2.3.4 to 2.3.5. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2.3.4...v2.3.5) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 25 October 2021, 06:02:15 UTC
c498e35 André Martins 28 September 2021, 15:30:45 UTC test: bump coredns version to 1.7.0 [ upstream commit f6f2406017ca6cca537400bc6fbf4b32ebec42e2 ] coredns < 1.7.0 has a bug that makes the services resolution to become out-of-sync with the last state from Kubernetes in case coredns suffers from a disconnection with kube-apiserver [1]. This bug is fixed on all versions equal and above 1.7.0. [2] In our CI this affects all Kubernetes jobs 1.18 and below and can result in flaky tests that have the result in the following similar logs: ``` service IP retrieved from DNS (10.101.253.144) does not match the IP for the service stored in Kubernetes (10.108.15.225) ``` [1] https://github.com/coredns/coredns/issues/3587 [2] https://github.com/coredns/coredns/pull/3924 Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 11 October 2021, 10:36:36 UTC
badc144 André Martins 16 September 2021, 12:40:47 UTC pkg/k8s: fix User-Agent for kubernetes client [ upstream commit 9e4d84b17c1e1e52ba5413763c44a62510f84675 ] The Kubernetes' client User-Agent was never set and it would always fallback to the default value. This commit fixes this issue and now all Cilium components will correctly present their User-Agent. Fixes: b31ed337090a ("Add k8s client qps and burst as cli flags for the operator") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 11 October 2021, 10:36:36 UTC
89d5c70 André Martins 16 September 2021, 22:15:54 UTC contrib/backporting: add environment variables to set ORG and REPO [ upstream commit 83d30deca58251e7246039ed100183d68c7a0d6a ] Having these environment variables allows the cherry-pick script to be used on other projects that are not Cilium. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 11 October 2021, 10:36:36 UTC
275fc03 Stijn Smits 21 May 2021, 14:24:16 UTC Fix overwriting iptables for kube-proxy free installation [ upstream commit 27fd5cc0f7177e62e7facaeec70ed9eae9ac7a00 ] Signed-off-by: Stijn Smits <stijn@stijn98s.nl> Signed-off-by: Glib Smaga <code@gsmaga.com> 11 October 2021, 10:36:36 UTC
288cfee bluikko 22 July 2021, 08:26:55 UTC Update language on libceph with kubeproxy-free [ upstream commit a8b34806e2905c675b90b61f5c9d8ae7609057f2 ] It was not clear if kernel v5.8 has problem with libceph or if 5.8 fixes the problem. Redo the sentence based on feedback to make it more clear and easy to read. Signed-off-by: Ville Ojamo <bluikko@users.noreply.github.com> Signed-off-by: Glib Smaga <code@gsmaga.com> 11 October 2021, 10:36:36 UTC
ee0f125 Tom Payne 13 September 2021, 11:45:08 UTC jenkinsfiles: Don't display nulls in current build display name [ upstream commit e0da2e441e506279bdc9d3089024655abfbebb8d ] Signed-off-by: Tom Payne <tom@isovalent.com> Co-authored-by: Nicolas Busseneau <nicolas@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 07 October 2021, 15:35:55 UTC
447187e Paul Chaignon 20 July 2020, 05:17:21 UTC test: Use newer versions of istio bookinfo example images [ upstream commit a197641f97efe51e2a83cc34d642fe05dc53ae71 ] Using these two newer versions allows us to save at least 121MB. The image size of examples-bookinfo-reviews-v1 increased in latest versions, so let's not update it. Latest versions of examples-bookinfo-productpage-v1 do not contain wget, which we need for tests, so we can't update it. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 07 October 2021, 15:35:55 UTC
fb3ed8a Jarno Rajahalme 21 September 2021, 08:15:21 UTC test: Skip Istio test on k8s <1.17 [ upstream commit 3992048f6ac44b2e44f4c2d9d157a3987b883af0 ] Istio 1.10 requires at least k8s version 1.17. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 07 October 2021, 15:35:55 UTC
25cdb4d Jarno Rajahalme 02 July 2021, 16:28:02 UTC istio: Update to release 1.10.4 [ upstream commit 4c87394b7a2380909d86ffa3e8da47df0fff2e98 ] Update Cilium Istio integration to Istio release 1.10.4. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 07 October 2021, 15:35:55 UTC
4a288f3 Jarno Rajahalme 14 January 2021, 23:00:03 UTC istio: Update to 1.8.2 [ upstream commit ee18c90e28308b5816b9cfb73aa0acfcecfb802d ] Update Istio integration to Istio release 1.8.2. Istioctl no longer lists the service name for an inbound port. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 07 October 2021, 15:35:55 UTC
3a60164 Jarno Rajahalme 14 January 2021, 23:00:03 UTC istio: Update to 1.7.6 [ upstream commit 2423a0c849d22f06c6d2e7de7e31df7ab117ce76 ] Update Istio integration to Istio release 1.7.6. Istioctl CLI syntax has changed slightly, instead of `cilium-istioctl manifest apply -y` we now use `cilium-istioctl install -y`. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 07 October 2021, 15:35:55 UTC
6a969fd Jarno Rajahalme 10 December 2020, 19:03:27 UTC Istio: Update to 1.6.14 [ upstream commit ae9f5eab8ce849575642d260f152bb98fd6c8d5c ] Istio CI test was quarantined on K8s 1.19 and 1.20 due to `istioctl` using deprecated k8s features and then returning a non-zero exit code due to deprecation warnings from k8s. This release of `istioctl` fixes that so the test can be unquarantined. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 07 October 2021, 15:35:55 UTC
524687f André Martins 24 August 2021, 16:19:11 UTC vendor: update mongo-driver to 1.5.1 to fix CVE-2021-20329 [ upstream commit 1695d9c59ac4e78b5a02a96e83a57ec07ddbaa7f ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 07 October 2021, 15:35:55 UTC
b0e419a Nicolas Busseneau 16 September 2021, 17:31:59 UTC fix MLH config trigger Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 20 September 2021, 07:36:27 UTC
da56ab9 Joe Stringer 07 September 2021, 18:24:39 UTC .github: Remove conformance test from lint workflow Recently, upstream gomega moved to Go 1.16 which is apparently not available in the workflow environment here. This causes problems like: # github.com/onsi/gomega/matchers go/src/github.com/onsi/gomega/matchers/have_http_body_matcher.go:84:30: undefined: io.ReadAll go/src/github.com/onsi/gomega/matchers/have_http_status_matcher.go:81:16: undefined: io.ReadAll # github.com/onsi/gomega/gmeasure go/src/github.com/onsi/gomega/gmeasure/cache.go:69:18: undefined: os.ReadDir go/src/github.com/onsi/gomega/gmeasure/cache.go:90:18: undefined: os.ReadDir We already run the K8sConformance one-node test as part of the regular jenkins runs, so this run in the GitHub workflow is duplicate. Newer releases don't run this test as part of the linting since it's not linting anyway, so we can just drop these steps to resolve the issue and rely on Jenkins to provide feedback on this particular test. For what it's worth, I did briefly try pinning to ginkgo@v1.15.2 and gomega@v1.15.0 to resolve this but Go would complain about not wanting to pull a specific version into the $GOPATH, or otherwise complain about the vendor dependencies conflicting if I tried to use GO111MODULE. Seemed simpler in the end to just drop this logic from the GitHub action. Signed-off-by: Joe Stringer <joe@cilium.io> 15 September 2021, 20:40:35 UTC
f922479 dependabot[bot] 06 September 2021, 14:08:57 UTC build(deps): bump docker/setup-buildx-action from 1.5.1 to 1.6.0 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 1.5.1 to 1.6.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/abe5d8f79a1606a2d3e218847032f3f2b1726ab0...94ab11c41e45d028884a99163086648e898eed25) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 13 September 2021, 19:34:59 UTC
b719c4b Joe Stringer 03 September 2021, 00:13:22 UTC install: Update image digests for v1.8.12 Generated from https://github.com/cilium/cilium/actions/runs/1196156124. `docker.io/cilium/cilium:v1.8.12@sha256:2ff5e167ae861cc0301de0b4aab3e44a6ed375731ad5652894e89fb9aa216643` `quay.io/cilium/cilium:v1.8.12@sha256:2ff5e167ae861cc0301de0b4aab3e44a6ed375731ad5652894e89fb9aa216643` `docker.io/cilium/docker-plugin:v1.8.12@sha256:8786fc604a4cedd46dd6900031f0441a991734fa5907858f5fb293b95623fc3a` `quay.io/cilium/docker-plugin:v1.8.12@sha256:8786fc604a4cedd46dd6900031f0441a991734fa5907858f5fb293b95623fc3a` `docker.io/cilium/hubble-relay:v1.8.12@sha256:63e7612a4cf9222a0b465895e06bfd6d91dfe6225543f38648a7836a4e0a9e8c` `quay.io/cilium/hubble-relay:v1.8.12@sha256:63e7612a4cf9222a0b465895e06bfd6d91dfe6225543f38648a7836a4e0a9e8c` `docker.io/cilium/operator-aws:v1.8.12@sha256:b4c5696438c7d29c533c7177eca563afc444483fad44d87752a4076dee035a92` `quay.io/cilium/operator-aws:v1.8.12@sha256:b4c5696438c7d29c533c7177eca563afc444483fad44d87752a4076dee035a92` `docker.io/cilium/operator-azure:v1.8.12@sha256:f280b8cb8222edaffa327124053981096abecd8b715b9314567473a660a56f9a` `quay.io/cilium/operator-azure:v1.8.12@sha256:f280b8cb8222edaffa327124053981096abecd8b715b9314567473a660a56f9a` `docker.io/cilium/operator-generic:v1.8.12@sha256:0fce5d11c3f9c40f7347eca3a558c7bc9c6ac45b2c8c1e513da97258e54c3e36` `quay.io/cilium/operator-generic:v1.8.12@sha256:0fce5d11c3f9c40f7347eca3a558c7bc9c6ac45b2c8c1e513da97258e54c3e36` `docker.io/cilium/operator:v1.8.12@sha256:885577181ea1734d4e155bb3a5e64199dc58f59d452413d6f0d3edb3776e0316` `quay.io/cilium/operator:v1.8.12@sha256:885577181ea1734d4e155bb3a5e64199dc58f59d452413d6f0d3edb3776e0316` Signed-off-by: Joe Stringer <joe@cilium.io> 03 September 2021, 00:31:09 UTC
b00a133 Joe Stringer 01 September 2021, 19:51:30 UTC Prepare for release v1.8.12 Signed-off-by: Joe Stringer <joe@cilium.io> 01 September 2021, 21:03:17 UTC
5b0d3e7 dependabot[bot] 26 August 2021, 14:06:34 UTC build(deps): bump actions/setup-go from 2.1.3 to 2.1.4 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2.1.3 to 2.1.4. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/v2.1.3...v2.1.4) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 01 September 2021, 18:02:19 UTC
f696bb3 Joe Stringer 31 August 2021, 00:27:11 UTC Update cilium base images Signed-off-by: Joe Stringer <joe@cilium.io> 31 August 2021, 15:39:40 UTC
a10f638 Jarno Rajahalme 22 August 2021, 07:27:51 UTC envoy: Update to 1.18.4 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 30 August 2021, 21:58:24 UTC
4d59591 Jarno Rajahalme 30 July 2021, 15:06:07 UTC envoy: Update to release 1.18.3 [ upstream commit 74e89a4d55b774c5c95853f522c9a7bc63c5e692 ] Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 30 August 2021, 21:58:24 UTC
402cfc7 André Martins 21 August 2021, 00:34:19 UTC update Cilium base images Update images to get some potential security updates. Signed-off-by: André Martins <andre@cilium.io> 23 August 2021, 11:34:44 UTC
047b91c dependabot[bot] 20 August 2021, 14:06:30 UTC build(deps): bump docker/build-push-action from 2.6.1 to 2.7.0 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.6.1 to 2.7.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/1bc1040caef9e604eb543693ba89b5bf4fc80935...a66e35b9cbcf4ad0ea91ffcaf7bbad63ad9e0229) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 23 August 2021, 07:12:20 UTC
d9f346d André Martins 03 August 2021, 00:06:43 UTC node-neigh: Wait instead of sleeping in unit tests [ upstream commit 2017e04b6bf40291e3e6e8cbd0ce5537fe5d0110 ] We can inspect the neighLastPingByNextHop map to check when insertNeighbor() or deleteNeighbor() was called. Fixes: e68848b98004 ("remove ARP entries left from previous Cilium run") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 10 August 2021, 20:31:56 UTC
356a7fe André Martins 03 August 2021, 15:18:41 UTC .github: add MLH config for flake tracking Signed-off-by: André Martins <andre@cilium.io> 04 August 2021, 21:40:12 UTC
30a1362 Joe Stringer 15 July 2021, 23:03:27 UTC backporting: Detect only one related commit [ upstream commit 9abbbbfef0431f0e54dbe863648329c7bf138ee4 ] Recently, the check-stable script has suggested every single possible match for commits where the name does not uniquely identify the commit. This can be a bit confusing to backporters since it looks like there are many commits to backport as part of this PR, but the second and later ones are not necessary to backport. * PR: 16589 -- vagrant: Bump all Vagrant box versions (@pchaigno) -- https://github.com/cilium/cilium/pull/16589 Merge with 1 commit(s) merged at: Tue, 22 Jun 2021 12:36:17 -0700! Branch: master (!) refs/pull/16589/head ---------- ------------------- v (start) | edf76fb1ef6b58d5ef90b439d54134f314ed086e 5bef5d77137a9ecc5d3f2b72149307ffdd52cd42 4dc60e6faf654d7424ee959867a774205b3fed13 816b3231cdbc39f4bcdd3e6f5b40a056459a478c 51826b31087496d108044f3bffbf304580fffb4a df8238d451d755d5be75e202be89b4f88067c77b a4e7bc6c1f0e96078793458b6719b9a3999b89db via fb723f8133c40faa068a5a401f594622668b2753 ("vagrant: Bump all Vagrant box versions") v (end) Probably within the last year of commits, we should be able to correlate the exact commit that needs backporting, so iterate through those to find the exact commit. If none of those are the correct commit, fail out and push back to the backporter to figure out. This allows us to now accurately pick the correct commit in most cases: * PR: 16589 -- vagrant: Bump all Vagrant box versions (@pchaigno) -- https://github.com/cilium/cilium/pull/16589 Merge with 1 commit(s) merged at: Tue, 22 Jun 2021 12:36:17 -0700! Branch: master (!) refs/pull/16589/head ---------- ------------------- v (start) | edf76fb1ef6b58d5ef90b439d54134f314ed086e via fb723f8133c40faa068a5a401f594622668b2753 ("vagrant: Bump all Vagrant box versions") v (end) Manually tested by substituting a known commit into 'related_commits', and by checking the current v1.8 backports which includes an ambiguous commit due to a revert+reapply in the master branch. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Paul Chaignon <paul@cilium.io> 30 July 2021, 07:12:16 UTC
bd5c699 Joe Stringer 20 July 2021, 00:09:15 UTC contrib: Improve release script guard rails [ upstream commit 189cf7f4f73e49618ae8975fc9d297c9a107872b ] * Print help if zero args are provided * Pick up on invalid URLs with a simple regex to avoid failing early * Add the actions URL to the commit and PR messages. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Paul Chaignon <paul@cilium.io> 30 July 2021, 07:12:16 UTC
e5e7a0a Jarno Rajahalme 06 July 2021, 04:29:30 UTC wip: Add WaitGroup for SelectorCache user notifications [ upstream commit fc6ef4d5cd0764c7e67a72ed62b105e4c1c80263 ] Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 30 July 2021, 07:12:16 UTC
8934db2 Jarno Rajahalme 04 June 2021, 06:30:21 UTC policy: Make selectorcache callbacks lock-free [ upstream commit 7e91f36c5c9845af8de62a652a5406c206b0bb24 ] Make IdentitySelectionUpdated() callbacks lock-free by queueing them while still holding selectorcache lock (to keep FIFO order) and calling from a goroutine not holding any locks. This prevents deadlocks caused by the implementation of IdentitySelectionUpdated() taking locks such as endpoint or selectorcache locks. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 30 July 2021, 07:12:16 UTC
4ab279a Jarno Rajahalme 10 August 2020, 12:05:28 UTC policy: Do not dump selections on logs [ upstream commit be6c9c378cfac6d6bb1424e634c6261630e2d21b ] Dumping all security identities selected by a cached selectors can make for huge logs if there are a thousands of PODs in the cluster. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Paul Chaignon <paul@cilium.io> 30 July 2021, 07:12:16 UTC
dc573c8 Joe Stringer 23 July 2021, 17:04:56 UTC install: Update image digests for v1.8.11 Generated from https://github.com/cilium/cilium/actions/runs/1060395363. `docker.io/cilium/cilium:v1.8.11@sha256:e3bbf73ee39703dd88c97b445175947f7f3d6e4bc50717a4c51cd21e1334439a` `quay.io/cilium/cilium:v1.8.11@sha256:e3bbf73ee39703dd88c97b445175947f7f3d6e4bc50717a4c51cd21e1334439a` `docker.io/cilium/docker-plugin:v1.8.11@sha256:f6d26e10fdb784d6f6b3e7c26b2909dbde3a157277e110e5d2e96d7a93b0ac90` `quay.io/cilium/docker-plugin:v1.8.11@sha256:f6d26e10fdb784d6f6b3e7c26b2909dbde3a157277e110e5d2e96d7a93b0ac90` `docker.io/cilium/hubble-relay:v1.8.11@sha256:f8ce4b623b577d907fc945dbe02c21a4c7245d7449e64ff1e0adf83e060e7826` `quay.io/cilium/hubble-relay:v1.8.11@sha256:f8ce4b623b577d907fc945dbe02c21a4c7245d7449e64ff1e0adf83e060e7826` `docker.io/cilium/operator-aws:v1.8.11@sha256:a5aefdf9dca71c3f251831a3cdc7f45fdd73f14b86ecf3e9021d34f5440646fa` `quay.io/cilium/operator-aws:v1.8.11@sha256:a5aefdf9dca71c3f251831a3cdc7f45fdd73f14b86ecf3e9021d34f5440646fa` `docker.io/cilium/operator-azure:v1.8.11@sha256:22f1f37680473018f9b2c4d676d2b0153d68499b47fcc684d96bff1156cecaf9` `quay.io/cilium/operator-azure:v1.8.11@sha256:22f1f37680473018f9b2c4d676d2b0153d68499b47fcc684d96bff1156cecaf9` `docker.io/cilium/operator-generic:v1.8.11@sha256:0fc719983cbb7d18ceabd356a6db463fc83630bca951f6961630abbc7102ac7a` `quay.io/cilium/operator-generic:v1.8.11@sha256:0fc719983cbb7d18ceabd356a6db463fc83630bca951f6961630abbc7102ac7a` `docker.io/cilium/operator:v1.8.11@sha256:8a6dd59f64ea33341087277b2c3affa33a8627b530ae922ee64ade4c448fa926` `quay.io/cilium/operator:v1.8.11@sha256:8a6dd59f64ea33341087277b2c3affa33a8627b530ae922ee64ade4c448fa926` Signed-off-by: Joe Stringer <joe@cilium.io> 23 July 2021, 17:29:59 UTC
fcbbc8b André Martins 23 July 2021, 11:52:32 UTC github: fix GH workflows to handle push events to stable branches As these workflows exist in the stable branches, they should be executed whenever a push is made into the respective stable branch. Signed-off-by: André Martins <andre@cilium.io> 23 July 2021, 12:45:12 UTC
3449e52 Joe Stringer 22 July 2021, 23:54:59 UTC Prepare for release v1.8.11 Signed-off-by: Joe Stringer <joe@cilium.io> 23 July 2021, 11:41:06 UTC
dcd2fb7 Joe Stringer 22 July 2021, 23:46:39 UTC docker: Bump runtime image to 2021-07-22 Signed-off-by: Joe Stringer <joe@cilium.io> 23 July 2021, 11:41:06 UTC
bb547b4 Sebastian Wicki 16 June 2021, 10:08:41 UTC ci: Disable NFS locking [ upstream commit 1dd477dd4198b5bf5e20d8d6b3d4a55d46bc8e89 ] This is an attempt to fix the recent issues with NFS locking in CI, e.g. issue #16551 From the nfs(5) manpage: > When using the nolock option, applications can lock files, but such > locks provide exclusion only against other applications running on > the same client. Remote applications are not affected by these locks. Since in CI, we do not have any remote applications accessing the shared folder, only using local locks should be safe and more robust than using distributed locking. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> 22 July 2021, 22:26:10 UTC
80bb60e Kornilios Kourtis 20 July 2021, 09:27:05 UTC bpf: unconditionally enable tail calls in bpf_lxc The following cilium agent configuration [1] leads to the health endpoint lxc program to fail to load on 5.4 (tested using the dev VMs). The configuration does not enable IPv6, which means that the tailcalls on bpf_lxc are not enabled. This patch fixes this issue by unconditionally enabling tailcalls. The patch keeps the compile-time checks in case we want to modify this behaviour at a later time. [1]: --enable-hubble --hubble-listen-address :4244 --enable-k8s-event-handover --k8s-require-ipv4-pod-cidr --kube-proxy-replacement=partial --enable-remote-node-identity=false --enable-ipv6=false -t vxlan --k8s-kubeconfig-path/var/lib/cilium/cilium.kubeconfig --identity-allocation-mode=crd --enable-k8s-event-handover=false --enable-session-affinity --enable-node-port=false --enable-bpf-clock-probe=true --enable-bpf-masquerade=true --bpf-map-dynamic-size-ratio='0.0' --bpf-policy-map-max='65536' --disable-cnp-status-updates='true' --disable-endpoint-crd='true' --enable-api-rate-limit='true' --enable-external-ips='false' --enable-host-port='false' --enable-k8s-event-handover='true' --identity-allocation-mode=crd --enable-remote-node-identity='false' --enable-well-known-identities='false' --mtu=1500 --preallocate-bpf-maps='false' --monitor-aggregation='medium' --monitor-aggregation-flags=all" Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> 22 July 2021, 21:01:09 UTC
0b972ae Tom Payne 06 July 2021, 12:00:35 UTC contrib: Explicitly set remote for backport branches [ upstream commit eea7f9c3903da135675c0d2e1566067a89706e10 ] Before this change, the backporting scripts would correctly push to the user's remote, but the default remote for the backport branch was left as origin (typically cilium/cilium). This commit sets the backporting branch's remote to the user's remote, so further pushes from the command line (e.g. after adding more commits or rebasing) go by default to the correct remote. Signed-off-by: Tom Payne <tom@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 July 2021, 00:05:44 UTC
bfafc53 André Martins 02 July 2021, 01:04:48 UTC contrib/docs: rename 'cilium-actions.yml' with 'maintainers-little-helper.yaml" [ upstream commit d936ebf18cc329628529d7881cf5c86082de3fec ] [ Backporter's notes: Resolved docs conflict by taking upstream version. ] Commit a93c0ed53691 renamed the MLH configuration file. Unfortunately in a lot of places this filename was set and this commit renames those locations with this new filename. Fixes: a93c0ed53691 (".github: Rename maintainer's little helper's config file") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 22 July 2021, 00:05:44 UTC
89221f9 André Martins 01 July 2021, 04:15:16 UTC test/helpers: retrieve kube-apiserver logs [ upstream commit 445af9a1b4e32038ffda698f3f7583d30741149c ] To help debug certain flakes, we need kube-apiserver logs available in the test sysdump. This commit adds the ability to retrieve such logs. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 22 July 2021, 00:05:44 UTC
4560fb3 André Martins 01 July 2021, 04:13:18 UTC test/k8sT: set imagePullPolicy for cilium/log-gatherer stable tag [ upstream commit f470a071bd5df373578f720f852a0bd1c53731d8 ] [ Backporter's notes: Bump container to v1.1 as well ] cilium/log-gatherer:v1.1 is not mutable thus we don't need to always performing a pull of that docker image from docker hub. Fixes: a9285f49ca65 ("[CI] Move vagrant start script to separate file") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 22 July 2021, 00:05:44 UTC
a5f4a5b André Martins 01 July 2021, 04:10:47 UTC test: fix gathering of kubelet logs [ upstream commit da0fbad0b3be3ccfad8d73f599140b36470e484f ] When using journalctl to read the logs of another system, one need to explicitly pass -D and the directory containing the logs to successfully read the log messages. Fixes: a9285f49ca65 ("[CI] Move vagrant start script to separate file") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 22 July 2021, 00:05:44 UTC
389ef7f André Martins 15 July 2021, 22:56:19 UTC .github: harden permissions on GH workflows [ upstream commit 4286608cba1e973be832618d41d438e80784596a ] None of the GH workflows need the GITHUB_TOKEN to have write permissions for all scopes. This commit hardens the access values for each GH workflow accordingly their needs. Signed-off-by: André Martins <andre@cilium.io> 21 July 2021, 15:59:17 UTC
3dcf3cc Jarno Rajahalme 07 July 2021, 11:19:33 UTC iptables: Remove leading zeroes [ upstream commit d5ff6879dbc50de93cde07b4e6c87f2581106f34 ] Remove leading zeroes from marks, as 'iptables' is not formatting them. This allows proper matching of existing rules and avoids appending duplicate rules. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 15 July 2021, 18:06:29 UTC
a5ef47a Jarno Rajahalme 02 June 2021, 03:08:52 UTC endpoint: Do not panic in Finalize() [ upstream commit 28e7e39047622a317670638e40b69b4aa4087811 ] Panicing in Finalize functions may leave endpoint locked and brick the whole agent. Better avoid itt and log errors instead, and unlock the Endpoint in defer if it still happens. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 15 July 2021, 18:06:29 UTC
e1e6cfe Jarno Rajahalme 01 June 2021, 04:27:37 UTC iptables: Keep old rules while adding new ones [ upstream commit 5839d2322f3b691e419fcad25a01c29373d96996 ] Keep old iptables rules by renaming Cilium chains so that new rules can be added while old are still in use. Copy old TPROXY rules from the renamed old rules. Remove the backups only after new rules have been successfully added. This change makes it possible to keep old rules in effect while adding new ones without special consideration for transient rules. On first initialization only copy over the DNS proxy TPROXY rules, as other proxies can't reuse old proxy ports across restarts. Pick the last applicable proxy port from iptables, if multiple are present. Remove stale TPROXY rules once the current port is known. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 15 July 2021, 18:06:29 UTC
59296d3 Jarno Rajahalme 18 June 2021, 19:07:09 UTC iptables: Add rudimentary unit testing [ upstream commit 537715af01ae560e950563ab866751098d433e59 ] Wrap "iptables" and "ip6tables" programs with iptablesInterface so that unit testing can mock up the executables. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 15 July 2021, 18:06:29 UTC
e30329f dependabot[bot] 12 July 2021, 14:07:07 UTC build(deps): bump docker/setup-buildx-action from 1.5.0 to 1.5.1 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 1.5.0 to 1.5.1. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/e673438944759779e411a0f7ceef3ba437dccfa0...abe5d8f79a1606a2d3e218847032f3f2b1726ab0) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 12 July 2021, 15:04:08 UTC
a5a7bb0 Chris Tarazi 29 June 2021, 00:21:48 UTC ipam: Add extra debug info when blacklisting routes In order to debug failures such as https://github.com/cilium/cilium/issues/16677, we need more information in the logs to understand why the route was blacklisted. Signed-off-by: Chris Tarazi <chris@isovalent.com> 07 July 2021, 21:04:33 UTC
7bfcf80 André Martins 17 May 2021, 22:08:56 UTC pkg/k8s: add pod IP event change [ upstream commit e92dc6ac6b766e793091410d0cf58c61b01d424d ] This is a follow up of 6bd98ad7e443 ("handle IP addresses modification in running nodes and CEPs") for more information read the commit description of that commit. Signed-off-by: André Martins <andre@cilium.io> 06 July 2021, 13:12:26 UTC
8236481 dependabot[bot] 05 July 2021, 14:05:53 UTC build(deps): bump docker/build-push-action from 2.5.0 to 2.6.1 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.5.0 to 2.6.1. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/ad44023a93711e3deb337508980b4b5e9bcdc5dc...1bc1040caef9e604eb543693ba89b5bf4fc80935) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 05 July 2021, 20:47:48 UTC
08152d3 dependabot[bot] 02 July 2021, 14:06:16 UTC build(deps): bump docker/setup-buildx-action from 1.4.1 to 1.5.0 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 1.4.1 to 1.5.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/a1c666d855a037f439ebb7bf701ee144fcadd307...e673438944759779e411a0f7ceef3ba437dccfa0) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 02 July 2021, 16:16:37 UTC
e0994bc Nicolas Busseneau 30 June 2021, 16:51:58 UTC workflows: update Kind version to 0.11.1 This is necessary to work around a probable GH infrastructure issue where 0.9.0 suddenly started not to work in GH Actions: https://github.com/helm/kind-action/issues/42 Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 30 June 2021, 18:05:22 UTC
15d3f81 dependabot[bot] 30 June 2021, 14:06:33 UTC build(deps): bump helm/kind-action from 1.1.0 to 1.2.0 Bumps [helm/kind-action](https://github.com/helm/kind-action) from 1.1.0 to 1.2.0. - [Release notes](https://github.com/helm/kind-action/releases) - [Commits](https://github.com/helm/kind-action/compare/v1.1.0...v1.2.0) --- updated-dependencies: - dependency-name: helm/kind-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 30 June 2021, 18:05:22 UTC
45906d6 dependabot[bot] 29 June 2021, 14:08:21 UTC build(deps): bump docker/setup-buildx-action from 1.3.0 to 1.4.1 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 1.3.0 to 1.4.1. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/0d135e0c2fc0dba0729c1a47ecfcf5a3c7f8579e...a1c666d855a037f439ebb7bf701ee144fcadd307) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 29 June 2021, 21:57:27 UTC
456b091 Paul Chaignon 16 June 2021, 22:13:33 UTC contrib: Identify upstream commits by author and date [ upstream commit 4ddb158e2189fd4298d8adb92200b6937122cb5f ] When listing the commits of pull requests to backport, GitHub doesn't offer a way to find the corresponding commits merged in master. We therefore have to do it manually. To that end, we first retrieve a candidate commit by matching on the exact commit title. Several commits can have the same title however, so we need another check to confirm the candidate commit is the same commit as the pull request's. We currently use 'git patch-id' for the second check. That command computes a unique ID for a patch. It can however have false negatives. For example, 9515d1e ("docs: add a reference of helm values") and de62fa3 ("docs: add a reference of helm values") refer to the same patch, the first being from the pull request and the second from master (i.e., once merged). Nevertheless, when we run 'git patch-id', we get two different IDs: $ git show 9515d1e | git patch-id 5d928411d72fcdb5c9c24ab2138896e6709e578c 9515d1ea37f1d1122ece73cf061cf47590e90f9e $ git show de62fa3 | git patch-id de14f63774d0f56ecc1e22db615987bedffe1e4b de62fa37c9ac679fd45bb617e8759dd7a4918ccb Comparing the two commits shows that the difference is actually due to changes not introduced by this commit: $ diff <(git show 9515d1e) <(git show de62fa3) [...] 1997,1998c1997,1998 < @@ -118,7 +118,7 @@ contributors across the globe, there is almost always someone available to help. < | debug.enabled | bool | `false` | Enable debug logging | --- > @@ -119,7 +119,7 @@ contributors across the globe, there is almost always someone available to help. > | disableEndpointCRD | string | `"false"` | Disable the usage of CiliumEndpoint CRD | [...] We however don't need to use 'git patch-id'. Using the author's email address and date (+ commit title) is usually enough to uniquely identify commits on master. If someone sends two commits with the same title and author date (to the second), then they are definitely trying to game the system. In that unlikely event, we have two rounds of reviews (original pull request and backport pull request) to catch it. This commit implements that change. "%ae%at" (author email followed by author date without spaces) is used as the commit ID instead of the ID generated by git patch-id. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Tobias Klauser <tobias@cilium.io> 28 June 2021, 23:14:07 UTC
cb95ffa Martynas Pumputis 17 June 2021, 09:54:19 UTC node-neigh: Use arping ts in last ping hashmap [ upstream commit 4c4a5dc5d5aa80a26de8ea589ac51014f7057480 ] The change is probably noop, but itshould improve the last ping timestamp precision. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Tobias Klauser <tobias@cilium.io> 28 June 2021, 23:14:07 UTC
20cedbc Martynas Pumputis 17 June 2021, 09:34:24 UTC node-neigh: Add retry for concurrent arping test case [ upstream commit 8260f9dd72bee0a62708128d71194e9d4eb6887b ] The test became notoriously flaky. It seems that some goroutines were lagging behind with the updates and they were overwritting the new MAC addr entry with the obsolete. To fix this, retry multiple times until the correct entry is found. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Tobias Klauser <tobias@cilium.io> 28 June 2021, 23:14:07 UTC
18a7ca0 Martynas Pumputis 17 June 2021, 09:33:33 UTC testutils: Add WaitUntilWithSleep [ upstream commit 128f0f8db3c2bb53f041c02c3ca8f866a8b2dc55 ] As for some cases WaitUntil() is a DoS tool. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Tobias Klauser <tobias@cilium.io> 28 June 2021, 23:14:07 UTC
a3ffdf1 Daniel Borkmann 21 June 2021, 11:54:59 UTC bpf: fix hw_csum issue for icmp probe packets [ upstream commit 27122d4d666be42b564a06200c32647ca3c73405 ] Example trace seen in dmesg: [...] [ 7710.165608] enp10s0f0np0: hw csum failure [ 7710.165621] skb len=84 headroom=78 headlen=84 tailroom=30 mac=(64,14) net=(78,20) trans=98 shinfo(txflags=0 nr_frags=0 gso(size=0 type=0 segs=0)) csum(0x0 ip_summed=2 complete_sw=0 valid=0 level=0) hash(0x14006e3a sw=0 l4=0) proto=0x0800 pkttype=0 iif=4 [ 7710.165631] dev name=enp10s0f0np0 feat=0x0x0032b18217514ba9 [ 7710.165635] skb headroom: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 7710.165638] skb headroom: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 7710.165641] skb headroom: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 7710.165644] skb headroom: 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 7710.165646] skb headroom: 00000040: b8 ce f6 05 e7 62 b8 ce f6 05 e7 76 08 00 [ 7710.165649] skb linear: 00000000: 45 00 00 54 8a 07 00 00 40 01 84 e8 c0 a8 a0 04 [ 7710.165652] skb linear: 00000010: 0a 9a 00 73 00 00 23 57 00 f8 15 db cd 74 d0 60 [ 7710.165654] skb linear: 00000020: 00 00 00 00 5c 2d 0d 00 00 00 00 00 10 11 12 13 [ 7710.165657] skb linear: 00000030: 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 [ 7710.165660] skb linear: 00000040: 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 [ 7710.165663] skb linear: 00000050: 34 35 36 37 [ 7710.165665] skb tailroom: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 7710.165668] skb tailroom: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 7710.165672] CPU: 26 PID: 0 Comm: swapper/26 Not tainted 5.13.0-rc3+ #174 [ 7710.165674] Hardware name: Gigabyte Technology Co., Ltd. X570 AORUS MASTER/X570 AORUS MASTER, BIOS F22 08/20/2020 [ 7710.165676] Call Trace: [ 7710.165677] <IRQ> [ 7710.165680] dump_stack+0x7d/0x9c [ 7710.165683] netdev_rx_csum_fault.part.0+0x41/0x45 [ 7710.165686] netdev_rx_csum_fault.cold+0xb/0x10 [ 7710.165687] __skb_checksum_complete+0xdd/0xf0 [ 7710.165690] ? skb_send_sock_locked+0x20/0x20 [ 7710.165692] ? reqsk_fastopen_remove+0x190/0x190 [ 7710.165693] nf_ip_checksum+0x5b/0x120 [ 7710.165697] nf_conntrack_icmpv4_error+0x112/0x160 [nf_conntrack] [ 7710.165706] nf_conntrack_in.cold+0x1d/0x74 [nf_conntrack] [ 7710.165714] ? nft_do_chain_inet_ingress+0x280/0x2e0 [nf_tables] [ 7710.165722] ipv4_conntrack_in+0x14/0x20 [nf_conntrack] [ 7710.165731] nf_hook_slow+0x44/0xb0 [ 7710.165733] nf_hook_slow_list+0x71/0xf0 [ 7710.165735] ip_sublist_rcv+0x1d1/0x1f0 [ 7710.165737] ? ip_sublist_rcv+0x1f0/0x1f0 [ 7710.165739] ip_list_rcv+0xf5/0x120 [ 7710.165741] __netif_receive_skb_list_core+0x228/0x250 [ 7710.165745] netif_receive_skb_list_internal+0x1a1/0x2b0 [ 7710.165747] napi_complete_done+0x7a/0x1b0 [ 7710.165749] mlx5e_napi_poll+0x16e/0x730 [mlx5_core] [ 7710.165795] __napi_poll+0x31/0x170 [ 7710.165796] net_rx_action+0x22f/0x280 [ 7710.165798] __do_softirq+0xce/0x281 [ 7710.165800] irq_exit_rcu+0xa2/0xd0 [ 7710.165803] common_interrupt+0x8d/0xa0 [ 7710.165805] </IRQ> [ 7710.165806] asm_common_interrupt+0x1e/0x40 [ 7710.165808] RIP: 0010:cpuidle_enter_state+0xcc/0x360 [...] The trace was only reproducible with NICs using CHECKSUM_COMPLETE as csum type for inbound packets. It has been observed with mlx5, for example. The hw csum failure was only reproducible under the following conditions: - Protocol is ICMP, e.g. triggered by Cilium health probe packets - Pod from one node was pinging a remote node address - BPF based masquerading was used to SNAT Pod IP to node IP - BPF NAT engine found a collision in the NAT table such that it was forced to select a different ICMP id, and hence caused L4 rewrites In the case of ICMPv4 the bug was that BPF_F_PSEUDO_HDR was used for updating the L4 checksum. However, ICMPv4 does not have a pseudo header, only ICMPv6. The packet based csum was okay either way, but the flag caused to have a buggy skb->csum. Setting flag to 0 for ICMPv4 stopped the hw csum traces. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Co-developed-by: Kornilios Kourtis <kornilios@isovalent.com> Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 28 June 2021, 23:14:07 UTC
d3a0682 Jarno Rajahalme 15 June 2021, 00:32:22 UTC k8s: Fix logging [ upstream commit db06a64c3e0ecb87a5d7ba23dd33c09628f78456 ] Log the correct field for HostIP. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 28 June 2021, 23:14:07 UTC
8470f79 Mauricio Vásquez 04 June 2021, 15:36:36 UTC pkg/option: Fix default assignment of EnableWellKnownIdentities [ upstream commit 67b946de0539edea49e7fd1079c5b83681a30f74 ] Fixes: 09d9e1e0e2d9 ("policy: Disable well-known identities for non-managed etcd") Signed-off-by: Mauricio Vásquez <mauricio@accuknox.com> Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io> Signed-off-by: Tobias Klauser <tobias@cilium.io> 28 June 2021, 23:14:07 UTC
785f28a Maciej Kwiek 11 June 2021, 10:25:18 UTC ci: restart portmap service on ci nodes [ upstream commit ad65c7939cb75e362aa24012b4a99f1db3e2a3a3 ] Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 28 June 2021, 23:14:07 UTC
0c6ba9b dependabot[bot] 23 June 2021, 14:07:15 UTC build(deps): bump docker/login-action from 1.9.0 to 1.10.0 Bumps [docker/login-action](https://github.com/docker/login-action) from 1.9.0 to 1.10.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/28218f9b04b4f3f62068d7b6ce6ca5b26e35336c...f054a8b539a109f9f41c372932f1ae047eff08c9) --- updated-dependencies: - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 23 June 2021, 17:01:43 UTC
92e2ab2 dependabot[bot] 18 June 2021, 14:06:17 UTC build(deps): bump actions/download-artifact from 2.0.9 to 2.0.10 Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 2.0.9 to 2.0.10. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/158ca71f7c614ae705e79f25522ef4658df18253...3be87be14a055c47b01d3bd88f8fe02320a9bb60) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 21 June 2021, 12:09:48 UTC
8805a44 dependabot[bot] 17 June 2021, 14:06:27 UTC build(deps): bump actions/upload-artifact from 2.2.3 to 2.2.4 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 2.2.3 to 2.2.4. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/ee69f02b3dfdecd58bb31b4d133da38ba6fe3700...27121b0bdffd731efa15d66772be8dc71245d074) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 17 June 2021, 18:47:29 UTC
c1d9f08 Paul Chaignon 07 June 2021, 14:27:35 UTC .github: Rename maintainer's little helper's config file This commit renames the config. file to better clarify its purpose. Signed-off-by: Paul Chaignon <paul@cilium.io> 17 June 2021, 12:14:12 UTC
ce997f7 Sebastian Wicki 17 May 2021, 17:02:08 UTC docs: ENIs should not be unmanaged by the OS [ upstream commit b15cee151fc70274125bfbc122fb1c7c60e0671b ] When ENIs are managed by services such as NetworkManager or systemd-networkd, it can happen that they interfere with Cilium's configuration. For example, systemd-networkd can remove the ENI IP assigned by Cilium if the carrier is temporarily down, thus breaking SNAT. We previously had a similar section regarding NetworkManager and DHCP in the EKS installation guide, but the EKS guide has since been replaced by the Cilium CLI installation guide. This section here therefore acts as a replacement and states that the devices need to be unmanaged (e.g. disabling DHCP is not enough for systemd-networkd). Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 18:39:50 UTC
07c615b Quentin Monnet 07 May 2021, 10:41:24 UTC docs: add a "Copy Commands" button for shell-session snippets [ upstream commit 869e678b1ae3461b169259155e3bb52b6b4fa072 ] Add a "Copy Commands" to some code blocks. This new button attempts to copy only commands (and not their output) to the clipboard. The distinction between commands and output relies on the presence of a prompt symbol, either "$" or "#", at the beginning of the commands. If a command ends with a trailing backslash, copy the next line as well. For example, the following snippet: .. code-block:: shell-session $ ls -l foo cat $ echo 1 \ 2 \ 3\ 4 $nospace # exit should place the following text into the clipboard: ls -l echo 1 2 3 4 exit The button is added for the following blocks, when they contain several lines and at least one command is found in the block: - "code-block", but with language "shell-session" only, - Literal blocks ("::"), - Parsed literals. Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 18:39:50 UTC
b393660 Gilberto Bertin 04 June 2021, 15:12:45 UTC node: fix arpping test [ upstream commit 5a418a372f38004dae12275a5a3c0df6338cbd16 ] In TestArpPingHandling, wait for all goroutines that are inserting the new neighbors to finish before deleting the node. Fixes: #16221 Suggested-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 18:39:50 UTC
12a01e9 Chris Tarazi 04 May 2021, 23:48:40 UTC docs: Recommend use of dev VM for backporting [ upstream commit 7a4184f1195c0dd81a84cd3b265de19fb0f0fbb8 ] This will reduce chances of users using their own vagrant VMs which may come with libraries that are incompatible with our dependencies. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 18:39:50 UTC
1623d68 Chris Tarazi 04 May 2021, 23:41:02 UTC docs: Update requirements for backporting [ upstream commit 6032268f7d815f858c7135cb61e8bd8afae39b95 ] Since we want to move forward with using the GitHub CLI for creating backports, the previously listed optional items are actually required. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 18:39:50 UTC
328313f Martynas Pumputis 12 May 2021, 13:51:58 UTC daemon: Improve log msg of device auto-detection [ upstream commit 117be40f577d71ac542fccfb595d3cc97ebbdae5 ] Previously, the msg was misleading by stating that devices were being derived for the NodePort BPF. It's no longer the case, as the same devices are used by host-fw and bwm. Reported-by: Gilberto Bertin <gilberto@isovalent.com> Reported-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 18:39:50 UTC
7278b0f Martynas Pumputis 12 May 2021, 13:50:20 UTC daemon: Remove redundant device derivation for host-fw [ upstream commit b0e2881d6a2614cc6ba387e384a3dda39a0d7ee5 ] The devices are being derived by handleNativeDevices() invoked above. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 18:39:50 UTC
9af0749 Gaurav Genani 07 May 2021, 20:16:18 UTC bugtool: add missing bpftool map dumps [ upstream commit c573ff85c02a3a404bfd6873baf65b5ea408cdf0 ] Fixes:#16008 Signed-off-by: Gaurav Genani <h3llix.pvt@gmail.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 18:39:50 UTC
1b1f096 Quentin Monnet 13 May 2021, 11:31:06 UTC docs: document the policy for backporting documentation changes [ upstream commit 2a356d98c878a8cb8767b72aa1167fd11225a822 ] Documentation changes should be backported "as far as they go" on the supported branches, so that users can get relevant information from the documentation branch associated to the software version they run. Document this as part as the criteria for backports. Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 18:39:50 UTC
d243748 André Martins 17 May 2021, 12:50:52 UTC contrib: simplify check-docker-images script [ upstream commit 8e1ef9c2dd97518247c9e9d315c7e0d65f0ccae2 ] The curl URL fails if the sha256 is no longer part of the tag. Running with `docker buildx imagetools inspect` it is possible to verify if an image digest exists regardless even if no longer belongs to a tag. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 18:39:50 UTC
99381bf Jarno Rajahalme 21 May 2021, 17:56:19 UTC endpoint: Skip waiting-to-regenerate -> waiting-for-identity transitions [ upstream commit 1e5f74d64ffd01626ac29166972ca44e0c3c3412 ] Regeneration logic fails if waiting-for-identity changes to ready state in a scenario like this: builder: ready -> waiting-to-regenerate .. label change etc: waiting-to-regenerate -> waiting-for-identity .. labels resolved: waiting-for-identity -> ready .. builder: (ready) -> regenerating (FAILS as this is not expected) Resolve this by giving precedence to the waiting-to-regenerate state over the waiting-for-identity state. Compensate for possibly blocking this state change in Cilium endpoint PATCH API. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 18:39:50 UTC
dc301a8 André Martins 21 May 2021, 17:20:54 UTC pkg/k8s: ignore namespace events that do not change labels [ upstream commit 83391b41d23c3e4fb0941a7e15bd4c45e035cd41 ] As we can receive different type of namespace events, like difference in the annotations. We can ignore all of these events unless the labels are different. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 18:39:50 UTC
2d6436c Jarno Rajahalme 12 January 2021, 19:46:47 UTC datapath: Do not use proxy original source address with tunneling [ upstream commit 4b769cb53a15a7dcc30b8d2eac36094cb4cc071e ] Tunnel headers carry the source security ID so the use of original source address on Envoy upstream connections is not needed when tunneling. This commit disables the use of original source address when tunneling is used, which allows Envoy redirection to work also when using Kind to simulate multiple nodes in a single docker host. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 18:39:50 UTC
437d47e Joe Stringer 21 April 2021, 19:34:59 UTC docs: Update release process against template [ upstream commit a14bf9e213bb8fbaaa3b7b27dc178790c3a8ff33 ] Some recent template changes have not yet been propagated into the docs, update the docs with the latest steps. Signed-off-by: Joe Stringer <joe@cilium.io> 11 June 2021, 21:17:47 UTC
eb70f3e Joe Stringer 20 April 2021, 23:48:18 UTC contrib: Automate digest PR creation [ upstream commit 893d0e7ec5766c03da2f0e7b8c548f7c4d89fcd7 ] [ Backporter's notes: Dropped conflicts in .github/ issue template ] There's still some interactive bits here just for safety, but one less step in the template. Signed-off-by: Joe Stringer <joe@cilium.io> 11 June 2021, 21:17:47 UTC
ab5bd61 Joe Stringer 20 April 2021, 23:44:36 UTC contrib: Make docker digest pull more idempotent [ upstream commit ef199d851e2077b8568df9fc79463ea7daaff9db ] Check the args properly so we don't require a version to be specified, and recreate the digest file every time the script is run. Signed-off-by: Joe Stringer <joe@cilium.io> 11 June 2021, 21:17:47 UTC
c94c4f4 Joe Stringer 14 May 2021, 18:39:41 UTC contrib: Make upstream commit check more generic [ upstream commit 8a2d2d3d2ff4df24eac37b565869f45c3dda7d8f ] This bash function is super close to being generically useful across different repositories, by allowing to check whether a commit is in any particular upstream (including hubble repos). Make it a bit more generic without changing the default args, that way we don't have to update any of the existing scripts. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 03 June 2021, 00:11:54 UTC
391fe49 Bruno Miguel Custódio 12 May 2021, 17:09:23 UTC docs: add ids to the list of special identities [ upstream commit 519fa82d18e4c59a882c65f078b17dfe7c9a3fbd ] A few users have been asking about where to find the numeric IDs associated with a given identity, so maybe it's worth adding them to the table. Signed-off-by: Bruno Miguel Custódio <brunomcustodio@gmail.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 03 June 2021, 00:11:54 UTC
1423919 Joe Stringer 28 April 2021, 02:25:36 UTC AUTHORS: Fix up some author names [ upstream commit 6d128d201bbecfdc06a809a17bf3e89fbd494a71 ] Bokang Li informed me out-of-band that this is the correct representation of their name, fix it up. Yurii Komar has their name on their github profile. Signed-off-by: Joe Stringer <joe@cilium.io> Authors updated with `make update-authors`, but no changes. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 03 June 2021, 00:11:54 UTC
1c57fd7 Joe Stringer 28 April 2021, 00:43:47 UTC .mailmap: Update authors for v1.10 dev cycle [ upstream commit acba9d12dc09fd925c16abf69f02626709f8ba4d ] [ upstream commit 622d841c9b5408f33170179eabdc71923d8a2b28 ] Pull this commit from the v1.10 branch used during that release, and re-generate the authors file based on it. Signed-off-by: Joe Stringer <joe@cilium.io> Authors updated with `make update-authors`. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 03 June 2021, 00:11:54 UTC
7a0e2e9 Joe Stringer 18 May 2021, 00:01:39 UTC contrib: Skip vagrant authors in extract_authors [ upstream commit 6d6ff65dc767b459864e616cac32ed9c1161d84d ] Authors in the git log who have used the vagrant VM have always been repeat contributors who have resolved invalid git authorship issues in subsequent submissions, so there is no need to take these authors into account when calculating the authors list. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 03 June 2021, 00:11:54 UTC
1d8d6bc Joe Stringer 17 May 2021, 23:52:53 UTC contrib: Optimize extract_authors.sh script [ upstream commit 1cd5be9e79d6094b4b472a1d0e9073ad0d834480 ] By using built-in formatting primitives instead of independently fetching names and emails from git in separate commands, we can reduce git history iteration by 50%, saving 30s per authors update on my system. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 03 June 2021, 00:11:54 UTC
38c555a Chris Tarazi 03 May 2021, 21:25:46 UTC docs: Clarify coordination for backporting process [ upstream commit 946f52cf100c87668fb97ccf91659df1b4d24fe3 ] Document the common workflow that we've been working under. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 03 June 2021, 00:11:54 UTC
63c505f Christian Hörtnagl 19 May 2021, 05:11:20 UTC Specify scrape interval for Hubble metrics [ upstream commit 45689ece6f242c4c2546a3f32ddd80f6464f6e24 ] Fixes: #16148 I have checked that 30s (instead of 10s) works as well. Signed-off-by: Christian Hörtnagl <christian2@univie.ac.at> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 03 June 2021, 00:11:54 UTC
6b25083 Joe Stringer 27 April 2021, 21:31:20 UTC bpf: Test build with -DHAVE_FIB_LOOKUP [ upstream commit 4722a2bdde99bbadf68f94dbc08ebdb977ef3e57 ] Add extra build options with this to catch build-time errors with/without this option. This is normally controlled by kernel version support, but we don't currently factor variants of such feature detection into the build testing. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 03 June 2021, 00:11:54 UTC
back to top