https://github.com/cilium/cilium

Revision Author Date Message Commit Date
7f69b28 Merge 292595edbe082d2ff8f9d8b95b0abcda544a098a into e567f8bfa7e8cc4d71566f224f60d7222d3d874b 03 February 2021, 13:24:55 UTC
292595e docs: Add `dns` context option for Hubble metrics Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 03 February 2021, 13:24:45 UTC
bbd3ce5 hubble/metrics: Add dns context option This adds a new context option to the Hubble metrics, which adds the DNS name as the source or destination label. If multiple DNS names are associated with an IP address, all of them are added. Example metric for `--hubble-metrics=flow:destinationContext=dns` in the `connectivity-check.yaml`: ``` hubble_flows_processed_total{destination="www.google.com",protocol="TCP",subtype="",type="PolicyVerdict",verdict="FORWARDED"} 57 ``` Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 03 February 2021, 13:24:45 UTC
95ac34a hubble/metrics: Handle policy verdict and capture correctly Flow events can originate from trace, drop, capture or policy verdict events. The metrics code did not have the necessary cases to deal with the latter two and treated them as unknown events instead. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 03 February 2021, 13:24:45 UTC
e567f8b maglev: Allocate permutations slice ahead of time Previously, the Maglev permutations slice is allocated inside `getPermutation()`, which means every time `maglev.GetLookupTable()` is called, the slice will be recreated. That means it would be recreated on every Service creation or update. This commit allocates the slice ahead of time when the Maglev subsystem is initialized (`maglev.Init()`). This gives a rough improvement in time of around 15%. The slice is allocated based on a heuristic computation, involving the M size. Nodes running with less than 8GB of RAM do not apply and Cilium will not preallocate the slice ahead of time. For nodes with more than the aforementioned threshold, the formula for the heuristic is: (M / 100) * 100 This is derived from the maximum backends property from Maglev where |backends| * 100 < M. This gives the following memory pressure profile based on M (left-hand side): 251: 0.004806594848632812 MB 509: 0.019766311645507812 MB 1021: 0.07953193664550783 MB 2039: 0.3171936798095703 MB 4093: 1.2781256866455077 MB 8191: 5.118750076293945 MB 16381: 20.472500686645507 MB 32749: 81.82502754211426 MB 65521: 327.5300171661377 MB 131071: 1310.700000076294 MB If the user has more backends than the preallocated size, we will adjust the allocation to be |backends| * M. This is because we want to ensure that the Maglev subsystem isn't thrashing trying to reallocate the slice on each Service create or update. 
Benchmark timings: Before ``` $ go test -v ./pkg/maglev -check.v -check.b -check.btime 5s -check.bmem === RUN Test PASS: maglev_test.go:91: MaglevTestSuite.BenchmarkGetMaglevTable 50 341255883 ns/op 1049633800 B/op 12 allocs/op OK: 1 passed --- PASS: Test (17.42s) PASS ok github.com/cilium/cilium/pkg/maglev 17.475s ``` After ``` $ go test -v ./pkg/maglev -check.v -check.b -check.btime 5s -check.bmem === RUN Test PASS: maglev_test.go:91: MaglevTestSuite.BenchmarkGetMaglevTable 50 282792516 ns/op 1057899 B/op 11 allocs/op OK: 1 passed --- PASS: Test (17.89s) PASS ok github.com/cilium/cilium/pkg/maglev 17.943s ``` Suggested-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 February 2021, 12:50:45 UTC
4eb7708 docs: fix llvm git repo and clang folder Fixing with the correct llvm git repo and moving clang folder to allow cmake to work fine Signed-off-by: Sami Yessou <me@sami.pw> 03 February 2021, 11:29:34 UTC
26b33f3 endpoint: Move event start/stop to events.go This is a pure code move, no functional changes. Signed-off-by: Joe Stringer <joe@cilium.io> 03 February 2021, 09:24:06 UTC
60598bc Remove dummy endpoint managers from tests These dummy structures are no longer used after recent refactoring. Signed-off-by: Joe Stringer <joe@cilium.io> 03 February 2021, 09:24:06 UTC
dae07b5 endpointmanager: Remove goroutine for ID release Previously, this code did two things in a separate goroutine: * Release the endpoint ID, a numeric identifier for the endpoint which is allocated in-memory by the Cilium agent * Get the state of the endpoint to decide whether failures to deallocate are worthy of a log message. Given that the endpoint ID allocation is handled in-memory, modulo any potential locking issues, it should be possible to handle deallocation of the endpoint ID within a reasonable period inside the daemon. Until recently, this code would be called while holding the endpoint lock; this would prevent the GetState() call here from grabbing the state to determine whether to log; if this was run in the same goroutine as the outer logic, it would have caused a deadlock. However, now that the locking is changed (and also there is now a SetState() call earlier in this same function which invalidates the check), we can simplify the logging here. Signed-off-by: Joe Stringer <joe@cilium.io> 03 February 2021, 09:24:06 UTC
eb3f3b5 endpointmanager: Reorganize endpoint delete locking Prior to this commit, endpoint deletion was organized like this: 1. Grab the Endpoint lock, 2. Stop all event-processing goroutines, 3. Deregister the endpoint from the EndpointManager, thereby hiding the endpoint from other subsystems, 4. Clean up the rest of the endpoint state on the filesystem etc., 5. Then notifies the monitor of the endpoint deletion. 6. Release lock This commit aims to flip this the other way so that first, endpoint deletion is triggered through EndpointManager.RemoveEndpoint() which: 1. Grabs the EndpointManager lock, 2. Deregisters the endpoint from the EndpointManager, 3. Stops all event-processing goroutines, 4. Clean up the rest of the endpoint state on the filesystem etc., 5. Then notifies the monitor of the endpoint deletion. 6. Release lock e.aliveCancel() is a CancelFunc and hence is idempotent, so safe to call outside of holding the Endpoint lock (multiple times doesn't matter). Signed-off-by: Joe Stringer <joe@cilium.io> 03 February 2021, 09:24:06 UTC
64e1094 endpoint: Refactor RemoveEndpoint() to manager Shift the core entrypoint into the package code for endpoint deletion away from the Endpoint package into the EndpointManager. No functional changes. Signed-off-by: Joe Stringer <joe@cilium.io> 03 February 2021, 09:24:06 UTC
6046592 endpoint: Move endpoint.Unexpose to EndpointManager This commit moves the logic for unexposing an endpoint from the manager into the endpointmanager package without changing any of the locking logic, so that the next commit will have fewer changes to better emphasize the changes in locking behaviour. Signed-off-by: Joe Stringer <joe@cilium.io> 03 February 2021, 09:24:06 UTC
a09ab3a endpoint: Move endpoint.Expose to EndpointManager The EndpointManager, as its name suggests, is intended to handle the management of endpoints: Addition, deletion, etc. Due to ~historic reasons~, up until now the code to handle exposing the endpoint to other subsystems in Cilium was encoded inside the endpoint package, and the endpoint manager was passed down to the endpoint to facilitate this. This commit flips this around, such that the EndpointManager is now in charge, and it calls enough logic in the Endpoint to prepare it to handle events from the rest of the system, then subsequently exposes the endpoint in the manager to allow other subsystems to find it. Signed-off-by: Joe Stringer <joe@cilium.io> 03 February 2021, 09:24:06 UTC
9211caa endpointmanager: Stop() handling events before Unexpose() The Unexpose() function that this is being factored out of is only called from two places: Endpoint.Delete() which already calls Endpoint.Stop(), and EndpointManager.WaitEndpointRemoved() which waits for this goroutine to complete. Endpoint.Stop() itself performs the two steps being refactored here, plus one extra step: closeBPFProgramChannel() which idempotently preempts ongoing builds. Due to the idempotent nature of Stop() and the fact that EndpointManager.WaitEndpointRemoved() is waiting on the results of the Endpoint.Stop() anyway, we are safe to rearrange the ordering of these steps here. Furthermore, EndpointManager.WaitEndpointRemoved() is only used from unit tests so the runtime impact of this should be zero. Signed-off-by: Joe Stringer <joe@cilium.io> 03 February 2021, 09:24:06 UTC
e254833 endpoint: Refactor identifiers to separate files To assist the sharing of code and appropriate locking access, move this code around such that there is a dedicated endpointid.Identifiers type to collect Identifiers for endpoint, such as the Cilium Endpoint ID, container ID, k8s namespace/name, etc. Furthermore, move the access and handling of these types all to a single file so they're in one place rather than spread across multiple files. Signed-off-by: Joe Stringer <joe@cilium.io> 03 February 2021, 09:24:06 UTC
1b1686b daemon: Extend Endpoint related interfaces External plugins can use these interfaces to get Endpoint state. Signed-off-by: Aditi Ghag <aditi@cilium.io> 03 February 2021, 09:22:27 UTC
935ca28 test: Refactor interface implementation Embed interface into a mock so that all the methods are inherited, and only the relevant methods can be implemented in tests in order to override real code. Signed-off-by: Aditi Ghag <aditi@cilium.io> 03 February 2021, 09:22:27 UTC
f513477 lbmap: Initialize maps before test suite runs This commit adds the missing initialization needed for BPF maps à la d9fa628ea ("daemon, lbmap: Avoid premature init of BPF maps"). This fixes the following test failure in the privileged tests: ``` $ sudo -E make -j $(nproc) TESTPKGS=pkg/maps/lbmap tests-privileged ... === RUN Test START: maglev_test.go:43: MaglevSuite.SetUpSuite PASS: maglev_test.go:43: MaglevSuite.SetUpSuite 0.000s START: maglev_test.go:73: MaglevSuite.TestInitMaps level=info msg="Deleting Maglev outer map due to different M or empty map" bpfMapName=cilium_lb4_maglev subsys=map-lb level=info msg="Deleting Maglev outer map due to different M or empty map" bpfMapName=cilium_lb4_maglev subsys=map-lb level=info msg="Deleting Maglev outer map due to different M or empty map" bpfMapName=cilium_lb4_maglev subsys=map-lb ... Panic: runtime error: invalid memory address or nil pointer dereference (PC=0x4399D8) /usr/lib/go/src/runtime/panic.go:969 in gopanic /usr/lib/go/src/runtime/panic.go:212 in panicmem /usr/lib/go/src/runtime/signal_unix.go:742 in sigpanic /home/chris/code/cilium/cilium/pkg/bpf/map_linux.go:464 in Map.OpenOrCreate lbmap.go:551 in updateServiceEndpoint lbmap.go:119 in LBBPFMap.UpsertService maglev_test.go:103 in MaglevSuite.TestInitMaps /usr/lib/go/src/reflect/value.go:337 in Value.Call /usr/lib/go/src/runtime/asm_amd64.s:1374 in goexit PANIC: maglev_test.go:73: MaglevSuite.TestInitMaps OOPS: 0 passed, 1 PANICKED --- FAIL: Test (0.11s) FAIL coverage: 10.4% of statements in github.com/cilium/cilium/pkg/maps/lbmap FAIL github.com/cilium/cilium/pkg/maps/lbmap 0.123s FAIL make: *** [Makefile:146: tests-privileged] Error 1 ``` Fixes: d9fa628ea Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 February 2021, 09:13:11 UTC
1d3cc9c build(deps): bump github.com/go-openapi/runtime from 0.19.24 to 0.19.26 Bumps [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) from 0.19.24 to 0.19.26. - [Release notes](https://github.com/go-openapi/runtime/releases) - [Commits](https://github.com/go-openapi/runtime/compare/v0.19.24...v0.19.26) Signed-off-by: dependabot[bot] <support@github.com> 03 February 2021, 09:11:03 UTC
67dc983 routing: Fix route collisions in AWS ENI [ upstream commit 332a3fd41; forward-ported from v1.7 tree ] This commit fixes a potential route collision in AWS ENI IPAM modes, where the ifindex could equal the main routing table ID (from 253-255) [1], causing traffic to be subject to these routes incorrectly. This is admittedly rare, but we've seen this from a user report. The impact is that most traffic on the node is suddenly blackholed. To fix this, we say that each device or interface (ENI) will have their own dedicated routing table. The table ID will start with an offset of 10 because it is highly unlikely to collide with the main routing table ID (from 253-255). We grab the number associated with the ENI device (`Number`) and add the offset. For example, if we have an ENI device "eni-0" which has a `Number` of 5, then the table ID will be 10 + 5 = 15. Another important piece to note is that only the egress rule will reside inside the per-device tables, whereas the ingress rule will stay in the main routing table. This is because we want the main routing table to hold the routes to the endpoint. Moving forward, the ENI datapath will now create rules under a new egress priority value (RulePriorityEgressv2), as long as the egress-multi-home-ip-rule-compat flag is false. If it's true, then the datapath will create rules under the original egress priority value (RulePriorityEgress). This helps disambiguate when running with the older or newer ENI datapath. See https://github.com/cilium/cilium/issues/14336. [1]: See ip-route(8) Reported-by: Vlad Ungureanu <vladu@palantir.com> Suggested-by: Joe Stringer <joe@cilium.io> Suggested-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 February 2021, 02:46:33 UTC
0d9dbc2 routing: Add ENI route table migration logic [ upstream commit 1b9ed4452; forward-ported from v1.7 tree ] This commit will fixup the ENI datapath depending on the egress-multi-home-ip-rule-compat flag (see previous commits for context). The migration logic supports both upgrading and downgrading the ENI datapath. This logic must run on startup before the API is served and before the health endpoint is created, so that no endpoints are prematurely created before Cilium has had the chance to migrate the entire datapath. See https://github.com/cilium/cilium/issues/14336. Suggested-by: Joe Stringer <joe@cilium.io> Suggested-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 February 2021, 02:46:33 UTC
1374e3b daemon: Auto-set egress-multi-home-ip-rule-compat for Azure This is required because the Azure IPAM datapath does not yet support the new scheme that the ENI IPAM datapath now supports (see earlier commits). The motivation is to make it impossible for Azure users to accidentally (or otherwise) set this flag to false, which would break the Azure datapath. Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 February 2021, 02:46:33 UTC
6dfe032 revert: Add ability to extend the revert stack [ upstream commit db23c506f; forward-ported from v1.7 tree ] This is useful to aggregate the items to revert in one stack, so that it can all be done at once. Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 February 2021, 02:46:33 UTC
10b2074 linux_defaults: Add RouteTableInterfacesOffset [ upstream commit e0525602b; forward-ported from v1.7 tree ] This new value is the table ID for the per-ENI routing tables in the new ENI datapath. Upcoming commits will use this value and implement the new datapath. See https://github.com/cilium/cilium/issues/14336. Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 February 2021, 02:46:33 UTC
5988258 linux_defaults: Add RulePriorityEgressv2 [ upstream commit aec2d8f24; forward-ported from v1.7 tree ] This new priority value is vital for disambiguating which rules are still under the old scheme. Without this, upgrading to the new scheme would be difficult, as we aren't able to identify which rules have been fixed up [1]. Furthermore, this would also allow us to enable downgrades from the new scheme, because we would be able to identify which rules need to be modified. [1]: https://github.com/cilium/cilium/issues/14336 Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 February 2021, 02:46:33 UTC
4d50ae7 cni, routing: Plumb interface number [ upstream commit b86bf9368; forward-ported from v1.7 tree ] In the previous commit, we added the interface number to the IPAM response for ENI mode. This commit plumbs this new field into the CNI to set up the ENI datapath. Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 February 2021, 02:46:33 UTC
269da55 datapath, cni: Refactor masquerade parameter Previously, we required `masquerade` to be passed in as a parameter in multiple places, rather than passing it in once and storing it in `RoutingInfo`. This commit refactors the code to do as such. Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 February 2021, 02:46:33 UTC
ff6b5ff api: Extend IPAM to accept interface number [ upstream commit a5d696a4e; forward-ported from v1.7 tree ] This is needed in ENI mode. In upcoming commits, the interface number (ENI.Number) will be used to compute the per-ENI table ID in order to store rules and routes for the ENI datapath. Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 February 2021, 02:46:33 UTC
f06341f api: Expose egress-multi-home-ip-rule-compat flag [ upstream commit d5ad26c10; forward-ported from v1.7 tree ] This is important for use in the CNI to decide whether to use the new ENI datapath (see previous commit for context) or the original datapath. Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 February 2021, 02:46:33 UTC
d022d0b daemon, option: Add flag egress-multi-home-ip-rule-compat [ upstream commit 549c256f9; forward-ported from v1.7 tree ] This flag is needed to control the behavior of Cilium when it starts up under ENI mode. If the flag is false, meaning "do not maintain compatibility", then Cilium will attempt to migrate the ENI datapath (`ip rule`s and routes) created under the aforementioned IPAM mode to a new table ID scheme. The table ID refers to the Linux routing policy database tables, aka "routing table". If the flag is true, meaning "maintain compatibility", then Cilium will not attempt to migrate the ENI datapath under the aforementioned IPAM mode to the new table ID scheme. It will continue to use the original scheme. Additionally, when the flag is true and Cilium finds the rules under the newer scheme (by checking the priority of the rule), it will attempt to migrate back to the original scheme. This allows downgrading Cilium without affecting connectivity. Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 February 2021, 02:46:33 UTC
b7c1d41 routing: Remove unnecessary debug logs from test Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 February 2021, 02:46:33 UTC
b9efe2f routing: Refactor helper to run function in netns [ upstream commit 18da31432; forward-ported from v1.7 tree ] This makes it usable for an upcoming commit which adds a new test suite to this package. Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 February 2021, 02:46:33 UTC
7cdf802 build(deps): bump github.com/onsi/gomega from 1.10.3 to 1.10.5 Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.10.3 to 1.10.5. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.10.3...v1.10.5) Signed-off-by: dependabot[bot] <support@github.com> 02 February 2021, 16:26:57 UTC
45e0b50 build(deps): bump github.com/go-openapi/spec from 0.20.0 to 0.20.2 Bumps [github.com/go-openapi/spec](https://github.com/go-openapi/spec) from 0.20.0 to 0.20.2. - [Release notes](https://github.com/go-openapi/spec/releases) - [Commits](https://github.com/go-openapi/spec/compare/v0.20.0...v0.20.2) Signed-off-by: dependabot[bot] <support@github.com> 02 February 2021, 13:49:53 UTC
2a4d8d1 dependabot: limit number of open PRs to 1 By default, dependabot opens up to 5 PRs for version updates, see https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates#open-pull-requests-limit This can lead to merge conflicts between these PRs (e.g. as recently seen with the openapi updates) and the need to rebase and retest these PRs. In order to simplify the review process and avoid frequent rebases, limit the maximum number of open PRs to 1, so they will keep coming in one at a time. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 02 February 2021, 13:23:51 UTC
e002762 build(deps): bump github.com/go-openapi/validate from 0.20.0 to 0.20.1 Bumps [github.com/go-openapi/validate](https://github.com/go-openapi/validate) from 0.20.0 to 0.20.1. - [Release notes](https://github.com/go-openapi/validate/releases) - [Commits](https://github.com/go-openapi/validate/compare/v0.20.0...v0.20.1) Signed-off-by: dependabot[bot] <support@github.com> 02 February 2021, 13:08:52 UTC
d324be6 build(deps): bump github.com/shirou/gopsutil Bumps [github.com/shirou/gopsutil](https://github.com/shirou/gopsutil) from 2.20.4+incompatible to 2.20.9+incompatible. - [Release notes](https://github.com/shirou/gopsutil/releases) - [Commits](https://github.com/shirou/gopsutil/compare/v2.20.4...v2.20.9) Signed-off-by: dependabot[bot] <support@github.com> 02 February 2021, 12:17:50 UTC
ab24b93 added flag for proxy.prometheus.enabled in helm chart Signed-off-by: yuriydzobak <yurii.dzobak@lotusflare.com> 02 February 2021, 09:25:38 UTC
b0dccb1 operator: use logfields in cilium operator logging Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> 02 February 2021, 09:25:18 UTC
482a639 hubble: Support --{last,since,until} on agent and debug events This commit ensures that the `Number`, `Until` and `Since` filters on the `GetFlowsRequest` are treated the same on agent and debug events as they are on flow events. Previously, the observer API would only stop reading from the ring buffer once it had collected enough flows. All interleaved debug and agent events were returned without proper accounting (assuming they were allowed by the event type filter). This meant that if a request was only requesting agent and/or debug events, it would try to dump all such events in the ring buffer. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 02 February 2021, 09:23:09 UTC
10db8d0 hubble: Rename flowsReader to eventsReader With the introduction of agent and debug events, this reader, while implementing the GetFlows API, actually now returns events which are different from flows. This commit renames the involved types and variables to reflect that. This commit contains no functional changes. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 02 February 2021, 09:23:09 UTC
afa3d67 docs: Updates steps when using submit-backport The submit-backport script takes care of pushing the local branch to the remote repository. So, when using that script, the push step is unnecessary. Signed-off-by: Paul Chaignon <paul@cilium.io> 02 February 2021, 09:22:12 UTC
f818d45 images/runtime: fix loopback CNI installation plugin Fixes: f4dd2d7de1da ("build: New runtime image with multi-platform support") Signed-off-by: André Martins <andre@cilium.io> 02 February 2021, 09:19:59 UTC
cd4e5eb build(deps): bump k8s.io/klog/v2 from 2.4.0 to 2.5.0 Bumps [k8s.io/klog/v2](https://github.com/kubernetes/klog) from 2.4.0 to 2.5.0. - [Release notes](https://github.com/kubernetes/klog/releases) - [Changelog](https://github.com/kubernetes/klog/blob/master/RELEASE.md) - [Commits](https://github.com/kubernetes/klog/compare/v2.4.0...v2.5.0) Signed-off-by: dependabot[bot] <support@github.com> 02 February 2021, 09:19:16 UTC
c7ec844 Update USERS.md Signed-off-by: Mathias Herzog <mathias.herzog@postfinance.ch> 02 February 2021, 09:18:09 UTC
1dbc3c2 Fix wrong url The logs point to a url which was wrong Signed-off-by: Manuel Buil <mbuil@suse.com> 01 February 2021, 20:59:02 UTC
0c760d8 dependabot: ignore ginkgo updates Updating ginkgo to newer versions leads to CI breakages. Ignore updates for now until we have time to investigate these. Also see https://github.com/cilium/cilium/pull/14820#issuecomment-770993659 Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 01 February 2021, 19:41:44 UTC
29d0679 dependabot: disable automatic rebasing of PRs dependabot will automatically rebase PRs by default, however this might interfere with PRs which are currently run through Jenkins CI as the CI jobs might be canceled in the middle of the run and would need to be restarted, potentially wasting a lot of CI cycles. dependabot can still be instructed to rebase PRs manually using `@dependabot rebase` comments if needed. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 01 February 2021, 18:11:43 UTC
fc78909 build(deps): bump k8s.io/apiextensions-apiserver from 0.20.1 to 0.20.2 Bumps [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) from 0.20.1 to 0.20.2. - [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases) - [Commits](https://github.com/kubernetes/apiextensions-apiserver/compare/v0.20.1...v0.20.2) Signed-off-by: dependabot[bot] <support@github.com> 01 February 2021, 17:46:36 UTC
c6048b1 build(deps): bump k8s.io/client-go from 0.20.1 to 0.20.2 Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.20.1 to 0.20.2. - [Release notes](https://github.com/kubernetes/client-go/releases) - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](https://github.com/kubernetes/client-go/compare/v0.20.1...v0.20.2) Signed-off-by: dependabot[bot] <support@github.com> 01 February 2021, 17:04:31 UTC
90f1618 Modified path of fuzzer Signed-off-by: AdamKorcz <adam@adalogics.com> 01 February 2021, 16:28:55 UTC
868604c build(deps): bump k8s.io/apimachinery from 0.20.1 to 0.20.2 Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.20.1 to 0.20.2. - [Release notes](https://github.com/kubernetes/apimachinery/releases) - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.20.1...v0.20.2) Signed-off-by: dependabot[bot] <support@github.com> 01 February 2021, 16:25:46 UTC
8c3f76f CODEOWNERS: assign @bpf to pkg/ebpf Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 01 February 2021, 12:30:52 UTC
3196057 tests: add CLI test for cilium bpf metrics list command Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 01 February 2021, 12:30:52 UTC
922ef3f metricsmap: don't serialize keys/values into a string There's no need to serialize the keys and values of the metrics map into a string since the only consumer of that data is the "bpf metrics list" command, which has to deserialize the data in order to use it anyway. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 01 February 2021, 12:30:52 UTC
464e618 metricsmap: switch to cilium/ebpf to access BPF map Switch the maps/metricsmap package to cilium/ebpf (or more precisely, the ebpf package) to access the BPF metrics map. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 01 February 2021, 12:30:52 UTC
a18f01d Add initial ebpf package implementation This package is a wrapper around cilium/ebpf. It currently implements a minimal set of the bpf package (while still relying on that) to allow the migration of the maps/metricsmap package to cilium/ebpf. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 01 February 2021, 12:30:52 UTC
f9846c8 Helm: Respect serviceAccounts.*.create value We are currently deploying the cilium-operator serviceAccount by only following the global operator.enabled value. The serviceAccounts.operator.create has no impact on the creation of the serviceAccount. Fixes: #14681 Signed-off-by: Youssef Azrak <yazrak.tech@gmail.com> 01 February 2021, 09:15:16 UTC
90ad56f allocator: Quieten local key allocation logging These logs were intended for developer use and are not important for user logging[0], reduce the logging level to Debug. [0] https://github.com/cilium/cilium/pull/12313#discussion_r566581165 Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2021, 15:57:11 UTC
41b22c9 all: bump Alpine base image to 3.13.1 and add meta image SHA256 sum Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 30 January 2021, 15:52:06 UTC
d617f73 dependabot: ignore grpc and miekg/dns updates We cannot update the grpc beyond 1.29.1 until we bump etcd to 3.04, see https://github.com/cilium/cilium/pull/13405#issuecomment-704766707, https://github.com/etcd-io/etcd/issues/12124 and https://github.com/cilium/cilium/pull/14787#issuecomment-769681327 for more information. We also ignore github.com/miekg/dns because we use our own fork of it via replace and it seems the long-term plan is to replace the DNS proxy with Envoy, see https://github.com/cilium/cilium/pull/14790#issuecomment-769738905 Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 30 January 2021, 15:50:50 UTC
011fbdf build(deps): bump github.com/Azure/go-autorest/autorest/azure/auth Bumps [github.com/Azure/go-autorest/autorest/azure/auth](https://github.com/Azure/go-autorest) from 0.5.5 to 0.5.6. - [Release notes](https://github.com/Azure/go-autorest/releases) - [Changelog](https://github.com/Azure/go-autorest/blob/master/CHANGELOG.md) - [Commits](https://github.com/Azure/go-autorest/compare/autorest/azure/auth/v0.5.5...autorest/azure/auth/v0.5.6) Signed-off-by: dependabot[bot] <support@github.com> 30 January 2021, 15:46:13 UTC
80b265c expand description of IPSec configuration format and encryption options Signed-off-by: Andrey Devyatkin <andrey.devyatkin@fivexl.io> 30 January 2021, 15:36:59 UTC
84a181d Adding labels k8s-app and io.cilium/app to the scraped prometheus metrics of cilium agent and cilium operator respectively Signed-off-by: Livingstone S E <livingstone.s.e@gmail.com> 30 January 2021, 15:36:32 UTC
cac5218 datapath: remove SNAT maps entries when kube-proxy is enabled This patch removes SNAT maps entries to support the case when the user toggles off from using BPF to kube-proxy. Fixes: #13835 Signed-off-by: Salvatore Mazzarino <salvatore@accuknox.com> 30 January 2021, 15:15:11 UTC
185bd4e doc: Update AUTHORS file Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 30 January 2021, 15:11:17 UTC
e0b41fe arping: Improve response correlation The arping library sends ARP requests via a raw socket (proto set to ARP). It means that the socket can receive any ARP packet. Previously, the library was filtering responses based on whether a packet is ARP response AND response source IP addr == arpinged IP addr. Improve the filter by adding a check whether destination IP addr == ARP request source IP addr. Signed-off-by: Martynas Pumputis <m@lambda.lt> 30 January 2021, 15:07:52 UTC
a8441fa node-neigh: Unconditionally remove neigh entry from BPF map Otherwise, we risk to silently blackhole packets instead of emitting DROP_NO_FIB when inserting a neigh via netlink fails. Signed-off-by: Martynas Pumputis <m@lambda.lt> 30 January 2021, 15:07:52 UTC
fea84ed node-neigh: Fix insertNeighbor logging - Use "node-neigh" subsystem field to better identify sometimes cryptic arping related warnings. - Set proper IP addr for nexthop. Signed-off-by: Martynas Pumputis <m@lambda.lt> 30 January 2021, 15:07:52 UTC
ff6c8a6 node-neigh: Do not refresh neighbors if node is not ready Wait until the node is initialized. When it's not, insertNeighbor() is not called, thus there are no neighbor entries to be refreshed. Signed-off-by: Martynas Pumputis <m@lambda.lt> 30 January 2021, 15:07:52 UTC
549ee71 node-neigh: Merge {insert,refresh}Neighbor() This commit fixes two issues via refactoring. Previously, refreshNeighbor() was very similar to insertNeighbor(). This commit refactors insertNeighbor() so that it can be invoked by refreshNeighbor(), and thus DRY. Besides refactoring, this commit fixes the following issues: - The linuxNodeHandler.mutex is being held during the whole insertNeighbor() execution. Previously, refreshNeighbor() took the lock twice which opened a window for a race when n.neighByNextHop[nextHopStr] could have been set to an obsolete neigh if insertNeighbor() and refreshNeighbor() were executed at the same time. Also, the old arping library sends requests via a raw socket, so it might mix responses resulting in mixed neigh entries (will be fixed and explained in a separate PR). - refreshNeighbor() won't increment the refcount. We expect insertNeighbor() to do so. Otherwise, we risk with both methods incrementing. Fixes: 5ec4d51f980 ("daemon, node: refresh neighbor by sending arping periodically") Signed-off-by: Martynas Pumputis <m@lambda.lt> 30 January 2021, 15:07:52 UTC
0483ba0 node-neigh: Do not inc neighbor refcount for the same node (*linuxNodeHandler).NodeUpdate() can be called multiple times for the same remote node. This could lead to the neighbor refcount being incremented if the nextHop of the node had not changed. The consequence of the invalid refcount is that upon (*linuxNodeHandler).NodeDelete(), a related neighbor entry might not be deleted. Fix this by checking whether the node has been previously considered for arpinging. An alternative solution would be to pass the firstAddition param to insertNeighbor(). However, as we are going to merge refreshNeighbor(), the taken approach is more robust and requires less assertions in the upcoming merged method. Fixes: 6c06c51926b ("node: Remove permanent ARP entry when remote node is deleted") Signed-off-by: Martynas Pumputis <m@lambda.lt> 30 January 2021, 15:07:52 UTC
e1066a7 crypto/certloader: fix tests comparing crypto/x509.CertPool for Go 1.16 Using Go 1.16rc1, the tests in crypto/certloader comparing x509.CertPool fail due to the fact that certs are loaded lazily now (see https://golang.org/cl/229917 for details) and internal state of the compared CertPools thus differing despite containing the same certs. To fix this, instead of comparing the complete CertPool objects including unexported internal state, compare them using the DER-encoded certs as returned by the Subjects method. This is all the tests should really care about. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 29 January 2021, 15:24:23 UTC
4cc699d install/kubernetes: set k8s min version manually With helm 3.5.0, the default k8s version set was bumped to 1.20.0. Because of this, when generating k8s manifests all the logic designed to handle the behavior on different k8s versions defaults to 1.20.0, which is not the minimal k8s version that Cilium supports. Thus, this commit sets the minimal k8s version that Cilium supports by passing values when generating the quick-install*.yaml files. The user, when installing Cilium with helm, will not be affected since the charts will still default to the values provided by the k8s version of the cluster into which helm is installing Cilium. Signed-off-by: André Martins <andre@cilium.io> 29 January 2021, 12:48:02 UTC
986a1af Agent: consistent 'containerID' field in the log of the requests EP-delete and EP-create Previously, it was difficult to find creates and deletes based on container ID due to non-consistent container ID field in the log: 'EP create' used short-form container ID, 'EP delete' used standard form. For example: 'EP create': level=info msg="New endpoint" containerID=77ce9db8c9 datapathPolicyRevision=0 desiredPolicyRevision=0 endpointID=3100 identity=5 ipv4=172.18.12.151 ipv6= k8sPodName=default/pod subsys=endpoint vs 'EP delete': level=info msg="Delete endpoint request" id="container-id:7eab59b2e768e9845af3988be879558186e3215e018577c139a3405cbd424e37" subsys=daemon This patch fixes it: 'EP delete' uses short-form container ID as 'EP create'. Fixes: #13658 Signed-off-by: Roman Ptitcyn <romanspb@yahoo.com> 29 January 2021, 08:57:25 UTC
c8aa15b build(deps): bump github.com/go-openapi/strfmt from 0.19.11 to 0.20.0 Bumps [github.com/go-openapi/strfmt](https://github.com/go-openapi/strfmt) from 0.19.11 to 0.20.0. - [Release notes](https://github.com/go-openapi/strfmt/releases) - [Commits](https://github.com/go-openapi/strfmt/compare/v0.19.11...v0.20.0) Signed-off-by: dependabot[bot] <support@github.com> 29 January 2021, 08:55:54 UTC
1f55af1 build(deps): bump k8s.io/code-generator from 0.20.1 to 0.20.2 Bumps [k8s.io/code-generator](https://github.com/kubernetes/code-generator) from 0.20.1 to 0.20.2. - [Release notes](https://github.com/kubernetes/code-generator/releases) - [Commits](https://github.com/kubernetes/code-generator/compare/v0.20.1...v0.20.2) Signed-off-by: dependabot[bot] <support@github.com> 29 January 2021, 08:55:40 UTC
1fbd25a build(deps): bump github.com/stretchr/testify from 1.6.1 to 1.7.0 Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.6.1 to 1.7.0. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](https://github.com/stretchr/testify/compare/v1.6.1...v1.7.0) Signed-off-by: dependabot[bot] <support@github.com> 29 January 2021, 08:55:29 UTC
dc0841e contrib: Add script to fetch docker manifests This script pulls all of the tagged cilium images from docker.io and quay.io and fetches the official manifests from the images, and generates text output for adding to the github release announcement to allow users to use and/or audit the docker digests that are deployed in the cluster. Signed-off-by: Joe Stringer <joe@cilium.io> 28 January 2021, 20:02:01 UTC
d9fa628 daemon, lbmap: Avoid premature init of BPF maps There is a flag called `--bpf-lb-map-max` that controls the maximum number of entries in BPF LB maps. When this is set, it updates `lbmap.MaxEntries` which is a package-level variable. All LB maps use this variable to configure their maximum size. However, due to `bpf.NewMap()` being called at the package-level (to initialize "cilium_lb4_services_v2", "cilium_lb4_backends", etc.) because it's in a `var()` block, `lbmap.MaxEntries` has not been updated yet with the value passed from the aforementioned flag. Ultimately, this means that the flag was never respected, meaning the user was never able to change the maximum size of their BPF LB maps. The reason `lbmap.MaxEntries` wasn't updated is because Golang will initialize variables defined in the `var()` block as soon as the package is imported, aka before `main()` [1]. In this case, whenever the `lbmap` package was first imported, then the call to `bpf.NewMap()` was made with the yet-to-be updated `lbmap.MaxEntries`. Only after this has happened (`main()` begins execution), then Cilium will eventually get to reading the flag value and updating `lbmap.MaxEntries`. This commit avoids the initialization at the `var()` block and instead defines explicit initialization functions to be called when appropriate, in this case, after reading the flag and updating `lbmap.MaxEntries`, inside `lbmap.Init()`. This was found by running scale tests against the service code, e.g. creating 1000+ backends per service. The following error was observed and has been fixed with this commit: ``` [PUT /service/{id}][500] putServiceIdFailure Unable to update service entry 1.1.0.131:36895 => 2871 (37415) [FLAGS: 0x0]: Unable to update element for map with file descriptor 14: argument list too long ``` [1]: See below for excerpt. 
Source: https://golang.org/ref/spec#Program_initialization_and_execution Within a package, package-level variable initialization proceeds stepwise, with each step selecting the variable earliest in declaration order which has no dependencies on uninitialized variables. [...] A package with no imports is initialized by assigning initial values to all its package-level variables followed by calling all init functions in the order they appear in the source, possibly in multiple files, as presented to the compiler. If a package has imports, the imported packages are initialized before initializing the package itself. If multiple packages import a package, the imported package will be initialized only once. The importing of packages, by construction, guarantees that there can be no cyclic initialization dependencies. Package initialization—variable initialization and the invocation of init functions—happens in a single goroutine, sequentially, one package at a time. An init function may launch other goroutines, which can run concurrently with the initialization code. However, initialization always sequences the init functions: it will not invoke the next one until the previous one has returned. Signed-off-by: Chris Tarazi <chris@isovalent.com> 28 January 2021, 17:28:51 UTC
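The initialization-order pitfall described in commit d9fa628 above, as an added Go example that is not Cilium's code: a map sized in a package-level `var` is built before `main()` parses any flag, while a map built in an explicit `Init()` sees the flag value. The `bpfMap` type, `newMap`, `parseMax`, `run`, the map names and the default of 65536 are hypothetical stand-ins; only the flag name `--bpf-lb-map-max` and the `MaxEntries`/`Init()` roles come from the commit message.

```go
package main

import (
	"flag"
	"fmt"
)

// bpfMap is a hypothetical stand-in for a map handle whose size is fixed at creation.
type bpfMap struct {
	Name       string
	MaxEntries int
}

func newMap(name string, maxEntries int) *bpfMap {
	return &bpfMap{Name: name, MaxEntries: maxEntries}
}

// MaxEntries plays the role of lbmap.MaxEntries: a package-level default
// that a command-line flag is supposed to override (default is constructed).
var MaxEntries = 65536

// Before the fix: this initializer runs during package initialization,
// i.e. before main() has parsed flags, so it always sees the default.
var eagerServices = newMap("services_eager", MaxEntries)

// After the fix: the map is only declared here and created in Init().
var lazyServices *bpfMap

// Init is called once the flag value is known.
func Init(maxEntries int) {
	MaxEntries = maxEntries
	lazyServices = newMap("services_lazy", MaxEntries)
}

// parseMax reads --bpf-lb-map-max from args, falling back to the default.
func parseMax(args []string) (int, error) {
	fs := flag.NewFlagSet("agent", flag.ContinueOnError)
	max := fs.Int("bpf-lb-map-max", MaxEntries, "maximum number of LB map entries")
	if err := fs.Parse(args); err != nil {
		return 0, err
	}
	return *max, nil
}

// run mimics agent start-up and returns the size each map ended up with.
func run(args []string) (eager, lazy int, err error) {
	n, err := parseMax(args)
	if err != nil {
		return 0, 0, err
	}
	Init(n)
	return eagerServices.MaxEntries, lazyServices.MaxEntries, nil
}

func main() {
	eager, lazy, err := run([]string{"--bpf-lb-map-max=1000000"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("var-block map: %d entries, Init() map: %d entries\n", eager, lazy)
}
```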
f71bc25 ci/dependabot: fix labels A `release-note/` label is required and `enhancement` does not exist (but there's `kind/enhancement` instead). Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 28 January 2021, 17:21:25 UTC
53d4147 vagrant: bump box versions These new box images include Go 1.15.7 (cilium/packer-ci-build#249) and pre-pull all Docker images which are currently used to build and test Cilium (cilium/packer-ci-build#249 and cilium/packer-ci-build#250). Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 28 January 2021, 12:48:51 UTC
fb6697c docker: Pre-pull images correctly Docker buildkit sometimes fails to actually pull images referenced on FROM lines. We mitigate for this by pre-pulling all images before docker build. A recent change to allow for multi-arch image builds caused cilium-builder image to not be pre-pulled due to additional filtering of Dockerfiles. Fix this by scanning the FROM lines from the original dockerfiles instead of the generated ones. Fixes: #14208 Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 28 January 2021, 12:41:51 UTC
57a4831 datapath/linux: Fix clang version regex check This fixes the following error when the machine has clang 11.0.1 installed: ``` level=info msg="Cilium 1.9.90 0bffe8b39 2021-01-26T11:16:34+01:00 go version go1.15.7 linux/amd64" subsys=daemon level=info msg="Envoy version check disabled" subsys=daemon level=fatal msg="clang: NOT OK" error="Invalid character(s) found in patch number \"1\\nTarget:\"" subsys=linux-datapath ``` The issue was that the regex pattern was matching only against " " and not any other kind of whitespace, especially newlines. Changing the regex to match against all whitespace, including newlines, the pattern is able to stop the match at the correct spot. The output it was trying to match against was: ``` clang version 11.0.1 Target: x86_64-pc-linux-gnu Thread model: posix InstalledDir: /usr/bin ``` Signed-off-by: Chris Tarazi <chris@isovalent.com> 28 January 2021, 12:41:37 UTC
e69af83 Update stable releases Signed-off-by: Joe Stringer <joe@cilium.io> 28 January 2021, 12:41:25 UTC
7c6dff7 Doc: Add note to open tcp:4244 for Hubble Relay Hubble Relay will fail to connect to peers if a host firewall is blocking tcp:4244. The documentation should contain a heads-up/note about this so that users using a host firewall don't forget to open tcp:4244 when enabling Hubble Relay. Fixes: #14402 Signed-off-by: Youssef Azrak <yazrak.tech@gmail.com> 28 January 2021, 12:41:13 UTC
28a8b47 vendor: Update sigs.k8s.io/structured-merge-diff/v4 This updates the dependency to 9f9c77085dec, as it was previously a temporary fork. This includes the fix to https://github.com/kubernetes-sigs/structured-merge-diff/pull/173. At the time of this commit, there hasn't been a release made including this fix, so we are explicitly using the latest commit. Signed-off-by: Chris Tarazi <chris@isovalent.com> 28 January 2021, 12:41:03 UTC
dd59d1f health: Disable routing in BPF when per-endpoint routes are enabled This commit fixes a datapath configuration discrepancy between the health endpoint and other endpoints. ENABLE_ROUTING should be undefined if per-endpoint routes are enabled [1]; for the health endpoint, the macro is defined regardless of the settings. Quite surprisingly, I'm not aware of any bug caused by this oversight, although it probably requires one more template and full compilation than necessary when per-endpoint routes are enabled. 1 - https://github.com/cilium/cilium/blob/e463cfe80102486d1a3423b77f9c54afd0be94a2/daemon/cmd/endpoint.go#L309-L327 Signed-off-by: Paul Chaignon <paul@cilium.io> 28 January 2021, 12:40:50 UTC
287e888 Bump alpine base image to 3.13.0 Consistently use the explicit stable 3.13.0 version tag rather than the rolling 3.13. Suggested-by: Alexandre Perrin <alex@kaworu.ch> Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 28 January 2021, 10:23:22 UTC
a9325ce install/kubernetes: add cni.exclusive Helm flag This exposes auto-management of the /etc/cni/net.d directory to the end user to allow Cilium to be used with CNI managers like CNI-Genie. Also document this as a breaking change to be released in 1.10. Signed-off-by: Timo Beckers <timo@isovalent.com> 27 January 2021, 16:48:16 UTC
226af4b plugins/cilium-cni: cni-install - document CILIUM_CUSTOM_CNI_CONF purpose Signed-off-by: Timo Beckers <timo@isovalent.com> 27 January 2021, 16:48:16 UTC
86e22e6 cmd/cleanup: add long description to cilium cleanup command Signed-off-by: Timo Beckers <timo@isovalent.com> 27 January 2021, 16:48:16 UTC
fa8554c plugins/cilium-cni: clean up Cilium CNI configs on start/stop The uninstall script cleans up CNI binaries, but not the CNI config(list)s pointing to them. This causes kubelet to spam the following log output: ``` Error validating CNI config list {.. full cni config here ...}: [failed to find plugin "cilium-cni" in path [/opt/cni/bin]] ``` This commit cleans up CNI configs containing 'cilium' in the host's CNI config directory when the Cilium agent is stopped. This cleanup was previously omitted to prevent Pods from being scheduled by other CNI plugins during a Cilium upgrade (when the agent is down). It turns out that, since we remove the CNI binary during agent shutdown, the Cilium CNI plugin is simply skipped, and Pod creation continues using the node/cloud's next working CNI plugin. A similar generic removal step was also added during CNI installation to prevent backing up old Cilium CNI configs that would later be incorrectly restored by the `cilium cleanup` command. Fixes https://github.com/cilium/cilium/issues/13152. Signed-off-by: Timo Beckers <timo@isovalent.com> 27 January 2021, 16:48:16 UTC
2cd4705 plugins/cilium-cni: make Cilium's CNI conf the only one available The initial implementation of CNI in Kubelet was made by checking for a valid configuration file, *.conf, in the configuration directory, which has the default of /etc/cni/net.d. This behavior allowed Cilium to be safely upgraded while other CNI configuration files were available as Kubelet would keep retrying Cilium’s configuration file until the Cilium CNI binary was available, since this binary is removed and re-added for each upgrade. Unfortunately, this behavior has changed and Kubelet now picks the first valid CNI configuration file with a valid CNI binary. In a machine where multiple CNI configuration files are available, this might cause issues during a Cilium upgrade where Kubelet will use a different CNI plugin, for application pods, causing those application pods to never be managed by Cilium. To avoid this issue this commit changes the file extension of existing non-Cilium CNI configuration files from *.conf and *.conflist to *.conf.cilium_bak and *.conflist.cilium_bak respectively. These files will be reverted when the user wants to explicitly uninstall Cilium by performing a cilium cleanup command in the host. Since Kubelet only checks for the presence of *.conf and *.conflist it will not consider any other CNI configuration when setting up the application pods. This new behavior can be reverted by passing `--backup-cni-conf=false` to the postStart exec command in Cilium's DaemonSet. Tested locally: ``` $ minikube start --network-plugin=cni --memory=4096 && minikube ssh -- sudo mount bpffs -t bpf /sys/fs/bpf docker@minikube:~$ ls -la /etc/cni/net.d/ total 48 drwxr-xr-x. 1 root root 4096 Nov 26 21:07 . drwxr-xr-x. 1 root root 4096 Aug 25 22:55 .. -rw-r--r--. 1 root root 438 Jul 29 11:12 100-crio-bridge.conf -rw-r--r--. 1 root root 54 Jun 22 18:23 200-loopback.conf -rw-r--r--. 
1 root root 639 May 25 2020 87-podman-bridge.conflist docker@minikube:~$ ls -la /etc/cni/net.d/ total 52 drwxr-xr-x. 1 root root 4096 Nov 26 21:07 . drwxr-xr-x. 1 root root 4096 Aug 25 22:55 .. -rw-r--r--. 1 root root 97 Nov 26 21:07 05-cilium.conf -rw-r--r--. 1 root root 438 Jul 29 11:12 100-crio-bridge.conf.cilium_bak -rw-r--r--. 1 root root 54 Jun 22 18:23 200-loopback.conf.cilium_bak -rw-r--r--. 1 root root 639 May 25 2020 87-podman-bridge.conflist.cilium_bak docker@minikube:~$ ls -la /etc/cni/net.d/ total 52 drwxr-xr-x. 1 root root 4096 Nov 26 21:07 . drwxr-xr-x. 1 root root 4096 Aug 25 22:55 .. -rw-r--r--. 1 root root 97 Nov 26 21:07 05-cilium.conf -rw-r--r--. 1 root root 438 Jul 29 11:12 100-crio-bridge.conf.cilium_bak -rw-r--r--. 1 root root 54 Jun 22 18:23 200-loopback.conf.cilium_bak -rw-r--r--. 1 root root 639 May 25 2020 87-podman-bridge.conflist.cilium_bak docker@minikube:~$ ls -la /etc/cni/net.d/ total 52 drwxr-xr-x. 1 root root 4096 Nov 26 21:07 . drwxr-xr-x. 1 root root 4096 Aug 25 22:55 .. -rw-r--r--. 1 root root 438 Jul 29 11:12 100-crio-bridge.conf -rw-r--r--. 1 root root 54 Jun 22 18:23 200-loopback.conf -rw-r--r--. 1 root root 639 May 25 2020 87-podman-bridge.conflist ``` Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Timo Beckers <timo@isovalent.com> 27 January 2021, 16:48:16 UTC
4cf4951 cmd/cleanup: remove 05-cilium.conf The 05-cilium.conf file is the default file used for CNI configuration, this file should also be removed as part of the cleanup sub-command. Signed-off-by: André Martins <andre@cilium.io> 27 January 2021, 16:48:16 UTC
cc12ccc bpf: Send packet drop notify for ipv6 lb nat mode failures. Same change for ipv4 was added in commit 8d575af1b8. This patch ensures the consistent behavior for ipv6. Signed-off-by: Han Zhou <hzhou8@ebay.com> 26 January 2021, 22:24:27 UTC
0bffe8b docs: Rename priority/release-blocker to release-blocker/1.X Moving forward, the priority/release-blocker label is replaced by release-blocker/1.X labels, specific to each minor version. Signed-off-by: Paul Chaignon <paul@cilium.io> 26 January 2021, 18:46:27 UTC
7e0cb33 bpf: do not enable host routing when kpr is disabled Given we rely on this for the case where kpr is enabled, we must strictly disable host routing for the case when not. Fixes: b9e44f3feec5 ("bpf: optimize datapath through host netns") Reported-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 26 January 2021, 18:28:15 UTC
08a14ad test: Respect cilium.holdEnvironment on DNS check The DNS check is one of the first things we check when starting a new test. As such, the following error is common in CI and local tests. Kubernetes DNS did not become ready in time In local tests however, when -cilium.holdEnvironment=true, the tests don't pause after such failures. That is because we fail the test with ginkgo.Fail instead of our wrapper function helpers.Fail. This commit fixes it. Signed-off-by: Paul Chaignon <paul@cilium.io> 26 January 2021, 12:59:33 UTC
804e7fd build(deps): bump actions/setup-go from v1 to v2.1.3 Bumps [actions/setup-go](https://github.com/actions/setup-go) from v1 to v2.1.3. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/v1...37335c7bb261b353407cff977110895fa0b4f7d8) Signed-off-by: dependabot[bot] <support@github.com> 25 January 2021, 21:29:33 UTC