https://github.com/cilium/cilium

Revision Author Date Message Commit Date
7e6cfee daemon: Fix failure on first health EP start [ upstream commit 6d55daca69e16a63c284a37ccd6d3945afb00345 ] Previously, due to a static global definition of the client object in the health launch package, the daemon had no way to determine whether the client is already initialized, and would always fail to start the endpoint the first time the controller runs, then succeed afterwards. Fix this by pushing the client out to the daemon package, where we can then switch on whether the client exists to create it the first time without treating that case as an error, then only if the client already exists, attempt to ping it and treat failure to ping as an error worthy of failing the controller and restarting the endpoint. Fixes: #6754 Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
46ea68e launch: Use node type for addressing information [ upstream commit 8f64280aa652bd9834eb98903af03769075ce210 ] Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
2cba452 launch: Remove unused Annotator interface [ upstream commit 2a67816298ffebf1e9716754ab5587a07f3e27b9 ] Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
f217850 node: Simplify GetModel() api [ upstream commit 8badece869b67102fcb0a432ec4eb0510fbc6aea ] The IPv4 bool passed in here was confusing and unnecessary, remove it in favour of the global options setting. Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
9f21398 kvstore: Fix panic in `cilium kvstore` CLI [ upstream commit 60db32bc98a03b07e3dade50ca2c11dcb3e51241 ] Fix the following panic when the kvstore client cannot be created via the CLI:

```
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x50 pc=0x1a306d0]

goroutine 1 [running]:
github.com/cilium/cilium/pkg/kvstore.Get(0x0, 0x0, 0x8, 0x8, 0x8, 0x7, 0x7)
	/home/vagrant/go/src/github.com/cilium/cilium/pkg/kvstore/kvstore.go:40 +0x40
github.com/cilium/cilium/cilium/cmd.glob..func32(0x44e3c80, 0x4ada920, 0x0, 0x0)
	/home/vagrant/go/src/github.com/cilium/cilium/cilium/cmd/kvstore_get.go:55 +0x2e7
github.com/cilium/cilium/vendor/github.com/spf13/cobra.(*Command).execute(0x44e3c80, 0x4ada920, 0x0, 0x0, 0x44e3c80, 0x4ada920)
	/home/vagrant/go/src/github.com/cilium/cilium/vendor/github.com/spf13/cobra/command.go:766 +0x2cc
github.com/cilium/cilium/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0x44e7f00, 0x2f, 0xffffffffffffffff, 0xc0004c2f30)
	/home/vagrant/go/src/github.com/cilium/cilium/vendor/github.com/spf13/cobra/command.go:852 +0x2fd
github.com/cilium/cilium/vendor/github.com/spf13/cobra.(*Command).Execute(0x44e7f00, 0xc0007a7f58, 0x1164e30)
	/home/vagrant/go/src/github.com/cilium/cilium/vendor/github.com/spf13/cobra/command.go:800 +0x2b
github.com/cilium/cilium/cilium/cmd.Execute()
	/home/vagrant/go/src/github.com/cilium/cilium/cilium/cmd/root.go:46 +0x2d
main.main()
	/home/vagrant/go/src/github.com/cilium/cilium/daemon/main.go:32 +0xd0
```

Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
882c1fb test: Add IPv4 only test [ upstream commit b17aeb9980b5937b992f0fe9972524417f9304e7 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
454b014 cilium: Fix cilium lb list when IPv4 or IPv6 are disabled [ upstream commit 2922601a41edc78af27f071e418f7e3813218664 ] Fixes: #6800 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
6ef1809 CLI for clearing FQDN proxy cache [ upstream commit 691079d92128c90050cc9adc9214e7639ee06b26 ] Signed-off-by: Maciej Kwiek <maciej@covalent.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
7c2eef7 plugins/cilium-cni: uninstall cilium-flannel CNI configuration if user opts in [ upstream commit 306b6b31c56847bb43ce5b2ea9ce9eaaf74b9d3c ] This avoids containers accidentally being created and starting to be managed only by Flannel if Cilium is in the process of being upgraded, where the CNI configuration is always removed during the upgrade. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
272713c addons/flannel: add more flannel documentation [ upstream commit 923e054e6d55469d3b1dffa49c5ed0fd7a0ff490 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
be15ec4 pkg/client: wait until the client has connectivity with daemon [ upstream commit d48af6ab5c286fd91b751eed90a7d1b715a55231 ] Fixes: c6518190de30 ("client: Add NewDefaultClientWithTimeout function") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
30f0bb4 daemon: stop waiting for flannel device to be ready if process is terminated [ upstream commit 2262a7aa0a4d50d94f5da9bd6e719a0f435e0fce ] When running in flannel mode, cilium-agent would ignore the sigterms as it would be infinitely waiting for the flannel interface to be ready. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
9bb831a plugins/cilium-cni: change CNI chaining name to cbr0 [ upstream commit 80ea41a1701450f57f052ad64865af5e0149dd71 ] As flannel runs with the name "cbr0" by default in its CNI configuration, in order for Cilium to be able to run on top of flannel with existing containers, the flannel-cilium CNI configuration file needs to have the same name. Having the same name prevents the flannel IPAM from assigning existing addresses, as they are stored on each node under the directory `/var/lib/cni/networks/cbr0/`. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
35b554c pkg/datapath: ignore iptables MASQUERADE rules in flannel mode [ upstream commit 7740e3914ebf2bb36860369aeda585a94b2c17c1 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
b9eb92e daemon: append bpf programs to existing flannel running containers [ upstream commit ad5ae3843b4497bea72c09c111d5f89f058b906c ] [ Backporter's notes: Re-ran "make -C examples/kubernetes" to handle conflicts ] As Cilium has the ability to install BPF programs on already running interfaces, we can enable this option by default in environments where Cilium is deployed on top of Kubernetes. This requires the Cilium DaemonSet to run with `hostPID: true` so that the cilium-agent process can access already running network namespaces. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
8bcb935 plugins/cilium-cni: rely on flannel response [ upstream commit a67df9f6ff07df999a6f98dd48f18bc8f1ddaf68 ] With CNI chaining, the response from the previous CNI plugin, flannel, is sent to the previous CNI plugin, Cilium, we can rely on the flannel response to create a Cilium endpoint instead of entering the network namespace of the container. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
e5f5c6f Prepare for 1.4.0-rc5 release Signed-off-by: Thomas Graf <thomas@cilium.io> 26 January 2019, 01:33:09 UTC
374c483 fqdn/rulegen: per-name regeneration via ForceGenerateDNS [ upstream commit c8375f8dbbd75c8d617709fb61b8a3454c75ad27 ] There are circumstances to trigger a rule regeneration without new IP information (such as a cache clear or TTL expiration without a new DNS event). ForceGenerateDNS allows running logic similar to UpdateGenerateDNS, where DNS names are matched against rules and new versions generated. Signed-off-by: Ray Bejjani <ray@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
365c907 api: Add DELETE /fqdn/cache API [ upstream commit 274d782c32f4d04e16809b2a3171226d705f4f38 ] Signed-off-by: Ray Bejjani <ray@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
91a062f daemon: Implement DELETE /fqdn/cache API [ upstream commit 770ebd596fcde6a175933dd98d7c337b6bc808a3 ] This removes entries that match the matchName or CIDR, removing lookups that occurred before the time the API call was issued. No-parameter invocations will clear the entire cache. Signed-off-by: Ray Bejjani <ray@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
0ec824c fqdn/cache: Implement .ForceExpire to delete entries [ upstream commit 8f1f949abc1cd719a8ee5bba360c7ba24d6c91f1 ] In normal operation, the cache will only expire entries after the TTL. In some circumstances, we will need to forcibly clear part of the cache without removing all the data within it. ForceExpire and the updated removeExpired allow doing this per-name and by LookupTime. Signed-off-by: Ray Bejjani <ray@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
5c29ff7 k8s: Don't list identities in CEP for default-allow [ upstream commit c8846bc1a1e4ec9fed88e591d33f0ec7f336769c ] This lowers the size of the CEP and reduces the number of updates required for pods that are running in default-allow policy enforcement mode. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
3ce41ce node: Do not require ipv6AllocRange in ipv4-only mode [ upstream commit d52f6ed0378a314138a724ac6142a9a0ddcb39cc ] Otherwise, cilium-agent cannot start when only ipv4 is enabled. Signed-off-by: Martynas Pumputis <martynas@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
a0a34f5 daemon: Set ROUTER_IP only if IPv6 is enabled [ upstream commit 59d6eddbf0e538c0f3aa5d55f612754aa88a6566 ] Signed-off-by: Martynas Pumputis <martynas@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
e9e5c29 bpf: Enable some IPv6 code only if ENABLE_IPV6 is set [ upstream commit b1ce2bc831c3d25b02403ff5456a27b8b02f26e4 ] 75028e4bcb14 ("ipam: Only allocate IPs if address family is enabled") made setting of `ROUTER_IP` conditional, i.e. it is non-empty only if IPv6 is enabled. In the case of ipv4-only mode, `ROUTER_IP` in node_config.h is empty, which leads to compilation errors in BPF functions which call `BPF_V6(<..>, ROUTER_IP)`. Signed-off-by: Martynas Pumputis <martynas@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
1b26f11 Jenkins: delete docker-compose networks [ upstream commit c1b0e3d91b4fd8c395be8f5678c3ca163a4870c2 ] On commit `eb3b298849bc72b283034e13ab32e57130260758` the target clean-ginkgo-test was deleted, but the jenkins-precheck is still using docker-compose, so the docker networks never got deleted and Jenkins failed after a while. With this change, after each build a delete will happen. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
a23ab40 daemon: Sanitize fqdn/cache API matchpattern parameter [ upstream commit a964e923541dc21333334ce96909503f873e6ef1 ] When parsing policy, .Sanitize ensures a name or pattern is a FQDN. The FQDN API code now also does this, allowing the same patterns in policies to match in-cache names. Signed-off-by: Ray Bejjani <ray@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
00180ce Jenkins: Add Flannel job [ upstream commit 39f6982aeaf742da13099feb3ae65208810d11c6 ] Add a new flannel job with the new trigger test-flannel in the PR and with the new jenkinsfile. It'll run once a day in the CI. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
c9295a0 daemon: sockops: delay sockops init till node_config.h gets generated [ upstream commit fc25dbe2454815456cefab4f34807ab3ec270b47 ] SockmapEnable and SkmsgEnable require node_config.h, which is generated in Daemon.init().

```
level=error msg="Failed to compile bpf_sockops.o: exit status 1" compiler-pid=23550 linker-pid=23551 subsys=datapath-loader
level=warning msg="/var/lib/cilium/bpf/sockops/bpf_sockops.c:21:10: fatal error: 'node_config.h' file not found" subsys=datapath-loader
level=warning msg="#include <node_config.h>" subsys=datapath-loader
level=warning msg=" ^~~~~~~~~~~~~~~" subsys=datapath-loader
level=warning msg="1 error generated." subsys=datapath-loader
level=error msg="failed compile sockops/bpf_sockops.c: Failed to compile bpf_sockops.o: exit status 1" subsys=sockops
level=error msg="Failed to compile bpf_redir.o: exit status 1" compiler-pid=23553 linker-pid=23554 subsys=datapath-loader
level=warning msg="/var/lib/cilium/bpf/sockops/bpf_redir.c:21:10: fatal error: 'node_config.h' file not found" subsys=datapath-loader
level=warning msg="#include <node_config.h>" subsys=datapath-loader
level=warning msg=" ^~~~~~~~~~~~~~~" subsys=datapath-loader
```

Fixes: ac55c6a (daemon: Create BPF maps before restoring service IDs) Signed-off-by: Nirmoy Das <ndas@suse.de> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
ec183bd proxylib: Add SONAME, create .so* files and symlinks [ upstream commit 6b785067216e64b4b08bb6bf8fc4ea312a4cebb7 ] The common pattern in most Linux distributions is to have a SONAME field in shared object files and to keep the library version as its suffix. The name of the shared object file should be the same as the SONAME, and the .so file without suffix should be a symlink to the versioned file. In this case, SONAME contains only the major version as a suffix, which is acceptable to most projects and Linux distributions. After this change, executing `make` and `make install` produces the following results:

```
$ make
[...]
$ ls -la proxylib/ | grep libcilium.so
lrwxrwxrwx 1 mrostecki users       14 Jan 23 14:04 libcilium.so -> libcilium.so.1
-rw-r--r-- 1 mrostecki users 21362336 Jan 23 14:04 libcilium.so.1
$ readelf -a proxylib/libcilium.so | grep SONAME
 0x000000000000000e (SONAME)             Library soname: [libcilium.so.1]
$ make install PREFIX=~/.local LIBDIR=~/.local/lib64
[...]
$ ls -la ~/.local/lib64/
total 20988
drwxr-xr-x 3 mrostecki users      188 Jan 23 14:57 .
drwx------ 9 mrostecki users       91 Jan 23 14:40 ..
lrwxrwxrwx 1 mrostecki users       14 Jan 23 14:57 libcilium.so -> libcilium.so.1
-rwxr-xr-x 1 mrostecki users 21362336 Jan 23 14:57 libcilium.so.1
```

Signed-off-by: Michal Rostecki <mrostecki@suse.de> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
0f9fb59 workloads: Set options per runtime [ upstream commit 0035477ca593f1855ad77a0b61a86b39b38546af ] Previously, all workloads runtime options passed to `workloads.Setup/2` were passed to each individual runtime implementation. This led to some runtimes returning an error during the setup step, because not all options were supported by them (e.g. "datapath-mode" is not supported by the containerd workloads runtime). This commit changes the runtime options in a way that they are defined per runtime. Signed-off-by: Martynas Pumputis <martynas@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
68e5fe7 workloads: Export WorkloadRuntimeType type [ upstream commit f9174de1a6896833237202c21b470a7b8a3a4268 ] Signed-off-by: Martynas Pumputis <martynas@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
4c8ec20 Kubernetes: CEP fixes. [ upstream commit 9c744603631024b7484a0718d066ee92ae187667 ] Due to the changes in commit `c5e50eb57be837b6b90c601c990fb6834d96d33b`, the `get cep` list was not reporting correctly. With this change the list reports correctly:

```
NAME               ENDPOINT ID   IDENTITY ID   INGRESS ENFORCEMENT   EGRESS ENFORCEMENT   ENDPOINT STATE   IPV4          IPV6
testclient-m894b   3216          4397          false                 false                ready            10.10.0.218   f00d::a0a:0:0:f
testds-2p4hq       3644          645           false                 false                ready            10.10.0.120   f00d::a0a:0:0:f521
```

Also, make the ingress/egress enforcement value in the JSON non-empty, because it is good to report that the value is false for jsonpath utilities. Due to the changes, I also changed the CI report to make it easy to understand if the test failed; the new behaviour looks like this:

```
<Checks>
Number of 'context deadline exceeded' in logs: 0
Number of 'level=error' in logs: 0
Number of 'level=warning' in logs: 0
Number of 'Cilium API handler panicked' in logs: 0
Number of 'Goroutine took lock for more than' in logs: 0
Cilium pods: [cilium-rmcw9]
Netpols loaded:
CiliumNetworkPolicies loaded:
Endpoint Policy Enforcement:
Pod                              Ingress   Egress
coredns-fff89c9b9-cfkvb          false     false
etcd-operator-5cf67779fd-hmkcv   false     false
testclient-m894b                 false     false
testds-2p4hq                     false     false
cilium-etcd-8nwlbq9cvq           false     false
cilium-etcd-wgptgl2gt5           false     false
cilium-etcd-xxh29gps5m           false     false
```

Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
10c96b6 Contrib: Add prometheus and grafana dashboards. [ upstream commit 8308b07dce9fb14341e904868c7b59d31e742865 ] Added a new prometheus manifest that includes a fully functional Prometheus, grafana and kube-metrics to deploy in a single command. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
4d2452d endpoint: fix logic to finalize proxy state in dry mode [ upstream commit fa240b46ae3e14a12afed369702f49d13de90b59 ] The logic was inverted for checking whether proxy state should be finalized or not. Fixes: 4045887122c11827977956abda8c7c28684538f8 Signed-off-by: Ian Vernon <ian@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
f2d32fa health: Annotate k8s node with health IPs in initial annotation call [ upstream commit 45b4a5c3d20b6c476a1592585f23550a48f9f7d9 ] Related: #6728 Fixes: be7d5cb4b919 ("node: Use new routing datapath for node events") Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
58183c8 vendor: Remove now unused dependency code [ upstream commit 4d533b3c2d2ed7f3ad61bd848625d82abf75b3ae ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
0a6b5d5 node: Remove unused ipv4HealthAddress and ipv6HealthAddress [ upstream commit a26b64b7319f0a6ebc2bf589e257a0f878ded82b ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
8be972e ipam: Only allocate IPs if address family is enabled [ upstream commit 75028e4bcb1491042e94f30490857ba75d842d38 ] Only initialize the IP allocator for a particular address family if that address family is actually enabled. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
e06d846 agent: Fail if loopback IPv4 address cannot be allocated [ upstream commit f0653858bd73f6d97529710d6bebeb929d6d0e18 ] Make sure that allocation fails if the allocator is not available. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
e609b0a health: Support running IPv6 only health endpoints [ upstream commit d92a362c13c58e15d0e9768bfdec9db1c05cf35a ] The cleanup was limited to IPv4 only so far. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
d33e9e9 health: Only allocate health IP if address family is enabled [ upstream commit 35bf51763c96196d22d9b3458a3c8988d9f34aec ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
a99acb7 ipam: Remove unused IPAMConfig [ upstream commit dec2dbada2b417862f74ebf0712a3fcf5194ab25 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
f4cf7ab ipam: Add AllocateNextFamily() to allocate IPs of individual families [ upstream commit 2581cab845d6d3c898dc33262a2fc703e259ae06 ] AllocateNext() allows to allocate for a specific family but the allocation does not fail if the allocator is unavailable. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
c4d0ff2 ipam: Stop using global ipamConfig variable [ upstream commit 4a1701a183383b6620a3bbf2a351b1ba507bd153 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
2608259 workloads: Fix init race condition between workloads and IPAM init [ upstream commit f3932a1a69b729530b83debcd42f840f26fd5afa ] The workloads system requires IP allocation. Initialize the workloads system after initializing IPAM. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
142e371 endpoint: do not return error if endpoint RLock fails due to endpoint being removed [ upstream commit 73aafb818b564b673116af008497c28121d1794e ] The Cilium CI has failed recently on multiple occasions due to errors appearing for controllers for endpoints which resolve the identity for said endpoints. The errors were "rlock failed: endpoint is in the process of being removed". Handle this case specially in both cases where `identityLabelsChanged` is called for endpoints by adding a new error variable which is returned if `RLockAlive` fails, and handle this error being returned in callers to `identityLabelsChanged`. In the case where `identityLabelsChanged` is called within the `resolve-identity` controller for an endpoint, do not return an error in the controller if `RLockAlive` fails because the endpoint is being deleted, so there is no purpose in allocating a new identity for it. Fixes: #6721 Signed-off-by: Ian Vernon <ian@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
e2553f5 cilium: ipsec, bpf add receive side ipsec [ upstream commit 6fd8f36a6eb5a5b05107a83f15f34f70b543b23d ] If we did nothing here, cilium_vxlan would pop the vxlan header, then the outer header would route to cilium_host (assuming tunnel mode); this route would hit the ipsec decrypt path so cilium_host would get the decrypted packet. These would be processed using normal host logic and be locally redirected to the lxc endpoint via a BPF program. However, when mixed with non-ipsec traffic some flows were getting encrypted/decrypted unexpectedly. So instead of hopping through multiple BPF programs this changes the flow as follows. Set the mark decrypt bit and pass to the stack. The routing stack decrypts the packet and routes it back to cilium_vxlan after decryption is complete. After this cilium_vxlan "sees" the decrypted bit is set and redirects to lxc. We keep the ipsec traffic localized this way. IMO it's easier to trace the flow. We had to pull in a portion of if_packet to get magic numbers for PACKET_* values. Only pulled in required defines for now. Finally, in the next set of patches we drop the tunnel mode flag and this becomes even more relevant to avoid (re)routing. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
8077110 cilium: Add IPv4GW to node discovery [ upstream commit e1438518b192cbf56bb46ce2b3977d4f2d19293f ] This adds the IPv4 gateway address to the localNode so that on node events we can use the gateway address to populate the IPSec context. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
6ea2cdb cilium: ipsec, bind nodeUpdate to ipsec upsert to install ipsec state [ upstream commit 29536aeef82948a9aa720b4b8f6716230991206b ] This hooks into nodeUpdate events, using them to add/remove IPSec policies and states when new endpoints come online/offline. For node based ipsec this is sufficient; if we want finer grained IPSec policies, possibly per identity, we will most likely need to hook into ipcache. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
a6e3a83 cilium: ipsec, add BPF datapath encryption direction [ upstream commit 3b6245843aeff0509bf0781ef88658ae7a69b9f8 ] This enables encryption on TX path for traffic that is sent over a vxlan tunnel. Currently, we use tunneled IPSec but the datapath should work regardless. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
1fae864 cilium: ipsec, import keys via certs file [ upstream commit a7beef597de252fdc008b3e34612410857c9c7dd ] Initially, we will support a pre-shared key model where all endpoints have a pre-shared key loaded from a file. The file layout is as follows, with a key per line:

```
authname authkey encname enckey [scope]
```

This allows keys to be scoped so that it is possible to have a key per node if desired. If scope is omitted the key is considered a default key, used if a more specific key is not found. My three node testing file reads as follows:

```
hmac(sha256) abcdefghijklmnopqrstuvwzyzABCDEF cbc(aes) abcdefghijklmnopqrstuvwzyzABCDEF ubuntu-kvm1
hmac(sha256) abcdefghijklmnopqrstuvwzyzABCDEF cbc(aes) abcdefghijklmnopqrstuvwzyzABCDEF ubuntu-kvm2
hmac(sha256) abcdefghijklmnopqrstuvwzyzABCDEF cbc(aes) abcdefghijklmnopqrstuvwzyzABCDEF
```

The file is loaded at init time, so any changes will have to be consumed by a restart. In the future we can add watchers for the file and allow using etcd secrets (files). Also note the logic is built so that other methods of key exchange can be added later if folks want a different model. Looking forward we can add more specific scope types to do per identity keys if needed. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
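The key file layout described in the commit message above, worked through as an added example that is not Cilium's own loader: it parses `authname authkey encname enckey [scope]` lines, keeps one key per scope (an empty scope is the default key), rejects malformed or duplicate lines, and resolves the key for a node name with fallback to the default. `Key`, `ParseKeyFile`, `LookupKey` and the embedded sample file (the placeholder test keys from the commit message, not real secrets) are assumptions of this example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// Key is one parsed line of the pre-shared key file:
// "authname authkey encname enckey [scope]".
type Key struct {
	AuthAlgo string
	AuthKey  string
	EncAlgo  string
	EncKey   string
	Scope    string // empty string means the default key
}

// SampleKeyFile is a constructed copy of the three-node test file from the
// commit message; the keys are the placeholder test values, not real secrets.
const SampleKeyFile = `hmac(sha256) abcdefghijklmnopqrstuvwzyzABCDEF cbc(aes) abcdefghijklmnopqrstuvwzyzABCDEF ubuntu-kvm1
hmac(sha256) abcdefghijklmnopqrstuvwzyzABCDEF cbc(aes) abcdefghijklmnopqrstuvwzyzABCDEF ubuntu-kvm2
hmac(sha256) abcdefghijklmnopqrstuvwzyzABCDEF cbc(aes) abcdefghijklmnopqrstuvwzyzABCDEF
`

// ParseKeyFile parses the key file text into a map keyed by scope.
// Hypothetical helper: blank lines and '#' comments are skipped, a line
// must have exactly 4 or 5 fields, and a duplicate scope is an error so a
// silently shadowed key cannot be loaded.
func ParseKeyFile(text string) (map[string]Key, error) {
	keys := make(map[string]Key)
	sc := bufio.NewScanner(strings.NewReader(text))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
			continue
		}
		if len(fields) != 4 && len(fields) != 5 {
			return nil, fmt.Errorf("line %d: expected 4 or 5 fields, got %d", lineNo, len(fields))
		}
		k := Key{AuthAlgo: fields[0], AuthKey: fields[1], EncAlgo: fields[2], EncKey: fields[3]}
		if len(fields) == 5 {
			k.Scope = fields[4]
		}
		if _, dup := keys[k.Scope]; dup {
			return nil, fmt.Errorf("line %d: duplicate key for scope %q", lineNo, k.Scope)
		}
		keys[k.Scope] = k
	}
	return keys, sc.Err()
}

// LookupKey returns the key scoped to node, falling back to the default
// (unscoped) key, and fails if neither exists.
func LookupKey(keys map[string]Key, node string) (Key, error) {
	if k, ok := keys[node]; ok {
		return k, nil
	}
	if k, ok := keys[""]; ok {
		return k, nil
	}
	return Key{}, errors.New("no key for node " + node + " and no default key")
}

func main() {
	keys, err := ParseKeyFile(SampleKeyFile)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	// ubuntu-kvm1 has its own key; ubuntu-kvm3 falls back to the default.
	for _, node := range []string{"ubuntu-kvm1", "ubuntu-kvm3"} {
		k, err := LookupKey(keys, node)
		if err != nil {
			fmt.Println(node, err)
			continue
		}
		scope := k.Scope
		if scope == "" {
			scope = "default"
		}
		fmt.Printf("%s -> %s / %s (scope %s)\n", node, k.AuthAlgo, k.EncAlgo, scope)
	}
}
```

The map is keyed by scope rather than by line order so that lookup is independent of where the default line sits in the file; the duplicate-scope check matters because a key file that quietly overrides an earlier entry is hard to audit.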
8cafbc6 cilium: ipsec, add option and #define for ENABLE_IPSEC enablement [ upstream commit 7593ee5f1e9634ff2d2314509fd0847291753f97 ] Add a command line option to enable inter-cilium-node IPSec encryption. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
12ce33a cilium: ipsec, bpf fix mark comments and func names to reflect current usage [ upstream commit 7a597cf8326ac2b528b852771de4566479fd9738 ] The current skb->mark comment is out of date and no longer reflects the actual usage of the 32bit mark field. Fix this and generalize get_identity_via_proxy to simply get_identity it will be used in IPSec case now as well. The cluster ID was removed here, 661062fec8a1 ("bpf: Remove cluster identity"). Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
2a911ac cilium: ipsec, qualify iptables rules to avoid colliding with ipsec [ upstream commit 05a48aced3283313343f2a2cd0660960cae563e4 ] Cilium uses a handful of IPTable rules to mark local packets to/from the proxy along with a few other cases. We need to ensure that these rules do not interfere with packets that need to be encrypted or decrypted. This patch adds qualifiers to the iptables rules added to ensure the encrypt/decrypt mark bits are not set before taking any actions. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
94a491e cilium: ipsec, add ip route needed to decrypt/encrypt traffic [ upstream commit 99a6e33d3ddd99606ad858350779593aa6d3e3f3 ] IPSec datapath pushes packets into IP stack for encryption and decryption. This adds the routing rules used to enforce this. These are inserted once per node so overhead should not be concerning. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
6122654 cilium: ipsec, insert 'ip rules' for ipsec [ upstream commit 48961ade2cc88b79ae9c90e7cd742225bb4ea1bf ] IPSec will be isolated from the "normal" routing tables via a set of marks to direct traffic to an IPSec table. When an endpoint has IPSec enabled the datapath will first set the mark bit to indicate MARK_ENCRYPTED or MARK_DECRYPTED depending on the expected direction. Once the encryption or decryption has occurred the mark fields will be cleared and normal processing will happen. In this patch add the mark based 'ip rules' to segregate the IPSec traffic. Also decided on adding default const to ./pkg/datapath/linux/datapath.go because (a) as defaults they only make sense on the linux datapath it seems and (b) originally I pushed them in via ./pkg/option/ and ./pkg/defaults but this got a bit ugly IMO to translate through to the lower datapath after the latest changes to separate fake/linux dp. Sure we can push them through NewDaemon but do Daemon creators really want this control? Anyway, it's easy to go back to pushing at Daemon create time if anyone cares. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
3b84929 cilium: ipsec, add go API to configure xfrm (IPSec) [ upstream commit b2b901fb191634fe971bdec4f24f1a145f62b923 ] This adds a new datapath directory ipsec to configure ipsec for Cilium. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
a98836b cilium: ipsec, add support for inserting rules via golang API [ upstream commit b97804ea33051ef0ace1c1d0c577c3e850a694c9 ] Currently, existing route rules are inserted via init script. Because we are going to start adding more rules for IPSec this patch adds a proper route API that we can call directly. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
e5a3dfd cilium: ipsec, extend datapath route pkg to support more specifiers [ upstream commit fdf560711c549e64b113ceda034d1340dddb9aa7 ] In order to support IPSec we use specific routes inserted into a table designated for IPSec. To further isolate these entries we also constrain the routes using the proto (proto=50 for ESP) field and insert as a "local" route to ensure traffic is processed by the IPSec in kernel code on the correct device. Details on IPSec implementation in documentation and subsequent patches. To facilitate this add support in route pkg to program these from the API. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
313b189 cilium: ipsec, report flags with endpoint maps [ upstream commit bfb4bf304a56179c54c7f603781dbc2f0a06291f ] Reporting flags with endpoint maps helps debugging by allowing us to ensure the datapath and control path are in sync. Useful when ipsec becomes enabled and host/endpoint flags determine IPSec flows. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
13a4d0e cleanup: proper integration test for stdout/err [ upstream commit de302a07906a05ce72737253aa3091314077af31 ] shell scripts in tests/ are deprecated (#6709) Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
2dd4504 fix: redirect help text to stderr [ upstream commit a98fa8ee7dd2e97e5943d84198ba8f64025adeef ] The help text should be printed to stderr to avoid confusion when piping the stdout to another program, e.g. `cilium endpoint config 173 | grep Conntrack`. Fixes: #2498 Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
7e529f3 node/manager: Disable unstable unit test [ upstream commit 2b3494efea8f7878c3ee4857dfe44d9df7741ffd ] Related: #6751 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
9727344 kvstore: Add Hint function for extending error messages [ upstream commit 3eedf38256636e90bd0d90da44dbf051995e70af ] Error message `context deadline exceeded` is not descriptive and does not show what component has a connectivity issue. This change introduces the Hint function which should be used in etcdClient methods to extend DeadlineExceeded error with information that it comes from etcd. Fixes: #6458 Signed-off-by: Michal Rostecki <mrostecki@suse.de> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
111dafb client: Extend DeadlineExceeded error [ upstream commit 005f3fd3d4049ac3951210d3a424f45c84873918 ] Error message `context deadline exceeded` is not descriptive and does not show what component has a connectivity issue. This change extends DeadlineExceeded errors with information that it comes from Cilium API client. Fixes: #6458 Signed-off-by: Michal Rostecki <mrostecki@suse.de> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
83f97ff daemon: Skip existence check for ipvlan slave when restoring [ upstream commit 06b55eee4fe652bad44c0f8239d087443c8398e2 ] We cannot check from a host network namespace whether an ipvlan slave exists, and in some cases we cannot enter container's netns, as it requires bind mounting /proc to cilium-agent container (e.g. when running with k8s). Instead, check whether ipvlan datapath tail call map exists. Signed-off-by: Martynas Pumputis <martynas@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
3182af3 endpoint: Make endpoint.DataPathMapID public [ upstream commit 585fafcba65cf59de786d3afd354371827b49f73 ] Otherwise, the field is not written into `/var/run/cilium/state/${EP_ID}/lxc_config.h` due to the JSON encoder skipping private fields. The missing field led cilium-agent to treat an ipvlan-based endpoint as a veth-based one (`ep.MustGraft()` returned false), which made the restoration of the endpoint fail. Signed-off-by: Martynas Pumputis <martynas@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
ee5b4a7 test: Adjust CI for new CEP structure [ upstream commit bb7d7a812ebd9b5e8b8d1eac06683c16b9864925 ] The policy revision is no longer provided in the CEP as updating the CEP that often does not scale to a large number of pods. Rely on the CNP status instead which is already verified. One validation of the status.policy.{ingress|egress}.enforcing is kept to test the functionality. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
4cbe5a9 k8s: Restructure and optimize CEP [ upstream commit 99f0136e65cb02360a76cc0dfba5d40ebcb141d1 ] This commit creates a native type for the CiliumEndpoint CRD. It still uses a couple of structures from api/v1/models but the majority of the types are native. * CiliumEndpoint.Status.Spec is deprecated and no longer populated. The label configuration is typically available in the pod. The endpoint configuration is almost never changed and if performed, it is done via CLI which means the CLI can also be used to query it. * CiliumEndpoint.Status.Status is deprecated but some fields which we know have users are preserved. All fields are mirrored to CiliumEndpoint.Status and new fields should only be added there. * The endpoint log is limited to the last 5 errors or warnings. Successful transitions are no longer included. * The list of controllers is limited to failing controllers and the list is sorted by controller name. * The endpoint networking field is reduced and the list of addresses is sorted. * The policy field is completely restructured and now contains a list of identities + L4 port + protocol for ingress and egress. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
29d430f health: Fix health check to local health agent [ upstream commit 65e5d07f044a2e88e755f759888e3f6de2c04cb7 ] Fixes: #6728 Fixes: be7d5cb4b919 ("node: Use new routing datapath for node events") Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
25f7db3 Test: Increase curl timeout [ upstream commit c6218d74f4d9e60f6f8bda53cb711c61e3f23161 ] Due to the DNS proxy, each time a DNS request happens a new regeneration happens, so the connect timeout of 3 seconds was not enough in the CI because of the CI load. Fix #6727 Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
1e6b3eb Test: Kubectl wait until CNP has status. [ upstream commit 8dbe9b5219e3414b20d98f80805ccf162844bb76 ] Change jq filter to wait until status is present to make sure that no race conditions happen. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
0bfb4a8 test: test upgrades against v1.3 instead of v1.3.0 [ upstream commit 31b2dc975fc939fe5fca2bd5d83e3ba1b2298d7e ] Fixes: 2ddf05339621 ("Test: Bump stable image to 1.3") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
727a355 docs: cleaning up leftover in minikube gsg [ upstream commit a696c28d18209a83aea0fc9f75f6a277216bba4c ] Fixes: e331e92613a1 ("docs: update minikube gsg") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
a1bd3ad cilium, ipvlan: implement base host connectivity [ upstream commit 7fbfe1cd92de1f1c0a573b56e5cfd70b9a4e26de ] This patch creates an ipvlan slave device named cilium_host in the init network namespace such that containers/pods are enabled to talk to the host. Going through cilium monitor, I can see ping working with correct identities for the packet flow. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
7f24c38 helpers: Limit ep gathering to 5m for all cilium pods [ upstream commit 1c62070f1523137d7d6a46957813559ad914cf0c ] Rather than allowing a limit of 5 minutes per cilium pod for gathering the endpoints list, restrict it to 5 minutes for all cilium pods. Existing test cases only ever use up to 2 cilium instances so this still leaves a reasonable amount of time. This doesn't have much impact with the current implementation which terminates at the first error while fetching endpoint status from cilium instances, but an upcoming commit will change this so we change it here. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
07989a4 helpers: Collect errors when EndpointWaitReady fails [ upstream commit 66ec8d6a7843478d78b8099e9be13bd44bd4c242 ] Previously only one cilium instance would be attempted to be contacted, and if unavailable, an error would be returned. In case the other Cilium instance is actually available, collect the error from the first instance then attempt to continue and print the state for the endpoints in the other instance. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
ada08e0 helpers: Use proper time types [ upstream commit 92f83a5fb927ca6bc5a0360eea9286faded5c5d0 ] Several places in the test code are using times as int64 values rather than using the native golang types for dealing with time durations. Fix these up and replace all of the existing hard-coded timeouts with variables which should make them easier to adjust in future. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
239c471 helpers: Fix function name in panic [ upstream commit 3f7604bf554165a74a5bef47cd89f46ccc593d8a ] This line was copy-pasted from a similar function and the error message was not updated. Fix it to reflect where the panic occurs. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
ad5b1a9 docs: update minikube gsg [ upstream commit bbe8aec8076cab9cb5b65bcdceb3df49a46044b5 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
931bf4c ipam: Release IPv6 IP when AllocateNext() is requested to allocate both and fails [ upstream commit 3e625be3c6c2c49d94ebb6261d7b3f85d585db26 ] The IPv6 address was leaked so far Reported-by: Andre Martins <andre@cilium.io> Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
6a44ead fqdn: Do not report stats on nil Endpoint [ upstream commit 2512266701a1415c21dc93bcff7e5a66a3aa8786 ] This was a bug. We cannot update statistics on an endpoint when it is nil. Now we don't. Fixes b39b72f5f400eaaa19212bbdfe3e773144e055af Signed-off-by: Ray Bejjani <ray@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
a34d0f4 cilium-docker: Refactor setup of container link device [ upstream commit 17f945350af127ed58aa105487140509fad7d646 ] - Refactor out common error handling bits. - In the case of an error, do not try to remove link device if it hasn't been created. Otherwise, netlink.LinkDel will panic. Signed-off-by: Martynas Pumputis <martynas@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
a0a3164 workloads: Move ipvlan post init steps to a separate function [ upstream commit c0112bb3f7476ab199039c7f06c75c67b57c9354 ] This commit tries to improve readability: - Move the ipvlan slave post initialization steps to the `finishIpvlanInit` function. - Reduce nesting of `finishIpvlanInit`. - Unlock `ep` in the defer. Signed-off-by: Martynas Pumputis <martynas@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
f818785 endpoint: Refactor MapPinLocked [ upstream commit 6ae9f13e359ddffae47657992321bf6762be1986 ] Move deferred closing of mapFd closer to the expression which sets it in order to improve readability. Signed-off-by: Martynas Pumputis <martynas@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
cca4db8 cilium, ipvlan: allow to derive secctx from ipcache in bpf_netdev [ upstream commit 6f360e52a81d08cc3fdc0bb7d81086acefb46d10 ] In order to enforce policies from Cilium managed containers on remote host allow to derive secctx from ipcache data if the packet info does not contain any useful information on ipvlan master device e.g. as in ipv4 case since we operate in direct routing. Use ipcache as fallback for deriving ingress source identity (see also ae0979728214 ("bpf: Add ipcache based fallback to derive ingress source identity")). Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
0aac081 kvstore: Decrease stale lock timeout from 2 minutes to 30 seconds [ upstream commit 06a4c4ec17b28cc7a2081f98526d444347ef43c0 ] Even 30 seconds is an incredibly long time to hold a distributed lock and should never happen. Lowering this timeout ensures that Cilium recovers quickly when the local locking state gets out of sync. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
4542b5a kvstore: Release local kvstore lock after timeout [ upstream commit 8267b5b086f9a7cde9b1fc126d156900eeaf1415 ] Cilium does distributed locking via etcd. For this purpose we first acquire a local lock indexed by the etcd key path. This is needed because etcd locks only protect against other clients and not from mutual access from the same etcd client. We then acquire the lock in etcd itself. We store locally that we are currently holding the etcd lock. When the etcd lock is unlocked, this local state is removed. For some reason, it’s unclear why, the local state was left behind and the local unlocking never took place. etcd was identified to have crashed several times based on logs which could have caused the etcd client returning something unexpected. When unable to acquire the local lock, we ignore this state and ask etcd directly. Unfortunately the original request requiring the etcd lock, in this case identity allocation, has typically already timed out. The current code never corrects the local state until the cilium pod is restarted. The new behavior is to release the local lock forcefully after the timeout and start a new lock acquisition cycle with a new timeout. This ensures that if multiple local consumers are waiting, only one will be able to acquire the lock. Fixes: #6667 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
8ec1cd8 plugins/cilium-cni: do not error if variable unset [ upstream commit 6e222053f90498ff4d41e1063614d4deb5817a57 ] As some users will not have the CILIUM_FLANNEL_MASTER_DEVICE nor CILIUM_FLANNEL_UNINSTALL_ON_EXIT environment labels set in their environments, the cni installation scripts will fail to run preventing cilium from starting. Fixes: a5b011fb4891 ("plugins/cni: add installation script for policy enforcement mode") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
d61cb0c daemon: Create BPF maps before restoring service IDs [ upstream commit ac55c6a435d22d98085c64c6ef6f1b2aa27b1a14 ] Restoring service IDs is an operation which includes reading from a BPF map, but it was done before any BPF map was created. It was always failing with an error on the first run of Cilium. This change ensures that daemon initialization keeps the following steps in the following order: 1. Creating BPF maps. 2. Restoring service IDs. 3. Configuring Kubernetes client and any operation on Kubernetes API. 4. IPAM initialization. 5. Compilation of base BPF programs. Before this change, creating BPF maps and compilation of base BPF programs were done in one step as the last operation of daemon initialization. Fixes: 3b5133ad5476 ("service: Restore service IDs before connecting to Kubernetes apiserver") Fixes: #6642 Signed-off-by: Michal Rostecki <mrostecki@suse.de> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
22b65ed workloads/crio: do not print StatusResponse struct [ upstream commit 61858e42e2f147b17bc81cee5d161259162f52b7 ] StatusResponse.String() spits out the raw struct: ./daemon/cilium status KVStore: Ok Consul: 172.17.0.2:8300 ContainerRuntime: Ok cri-o client: Ok - &StatusResponse{Status:&RuntimeStatus{Conditions:[&RuntimeCondition{Type:RuntimeReady,Status:true,Reason:,Message:,} &RuntimeCondition{Type:NetworkReady,Status:false,Reason:NetworkPluginNotReady,Message:Network plugin returns error: cni config uninitialized,}],},Info:map[string]string{},}%!(EXTRA string=Ok) Kubernetes: Disabled With this PR: sudo ./daemon/cilium status KVStore: Ok Consul: 172.17.0.2:8300 ContainerRuntime: Failure cri-o client: Failure - Network plugin returns error: cni config uninitialized Kubernetes: Disabled Cilium: Failure Container runtime is not ready NodeMonitor: Disabled Signed-off-by: Nirmoy Das <ndas@suse.de> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
d91e501 bpf: Simplify and fix ENABLE_NAT46 dependencies [ upstream commit 255a46c3e36994b99dbb5ab311b0e6bb4be2d064 ] Update both the daemon configuration for NAT46 and the datapath code to consistently check and use the same macros: * Require ENABLE_IPV6 for ENABLE_NAT46. * Userspace defines ENABLE_NAT46, and only if the prerequisites are set. * Make the same prerequisite checks in the datapath in a simpler way. * Make the datapath consistently use ENABLE_NAT46, not LXC_NAT46. * Remove the ENABLE_NAT46 definition in lib/common.h which isn't used. (it couldn't be, because common.h is included before LXC_NAT46 is defined). Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
4b892f5 test: bump k8s version to v1.13.2 [ upstream commit ce64e81e65f80ba84b8809fc546d729e8cb14289 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
ae9167b vendor: bump k8s version to v1.13.2 [ upstream commit b393081e7dc2b4a2db94266ea9fa11830f338be9 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
215884d endpoint: rename method MapPin to MapPinLocked [ upstream commit 867881a7c2efcb813ce220c7b55d2f9b86cba31e ] This makes a user of the method aware that the lock should be taken before calling the method. Also, call the method in daemon/endpoint.go after acquiring the lock. Signed-off-by: Martynas Pumputis <martynas@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
614d3d0 cilium-docker: Add support for ipvlan [ upstream commit 962c55902fd00e486eb93c045f0ee94a656aa9e7 ] This change enables ipvlan for the Cilium Docker libnetwork plugin. In opposite to CNI, libnetwork moves container's netdev (ipvlan slave) to container's network namespace by itself. This complicates our implementation a lot, because the kernel resets qdisc's of the netdev after the move. Therefore, the BPF object used for ipvlan gets removed. To overcome this limitation, we split the ipvlan slave initialization into two parts. The first one creates the ipvlan slave in the host network namespace, and it's executed in the JoinEndpoint context. The second one attaches the BPF objects to the device in the container network namespace, and is executed asynchronously by the Docker workloads monitors. Signed-off-by: Martynas Pumputis <martynas@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
c8fd83b endpoint: Add isDatapathMapPinned field [ upstream commit e7b81c35ac53d16ca60ed2fdb674f8860c2a270f ] The field denotes whether the datapath map has been pinned for the given endpoint. In the case of libnetwork+ipvlan, this can be used to detect (hack) whether all BPF-related initialization has been done for an ipvlan slave device, as we will pin the map only afterwards. Signed-off-by: Martynas Pumputis <martynas@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
415bfef connector: Unify ipvlan iface name creation [ upstream commit 0e9e8c84ab512cccac29ec5d3a4e99197c1d7c54 ] Use the same function as for veth to generate deterministic ipvlan iface name. Signed-off-by: Martynas Pumputis <martynas@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC
7ced32f connector: Do not rename ipvlan iface if target name is the same [ upstream commit 031dff029271f65a0c923650b80d3f7c5f45bf38 ] In the case of the libnetwork plugin, the ipvlan iface name does not change, so let's avoid calling netlink to save some CPU cycles. Signed-off-by: Martynas Pumputis <martynas@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 05:46:05 UTC