https://github.com/cilium/cilium

Revision Author Date Message Commit Date
da88a34 Prepare for v1.4.0-rc6 release Signed-off by: Ian Vernon <ian@cilium.io> 02 February 2019, 02:26:09 UTC
817a136 cilium: fix fd leak from ObjClose being omitted on ConfigMap [ upstream commit 7cdcc8a32c07146981c03c7e128ea2781b5c0736 ] Watching bpftool maps via 'bpftool show map' shows the ConfigMap is not being removed when an endpoint is deleted. This results in the number of active fd's growing until eventually fd space is exhausted. This fix copies the policymap approach and similarly adds the Close hook to ConfigMap and calls it from LeaveLocked() Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 02 February 2019, 02:15:28 UTC
122d293 examples/kubernetes: clean k8s descriptors [ upstream commit edb624efc1d3b29c378fec620fd8f643726b069e ] Clean up the k8s descriptors in particular removing non-existing fields (namespace) for non-namespaced objects and setting the right API Version. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 02 February 2019, 02:15:28 UTC
5582fbb daemon: only fatal if err != nil [ upstream commit 637adf46aed3d0a854931e80567906e2ac157006 ] This commit avoids cilium-agent from fatal itself on an expected exit signal such as: ``` cilium-agent[11272]: level=info msg="Stopped serving cilium at unix:///var/run/cilium/cilium.sock" subsys=daemon cilium-agent[11272]: level=fatal msg="Error returned from non-returning Serve() call" error="<nil>" subsys=daemon ``` Fixes: 894365fc6b0e ("daemon: Handle listen/serve errors with channels") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 02 February 2019, 02:15:28 UTC
13eea01 cilium, ipvlan, docs: add note about ipvlan tech preview [ upstream commit c0987a6923c5865ae251f300ac87627691d8d248 ] ... and also required kernel fix to run in L3S mode. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Joe Stringer <joe@cilium.io> 02 February 2019, 02:15:28 UTC
638dc54 bpf: get rid of all builtins for packet access [ upstream commit 70277b966fd5fcf38c86376dd0fb2aa257366803 ] Existence of load_byte() in our code forces JIT to generate real crappy code for every helper call that potentially changes packet data since it has to recache skb->data/hlen or push/pop registers to stack (see [0]) otherwise (due to calling convention), not to speak that exception handling is a mess with LD_ABS/IND. Let's get rid of this crazy madness to allow for better (smaller) JIT code generation. [0] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e782bdcf58c5ace7b7d58b2436177de9785a18e8 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Joe Stringer <joe@cilium.io> 02 February 2019, 02:15:28 UTC
5e5b6c3 cilium, ipvlan: loop back icmp6 requests to router on slave device [ upstream commit e738f7781e96e14f32282dc9fb4035ad3eeee0a3 ] In ipvlan case we need to loop the packet back on the same slave device as opposed to veth where we xmit on the host dev for having it end up in the peer dev. Also rename datapath_redirect while at it to a better name which lets us also have both prefixed as redirect_*() helpers. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Joe Stringer <joe@cilium.io> 02 February 2019, 02:15:28 UTC
5ae7f20 api: Rename DataPathMapID to DatapathMapID [ upstream commit c5c103bfc809d50493db8746560fe8f5d6457935 ] To be consistent with DatapathMap related methods of the endpoint pkg. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Joe Stringer <joe@cilium.io> 02 February 2019, 02:15:28 UTC
c84cfeb endpoint: Refactor ipvlan related method names [ upstream commit b277ab4d565d4750a9ee1d67e93917ac0806a0cd ] The previously used names were too generic, so the following renames: - MustGraft() -> MustGraftDatapathMap(). - MapPin() -> PinDatapathMap(). Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Joe Stringer <joe@cilium.io> 02 February 2019, 02:15:28 UTC
4c1d2d5 daemon: Fix usage of logfields.Device [ upstream commit bfccda59c97f188a116e6d326dc810e7712396b2 ] In some cases, we want to be explicit that the device is used as the ipvlan master device, so use logfields.IpvlanMasterDevice instead. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Joe Stringer <joe@cilium.io> 02 February 2019, 02:15:28 UTC
4f521a7 endpoint: Avoid harmless controller failures when endpoint disappears [ upstream commit 8eb1698b2f2ac8980b2d8a4a58bf581f1de70279 ] When the endpoint is no longer alive during a controller run, stop the controller gracefully and wait for it to be deleted. Avoids a spam of controller failures when pods are restarted or endpoints disappear for another reason. Example: ``` msg="Controller run failed" consecutiveErrors=1 error="rlock failed: endpoint is in the process of being removed" name="sync-identity-to-k8s-pod (3558)" subsys=controller uuid=0ea5b9e4-25d6-11e9-8745-080027d2d952 msg="Controller run failed" consecutiveErrors=2 error="rlock failed: endpoint is in the process of being removed" name="sync-identity-to-k8s-pod (3558)" subsys=controller uuid=0ea5b9e4-25d6-11e9-8745-080027d2d952 msg="Controller run failed" consecutiveErrors=3 error="rlock failed: endpoint is in the process of being removed" name="sync-identity-to-k8s-pod (3558)" subsys=controller uuid=0ea5b9e4-25d6-11e9-8745-080027d2d952 msg="Controller run failed" consecutiveErrors=4 error="rlock failed: endpoint is in the process of being removed" name="sync-identity-to-k8s-pod (3558)" subsys=controller uuid=0ea5b9e4-25d6-11e9-8745-080027d2d952 msg="Controller run failed" consecutiveErrors=1 error="rlock failed: endpoint is in the process of being removed" name="sync-identity-to-k8s-pod (1507)" subsys=controller uuid=0ec539f5-25d6-11e9-8745-080027d2d952 msg="Controller run failed" consecutiveErrors=2 error="rlock failed: endpoint is in the process of being removed" name="sync-identity-to-k8s-pod (1507)" subsys=controller uuid=0ec539f5-25d6-11e9-8745-080027d2d952 msg="Controller run failed" consecutiveErrors=3 error="rlock failed: endpoint is in the process of being removed" name="sync-identity-to-k8s-pod (1507)" subsys=controller uuid=0ec539f5-25d6-11e9-8745-080027d2d952 msg="Controller run failed" consecutiveErrors=4 error="rlock failed: endpoint is in the process of being removed" 
name="sync-identity-to-k8s-pod (1507)" subsys=controller uuid=0ec539f5-25d6-11e9-8745-080027d2d952 msg="Controller run failed" consecutiveErrors=1 error="rlock failed: endpoint is in the process of being removed" name="sync-identity-to-k8s-pod (2287)" subsys=controller uuid=6ada57c4-25d6-11e9-8745-080027d2d952 msg="Controller run failed" consecutiveErrors=2 error="rlock failed: endpoint is in the process of being removed" name="sync-identity-to-k8s-pod (2287)" subsys=controller uuid=6ada57c4-25d6-11e9-8745-080027d2d952 ``` Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 02 February 2019, 02:15:28 UTC
5d5f5ff iptables: Fix 127.0.0.1:NodePort to remote pods [ upstream commit 0a98231a0b3a926f2c6470b832d9b361a25765a4 ] Commit c6888d48780 fixed 127.0.0.1:NodePort redirection by adding an additional clause to the kube-proxy masquerade bit clearing rule to ensure that kube-proxy masquerades all traffic with a source IP of 127.0.0.1. This fixes NodePort redirection to local pods but it can cause problem when running in encapsulation mode depending on the rp_filter settings of nodes because the source IP of the traffic will have a source IP equal to any of the node IPs which are not routable on the overlay. This causes reply traffic to be routed back via the underlay which the reverse path filter can potentially drop. Fixes: c6888d48780 ("iptables: Ensure NAT for locally-sourced packets") Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 02 February 2019, 02:15:28 UTC
0ad5f27 pkg/k8s: consider 2 CNPs different if they have different annotations [ upstream commit 2a1c21a119939f9beb9211106b04cef5d2ab8b50 ] Fixes: 7e96576f0ffd ("k8s: create Equalness and Missing Functions for CNP and NP") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 02 February 2019, 02:15:28 UTC
ed4936c backporting: Add set-labels commands to check-stable [ upstream commit 0c1dbad17c2ddb13697d889787b8f0bac3f2fc0f ] Output the full set-labels.py one-liner command when running check-stable to assist backporters attempting to backport. It's up to the backporter to exclude particular PRs if the PR is not included in the PR. Signed-off-by: Joe Stringer <joe@cilium.io> 02 February 2019, 02:15:28 UTC
40e33f3 docs: Fix backporting shell example formatting [ upstream commit bf17c1b8dd9ab07a1d5127e5bb02127623e818c8 ] Sphinx seems to expect indents of three spaces, make each indentation in this section conform with this standard. Signed-off-by: Joe Stringer <joe@cilium.io> 02 February 2019, 02:15:28 UTC
aa7038a Makefile: Serve render-docs on port 9080. [ upstream commit c75b9609f3da2b38d5cc202ca949acbe662f864d ] When running `make render-docs`, serve it on port 9080 so it's less likely to conflict with other local web servers running on port 8080. Signed-off-by: Joe Stringer <joe@cilium.io> 02 February 2019, 02:15:28 UTC
74d14be docs: Update backporting for the latest scripts [ upstream commit 0b40eba0dd61bd6b547bd14cb53b4fdae5f8894b ] Signed-off-by: Joe Stringer <joe@cilium.io> 02 February 2019, 02:15:28 UTC
2c16ed3 backporting: Add summary log option to check-stable [ upstream commit f6b46388de4ad7a012670bbeea91d4e786c98133 ] Allow writing a nicely-formatted PR message to a file: ``` $ check-stable 1.4 my-pr.txt $ cat my-pr.txt v1.4 backports 2019-01-30 * #xxxx -- commit title (@author) ... ``` Signed-off-by: Joe Stringer <joe@cilium.io> 02 February 2019, 02:15:28 UTC
dfa4b36 cilium, bpf: config dependent tail call emission in fast path [ upstream commit e847d018490216dbc5d2b04d06ec83846d13fb85 ] Tail calls are expensive due to being an indirect call and thus subject to speculative execution which is mitigated these days via retpoline in JIT. Let's add some macros that can be used with is_defined(...) to switch between tail call and more performant direct inlined call for fast-path. Given verifier complexity limits we need to be selective when to enable. For now, go for avoiding tail calls when either v4 or v6 is set but not both as it has highest complexity. x86-64 JIT retpoline code-gen output: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a493a87f38cfa48caaa95c9347be2d914c6fdf29 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Joe Stringer <joe@cilium.io> 01 February 2019, 05:41:25 UTC
0681b1c cilium, bpf: explicitly set defines to 1 [ upstream commit 3971de806ffd34ecb4c2a1abcdf1015252254bc7 ] This is needed as it looks like clang has different behavior as gcc on this regard wrt upcoming macro hackery for tail calls. We should make it consistent for all ifdef type checks in general though, right now it's a bit of a mixture in the code emission. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Joe Stringer <joe@cilium.io> 01 February 2019, 05:41:25 UTC
cd16b00 cilium, ipvlan: drop masquerade restriction [ upstream commit d78a86a4836e3ecf91468cb401d27780f57d3a86 ] In Cilium ipvlan datapath mode, it can be enabled just fine since there are two devices ipvlan master and cilium_host. Traffic leaving the node via ipvlan master gets masqueraded with --masquerade=true set but not traffic leaving cilium_host. Traffic back into the latter is only from local traffic but not external hence the extra -DENABLE_EXTRA_HOST_DEV for bpf_netdev attached there on egress in order to match HOST_ID. For the ipvlan master device, the external traffic is pushed right into one of the slaves. The bpf_netdev on ingress comes before reverse address translation on masquerade, but the bpf_netdev.o has neither -DFROM_HOST nor -DENABLE_EXTRA_HOST_DEV set, so secctx will be taken from packet if available (fallback to WORLD_ID e.g. in IPv4) or from local ipcache if we only found WORLD_ID. For the latter however, we only derive the secctx if it was not found to be HOST_ID given masquerade. Note, ipvlan l3s mode requires the following kernel commit in order to work properly (it's being queued for stable kernel's as well): https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=d5256083f62e2720f75bb3c5a928a0afe47d6bc3 With that applied, --masquerade=true works fine. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Joe Stringer <joe@cilium.io> 01 February 2019, 05:41:25 UTC
f949adc bpf: unquote MAX_LXC_OPTIONS in build test [ upstream commit aff22ca0b5e6f64c4864ae6ffb5bed2d33273817 ] We need to unquote it as otherwise this doesn't compile when used in macros. Unquoted they are in any case properly passed to clang. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Joe Stringer <joe@cilium.io> 01 February 2019, 05:41:25 UTC
e96cda8 fqdn: Fix repeat UUID insertion [ upstream commit 1350624f40d6c6274e9fcc8b85a1e80216632318 ] This code path is never hit because UUIDs are always randomized. Nonetheless, fqdn.RuleGen.addRule shouldn't assume that and it should actually work correctly when the same UUID is used. It did not. Previously, re-inserting a UUID would skip adding this rule's UUID to a DNS matchName/Pattern that already had UUIDs associated with it (not necessarily this one!). The code now ensures that this UUID is associated with matchName/Pattern entries in the ToFQDNs rule even on updates that partially modify the rule. Signed-off-by: Ray Bejjani <ray@covalent.io> Signed-off-by: Joe Stringer <joe@cilium.io> 01 February 2019, 05:41:25 UTC
bdc8e6a add DebugLB option to the daemon config options [ upstream commit 39ae2dc80faf0a92591f3a7d944ce64a9686e5df ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 01 February 2019, 05:41:25 UTC
9cec573 daemon: do not allow LB mode to run with tunneling [ upstream commit 944e3670a42a0b4c62f32f123177ba58978f7659 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 01 February 2019, 05:41:25 UTC
9160a54 Test: Report a kubernetes summary to a single file. [ upstream commit 081510d8ba6c0345270ba717a03b0b4d08837a5c ] To make it faster to debug print all resources in a single file in a human friendly format. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 01 February 2019, 05:41:25 UTC
28ba32c health: Use ipvlan slave device in ipvlan-mode [ upstream commit 5f1c2e63c8b0b900f1c50eb43c633a2c9478c51e ] Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Joe Stringer <joe@cilium.io> 01 February 2019, 05:41:25 UTC
69096de bpf: Make netns initialization in spawn_netns.sh optional [ upstream commit a5b7fbc0aa49bdd5db62442ea2bbe50ed322bac3 ] This commit makes creation of a netns and moving of a netdev to it optional. The script is going to be used with an ipvlan slave device which has a limitation - moving the ipvlan slave to a netns resets its qdisc. To prevent this from happening, we create the ipvlan slave, move it to the netns, and only afterwards we add the qdisc. Thus, we can call the script only after the ipvlan slave has been successfully initialized. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Joe Stringer <joe@cilium.io> 01 February 2019, 05:41:25 UTC
0041219 connector: Add function for single step ipvlan slave initialization [ upstream commit d0b1d3dc5c19831e0e2ff1ce950706e5a31ee8ab ] This commit introduces the CreateAndSetupIpvlanSlave function which can be used to initialize an ipvlan slave in a single step, so some boilerplate code can be avoided. Next, we rename SetupIpvlan to CreateIpvlanSlave to better reflect what it actually does: it only creates an ipvlan slave device w/o doing any initialization. Finally, we allow the empty endpoint identifier to be passed to the functions which makes them to generate a random ipvlan slave device name. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Joe Stringer <joe@cilium.io> 01 February 2019, 05:41:25 UTC
c5f8d1a cilium-cni: Use netns pkg in the plugin [ upstream commit 5615c0931e8565bfa7a73ebeaf186f951c1626cc ] Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Joe Stringer <joe@cilium.io> 01 February 2019, 05:41:25 UTC
ab85ff5 netns: Add package [ upstream commit 99a2d55c3ed9367ba0a860394cbdcd1ce62a4c53 ] netns is a package which contains various utility functions used to work with network namespaces. Unfortunately, neither containernetworking/plugins/pkg/ns nor vishvananda/netlink has a proper support for named network namespaces (i.e. a netns which is bind-mounted on /var/run/netns/$NAME), therefore we shell out to "ip netns". Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Joe Stringer <joe@cilium.io> 01 February 2019, 05:41:25 UTC
e07f10f daemon: Enable health check for ipvlan datapath [ upstream commit 14d4acafbffe144f2f2dec8572455f3c761379af ] Currently, it runs in the veth mode which makes probes to remote endpoints to fail because Docker sets the default policy of the FORWARD chain in the filter table of iptables to DROP, and we don't install any rules (w/ `--install-iptables-rules=false`) to allow forwarded traffic to a subnet managed by Cilium. Signed-off-by: Martynas Pumputis <martynas@covalent.io> Signed-off-by: Joe Stringer <joe@cilium.io> 01 February 2019, 05:41:25 UTC
f757682 Test: Delete invalid policies when install. [ upstream commit ab4dfd012e8b02bd4dd4475f5ac9ded18143128e ] Due to the changes in ciliumPolicyAction invalid policies need to be deleted to be able to validate that all policies are enforcing correctly. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 01 February 2019, 05:41:25 UTC
8bb1427 Test: Set gracePeriod to 0 to avoid delays on delete. [ upstream commit 929c55cc98e734525ec00c0d24e8e8654499ccd7 ] Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 01 February 2019, 05:41:25 UTC
b6b0064 operator: Pace kube-dns pod restarts to every 5 minutes [ upstream commit 493b10a83e7ea067172dcb6269b7d309152a107a ] Give a restarted pod 5 minutes to come up before restarting it again. Fixes: #6839 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 01 February 2019, 05:41:25 UTC
5eb58dd FQDN/Proxy: Add request.Id on the log. [ upstream commit 580670e17e0e8b0f141ee97c50a1c040b70ea7ea ] Added request id on the scoped log to be able to debug easily in case of an error. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 01 February 2019, 05:41:25 UTC
495ae23 Endpoint: Fix typo [ upstream commit d767568d6910b787a11637621b472933b3b9f1be ] Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 01 February 2019, 05:41:25 UTC
f9403a0 Metrics: Add a proxy upstream histogram. [ upstream commit 6ea9577ccf3debec19aecb009591aed0d49cb445 ] Added a new upstream histogram for proxy reply on DNS case. This metric will help to understand how long the server took to reply. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 01 February 2019, 05:41:25 UTC
e2b9d58 pkg/client: set new client structure in case of failure [ upstream commit ffce5f8a300dba42e1e40dc422993f2590eaf4c9 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 31 January 2019, 11:32:00 UTC
1884ed6 kubernetes: Bump cilium-etcd-operator version to 2.0.5 [ upstream commit 256f5860ae8efafdfa08291c2c2ab4d07556025e ] Fixes: #6838 Required-for: #6853 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 31 January 2019, 11:32:00 UTC
30f1122 cilium: ipsec: add IPSecKeyFileName option [ upstream commit 64d159747f201729103832ab3357ab195fba325d ] Signed-off-by: Nirmoy Das <ndas@suse.de> Signed-off-by: Joe Stringer <joe@cilium.io> 31 January 2019, 11:32:00 UTC
c38e772 cilium: return formatted error on ipsec-key-file open failure [ upstream commit 62553e195f1b4a92ed4f741fa4a418d633788c98 ] before this PR the cilium-agent error was not so clear: level=fatal msg="Error while creating daemon" error="open : no such file or directory" subsys=daemon Fixes: a7beef597d (cilium: ipsec, import keys via certs file) Signed-off-by: Nirmoy Das <ndas@suse.de> Signed-off-by: Joe Stringer <joe@cilium.io> 31 January 2019, 11:32:00 UTC
7b87c87 datapath/linux: fix updateTunnelMapping when old and new CIDR are nil [ upstream commit 157791dbef5b75566401fb0ada5b91bb53e8ef7c ] node with single IP stack can cause below segfault panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x265d554] goroutine 1 [running]: github.com/cilium/cilium/pkg/datapath/linux.updateTunnelMapping(0x0, 0x0, 0x0, 0x0, 0x0, 0xc000190b20, 0x10, 0x10, 0xc000cc0101) /home/nirmoy/go/src/github.com/cilium/cilium/pkg/datapath/linux/node.go:76 +0x454 github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).nodeUpdate(0xc0001d5dc0, 0x0, 0xc000ad8420, 0x0, 0x0) /home/nirmoy/go/src/github.com/cilium/cilium/pkg/datapath/linux/node.go:480 +0x68a github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).NodeConfigurationChanged(0xc0001d5dc0, 0x5dc, 0x5aa, 0x1, 0x49ac080, 0x0, 0x0, 0x10001000101, 0x0, 0x0) /home/nirmoy/go/src/github.com/cilium/cilium/pkg/datapath/linux/node.go:660 +0x1e1 main.(*Daemon).compileBase(0xc000528c40, 0x0, 0x0) /home/nirmoy/go/src/github.com/cilium/cilium/daemon/daemon.go:533 +0x7a9 main.(*Daemon).init(0xc000528c40, 0xc000528c40, 0x20) /home/nirmoy/go/src/github.com/cilium/cilium/daemon/daemon.go:675 +0x126 main.NewDaemon(0x300c6a0, 0xc00094c810, 0x1, 0x1, 0xc000827928, 0x11fd242) /home/nirmoy/go/src/github.com/cilium/cilium/daemon/daemon.go:1191 +0x1177 main.runDaemon() /home/nirmoy/go/src/github.com/cilium/cilium/daemon/daemon_main.go:1062 +0x214 main.glob..func1(0x43bb060, 0xc000948000, 0x0, 0x9) /home/nirmoy/go/src/github.com/cilium/cilium/daemon/daemon_main.go:108 +0x30 github.com/cilium/cilium/vendor/github.com/spf13/cobra.(*Command).execute(0x43bb060, 0xc00004c0b0, 0x9, 0x9, 0x43bb060, 0xc00004c0b0) /home/nirmoy/go/src/github.com/cilium/cilium/vendor/github.com/spf13/cobra/command.go:766 +0x2cc github.com/cilium/cilium/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0x43bb060, 0x2fef610, 0x3016ee0, 0x2fef630) 
/home/nirmoy/go/src/github.com/cilium/cilium/vendor/github.com/spf13/cobra/command.go:852 +0x2fd github.com/cilium/cilium/vendor/github.com/spf13/cobra.(*Command).Execute(0x43bb060, 0x0, 0x0) /home/nirmoy/go/src/github.com/cilium/cilium/vendor/github.com/spf13/cobra/command.go:800 +0x2b main.daemonMain() /home/nirmoy/go/src/github.com/cilium/cilium/daemon/daemon_main.go:126 +0x14c main.main() /home/nirmoy/go/src/github.com/cilium/cilium/daemon/main.go:30 +0xc9 nirmoy@chapman:~/go/src/github.com/cilium/cilium> fg vim /home/nirmoy/go/src/github.com/cilium/cilium/pkg/datapath/linux/node.go Fixes: #6842 Signed-off-by: Nirmoy Das <ndas@suse.de> Signed-off-by: Joe Stringer <joe@cilium.io> 31 January 2019, 11:32:00 UTC
942d930 Don't put empty node ips into special identities [ upstream commit dd5595b1f58425c7d1aa880a735c2abe9144394c ] This change causes `lxcmap-bpf-host-sync` controller to not sync internal ips until they are set by AllocateInternalIPs in daemon Signed-off-by: Maciej Kwiek <maciej@covalent.io> Signed-off-by: Joe Stringer <joe@cilium.io> 31 January 2019, 11:32:00 UTC
96cadc2 Flannel: Fix Jenkins jobs. [ upstream commit e1ec8cdf9aef435fe9220ffe5a85da9ffe4854b7 ] Fix jenkins jobs related with Flannel and report status to Github. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 31 January 2019, 11:32:00 UTC
8420a00 docs: Document ConfigMap option changes in v1.4 [ upstream commit f2453b1b79f83eaf365336ff334e3daae050f77e ] Fixes: #6590 Signed-off-by: Joe Stringer <joe@cilium.io> 31 January 2019, 11:32:00 UTC
7a79a89 daemon: exit agent if ipv6 is enabled in the agent but not in kernel [ upstream commit 7bb6728b930ff863c65dced7de5a1959c8a1d465 ] Fixes: #6815 Signed-off-by: Nirmoy Das <ndas@suse.de> Signed-off-by: Joe Stringer <joe@cilium.io> 31 January 2019, 11:32:00 UTC
12208f9 doc: Restructure getting started guides [ upstream commit 9abbd9f361cd1bf400126fb1f28d6c844c654269 ] This completely restructures the installation relevant getting started guides and puts them all in one place. It also provides detailed instructions for the etcd-operator and provides a separate guide when using an external etcd. * New EKS guide using eksctl, relies on #6805 * GKE guide Fixes: #6783 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 31 January 2019, 11:32:00 UTC
e195f53 kubernetes: Generate all-in-one yaml for node init [ upstream commit c0d8caa05f6c0de35cd16d2a820754f9218bf7f9 ] Diff to github.com/cilium/gke/cilium-deployment.yaml for easier review: ``` --- cilium-deployment.yaml 2019-01-28 19:56:35.000000000 -0800 +++ 1.12/cilium-with-node-init.yaml 2019-01-28 20:07:02.000000000 -0800 @@ -131,6 +131,12 @@ # a container. When the Cilium DaemonSet is removed, the BPF programs will # be kept in the interfaces unless this option is set to "true". flannel-uninstall-on-exit: "false" + # Installs a BPF program to allow for policy enforcement in already running + # containers managed by Flannel. + # NOTE: This requires Cilium DaemonSet to be running in the hostPID. + # To run in this mode in Kubernetes change the value of the hostPID from + # false to true. Can be found under the path `spec.spec.hostPID` + flannel-manage-existing-containers: "false" --- apiVersion: apps/v1 kind: DaemonSet @@ -271,8 +277,14 @@ key: flannel-uninstall-on-exit name: cilium-config optional: true - image: docker.io/cilium/cilium:v1.4.0-rc4 - imagePullPolicy: IfNotPresent + - name: CILIUM_FLANNEL_MANAGE_EXISTING_CONTAINERS + valueFrom: + configMapKeyRef: + key: flannel-manage-existing-containers + name: cilium-config + optional: true + image: docker.io/cilium/cilium:latest + imagePullPolicy: Always lifecycle: postStart: exec: @@ -339,6 +351,7 @@ readOnly: true dnsPolicy: ClusterFirstWithHostNet hostNetwork: true + hostPID: false initContainers: - command: - /init-container.sh @@ -505,8 +518,8 @@ key: AWS_DEFAULT_REGION name: cilium-aws optional: true - image: docker.io/cilium/operator:v1.4.0-rc4 - imagePullPolicy: IfNotPresent + image: docker.io/cilium/operator:latest + imagePullPolicy: Always name: cilium-operator volumeMounts: - mountPath: /var/lib/etcd-config @@ -534,9 +547,10 @@ defaultMode: 420 optional: true secretName: cilium-etcd-secrets + --- -apiVersion: v1 kind: ServiceAccount +apiVersion: v1 metadata: name: cilium-operator namespace: cilium 
@@ -545,6 +559,7 @@ kind: ClusterRole metadata: name: cilium-operator + namespace: cilium rules: - apiGroups: - "" @@ -591,6 +606,7 @@ kind: ClusterRole metadata: name: cilium-etcd-operator + namespace: cilium rules: - apiGroups: - etcd.database.coreos.com @@ -660,6 +676,7 @@ kind: ClusterRoleBinding metadata: name: cilium-etcd-operator + namespace: cilium roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -673,6 +690,7 @@ kind: ClusterRole metadata: name: etcd-operator + namespace: cilium rules: - apiGroups: - etcd.database.coreos.com @@ -726,6 +744,7 @@ kind: ClusterRoleBinding metadata: name: etcd-operator + namespace: cilium roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -735,8 +754,8 @@ name: cilium-etcd-sa namespace: cilium --- -apiVersion: v1 kind: ServiceAccount +apiVersion: v1 metadata: name: cilium-etcd-operator namespace: cilium ``` Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 31 January 2019, 11:32:00 UTC
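Review bot: In the `@@ -271,8 +277,14 @@` hunk, and again for the operator in `@@ -505,8 +518,8 @@`, the image moves from the pinned `v1.4.0-rc4` tag with `imagePullPolicy: IfNotPresent` to `:latest` with `imagePullPolicy: Always`, so every pod restart pulls whatever was pushed most recently and two nodes in one cluster can end up running different agent builds. For a manifest that users apply directly, keep a release tag (or an image digest) in the shipped file and leave `:latest` to development-only descriptors.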
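Review bot: The `+ namespace: cilium` lines added under `metadata` in the `kind: ClusterRole` and `kind: ClusterRoleBinding` hunks (`@@ -545,6 +559,7 @@` through `@@ -726,6 +744,7 @@`) set a namespace on cluster-scoped objects, where the field has no effect and can suggest that the RBAC grant is confined to the `cilium` namespace when it is cluster-wide. Drop the field from these objects and keep it only on the namespaced ones, such as the ServiceAccounts.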
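Review bot: The comment added in the `@@ -131,6 +131,12 @@` hunk points users at `spec.spec.hostPID`, but in a DaemonSet the pod spec sits under `spec.template.spec`, which is where the `@@ -339,6 +351,7 @@` hunk adds `hostPID: false` beside `hostNetwork: true`. Correct the path to `spec.template.spec.hostPID`, and say in the comment that setting it to true places the agent container in the host PID namespace, so it should stay `false` unless `flannel-manage-existing-containers` is in use.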
98e9438 kubernetes: Provide a node-init DaemonSet for GKE [ upstream commit 3c8cb176cdfae4b52b0aae0aa48224d7889f8c73 ] This enables auto-scaling and automatic enablement of nodes without requiring to execute additional commands. It can be further improved with tolerations to avoid scheduling before the node-init DaemonSet has run. It is also potentially useful to EKS. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 31 January 2019, 11:32:00 UTC
b671e8b kubernetes: Provide all-on-one YAML for external etcd [ upstream commit 42b53a7b32fdc2e6bb4150f7d08421a81c4b748b ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 31 January 2019, 11:32:00 UTC
506068f cilium: ipsec, ipv6 recv support [ upstream commit 2cddea1bbfb54aa234a09d36fb930ebfc7c184b0 ] Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
c127e67 cilium: ipsec, ipv6 support [ upstream commit 34e49dfb5ffbcc3211511eab1e39ea0c6002bcab ] Add ipv6 support to BPF programs Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
b255489 cilium: ipsec, add IPv6 route rules [ upstream commit 2c98f20c416ea6fb6e798cddf1120c8edf10e3e8 ] Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
099a133 cilium: ipsec, improve route rules updates to prep for IPv6 [ upstream commit e1adfa19fda80fdce99da695b727047cbfd548d6 ] In preparation for IPv6 rules add family and masks to the route rules replacement. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
f6dbf97 cilium: ipsec, add xfrm rules for IPv6 [ upstream commit f3fc874cf1cc05198835642031601a92f5c840d2 ] Add policy and state rules for IPv6. Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
d735867 cilium: ipsec, enable ipv6 forwarding "all" when IPSec is enabled [ upstream commit 0117f05fe0704ad2e04deb738f98ff8d7cc3902a ] Check IPSec status at daemon start and enable IPv6 forwarding if required. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
e26a529 cilium: ipsec, configure cilium_overlay for encrypt support [ upstream commit a9ed32324e2feb70b4e94cddf0560052eb71dcd8 ] The cilium_overlay device also needs rp_filter disabled and forwarding enabled. Pass it through same setup as cilium_{host|net}. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
6636bb2 cilium: ipsec, check for key instead of segfault [ upstream commit 72e80d98f765435161a2018672623f0f201b1652 ] In general keys must be loaded before state/policy from ipsec is added. However, if a state/policy is attempted before the key file is loaded and/or the key file omits a default key currently the ipsec code will segfault. Instead of segfaulting this patch will now throw an error. Found when I added unit tests in future patch. This segfault does not actually happen with cilium-agent but it's nice to have and make the code a bit more resilient. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
3257370 cilium: ipsec, replace node ip addrs with addr types [ upstream commit 11b8f7389412b9127c72c4649eb8bd58f402b470 ] Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
fec4c71 fqdn proxy cache list CLI [ upstream commit 8ec7e6d1562d9c03598a0cd351b464caec9de245 ] Add `cilium fqdn cache list` cli command Signed-off-by: Maciej Kwiek <maciej@covalent.io> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
6ebb3ef contrib: Accept multiple commits in 'cherry-pick' [ upstream commit 8b74d6b7139a992b3905f26f886d1317a749f5ae ] Update the 'cherry-pick' commit to accept multiple commits, which it will attempt to apply one-by-one until either they all apply or a patch fails to apply. When a patch fails to apply, it will terminate and not continue applying the rest of the commits in the list. Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
a254acd Documentation: add "fqdn" to allowed wordlist [ upstream commit 4997925bc8f48a4f4f82d02060cd25680e60bd51 ] Signed-off by: Ian Vernon <ian@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
801cb34 operator: Don't restart kube-dns when running in HostNetwork mode [ upstream commit 2e7186c45e1be576e8ddd4abae80befc70c674cd ] Fixes: #6819 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
cab4348 pkg/client: add missing comment [ upstream commit a20e6b8acaa92d8bed9c1b3a5415b4d4340031b3 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
762c99b client: Use one err variable in client with timeout [ upstream commit 6b09f010ac0b40968bb5a52b44772a58807f16ac ] Before this change, `GetConfig` call in `NewDefaultClientWithTimeout` was using its own `err` variable, which was never returned and nil error was returned instead. Fixes: d48af6ab5c28 ("pkg/client: wait until the client has connectivity with daemon") Fixes: #6801 Signed-off-by: Michal Rostecki <mrostecki@suse.de> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
deaf0e3 Test: Assertion helper change order. [ upstream commit f57d450678ff2c49fea088705e00e132bf16aac5 ] At the moment, Cilium is validated that all is ok before etcd pods and the dns pods are ready. So Cilium can be restarted due to timeout on etcd connection and pre-flight checks do not happen afterwards. With this change we make sure that Cilium is installed correctly after etcd-operator and the pre-flight errors are ok before doing any test. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
4d55159 allocator: Remove kvstore refresh on failure watermark [ upstream commit 3b1b58245898012183a7014bd2c1cff199d0d661 ] Logs have proven that we have never hit this watermark so far. The code behind it is hard to test and only complicates the logic. Remove it. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
85da38b idpool: Use checker.DeepEquals in unit tests [ upstream commit 1e91684f22474b44ced8cd9ed8fc72aa1a86e05b ] Signed-off-by: Michal Rostecki <mrostecki@suse.de> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
37ca613 idpool: Remove erroneous index cache [ upstream commit e91fb0a85131c2e7ad2dd5cde076cc40e4a0cec0 ] The index was trying to act as an index to the ids slice. However, the index was not properly fixed up when an ID was removed from the middle of the slice. There is no need for the complicated index mechanism, simply use a hashtable and leverage the random map range behavior to pick a random number. Fixes: #6632 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
0017076 idpool: Add additional testing and benchmarks [ upstream commit db21531aaa0fdfe6f8eda02ddfd00d2440d279fc ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
fc60ccd idpool: Remove unused and unprotected Dump() function [ upstream commit fa17ba5fd3304b03e3214e56bd7d8cd1b123140b ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
2ccb396 store: Fix race condition when access store keys [ upstream commit a16c854d18363702406748e14aa56b4d256ebdd4 ] This fixes two race conditions: * The shared keys in the store are no longer updated in place but replaced with new objects. Users of the store continue to be notified via the OnUpdate() interface * The local keys continue to be collected but are deep copied so the deep copy can continuously be pushed into the kvstore. The only user of UpdateLocalKey() is the node discovery, the local node is never changing after the initial registration so no further changes are needed. Fixes: #6422 Fixes: #6572 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
28a3d4d kvstore: Use checker.DeepEquals in unit tests [ upstream commit a35399e6c6a995c929bf36b66e4915f9efcbb46f ] Signed-off-by: Michal Rostecki <mrostecki@suse.de> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
708032a service: Generate DeepCopy() function for ClusterService [ upstream commit 967f9a3973352b4bc2a5b134ce3fbd5926703971 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
d5c6b6a endpoint: Fix old endpoint identity release [ upstream commit f7b768bcbe5107ad763a86bc4828a3134bd74709 ] The old identity release logic mistakenly released the identity in some of the error paths which could lead to an endpoint identity no longer being reference counted. Fixes: #6308 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
a18b5c5 operator: Allow running operator before kvstore connectivity is achieved [ upstream commit b59f72598c67234b20c12f377f894593ed8ca04b ] It is possible to provide CEP garbage collection and other services before the kvstore is connected. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
e459cdb operator: Automatically restart unmanaged kube-dns pods [ upstream commit f616d20685cb638ab2fd8819d2a7e84faa7bd716 ] Check for unmanaged kube-dns pods every 15 seconds and restart these pods automatically. This avoids requiring to document the need to restart kube-dns during installation and helps bring up the etcd-operator a lot smoother. In order to avoid restarting cycles, a minimal age of the kube-dns pod is required before restarting. This is set to 30 seconds for now. Log example message ``` level=info msg="Restarting unmanaged kube-dns pod kube-system/coredns-cd9c8565f-tq4mc started 58.414470847s ago" subsys=cilium-operator ``` Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
ea14baf pkg/endpoint: restore endpoints that were being regenerated [ upstream commit bb099df4c32ae454ce1e70db1ab4d1f5b4930d04 ] If cilium-agent got terminated while an endpoint was being created for the first time, Cilium could not restore that endpoint from previous life as the endpoint was never considered "alive" in the first place. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
45e2227 datapath/linux: Explode node handling datapath unit tests to IPv4/IPv6 only [ upstream commit a227a0298b8a421c75770534c77e44cf2053ede7 ] Run all unit tests and benchmarks with the following three addressing configurations: * IPv4 only * IPv6 only * IPv4 & IPv6 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
cc042f2 datapath/linux: Fix node route creation when allocation CIDR is nil [ upstream commit 5d20ca7e8322268320ee37096e19b8c7563e6a6f ] Ensure that the allocation CIDR is non-nil and verify that the required nodeAddressing requirements are fulfilled. Fixes the following panic: ``` [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x259ebf1] goroutine 1 [running]: github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).createNodeRoute(0xc00017d650, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...) /go/src/github.com/cilium/cilium/pkg/datapath/linux/node.go:292 +0x71 github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).lookupNodeRoute(0xc00017d650, 0x0, 0xc0004804e0, 0x10, 0x10) /go/src/github.com/cilium/cilium/pkg/datapath/linux/node.go:309 +0x50 github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).nodeUpdate(0xc00017d650, 0x0, 0xc000e94c60, 0x0, 0x4adf920) /go/src/github.com/cilium/cilium/pkg/datapath/linux/node.go:456 +0x4b8 github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).NodeConfigurationChanged(0xc00017d650, 0x5dc, 0x5aa, 0x0, 0x4adf920, 0x0, 0x0, 0x10000000100, 0x0, 0x0) /go/src/github.com/cilium/cilium/pkg/datapath/linux/node.go:622 +0x1e1 main.(*Daemon).compileBase(0xc0007be700, 0x0, 0x0) /go/src/github.com/cilium/cilium/daemon/daemon.go:533 +0x7a9 main.(*Daemon).init(0xc0007be700, 0xc000e332b8, 0x1) /go/src/github.com/cilium/cilium/daemon/daemon.go:675 +0x126 main.NewDaemon(0x2f49b80, 0xc0004c8de0, 0x1, 0x1, 0xc00088f928, 0x113d542) /go/src/github.com/cilium/cilium/daemon/daemon.go:1191 +0x1177 main.runDaemon() /go/src/github.com/cilium/cilium/daemon/daemon_main.go:1062 +0x214 main.glob..func1(0x44ee920, 0xc0007e67d0, 0x0, 0x5) /go/src/github.com/cilium/cilium/daemon/daemon_main.go:108 +0x30 github.com/cilium/cilium/vendor/github.com/spf13/cobra.(*Command).execute(0x44ee920, 0xc00004c1f0, 0x5, 0x5, 0x44ee920, 0xc00004c1f0) /go/src/github.com/cilium/cilium/vendor/github.com/spf13/cobra/command.go:766 +0x2cc github.com/cilium/cilium/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0x44ee920, 0x2f2caf0, 0x2f543c0, 0x2f2cb10) /go/src/github.com/cilium/cilium/vendor/github.com/spf13/cobra/command.go:852 +0x2fd github.com/cilium/cilium/vendor/github.com/spf13/cobra.(*Command).Execute(0x44ee920, 0x0, 0x0) /go/src/github.com/cilium/cilium/vendor/github.com/spf13/cobra/command.go:800 +0x2b main.daemonMain() /go/src/github.com/cilium/cilium/daemon/daemon_main.go:126 +0x14c main.main() /go/src/github.com/cilium/cilium/daemon/main.go:30 +0xc9 ``` Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
25a1a91 cilium-cni: build endpoint synchronously in flannel mode [ upstream commit bfd55185173cb5e363fad05fcf02a7c33f0b7185 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
c1126c1 flannel.Jenkinsfile: test against k8s 1.9 as k8s 1.8 is not supported [ upstream commit 79a05b50f56d2c019e7378621dd1df742fe6929f ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
69bbe58 Revert "pkg/datapath: ignore iptables MASQUERADE rules in flannel mode" [ upstream commit e7c587b1df4a0780590c1f6bfa2eb701bd181fc5 ] This reverts commit 7740e3914ebf2bb36860369aeda585a94b2c17c1. Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
0d32552 daemon: syncLBMapsWithK8s - delete k8s service once if not found [ upstream commit 853fec659702b724295b83e0df8b282c033933f6 ] As lbmap.DumpServiceMapsToUserspace returns a list of backend services, this list of backend services can contain duplicated entries as BPF lb map can contain multiple entries for the same service as shown by the following log messages: ``` level=debug msg="parsing service mapping" bpfMapKey="10.98.234.114:9125" bpfMapValue="0.0.0.0:0 (0)" subsys=map-lb level=debug msg="converting ServiceKey and ServiceValue to frontend and backend" obj="0.0.0.0:0 (0)" serviceID="10.98.234.114:9125" subsys=map-lb level=debug msg="creating L3n4Addr for ServiceKey" serviceID="10.98.234.114:9125" subsys=map-lb level=debug msg="adding frontend and backend to SVCMap" backend="0.0.0.0:0, weight: 0" backendIndex=0 frontend="10.98.234.114:9125" subsys=loadbalancer level=debug msg="parsing service mapping" bpfMapKey="10.98.234.114:9125" bpfMapValue="10.10.1.222:9125 (29)" subsys=map-lb level=debug msg="converting ServiceKey and ServiceValue to frontend and backend" obj="10.10.1.222:9125 (29)" serviceID="10.98.234.114:9125" subsys=map-lb ``` In order to correctly remove this list of services that are no longer being managed by k8s one should use a Set to avoid trying to delete multiple times the same LB service which results in controller errors such as: ``` msg="Controller run failed" consecutiveErrors=2 error="Errors deleting BPF map entries: key 10.98.234.114:42275 is not in lbmap... ``` Fixes: cc4be8e37107 ("daemon: sync BPF maps with in-memory K8s service maps") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
1576284 bpf: Remove GetLRUMapType() [ upstream commit bc911162fb7bc62dd718350caa06049f7b85e5fe ] Previously the ctmap used a dedicated additional helper, GetLRUMapType(), to determine the map type of the conntrack maps whenever the objects were created, however a recent patch has introduced such logic into the main OpenOrCreate() function, so this is no longer necessary. Rely on the automatic fallback to MapTypeHash provided by OpenOrCreate() instead. Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
0586c44 bpf: Autodetect map type support on open [ upstream commit ab721bc6d5eaad40a9377064b853758aa8dd0d3c ] Use the BPF probes of the LPM support in the kernel to set the map type during OpenOrCreate of the map before attempting to create the map. This should avoid situations on older kernels where a previous Cilium instance creates the ipcache map as a hash map, then Cilium is re-run and on startup it first sees the wrong map type and attempts to delete it because the type is wrong (hash, not LPM), then attempts to create the LPM map, fails, and falls back to hash map. This would create unnecessary churn and recreation of IPCache maps, potentially leading to some amount of network connectivity downtime. Fixes: #6775 Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
0c9c673 endpoint: Properly cache ipvlan option [ upstream commit 4bf03dbb438e301e7d99e7d91285581ee10f5e8f ] This option was being dereferenced while the endpoint was unlocked and could (in theory) disappear. Cache it instead. Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
d07ce86 agent: Announce both IPv4 and IPv6 node address via node discovery [ upstream commit 3ff455e1ced5836790155beaedc2b3493f2861ce ] No real functional differences as the IPv6 node address is not used in the datapath but it ensures that the IPv6 node address is listed in `cilium node list`. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
42d8348 cli: Only print address range in cilium status when enabled [ upstream commit 9e0aca07c657fdb75a11c49221ee9c234c779bfa ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
7dfa8e5 node: Only require external IPv4 node address when IPv4 or encapsulation is enabled [ upstream commit 0c22956df3f1ab873a2763e4d3fb7d464b612309 ] The external IPv4 node address is not required in pure IPv6 direct routing mode. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
3ff1569 cni: Check if NodeAddressing.IPv* is nil [ upstream commit 9c70fee985d76595a4e9d0216de4929c27c2f534 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
7ec6835 node: Only return node addressing for address families that are enabled [ upstream commit f3ede032ed7df8a781e37d47968608d959acdc16 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
6afbffd node: Only auto-generate allocation prefix when address family is enabled [ upstream commit d858c9cf75823086431d4ece6a6931ca8e60cff9 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
8a22743 fqdn: Prepare DNS proxy for node IPs to be nil [ upstream commit dd09d30ead3225682015516a6bd1cb77e8678370 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
3818f6f proxy: Prepare proxy layer for node IPs to be nil [ upstream commit 91d7a7be8ab0d65f90c2c363f7ebf0dc9946760e ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
f654289 bpf: Only define IPV4_MASK when IPv4 is enabled [ upstream commit 889fd1d0c40a18873227776e883c85315c89866f ] Prepare for GetIPv4AllocRange() to potentially return nil and only use it when IPv4 is enabled. The BPF datapath has also become capable of not requiring IPv4 so the workaround can be removed. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
708b219 agent: Support IPv6 NodeSuffix() [ upstream commit 845ba0311d2fc68afcdcc6fb7f7aab28d1c8a094 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
2a66b2b node: Do not restore NodeIP from node_config.h for disabled address family [ upstream commit 2abbfa8b40a440fa8318d8c8c89ed1570df93866 ] This is required to stop using a NodeIP for an address family that has been disabled. This can happen if a user is switching on/off address families on a node. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
9f86014 k8s: Do not inherit PodCIDR for disabled address family from k8s node [ upstream commit be469fea38f3601c1e729cd5c4374d695a87718c ] The node IPs should be derived. The IPv4 external IP can be used for encapsulation of an IPv6 only PodCIDR environment. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC