Skip to main content

Browse the archive

https://github.com/cilium/cilium
12 July 2024, 03:14:21 UTC
sort by:
Revision Author Date Message Commit Date
e47b37c Ian Vernon 26 April 2019, 03:20:13 UTC Prepare for v1.5.0 Signed-off by: Ian Vernon <ian@cilium.io> 26 April 2019, 03:21:47 UTC
9e1b804 Ian Vernon 24 April 2019, 20:52:47 UTC Prepare v1.5.0-rc6 Signed-off by: Ian Vernon <ian@cilium.io> 24 April 2019, 20:53:54 UTC
11f2de8 Thomas Graf 23 April 2019, 16:48:27 UTC iptables: Correctly remove Cilium chains when IPv6 is disabled [ upstream commit e4849ea9046093751bb9fdf311f93d85d91386b8 ] The Cilium chain removal in RemoveRules() was made dependent on IPv6 being enabled, this is incorrect and leads to the following error when Ipv6 is disabled: ``` level=warning msg="iptables: Chain already exists." subsys=iptables level=error msg="Error while initializing daemon" error="cannot add custom chain CILIUM_OUTPUT: exit status 1" subsys=daemon ``` Fixes: 5b17c993e57 ("datapath/iptables: Check iptables kernel modules") Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 24 April 2019, 15:09:00 UTC
1cf8902 Joe Stringer 22 April 2019, 23:54:57 UTC k8s: Fix unformatted go source code [ upstream commit c6548df941b48462441c653c3531fdff6f49dd56 ] make complains: ``` Unformatted Go source code: ./pkg/k8s/json_patch.go Signed-off-by: Joe Stringer <joe@cilium.io> 24 April 2019, 15:09:00 UTC
ffc84af Martynas Pumputis 23 April 2019, 14:06:03 UTC examples: Do not bind mount /sbin/modprobe [ upstream commit e2b3db3bc33fcffa70fc4c5e1a7955d56f664cc9 ] The host's modprobe might be dynamically linked which running from a container might not work as expected. E.g.: [ 1112.449703] modprobe[10018]: segfault at 1a010 ip 00007f31ba4598b8 sp 00007fff6848d1d8 error 4 in libc-2.27.so[7f31ba2ef000+1e7000] (Experienced on GKE) Fixes: 464978c0 ("k8s: Add SYS_MODULE capability, module paths") Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Joe Stringer <joe@cilium.io> 24 April 2019, 15:09:00 UTC
fa09137 Martynas Pumputis 23 April 2019, 12:07:20 UTC Update cilium-runtime image [ upstream commit a12e489d125e390b2f133ef9ca418b64168f5435 ] The updated image includes `modprobe`. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Joe Stringer <joe@cilium.io> 24 April 2019, 15:09:00 UTC
047d7b0 Martynas Pumputis 23 April 2019, 10:39:35 UTC contrib: Install modprobe to cilium-runtime image [ upstream commit 03414984883ee94c796b80971b72fd9f4708e7fd ] Currently, the cilium-agent relies on `modprobe` to install missing kernel modules. The `kmod` package for Ubuntu installs the `modprobe` executable and we currently do not ship it with the Cilium container image which can lead to the following error (reported by a user): ``` IPv6 is enabled and ip6tables modules could not be initialized" error="could not load module ip6_tables: exec: \"modprobe\": executable file not found in $PATH" subsys=iptables ``` Fixes: e45c4b2 ("datapath/iptables: Check iptables kernel modules") Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Joe Stringer <joe@cilium.io> 24 April 2019, 15:09:00 UTC
f0330a9 André Martins 23 April 2019, 09:11:51 UTC k8s: fix panic of closed channel [ upstream commit 218f4dc5ff9019d78b896e452a93c2491854ee6a ] The channel was previously closed and it does not need to be re-closed again. Fixes: a63342e75944 ("k8s: Fix leak of k8s controller on kvstore connect & disconnect") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 24 April 2019, 15:09:00 UTC
8257ba7 André Martins 12 April 2019, 18:43:41 UTC operator: GC nodes from existing CNPs [ upstream commit 0cd1be0e64dc848ea9db83a90e6e2564a4a22f9f ] As nodes can be removed from the cluster their status in the CNP can be left behind. The operator will be checking if nodes are still running and if not, they will be removed from the CNP Node Status. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Ian Vernon <ian@cilium.io> 23 April 2019, 07:01:38 UTC
371ae43 Joe Stringer 22 April 2019, 18:44:16 UTC contrib: Fix cherry-pick script [ upstream commit d1c258aa45ecd28920102193e7d42ed1c4dceec8 ] This script doesn't work currently because it invokes bash-only features (BASH_SOURCE) when the top of the script states it's supposed to be a generic 'sh' script. Fix it by relying on bash. Fixes: 65b001f43779 ("contrib: Exit early if no git remote is found") Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Ian Vernon <ian@cilium.io> 23 April 2019, 07:01:38 UTC
8c0ddf5 Martynas Pumputis 22 April 2019, 17:06:33 UTC daemon: Log duration of service restoration and migration [ upstream commit b2f70aaf6fc28789d62fa5674f7f5053c351380b ] Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Ian Vernon <ian@cilium.io> 23 April 2019, 07:01:38 UTC
4785644 André Martins 11 April 2019, 08:51:13 UTC operator: GC leftover nodes in the kvstore [ upstream commit cc11f4d97ed51a9ef2046366487e7ddacdb98dde ] If the operator stops running and at the same time nodes are evicted from the cluster, those nodes will never be removed from the kvstore as the operator is the entity that handles the synchronization of nodes from k8s to the kvstore. With this change the operator will remove the nodes from the KVStore that are no longer running in a k8s cluster. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Ian Vernon <ian@cilium.io> 23 April 2019, 07:01:38 UTC
00c9339 André Martins 11 April 2019, 08:48:44 UTC kvstore/store: add SharedKeysMap() method [ upstream commit 24309166d9b7b89e01a3d79b64f46df603577f1d ] SharedKeysMap will be used to access the SharedKeys map without holding the lock of the shared map. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Ian Vernon <ian@cilium.io> 23 April 2019, 07:01:38 UTC
3263d8b André Martins 11 April 2019, 08:45:57 UTC pkg/kvstore: refactored GetKeyName() to own interface [ upstream commit a3b8f7d50d4366ad42fd0ee8efd933b0d95e8a32 ] As DeleteLocalKey only requires the name of the Key it does not actually need a structure to implement the LocalKey interface. This allows to delete LocalKeys based on the name. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Ian Vernon <ian@cilium.io> 23 April 2019, 07:01:38 UTC
839b826 Martynas Pumputis 18 April 2019, 08:50:54 UTC test: Add test for service migration between legacy and v2 [ upstream commit 0581293e7a4176258e196a724a027b6bdd60799a ] The test is based on a dummy TCP listener and sender [1] which panic if recv or send fails. Running those in containers make a container to restart if there were any failures. So, by inspecting restart count we can see whether there were any interruptions in established connections after we migrate between legacy and v2 services. We set bpf-ct-global-tcp-max=1000000 and preallocate-bpf-maps=true to make sure that CT does not get recreated due to different size to avoid losing connections. [1]: https://github.com/cilium/migrate-svc-test Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Ian Vernon <ian@cilium.io> 23 April 2019, 07:01:38 UTC
48c9930 Jarno Rajahalme 22 April 2019, 14:55:02 UTC istio: Update to release 1.1.3 [ upstream commit 08d1cfd851070e22a2b9d3c52a192653a06cba34 ] Update the CI and the getting started guide to Istio 1.1.3. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Joe Stringer <joe@wand.net.nz> 22 April 2019, 21:19:22 UTC
c4f761c Maciej Kwiek 19 April 2019, 11:01:04 UTC Check for dup container id before ep creation [ upstream commit 3c71bc7b029899ad2c88ac82c55632e6c0d876e9 ] Endpoint creation fails if there already exists endpoint with the same ContainerID. Signed-off-by: Maciej Kwiek <maciej@covalent.io> Signed-off-by: Joe Stringer <joe@wand.net.nz> 22 April 2019, 21:19:22 UTC
00512c3 Ian Vernon 19 April 2019, 17:09:46 UTC examples: do not specify "type: Directory" for mounting `/lib/modules` [ upstream commit f417f31e15501f7130fdb4db8c8ebd80cc42270d ] On some distributions, the path to `/lib/modules` is a symlink, not a directory. In such cases, deploying the Cilium DaemonSet with "type: Directory" for the volumeMount for mounting `/lib/modules` will fail because a symlink is not a directory. Such cases will result in the following errors when deploying the Cilium DaemonSet: ``` Warning FailedMount 1m (x9 over 3m) kubelet,<IP redacted> MountVolume.SetUp failed for volume "lib-modules" : hostPath type check failed: /lib/modules is not a directory ``` To resolve this issue, do not specify the type of the volumeMount. If `/lib/modules` is a symlink, the actual path will be resolved and the volume will be mounted correctly. This was tested manually. Fixes: #7785 Signed-off by: Ian Vernon <ian@cilium.io> Signed-off-by: Joe Stringer <joe@wand.net.nz> 22 April 2019, 21:19:22 UTC
409ff03 Joe Stringer 19 April 2019, 21:34:37 UTC docs: Update kubernetes compatibility list [ upstream commit 9cfd5303cfc60c45fffd4a823709ef1309e9046b ] Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Joe Stringer <joe@wand.net.nz> 22 April 2019, 21:19:22 UTC
3753ed3 Jarno Rajahalme 19 April 2019, 19:52:29 UTC docs: Update urllib3 dependency to address CVE-2019-11324 [ upstream commit 27483b9277fd41b06735c558eff7eb8508e2c39f ] Update urllib3 dependency to 1.24.2 to address CVE-2019-11324 (https://nvd.nist.gov/vuln/detail/CVE-2019-11324). Note that this only affects the documentation build process, which requires the manual steps for installing the required Python dependencies as documented in Documentation/contributing.rst. We do not depend on urllib3 otherwise. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Joe Stringer <joe@wand.net.nz> 22 April 2019, 21:19:22 UTC
ae9ef6a Joe Stringer 18 April 2019, 23:25:05 UTC bugtool: Add tests for filepath walk [ upstream commit e92cf2f2155153ba6472e12d61fe8abcde6336c6 ] Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Joe Stringer <joe@wand.net.nz> 22 April 2019, 21:19:22 UTC
92d78b5 Joe Stringer 18 April 2019, 23:25:48 UTC bugtool: Copy symlinks as-is [ upstream commit 0797609dfd95b84cd98892a803ffa9c4fe2247b9 ] If a symlink can't be followed, then just copy the symlink itself rather than the underlying file. Fixes: #7774 Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Joe Stringer <joe@wand.net.nz> 22 April 2019, 21:19:22 UTC
0f7927a Joe Stringer 18 April 2019, 21:46:53 UTC bugtool: Be more resilient to file errors [ upstream commit bd194665adf17c9be2bb5ea5323b6caa7de54dc9 ] When walking paths, if there are any problems while attempting to open or read the file, skip that file and continue; only fail out on creation of the archive if there is an error after writing the header, ie specifically when copying the content of the file into the tar. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Joe Stringer <joe@wand.net.nz> 22 April 2019, 21:19:22 UTC
9353ec3 Joe Stringer 18 April 2019, 18:22:08 UTC bugtool: Factor out path walk function [ upstream commit 5a9d6b514932f8787647acf63b1c13511eef944f ] By factoring out the walk function into a receiver function on an object, we can mock it out and unit test. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Joe Stringer <joe@wand.net.nz> 22 April 2019, 21:19:22 UTC
b1b6a9b Joe Stringer 17 April 2019, 23:29:37 UTC bugtool: Fix up newline characters in error messages [ upstream commit 4011e5af7e90fc20b3f163dee281cc1c6ca41ec2 ] Prior to this commit, multiple error messages would often get concatenated together rather than printed once per line. Fix this up by ensuring that the `Fprintf()` calls end with a newline character. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Joe Stringer <joe@wand.net.nz> 22 April 2019, 21:19:22 UTC
f560bab Daniel Borkmann 18 April 2019, 23:08:40 UTC docs: clarify kernel version for BPF based masquerading [ upstream commit 20a824066380335b2fb398bbfcdbd5f53e4ebd1c ] Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Joe Stringer <joe@wand.net.nz> 22 April 2019, 21:19:22 UTC
858eb7b Joe Stringer 18 April 2019, 17:55:40 UTC loader: Improve logging of template build failures [ upstream commit 6465c2aac3efc2e49349578836e2917812fc4350 ] Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Joe Stringer <joe@wand.net.nz> 22 April 2019, 21:19:22 UTC
826d75a Ian Vernon 19 April 2019, 00:16:28 UTC Prepare for v1.5.0-rc5 Signed-off by: Ian Vernon <ian@cilium.io> 19 April 2019, 00:18:12 UTC
9c4b907 Martynas Pumputis 18 April 2019, 09:10:05 UTC test: Allow Cilium 1.4 to be run with K8s 1.14 [ upstream commit 2cdda25c5d1cd6239f0427f98e8fffaa4fa675ea ] This commit makes it possible to run upgrade tests on k8s 1.14 with Cilium 1.4. Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 April 2019, 00:02:12 UTC
89d8833 Daniel Borkmann 17 April 2019, 22:12:38 UTC cilium, template: add cilium_encrypt_state to ignored prefixes [ upstream commit 8fe063a3d2030ea2f7c69016efcea028d8ab9326 ] Seen several warnings in the cilium agent log files as the following: 2019-04-17T20:11:25.804796408Z level=warning msg="Skipping symbol substitution" subsys=elf symbol=cilium_encrypt_state The map is a global one, therefore add it to ignored prefixes to silence the warning. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 April 2019, 00:02:12 UTC
441864b Thomas Graf 17 April 2019, 21:48:30 UTC cni: Stop removing CNI_CONF_NAME on preStop [ upstream commit 14affce7c973e7240b954474c20ede0c578e0eeb ] The idea behind removing the CNI_CONF_NAME on preStop has been to leave no trace behind when the DaemonSet is removed. This strategy has caused two reocurring problems: * When Cilium is restarted, kubelet may fall-back to a different CNI configuration during a short race window, this may cause pods to be managed by a CNI which does not provide network security policy enforcement which then leads to unexpected protection loss. * When users provide a manual CNI configuration, the manual file is kept untouched on start but then removed when the agent restarts. Stop removing the CNI configuration Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 April 2019, 00:02:12 UTC
7146cd7 John Fastabend 15 April 2019, 17:06:35 UTC cilium: enable encrypt + vxlan test again [ upstream commit 69d6e812c9311200734c1156967f778e5fc844dd ] Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 April 2019, 00:02:12 UTC
9784a3c Michal Rostecki 21 March 2019, 16:29:34 UTC datapath/iptables: Check iptables kernel modules [ upstream commit 5b17c993e57963a86bfa4887b58018e055624086 ] Before this change, ip6tables was called for rules removal even if ip6tables modules were not loaded. After this change, iptables module is going to: - fail if iptables modules are not loaded - fail if ip6tables modules are not loaded, but IPv6 is enabled - not use ip6tables if its modules are not loaded and IPv6 is disabled Fixes: #7453 Fixes: 65cfe4a6cf49 ("iptables: Add support for IPv6, make IPv4 optional.") Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 April 2019, 00:02:12 UTC
02945fe Michal Rostecki 22 March 2019, 17:59:45 UTC modules: Add utility for checking loaded kernel modules [ upstream commit 6d19ee3cb14794aaa3c667a22b435767c96c2a73 ] This package provides a manager for checking and searching loaded kernel modules. It's going to be used for checking whether iptables and ip6tables are usable. Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 April 2019, 00:02:12 UTC
4691362 Michal Rostecki 22 March 2019, 17:58:02 UTC set: Add utility for subset checks [ upstream commit 2ce94b1b30891471b346634320d397c0ea812c8a ] This package provides a function which checks whether the first slice of strings is a subset of the second one. It's going for searching loaded kernel modules. Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 April 2019, 00:02:12 UTC
5774b5b Thomas Graf 17 April 2019, 19:07:09 UTC k8s: Fix leak of k8s controller on kvstore connect & disconnect [ upstream commit a63342e75944a3c43548ce53ee40d22c01176cf4 ] A go channel plus a k8s controller was leaked on each kvstore connect + disconnect event as the minimal k8s event controller was replaced with a full-scope controller. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 April 2019, 00:02:12 UTC
8150036 Thomas Graf 17 April 2019, 10:01:06 UTC k8s: Disable k8s event handover to kvstore by default [ upstream commit bf613204203a85809ac0bee9effeb368694c69a0 ] This is a new feature and primiarly targeted at larger scale. It requires the operator to be functional. This adds complexity which is only required once k8s apiserver event handling at scale becomes a concern. Require users to opt-in. Fixes: #7722 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 April 2019, 00:02:12 UTC
f095c92 Martynas Pumputis 17 April 2019, 16:37:43 UTC daemon: Panic if executable name does not match cilium{-agent,-node-monitor,} [ upstream commit 3459f051deb55b6005781bb6181bc12ea540db4f ] Previously, if the executable name of cilium didn't match neither from the above, the executable exited with 0 and didn't log anything. This could have confused users who downloaded the released cilium executables which were suffixed with `-x86_64` and due to the suffix were failing silently. Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 April 2019, 00:02:12 UTC
cfd06bb Maciej Kwiek 12 April 2019, 13:23:36 UTC Add `dep check` to travis build [ upstream commit 61960adfba101bec0c231575c7c4b77c585d02f3 ] This ensures that Gopkg.lock and Gopkg.yaml are not committed to repository malformed Signed-off-by: Maciej Kwiek <maciej@covalent.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 April 2019, 00:02:12 UTC
6777d2a David Birks 17 April 2019, 14:52:38 UTC docs: Add containerd to self-managed installation section [ upstream commit 7b21c8350335f6e42c87f79114703f5fe548049d ] Adds a tabbed section for containerd to the self-managed installation section, next to Docker and CRI-O. Signed-off-by: David Birks <davidebirks@gmail.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 April 2019, 00:02:12 UTC
bb4d546 Martynas Pumputis 16 April 2019, 16:03:47 UTC test: Check whether v2 and legacy svc maps are in sync [ upstream commit 3c302b8c8d4a51c44ba54344cec86a313389bc73 ] Signed-off-by: Martynas Pumputis <m@lambda.lt> 17 April 2019, 23:41:26 UTC
875241e Martynas Pumputis 16 April 2019, 16:02:44 UTC test: Extend BpfLBList to list legacy svc BPF maps [ upstream commit 1e8ec20e04bd7fd865ab92c3bf1f0f04d890955c ] Also, add an option to remove duplicate endpoint entries from the legacy svc BPF maps. Signed-off-by: Martynas Pumputis <m@lambda.lt> 17 April 2019, 23:41:26 UTC
a73655b Martynas Pumputis 16 April 2019, 14:41:49 UTC cli: Add flag to list legacy service BPF maps [ upstream commit 93768ed585565688b88c93ea46d69dd25900a343 ] This commits adds the `--legacy` flag which can be passed to the `cilium bpf lb list` command in order to dump the legacy service BPF maps. Also, it moves the dumping code to separate functions. Signed-off-by: Martynas Pumputis <m@lambda.lt> 17 April 2019, 23:41:26 UTC
dbc2e59 Daniel Borkmann 17 April 2019, 09:08:28 UTC bpf, snat: dump external v4/v6 addresses more clearly into node config [ upstream commit 74ab809120953a923f91aee68bbea178f95fa51a ] It's useful for debugging, so make it clear what Cilium daemon has selected for node_config.h such that this can be introspected easily from the usual locations (/var/run/cilium/state/globals/node_config.h). Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Martynas Pumputis <m@lambda.lt> 17 April 2019, 23:41:26 UTC
f3c8587 Daniel Borkmann 16 April 2019, 12:42:06 UTC node, address: fix bug where internal IP is selected over external [ upstream commit 08a33486cb819c37cabaebc2c7c55c2063b255b8 ] Commit df63d9b20be1 unfortunately broke SNAT due to selecting an private IP with global scope over a public one. The interface I had specified had two globally scoped IPs, one of them had a 10.0.0.0/8 prefix, the other one not. However, since prior node_config.h was present on the system, it selected the 10.0.0.0/8 one. As a consequence NAT broke since host local communication which was using the public address got then NATed by using the private one and thus machine looses connectivity. Rework firstGlobal*Addr() to prefer public over private addresses. If there is a preferredIP passed, then it's only preferred pick within the set of public resp. private ones. For IPv6 add similar logic. Also, the findIPv6NodeAddr() function comment mentions an interface that can be passed, however there is no such parameter. Rework the IPv6 logic to reuse all of the IPv4 one such that global scope address of a provided interface is picked if device is configured. The fallback logic is then first trying to find a reduced scope if a device was specified, and if that breaks down, the second fallback is to find the IP considering all interfaces with universe scope (and again, falling back to reduced scope before giving up completely). Fixes: df63d9b20be1 ("Node: Try to prioritize the InternalIPv[46] from restore.") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Martynas Pumputis <m@lambda.lt> 17 April 2019, 23:41:26 UTC
403886b Daniel Borkmann 12 April 2019, 21:51:14 UTC bpf, snat: select lru map if available otherwise fall back to htab [ upstream commit 92cd032bf7b183241c0e248bd101258474f1c5c8 ] Same principle as in conntrack table. In case of evicting old NAT entries from active connection via LRU mechanism, we could run into two scenarios wrt TCP connections: i) packet coming in via ingress. If there is no state for the given connection, the packet will be dropped. Node might resend in which case we'll have an outgoing connection. In case of the latter, we'll then re-create a new mapping via snat_v{4,6}_new_mapping(). Try to retain evicted 5-tuple mapping if possible such that there is a chance connections would keep working before we try completely random ones. Lift the short interval for GC cleanup when NAT is enabled to not interfere with stale NAT entries in LRU. NAT hash-tab would normally piggy-back on GC. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Martynas Pumputis <m@lambda.lt> 17 April 2019, 23:41:26 UTC
e816028 Daniel Borkmann 14 April 2019, 23:00:10 UTC bpf, snat: reject unknown ethertypes early [ upstream commit 7de434985f89bd0bd0e0100db397462af3c1ce5b ] Move the test out of do_netdev() and into each entry point, so we don't even attempt to try SNAT in the first place. This also fixes a verifier issue for older kernels where LLVM is generating ctx+off in a register which is not allowed. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Martynas Pumputis <m@lambda.lt> 17 April 2019, 23:41:26 UTC
a34ad8f Daniel Borkmann 13 April 2019, 23:40:11 UTC bpf, snat: add cilium monitor support for pre/post snat engine [ upstream commit e84065655c26f7083ad15f1d1845800a578b73e1 ] Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Martynas Pumputis <m@lambda.lt> 17 April 2019, 23:41:26 UTC
eb861a8 Maciej Kwiek 17 April 2019, 11:10:36 UTC Replace deprecated provider [ upstream commit d8474e499ad1fb779827e506890fa327194e56e7 ] Signed-off-by: Maciej Kwiek <maciej@covalent.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 17 April 2019, 23:41:26 UTC
4f57f75 Martynas Pumputis 16 April 2019, 10:49:41 UTC examples: Add --enable-legacy-service=false to ConfigMap [ upstream commit 201d72fa595bdfddb91f756fc4b45f00456252f0 ] This commit adds the `enable-legacy-services` flag to the ConfigMap and sets it to false, so that new users won't need to maintain unnecessary legacy services. Signed-off-by: Martynas Pumputis <m@lambda.lt> 17 April 2019, 23:41:26 UTC
faca16d John Fastabend 15 April 2019, 19:16:50 UTC cilium: Encryption overhead MTU accounting [ upstream commit 658f232b3cabe19316c113037697fdb42a49ff50 ] Account for MTU overhead associated with encryption. Depending on key length this may vary, these calculation use default key size of 128B unless other size is known from reading encryption secrets. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 17 April 2019, 23:41:26 UTC
16528a0 Ian Vernon 16 April 2019, 18:27:19 UTC update Vagrantfiles to version 145 [ upstream commit 707129e16ced46b81e212cf418d1ed3a852ed8a4 ] This version contains the cached Docker images for increasing the throughput of the Cilium CI. Signed-off by: Ian Vernon <ian@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 17 April 2019, 23:41:26 UTC
b84eb52 Joe Stringer 15 April 2019, 22:06:09 UTC daemon: Improve config file log handling [ upstream commit ca9397b08ed1a890f745bcf9beb0706b96d1e7de ] The config file log handling would always complain if the user doesn't specify a config file (the default). Lower that complaint to info level. Furthermore, fix up the log usage to properly make use of logrus Fields. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 17 April 2019, 15:07:54 UTC
209a585 Joe Stringer 15 April 2019, 22:18:25 UTC daemon: Only invoke daemon init in daemon [ upstream commit b5f1d9f2f0d2293f15fdb1f11f4275be28b47807 ] Previously, the daemon init function would be invoked in non-daemon settings such as when running the cilium cli, or the monitor. Avoid this with a simple Args check at the beginning of the init function. Fixes: #7732 Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 17 April 2019, 15:07:54 UTC
4c84f1b Martynas Pumputis 15 April 2019, 19:06:49 UTC contrib: Exit early if no git remote is found [ upstream commit 65b001f4377904768be03384b68a3324f00a072e ] Previously, if no git remote pointing to git@github.com:cilium/cilium.git or https://github.com/cilium/cilium was found, the `check-stable` and `cherry-pick` scripts continued to execute nevertheless which lead to cryptic errors. This commit makes both scripts to exit early and also to print an error to stderr that the git remote could not have been found. Also, factor out the common code into the `get_remote` function which can be shared by sourcing common.sh. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 17 April 2019, 15:07:54 UTC
452231a Martynas Pumputis 16 April 2019, 09:12:11 UTC daemon: Set backend ID in local LB cache [ upstream commit 43fc56301183e78e7b01f87a5b6234faf180968b ] Currently, the allocation of backend IDs is triggered inside `lbmap` methods. This is far from ideal, as this breaks a separation of concerns between different layers (i.e. the allocation should be really controlled by `daemon`; this is going to be changed in the nearest future). One bug which slipped unnoticed was that we didn't populate the daemon's local LB cache with the acquired backend IDs which lead to non-consistent ordering of service endpoints reported by `cilium service list`, and, as a consequence, this made some CI tests flaky which were expecting some exact service endpoint ordering. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 17 April 2019, 15:07:54 UTC
3655af4 Martynas Pumputis 16 April 2019, 09:10:59 UTC service: Add LookupBackendID method [ upstream commit f462059f4386727d4761952087de6d75d6144759 ] The method is used to look up already allocated backend IDs. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 17 April 2019, 15:07:54 UTC
b8566d0 Ian Vernon 16 April 2019, 00:39:14 UTC Prepare for release v1.5.0-rc4 Signed-off by: Ian Vernon <ian@cilium.dev> 16 April 2019, 00:51:13 UTC
1524131 Martynas Pumputis 12 April 2019, 10:08:08 UTC daemon,lbmap: Remove orphan backends [ upstream commit 3d471a5d41a7eea689eea6002e36232ac46658b5 ] This commit removes orphan backends (i.e. backends which are not used by any service) and releases their IDs. Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
8523844 Martynas Pumputis 12 April 2019, 10:03:30 UTC daemon,lbmap: Remove orphan v2 services [ upstream commit 1c5ac0557abaa086e686fbf4079ffa2915f6f3ff ] It's possible to end up in a situation when a v2 service does not have an equivalent legacy service. Consider the following: 1. cilium-agent upgraded to >= v1.5. 2. cilium-agent downgraded to < v1.5. 3. The service is removed (only from the legacy BPF map). 4. cilium-agent upgraded to >= 1.5. If this happen, in the 4. step v2 service won't be restored from legacy. To avoid it, we remove orphan services after we have migrated legacy services to v2. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
64864cb Martynas Pumputis 12 April 2019, 09:57:46 UTC lbmap: Add BackendAddrID.IsIPv6 method [ upstream commit f6a3e506e408518da07a50f1749743416d5ea512 ] This method detects (in a dirty way) whether a backend identified with the given addrID is of the ipv6 type. It will be used when removing orphan backends from the BPF maps. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
fad2e8c Martynas Pumputis 12 April 2019, 09:52:26 UTC lbmap: Fix BackendAddrID of IPv6 backend [ upstream commit f7d43a1e2fb48ed2da2e069b0e5850a5644d9059 ] Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
5e9fa41 Martynas Pumputis 12 April 2019, 09:36:37 UTC logfields: Fix BackendID logfield value [ upstream commit 151d4ddc0f705eeb2545db84c9ffecb92cbac04e ] The field is used when logging a single instance of backend. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
2c44b8f Martynas Pumputis 11 April 2019, 10:07:15 UTC daemon: Use v2 services when syncing with k8s [ upstream commit 33e836c52ffe041c5c662e59b6e0b93e3272396a ] The syncing (`syncLBMapsWithK8s`) happens after the v2 services have been created from the legacy ones, so we can use the v2 for comparing against the k8s ones when syncing. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
9b49c53 Martynas Pumputis 10 April 2019, 12:48:14 UTC daemon: Remove legacy svc BPF maps if they are disabled [ upstream commit b96869fcbfcd71e927ba2e0021da2cd6e1278472 ] This commit tries to remove the legacy svc related maps if the legacy services are disabled. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
ef827fe Martynas Pumputis 10 April 2019, 12:44:31 UTC daemon,lbmap: Do not update legacy svc if they are disabled [ upstream commit 2766bc1273682d1663860c2c9e595d35d1eba336 ] This commit disables updating of the legacy services if they are disabled (`--enable-legacy-services=false`). Two other changes: - Restoring from the legacy services is disabled if the legacy services are disabled. - As we do not support the weighted services, the calculation of the service endpoint weights is disabled to simplify the code. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
6dae468 Martynas Pumputis 10 April 2019, 12:40:26 UTC lbmap: Update revNAT table from v2 routines [ upstream commit 5ab551c7354ef973ca021d458ab901b86914c1ad ] This commit moves the creation and update of rev nat tables from the update function of the legacy services to the update function of the v2 services. This is needed, because we will optionally disable the legacy services. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
7a3e36b Martynas Pumputis 10 April 2019, 12:35:12 UTC lbmap: Exclude master service earlier in dump function [ upstream commit 6a90432f76ab9dce3f334dd5185e9c0c577658fa ] As we do not use master service to extract a service ID [1], we can ignore parsing of the master service earlier which makes the `lbmap.DumpServiceMapsToUserspaceV2` function smaller. [1]: https://github.com/cilium/cilium/pull/7540#discussion_r272913219 Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
2341571 Martynas Pumputis 10 April 2019, 12:29:25 UTC lbmap,daemon: Make removal of lbmap cache more explict [ upstream commit b791ed867af34a87bc77dd417cb977a6b11fe6c0 ] This commit introduces the `lbmap.DeleteServiceCache` function which is responsible for the removal of the lbmap cache svc entry. Also, the removal is moved from a function which was called when a legacy svc has been removed to a function which manages the removal of both types of services, so that we still remove the cache entry even when the legacy services are disabled. Once we stop support the legacy services, we can move the removal to the `lbmap.DeleteServiceV2` function. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
234d851 Martynas Pumputis 10 April 2019, 12:20:32 UTC daemon,bpf: Add --enable-legacy-services flags [ upstream commit d5bc02ecc942f578933f84e1553ac4bc316744ba ] The flag (by default set to "true") enables or disables the legacy services. This can be useful to avoid unnecessary memory usage and to save some CPU cycles when doing a service lookup in the datapath for those deployments which are going to use Cilium v1.5 from the beginning, i.e. won't do an upgrade from v1.4 to v1.5. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
8354070 Martynas Pumputis 10 April 2019, 12:13:22 UTC loadbalancer: Sort backends by ID when listing [ upstream commit 27d82b5ab006a9fa38f8beffcc593a0f491072a1 ] When listing services with `cilium service list`, the order of backends might not reflect the actual order of service values in the svc v2 BPF maps. After the cilium agent has been restarted, it restores the loadbalancer cache from the BPF maps. So, the service value entries might be in a different order than it used to be before the restart. This is fine, but it makes some integrations test to fail which expect service values to be in the same order as before the restart. This commit ensures that the service values are listed always in the same order (i.e. sorted by the backend ID). Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
e48c2c4 Martynas Pumputis 10 April 2019, 12:11:20 UTC cli: Use svc v2 maps when listing [ upstream commit 99bf44a02c1a2ff8e8c0e7f2792658196e1639be ] This commit changes the source maps of the `cilium bpf lb list` cmd - instead of the legacy svc BPF maps, the v2 BPF are used. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
2781acc Martynas Pumputis 10 April 2019, 12:10:15 UTC bpf: Add Map.UnpinIfExists method [ upstream commit 496ba15f4e74cb54b25a4bc1d21ac87fc5238aab ] This method is going to be used for removal of the legacy svc related maps which might not exist during the removal. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
17b07cd Martynas Pumputis 10 April 2019, 12:08:44 UTC bpf: Add Map.DumpWithCallbackIfExists method [ upstream commit ceee83340e8555d2eb10b57df11b531c51797d90 ] This method is going to be used by the `cilium service list` handler to dump and parse svc v2 entries. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
1fe60f0 Maciej Kwiek 12 April 2019, 16:54:39 UTC Fix backporting scripts for https users [ upstream commit 4cc1799a47fa4869feaaa554620024a947b7eb56 ] Signed-off-by: Maciej Kwiek <maciej@covalent.io> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
5cfb995 Jarno Rajahalme 14 April 2019, 16:56:53 UTC test: Update Istio test to 1.1.2 with proxy 1.1.3. [ upstream commit 3c4c3c22c8c09fcdc6a6e196515f32afa2c8175e ] Replace the istio-cilium.yaml file with a new one, generated with helm using the updated Istio GSG. Replace the bookinfo manifests with ones newly generated with helm. Istio release 1.1.3 is not out yet, but we can use the 1.1.3 proxy with Istio 1.1.2 to get the path normalization fix in. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
172e1d8 Jarno Rajahalme 14 April 2019, 16:48:32 UTC istio: Update istio proxy to 1.1.3 [ upstream commit 343dc518cdf2e8c984b240d9e3fc29eec3ca70d1 ] Use proxy with path normalization (1.1.3) Istio release 1.1.3 is not out yet, but we can use the 1.1.3 proxy with Istio 1.1.2 to get the path normalization fix in. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
cc36fde Jarno Rajahalme 14 April 2019, 19:07:29 UTC CI: Enforce sensible timeouts. [ upstream commit a1f1d0ff5f2ff158badd24f31122845d97764dc8 ] Default timeout/duration unit is nanoseconds, so specify time.Second where the unit was missing, and enforce minimum timeout of 10 seconds and minimum ticker interval of 1 second in WithTimeout(). The default Ticker duration in WithTimeout was 5 nanoseconds, which may have caused all calls to mysteriously fail if the furst call to body() was not successful. Ginkgo functions have optional timeouts (that we usually do not use), expressed in seconds. These should not be mixed up! Istio test may have been failing due to this. Microscope test also had both timeouts and ticker durations without units (defaulting to nanoseconds), which may have contributed to the fact that microscope test had to be disabled. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
7a6ae69 Jarno Rajahalme 13 April 2019, 21:54:03 UTC envoy: Update to enable path normalization [ upstream commit 8b4f3cead8b8a0786a0939a6b0f7bf886b0ff993 ] Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
458666b Ian Vernon 13 April 2019, 20:09:27 UTC test: Disable flaky encapsulation encryption test [ upstream commit 087abbd318d16a7f2ac4f069d6e26c936d3f0c58 ] The test is not reliable enough to be enabled right now Related: #7615 Signed-off by: Ian Vernon <ian@cilium.io> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
9a9ee27 John Fastabend 10 April 2019, 15:09:55 UTC Revert "test: Disable flaky encapsulation encryption test" [ upstream commit 6c08f085eeffca1207ddf2681728d712c323e626 ] After fix to correctly handle peer and local keys during key transitions e.g. enabling/disabling encryption like this test. And reducing instruction count to get this running on all kernels and LLVM7. Lets enable now. This reverts commit 08e4dde73a327bf693422df76a67e99f5d5a8655. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
c01bc3c John Fastabend 12 April 2019, 15:47:59 UTC cilium: fix dropping Health node IP updates [ upstream commit 3ed410362178ea7d88644416e6af76406c157b25 ] In my failing ginkgo test for cillium + vxlan + encryption I see Preflight failure. After reviewing the logs I noticed that one node is emmitting an event with only the Health IPs changing and in this case the peer is complaining that it is already in the ipcache and therefore is not updating its node map. This results in a situation where the map has the old Health IPs and when we run cilium-health we try to http/ping the old non-existing IP and as expected get a timeout. Running 'cilium node list' on each node shows that the two nodes disagree on the Health IPs. It is also always exactly one of the two nodes in my setup. To fix this update the node map (but don't do datpath reconfigs) on all nodes even if the ipcache has an entry for the node. We can skip the datapath configuration to avoid churn because the datapath does not use the health IPs. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
d40fb20 John Fastabend 11 April 2019, 18:46:31 UTC cilium: combine tunnel and non-tunnel cases into single branch [ upstream commit c8d084775af057641ea2dd6ecea55288f0afeef0 ] Refactoring tunnel and non-tunnel cases in encap.h reduces the insn count a reasonable amount. It also helps identify in encap.h where each call is from. We now have a _lxc encap call and a _netdev encap call to handle calls from ingress of veth pair attached to pods and the cilium_host running bpf_netdev. Before: Prog section '2/10' (tail_call IPV6_FROM_LXC) loaded (40)! - Instructions: 3735 (0 over limit) processed 49451 insnser: After: Prog section '2/10' (tail_call IPV6_FROM_LXC) loaded (40)! - Instructions: 3711 (0 over limit) processed 48850 insns Gain another 24 instructions. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
e8975a2 John Fastabend 11 April 2019, 18:15:12 UTC cilium: remove relax() calls to get more free insns [ upstream commit d19889561aedd4c06365277ca06325f7f1db3619 ] This paticular relax() call does little for complexity limits and I need the extra instructions more. Testing on Vagrant box provided with cilium/test which is using a 4.9 kernel. Before: Prog section '2/10' (tail_call IPV6_FROM_LXC) - Instructions: 3743 (0 over limit) processed 48977 insns After: Prog section '2/10' (tail_call IPV6_FROM_LXC) loaded (40)! - Instructions: 3735 (0 over limit) processed 49451 insns For the win +8 instructions!!! =) Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
e1efa49 John Fastabend 11 April 2019, 17:13:20 UTC cilium: remove unecessary zero'ing of ip6 endpoint key [ upstream commit abd3a3c88c1448f81519283c2e4833f6ec985c5f ] The structure is initialized at initialization no need to zero the fields yet again. Apparently compiler does emit these instructions. To verify change reduces complexity use Vagrant box provided with Cilium and the following command, #make -C bpf && ./test/bpf/check-complexity.sh Before Prog section '2/10' (tail_call IPV6_FROM_LXC) loaded (40)! - Instructions: 3746 (0 over limit) processed 49004 insns After Prog section '2/10' (tail_call IPV6_FROM_LXC) loaded (40)! - Instructions: 3743 (0 over limit) processed 48977 insns Note, the max instruction limit is 4096 and we will be using the remaining instructions for fixing tunnel keys when encryption keys are changing. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
afc753e John Fastabend 10 April 2019, 15:05:32 UTC cilium: transparent encryption, use correct keys during key rotation [ upstream commit 22e5c6d232dfdfd5186386b02e9a62bf309b8972 ] When keys are being changed from previous key to new key its possible that nodes will have different sets of keys installed in the datapath. This is a result of either a rolling update and/or because secrets are not propagated at the same time through all the nodes. The result is a peer key ID (e.g. the one looked up in the ipcache) may represent a key that has not yet been installed on the node. Trying to encrypt with that key will result in dropped traffic because the key is not known. So this patch keeps the state of the last key installed in the datapath and uses that. The assumption key updates only happen after all nodes have sync'd the prevous update. This required implementing another map to hold the state. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: vagrant <vagrant@k8s1> 16 April 2019, 00:15:51 UTC
8020677 Thomas Graf 12 April 2019, 22:53:19 UTC Doc: Update jinja dependency for documentation building [ upstream commit 32414bd4daeaf931ea94a276b8f441e91517ff6c ] Fixes: CVE-2019-10906 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Ian Vernon <ian@cilium.io> 13 April 2019, 19:34:08 UTC
95d58d8 Ronald van Zantvoort 11 April 2019, 23:08:42 UTC Various bugfixes & improvements to daemon config handling [ upstream commit 54e3c5b765f080a3e40fe644b74fe17981307954 ] Signed-off-by: Ronald van Zantvoort <the.loeki@gmail.com> Signed-off-by: Ian Vernon <ian@cilium.io> 13 April 2019, 19:34:08 UTC
4ca0c31 Thomas Graf 11 April 2019, 21:26:16 UTC ipam: Provide ownership information of IP allocations [ upstream commit b2ff83adff68a557e12119ebb2cdf9d89a6cf017 ] Keeps track of who owns an allocated IP and provides it as part of cilium status: ``` IPv4 address pool: 13/65535 allocated from 10.16.0.0/16 IPv6 address pool: 13/65535 allocated from f00d::a10:0:0:0/112 Allocated addresses: 10.16.0.1 (router) 10.16.113.196 (default/echo-79b5fcd4d9-2qlrn [restored]) 10.16.126.206 (default/probe-7b4494bd59-m5222 [restored]) 10.16.139.230 (default/echo-79b5fcd4d9-vwc6l [restored]) 10.16.163.105 (loopback) 10.16.174.44 (default/echo-79b5fcd4d9-cfrgn [restored]) 10.16.183.123 (default/echo-79b5fcd4d9-nk9ln [restored]) 10.16.23.213 (health) 10.16.5.111 (default/probe-7b4494bd59-8rrs2 [restored]) 10.16.71.7 (default/probe-7b4494bd59-whqv8 [restored]) 10.16.76.95 (default/probe-7b4494bd59-pqvx4 [restored]) 10.16.88.220 (default/probe-7b4494bd59-lcd9s [restored]) 10.16.92.82 (default/echo-79b5fcd4d9-bxgw5 [restored]) f00d::a10:0:0:1 (router) f00d::a10:0:0:13ba (default/probe-7b4494bd59-8rrs2 [restored]) f00d::a10:0:0:19f5 (default/probe-7b4494bd59-m5222 [restored]) f00d::a10:0:0:2601 (health) f00d::a10:0:0:69d6 (default/probe-7b4494bd59-whqv8 [restored]) f00d::a10:0:0:71 (default/echo-79b5fcd4d9-bxgw5 [restored]) f00d::a10:0:0:722c (default/probe-7b4494bd59-lcd9s [restored]) f00d::a10:0:0:8e65 (default/echo-79b5fcd4d9-2qlrn [restored]) f00d::a10:0:0:ab5e (default/echo-79b5fcd4d9-nk9ln [restored]) f00d::a10:0:0:b3ec (default/probe-7b4494bd59-pqvx4 [restored]) f00d::a10:0:0:ca90 (default/echo-79b5fcd4d9-cfrgn [restored]) f00d::a10:0:0:d8d4 (default/echo-79b5fcd4d9-vwc6l [restored]) ``` Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Ian Vernon <ian@cilium.io> 13 April 2019, 19:34:08 UTC
71cf99c André Martins 10 April 2019, 13:18:22 UTC kubernetes-upstream: update to k8s 1.14 [ upstream commit 50ebcf33e94d16b83f22bedba7af0e61aa2b1086 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Ian Vernon <ian@cilium.io> 13 April 2019, 19:34:08 UTC
1c06ff2 Thomas Graf 12 April 2019, 13:07:43 UTC k8s: Don't bother to create CEP if endpoint is already disconnecting [ upstream commit 4a0c9844e1503be083af9386a48cf8076b49286f ] A common pattern is that an entire namespcae is deleted while pods are still being created. This will trigger a lot of errors like the one below. Fix this by not even bothering to create a CEP if the endpoint is already disconnecting again. This will not completely avoid the error but make it less likely. ``` level=error msg="Cannot create CEP" containerID=1c0bc02ec5 controller="sync-to-k8s-ciliumendpoint (1032)" datapathPolicyRevision=43 desiredPolicyRevision=43 endpointID=1032 error="ciliumendpoints.cilium.io \"client2\" is forbidden: unable to create new content in namespace staging-couchdb because it is being terminated" identity=25422 ipv4= ipv6= k8sPodName=staging-couchdb/client2 subsys=endpointsynchronizer ``` Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Ian Vernon <ian@cilium.io> 13 April 2019, 19:34:08 UTC
5055967 Thomas Graf 12 April 2019, 12:59:03 UTC k8s: Don't error when CEP does not exist on endpoint exit [ upstream commit 97e550f5673a26c9bd83b1143d07f38a4dc2e912 ] An endpoint may be deleted before the CEP was ever created. Skip logging any errors if the error is NotFound and avoid returning an error as the controller was successfully stopped either way. This avoids errors like: ``` level=error msg="Unable to delete CEP" containerID=8ac6da9fb1 controller="sync-to-k8s-ciliumendpoint (963)" datapathPolicyRevision=43 desiredPolicyRevision=43 endpointID=963 error="ciliumendpoints.cilium.io \"couchdb-server\" not found" identity=15353 ipv4= ipv6= k8sPodName=staging-couchdb/couchdb-server subsys=endpointsynchronizer level=warning msg="Error on Controller stop" consecutiveErrors=2 error="ciliumendpoints.cilium.io \"couchdb-server\" not found" name="sync-to-k8s-ciliumendpoint (963)" subsys=controller uuid=8845cc2c-5d17-11e9-916d-02b2f5c938d8 ``` Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Ian Vernon <ian@cilium.io> 13 April 2019, 19:34:08 UTC
e39a323 Eloy Coto 12 April 2019, 07:47:08 UTC Node: Try to prioritize the InternalIPv[46] from restore. [ upstream commit df63d9b20be1bed432da09490865a1aa0cd4aaad ] On case of Cilium restore can choose different Node CIDR, and the endpoints will no restore correctly due to the IP CIDR mismatch. This change will list all IPS, and if the IP that it is on `node_config.h` is present in the list of the IPs will be selected, in case that it is not present (new installation) will list all the address with the RT_SCOPE_UNIVERSE and sort that to try to return always the same results. Fix #7637 Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: Ian Vernon <ian@cilium.io> 13 April 2019, 19:34:08 UTC
4560095 Maciej Kwiek 10 April 2019, 09:15:12 UTC Don't use local remote in backporting scripts [ upstream commit 521ee8357011958d9a099413a7b64688e1180df8 ] I have several local remotes set up on my machine, which helps in parallel development of features. When backporting, check-stable script took my local remotes instead of github origin because path to local remote contained `github.com/cilium/cilium` Signed-off-by: Maciej Kwiek <maciej@covalent.io> 12 April 2019, 12:18:47 UTC
bc40025 Joe Stringer 11 April 2019, 21:12:46 UTC endpointmanager: Avoid regenerating restoring endpoints [ upstream commit 69b90d33381db757e4d35a8e5ef37e39d8217e10 ] If an endpoint is currently being restored, ensure that its state reflects this for the duration of the restoration, and avoid triggering regeneration during this time. Otherwise this could cause the endpoint to be regenerated using intermediate state (eg wrong security identity), rather than continuing to run the previously configured datapath until the newly started Cilium is ready to fully regenerate the endpoint. Related: #7358 Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Maciej Kwiek <maciej@covalent.io> 12 April 2019, 12:18:47 UTC
c576944 Joe Stringer 11 April 2019, 20:40:46 UTC endpoint: Sanitize ep.SecurityIdentity on restore [ upstream commit 85e25bcc22bdcc0163a7b581de14cd7658caf69d ] When deserializing an endpoint from json, we previously didn't ensure that the security identity is properly restored. Other users of the security identity would rely upon the `ep.SecurityIdentity.LabelArray` being properly populated at all times, however this field was previously (1) not serialized, and (2) not repopulated upon restore. Sanitize the identity when restoring the endpoint from json. Fixes: #7358 Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Maciej Kwiek <maciej@covalent.io> 12 April 2019, 12:18:47 UTC
7b40d32 Thomas Graf 11 April 2019, 00:57:58 UTC cni: Fix CNI delete side-effects [ upstream commit 19115f53270c93ccb77991fdd41ae92e8e759a88 ] Fail the CNI delete request if the agent cannot be contacted to delete the endpoint. Also, don't blindly release the IP address as return by the endpoint get. This is racy, rely on the delete endpoint call to release the IPs. It will do so in an atomic manner while ensuring that the respective endpoint really owns those IP addresses. Differentiate between errors that can be recovered from such as failure to reach the agent or timeouts and errors which are guaranteed to be permanent such as endpoint or interface nonexistence. Only return an error on recoverable errors to avoid kubelet retrying for a long timeout while minimizing the risk of leaving behind resources. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Maciej Kwiek <maciej@covalent.io> 12 April 2019, 12:18:47 UTC
6525eb5 Thomas Graf 11 April 2019, 00:57:58 UTC endpoint: Delegate IP release on endpoint creation failure [ upstream commit f1b06d593406e6a7f952f7a66844f2a2c7443804 ] The caller of PUT /endpoint/{id} provides the IP. Do not attempt to release the IP provided by the caller. The caller is responsible to release the IP as it has to do so anyway. By releasing in the agent as well, a race window exists when the IP is becoming available after the agent release, gets allocated and the original owner then releases the IP. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Maciej Kwiek <maciej@covalent.io> 12 April 2019, 12:18:47 UTC
e4832e9 Thomas Graf 11 April 2019, 00:57:58 UTC cni: Always release created resources on failure of CNI ADD [ upstream commit 1be1df03ef088f332133806d38728326028ba247 ] * ep.Addressing was not set in all error paths which could lead to leaking IP addresses * err variable was shadowed or not set in some cases, causing the deferred cleanup to not work correctly. This could lead to leaking of IP address and created interfaces. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Maciej Kwiek <maciej@covalent.io> 12 April 2019, 12:18:47 UTC
e4827c2 Joe Stringer 11 April 2019, 23:10:41 UTC endpoint: Improve logging around headerfile writes [ upstream commit b60d512501f089854e25370fbc6768f20c1656d6 ] We haven't been performing any logging around header file writes, even when errors occur during filesystem interaction. Add a debug log before writing, and log any errors that may occur at debug level. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Maciej Kwiek <maciej@covalent.io> 12 April 2019, 12:18:47 UTC
back to top