https://github.com/cilium/cilium

Revision Author Date Message Commit Date
adeaf8c Prepare for release v1.7.0 Signed-off-by: André Martins <andre@cilium.io> 18 February 2020, 22:32:45 UTC
ee9af4b test: Fix getNodeInfo in NodePort tests [ upstream commit 7290ad44f7210ddf017a62dec468f600a0331e8e ] The k8s1 node was used to determine k8s2{Name,IP}, sigh. Commit 8333039e1f71 ("test: Fix externalTrafficPolicy=Local test cases") fixed the other occurrence some time ago from 11bb75df1d76. Fixes: 11bb75df1d76 ("CI: Add GetNodeNameByLabel helpers") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 18 February 2020, 17:24:44 UTC
a75fc09 update cilium-runtime with golang 1.13.8 [ upstream commit dabf93beae605b7c5fa2f2a51697324d527dbe08 ] Fixes: 459925361e4a ("golang: update to 1.13.8") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 18 February 2020, 17:24:44 UTC
b0f70e1 test: update k8s versions to 1.17.3, 1.16.7 and 1.15.10 [ upstream commit cd84b6ff53a42c3f838586bcd53e20d0ba70e370 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 18 February 2020, 17:24:44 UTC
1ca21a7 deps: update k8s dependencies to 1.17.3 [ upstream commit 475e367a6e1a4abbc712dd8f7624cdaf2cdb9af2 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 18 February 2020, 17:24:44 UTC
ea21510 Mark TLS policy test as pending [ upstream commit 44217d1de72bc55cea98c31638b058a9666db489 ] Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 18 February 2020, 17:24:44 UTC
9418949 test: fix ClusterIP IPv6 connectivity checks [ upstream commit 45cebce3c84f9e2dcf53c07531cecc31541ca2d7 ]

From time to time in our CI connectivity to {tftp,http}://[fd03::100]/ failed. Related service map dump looks like:

```
[...]
10069   [fd03::100]:69   ClusterIP   1 => [f00d::a0b:0:0:eb33]:69
                                     2 => [f00d::a0b:0:0:ce1a]:69
                                     3 => [f00d::a0b:0:0:3d75]:69
10080   [fd03::100]:80   ClusterIP   1 => [f00d::a0b:0:0:3d75]:80
                                     2 => [f00d::a0b:0:0:eb33]:80
                                     3 => [f00d::a0b:0:0:ce1a]:80
20069   [fd03::200]:69   ClusterIP   1 => [f00d::a0c:0:0:172d]:69
20080   [fd03::200]:80   ClusterIP   1 => [f00d::a0c:0:0:172d]:80
[...]
```

And endpoint list:

```
ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])                           IPv6                 IPv4          STATUS
           ENFORCEMENT        ENFORCEMENT
[...]
45         Disabled           Disabled          27884      k8s:id=app1                                           f00d::a0b:0:0:ce1a   10.10.0.178   ready
                                                           k8s:io.cilium.k8s.policy.cluster=default
                                                           k8s:io.cilium.k8s.policy.serviceaccount=default
                                                           k8s:io.kubernetes.pod.namespace=external-ips-test
510        Disabled           Disabled          12623      k8s:id=app1                                           f00d::a0b:0:0:3d75   10.10.0.105   ready
                                                           k8s:io.cilium.k8s.policy.cluster=default
                                                           k8s:io.cilium.k8s.policy.serviceaccount=app1-account
                                                           k8s:io.kubernetes.pod.namespace=default
                                                           k8s:zgroup=testapp
688        Disabled           Disabled          12623      k8s:id=app1                                           f00d::a0b:0:0:eb33   10.10.0.126   ready
                                                           k8s:io.cilium.k8s.policy.cluster=default
                                                           k8s:io.cilium.k8s.policy.serviceaccount=app1-account
                                                           k8s:io.kubernetes.pod.namespace=default
                                                           k8s:zgroup=testapp
[...]
```

As can be seen, the selection based on `k8s:id=app1` is not sufficient, as the Cilium label selector works slightly differently from the K8s label selector in that the former needs to specify the K8s namespace. Hence, for the IPv6 tests, add the `k8s:io.kubernetes.pod.namespace=default` namespace selector.

Fixes: d1a61479eae3 ("test/k8s: Add tests for same-node IPv6 service connectivity") Fixes: a6c62bae969c ("test/k8s: Test IPv6 ClusterIP service connectivity across nodes") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 18 February 2020, 17:24:44 UTC
e317054 plugins: Enable address allocation expiration [ upstream commit 82a8c71556820af2fd74329ce68169c25f4ce00b ] This is a replacement fix for ab61853ca3 which turned out to be racy, leading to live PodIPs being freed. Instead of attempting to reconstruct the context for potential release in CNI DEL for any failure scenarios, introduce an expiration timer that is enabled when any IP is allocated via the CNI plugin. The expiration timer must be explicitly stopped by the endpoint creation following the allocation to avoid releasing the IP again after a timeout. This ensures that IPs are always either used or released without requiring any cleanup from the CNI plugin itself. In the event that an IP is released due to expiration but endpoint creation then still goes ahead, the endpoint creation will fail, triggering a re-creation of the endpoint. Fixes: #10065 Fixes: ab61853ca32 ("cni: Release IP even when endpoint deletion fails") Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 18 February 2020, 17:24:44 UTC
2b15e76 api: Add ability to return and specify address expiration [ upstream commit 76a572782b48f5474f385a9436341b9fa7c16f93 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 18 February 2020, 17:24:44 UTC
8e7be92 ipam: Add AllocateNextWithExpiration [ upstream commit 81f34e15244d40c17ba108f1a7f5bee6171eaca0 ] Adds a helper function to allocate required addresses and start the expiration timer for all allocated IPs. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 18 February 2020, 17:24:44 UTC
af622e2 ipam: Add expiration functionality [ upstream commit b66a0f1c1133de969319b305a2b32c169698fedc ] Introduce the ability to mark an IP to be expired after a certain time unless usage is confirmed in a later step. Protect IP reuse with active expiration timers with the help of a UUID. Updates: #10065 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 18 February 2020, 17:24:44 UTC
cfb3ebe cilium: set output mark for tunnel case [ upstream commit b6f2e75d5b98bc200817da41f96c6522866cdd4a ] We currently set the output mark only for subnet enabled cases. But we actually want it in tunnel cases as well, and to simplify the design we can enable it in all cases. This will cause the encryption route table to be used after encryption, which, after the previous patch, now uses the correct route MTU for both tunnel and routing modes. Otherwise encrypted packets could use the main table again, which has route MTU set to encryption overhead + tunnel overhead, which results in dropping (sending icmp MSS exceeded) packets that are close to the MTU limits before encryption. The result is a smaller MTU than expected. With the output mark set we instead use the routing table which will have the high MTU set. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 18 February 2020, 17:24:44 UTC
9953492 cilium: encryption route table need to account for tunnel headers [ upstream commit 25a890ca67968f06ab5667159a7ea4dbbbce4d04 ]

The encryption table is used after encrypting the packet. Here the packet is encrypted but in the tunnel case must still account for encap overhead. To ensure this, set the MTU of routes here subtracted by the tunnel overhead. After this patch, on a typical deployment with MTU=1500:

```
$ kubectl exec -ti -n kube-system cilium-9k9bk -- ip r s t 200
local 10.26.0.0/16 dev cilium_vxlan proto 50 scope host
10.250.0.0/16 dev cilium_host mtu 1450
```

Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 18 February 2020, 17:24:44 UTC
38fdd12 cilium: set mtu on tunnel device [ upstream commit 6ce55626e436c2831892941801143cda03c6e754 ]

Currently the tunnel device MTU will not be set. If the underlying device is running some other MTU size this creates a case where the MTU on the tunnel device is not in sync. For example on a system with 9000 MTU:

```
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:01:02:03:04:05 brd ff:ff:ff:ff:ff:ff
7: cilium_net@cilium_host: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 56:92:81:65:04:b6 brd ff:ff:ff:ff:ff:ff
8: cilium_host@cilium_net: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether f6:9f:7e:fd:be:4a brd ff:ff:ff:ff:ff:ff
9: cilium_vxlan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether de:d3:72:2a:69:8a brd ff:ff:ff:ff:ff:ff
```

Or going the other way with a network facing interface <1500, my GKE setup is the following:

```
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 42:01:0a:8a:00:19 brd ff:ff:ff:ff:ff:ff
13: cilium_net@cilium_host: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 82:80:8c:7a:36:4a brd ff:ff:ff:ff:ff:ff
14: cilium_host@cilium_net: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether ca:98:07:56:a1:2f brd ff:ff:ff:ff:ff:ff
15: cilium_vxlan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 52:a7:67:e4:53:e4 brd ff:ff:ff:ff:ff:ff
```

Sending 1500 MTU on a 1460 interface doesn't make sense. But the routes configured in the main table will help:

```
$ kubectl exec -ti -n cilium cilium-cwcbc -- ip r s
default via 10.138.0.1 dev eth0 proto dhcp src 10.138.0.25 metric 100
10.36.0.0/24 via 10.36.1.3 dev cilium_host src 10.36.1.3 mtu 1333
10.36.1.0/24 via 10.36.1.3 dev cilium_host src 10.36.1.3 mtu 1333
10.36.1.3 dev cilium_host scope link
10.138.0.1 dev eth0 proto dhcp scope link src 10.138.0.25 metric 100
169.254.123.0/24 dev docker0 proto kernel scope link src 169.254.123.1 linkdown
```

Still it would be best if the tunnel interface uses the same MTU size as cilium_{host|net}.

Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 18 February 2020, 17:24:44 UTC
e01dd97 clustermesh: Add cilium status section [ upstream commit 1bf235a4cecbc844740e949165607cd25b33e1a4 ]

Brief status:

```
ClusterMesh:   1/1 clusters ready, 1 global-services
```

Verbose status:

```
ClusterMesh:   1/1 clusters ready, 1 global-services
   cluster2: ready, 2 nodes, 3 identities, 1 services
   └  etcd: 1/1 connected, lease-ID=19b870354bdf4432, lock lease-ID=19b870354bdf4434, has-quorum=true: https://cluster2.mesh.cilium.io:2379 - 3.3.12
```

Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 17 February 2020, 20:00:46 UTC
ea7e543 vagrant: Install temporary forked bpftool [ upstream commit 1810709a25e50d8db9101d1ede71be8568220317 ]

Provisioning of the Vagrant development environment fails due to the missing forked bpftool:

```
$ ./contrib/vagrant/start.sh
[...]
runtime1: Feb 13 17:26:23 runtime1 cilium-agent[20863]: level=error msg="Command execution failed" cmd="[bpftool -j feature probe filter_out \\(trace\\|write_user\\)]" error="exit status 255" subsys=probes
runtime1: Feb 13 17:26:23 runtime1 cilium-agent[20863]: level=warning msg="{\"error\":\"expected no more arguments, 'kernel', 'dev', 'macros' or 'prefix', got: 'filter_out'?\"}" subsys=probes
runtime1: Feb 13 17:26:23 runtime1 cilium-agent[20863]: level=fatal msg="could not run bpftool" error="exit status 255" subsys=probes
runtime1: Cilium failed to start
[...]
```

This provisioning failure was introduced by #10164. Cilium now expects bpftool to be Cilium's (temporary) forked version, but the VirtualBox VM has the upstream bpftool. This commit installs the forked bpftool as part of the Vagrant provisioning.

Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 17 February 2020, 20:00:46 UTC
b175cd7 docs: fix link for Cilium-PR-Kubernetes-Upstream job [ upstream commit 5b9002d61500b674c04b5bdd4aa00f91619af8e0 ] Signed-off-by: Tobias Klauser <tklauser@distanz.ch> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 17 February 2020, 20:00:46 UTC
fa66793 golang: update to 1.13.8 [ upstream commit 459925361e4a05f83c4366df93830c017e9a0425 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 17 February 2020, 20:00:46 UTC
a5f0a06 maps/nat: return NatEntry6 for NatKey6 NewValue() instead of NatEntry4 [ upstream commit 8408128c2504ecd263fba6d8d7f9ea6fe158302a ]

When Cilium performs a connection tracking garbage collection it will also purge NAT entries from the NAT bpf map. To perform this action, Cilium will execute BPF map lookups from userspace by giving the memory location of a golang structure, previously NatEntry4, now NatEntry6. The kernel will then write into this memory location the value of the NAT entry being looked up. As the size of NatEntry4 is only 38 bytes, as opposed to NatEntry6 which is 50 bytes, the kernel would then write 12 bytes into random memory locations of the Cilium agent. This could cause the Cilium agent to crash or to have errors such as:

```
msg="Cannot create CEP" ... error="CiliumEndpoint.cilium.io \"��\\x00\\x00\\x00\\x00\\x00\\x00-multi-node-headless-854b65674d-lj45r\" is invalid: metadata.name: Invalid value: \"��\\x00\\x00\\x00\\x00\\x00\\x00-multi-node-headless-854b65674d-lj45r\":
```

Fixes: b9d2a0a9dcbd ("maps/nat: Add NatKey{4,6} types") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 17 February 2020, 20:00:46 UTC
594109c bugtool: Dump NAT BPF maps entries with bpftool [ upstream commit 5e01fb62e1818a1067917c17bd586c82dca28a20 ] If "cilium bpf nat list" fails, then we will be able to rely on the raw dumps when debugging. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 17 February 2020, 20:00:46 UTC
e35955e clustermesh: Handle no-first connection in status [ upstream commit b3a0bf3aeb54c47098b1ab8a051477818e1b72d5 ] When the initial connection is being made and it is slow, or fails, the remoteCluster is not fully initialized. This causes a segfault in the status function. This is now handled. Signed-off-by: Ray Bejjani <ray@isovalent.com> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 17 February 2020, 20:00:46 UTC
ddb8211 clustermesh: Use remote kvstore backend [ upstream commit f28f6cd887f6699bc023fdee9e5f5be51429a31c ] Clustermesh remote-cluster watching accidentally used the local caching identity allocator in cilium-agent. This meant that while ipcache and nodes were synced correctly, identities were not. This was because the watch was called on the main identity allocator, adding itself to itself as a remote cluster. This resulted in two connections to the local etcd, and double entries when listing identities. A new allocator instance is created to use the remote cluster etcd backend. This is then added to the main allocator's remote clusters list. Signed-off-by: Ray Bejjani <ray@isovalent.com> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 17 February 2020, 20:00:46 UTC
beea442 kvstore/allocator: Keep internal reference to backend [ upstream commit 913ed2294c7edaf4984f129c64f1b36b02abe04a ] We previously only used single pkg/kvstore/allocator.kvstoreBackend instance system-wide. This also used a single, global, etcd/consul backend instance (in this case a backend to allocator.kvstoreBackend, itself the kvstore backend for the identity allocator). With clustermesh, cilium-agent needs to sync with remote etcd instances. This means that multiple etcd clients can exist, and that the identity allocator may use different ones. This is now possible by keeping an internal reference instead of using the global one. Signed-off-by: Ray Bejjani <ray@isovalent.com> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 17 February 2020, 20:00:46 UTC
f171da1 kvstore: Replace package calls with .Client.function [ upstream commit 76c7fcad95a651f22128af96aa8d546682da3cd9 ] We need to use different backends at the same time. Currently we assume a single connected backend instance by using the package level functions. We now directly call these functions on the default client instead, allowing future changes to use non-global instances of the backends. Signed-off-by: Ray Bejjani <ray@isovalent.com> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 17 February 2020, 20:00:46 UTC
11d6d66 kvstore: Move Trace calls into backends [ upstream commit f868f97525d4d8c973981f7f889310ae36ed46a6 ] We need to avoid using the package level functions but need to keep the tracing for debug. Moving the trace calls into the kvstore backends is verbose but is the simplest way to do this. Signed-off-by: Ray Bejjani <ray@isovalent.com> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 17 February 2020, 20:00:46 UTC
b43e4e0 bpf: Protect each uintptr with runtime.KeepAlive [ upstream commit 9f492a1b9ed8f8d665bc885fca02a7b9e521c96d ] Go's GC is unable to track objects referred to by uintptr [1] [2]. A consequence of this is that the GC might collect such objects when a blocking syscall is executed. This might corrupt memory of other Go objects, e.g. if the reclaimed memory is used for new objects and the kernel modifies the objects in the context of the blocking syscall. To prevent this, we protect each pointer to objects with runtime.KeepAlive(), which marks the objects as alive at least until runtime.KeepAlive() has been called. [1]: https://github.com/golang/go/issues/13372#issuecomment-160655731 [2]: https://utcc.utoronto.ca/~cks/space/blog/programming/GoUintptrVsUnsafePointer Co-developed-by: André Martins <andre@cilium.io> Co-developed-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 17 February 2020, 20:00:46 UTC
6843735 bpf: Fix space hack in Makefile [ upstream commit 46300783b166ac13300d78113e99a2a6e1cbf534 ]

Fix the space hack which stopped working with make v4.3 (works with v4.2 though):

```
[..]
" [-DENABLE_HOST_REDIRECT-DENABLE_IPV4-DENABLE_IPV6-DENABLE_NAT46]"; clang -DENABLE_HOST_REDIRECT-DENABLE_IPV4-DENABLE_IPV6-DENABLE_NAT46 -I/home/brb/sandbox/gopath/src/github.com/cilium/cilium/bpf/include -I/home/brb/sandbox/gopath/src/github.com/cilium/cilium/bpf -D__NR_CPUS__=8 -O2 -g -target bpf -emit-llvm -Wall -Werror -Wno-address-of-packed-member -Wno-unknown-warning-option -c bpf_lxc.c -o bpf_lxc.ll; llc -march=bpf -mcpu=probe -mattr=dwarfris -o /dev/null bpf_lxc.ll; \
fi
In file included from <built-in>:323:
<command line>:1:20: error: ISO C99 requires whitespace after the macro name [-Werror,-Wc99-extensions]
#define ENABLE_IPV4-DHAVE_LPM_MAP_TYPE 1
```

Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 14 February 2020, 23:39:04 UTC
e561ae2 charts: Generate versions from VERSION file [ upstream commit 640b7a6cb35905ca1aafd3010baf9b8265d383c9 ]

Use the top-of-tree VERSION file to generate the chart versions and update the pull policy using the following rules:

* Set the helm chart versions to the VERSION in the file
* If the VERSION file ends with ".90":
  - Set the cilium tag to 'latest'
  - Set the pullPolicy to 'Always'
* If the VERSION file does not end with ".90":
  - Set the cilium tag to the VERSION in the file
  - Set the pullPolicy to 'IfNotPresent'
* Set the managed-etcd version tag to the version specified at the top of this Makefile. This must be manually bumped, it does not appear to follow the standard Cilium docker image tag process.

Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 14 February 2020, 23:39:04 UTC
cd943b8 ci: Install bpftool from Cilium fork of the kernel [ upstream commit c4b6095d69fca4b9875d2c222bba434e818632d6 ] This should be done in packer-ci-build, but to get the fix faster, we install patched bpftool here as a temporary hack... Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 14 February 2020, 23:39:04 UTC
3585b7a Dockerfile: Use Cilium fork of the kernel to build bpftool [ upstream commit 780393d48f31292fc33d887bd9adb06284a26287 ] The Cilium fork of the Linux kernel contains necessary enhancements for bpftool which are not available upstream yet. Ref: #10048 Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 14 February 2020, 23:39:04 UTC
f7aa388 datapath: Filter out bpftool probes emitting dmesg messages [ upstream commit 3f18897f19ec5eac8c2b0b1abe1278c26ddb7cf0 ] bpftool feature probes related to the trace, perf and write_user helpers emit dmesg messages with warnings which may be confusing for operators running Cilium in production environments. After this change, those probes will not be performed. Fixes #10048 Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 14 February 2020, 23:39:04 UTC
32f2449 docs: De-duplicate Connectivity Test section [ upstream commit a4ce0e1872e397acc50857f7b51accc35b8b3b26 ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 14 February 2020, 23:39:04 UTC
7c37a23 docs: Clarify why global.restartPods is not the default [ upstream commit 09fc8da0525485e53f439236f600972955acac20 ] Users might not want to restart pods as soon as the Cilium daemonset is installed, so we provide a separate step for that. Since we also mention the global.restartPods flag, let's clarify why that's not always a good idea and not our default. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 14 February 2020, 23:39:04 UTC
3047f43 docs: Duplicate validation step [ upstream commit 5dde03ae860f06eab0d44b78fd0b2144d93688ee ] Since we deploy Cilium in its own cilium namespace, we need to change the Validation section accordingly. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 14 February 2020, 23:39:04 UTC
5111fc3 docs: Fix formatting of link to GCloud SDK [ upstream commit 7d7a3db5a828d56244147138481da4d7ca9f880e ] Link format was Markdown instead of reStructuredText. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 14 February 2020, 23:39:04 UTC
47f390a api: Add missing annotations to generate DeepCopy for new status fields [ upstream commit f5c42e7e0cda0c2a0ee46a8467382c8acc6fd388 ] The referenced commits below did not add the annotations required to generate the DeepCopy() code. Add the annotations and autogenerate the code. Fixes: b2271f74c0f ("api: Extend proxy redirect status") Fixes: 06add2d8ba7 ("api: Add KubeProxyReplacement field to StatusResponse") Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 14 February 2020, 23:39:04 UTC
cbf5efc pkg/eventqueue: fix concurrent access of waitConsumeOffQueue [ upstream commit da2e6526b8da79ce8948399fca23691ef0b62be2 ] spanStart of waitConsumeOffQueue could be read before being written in case the buffered event was executed before the execution of waitConsumeOffQueue.Start() in the modified lines of this commit. To fix this we should execute waitConsumeOffQueue.Start() even before the event is put into the queue. Although it does not give the correct span stat, the developer or user can derive it by subtracting the waitEnqueue span to retrieve the real waitConsumeOffQueue span. Fixes: add0d65b0a90 ("add eventqueue package") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 14 February 2020, 23:39:04 UTC
75231d5 pkg/endpoint: access endpoint state safely across go routines [ upstream commit 4b61dd512f5df89647f6143dda5ef068b1861ccb ]

The getState function should only be called when the endpoint mutex is being held, which was not always the case. Changed the function call so that it can be accessed concurrently for the data race detected below:

```
==================
WARNING: DATA RACE
Write at 0x00c000544f30 by goroutine 56:
  github.com/cilium/cilium/pkg/endpoint.(*Endpoint).SetStateLocked()
      /go/src/github.com/cilium/cilium/pkg/endpoint/endpoint.go:1641 +0xe9
  github.com/cilium/cilium/pkg/endpoint.(*Endpoint).LeaveLocked()
      /go/src/github.com/cilium/cilium/pkg/endpoint/endpoint.go:1386 +0x333
  main.(*Daemon).deleteEndpointQuiet()
      /go/src/github.com/cilium/cilium/daemon/endpoint.go:651 +0x3e4
  main.(*Daemon).regenerateRestoredEndpoints.func2()
      /go/src/github.com/cilium/cilium/daemon/state.go:388 +0x49

Previous read at 0x00c000544f30 by goroutine 165:
  github.com/cilium/cilium/pkg/endpointmanager.releaseID()
      /go/src/github.com/cilium/cilium/pkg/endpoint/endpoint.go:1549 +0xb5
  github.com/cilium/cilium/pkg/endpointmanager.Remove.func1()
      /go/src/github.com/cilium/cilium/pkg/endpointmanager/manager.go:335 +0x88

Goroutine 56 (running) created at:
  main.(*Daemon).regenerateRestoredEndpoints()
      /go/src/github.com/cilium/cilium/daemon/state.go:382 +0x916
  main.(*Daemon).initRestore()
      /go/src/github.com/cilium/cilium/daemon/state.go:454 +0xf3
  main.runDaemon()
      /go/src/github.com/cilium/cilium/daemon/daemon_main.go:1441 +0xa17
  main.NewDaemon()
      /go/src/github.com/cilium/cilium/daemon/daemon.go:894 +0x23a4
  main.runDaemon()
      /go/src/github.com/cilium/cilium/daemon/daemon_main.go:1396 +0x314
  main.glob..func1()
      /go/src/github.com/cilium/cilium/daemon/daemon_main.go:121 +0xbf
  github.com/cilium/cilium/vendor/github.com/spf13/cobra.(*Command).execute()
      /go/src/github.com/cilium/cilium/vendor/github.com/spf13/cobra/command.go:766 +0x8eb
  github.com/cilium/cilium/vendor/github.com/spf13/cobra.(*Command).ExecuteC()
      /go/src/github.com/cilium/cilium/vendor/github.com/spf13/cobra/command.go:850 +0x41b
  main.daemonMain()
      /go/src/github.com/cilium/cilium/vendor/github.com/spf13/cobra/command.go:800 +0x237
  main.main()
      /go/src/github.com/cilium/cilium/daemon/main.go:18 +0x2f

Goroutine 165 (finished) created at:
  github.com/cilium/cilium/pkg/endpointmanager.Remove()
      /go/src/github.com/cilium/cilium/pkg/endpointmanager/manager.go:324 +0x121
  main.(*Daemon).deleteEndpointQuiet()
      /go/src/github.com/cilium/cilium/daemon/endpoint.go:614 +0x1a8
  main.(*Daemon).regenerateRestoredEndpoints.func2()
      /go/src/github.com/cilium/cilium/daemon/state.go:388 +0x49
==================
```

Fixes: f71d87a71c99 ("endpointmanager: signal when work is done") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 14 February 2020, 23:39:04 UTC
d9748ef docs: Update kube-router getting started guide [ upstream commit dcaaca27d7662f3b1aceb5827ab344b50e9a7694 ]

- Use the latest version of kube-router (v0.4.0). Otherwise, the installation of it fails with:

  ```
  error: unable to recognize "generic-kuberouter-only-advertise-routes.yaml": no matches for kind "DaemonSet" in version "extensions/v1beta1"
  ```

- Put args into quotes to be consistent with kube-router's DaemonSet file.
- Update connectivity check output.

Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 14 February 2020, 23:39:04 UTC
6162b5f docs: Use kube-system namespace consistently in Encryption guide [ upstream commit 9d00914c0b0575622e4e393a5909425778c53b59 ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 14 February 2020, 23:39:04 UTC
0a055dc test: bpf: Fix load for cgroups progs [ upstream commit b4cd2bceb95af789a8cea24e9241d3799875e752 ]

Fix the following failure:

```
$ TC=/path/to/cilium/tc/binary sudo -E test/bpf/verifier-test.sh
...
=> Loading sockops/bpf_sockops.c:sockops...
...
Error: unable to find map 'test_cilium_signals
```

Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 14 February 2020, 23:39:04 UTC
7487deb tests: update complexity check script to include new calls [ upstream commit bdb6d71aed2e52f44b57a850ef773918a5a57f63 ] Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 14 February 2020, 23:39:04 UTC
de22bfd Prepare for release v1.7.0-rc4 Signed-off-by: Joe Stringer <joe@cilium.io> 13 February 2020, 00:21:13 UTC
24ad899 ipcache: Add probe to check for dump capability to support delete [ upstream commit 69a6fcea473487c08ccc9701c99c79ff944118d3 ]

Besides the ability to delete, the ipcache garbage collector also requires the ability to dump the table. Add this to the existing probe which feeds `SupportsDelete()`.

```
level=debug msg="Detected IPCache delete operation support: true" subsys=map-ipcache
level=debug msg="Detected IPCache dump operation support: true" subsys=map-ipcache
```

Fixes: #10080 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
1742391 test/k8s: Test IPv6 ClusterIP service connectivity across nodes [ upstream commit a6c62bae969c43b87a0c160c18b4fdabdbb4a326 ] This tests the ClusterIP IPv6 reachability for the service tests across nodes. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
5f23c39 test/k8s: Bump cilium/echoserver to 1.10.1 [ upstream commit aee3c0a67d1b2a708b3b399e6f9bd727784e938c ] The new tag listens on IPv4 and IPv6 connections, used in subsequent service tests for IPv6 connectivity. Since the server can observe the client addresses now in the 4-in-6 format, we make sure to compare the parsed IP addresses in the source IP test. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
731b983 test/k8s: Add tests for same-node IPv6 service connectivity [ upstream commit d1a61479eae3e1d3d83d598f3e7bfbbceaebac3b ] This adds tests for Kubernetes ClusterIP services with IPv6. It mirrors the existing IPv4 versions. Because the deployed Kubernetes is not running in IPv4/IPv6 dual-stack mode, we are using the Cilium CLI to install the service rules for the services deployed in the existing IPv4 tests. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
8b7b8ba test/k8s: Bump cilium/json-mock to 1.2 [ upstream commit fefff1f01f17856fc3ee971876b3ebcdf4c60ef9 ] The new version listens to both IPv4 and IPv6 connections. This is required for the IPv6 tests added in a subsequent commit. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
2e2a561 test/k8s: Add helper to get IPv6 addresses of Cilium endpoints [ upstream commit afb38e86b9092bea7e88fc163f6e9791a7ee4f80 ] This will be used to fetch the IPv6 backends for endpoints with a certain Kubernetes or Cilium label. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
677d725 test/k8s: Add helpers to create Cilium services via CLI [ upstream commit 08e4d14e4624df6ca8150e05a5c12cbb1aa939c0 ] This adds helpers to invoke `cilium service update` and `cilium service delete` via kubectl. It will be used to install IPv6 services for tests on Kubernetes deployments that do not yet have dual-stack mode enabled. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
2367453 doc: Update guides to include new connectivity check [ upstream commit cf516592a7de38fc4ca172d8c256dc693e74efc4 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
76eb53d connectivity-check: Generate all-in-one connectivity-check.yaml [ upstream commit 2ac5f30bc9f1f88695da9e524289cb090ae616c3 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
2f42a47 connectivity-check: Add additional test cases [ upstream commit ea35e2695040cde6349c2a501bcfcb5d26e8fded ]

* Add host to pod via clusterIP
* Add host to pod via headless service
* Add pod to pod via headless service

Also use a more optimized base image for all clients which will not run a HTTP server and thus won't listen to any ports. Doing so complicates running hostNetworking pods to simulate host traffic.

Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
8efa088 ginkgo: Bump all timeouts [ upstream commit adfa9e7c915bbb0f18a391be59929ca9a98d2424 ] Have been hit by back to back provisioning failures due to timeouts being hit on processes that seem to have been progressing, albeit maybe slower than normal. After timeout VM provisioning is tried again, but overall we seem to be using more time due to cutting progressing processes off too eagerly. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
4da20d6 Address review comments (round 2) [ upstream commit 565dca4d9bb8e998f739cbd8adee414aea2deba0 ] Addressing Joe's review comments. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
97065f8 policy: Skip generating L3/L4 keys in some cases [ upstream commit 3dc57685e1146aed401a7a26c1bc84181d0b518d ] Skip generating L3/L4 keys if the L4-only key (for the same L4 port and protocol) has the same effect w.r.t. redirecting to the proxy or not, considering that the L3/L4 key should redirect if the L4-only key does. In summary, if we have both L3/L4 and L4-only keys:
    L3/L4          L4-only        Skip generating L3/L4 key
    redirect       no redirect    no  (redirection is not needed for the L4 port in general)
    no redirect    no redirect    yes (same entry in both keys)
    redirect       redirect       yes (same entry in both keys)
    no redirect    redirect       yes (redirection is needed for the L4 port)
Signed-off-by: Jarno Rajahlame <jarno@covalent.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
48a8d15 policy: Add wildcard member to L4Filter [ upstream commit 5bfae92885ef9f2c053b8bd3d1956eaeac74c5a4 ] Keep track if the L4Filter has a wildcard (cached) selector. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
5a5aca4 policy: Add on-demand wildcarding for generic L7 [ upstream commit 5c7344e1338229df7b57ba52dceffce45f3d1248 ] Generic L7 also needs to be wildcarded with an empty key-value map if an L3/L4 rule is merged with a generic L7 rule. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
b475f9e bpf: Look up L4 before L3 and redirect to proxy if either L4 result redirects [ upstream commit d3edaec1978939dd57314d6e637bbda186ba110a ] Always look up both L3/L4 and L4-only to find out if either of them redirects to proxy. This allows elimination of additionally generated policy map entries that would otherwise be needed to ensure L4-only policy redirects to the proxy in the presence of L3/L4 policies that do not redirect. This implementation is somewhat constrained by the bpf verifier not being able to handle two policy lookup results at the same time. This is why the packet is accounted towards both rules if it matches both an L3/L4 rule that does not redirect and an L4-only rule. This double-accounting could be eliminated by repeating the first policy map lookup, but that would add otherwise unnecessary overhead. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
5140097 Address review comments (round 1) [ upstream commit 872b3b53988d4b0c2aa35c3f8325a13fbf895efd ] Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
cbe3bd7 Apply all full-path-dependence rules at the same time. [ upstream commit 9c61db741d70e8ab870a27b4b9a9c31a1fd525a7 ] Signed-off-by: Ray Bejjani <ray@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
97f9887 policy: Give priority for L7 redirect entries [ upstream commit 015d90ce1066c5843c65cc86928fb8516ffa3725 ] Two selectors can select the same security identity, and the policy can specify L7-rules for one of them, but not the other. While L7 enforcement would make this policy inconsistent, such a policy is valid for L7 visibility. To ensure consistent behavior give priority to redirect in the case the same map key has both a redirect and non-redirect. The implementation requires updates on a given security ID to happen atomically. To achieve this ConsumeMapChanges() is moved to the endpoint policy, which can lock the selectorcache to guarantee that concurrent updates on any new security ID have completed. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
63927d6 test: Add test with multiple ingress rules on the same port [ upstream commit c8c311840a249117291a1f9c7ba8bd0765e84d2b ] Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
7e529fc policy: Rename PerEpData to PerSelectorPolicy [ upstream commit 3c4095f3c5dcd7eb9cd241d9b8d010ed7e83dd4e ] This data has never been per Endpoint, renaming should clarify this. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
2144150 policy: Remove AllowsAllAtL3() and HasL3DependentL7Rules() [ upstream commit 88a73248a6dba5328189fb96240e17589518c00f ] These are no longer needed so remove them. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
ff76dd2 test: Make FQDN runtime tests more robust. [ upstream commit 00f151ff66e5cbf90a1fbfd8cfd2352ac783ab4e ] Allow docker network "world" to exist in advance. This is helpful when focus testing different tests on the same VM. Do not expect FQDN selectors to have selected any IDs right after the policy is first imported. It is common to have no IDs when the policy is first imported, but no IPs have yet been resolved via the DNS proxy. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
68ff5d3 policy: Change ToKeys() to ToMapState() [ upstream commit cb4c1df37ea949eb8e3fac623f032e1934bd4be6 ] Rename ToKeys() to ToMapState() and return a map instead of just the keys. A map value with 0 port number means no redirection, while a map value with any other port number signifies proxy redirection. The port value returned (for entries that need proxy redirection) will be replaced by the actual proxy listening port numbers by the caller of ToMapState(). This allows different bpf policy map entries derived from the same L4 filter to redirect to the proxy or not. To help separate these two cases we have to remove the mass wildcarding of policy rules by removing the calls to wildcardL3L4Rule() and wildcardL3L4Rules(). These changes revealed a policy evaluation bug in cilium-envoy. Use a new Envoy image to address this. Note that this bug does not trigger with the previous "mass wildcarding" behavior of cilium-agent. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
36fb5da policy: Always pass CachedSelectors as the implementation type. [ upstream commit d84ee5215c7a695a8c23bcfa41098d8860de58e5 ] The CachedSelector interface values passed from the selector cache are used as map keys in the policy implementation. To properly function as map keys, they must always be passed as the pointer to the implementation of the same type. 'notifyUsers' was implemented by the "base class" (selectorManager), so when it passed a pointer to itself as a CachedSelector, the type inside the interface pointed to the selectorManager type, not the original fqdnSelector or labelIdentitySelector, causing map lookup failures. The CachedSelector passed by 'notifyUsers' was not previously used as a map key, so this error did not surface earlier. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
147a438 policy: Unify CachedSelectors and L7RulesPerEp [ upstream commit ba98f0ea3ead15c9a0816ea65166cb741b6daa72 ] Currently all selectors used by a policy are stored in 'CachedSelectors', while a subset of them having L7 rules are present in the L7RulesPerEp. Moving to an on-demand L7 wildcarding scheme requires keeping track of selectors without L7 rules (as those need wildcarding if merged with a filter with L7 rules). Do this by placing all selectors into L7RulesPerEp, while renaming it to 'L7RulesPerSelector'. Selectors without L7 rules have a value 'nil' in this map, which now represents "L7 wildcard". Remove 'CachedSelectors' as it is now fully redundant. Proxies (DNS, Kafka, Envoy) are updated to accept 'nil' as a wildcard rule. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
d597869 daemon: Add L3-dependent L7 policy test [ upstream commit 55be11b58e72cc7745042b0cafffffe08627c49f ] Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
be75b4a policy: Fix test combining of L4 and L7. [ upstream commit aff13556af9aa8c62138d54dc6d2d0de91bf97b4 ] Specify slice size as 0 when making it so that it is not full of zero entries to begin with. This has no effect on test results, but fixing this reduces confusion in reading the test output. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
d8c2916 doc: Mark encryption as stable for direct-routing and ENI mode [ upstream commit 3fd7a6a25125d7d1f1c8e9025539e206f7add2e3 ] Fixes: #10123 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
263efea docs: reclarify upgrade guide for deprecated label [ upstream commit dd534bc55947d54b8071ae067238ae9cdbe1b66b ] As removing the labels is an extremely complex operation we should warn the users that the label was removed but still give them the option to keep the label to upgrade from older versions to v1.7. During testing it was found that following the existing upgrade guide could leave 2 Cilium pods running per node when performing a downgrade. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
32bead2 test: fix upgrade-downgrade test with helm installation [ upstream commit 25ee77eb9c3e524ff6001d79cd2b566e30d2d124 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
44e8afe fixed padding after code blocks [ upstream commit 5f62b560e64843492423be0fd297019571b7207d ] Signed-off-by: Dmitry Kharitonov <geakstr@me.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
ce63b88 docs: Mention direct routing mode requirement for DSR [ upstream commit 02aba8bff4356c664c61bb15ce1f8eeca9a67a29 ] Direct Server Return (DSR) currently requires Cilium to be deployed in direct routing mode. This patch updates the kube-proxy-free documentation to reflect this. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
8837798 doc: Document L7 limitation in azure-cni chaining mode [ upstream commit 6b9559ecf021ef2a73025243fa1833fbfdc6b1b1 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
9ddda6d Add required etcd version for external etcd guide [ upstream commit 7b03642caeb64fc00d02e0a7c2c586b0f7c6498a ] Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
e973565 bpf: Fix proxy redirection for egress programs [ upstream commit c58d749816d943c4f9426f67738013f4e8778463 ] * Handling of the proxy redirection was missing entirely in the to-container section for IPv6. Add it. * The to-container section case was assuming that any proxy redirection is indicated by ipv{46}_policy() returning a non-zero proxy port. This is no longer true since commit 830adba. Fix this by using a separate return code to indicate proxy redirection and treating the proxy port as optional. The above deficits led to proxy redirection being ineffective when the setting EnableEndpointRoutes was set. Fixes: 830adba1c02 ("bpf: Support proxy using original source address and port.") Fixes: 25a80dfdd5e ("bpf: Add to-container section to bpf_lxc") Fixes: #10105 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
1cb5650 kubernetes: Updated connectivity check [ upstream commit 54d9254abba5b4bb76df58f7074a0aaa4895253b ] Improved connectivity check with the ability to test various connectivity and policy variations. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
a659819 test: Do not remove tc filter from native dev [ upstream commit 7fc73b855d9198a3cdf76232b65096c9aee45a4b ] The programs will be removed by cilium-agent during its bootstrap. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
e63ff1e bpf: Remove bpf_netdev.o from previously used devices [ upstream commit 1239278985e54d21c1ce38712e6bd811d46e1f5d ] This commit makes cilium-agent remove bpf_netdev.o from devices which are no longer supposed to have the program attached. This can happen when e.g. a user has specified a different device for NodePort via `--device` or they switched from the direct routing mode to the tunnel mode. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
81f4dd7 bpf, sock: fix post-bind-sock{4,6} not found in ELF file [ upstream commit 022673fa29dc19a42800694d1d2e8f1442df1a5e ] If kube-proxy replacement is in partial mode and only host-reachable services are enabled, the agent will bail out with the following error: [...] level=warning msg="+ tc exec bpf pin /sys/fs/bpf/tc/globals/cilium_cgroups_post_bind4 obj bpf_sock.o type sock attach_type post_bind4 sec post-bind-sock4" subsys=datapath-loader level=warning msg="Program section 'post-bind-sock4' not found in ELF file!" subsys=datapath-loader [...] Given externalIPs depends on NodePort, we can reuse $NODE_PORT in init.sh. Also fix up some small code nits in bpf_sock in bind sections. Fixes: #10120 Fixes: b25663e65d31 ("bpf: Add post_bind{4,6} programs to block NodePorts") Reported-by: Paul Chaignon <paul@isovalent.com> Reported-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
f45fff5 install/kubernetes: add option to hold cilium agent on clean [ upstream commit a86c3a1ffa81482500eec0868aa3ad089a8e9cc7 ] In the upgrade test we clean up all Cilium state to perform a clean upgrade test. Since that clean up requires that a Cilium agent is not running we need to change the arguments of the Cilium container image to avoid running Cilium at the same time we are cleaning its state. Thus, this commit introduces a new helm option that changes the Cilium container image cmd argument to not perform any action in the node while cleaning up its state. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
88f72ce Documentation: Switch EKS documentation to default to ENI [ upstream commit 074b092685aff1797ed0224d060b6997f82aabc5 ] ENI has been rock-solid and it is time to point the default EKS documentation to use ENI mode. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
aa3bc88 daemon, probe: whether CONFIG_CGROUP_BPF is compiled in [ upstream commit abf5366a5d4418f01432563d8e402fb957cd12e7 ] Given for new deployments, we probe the kernel and selectively disable kube-proxy replacement features, we need to dig a bit deeper to check whether CONFIG_CGROUP_BPF is compiled in as otherwise we'd try to proceed with host-reachable services and will later fail to start-up in init.sh given we cannot attach: [...] level=warning msg="+ bpftool cgroup attach /var/run/cilium/cgroupv2 post_bind6 pinned /sys/fs/bpf/tc/globals/cilium_cgroups_post_bind6" subsys=datapath-loader level=warning msg="Error: failed to attach program" subsys=datapath-loader I went with improving TestDummyProg() rather than relying on a .config to determine availability of CONFIG_CGROUP_BPF since a config may not necessarily be available on the underlying system. I've explicitly used an invalid fd as target cgroup fd to probe on EBADFD code. When compiled out, we'll simply always get an EINVAL for all kernels. Fixes: #10097 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
8764e7c bpf: fix incompatible pointer type warning on mac addr [ upstream commit 211883c85c45f65d76c3e2f81c5b2d283f115278 ] [...] level=warning msg="In file included from /var/lib/cilium/bpf/bpf_netdev.c:52:" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/nodeport.h:1057:26: warning: incompatible pointer types passing 'uint8_t (*)[6]' to parameter of type 'uint8_t *' (aka 'unsigned char *') [-Wincompatible-pointer-types]" subsys=datapath-loader level=warning msg=" if (eth_load_saddr(skb, &smac.addr, 0) < 0)" subsys=datapath-loader level=warning msg=" ^~~~~~~~~~" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/eth.h:63:63: note: passing argument to parameter 'mac' here" subsys=datapath-loader level=warning msg="static inline int eth_load_saddr(struct __sk_buff *skb, __u8 *mac, int off)" subsys=datapath-loader level=warning msg=" ^" subsys=datapath-loader level=warning msg="In file included from /var/lib/cilium/bpf/bpf_netdev.c:52:" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/nodeport.h:1151:32: warning: incompatible pointer types passing 'uint8_t (*)[6]' to parameter of type 'uint8_t *' (aka 'unsigned char *') [-Wincompatible-pointer-types]" subsys=datapath-loader level=warning msg=" if (eth_store_daddr(skb, &dmac->addr, 0) < 0)" subsys=datapath-loader level=warning msg=" ^~~~~~~~~~~" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/eth.h:78:64: note: passing argument to parameter 'mac' here" subsys=datapath-loader level=warning msg="static inline int eth_store_daddr(struct __sk_buff *skb, __u8 *mac, int off)" subsys=datapath-loader level=warning msg=" ^" subsys=datapath-loader level=warning msg="In file included from /var/lib/cilium/bpf/bpf_netdev.c:52:" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/nodeport.h:1153:32: warning: incompatible pointer types passing 'uint8_t (*)[6]' to parameter of type 'uint8_t *' (aka 'unsigned char *') [-Wincompatible-pointer-types]" subsys=datapath-loader level=warning msg=" if (eth_store_saddr(skb, &mac->addr, 0) < 0)" subsys=datapath-loader level=warning msg=" ^~~~~~~~~~" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/eth.h:68:64: note: passing argument to parameter 'mac' here" subsys=datapath-loader level=warning msg="static inline int eth_store_saddr(struct __sk_buff *skb, __u8 *mac, int off)" subsys=datapath-loader level=warning msg=" ^" subsys=datapath-loader [...] Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
4f4f77a bpf, daemon: fix CT_REPORT_FLAGS truncation warning [ upstream commit 5c8537cb09aad56ad0f1774c1a6ce5e1651a2d32 ] The value really needs to be 0xff. We got that correct in the shipped bpf/node_config.h file, but not for the go generated header where it is currently ^uint16(0). Therefore fix up TCPFlags. [...] level=warning msg="+ clang -O2 -g -target bpf -emit-llvm -Wno-address-of-packed-member -Wno-unknown-warning-option -I. -I/run/cilium/state/globals -I/var/lib/cilium/bpf -I/var/lib/cilium/bpf/include -D__NR_CPUS__=2 -DENABLE_ARP_RESPONDER -DHANDLE_NS -DSECLABEL=2 -DLB_L3 -DLB_L4 -DBPF_PKT_DIR=0 '-DNODE_MAC={.addr={0x42,0x09,0x4d,0x59,0x33,0xe9}}' -DCALLS_MAP=cilium_calls_netdev_2 -c /var/lib/cilium/bpf/bpf_netdev.c -o -" subsys=datapath-loader level=warning msg="In file included from /var/lib/cilium/bpf/bpf_netdev.c:50:" subsys=datapath-loader level=warning msg="In file included from /var/lib/cilium/bpf/lib/nat.h:32:" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/conntrack.h:178:8: warning: implicit conversion from 'int' to 'uint8_t' (aka 'unsigned char') changes value from 65535 to 255 [-Wconstant-conversion]" subsys=datapath-loader level=warning msg=" CT_REPORT_FLAGS);" subsys=datapath-loader level=warning msg=" ^~~~~~~~~~~~~~~" subsys=datapath-loader level=warning msg="/run/cilium/state/globals/node_config.h:28:25: note: expanded from macro 'CT_REPORT_FLAGS'" subsys=datapath-loader level=warning msg="#define CT_REPORT_FLAGS 0xffff" subsys=datapath-loader level=warning msg=" ^~~~~~" subsys=datapath-loader level=warning msg="In file included from /var/lib/cilium/bpf/bpf_netdev.c:50:" subsys=datapath-loader level=warning msg="In file included from /var/lib/cilium/bpf/lib/nat.h:32:" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/conntrack.h:296:22: warning: implicit conversion from 'int' to 'uint8_t' (aka 'unsigned char') changes value from 65535 to 255 [-Wconstant-conversion]" subsys=datapath-loader level=warning msg=" seen_flags, CT_REPORT_FLAGS);" subsys=datapath-loader level=warning msg=" ^~~~~~~~~~~~~~~" subsys=datapath-loader level=warning msg="/run/cilium/state/globals/node_config.h:28:25: note: expanded from macro 'CT_REPORT_FLAGS'" subsys=datapath-loader level=warning msg="#define CT_REPORT_FLAGS 0xffff" subsys=datapath-loader level=warning msg=" ^~~~~~" subsys=datapath-loader [...] Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
bfe0676 Fix path to print-node-ip script in jenkinsfile [ upstream commit 20f7a79b53ad16b467b41e9e0a3c8f86d72e64d3 ] Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
a1dfaf9 test: Refactor deleteCiliumDS() usage [ upstream commit 2a8cbab0e6a9e8847abf15fc81643ee3383ffee0 ] - Move the function to helpers/kubectl.go. - Make sure that the function is called in AfterAll() of each suite. - Remove redundant deleteCiliumDS() calls. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
f58408a test: Remove cilium DS before installing a new one [ upstream commit 39b243aea095807f60fb51a1e109a9c6e84dad65 ] Previously, when installing Cilium via "ciliumInstallHelm()", changes to ConfigMap were not applied if Cilium DaemonSet had already been installed. An example of such occurrence in test logs: time="2020-02-01T21:01:58Z" level=debug msg="running command: kubectl apply --force=true -f cilium-15ef6310fc44caf0.yaml -n kube-system" cmd: "kubectl apply --force=true -f cilium-15ef6310fc44caf0.yaml -n kube-system" exitCode: 0 duration: 118.450977ms stdout: configmap/cilium-config configured serviceaccount/cilium unchanged serviceaccount/cilium-operator unchanged clusterrole.rbac.authorization.k8s.io/cilium unchanged clusterrole.rbac.authorization.k8s.io/cilium-operator unchanged clusterrolebinding.rbac.authorization.k8s.io/cilium unchanged clusterrolebinding.rbac.authorization.k8s.io/cilium-operator unchanged daemonset.apps/cilium unchanged deployment.apps/cilium-operator configured The missing removal of the Cilium DS was causing some flakes, e.g. when the test suite k8sT/external_ips.go was run before k8sT/Services.go. The former in some test cases was using `--device=enp0s9` instead of `--device=enp0s8`, and k8sT/Services.go required the latter device setting. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
e65fbb3 ServiceMonitor should default to release namespace [ upstream commit 629db726d96d8dddc5206b021170510d8ab0fc6d ] Signed-off-by: Dan Sexton <dan.b.sexton@gmail.com> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
a639ad4 ipcache: Fix ipcache pod IP update [ upstream commit 3526d4efb0138e60774eeb333c42ab50f703deea ] If an IP was reused by another pod, then a bug in the pod/namespace comparison logic would prevent the ipcache being updated for the pod. Fix it. Reported-at: https://lgtm.com/projects/g/cilium/cilium/alerts Fixes: 348051e7aaaf ("ipcache: Associate IPs with K8s namespace and pod name") Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
776e60a client: Print detailed redirect info in status [ upstream commit cad36abc7e67c704936186b275525527d05207e9 ] Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
773900f proxy: Populate proxy redirects in status model [ upstream commit 2ec34864cd0a47e41e987cf6d7d68e8b48b1167a ] Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
4dcf521 api: Extend proxy redirect status [ upstream commit b2271f74c0fafdd0bbef2cdf95a1ca69d4b0b1bc ] Extend the proxy redirect status to include more useful debugging information including a detailed breakdown of each redirect. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
3a9f97b docs: add setup validation howto to kube-proxy-free guide [ upstream commit 1130d454a35e62774ad43ddbbf182dd657700ae5 ] Also moved all the configuration which goes beyond regular quick-start into 'Advanced Configuration' section for now to make this more clear to readers. We can still discuss whether we would want to have this sit in a completely new page or not. Also, add a 'Validate the Setup' step. Suggested-by: Joe Stringer <joe@cilium.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
93e91d5 docs: Update docs to reflect kubeProxyReplacement status change [ upstream commit d9f01ca13a6d3432ee59e9e29b01d4b9f0107936 ] Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
b2f1ffe daemon, cli: Extend kubeProxyReplacement status [ upstream commit 18bd0eb0371ed0fc8772cf6c79c4c58de1d673b7 ] - Add NodePort mode and port range. - Reformat the host-reachable services output. The example: $ cilium status KVStore: Ok Disabled Kubernetes: Ok 1.17 (v1.17.2) [linux/amd64] Kubernetes APIs: ["CustomResourceDefinition", "cilium/v2::CiliumClusterwideNetworkPolicy", "cilium/v2::CiliumEndpoint", "cilium/v2::CiliumNetworkPolicy", "cilium/v2::CiliumNode", "core/v1::Endpoint", "core/v1::Namespace", "core/v1::Pods", "core/v1::Service", "networking.k8s.io/v1::NetworkPolicy"] KubeProxyReplacement: Probe [NodePort (SNAT, 30000-32767), ExternalIPs, HostReachableServices (TCP, UDP)] Cilium: Ok OK NodeMonitor: Disabled Cilium health daemon: Ok IPAM: IPv4: 2/65535 allocated from 10.1.0.0/16, Controller Status: 11/11 healthy Proxy Status: OK, ip 10.1.178.143, port-range 10000-20000 Cluster health: 0/1 reachable (2020-02-07T10:01:53+01:00) Name IP Reachable Endpoints reachable ceuse (localhost) 10.5.57.1 false false Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
06d55c6 cli: Remove nodePort BPF prog from netdev upon cleanup [ upstream commit 4836b2ab7639abbecb783a9be449e350c2358636 ] This commit extends "cilium cleanup" by making it remove tc filters (bpf_netdev.o) from a nodeport netdev. The iface of the netdev is obtained from /var/run/cilium/state/globals/node_config.h (NATIVE_DEV_IFINDEX) which is set by bpf/init.sh. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC