https://github.com/cilium/cilium

Revision Author Date Message Commit Date
4e26039 Prepare for release v1.9.10 Signed-off-by: Joe Stringer <joe@cilium.io> 01 September 2021, 21:03:23 UTC
e540204 routing: Fix incorrect detection of Linux slave devices [ upstream commit 37d6c8d9c41766c356534ddbf2572c4b0f1ef019 ] Using method Slave() exposed by the netlink package doesn't always work. In particular, it doesn't work on AKS, maybe because there's no master bond interface in that case. We should instead rely on the flags passed by Linux's netlink API. Fixes: 3e245517 ("routing: Fix incorrect interface selection for pod routes") Signed-off-by: Paul Chaignon <paul@cilium.io> 01 September 2021, 18:37:37 UTC
f62ccd1 routing: Fix incorrect interface selection for pod routes [ upstream commit 3e245517c9112b664e01cd47c0900beacbdedf93 ] The Configure method relies on the MAC address to select the proper egress interface for new pods (EKS and AKS). Several interfaces can however have the same MAC address in the case of slave devices. In such a case, the wrong interface may be selected. To avoid this, we skip Linux slave devices during the lookup by MAC address. Thus, in case of slave devices, we will select the master device. Fixes: 26308b63 ("Implement support for cilium-health in ENI mode") Signed-off-by: Paul Chaignon <paul@cilium.io> 01 September 2021, 18:37:37 UTC
79bf6e7 routing: Throw error if MAC lookup finds several devices [ upstream commit 11c0faa94730d489a1fa5dc989410d5e12009ee2 ] When setting up the Linux routes and rules for ENI and Azure, we look up the interfaces by their MAC addresses. In that case, we want to ensure a single interface is found for the given MAC address. If several are found, we throw an error now rather than failing in a more obscure way down the line. Signed-off-by: Paul Chaignon <paul@cilium.io> 01 September 2021, 18:37:37 UTC
ef3914a pkg/redirectpolicy: Make code robust against incorrect policy configurations [ upstream commit fbeb5c819abb70b985eb105542b8290c4f44883b ] If an incorrect service name is specified in an LRP, we need to guard against this case when service IP can't be retrieved. Also, when a valid LRP is applied before the service it selects, service information won't be available in the manager callback to add an LRP. The LRP will be applied when the service callback is later received by the manager. Signed-off-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Paul Chaignon <paul@cilium.io> 01 September 2021, 18:37:37 UTC
f05ee9f Update cilium base images Signed-off-by: Joe Stringer <joe@cilium.io> 01 September 2021, 17:31:15 UTC
ad47c08 envoy: Update to 1.18.4 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 30 August 2021, 22:21:29 UTC
3f79229 envoy: Update to release 1.18.3 [ upstream commit 74e89a4d55b774c5c95853f522c9a7bc63c5e692 ] Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 30 August 2021, 22:21:29 UTC
39435c8 build(deps): bump actions/setup-go from 2.1.3 to 2.1.4 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2.1.3 to 2.1.4. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/v2.1.3...v2.1.4) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 30 August 2021, 20:49:29 UTC
9e3bb92 update Cilium base images Update images to get some potential security updates. Signed-off-by: André Martins <andre@cilium.io> 23 August 2021, 16:37:28 UTC
8827676 build(deps): bump docker/build-push-action from 2.6.1 to 2.7.0 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.6.1 to 2.7.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/1bc1040caef9e604eb543693ba89b5bf4fc80935...a66e35b9cbcf4ad0ea91ffcaf7bbad63ad9e0229) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 23 August 2021, 07:12:44 UTC
ad897af Update Go to 1.15.15 Signed-off-by: Tobias Klauser <tobias@cilium.io> 19 August 2021, 10:52:00 UTC
b72e8ea docs: Regenerate helm values Regenerates the helm values documentation on the v1.9 branch, as some entries were out of date. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 August 2021, 10:18:05 UTC
8a50026 helm: use 'quay.io/cilium/certgen:v0.1.5' [ upstream commit 206105f4462c8ab70820e6b0bf5e9e974f46bcc2 ] Related to the previous commit, v0.1.5 of 'cilium/certgen' adds '*.mesh.cilium.io' to the list of SANs for the server certificate generated for 'clustermesh-apiserver'. Signed-off-by: Bruno Miguel Custódio <brunomcustodio@gmail.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 August 2021, 10:18:05 UTC
b32204e helm: add '*.mesh.cilium.io' to the list of SANs [ upstream commit 3753fe72460d47f4c1dc861c7fc2342df1d116b3 ] Currently, the server certificate generated by Helm for 'clustermesh-apiserver' doesn't include '*.mesh.cilium.io', which is used alongside host aliases when establishing a cluster mesh. This commit addresses that by adding said domain to the list of SANs. Signed-off-by: Bruno Miguel Custódio <brunomcustodio@gmail.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 August 2021, 10:18:05 UTC
c4bbfde node-neigh: Wait instead of sleeping in unit tests [ upstream commit 2017e04b6bf40291e3e6e8cbd0ce5537fe5d0110 ] We can inspect the neighLastPingByNextHop map to check when insertNeighbor() or deleteNeighbor() was called. Fixes: e68848b98004 ("remove ARP entries left from previous Cilium run") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 August 2021, 10:18:05 UTC
9b5aa6d .github: add MLH config for flake tracking Signed-off-by: André Martins <andre@cilium.io> 04 August 2021, 21:30:35 UTC
6f8b3d2 vagrant: Bump all Vagrant box versions [ upstream commit edf76fb1ef6b58d5ef90b439d54134f314ed086e ] Mostly to pick up the latest commits on bpf-next, which fix vulnerabilities but may increase complexity. Signed-off-by: Paul Chaignon <paul@cilium.io> 01 August 2021, 04:50:55 UTC
704ec0a ci: Fix local files chmod in test vagrantfile [ upstream commit f948d14a2629a9146857364d6c47f91bbde1254d ] 0ac54f42ba2371f1e183e41e2d986f8aab4ff619 causes local dev env to be broken because of NFS mounted files being chmodded in the test vm. This change uses sudo on previously failing test instead so that chmod is not needed. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 01 August 2021, 04:50:55 UTC
d7e276f backporting: Detect only one related commit [ upstream commit 9abbbbfef0431f0e54dbe863648329c7bf138ee4 ] Recently, the check-stable script has suggested every single possible match for commits where the name does not uniquely identify the commit. This can be a bit confusing to backporters since it looks like there are many commits to backport as part of this PR, but the second and later ones are not necessary to backport. * PR: 16589 -- vagrant: Bump all Vagrant box versions (@pchaigno) -- https://github.com/cilium/cilium/pull/16589 Merge with 1 commit(s) merged at: Tue, 22 Jun 2021 12:36:17 -0700! Branch: master (!) refs/pull/16589/head ---------- ------------------- v (start) | edf76fb1ef6b58d5ef90b439d54134f314ed086e 5bef5d77137a9ecc5d3f2b72149307ffdd52cd42 4dc60e6faf654d7424ee959867a774205b3fed13 816b3231cdbc39f4bcdd3e6f5b40a056459a478c 51826b31087496d108044f3bffbf304580fffb4a df8238d451d755d5be75e202be89b4f88067c77b a4e7bc6c1f0e96078793458b6719b9a3999b89db via fb723f8133c40faa068a5a401f594622668b2753 ("vagrant: Bump all Vagrant box versions") v (end) Probably within the last year of commits, we should be able to correlate the exact commit that needs backporting, so iterate through those to find the exact commit. If none of those are the correct commit, fail out and push back to the backporter to figure out. This allows us to now accurately pick the correct commit in most cases: * PR: 16589 -- vagrant: Bump all Vagrant box versions (@pchaigno) -- https://github.com/cilium/cilium/pull/16589 Merge with 1 commit(s) merged at: Tue, 22 Jun 2021 12:36:17 -0700! Branch: master (!) refs/pull/16589/head ---------- ------------------- v (start) | edf76fb1ef6b58d5ef90b439d54134f314ed086e via fb723f8133c40faa068a5a401f594622668b2753 ("vagrant: Bump all Vagrant box versions") v (end) Manually tested by substituting a known commit into 'related_commits', and by checking the current v1.8 backports which includes an ambiguous commit due to a revert+reapply in the master branch. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Paul Chaignon <paul@cilium.io> 01 August 2021, 04:50:19 UTC
266b247 docs: Clarify SA target in KPR gsg [ upstream commit 951eded9622a2c92c50069ad15493b08a2ba2415 ] As reported in [1], we do have the same behavior for service affinity as kube-proxy in iptables and ipvs mode. Document this subtle behavior to make users aware of it. [1]: https://github.com/kubernetes/kubernetes/issues/103000 Reported-by: André Martins <andre@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Paul Chaignon <paul@cilium.io> 01 August 2021, 04:50:19 UTC
6b3752f docs: capitalize 'Pod' in 'bandwidth-manager.rst'. [ upstream commit fa00a1b3a61a40e15d000b86e48c8e1d64537bab ] Signed-off-by: Bruno Miguel Custódio <brunomcustodio@gmail.com> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 28 July 2021, 09:24:08 UTC
ac16881 docs: improve the bandwidth manager page [ upstream commit 22acd68c760945414601c50454cf24aaf9e6d55c ] Attempts to make the "Bandwidth Manager" page more user-friendly by deploying a server pod and a client pod that is guaranteed to not be colocated with the former. Also provides friendlier commands for making the 'netperf' test, as well as to check the status of the bandwidth manager. Signed-off-by: Bruno Miguel Custódio <brunomcustodio@gmail.com> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 28 July 2021, 09:24:08 UTC
345b4cb contrib: Improve release script guard rails [ upstream commit 189cf7f4f73e49618ae8975fc9d297c9a107872b ] * Print help if zero args are provided * Pick up on invalid URLs with a simple regex to avoid failing early * Add the actions URL to the commit and PR messages. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 28 July 2021, 09:24:08 UTC
e952b0c install/kubernetes: restrict k8s access for relay [ upstream commit 2857b3ed1816d4b1620a77e5d0852ba03736be31 ] It seems relay has no interaction with Kubernetes, and as such, it does not need (cluster)roles/-bindings or a mounted SA token. This prevents attackers from doing nasty stuff on behalf of relay. Fixes: e9cb43c03179 ("Helm: full refactor of helm charts..") Signed-off-by: Jorik Jonker <jorik.jonker@eu.equinix.com> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 28 July 2021, 09:24:08 UTC
d741767 hubble/relay: Fix close of closed channel in unit test [ upstream commit 31176f7c28059fb022f573bac6410479b6f8f8e0 ] This commit fixes #15442 (and variants), where the `done` channel used to indicate completion to the test driver could be closed twice. This happened because at the end of a test, most mock client will start returning `io.EOF`. Due to #16955, this sometimes caused the peer manager to reconnect immediately and create a new mock client, which would then attempt to re-run the test-logic again. This commit addresses this issue by ensuring that all mock clients within a test share the same state (i.e. the `i` counter and `once` instance). This way, each mock client instance will continue the work of its predecessor instead of replaying the whole test sequence. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 28 July 2021, 09:24:08 UTC
b2eb748 build(deps): bump 8398a7/action-slack from 3.9.1 to 3.9.2 Bumps [8398a7/action-slack](https://github.com/8398a7/action-slack) from 3.9.1 to 3.9.2. - [Release notes](https://github.com/8398a7/action-slack/releases) - [Commits](https://github.com/8398a7/action-slack/compare/dcc8c8e9dd8802e21a712dc0c003db97b42efe43...e74cd4e48f4452e8158dc4f8bcfc780ae6203364) --- updated-dependencies: - dependency-name: 8398a7/action-slack dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 27 July 2021, 13:12:32 UTC
5a9ca01 contrib: Explicitly set remote for backport branches [ upstream commit eea7f9c3903da135675c0d2e1566067a89706e10 ] Before this change, the backporting scripts would correctly push to the user's remote, but the default remote for the backport branch was left as origin (typically cilium/cilium). This commit sets the backporting branch's remote to the user's remote, so further pushes from the command line (e.g. after adding more commits or rebasing) go by default to the correct remote. Signed-off-by: Tom Payne <tom@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 23 July 2021, 19:34:19 UTC
366b300 test: Rename FQDN test to avoid escaping bug [ upstream commit 39163aec1de2aefc7d33d70ce7fea48e02b63b93 ] Jenkins' TestDataPublishers is failing to link the artifact for this test to the test itself in the interface, likely due to an escaping bug: Recording test results Attachment ad391c17_RuntimeFQDNPolicies_Implements_matchPattern:_"*".zip was referenced from the test 'Suite-runtime' but it doesn't exist. Skipping. We can rename the test to avoid that issue. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 23 July 2021, 19:34:19 UTC
f265bc5 test: Fix bugtool collection for Runtime test [ upstream commit edb91208ad5366e3daecaeb135cf3d0d17c558d1 ] The file path wasn't properly escaped and therefore failed for our one test named: RuntimeFQDNPolicies Implements matchPattern: "*" Fixes: d1798b3 ("Test: Add variadic argument on Node.Exec functions") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 23 July 2021, 19:34:19 UTC
f487892 test: Fix missing artifacts for tests with parentheses [ upstream commit 41e830e01139b1cdcff97bd592780d8883a4eba8 ] When tests with parentheses in their name fail, the artifacts are missing. This is happening because we run: bash -c "zip -qr test_name.zip test_directory" That therefore fails with: /bin/bash: -c: line 0: syntax error near unexpected token `(' We need to add double quotes for this command to work properly with parentheses. Fixes: b4bfb40 ("Test: Add test result in Jenkins Junit") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 23 July 2021, 19:34:19 UTC
09b498f test: Fix artifact collection for bad log failures [ upstream commit 740cecb7adbab84d87ed045debd803fc172094fe ] When a test fails because a bad log message is found [1], the per-test artifacts are not collected and exposed in the Jenkins UI. This issue is visible at [2] at the time of writing this. We only collect per-test artifacts for failing tests, which we detect with ginkgo.CurrentGinkgoTestDescription().Failed. Unfortunately, this variable is not updated when the test fails in a JustAfterEach block. That's the case for the bad log messages, which are almost always checked from a JustAfterEach block. This commit fixes that issue by using the dedicated function TestFailed instead of ginkgo.CurrentGinkgoTestDescription().Failed. At the time of writing this, the result can be seen at [3]. This issue was discovered before in da25f94 ("k8sT: Clean up services in JustAfterEach"), but the fix was not extended to the existing code at the time. 1 - https://github.com/cilium/cilium/blob/v1.10.0/test/helpers/cons.go#L291 2 - https://jenkins.cilium.io/job/Cilium-PR-Runtime-4.9/4917/testReport/junit/(root)/Suite-runtime/RuntimeFQDNPolicies_toFQDNs_populates_toCIDRSet__data_from_proxy__L3_dependent_L7_HTTP_with_toFQDN_updates_proxy_policy/ 3 - https://jenkins.cilium.io/job/Cilium-PR-K8s-1.20-kernel-4.19/637/testReport/junit/Suite-k8s-1/20/K8sServicesTest_Checks_service_across_nodes_Supports_IPv4_fragments/ Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 23 July 2021, 19:34:19 UTC
0762150 github: remove steps from Images workflow Some of the steps are deprecated and they do not need to be executed anymore. This commit removes them. Signed-off-by: André Martins <andre@cilium.io> 23 July 2021, 12:45:04 UTC
17f322d github: fix GH workflows to handle push events to stable branches As these workflows exist in the stable branches, they should be executed whenever a push is made into the respective stable branch. Signed-off-by: André Martins <andre@cilium.io> 23 July 2021, 12:45:04 UTC
ee80740 bpf: remove bandwidth manager from 5.4 MAX_BASE_OPTIONS There's a known complexity issue in 5.4 kernels that is causing the K8sVerifier test to always fail. Disabling the bandwidth manager on these kernels will allow us to run this test again while the complexity issue is sorted. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 21 July 2021, 22:12:07 UTC
9b4bd54 .github: harden permissions on GH workflows [ upstream commit 4286608cba1e973be832618d41d438e80784596a ] None of the GH workflows need the GITHUB_TOKEN to have write permissions for all scopes. This commit hardens the access values for each GH workflow according to their needs. Signed-off-by: André Martins <andre@cilium.io> 21 July 2021, 15:58:54 UTC
373ac8b build(deps): bump KyleMayes/install-llvm-action from 1.4.0 to 1.4.1 Bumps [KyleMayes/install-llvm-action](https://github.com/KyleMayes/install-llvm-action) from 1.4.0 to 1.4.1. - [Release notes](https://github.com/KyleMayes/install-llvm-action/releases) - [Commits](https://github.com/KyleMayes/install-llvm-action/compare/v1.4.0...v1.4.1) --- updated-dependencies: - dependency-name: KyleMayes/install-llvm-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 21 July 2021, 15:14:07 UTC
ecd68c1 install: Update image digests for v1.9.9 Generated from https://github.com/cilium/cilium/actions/runs/1047063615. `docker.io/cilium/cilium:v1.9.9@sha256:a85d5cff13f8231c2e267d9fc3c6e43d24be4a75dac9f641c11ec46e7f17624d` `quay.io/cilium/cilium:v1.9.9@sha256:a85d5cff13f8231c2e267d9fc3c6e43d24be4a75dac9f641c11ec46e7f17624d` `docker.io/cilium/clustermesh-apiserver:v1.9.9@sha256:4d35224d32dd48ce0e5b46841fcfea2dd53cb7f8328d970150d4b56e5d22b05f` `quay.io/cilium/clustermesh-apiserver:v1.9.9@sha256:4d35224d32dd48ce0e5b46841fcfea2dd53cb7f8328d970150d4b56e5d22b05f` `docker.io/cilium/docker-plugin:v1.9.9@sha256:6dc317ac53fbc6c9eee57e7ab2b51b46d7d0239a7c278d493740e1f1a82abfe4` `quay.io/cilium/docker-plugin:v1.9.9@sha256:6dc317ac53fbc6c9eee57e7ab2b51b46d7d0239a7c278d493740e1f1a82abfe4` `docker.io/cilium/hubble-relay:v1.9.9@sha256:87148a802be0b265887a8ce9803715eb992825ee309d3e4347c18fd25080cd2c` `quay.io/cilium/hubble-relay:v1.9.9@sha256:87148a802be0b265887a8ce9803715eb992825ee309d3e4347c18fd25080cd2c` `docker.io/cilium/operator-aws:v1.9.9@sha256:4061333748a46c87c5e68d312b80508d0b42ebdc93e7dd558438615a80e73b73` `quay.io/cilium/operator-aws:v1.9.9@sha256:4061333748a46c87c5e68d312b80508d0b42ebdc93e7dd558438615a80e73b73` `docker.io/cilium/operator-azure:v1.9.9@sha256:f40e8ab1434dd964af5a1bc3ef5a4d2c7cf8fb9de47ad0e4b6678b31a510336d` `quay.io/cilium/operator-azure:v1.9.9@sha256:f40e8ab1434dd964af5a1bc3ef5a4d2c7cf8fb9de47ad0e4b6678b31a510336d` `docker.io/cilium/operator-generic:v1.9.9@sha256:3726a965cd960295ca3c5e7f2b543c02096c0912c6652eb8bbb9ce54bcaa99d8` `quay.io/cilium/operator-generic:v1.9.9@sha256:3726a965cd960295ca3c5e7f2b543c02096c0912c6652eb8bbb9ce54bcaa99d8` `docker.io/cilium/operator:v1.9.9@sha256:062f6723097fa2d64fd2e50185d9013a8889cafb29f4cd250d8efae9230097aa` `quay.io/cilium/operator:v1.9.9@sha256:062f6723097fa2d64fd2e50185d9013a8889cafb29f4cd250d8efae9230097aa` Signed-off-by: Joe Stringer <joe@cilium.io> 20 July 2021, 00:18:31 UTC
5bcf83c Prepare for release v1.9.9 Signed-off-by: Joe Stringer <joe@cilium.io> 19 July 2021, 23:56:42 UTC
92be5a0 cgroups: Fix improper error on return [ upstream commit e3f9c61a67815fcbb22bc545267496d8372bd218 ] [ Backporter's notes: handle rename pkg/cgroups/cgroups{,_linux}.go ] If cgroupv2 is not mounted, a logical mistake returns an error even after a successful mount, which is silently ignored by the caller function. This commit fixes the logical mistake and takes care of printing a warning message if the cgroupv2 could not be mounted. Fixes: #15997 Signed-off-by: Joao Victorino <joao@accuknox.com> Signed-off-by: Joe Stringer <joe@cilium.io> 19 July 2021, 19:34:42 UTC
3ebf33b Update Go to 1.15.14 Signed-off-by: Tobias Klauser <tobias@cilium.io> 16 July 2021, 21:51:36 UTC
05fdc2d wip: Add WaitGroup for SelectorCache user notifications [ upstream commit fc6ef4d5cd0764c7e67a72ed62b105e4c1c80263 ] Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 16 July 2021, 11:58:43 UTC
55b58b2 policy: Make selectorcache callbacks lock-free [ upstream commit 7e91f36c5c9845af8de62a652a5406c206b0bb24 ] Make IdentitySelectionUpdated() callbacks lock-free by queueing them while still holding selectorcache lock (to keep FIFO order) and calling from a goroutine not holding any locks. This prevents deadlocks caused by the implementation of IdentitySelectionUpdated() taking locks such as endpoint or selectorcache locks. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 16 July 2021, 11:58:43 UTC
2ee4c66 Revert "policy: Make selectorcache callbacks lock-free" [ upstream commit a97bd0d8f99fa18be533570b9f6afa4ce4649f3a ] This reverts commit a75599da7964fb5e24c3362dfbdedf7d2f455089, as it seems to be causing a lot of FQDN flakes through the entire CI. Signed-off-by: André Martins <andre@cilium.io> 16 July 2021, 11:58:43 UTC
8ca9a6a envoy: Keep track of proxy listeners separately [ upstream commit 099c34d977b73491618454d1a9ea253623665c2d ] Since the addition of Envoy prometheus listener it has been possible to have non-proxy listeners configured with Envoy. Waiting for Envoy N/ACKs must be disabled when no proxy listeners are configured, even if a prometheus listener may still be configured. Without this fix adding endpoints may fail due to not receiving N/ACKs from Envoy after Envoy has been started due to an L7 network policy, and this policy is removed, if the Cilium option '--proxy-prometheus-port' is also configured. Fixes: #12949 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 16 July 2021, 11:58:43 UTC
b47dc3d install/kubernetes: Remove `sh` and `mount` dependency from init container [ upstream commit a76bbde4320591399cd94392ab39650737ee4e13 ] The mount-cgroup init container runs a mount command on the underlying host using `nsenter`. However, certain distros like Talos don't have `sh` or `mount` utilities available. Hence, move the logic to check and mount cgroup2 fs to a statically linked Go program binary. Fixes: fa8bea45562f ("cilium-daemonset: Fix ineffective socket-lb caused by incorrect cgroup2 fs mount") Signed-off-by: Aditi Ghag <aditi@cilium.io> 15 July 2021, 22:31:28 UTC
4cc07fe install/kubernetes: Mount host's `/proc` in init container [ upstream commit eecca2e0d912b5c17a998c317b4c3d3e4c142e89 ] The mount-cgroup init container needs to run a mount command on the underlying host. But the current approach to mount `/proc/1/ns` fails on distros like Fedora when running on minikube - mounting "/proc/1/ns" to rootfs at "/var/lib/docker/.../merged/hostpid1ns" caused: permission denied: unknown Mount host's `/proc` instead. Fixes: fa8bea45562f ("cilium-daemonset: Fix ineffective socket-lb caused by incorrect cgroup2 fs mount") Reported-By: André Martins <andre@cilium.io> Signed-off-by: Aditi Ghag <aditi@cilium.io> 15 July 2021, 22:31:28 UTC
023c489 install/kubernetes: Set image pull policy for init container [ upstream commit f9b79c7bb776653fdc002eb8bfbff051d36156ad ] Fixes: fa8bea45562f ("cilium-daemonset: Fix ineffective socket-lb caused by incorrect cgroup2 fs mount") Signed-off-by: Aditi Ghag <aditi@cilium.io> 15 July 2021, 22:31:28 UTC
4e3a256 docs: Add troubleshooting steps to the kube-proxy free guide [ upstream commit f263235b4e3f0de9dbddbf6353f65dbd6c0ad036 ] Document the requirement that Cilium agent needs to be able to attach BPF cgroup programs at the host cgroup root, in order for socket-based load balancing (aka host-reachable services) to be effective for other pods and host processes. More details in the PR - https://github.com/cilium/cilium/pull/16259 Signed-off-by: Aditi Ghag <aditi@cilium.io> 15 July 2021, 22:31:28 UTC
be9e4a2 docs: Document failure scenario for kind deployment [ upstream commit ca8456ca5606bc03d643bd4eaccaab751b742f06 ] Deploying a kind cluster in an environment where Cilium is already running (for example, in the Cilium development VM) can lead to Cilium pods crashing. This can also happen if there are other BPF cgroup programs attached to the parent ``cgroup`` hierarchy of the kind container nodes. Relevant Linux kernel code reference - https://elixir.bootlin.com/linux/latest/source/kernel/bpf/cgroup.c#L457. Signed-off-by: Aditi Ghag <aditi@cilium.io> 15 July 2021, 22:31:28 UTC
69d7080 Revert "cgroups: Determine cgroup v2 hierarchy root for Kind" [ upstream commit 0c166f6c6488d3ef12afb6015a86cdd222c890e9 ] This reverts commit e9ce8306400bf416087046b8d5b013b23ebdcb3e. This logic is no longer needed as we mount cgroup v2 filesystem from the underlying kubernetes node. This will enable cilium to correctly attach BPF programs at every `kind` node's cgroup root. Signed-off-by: Aditi Ghag <aditi@cilium.io> 15 July 2021, 22:31:28 UTC
633db21 cilium-daemonset: Host cgroup root mount as alternative to auto-mount [ upstream commit 826531447fa5ba18d2fe0df8d7eed9881b47235d ] Cilium agent daemonset auto mounts cgroup2 filesystem on the host by default. However, it needs to mount host's `/proc` inside an init container in order to do that. To disable this auto-mount behavior, we introduce a helm option. When auto-mount is disabled, users can specify the mount point on the underlying host where cgroup v2 fs is already mounted. We then volume mount this directory inside the cilium agent pod. The reason why we don't set the host cgroup2 mount point to a hard-coded path such as `/sys/fs/cgroup`, is because cgroup2 filesystem mount point can be platform dependent. See this note in the cgroup manpage [1] - >Note that on many modern systems, systemd(1) automatically mounts the cgroup2 filesystem at /sys/fs/cgroup/unified during the boot process. [1] https://man7.org/linux/man-pages/man7/cgroups.7.html Suggested-by: Kornilios Kourtis <kornilios@isovalent.com>. Signed-off-by: Aditi Ghag <aditi@cilium.io> 15 July 2021, 22:31:28 UTC
00d4873 cilium-daemonset: Fix ineffective socket-lb caused by incorrect cgroup2 fs mount [ upstream commit fa8bea45562f7ea3005708e968c419720a0ad190 ] If container runtimes are run with cgroup v2, Cilium agent pod would be deployed in a separate cgroup namespace. For example, Docker container runtime with cgroupv2 support switched to private cgroup namespace mode as the default [1]. Due to cgroup namespaces [2], the cgroup fs mounted by the Cilium pod points to a virtualized cgroup hierarchy instead of the host cgroup root. As a result, BPF programs are attached to the nested cgroup root, and socket-lb isn't effective for other pods. Fix: Mount cgroup2 fs from the host so that BPF programs are attached at the host cgroup root. A new init container is added to the Cilium Daemonset that mounts cgroup2 fs on the host. The `/proc/1/ns/` directory on the host is required to be mounted so that cgroup and mount namespaces are enabled as enterable namespaces while running the `nsenter` command. Additionally, cgroup2 fs can be attached to different paths so let's mount it on the host at a cilium-specific custom location. Cilium can thus have control over the location (e.g., create the directory if it doesn't exist). This also helps in effectively identifying if a cgroup2 mount already exists at the custom location. [1] https://docs.docker.com/config/containers/runmetrics/#running-docker-on-cgroup-v2 [2] https://man7.org/linux/man-pages/man7/cgroup_namespaces.7.html Reported-By: Kornilios Kourtis <kornilios@isovalent.com> Fixes: #15137 Signed-off-by: Aditi Ghag <aditi@cilium.io> 15 July 2021, 22:31:28 UTC
9450bfb defaults: Update default cgroup root [ upstream commit 8b9bc2ed952533d296066ed711ddfae06c2c7ed4 ] `/var/run` is a symlink to `/run` on most platforms, and may not always be present. Also, this is consistent with the `DefaultMapRootFallback` currently configured in the agent. Example - $ sudo mount -t cgroup2 none /var/run/cilium/cgroupv2 $ mount | grep cgroup none on /run/cilium/cgroupv2 type cgroup2 (rw,relatime) Signed-off-by: Aditi Ghag <aditi@cilium.io> 15 July 2021, 22:31:28 UTC
eafd12f iptables: Remove leading zeroes [ upstream commit d5ff6879dbc50de93cde07b4e6c87f2581106f34 ] Remove leading zeroes from marks, as 'iptables' is not formatting them. This allows proper matching of existing rules and avoids appending duplicate rules. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 15 July 2021, 16:38:56 UTC
01e7687 endpoint: Do not panic in Finalize() [ upstream commit 28e7e39047622a317670638e40b69b4aa4087811 ] Panicking in Finalize functions may leave the endpoint locked and brick the whole agent. Better to avoid it and log errors instead, and unlock the Endpoint in defer if it still happens. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 15 July 2021, 16:38:56 UTC
b14da88 iptables: Keep old rules while adding new ones [ upstream commit 5839d2322f3b691e419fcad25a01c29373d96996 ] Keep old iptables rules by renaming Cilium chains so that new rules can be added while old are still in use. Copy old TPROXY rules from the renamed old rules. Remove the backups only after new rules have been successfully added. This change makes it possible to keep old rules in effect while adding new ones without special consideration for transient rules. On first initialization only copy over the DNS proxy TPROXY rules, as other proxies can't reuse old proxy ports across restarts. Pick the last applicable proxy port from iptables, if multiple are present. Remove stale TPROXY rules once the current port is known. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 15 July 2021, 16:38:56 UTC
e3fd9a2 iptables: Add rudimentary unit testing [ upstream commit 537715af01ae560e950563ab866751098d433e59 ] Wrap "iptables" and "ip6tables" programs with iptablesInterface so that unit testing can mock up the executables. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 15 July 2021, 16:38:56 UTC
49cac4c test: re-enable K8sDatapathConfig Host firewall test [ upstream commit 2c10568cada51702d2d2e97ad4ed49d1f8f587a0 ] This commit re-enables the "K8sDatapathConfig Host firewall tests With native routing" test to run with kube-proxy Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 15 July 2021, 12:04:18 UTC
1973b1d bpf: fix iptables masquerading for node -> remote pod traffic [ upstream commit 31927a2e8db5c7ced889cc3618d2372ba4e999c9 ] When Cilium runs with KPR, host-firewall or bandwidth manager, it will try to auto-derive one or more devices to which the bpf_host program is attached. This program will, among other things, redirect ingress traffic destined to a pod to the pod's lxc device using `bpf_redirect()`. This causes the traffic to bypass the nf_conntrack table, leading to a situation where traffic leaving the pod after the connection's been established will be (incorrectly) masqueraded in case Iptables masquerading is enabled, since the connection is not tracked by netfilter. This commit fixes this by skipping `bpf_redirect()` when we detect this case (i.e. traffic is flowing through bpf_host attached to a physical device and Cilium has installed Iptables rules which require conntrack). Fixes: #14859 Suggested-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 15 July 2021, 12:04:18 UTC
c0a6ffd bpf: enable bpf host routing for tunnels [ upstream commit ffd02dd37aebbea366df9cadc752fe95fb2ba137 ] Lift this constraint now that it is working for tunnels, too. We also transparently get the local Pod->Pod optimization through this. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 15 July 2021, 12:04:18 UTC
f4159af bpf: generally return after endpoint lookup when !from_host [ upstream commit fcf61a7c7154587e36402d10c77992e76551ffe4 ] After the endpoint lookup, we should generally punt up to the stack when traffic arrives on phy dev from external (!from_host). The remainder of the handle_ipv{4,6}() code really only deals with the case when traffic was egressing from cilium_host device. Note that the tunnel encap handling for the nodeport case is done elsewhere in tail_nodeport_nat_ipv{4,6}(). Suggested-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 15 July 2021, 12:04:18 UTC
4a6016e bpf: do not blindly push to stack for bpf host routing on encap [ upstream commit 8b0a9a82a77e433b6ec8200df655cf627a3fb317 ] Also in case of vxlan/geneve, let the bpf_host perform local delivery into Pods, for example, for the case of K8s services where traffic arrives on the phys dev and does not go via vxlan/geneve dev. For this scenario, the same optimizations can be performed as with the direct routing case. Hence lift the skip_redirect constraints for encaps given the return path in bpf_lxc will also support this. Typical case for this is cloud LB pushing inbound traffic to a node's NodePort service as one example where this will improve performance. For the bpf_host prog attached to the phy dev, this means that we perform the ipv4_local_delivery() into a local Pod backend for a service more efficiently compared to before where it gets pushed up the stack, then routed into cilium_host and pushed from there. Note that in tunnel mode the Pod's host-facing lxc devices do not have a policy tc egress program attached, so the tail call into the v{4,6} policy prog of the bpf_lxc is now done at an earlier point which also becomes visible in the RR numbers. Only if there's no local endpoint for the target address, we push up the stack via CTX_ACT_OK as before. Before: root@apoc:~# netperf -H 192.168.180.28 -t TCP_RR -l20 -- -P 13000,12866 MIGRATED TCP REQUEST/RESPONSE TEST from 0.0.0.0 (0.0.0.0) port 13000 AF_INET to 192.168.180.28 () port 12866 AF_INET : demo : first burst 0 Local /Remote Socket Size Request Resp. Elapsed Trans. Send Recv Size Size Time Rate bytes Bytes bytes bytes secs. per sec 16384 131072 1 1 20.00 8709.14 16384 131072 After: root@apoc:~# netperf -H 192.168.180.28 -t TCP_RR -l20 -- -P 13000,12866 MIGRATED TCP REQUEST/RESPONSE TEST from 0.0.0.0 (0.0.0.0) port 13000 AF_INET to 192.168.180.28 () port 12866 AF_INET : demo : first burst 0 Local /Remote Socket Size Request Resp. Elapsed Trans. Send Recv Size Size Time Rate bytes Bytes bytes bytes secs. per sec 16384 131072 1 1 20.00 21983.21 16384 131072 If Pod <-> Pod traffic needs to go over vxlan/geneve, the gains will be smaller since bpf_host needs to push to upper stack for triggering bpf_overlay. We still do the redirect_peer() from the overlay, just that the gain might be less visible in the big picture since the path with vxlan/geneve needs to traverse upper layers like routing/netfilter. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 15 July 2021, 12:04:18 UTC
58a0a04 bpf: fix up pkt for bpf host routing in tunneling mode [ upstream commit dd7805a2a14ef6080867c1aaf653f630a970eefb ] When switching netns when coming from overlay the packet type is not set to HOST, so we need to do it here in order to avoid being dropped in IP layer. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 15 July 2021, 12:04:18 UTC
a51cd00 bpf: disable bpf host routing for flannel chaining [ upstream commit 67eb9de049825fbc1dd655c81f8d25f41deca6fa ] When Cilium's datapath is chained in any way, all bets are off. Lets not bother for such niche case for bpf host routing. Based on recent issues (#15095, #15170) it seems like users might still run with flannel. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 15 July 2021, 12:04:18 UTC
ee3b8a8 endpoint: trigger k8s sync controller on identity update [ upstream commit 9e086277de3e23450953c2afd24a68fd727d3066 ] When an endpoint's identity is updated, Cilium does not immediately sync the new state with k8s, but rather waits up to 10 seconds for the sync-to-k8s-ciliumendpoint controller to run, meaning that the new identity can remain unannounced for up to 10 seconds. This commit fixes this by explicitly triggering the k8s sync controller whenever an endpoint's identity is updated. Fixes: #15097 Suggested-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 15 July 2021, 12:04:18 UTC
95bfbe5 controller: allow to manually trigger it [ upstream commit c61d02fc4233fe925e4d0ca87fa768723190b195 ] Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 15 July 2021, 12:04:18 UTC
3368b06 build(deps): bump docker/setup-buildx-action from 1.5.0 to 1.5.1 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 1.5.0 to 1.5.1. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/e673438944759779e411a0f7ceef3ba437dccfa0...abe5d8f79a1606a2d3e218847032f3f2b1726ab0) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 12 July 2021, 15:04:14 UTC
3e9887c daemon: Add Azure IPAM mode for setting the native routing CIDR [ upstream commit dc7df4d85 ] [ Backporter's notes: Removed reference to AlibabaCloud IPAM ] This will allow the router IP restoration logic to pick up the correct pod CIDR to validate the router IP. This also fixes the issue where upon Cilium restart, additional IPs were erroneously assigned to `cilium_host`. Signed-off-by: Chris Tarazi <chris@isovalent.com> 12 July 2021, 01:42:16 UTC
d812037 azure, ipam, k8s: Derive primary / VPC CIDR of Azure interface [ upstream commit 8d8a7f88c ] [ Backporter's notes: Resolved conflicts: * CRD schema version * CRD Azure API fields slightly differ * Removed reference to AlibabaCloud IPAM ] To align with other CRD-backed IPAM modes such as ENI and Alibaba, derive the VPC CIDR from the Azure API and set it as the native routing CIDR. This enables the subsequent commit to use the CIDR to validate the router IPs upon restoration. Signed-off-by: Chris Tarazi <chris@isovalent.com> 12 July 2021, 01:42:16 UTC
586ea07 ipam: Fix return inside deriveVpcCIDR() [ upstream commit fc06cbc22 ] [ Backporter's notes: Removed reference to AlibabaCloud IPAM as it doesn't exist in the v1.9 tree. ] The `return` statement wasn't placed in the correct place, as the code should return as soon as a valid result is found. Signed-off-by: Chris Tarazi <chris@isovalent.com> 12 July 2021, 01:42:16 UTC
6cba74c daemon, node: Fix faulty router IP restoration logic [ upstream commit ff63b0775c0d7603822d79c36c32d274e1ea6a53 ] [ Backporter's notes: Removed AlibabaCloud IPAM as it's not available in the v1.9 tree. ] When running in ENI or Alibaba IPAM mode, or any CRD-backed IPAM mode ("crd") and upon Cilium restart, it was very likely that `cilium_host` was assigned an additional IP. Below is a case where Cilium was restarted 3 times, hence getting 3 additional router IPs: ``` 4: cilium_host@cilium_net: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default qlen 1000 link/ether 66:03:3c:07:8c:47 brd ff:ff:ff:ff:ff:ff inet 192.168.35.9/32 scope link cilium_host valid_lft forever preferred_lft forever inet 192.168.34.37/32 scope link cilium_host valid_lft forever preferred_lft forever inet 192.168.57.107/32 scope link cilium_host valid_lft forever preferred_lft forever inet6 fe80::6403:3cff:fe07:8c47/64 scope link valid_lft forever preferred_lft forever ``` This was because in CRD-backed IPAM modes, we wait until we fully sync with K8s in order to derive the VPC CIDR, which becomes the pod CIDR on the node. Since the router IP restoration logic was using a different pod CIDR during the router IP validation check, it was erroneously discarding it. This was observed with: ``` 2021-06-25T13:59:47.816069937Z level=info msg="The router IP (192.168.135.3) considered for restoration does not belong in the Pod CIDR of the node. Discarding old router IP." cidr=10.8.0.0/16 subsys=node ``` This is problematic because the extraneous router IPs could be also assigned to pods, which would break pod connectivity. The fix is to break up the router IP restoration process into 2 parts. The first is to attempt a restoration of the IP from the filesystem (`node_config.h`). We also fetch the router IPs from Kubernetes resources since they were already retrieved prior inside k8s.WaitForNodeInformation(). Then after the CRD-backed IPAM is initialized and started (*Daemon).startIPAM() is called, we attempt the second part. This includes evaluating which IPs (either from filesystem or from K8s) should be set as the router IPs. The IPs from the filesystem take precedence. In case the node was rebooted, the filesystem will be wiped so then we'd rely on the IPs from the K8s resources. At this point in the daemon initialization, we have the correct CIDR range as the pod CIDR range to validate the chosen IP. Fixes: beb8bdea3 ("k8s, node: Restore router IPs (`cilium_host`) from K8s resource") Signed-off-by: Chris Tarazi <chris@isovalent.com> 12 July 2021, 01:42:16 UTC
fb819aa k8s, node: Restore router IPs (`cilium_host`) from K8s resource [ upstream commit beb8bdea384fdc4ccb10769142c8981bb10334d5 ] [ Backporter's notes: * Resolved simple conflict with RegisterCRDs() inside pkg/k8s/init.go. Resolution was to keep both the newly added function and RegisterCRDs(). * Due to https://github.com/cilium/cilium/pull/14800 not being backported to the v1.9 tree, we don't have the ability to set the router IPs via args, hence I needed to modify the warning msg in the case of mismatched router IPs between the filesystem and k8s resources. The user will not be advised to set the router IPs as a workaround, like they would in the v1.10 version of this. ] Previously, after a node reboot, Cilium would allocate a new router IP and append it to the slice of node IPs. Since the node IPs have already been synced to the K8s resource, meaning there are already IPs present (from the previous Cilium instance), the router IP is appended to the slice. In other parts of Cilium, it is assumed that the router IP is the first node IP (first element of the slice). Since the new router IP has been appended to the end, it is no longer where it is expected, aka no longer the first element. This causes a mismatch of which router IP is to be used. There should only ever be one router IP (one IPv4 or one IPv6). In case of a node reboot, the router IPs cannot be restored because they are wiped away due to the Cilium state dir being mounted as a tmpfs [1]. This commit fixes this to restore the router IPs from the K8s resource (Node or CiliumNode) if they are present in the annotations. This prevents the possibility of having more than one router IP, as described above. Note that router IPs from the K8s resource are only restored if no router IP was found on the filesystem, which is considered the source of truth. In other words, the filesystem takes precedence over the K8s resource. The user is warned in cases of a mismatch between the two different sources. We also check that the IP to be restored is within the pod / node CIDR range, otherwise we ignore it from restoration. [1]: Linux distributions mount /run as tmpfs and Cilium's default state directory is created under /run. (It's worth mentioning that it's also common for /var/run to be symlinked to /run.) Fixes: https://github.com/cilium/cilium/issues/16279 Signed-off-by: Chris Tarazi <chris@isovalent.com> 12 July 2021, 01:42:16 UTC
11bba4f node: Clear router IPs on Uninitialize() [ upstream commit d620a92632610e293d03e248ac802c0a1177dfa7 ] The subsequent commit will add unit tests that make use of ipv{4,6}RouterAddress and state will need to be cleared during testing. Signed-off-by: Chris Tarazi <chris@isovalent.com> 12 July 2021, 01:42:16 UTC
5d934d7 node: Modify SetIPv6NodeRange() to accept cidr.CIDR [ upstream commit 0db244468ef973a19be507725f35efe2c6d164d5 ] This conforms SetIPv6NodeRange() to have the same prototype as SetIPv4AllocRange(). There was no benefit for them to be different. It will ease the subsequent commits. Signed-off-by: Chris Tarazi <chris@isovalent.com> 12 July 2021, 01:42:16 UTC
6ad543c k8s: Update libraries to 1.19.12 Also update the k8s tests versions to 1.18.20 and 1.19.12. Signed-off-by: Chris Tarazi <chris@isovalent.com> 08 July 2021, 19:51:03 UTC
bb58c2b bugtool: Collect BPF cgroup programs related information [ upstream commit 607ca9386269ea0aa240e8273d24508f67a00838 ] `bpftool cgroup tree [CGROUP_ROOT]` [1] provides information about BPF cgroup programs attached at the specified cgroup root. This is particularly useful in checking if the programs are attached at the right cgroup hierarchy. [1] https://manpages.ubuntu.com/manpages/focal/man8/bpftool-cgroup.8.html Signed-off-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Tom Payne <tom@isovalent.com> 08 July 2021, 19:47:17 UTC
6e96370 Revert "docs: add 'endpointRoutes.enabled=true' to aws-cni" [ upstream commit 8c94f11e481107b9c7ae9f257d2919c640d13b75 ] This reverts commit 437e2bbd745a074b6dd140e4bd17208e3ba499f0. The original issue has been fixed, and hence this can be removed (c.f. https://github.com/cilium/cilium/pull/16227). Signed-off-by: Bruno Miguel Custódio <brunomcustodio@gmail.com> Signed-off-by: Tom Payne <tom@isovalent.com> 08 July 2021, 19:47:17 UTC
1ec5f51 contrib/docs: rename 'cilium-actions.yml' with 'maintainers-little-helper.yaml' [ upstream commit d936ebf18cc329628529d7881cf5c86082de3fec ] Commit a93c0ed53691 renamed the MLH configuration file. Unfortunately, this filename was set in a lot of places; this commit renames those locations with the new filename. Fixes: a93c0ed53691 (".github: Rename maintainer's little helper's config file") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Tom Payne <tom@isovalent.com> 08 July 2021, 19:47:17 UTC
c0ffbc4 Fix maglev.hashSeed byte length references in docs Signed-off-by: Derek Gaffney <derekmgaffney@gmail.com> [ upstream commit d97240695287087418f4447e6ce1abd5850a3cc1 ] Signed-off-by: Tom Payne <tom@isovalent.com> 08 July 2021, 19:47:17 UTC
21b974c test/helpers: retrieve kube-apiserver logs [ upstream commit 445af9a1b4e32038ffda698f3f7583d30741149c ] To help debug certain flakes, we need kube-apiserver logs available in the test sysdump. This commit adds the ability to retrieve such logs. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Tom Payne <tom@isovalent.com> 08 July 2021, 19:47:17 UTC
e1b7cbd test/k8sT: set imagePullPolicy for cilium/log-gatherer stable tag [ upstream commit f470a071bd5df373578f720f852a0bd1c53731d8 ] cilium/log-gatherer:v1.1 is not mutable, thus we don't need to always perform a pull of that docker image from docker hub. Fixes: a9285f49ca65 ("[CI] Move vagrant start script to separate file") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Tom Payne <tom@isovalent.com> 08 July 2021, 19:47:17 UTC
09020ef test: fix gathering of kubelet logs [ upstream commit da0fbad0b3be3ccfad8d73f599140b36470e484f ] When using journalctl to read the logs of another system, one needs to explicitly pass -D and the directory containing the logs to successfully read the log messages. Fixes: a9285f49ca65 ("[CI] Move vagrant start script to separate file") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Tom Payne <tom@isovalent.com> 08 July 2021, 19:47:17 UTC
f188ac7 contrib: Identify upstream commits by author and date [ upstream commit 4ddb158e2189fd4298d8adb92200b6937122cb5f ] When listing the commits of pull requests to backport, GitHub doesn't offer a way to find the corresponding commits merged in master. We therefore have to do it manually. To that end, we first retrieve a candidate commit by matching on the exact commit title. Several commits can have the same title however, so we need another check to confirm the candidate commit is the same commit as the pull request's. We currently use 'git patch-id' for the second check. That command computes a unique ID for a patch. It can however have false negatives. For example, 9515d1e ("docs: add a reference of helm values") and de62fa3 ("docs: add a reference of helm values") refer to the same patch, the first being from the pull request and the second from master (i.e., once merged). Nevertheless, when we run 'git patch-id', we get two different IDs: $ git show 9515d1e | git patch-id 5d928411d72fcdb5c9c24ab2138896e6709e578c 9515d1ea37f1d1122ece73cf061cf47590e90f9e $ git show de62fa3 | git patch-id de14f63774d0f56ecc1e22db615987bedffe1e4b de62fa37c9ac679fd45bb617e8759dd7a4918ccb Comparing the two commits shows that the difference is actually due to changes not introduced by this commit: $ diff <(git show 9515d1e) <(git show de62fa3) [...] 1997,1998c1997,1998 < @@ -118,7 +118,7 @@ contributors across the globe, there is almost always someone available to help. < | debug.enabled | bool | `false` | Enable debug logging | --- > @@ -119,7 +119,7 @@ contributors across the globe, there is almost always someone available to help. > | disableEndpointCRD | string | `"false"` | Disable the usage of CiliumEndpoint CRD | [...] We however don't need to use 'git patch-id'. Using the author's email address and date (+ commit title) is usually enough to uniquely identify commits on master. If someone sends two commits with the same title and author date (to the second), then they are definitely trying to game the system. In that unlikely event, we have two rounds of reviews (original pull request and backport pull request) to catch it. This commit implements that change. "%ae%at" (author email followed by author date without spaces) is used as the commit ID instead of the ID generated by git patch-id. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Tom Payne <tom@isovalent.com> 08 July 2021, 19:47:17 UTC
6771b45 ci: Disable NFS locking [ upstream commit 1dd477dd4198b5bf5e20d8d6b3d4a55d46bc8e89 ] This is an attempt to fix the recent issues with NFS locking in CI, e.g. issue #16551 From the nfs(5) manpage: > When using the nolock option, applications can lock files, but such > locks provide exclusion only against other applications running on > the same client. Remote applications are not affected by these locks. Since in CI, we do not have any remote applications accessing the shared folder, only using local locks should be safe and more robust than using distributed locking. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Tom Payne <tom@isovalent.com> 08 July 2021, 19:47:17 UTC
7f04d53 pkg/k8s: add pod IP event change [ upstream commit e92dc6ac6b766e793091410d0cf58c61b01d424d ] This is a follow up of 6bd98ad7e443 ("handle IP addresses modification in running nodes and CEPs") for more information read the commit description of that commit. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Tom Payne <tom@isovalent.com> 08 July 2021, 19:47:17 UTC
88dc081 build(deps): bump docker/build-push-action from 2.5.0 to 2.6.1 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.5.0 to 2.6.1. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/ad44023a93711e3deb337508980b4b5e9bcdc5dc...1bc1040caef9e604eb543693ba89b5bf4fc80935) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 05 July 2021, 20:47:55 UTC
9ea19bd build(deps): bump docker/setup-buildx-action from 1.4.1 to 1.5.0 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 1.4.1 to 1.5.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/a1c666d855a037f439ebb7bf701ee144fcadd307...e673438944759779e411a0f7ceef3ba437dccfa0) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 02 July 2021, 16:16:54 UTC
0b8b2e4 docs: update the version specific notes table Updates the table in the "Version Specific Notes" subsection of the "Upgrade" page in order to be explicit about the supported upgrade paths. [ upstream commit eb9a5c4 ] Signed-off-by: Bruno Miguel Custódio <brunomcustodio@gmail.com> 02 July 2021, 12:46:08 UTC
22f9e39 workflows: update Kind version to 0.11.1 This is necessary to work around a probable GH infrastructure issue where 0.9.0 suddenly started not to work in GH Actions: https://github.com/helm/kind-action/issues/42 Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 30 June 2021, 18:05:17 UTC
f26e76b build(deps): bump helm/kind-action from 1.1.0 to 1.2.0 Bumps [helm/kind-action](https://github.com/helm/kind-action) from 1.1.0 to 1.2.0. - [Release notes](https://github.com/helm/kind-action/releases) - [Commits](https://github.com/helm/kind-action/compare/v1.1.0...v1.2.0) --- updated-dependencies: - dependency-name: helm/kind-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 30 June 2021, 18:05:17 UTC
e03b6d2 Update Go to 1.15.13 Signed-off-by: Tobias Klauser <tobias@cilium.io> 30 June 2021, 14:22:01 UTC
152ec04 build(deps): bump docker/setup-buildx-action from 1.3.0 to 1.4.1 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 1.3.0 to 1.4.1. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/v1.3.0...a1c666d855a037f439ebb7bf701ee144fcadd307) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 29 June 2021, 21:57:30 UTC
1355540 policy: Make selectorcache callbacks lock-free [ upstream commit a75599da7964fb5e24c3362dfbdedf7d2f455089 ] Make IdentitySelectionUpdated() callbacks lock-free by queueing them while still holding selectorcache lock (to keep FIFO order) and calling from a goroutine not holding any locks. This prevents deadlocks caused by the implementation of IdentitySelectionUpdated() taking locks such as endpoint or selectorcache locks. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 28 June 2021, 12:42:47 UTC
0754dd4 lrp: Refactor logic executed on policy delete [ upstream commit 92d851dbf3eee0f51cb3944f8b2745044dde5dbd ] The `deletePolicyService` function was previously common to both delete policy and delete service callbacks. Refactor the logic to pass the policy config directly, thereby skipping the config lookup. Signed-off-by: Aditi Ghag <aditi@cilium.io> 28 June 2021, 12:42:47 UTC
a2c8160 lrp: Skip restoring service on delete operation [ upstream commit a7d73e4c8063457b4223285dcb4ba232930bbc3b ] Previously, we were restoring the original clusterIP service even when the service was deleted. Signed-off-by: Aditi Ghag <aditi@cilium.io> 28 June 2021, 12:42:47 UTC
6996c64 ipsec: Fix logging of SPI after key rotations [ upstream commit d42614e0a053fb37dd16130776616a3b88431224 ] Five minutes after IPsec key rotations, we cleanup the old IPsec state and print the following message: level=info msg="New encryption keys reclaiming SPI" spi=0 subsys=ipsec Unfortunately, due to a bug the SPI was always 0 in that log message. This commit changes it and also logs the old SPI value if we have it: level=info msg="New encryption keys reclaiming SPI" SPI=7 oldSPI=0 subsys=ipsec Fixes: 3f12fb6 ("cilium: ipsec, add cleanup xfrm routine") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Aditi Ghag <aditi@cilium.io> 28 June 2021, 12:42:47 UTC
23ba8d3 node-neigh: Use arping ts in last ping hashmap [ upstream commit 4c4a5dc5d5aa80a26de8ea589ac51014f7057480 ] The change is probably noop, but it should improve the last ping timestamp precision. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Aditi Ghag <aditi@cilium.io> 28 June 2021, 12:42:47 UTC
ff715c1 node-neigh: Add retry for concurrent arping test case [ upstream commit 8260f9dd72bee0a62708128d71194e9d4eb6887b ] The test became notoriously flaky. It seems that some goroutines were lagging behind with the updates and they were overwriting the new MAC addr entry with the obsolete one. To fix this, retry multiple times until the correct entry is found. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Aditi Ghag <aditi@cilium.io> 28 June 2021, 12:42:47 UTC
20e7166 testutils: Add WaitUntilWithSleep [ upstream commit 128f0f8db3c2bb53f041c02c3ca8f866a8b2dc55 ] As for some cases WaitUntil() is a DoS tool. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Aditi Ghag <aditi@cilium.io> 28 June 2021, 12:42:47 UTC