https://github.com/cilium/cilium

Revision Author Date Message Commit Date
3fcfff7 Prepare for release v1.9.8 Signed-off-by: André Martins <andre@cilium.io> 28 May 2021, 11:54:29 UTC
fa82311 build(deps): bump docker/build-push-action from 2.4.0 to 2.5.0 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.4.0 to 2.5.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/e1b7f96249f2e4c8e4ac1519b9608c0d48944a1f...ad44023a93711e3deb337508980b4b5e9bcdc5dc) Signed-off-by: dependabot[bot] <support@github.com> 28 May 2021, 00:59:45 UTC
8461f94 Revert "endpoint: Refactor init of EndpointDatapathConfiguration" [ upstream commit 8da8b88c7509a1a57f928f43ffe46d676a71ca66 ] Commit 0875453 ("endpoint: Refactor init of EndpointDatapathConfiguration") leads to .RequireEgressProg being overwritten on endpoint creation. That in turns breaks reverse NAT when running in chaining mode [1]. This commit is a partial revert of commit 0875453afda841d3bba50fb16ed0929e72c08ddf, keeping only a helper function. 1 - https://github.com/cilium/cilium/blob/v1.10.0/plugins/cilium-cni/chaining/generic-veth/generic-veth.go#L165 Signed-off-by: Paul Chaignon <paul@cilium.io> 27 May 2021, 23:31:04 UTC
10da7e7 Revert "endpoint: Overwrite endpoint datapath config. on restore" [ upstream commit 320ea0d9e1eaae533ad648c91acc1c63041ef6e3 ] This commit partially reverts commit a9ecab17278d05b0492d450c239bbfed367f6d5e. Disabling endpoint routes in an existing cluster is not supported for now. We first need to find a way to properly remove the endpoint routes (see previous commit) before we can support this. We keep the override of endpoint datapath config. for the host endpoint as otherwise host firewall test will error due to a failure to load bpf_host. Signed-off-by: Paul Chaignon <paul@cilium.io> 27 May 2021, 23:31:04 UTC
a6089e7 loader: Revert removal of endpoint routes [ upstream commit f937df79f3cc9083bf41f29767393865e3bc5630 ] This commit is a partial revert of 72e6238 ("loader: Remove program and route when disable endpoint routes"). Commit 72e6238 started removing existing endpoint routes when enable-endpoint-routes is disabled in the agent. In chaining mode however, if Cilium isn't the primary CNI, it isn't responsible for the endpoint's networking. In that case, the primary CNI may install and rely on those endpoint routes and we shouldn't remove them. This commit reverts the removal of endpoint routes. We'll provide a proper solution to remove only endpoint routes Cilium "owns" in a subsequent commit. Fixes: 72e6238 ("loader: Remove program and route when disable endpoint routes") Signed-off-by: Paul Chaignon <paul@cilium.io> 27 May 2021, 23:31:04 UTC
f17d70f endpoint: Skip waiting-to-regenerate -> waiting-for-identity transitions [ upstream commit 1e5f74d64ffd01626ac29166972ca44e0c3c3412 ] Regeneration logic fails if waiting-for-identity changes to ready state in a scenario like this: builder: ready -> waiting-to-regenerate .. label change etc: waiting-to-regenerate -> waiting-for-identity .. labels resolved: waiting-for-identity -> ready .. builder: (ready) -> regenerating (FAILS as this is not expected) Resolve this by giving precedence to the waiting-to-regenerate state over the waiting-for-identity state. Compensate for possibly blocking this state change in Cilium endpoint PATCH API. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 27 May 2021, 23:31:04 UTC
c2d5850 pkg/k8s: ignore namespace events that do not change labels [ upstream commit 83391b41d23c3e4fb0941a7e15bd4c45e035cd41 ] As we can receive different types of namespace events, such as changes in the annotations, we can ignore all of these events unless the labels are different. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Paul Chaignon <paul@cilium.io> 27 May 2021, 23:31:04 UTC
ef4d539 k8s: Update k8s libraries to 1.19.11 Also update k8s test versions to 1.18.19 and 1.19.11 Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 27 May 2021, 16:50:00 UTC
d5004c1 Revert "test: add tests for fromEntities: cluster and all" This reverts commit 3f4ef8ee7e00d148c5a57826eccb8f5a4b15aaab. Signed-off-by: Tom Payne <tom@isovalent.com> 27 May 2021, 16:45:15 UTC
2dbe4c1 Revert "test: Mark GKE CI pipeline as running Linux 4.19" This reverts commit f42f5e1fcbaca9046e04d038f00a55e518b07677. Signed-off-by: Tom Payne <tom@isovalent.com> 27 May 2021, 16:45:15 UTC
49d0cee docs: Clarify coordination for backporting process [ upstream commit 946f52cf100c87668fb97ccf91659df1b4d24fe3 ] Document the common workflow that we've been working under. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 27 May 2021, 12:58:50 UTC
3c6d0b7 examples, connectivity-check, test: Use even-numbered nodePort [ upstream commit c983bd18fcbb42eda1dcfb93c2ee2923fe7a8f56 ] Following the same logic as https://github.com/cilium/cilium/pull/15988, we want to use an even-numbered port to reduce the likelihood that the underlying kernel allocates a conflicting port for the nodePort. Fixes: https://github.com/cilium/cilium/issues/13071 Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 27 May 2021, 12:58:50 UTC
208e1ef ci: add slack notification to GH actions [ upstream commit c132e65b65793a04345b97196ebc2c929d5ce924 ] Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Conflicts due to new code around the Slack additions. Ignored all new code, only focused on retaining the Slack additions. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 27 May 2021, 12:58:50 UTC
0378da9 daemon: Ignore cilium_* interfaces when deriving NodePort device [ upstream commit 9366190aa1fec27cd44da62628ef66224eec4f54 ] Any Cilium-created interface (cilium_host, etc) will never be a valid interface for kube-proxy-replacement NodePort (or direct routing). In certain cases, it is possible for the NodePort auto-derivation code to select one of these interfaces. This notably happens when the k8s node IP is an IPv6 address: the node IP is cloned to cilium_host, and the IP (sans netmask) is used as a map key - so cilium_host may be viewed as the only interface with an address matching the node IP. Add a check bypassing any interface whose name is prefixed with "cilium_" during NodePort device detection. Add a test mimicking the IPv6 cilium_host case: node IP assigned to a "real" interface and a "cilium_foo" interface, we should ignore "cilium_foo". Fixes: #16019 Signed-off-by: Eric M. Yanulis <eric@eyanulis.net> Conflicts due to new code introduced since 1.9. Since the commit does not seem to use any part of this new code, I decided to resolve by only retaining lines of code most faithful to the cherry-picked commit, i.e. only adding the two bits of code in their proper place and ignoring the new bits around that were causing the conflicts. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 27 May 2021, 12:58:50 UTC
1ba3eff Specify scrape interval for Hubble metrics [ upstream commit 45689ece6f242c4c2546a3f32ddd80f6464f6e24 ] Fixes: #16148 I have checked that 30s (instead of 10s) works as well. Signed-off-by: Christian Hörtnagl <christian2@univie.ac.at> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
5714f16 bpf: Test build with -DHAVE_FIB_LOOKUP [ upstream commit 4722a2bdde99bbadf68f94dbc08ebdb977ef3e57 ] Add extra build options with this to catch build-time errors with/without this option. This is normally controlled by kernel version support, but we don't currently factor variants of such feature detection into the build testing. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
243cfe1 bpf: Enable IP_POOLS in testing [ upstream commit ab5d9aff63d73d12ab4d987b8482406540a7f48a ] Whenever we test ENABLE_IPSEC, also enable IP_POOLS which enables extra code in most circumstances, except in one or two situations where it is equivalent to the alternative (basically just determines which skb->cb0[] offset to use for storing encryption bits). Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
b936bf2 bpf: Compile ipsec in tree [ upstream commit 22998809b93d22b52a80e371481b0e71cfc6db95 ] Previously, the default compile of bpf_network.o in the tree wouldn't compile with IPv4, IPv6, or IPSEC enabled, which limited its ability to catch compile failures at development time. Fix it up by adding these to the BPF_SIMPLE_OPTIONS. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
020932d helm: add back 'wellKnownIdentities' [ upstream commit 50c004509146864af72c03ed0ed04ae44babb656 ] This reverts commit 25f45b5bbe6fba4165dccf3bd72492fb32cf42de. Some users rely on this functionality while using externally managed etcd clusters. Signed-off-by: Bruno Miguel Custódio <brunomcustodio@gmail.com> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
aeb3959 AUTHORS: Fix up some author names [ upstream commit 6d128d201bbecfdc06a809a17bf3e89fbd494a71 ] Bokang Li informed me out-of-band that this is the correct representation of their name, fix it up. Yurii Komar has their name on their github profile. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
c628574 .mailmap: Update authors for v1.10 dev cycle [ upstream commit acba9d12dc09fd925c16abf69f02626709f8ba4d ] [ upstream commit 622d841c9b5408f33170179eabdc71923d8a2b28 ] Pull this commit from the v1.10 branch used during that release, and re-generate the authors file based on it. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
4c390e4 contrib: Skip vagrant authors in extract_authors [ upstream commit 6d6ff65dc767b459864e616cac32ed9c1161d84d ] Authors in the git log who have used the vagrant VM have always been repeat contributors who have resolved invalid git authorship issues in subsequent submissions, so there is no need to take these authors into account when calculating the authors list. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
63597f9 contrib: Optimize extract_authors.sh script [ upstream commit 1cd5be9e79d6094b4b472a1d0e9073ad0d834480 ] By using built-in formatting primitives instead of independently fetching names and emails from git in separate commands, we can reduce git history iteration by 50%, saving 30s per authors update on my system. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
b618dd0 contrib: Make upstream commit check more generic [ upstream commit 8a2d2d3d2ff4df24eac37b565869f45c3dda7d8f ] This bash function is super close to being generically useful across different repositories, by allowing to check whether a commit is in any particular upstream (including hubble repos). Make it a bit more generic without changing the default args, that way we don't have to update any of the existing scripts. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
e5727a5 docs: add information about ConfigMap updates [ upstream commit e95a201ffa54d05d313d048d9b61f043a397c566 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
6dfcedf docs, gsg: add link to plumbers talk on service lb mechanisms [ upstream commit d5d072740ec9d61c85d76a1021ab4b1148346691 ] Given this details the various service types and our implementation, add this to further reading. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
c938000 docs, gsg: minor edits to kpr guide and note on hybrid use [ upstream commit 107fb8f5a177ba9dbf9c97815645d6bfb558ee6f ] b2d2d69e8f85 ("docs: Add how to remove kube-proxy from existing clusters") added the howto for removing kube-proxy right into the middle of the kubeadm setup given right afterwards we talk about kubeadm join. Detangle this to make it more clear that both don't have anything to do with each other. Also add a warning to removing kube-proxy that this is disruptive. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
b89674e docs: add ids to the list of special identities [ upstream commit 519fa82d18e4c59a882c65f078b17dfe7c9a3fbd ] A few users have been asking about where to find the numeric IDs associated with a given identity, so maybe it's worth adding them to the table. Signed-off-by: Bruno Miguel Custódio <brunomcustodio@gmail.com> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
7df8773 node-neigh: Skip neigh update if arping is stale [ upstream commit dd46cc182a51da031c34e2cfdd1b2785904a0543 ] It's possible that in the case of multiple concurrent insertNeighbor() executions the oldest (or older) goroutine will overwrite the latest arping result due to the fine-grained locking. To fix this, avoid updating neigh entry if we detect that prev last ping timestamp is after our arping timestamp. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
bc7484c node-neigh: Wait instead of sleeping in unit tests [ upstream commit 6ee44eda0f68dcc21eea10e6fe3eaf8e2bf83263 ] We can inspect the neighLastPingByNextHop map to check when insertNeighbor() or deleteNeighbor() was called. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
67ab5f1 node-neigh: Set lastPing if arping was successful [ upstream commit bf750f6cf343df882adbb362c4c7ebddf7b30629 ] We don't return early if arping was skipped. This can happen when insertNeighbor() is invoked by the non-refresh path and nexthop is not new. Make sure that lastPing is updated only if arping was sent and it was successful (if hwAddr != nil condition). Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
0cc12a3 test: Parallelize host firewall test [ upstream commit 9e141aa68066d4f676774a7d2d5623488aa7bdc5 ] For each of the host firewall test cases, we check both an allowed and a blocked request. We therefore spend a fair amount of time waiting for the timeout to occur on blocked requests. We can parallelize test cases to waste less time. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
49042eb test: Parallelize to-entities and from-entities tests [ upstream commit 79e5351b50c5e0e7466660a582a1e507906c12ae ] We may spend a lot of time just waiting in these tests because the requests are sometimes expected to fail (in which case we wait for the timeout). Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
3e79f38 test: Parallelize LRP test cases [ upstream commit 7387ca26996f3abdc2350e34d407f715cff310bd ] By parallelizing the verification of test cases, we save 5min. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
36b79bc test: Increase frequency of wait helpers to 1 per sec [ upstream commit aaa7b8da4ff930d7eaf80447c4333039703f8dd5 ] We use a number of WaitXXX helper function to wait for pods to be deployed, policies to be enforced, service endpoints to be created, etc. The default frequency at which these functions check the expected output is 5s. So for namespace deletions and policy enforcements, we often wait 10s, because the output is not as expected after the first 5s check. This is unnecessary. We can instead check the output every 1s and shave off a few seconds every time we wait for something to happen (and we do that a lot!). Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
bc90c0c test: Remove duplicate log messages [ upstream commit e75b46ae113fc9d18b6f02a80070853fc7f60782 ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
0bfaf57 test: Return non-zero code if building tests fails [ upstream commit 3882893e4f886e269d611464819396e69338e044 ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
46f0f53 test: Extend coverage for host policies enforcement [ upstream commit 6f59f4f04cced5a3f493a8d7790e2bf9227f5112 ] We currently have a couple of host firewall tests, but they don't cover all possible packet paths. [1] added two tests for the path node <-> world (one with fromCIDR+toPorts and one combined with NodePort handling). Other firewall tests [2] are only validating correct loading without enforcing policies. This commit fills this gap by adding VXLAN and direct routing tests for the host firewall, with L3+L4 policies enforced on the paths node <-> local pod, node <-> remote pod, and node <-> remote node. The test design draws inspiration from early host firewall bugs and regressions: - Test ingress and egress at the same time with restrictions on allowed ports. This is meant to ensure we detect a regression where only one direction bypasses policy enforcement. If such a case arises, we will fail because the source port won't be allowed and the connection will be dropped. - Allow connections to/from world and pods not used in tests. This is meant to reduce the risk of bricking the nodes. Node to node communications are still strongly restricted, but the ports defined there have been stable for a while. - Test connections to local and remote pods separately. They follow very different paths through our datapath. 1 - https://github.com/cilium/cilium/pull/12621 2 - https://github.com/cilium/cilium/pull/14255 Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
3f4ef8e test: add tests for fromEntities: cluster and all [ upstream commit 2400042f144cf298b14527de303c7ee8e2c3c0d4 ] Add e2e test for checking `fromEntities: cluster` and `fromEntities: all`. And also add a check for pod-to-pod connectivity and ingress connectivity from "world". Related: cilium#10979 Signed-off-by: Tomoki Sugiura <cheztomo513@gmail.com> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
54987cb test: Fix the search for VIPs in cilium service list [ upstream commit bb7fab80e5e5e2dee7791b834169bf57f437f3fc ] In several different service tests, we check that cilium is handling or not handling a service VIP. To that end, we search for the given VIP in the output of 'cilium service list'. That output looks something like: ID Frontend Service Type Backend 1 10.87.240.1:443 ClusterIP 1 => 35.247.116.7:443 2 10.87.245.217:443 ClusterIP 1 => 10.84.1.94:443 3 10.87.240.10:53 ClusterIP 1 => 10.84.1.175:53 2 => 10.84.1.28:53 4 10.87.241.252:80 ClusterIP 1 => 10.84.1.104:8080 Searching for the VIP directly in the output may return false positives however. For instance, searching for 10.87.241.25 in the above would match the last line when the IP doesn't actually match. Instead we should search for " VIP:", that is, with anchors at the beginning and end of the VIP. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
2e772c5 test: Skip fragment tracking test on GKE [ upstream commit 0eb9b82aefff44ff59b928113ffbc8cfbb0aa0d8 ] The test is currently broken, none of the fragment are received. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
f42f5e1 test: Mark GKE CI pipeline as running Linux 4.19 [ upstream commit 227860cbbccb06cb0e9d904be73f3be7b2ba2cbf ] Marking the GKE pipeline as running 4.19 should enable additional tests (e.g., fragment tracking test that requires 4.19+). It shouldn't cause issues when GKE switches to 5.4 because tests that support 4.19 generally support newer kernels as well. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 May 2021, 15:47:28 UTC
307663b install: Update image digests for v1.9.7 From https://github.com/cilium/cilium/runs/2571864468. Signed-off-by: Joe Stringer <joe@cilium.io> 17 May 2021, 16:50:14 UTC
67cb553 docs: gsg/operations - use parsed-literal for all blocks referring SCM_WEB [ upstream commit 094d141b5aedf189765e0f821fb06b5474669afb ] Signed-off-by: Timo Beckers <timo@isovalent.com> Signed-off-by: Bruno Miguel Custódio <brunomcustodio@gmail.com> 17 May 2021, 13:42:22 UTC
f993696 Prepare for release v1.9.7 Signed-off-by: Joe Stringer <joe@cilium.io> 13 May 2021, 01:40:25 UTC
cdd5eb5 datapath/linux/ipsec: Insert additional In rule when tunneling [ upstream commit a9f18f36ee63fab88cbe2262c0fbfbd777604080 ] This is needed to fix the L7 ingress policy case. In tunneling mode when a packet is received on the destination node, it makes two passes through the stack. The first pass decrypts the packet because it matches the XFRM IN policy with mark 0xd00, indicating it needs decryption. The second pass through, since L7 ingress policy is enabled, the packet mark is set to 0x200 meaning the packet is destined to the proxy. The problem occurs because there is only one XFRM IN policy matching on mark 0xd00. Since the packet mark is 0x200, the match fails and the packet is dropped by the stack. Therefore, we add a new XFRM policy that matches packets destined for the proxy so that they're allowed. Why doesn't this happen in direct routing mode? The reason is because the skb extension bits[1] are cleared in DR, whereas they are not in tunneling. When the bits are toggled on, then this causes extra logic to be executed in the kernel inside `__xfrm_policy_check()`. This logic upon a policy lookup failure drops the packet [2]. When the bits are cleared, there is no logic to cause a drop upon policy lookup failure. Why are the skb extension bits cleared in DR and not in tunneling? Because the packet path traversal in DR is `cilium_host` -> `cilium_net` -> stack, where the veth pair of `cilium_host` and `cilium_net` calls the kernel `veth_forward_skb()`, which eventually calls `skb_scrub_packet()` where the extension bits are cleared. The path for tunneling is `cilium_{vxlan,geneve}` -> stack, where there is no veth pair traversal, and thus no call to `skb_scrub_packet()`. Hence why we only create a new XFRM policy in tunneling mode. 
(This was debugged with the help of the following bpftrace script: https://gist.github.com/christarazi/4bb48eb623a03f25026be21856ea10fb) [1]: https://elixir.bootlin.com/linux/v5.12.2/source/net/xfrm/xfrm_policy.c#L3558 [2]: https://elixir.bootlin.com/linux/v5.12.2/source/net/xfrm/xfrm_policy.c#L3590 Co-authored-by: John Fastabend <chris@isovalent.com> Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 12 May 2021, 23:24:01 UTC
cb84501 datapath/linux: Add RouteMarkToProxy constant [ upstream commit ebd3833938b152157ffd7757f536504f7a58e427 ] This will be used in the subsequent commit, when creating a XFRM policy specifically to allow to-proxy traffic. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 12 May 2021, 23:24:01 UTC
9ad2bca datapath/linux/ipsec: Delete all XFRM state after each test [ upstream commit bbec6969c81bfca9656691fe117277a390709c71 ] Previously, the tests would leave state on the host machine. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 12 May 2021, 23:24:01 UTC
3e63c02 docs: add 'endpointRoutes.enabled=true' to aws-cni [ upstream commit 437e2bbd745a074b6dd140e4bd17208e3ba499f0 ] This is meant as a temporary workaround for #16007. Signed-off-by: Bruno Miguel Custódio <brunomcustodio@gmail.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 12 May 2021, 23:24:01 UTC
0e865d4 docs: Update SIG-Datapath meeting time. [ upstream commit 4eafc0943a820e71d504e7a45e890388ed5d8989 ] Following the vote and topic raised on 2021-05-05 SIG-Datapath, since the primary community meeting is moved to Wednesday, the SIG-Datapath meeting is moved to Thursday. Q: When would you prefer for SIG-Datapath to meet? Votes: Tuesday 8am PT, 5pm CET 3 Tuesday 9am PT, 6pm CET 3 Thursday 8am PT, 5pm CET 6 Thursday 9am PT, 6pm CET 2 Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 12 May 2021, 23:24:01 UTC
28d4b0a build(deps): bump KyleMayes/install-llvm-action from 1.2.2 to 1.3.0 Bumps [KyleMayes/install-llvm-action](https://github.com/KyleMayes/install-llvm-action) from 1.2.2 to 1.3.0. - [Release notes](https://github.com/KyleMayes/install-llvm-action/releases) - [Commits](https://github.com/KyleMayes/install-llvm-action/compare/v1.2.2...v1.3.0) Signed-off-by: dependabot[bot] <support@github.com> 12 May 2021, 22:42:15 UTC
700fc8d daemon: store Cilium's configuration in a file [ upstream commit 2e0603ba67074252cd62370ec4913fdbf0dc910b ] To make it easier to debug or share configurations across users and developers, Cilium will store its viper.Config as well as the agent's configuration in files under `/var/run/cilium`. It will store up to the last 3 previous configurations. Another use case for it will be to check the previous configuration run by Cilium in case certain steps need to be executed, for example, to clean up state left from a previous run that will not be cleaned up by a new set of flags. Signed-off-by: André Martins <andre@cilium.io> 12 May 2021, 21:55:43 UTC
d36dc61 envoy: Update Envoy to release 1.17.3 [ upstream commit d7b7672c3980bd8d3ba2f2ca4c51ad6284da2464 ] Update Envoy to release 1.17.3 which fixes CVE-2021-29492. Configure cilium-envoy with path normalization, path slash merge, and path escaped slash unescaping by default. This setting can be reverted with Cilium agent option --http-normalize-path=false. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 12 May 2021, 19:22:03 UTC
3198d60 envoy: Add response headers access logging [ upstream commit 094d141b5aedf189765e0f821fb06b5474669afb ] Use cilium-envoy image that adds response headers to response access log messages. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 12 May 2021, 19:22:03 UTC
4a6e7b9 docs: Add a note about minikube docker driver mode Signed-off-by: Aditi Ghag <aditi@cilium.io> 12 May 2021, 19:20:16 UTC
3df0aa7 Update Go to 1.15.12 Signed-off-by: Tobias Klauser <tobias@cilium.io> 11 May 2021, 19:00:50 UTC
7dc246b node-neigh: Fix obsolete nextHop removal [ upstream commit a753b38a254e5b2cf95220635e0ca4e6a01e2a63 ] The impact of the wrong removal was very small - unnecessary neigh insert via netlink and dangling unused value. This could have happened under very rare circumstances when a next hop to a node had changed. Fixes: 0483ba07a57f ("node-neigh: Do not inc neighbor refcount for the same node") Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
45d7d8a node-neigh: Avoid arpinging the same next hop [ upstream commit c3d971a00bee275ed33c26bb76d41198d33deedd ] When nodes are connected via L3 GW, the periodic ARP refresher pings the same IP (GW). To avoid that, introduce neighLastPingByNextHop which stores a timestamp of the last successful arping for a given next hop. If delta between the last and the next arping is less than option.Config.ARPPingRefreshPeriod, then the arping is skipped until the next time the refresher is scheduled. Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
12c711e cilium: set packet_type to ensure packet is not dropped by stack [ upstream commit adb5ccf3d8b32b5e2c5a62fc8306953c34c679a1 ] The dmac may not be set in the case of !HAVE_FIB_SUPPORT so we need to ensure the stack doesn't mark this packet as OTHERHOST and drop it. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
b09aa58 cilium: encryption, nodeSubnets are populated before auto-discovery [ upstream commit e34115a22cbd3beb526236783f17091279916e2e ] In order to push auto-discovery of the subnet into the nodeSubnet fields we need to do the discovery early enough in the setup that the subnets exist. At the moment we do the auto-discovery too late and the values are not pushed into the nodeConfiguration so we miss updating the ipsec route table correctly. Rather than overwrite the config options this patch pushes the code into nodeConfigurationChanged() and updates the node configuration directly. This has two advantages: we avoid stomping on user config and we also catch any subnet updates. Fixes: a42d442a096a5 ("cilium: auto-discovery pod subnets for ENI IPAM") Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
c34e7c1 cilium: encryption, ensure IP_POOLS is set in IPAMENI case [ upstream commit 69e885c6c59ef0e08caf0435412260f7b983608c ] We moved the subnet detection lower into the init path so that it handled reinitialization, but unfortunately this broke setting IP_POOLS define in header writing. Do the simplest fix and just always enable IP_POOLS for ENI case. Fixes: a42d442a096a5 ("cilium: auto-discovery pod subnets for ENI IPAM") Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
1e534fa cilium: encrypt iface without fib lookup is not usable [ upstream commit d56f565b2782ee76f30d71df61f6beba1f4a7393 ] We can not do a redirect to the egress interface if the fib lookup is not supported. If we do try to do the redirect there is no guarantee the MAC addresses are correct because we didn't rewrite them from the BPF datapath. This may work, if the network is very forgiving, but more likely the NIC will drop the packet because of the MAC addresses being incorrect. Also without a correct ENCRYPT_IFINDEX the FIB lookup will fail. So let's guard fib lookups with both encrypt ifindex and fib support; this way we will pass the packets to the stack instead of dropping them when we don't have the correct set of kernel features or config. EKS creates a unique problem here. EKS does source routing and has multiple egress interfaces. The correct egress interface is unclear at init time (there are multiple interfaces) and can change at runtime. Rather than try to pick an interface (fragile!) let the stack route the packet and skip FIB lookup and redirect from the BPF datapath. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
91cfc37 cilium: encryption, use cilium_host IP for IPSec header srcIP [ upstream commit fbadf99e76ab1e1c4af8a3822f72081b58fbbe95 ] When using subnet mode for encryption, IP subnets are not bound to any specific node. So rather than use the xfrm stack to write src/dst IPs in the IPSec path we use bpf_host.o attached to the cilium_host qdisc to complete the header. This is necessary because we want to avoid having an entry per pod in the xfrm tables and instead have at max an entry per node. Currently, we use the srcIP of the first interface we find in the egress interface list. This works on some more forgiving networks, but EKS uses source-based IP routing and does not have a source IP in the source routing tables for all network-facing interfaces. What happens then is we rewrite the SIP of the IPSec header to the IPAddr assigned to the network interface. This is passed to the stack for routing. The routing table doesn't have a source entry for the SIP so it uses the default route. The default may or may not point to the first interface. If it doesn't then the network appears to do a firewall rule where the NIC/SIP lookup is unexpected and the network drops the packet either by firewall or just missing routing rules. It appears common for the first interface "eth0" to match the default route, so it often gets working by depending on this ordering, but it's very fragile and easy to break. Fix by using the SIP of cilium_host which always has an entry in the source routing table. Note: the above only applies to the non-fib case (kernels <4.17); with fib lookup we do a lookup in the BPF datapath and write MACs and IPs correctly without stack intervention. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
84f4265 node-neigh: Log arping failures only in debug mode [ upstream commit 0ff85f2f9d857e4da0732813b5db79a4b07ed857 ] Most of arping failures which we observed are transient, so these false positives might mislead users. Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
b488530 daemon: Add --arping-refresh-period [ upstream commit e779e96b4e07d380641bce9e9db2f1dc80765a73 ] Instead of deriving the value from net.ipv4.neigh.default.base_reachable_time_ms, which is 30s by default, use a user-specified value for the ARP periodic refresher. Running the ARP refresher every 15-45s is too often, as in most clusters node hw addrs don't change at all. Users who have highly dynamic environments will be able to schedule the refresher at a higher frequency by using the flag. Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
3254934 node-neigh: Do not return early if nextHop is the same [ upstream commit 38d00498100f934ac2d8d5e36f397c5f41037e42 ] It can happen that the insertNeighbor(refresh=true) gets called before insertNeighbor(refresh=false), and only the latter can increment the neigh refcounting. Remove the optimization for the sake of refcounting correctness. Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
8d570e2 node-neigh: Make neighLock'ing more fine-grained [ upstream commit a82137bb602bd746edb7a09573e897ebeb2d8df5 ] This commit changes how insertNeighbor() method takes the lock. Instead of holding the lock for the entire execution duration, we release the lock while arpinging. This allows parallel arpings which should make the periodic ARP refresher faster. Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
f3cb2d5 node-neigh: Misc refactoring [ upstream commit 0d729410d7f1362a7024174569717a3cca2811b7 ] - Lock insertNeighbor() before accessing shared structures. - Defer neighbor BPF map retirement so that it's moved from the contend path. - Make getSrcAndNextHopIPv4() a function to indicate that it's not using any shared structures. Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
a3d9342 node-neigh: Remove unnecessary looping over recv [ upstream commit 7c45d177e1ab2c2552513607360b8248f37d4930 ] There is no default case in the select, so the select will block until one of its cases is fulfilled. Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
6467050 node-neigh: Introduce dedicated lock [ upstream commit a99414798c73eb3ad89f09be17049347351d62cc ] This commit introduces a dedicated lock for managing node neighbor entries. Previously, the neighbor subsystem was sharing the same lock with the node manager. This resulted in lock starvation when the periodic neighbor refresh was taking longer than expected and it was queuing up the refresh requests. To avoid the starvation, which can slow down node updates, we introduce the dedicated lock. Also, we make sure that insertNeighbor() won't block NodeUpdate() in the case of the scenario above by running it in a separate goroutine (the same applies to deleteNeighbor() and NodeDelete()). Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
27c3267 plugins/cilium-cni: fix aws-cni cni chaining [ upstream commit ea381e77fc75db582dacf52bad7f3a643badee6d ] AWS-CNI seems to require more fields than the ones hard coded in the Cilium image. This patch adds the missing fields. Error messages that might show up in pod describe are similar to: ``` network: invalid character '{' after top-level value ``` or ``` \n{\n \"code\": 100,\n \"msg\": \"add cmd: failed to assign an IP address to container\"\n}": invalid character '{' after top-level value ``` Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
56c32f2 Update weekly community meeting timeslot [ upstream commit 785c2e781649ea9204fe8d76d6ef4a306b3bf4b4 ] As discussed during community meeting 2021-05-03. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
64f4582 connectivity-check: Reduce chances of port conflict with proxy [ upstream commit e97c7c3889843f2ad20f557cb6c905e5fdae707a ] Cilium's DNS proxy listens on a port allocated by the kernel. That port can however conflict with the port used by echo-c-host-container from the connectivity checks, leading to CI flakes when run regularly. A kernel comment on the function allocating the port [1] gives us a way out: * if snum is zero it means select any available local port. * We try to allocate an odd port (and leave even ports for connect()) So using an even-numbered port for echo-c-host-container in the connectivity checks should strongly reduce the likelihood of this flake happening again. Other hostns pods already use even-numbered ports. 1 - https://elixir.bootlin.com/linux/v5.12.1/source/net/ipv4/inet_connection_sock.c#L354 Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
a74d6cc test: Fix fragment tracking test on GKE [ upstream commit 9fc95830c630c7b94c3e4d5d5401ee8a87eff474 ] The fragment tracking test was disabled on GKE because it is incompatible with endpoint routes [1]. Until that incompatibility is fixed, we can disable endpoint routes when running on GKE. 1 - https://github.com/cilium/cilium/issues/15958 Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
79002f1 bwm: temporarily disable setting bbr until we have a pacing fix [ upstream commit c2331400c1b5d7d082b3c2cb181f9ca6a56e64ee ] Consider a socket which has SO_MAX_PACING_RATE of 4Gbit/s and the socket being part of a Pod. This is currently broken given skb->tstamps are cleared on BPF redirect as well as netns traversal even though fq in hostns manages the socket's pacing. Rates would end up being unpredictable: root@apoc:~/go/src/github.com/cilium/cilium# netperf -H 10.217.1.19 -t TCP_STREAM -l40 -s2 MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.217.1.19 () port 0 AF_INET : demo Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 87380 16384 16384 40.04 655.52 root@apoc:~/go/src/github.com/cilium/cilium# netperf -H 10.217.1.19 -t TCP_STREAM -l40 -s2 MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.217.1.19 () port 0 AF_INET : demo Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 87380 16384 16384 40.07 1274.70 root@apoc:~/go/src/github.com/cilium/cilium# netperf -H 10.217.1.19 -t TCP_STREAM -l40 -s2 MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.217.1.19 () port 0 AF_INET : demo Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 87380 16384 16384 40.07 1519.32 root@apoc:~/go/src/github.com/cilium/cilium# netperf -H 10.217.1.19 -t TCP_STREAM -l40 -s2 MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.217.1.19 () port 0 AF_INET : demo Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 87380 16384 16384 40.06 849.96 We are working on a kernel side solution to retain skb->tstamps which would fix this issue and result in a stable 4Gbit/s rate for this example. Once that is merged we can re-enable BBR from the BWM side for those kernels (and fall back to cubic for those that do not have it). Related: #15324 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
3e0b887 bpf: only mark v4/v6 traffic wrt EDT with LXC_ID [ upstream commit d3dc63ddfaaf198bd3aba8d0201e43a5dc9885da ] A Pod could potentially emit non-IPv4/v6 traffic and in that case we must not set the aggregate since we also don't clear it in edt_sched_departure() again. Hence, move the edt_set_aggregate() to the two supported protos. Fixes: #15960 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
dce0990 test: Format test-only's kernel_version to avoid mistakes [ upstream commit fb08c6cfe6b6295a9aca9e579a067f34ee1c69c2 ] I often try to start test-only builds with e.g.: test-only --kernel_version=4.19 --focus="..." That fails because our tests expect "419". We can extend the Python script used to parse argument to recognize that and update kernel_version to the expected format. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
3b42bce node-neigh: add metric to count arping requests [ upstream commit 42eb1edafdaccad2814e7c16a1795e501fcd76b3 ] Could be used to decide if the arping refresh interval needs to be adjusted in order to limit spam. Signed-off-by: Jaff Cheng <jaff.cheng.sh@gmail.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
cf5143a docs: Update our community docs page [ upstream commit 63996d674e844da369e6408db4b90c836952d5ba ] - Update the information on SIGs. - Split the Slack channels in three categories and add a few new suggestions. - Add a section on the Weekly Community Meeting. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 May 2021, 13:59:00 UTC
f045408 eni: Fix Cilium overallocating network interfaces [ upstream commit 119cd19f77aeddc4c1f930d55ba74fa42cc1a118 ] This fixes a bug where Cilium wrongly overestimated the amount of available ENI IP addresses. This bug was introduced when we removed the primary ENI IP address from the IPAM pool, but forgot to adjust the number of addresses used to compare with the AWS instance limits. This led to the operator overestimating the number of available IP addresses by one. This in turn could lead to the operator first failing to allocate more IPs (because it exceeded the limit) and then unnecessarily creating a new ENI to fulfill the allocation request. Fixes: 7c1bb3592c46 ("aws/ec2: Exclude primary ENI IP from IPAM pool") Fixes: #15877 Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 06 May 2021, 22:46:02 UTC
ba36148 eni/mock: Use correct number of secondary IPs on interface [ upstream commit 9cf13c0c9e55d6c66718f999de7b052adf2a254b ] This commit modifies the CreateNetworkInterface mock API to mirror what the actual EC2 API implementation does for the `toAllocate` value, i.e. only use this number for secondary IP addresses, as a primary address is always implicitly allocated. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 06 May 2021, 22:46:02 UTC
430bd49 test: Run only K8sVerifier and K8sDatapathConfig on 5.4 [ upstream commit dfb822001f63fac4a5cc38240367f5a16bb8782f ] Since the goal of the 5.4 CI job is only to catch complexity issues, other test suites are skipped. They are not expected to help us catch new complexity issues compared to K8sVerifier and K8sDatapathConfig. Signed-off-by: Paul Chaignon <paul@cilium.io> 06 May 2021, 14:47:45 UTC
efc7fe6 bpf/Makefile, test: Support 5.4 kernel in verifier test [ upstream commit 869a008396eb4758841f41b087b85348aed7da2e ] The bandwidth manager is the only feature we can enable on 5.4 but not on 4.19. It requires Linux v5.1. Signed-off-by: Paul Chaignon <paul@cilium.io> 06 May 2021, 14:47:45 UTC
7cda85a test: RunsOn54Kernel helper [ upstream commit a5b0ca7cada63c8960ab22f09e48dcaab97abae7 ] Signed-off-by: Paul Chaignon <paul@cilium.io> 06 May 2021, 14:47:45 UTC
6b0ec1e test: Rename RunsOnNetNextOr419Kernel to RunsOn419OrLaterKernel [ upstream commit bfe16c233921d6286cd937dbc19d3d753f2099cc ] This helper function will also encompass the 5.4 kernel in a subsequent commit, so we should reflect that in its name. Signed-off-by: Paul Chaignon <paul@cilium.io> 06 May 2021, 14:47:45 UTC
ade9b78 vagrant: Add 5.4 VM image This commit also extends the Jenkinsfile to define KUBEPROXY in the same way as on 4.19. Signed-off-by: Paul Chaignon <paul@cilium.io> 06 May 2021, 14:47:45 UTC
a2e844f test: Extend the hairpin flow test with policy [ upstream commit 69f10edf2 ] Test for PR #15321 - tests the case where a pod connects to itself via service clusterIP when selected by a policy. Signed-off-by: Aditi Ghag <aditi@cilium.io> 05 May 2021, 09:02:16 UTC
e30c549 bpf: Skip remote endpoint lookup for dst ID in hairpin case Upon code inspection, the remote endpoint lookup that retrieves the destination ID is useless because the destination ID is not used when `hairpin_flow` is true. We can skip over this code in hopes that it simplifies the code complexity. Signed-off-by: Chris Tarazi <chris@isovalent.com> 05 May 2021, 09:02:16 UTC
b71c987 bpf: Skip policy enforcements for service loopback case [ upstream commit 52cd6da139c1ac5d67de65a821f953c936034f2e ] When an endpoint connects to itself via service clusterIP, we hairpin the flow using a loopback IP address (configured using ipv4-service-loopback-address). The destination clusterIP (on egress) and loopback IP (on ingress) map to unexpected identities. As a result, policy enforcement fails and the packet is dropped. This is visible in the cilium monitor output: <- endpoint 1844 flow 0x96c8d52 identity 55108->unknown state new ifindex 0 orig-ip 0.0.0.0: 10.12.0.123:58242 -> 172.20.0.130:80 tcp SYN Policy verdict log: flow 0x96c8d52 local EP ID 1844, remote ID world, proto 6, egress, action deny, match none, 169.254.42.1:58242 -> 10.12.0.123:80 tcp SYN Since we don't want to enforce policies anyway for the loopback traffic, this commit skips policy enforcements in that case. Co-authored-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Chris Tarazi <chris@isovalent.com> 05 May 2021, 09:02:16 UTC
d6e6ab1 handle IP addresses modification in running nodes and CEPs [ upstream commit 6bd98ad7e44324b6baaedf192378366b50b04ed8 ] Since k8s nodes, pods and CEPs can have their pod IP modified without being deleted, Cilium needs to be able to handle such cases by deleting the ipcache entries of the old IP addresses. Failing to do so, Cilium will rely on outdated information from those old entries until it receives new events that can update those entries. Until the events with the up-to-date information are received, Cilium might use the old, and potentially wrong, security identity stored for this IP address. Leveraging any such stale IP-to-Identity mappings is difficult given the access required to make use of them and the limited time window during which an update would be processed, rendering such entries no longer stale, and identity propagation is transmitted before a pod is marked as Ready. Signed-off-by: André Martins <andre@cilium.io> 03 May 2021, 06:57:31 UTC
0c41e9d pkg/k8s: add DeepEqual code generation for Service [ upstream commit 58d8b1dd33bf3abb02e3a82f919814bd39b1364d ] DeepEqual of Service can be automatically generated by deepequal-gen, so there is no reason to manually maintain the equality of this structure. Signed-off-by: André Martins <andre@cilium.io> 03 May 2021, 06:57:31 UTC
1d00356 test/gke: fix retry loop failing [ upstream commit f0a4292c2354f9eb5ebee928eed8a221041de6e0 ] From `bash` manpage: > ((expression)) > The expression is evaluated according to the rules described below > under ARITHMETIC EVALUATION. If the value of the expression is > non-zero, the return status is 0; otherwise the return status is 1. > This is exactly equivalent to let "expression". With `set -o errexit`, this means `((resize_wait_retries++))` fails... Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 30 April 2021, 19:58:22 UTC
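The `((expression))` behaviour that commit quotes from the bash manpage, reproduced as an added example that is not part of the Cilium repository or of the commit: the helpers below spawn bash for the bash-only `(( ))` construct (so the file itself stays POSIX sh), show that a post-increment of a zero counter returns status 1 and therefore aborts a loop running under `set -o errexit`, and run the same loop with two increment forms that do not trip errexit. The counter name `retries`, the retry bound of 3 and the alternative increment forms are this example's own choices, not the commit's fix.

```shell
#!/bin/sh
# Added example, not Cilium code: reproduces why `((var++))` breaks a script
# that runs under `set -o errexit`, and shows increments that survive it.
# The helpers spawn bash for the bash-only (( )) construct so this file itself
# stays POSIX sh. Variable names and the retry bound of 3 are made up here.

# Prints the exit status of bash's `(( expr ))` after setting n to $1.
# (( )) returns 1 whenever the expression's value is 0, which is exactly
# what a post-increment of a zero counter yields.
arith_status() {
    bash -c "n=$1; (( $2 )); echo \$?"
}

# Runs a three-iteration retry loop under `set -o errexit` in a fresh bash,
# using $1 as the statement that advances the counter. Prints
# "completed <count>" when the loop finishes, or "aborted" when errexit
# killed the shell before it could print anything.
retry_loop_under_errexit() {
    script="set -o errexit
retries=0
while [ \$retries -lt 3 ]; do
    $1
done
echo completed \$retries"
    if out=$(bash -c "$script"); then
        echo "$out"
    else
        echo aborted
    fi
}

# Stand-alone demonstration of the helpers above.
echo "status of (( n++ )) with n=0:    $(arith_status 0 'n++')"     # 1: value is 0
echo "status of (( n++ )) with n=1:    $(arith_status 1 'n++')"     # 0: value is 1
echo "status of (( n += 1 )) with n=0: $(arith_status 0 'n += 1')"  # 0: value is 1
echo "loop with ((retries++)):           $(retry_loop_under_errexit '((retries++))')"
echo "loop with retries=\$((retries+1)): $(retry_loop_under_errexit 'retries=$((retries + 1))')"
echo "loop with ((retries++)) || true:   $(retry_loop_under_errexit '((retries++)) || true')"
```

The first loop prints `aborted`: the very first `((retries++))` evaluates to 0, bash reports status 1, and errexit terminates the shell before the counter ever reaches 1. `retries=$((retries + 1))` is an assignment, whose status is always 0, and `((retries++)) || true` puts the arithmetic command in a tested context, so both loops run to `completed 3`. Note that `(( n += 1 ))` is only safe while the result is non-zero; starting from -1 it would fail in the same way.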
1b24d67 test/gke: handle operations via ConfigConnector only [ upstream commit 9e21ed118e0d91cb7468f5aacea77855d9f3ca96 ] ConfigConnector already takes care of resizing/deletion for us, no need for manually handling that. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 30 April 2021, 19:58:22 UTC
a73b75d test/gke: refactor gcloud container operations [ upstream commit 635b9070a9539cd8cdf783e1077b9e272b19a37f ] Using server-side filtering greatly accelerates checking for running operations. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 30 April 2021, 19:58:22 UTC
a425cef test/gke: remove obsolete script [ upstream commit 44f12e3a2ed62a8d1985e05337b2389fc0ff1e8c ] Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 30 April 2021, 19:58:22 UTC
68b0d28 docs/policy: Clarify table for deny policy scenarios [ upstream commit a6eba34564e4cb23d052e2dee7ac9ee510f5f62e ] This commit attempts to clarify the table detailing different deny policy scenarios. The titles are changed to clarify that the bottom part gives the result from each scenario detailed in the top part. Yes/No are replaced by Xs as that makes the table a bit easier to parse visually and probably also better represents the presence/absence of policies. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 30 April 2021, 19:58:22 UTC
9244120 .github: remove unnecessary docker hub credentials [ upstream commit 31625355bec914998bbf372a0519a87a4a8e1c3f ] GHA are not rate limited by DockerHub [1], so we can remove these credentials. [1] https://github.com/actions/virtual-environments/issues/1445#issuecomment-713861495 Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 30 April 2021, 19:58:22 UTC
73e2c41 contrib: Clean output of submit-backport [ upstream commit b1221c36739d4720025b3a3718848d82d269c876 ] When using submit-backport to open the backport pull request, it outputs the following information: Sending pull request... Enumerating objects: 154, done. Counting objects: 100% (115/115), done. Delta compression using up to 6 threads Compressing objects: 100% (24/24), done. Writing objects: 100% (24/24), 3.27 KiB | 3.27 MiB/s, done. Total 24 (delta 20), reused 0 (delta 0) remote: Resolving deltas: 100% (20/20), completed with 12 local objects. remote: remote: Create a pull request for 'pr/v1.9-backport-2021-04-22' on GitHub by visiting: remote: https://github.com/pchaigno/cilium/pull/new/pr/v1.9-backport-2021-04-22 remote: To github.com:pchaigno/cilium * [new branch] pr/v1.9-backport-2021-04-22 -> pr/v1.9-backport-2021-04-22 https://github.com/cilium/cilium/pull/15837 Updating labels for PRs 15780 This is a bit messy and mostly caused by the git push command. We can hide most of this since the script is in charge of opening the pull request. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 30 April 2021, 19:58:22 UTC
e448b0f test: Skip K8sPolicies on GKE and 4.19 [ upstream commit 1fff6e98487956da9e6c37f83b6b82c7b88f9ec9 ] Running K8sPolicies on those CI jobs is not expected to increase coverage, so let's disable them to reduce cost. We need to skip in both BeforeAll and JustBeforeEach because we want to skip the installation in BeforeAll, but doing so only skips the first test in K8sPolicyTest. So we also want to skip in JustBeforeEach. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 30 April 2021, 19:58:22 UTC
fe4a354 bugtool: Record attached BPF programs [ upstream commit 0412be84ca00c3764b908cc80d036ea1addf5635 ] bpftool net show command lists all the attached programs. We sometimes need to get a summary of BPF programs/SECs attached to different interfaces to debug datapath related issues. Sample output - bpftool net show xdp: tc: eth0(2) clsact/ingress bpf_network.o:[from-network] id 221 cilium_net(4) clsact/ingress bpf_host_cilium_net.o:[to-host] id 230 cilium_host(5) clsact/ingress bpf_host.o:[to-host] id 222 cilium_host(5) clsact/egress bpf_host.o:[from-host] id 226 lxc_health(7) clsact/ingress bpf_lxc.o:[from-container] id 242 lxc_health(7) clsact/egress bpf_lxc.o:[to-container] id 246 lxc37bff36e0cd2(9) clsact/ingress bpf_lxc.o:[from-container] id 234 lxc37bff36e0cd2(9) clsact/egress bpf_lxc.o:[to-container] id 238 lxc2686a607b303(12) clsact/ingress bpf_lxc.o:[from-container] id 250 lxc2686a607b303(12) clsact/egress bpf_lxc.o:[to-container] id 254 lxc33d2535b88de(14) clsact/ingress bpf_lxc.o:[from-container] id 258 lxc33d2535b88de(14) clsact/egress bpf_lxc.o:[to-container] id 262 flow_dissector: Signed-off-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 30 April 2021, 19:58:22 UTC