https://github.com/cilium/cilium

Revision Author Date Message Commit Date
63682d6 bpf: Fix return value of lpm{46}_ingress_lookup When policy enforcement is disabled, these lookup calls should always return a positive value to indicate a match. This bug had no effect so far as calls to these functions are currently protected by defines only defined when policy enforcement is enabled. Signed-off-by: Thomas Graf <thomas@cilium.io> 28 March 2018, 05:54:03 UTC
b9bd015 bpf: Fix egress CIDR policy enforcement The existing egress CIDR enforcement lookup was performed correctly but relied on a later policy check enforcing a drop and thus only marked the packet to skip the policy check instead of dropping it directly. The latter policy check was removed and since broke the egress CIDR policy enforcement. The CI test is ineffective and thus did not catch this regression. This commit fixes the bug, the CI test will be fixed in a separate commit. Fixes: #3345 Fixes: #3340 Signed-off-by: Thomas Graf <thomas@cilium.io> 28 March 2018, 05:54:03 UTC
41e9af3 docs: Fix the Kafka policy to use the new role in the GSG Fixes: #3349 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> 28 March 2018, 04:46:45 UTC
1237ec3 monitor: Fix egress identity mapping output Signed-off-by: Joe Stringer <joe@covalent.io> 28 March 2018, 03:45:10 UTC
f53a362 monitor: Fix ct entry port byteorder in output Signed-off-by: Joe Stringer <joe@covalent.io> 28 March 2018, 03:45:10 UTC
3d82a4b maps: allow for migration when map properties change Currently, when changing simple map properties such as type, key/value size, maximum number of elements or flags, then the loader rightfully bails out when it sees an already pinned map node comparing it to the one specified in the object file. The issue is that this makes it hard to upgrade certain maps, e.g. tail call maps when they get extended with new call entries or other generic maps when bumping their maximum elements or changing key/value size. For tail call maps, we temporarily move the map to a different location in the bpf fs and once the prog got installed successfully then we can unlink it such that the old map gets released eventually, or in case of failure, we can move it back. This patch generalizes such migration of the data path such that updates on any maps would work. It consists of two parts, i) object based tool that checks directly all maps in the generated object file against the pinned ones, and ii) daemon based checks on daemon-triggered map creation. The former also allows to get rid of remove_non_persistent_map() in the init.sh before each bpf_load(), and the cilium_calls_${EPID} specific workaround in the join_ep.sh. The cilium-map-migrate tool will report into the journal once map migration needed to be done. On the daemon side, we move the existing migrate() logic out of the Map's OpenOrCreate() handler into the lower-level OpenOrCreateMap() function, since the latter is used also from other locations where we otherwise would need to duplicate the logic. It also makes sense to actually check what we've received from ObjGet() call and whether it matches with the request instead of blindly passing the fd onwards. The original migrate() logic is extended to remove the map with exception to tail call maps due to eviction of prog entries upon inode removal.
Limitations: what cannot be detected as of today is struct changes in the key/value for the case where the size doesn't change. There will be kernel side support with BPF type format soon for allowing this at least on newer kernels. Also, there will be data loss for the time being when such conflict in map properties is detected on live update. In future, BPF type format we could make this more graceful by automating such upgrades with a mapping scheme between the two maps. Fixes: #3182 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 28 March 2018, 00:20:45 UTC
089e625 bpf: import elf headers to avoid extra dep Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 28 March 2018, 00:20:45 UTC
edb8896 ctmap: Move doFiltering debug logs under flowdebug Fixes: #3295 Signed-off-by: Romain Lenglet <romain@covalent.io> 28 March 2018, 00:10:13 UTC
edda929 envoy: Fix xDS server start log message Fixes: #3273 Signed-off-by: Romain Lenglet <romain@covalent.io> 28 March 2018, 00:10:13 UTC
87c62e3 pkg/endpoint: pass denied egress identities to UpdateNetworkPolicy Signed-off by: Ian Vernon <ian@cilium.io> 27 March 2018, 23:30:54 UTC
1b03f6d envoy: Don't try to set the endpoint's policy revision if policy is nil Signed-off-by: Romain Lenglet <romain@covalent.io> 27 March 2018, 23:06:06 UTC
59ef1e3 envoy: Use mutex to protect field accesses in Cilium xDS server Fixes: #3329 Signed-off-by: Romain Lenglet <romain@covalent.io> 27 March 2018, 23:06:06 UTC
cecd5f1 test/helpers: do not wait for endpoint to regenerate in EndpointSetConfig The command to set configuration should take care of this; clients should not have to implement logic to set configuration on endpoints based off of endpoint state. Signed-off by: Ian Vernon <ian@cilium.io> 27 March 2018, 22:25:58 UTC
28b6b78 pkg/endpoint: update variable from changed --> needToRegenerateBPF Make variable more evocative of what it means. Signed-off by: Ian Vernon <ian@cilium.io> 27 March 2018, 22:25:58 UTC
5b62f57 pkg/endpoint: check endpoint state before trying to regenerate * check if endpoint state is able to be changed to waiting-to-regenerate before trying configuration update * return error if after a hardcoded timeout, regeneration is unable to occur if endpoint state not able to be changed to waiting-to-regenerate. Signed-off by: Ian Vernon <ian@cilium.io> 27 March 2018, 22:25:58 UTC
9ea330a F 27 March 2018, 22:25:00 UTC
61f903d pkg/ipcache: only unmarshal value of key-value store event for create events The value is only populated for create events; for delete events, it is not populated. Thus, added a new function which extracts the IP from the key; this is similar to what is done for `pkg/kvstore/allocator`. Add unit tests for this conversion as well. Also do the following: * Update code-comment for EventTypeListDone to be more accurate. * Add event type to log message where we cannot unmarshal data from the key-value store. Signed-off by: Ian Vernon <ian@cilium.io> 27 March 2018, 22:25:00 UTC
e2fe78d daemon: only use value for Upsert CacheModification The value field is not used in Delete CacheModification, so only set the value in Upsert CacheModification. Signed-off by: Ian Vernon <ian@cilium.io> 27 March 2018, 22:25:00 UTC
ce762dd npds: Send allow-all policy when enforcement is disabled for endpoint Signed-off-by: Romain Lenglet <romain@covalent.io> 27 March 2018, 20:20:07 UTC
992733d npds: Convert nil L4Policy into deny-all policy Any endpoint with a nil L4Policy was causing a panic. Instead, generate a policy that denies all traffic at both ingress and egress. Signed-off-by: Romain Lenglet <romain@covalent.io> 27 March 2018, 20:20:07 UTC
0c6d916 Test: Fix assert message on kafka tests Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 27 March 2018, 19:43:14 UTC
6046566 endpoint: Print endpoint logs to agent logs We record information for retrieval with 'cilium endpoint log' but we never log it as part of the agent logs. This change includes an equivalent debug print of these changes. Signed-off-by: Ray Bejjani <ray@covalent.io> 27 March 2018, 18:29:28 UTC
9e6265f k8s: Fix formatted annotation log 27 March 2018, 18:29:28 UTC
0c1fd16 Dockerfile: increment image builder to 2018-03-27 Signed-off-by: André Martins <aanm90@gmail.com> 27 March 2018, 14:00:32 UTC
f75755f packaging/docker: add libelf-dev to builder image Signed-off-by: André Martins <aanm90@gmail.com> 27 March 2018, 14:00:32 UTC
6b37ad6 api: Remove redirects from proxy status Remove the redirects field from proxy status in "cilium status". Move allocated-proxy-port field into proxy-statistics in "cilium endpoint get". Sort the elements of proxy-statistics. Signed-off-by: Romain Lenglet <romain@covalent.io> 27 March 2018, 05:35:10 UTC
7ad82c8 proxy: Update endpoint stats from Kafka proxy Rename NetworkPolicyEndpoint interface into EndpointUpdater. Move EndpointUpdater from pkg/envoy into pkg/proxy/logger to make usable from the Kafka proxy. Update stats from Kafka proxy after logging into access log. Fix access logging to only log and account once when a request is denied and a response can't be created. Add endpoint identities, IP addresses, and ports in Kafka response access logs. This is also required to be able to derive endpoint stats. Look up original destination address and port of a Kafka request connection only once after accepting the connection, instead of for every request. Simplify the implementation of handleRequests as it was always passed a nil log record. Signed-off-by: Romain Lenglet <romain@covalent.io> 27 March 2018, 05:35:10 UTC
ddcbdcc api: Move redirect statistics from proxy status to endpoint Remove statistics from ProxyRedirectStatus. Add security identity and labels SHA256 to ProxyRedirectStatus. Move ProxyRedirectStatistics into Endpoint (cilium endpoint get) and redefine it as a subset of ProxyRedirectStatus plus statistics. The output of cilium endpoint get now contains stats like: "proxy-statistics": [ { "location": "ingress", "port": 80, "protocol": "http", "statistics": { "requests": { "denied": 12, "forwarded": 15, "received": 27 }, "responses": { "forwarded": 15, "received": 15 } } } ], Signed-off-by: Romain Lenglet <romain@covalent.io> 27 March 2018, 05:35:10 UTC
8f3f573 envoy: Extract network policy name and obs point from log records Associate access log producers to network policies. Remove all logging logic from Redirect. Add the observation point (ingress / egress) in every Envoy log record, and use that to create an access log record. Remove all stats logic from Redirect, to decouple stats from redirects to local proxies. Split the LogRecordProducer interface into the existing LogRecordNotifier interface and a new EndpointInfoRegistry interface. Group identity lookup by ID and by IP under the same EndpointInfoRegistry interface. Split files for readability: logger.go: move endpoint info interface into epinfo.go proxy.go: move Redirect into redirect.go, getMagicMark into mark.go Signed-off-by: Romain Lenglet <romain@covalent.io> 27 March 2018, 05:35:10 UTC
837c044 envoy: Use policy name instead of listener ID in access logs Remove duplicate accesslog.pb.go. Move files related to access log protobufs into the right package: pkg/envoy/cilium. Remove listener_id from filter configuration. Use network policy resource name instead. Signed-off-by: Romain Lenglet <romain@covalent.io> 27 March 2018, 05:35:10 UTC
49fcc49 endpoint: Sweep old identities in applyNewFilter Each time we apply a new filter, sweep through the policymap entries and clear out any identities that don't exist in the new labelsMap. Fixes: #3314 Signed-off-by: Joe Stringer <joe@covalent.io> 27 March 2018, 02:44:00 UTC
74a92f3 endpoint: Delete old policies based on old labelsMap Related: #3314 Signed-off-by: Joe Stringer <joe@covalent.io> 27 March 2018, 02:44:00 UTC
45276cb CI/tests: Make Kafka service headless Fixes: #3319 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> 27 March 2018, 00:03:47 UTC
ee379a5 docs: Make Kafka service headless Fixes: #3319 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> 27 March 2018, 00:03:47 UTC
e1143c5 health: Fix succinct/verbose modes. Commit 11f420b59d9d ("health: Format localhost first in status output") inadvertently swapped the order of the 'succinct' and 'verbose' parameters, leading to weird results with respect to verbosity on the commandline. Put them back in the right order. Signed-off-by: Joe Stringer <joe@covalent.io> 26 March 2018, 20:12:44 UTC
e91065b Vagrant: Bump minimal version to 2.0 Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 26 March 2018, 18:45:52 UTC
28c8871 Vagrant: Update base box version Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 26 March 2018, 18:12:08 UTC
f43c706 Use alpine as base image for Docs container 1. Modify Docs Dockerfile to use alpine. 2. Modify Makefile to use newer docker cli commands. Signed-off-by: Shantanu Deshpande <shantanud106@gmail.com> 26 March 2018, 07:37:53 UTC
b2d794f run cilium-docker in debug mode by default in CI * Change log-gathering command for `cilium-docker`. * Add "--debug" to cilium-docker service file. Signed-off by: Ian Vernon <ian@cilium.io> 26 March 2018, 00:42:31 UTC
b0829be CI/tests: Update kafka zookeeper connection timeout to 20 sec Fixes: #3307 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> 25 March 2018, 21:46:01 UTC
5d781a2 docs: Update kafka zookeeper connection timeout to 20 sec Fixes: #3307 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> 25 March 2018, 21:46:01 UTC
5b70876 Ginkgo: Refactor to use cons Refactor the code to use the cons instead of hardcoded strings Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 24 March 2018, 20:47:26 UTC
9d3a0ac docs: Fix generated links for latest Commit 369eb2a464c5 ("Documentation: Fix generated links when documentation is built from tags") fixed readthedocs generation for tagged releases, but inadvertently broke them for the latest release. Add back the previous command as a last resort instead, to hopefully fix the latest and keep versioned docs builds working. Related: #3128 Signed-off-by: Joe Stringer <joe@covalent.io> 24 March 2018, 09:27:34 UTC
fa654af CI/tests: Update kafka zookeeper session timeout to 20 sec Fixes: #3286 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> 24 March 2018, 07:49:43 UTC
00fc374 docs: Update kafka zookeeper session timeout to 20 sec Fixes: #3286 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> 24 March 2018, 07:49:43 UTC
07c81c6 test/runtime: remove no endpoint selector Ginkgo test Testing whether policy with no endpoint selector is denied is now done as a unit test. Thus, having a Ginkgo test for this is not necessary. Delete said Ginkgo test. Signed-off by: Ian Vernon <ian@cilium.io> 23 March 2018, 23:15:50 UTC
f380ab7 pkg/policy: check if EndpointSelector is provided in CNP rule Per the definition of a Rule, EndpointSelector cannot be empty. Ensure this constraint is met when rules are sanitized. Signed-off by: Ian Vernon <ian@cilium.io> 23 March 2018, 23:15:50 UTC
7f339a0 test/helpers: gather cilium-envoy.log Copy this file as part of log-gathering functions in Ginkgo CI. Signed-off by: Ian Vernon <ian@cilium.io> 23 March 2018, 22:53:00 UTC
558d953 test/config: rename file to which test output is saved Rename it from "logs" to "test-output.log"; this ensures that all log files have the extension ".log". Signed-off by: Ian Vernon <ian@cilium.io> 23 March 2018, 22:53:00 UTC
8580b2a test/helpers: use .log extension instead of .logs for container logs This allows the file to be opened without having to specify the application on Mac. It also adheres to convention used throughout the rest of the log files created. Signed-off by: Ian Vernon <ian@cilium.io> 23 March 2018, 22:53:00 UTC
48e9890 envoy: Add network filter to delete proxymap entries of closed connections. Add a new "cilium.network" network filter to remove bpf proxymap entries as soon as incoming connections are closed. Move the proxymap to a singleton and pass a shared pointer to it via the cilium socket option object. Shared pointer ensures that the proxymap is available also after all the listeners have been deleted, as a connection may take a long time to finally close. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 23 March 2018, 21:35:24 UTC
20b44e8 envoy: Rebase to upstream master. Envoy integration testing with additional network filters before the http connection manager was enabled by a recent upstream commit. Rebase to be able to use it. Signed-off-by: Jarno Rajahlame <jarno@covalent.io> 23 March 2018, 21:35:24 UTC
a7b3166 bpf: actually move calls map to temporary location and remove it later Commit 850615cc41ac ("bpf: Move calls map to temporary location and remove after filter replace") is actually buggy and doesn't work since in BPF fs dentry lookups on files with '.' are reserved names and will return 'Permission Denied'. So the mv + rm combination never worked and we always hit the || true case. The 'mv "${CALLS_MAP}.old" "${CALLS_MAP}"' noticeably failed for Adrian when the lxc device from the EP was gone. Fix it by not using a reserved name. Reported via Slack. Fixes: 850615cc41ac ("bpf: Move calls map to temporary location and remove after filter replace") Reported-by: Adrian Wawrzak <adiq94@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 23 March 2018, 21:34:43 UTC
6ba59d5 Doc: Added new step on release - Added a new step in the release process. - Added v0.13 branch in the Jenkins configuration to build once per day. Fixes #3168 Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 23 March 2018, 11:49:57 UTC
82b891f Test: Disable swap workaround Fix #3066 Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 23 March 2018, 11:49:36 UTC
4458e0f Test: Disable rolling status in Update - Enable Cilium Update test - Disable rolling status and use custom WithTimeout helper. - Update Nightly to use BeforeAll/AfterAll helpers function Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 23 March 2018, 11:49:04 UTC
0e19767 Test: Fix typos in comments Addressed comments from PR #3211 Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 23 March 2018, 11:45:32 UTC
f1484a4 Test: Added L3-L7 dependant test Update "Extended HTTP Method" test to support L3/L7 dependant rules Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 23 March 2018, 11:45:32 UTC
0189e67 daemon: Log invalid endpoint PATCH state transitions We can't reject such requests for backwards compatibility reasons, but we can at least complain to developers in the logs so they fix any outstanding poorly formed requests. Do so. Signed-off-by: Joe Stringer <joe@covalent.io> 23 March 2018, 09:22:46 UTC
41c0839 daemon: Only regenerate in PATCH from valid state Previously, we would attempt to regenerate even if we were not in the state where we are waiting to regenerate. The function being called expects that it must be in that state already, so don't regenerate if not already in the right state. Related: #3268 Signed-off-by: Joe Stringer <joe@covalent.io> 23 March 2018, 09:22:46 UTC
db80303 daemon: Check endpoint exists before PATCH It appears that it's possible for endpoint PATCH and DELETE API calls to arrive in quick succession, and for the PATCH to retrieve a reference to an endpoint just before the DELETE removes it from the endpoint manager. In this case, deleteEndpointQuiet() will remove the endpoint and transition it to StateDisconnecting, then the PATCH will attempt to revive the endpoint, however the newly resurrected endpoint will have no controller and will be unable to determine its identity. Related: #3268 Signed-off-by: Joe Stringer <joe@covalent.io> 23 March 2018, 09:22:46 UTC
70d5456 docs: Update the kafka GSG to use the new kafka roles Fixes: #3184 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> 23 March 2018, 02:51:55 UTC
9f7b44e policy: make kafka GSG use the high-level role versus apiKey This change changes the policy to use the new role field as opposed to apiKey Fixes: #3184 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> 23 March 2018, 02:51:55 UTC
7c480a3 cmdref: Fix nested links Previously, the cli reference would assume that links within each of the CLI cmdref markdown files would refer to subcommands as other files under the same path, eg this URL: http://cilium.readthedocs.io/en/latest/cmdref/cilium/ Links under its "See also" section to this URL: http://cilium.readthedocs.io/en/latest/cmdref/cilium/cilium_bpf.html However, the latter never existed so would always serve 404 errors. Fix this by ensuring the links are referenced by the directory depth of the cli index. Fixes: #2733 Fixes: #3260 Signed-off-by: Joe Stringer <joe@covalent.io> 22 March 2018, 23:35:36 UTC
e49b992 pkg/bpf: log when we call DeleteAll() on map Signed-off by: Ian Vernon <ian@cilium.io> 22 March 2018, 19:03:54 UTC
e76192a pkg/maps: add BPF ipcache map This new map maps IPs to their corresponding numerical security identities. Whenever the IPCache is updated, a callback is made to update this new map as well. There is only one such map per cilium-agent. This map is used by the datapath to get the identity which corresponds to an IP of a packet upon egress to make a decision whether to allow or deny a packet upon egress. Also starts the watcher for ip-identity in the key-value store after the map is cleaned up in daemon.init(), otherwise the contents of the map will be cleaned after the watcher starts, which will result in inconsistent state in the agent. Signed-off by: Ian Vernon <ian@cilium.io> 22 March 2018, 19:03:54 UTC
7820baa bpf: rename cilium_remote_lxc to cilium_ipcache Bump up amount of entries in map to 512000 as well. Signed-off by: Ian Vernon <ian@cilium.io> 22 March 2018, 19:03:54 UTC
bf32c7a k8s: Do not overwrite CRD validation fields When we unrolled using references in the validation we ended up reusing validation objects directly, clobbering the original's description. Signed-off-by: Ray Bejjani <ray@covalent.io> 22 March 2018, 19:02:25 UTC
e07c616 k8s: CEP controller detects and handles health ep The health endpoint has a corresponding CEP but isn't part of the orchestration system (in this case, k8s). It isn't initialized to work with the default CEP naming scheme, and requires special casing. Signed-off-by: Ray Bejjani <ray@covalent.io> 22 March 2018, 19:01:37 UTC
0134d87 ctmap: Clean up CT map filtering Add debug logs. Simplify the implementation of doFiltering(). Define GCFilter.Type as an enum instead of a bit set, since it was used as an enum. Signed-off-by: Romain Lenglet <romain@covalent.io> 22 March 2018, 18:59:52 UTC
3b7c3b9 Makefile: Add check-bindata to unit-tests Previously in the CI, it could take up to 15 minutes for a build failure due to improper bpf.sha to be discovered, as a plain 'make' would only be issued after booting ginkgo VMs and attempting to provision them. Add a check-bindata check into the unit-tests target so this will fail almost immediately. Signed-off-by: Joe Stringer <joe@covalent.io> 22 March 2018, 17:33:24 UTC
e616a08 bpf: Enable GC for LRU conntrack maps Until github issue #3239 is resolved, set timeouts in conntrack entries and enable active garbage collection in userspace. Signed-off-by: Joe Stringer <joe@covalent.io> 22 March 2018, 17:15:18 UTC
732ea7e bpf: Retire entries quickly for unreplied connections Set a five minute timeout for conntrack entries that have not yet seen a non-SYN packet. For non-TCP protocols, the timeouts remain longer. ICMP response tuples for TCP connections will be timed out quickly in all cases. Fixes: #3232 Signed-off-by: Joe Stringer <joe@covalent.io> 22 March 2018, 17:15:18 UTC
1168342 bpf: Remove dead code Signed-off-by: Joe Stringer <joe@covalent.io> 22 March 2018, 17:15:18 UTC
b16c033 test: Fix -cilium.SSHConfig for dev VM The developer VM defined in the Vagrantfile in the root of the Cilium repository is named "runtime1". Using `gingko ... -- -cilium.SSHConfig` and fetching the runtime VM config would previously fail, because ginkgo is looking for a machine named exactly "runtime". Loosen the restrictions by just searching for a vagrant configuration of a VM with the same prefix as the target VM. Tested via: ginkgo -- -cilium.SSHConfig="cd ../cilium && vagrant ssh-config" Signed-off-by: Joe Stringer <joe@covalent.io> 22 March 2018, 17:10:49 UTC
92caba3 Test: Kafka disallowTopic fixed The disallow topic didn't exit 1, and keeps forever[0], this change uses disable topic in background and wait until AUTH_MESSAGE is in place. Example:
```
root@runtime:/home/vagrant# docker exec -i client /opt/kafka/bin/kafka-console-consumer.sh --bootstrap-server kafka:9092 --topic disallowTopic 6 --timeout-ms 300000 --from-beginning
[2018-03-22 14:39:43,394] WARN Error while fetching metadata with correlation id 2 : {disallowTopic=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2018-03-22 14:39:43,498] WARN Error while fetching metadata with correlation id 5 : {disallowTopic=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2018-03-22 14:39:43,610] WARN Error while fetching metadata with correlation id 6 : {disallowTopic=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2018-03-22 14:39:43,715] WARN Error while fetching metadata with correlation id 7 : {disallowTopic=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2018-03-22 14:39:43,821] WARN Error while fetching metadata with correlation id 8 : {disallowTopic=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2018-03-22 14:39:43,924] WARN Error while fetching metadata with correlation id 9 : {disallowTopic=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
```
Build: https://github.com/cilium/cilium/pull/3259 Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 22 March 2018, 17:10:29 UTC
e5f4360 Tests: Fix issues on Kafka AfterEach I saw the following error in the test logs: ``` time="2018-03-22T01:51:03Z" level=debug msg="running command: policy delete --all" cmd: "policy delete --all" exitCode: 127 bash: policy: command not found ``` Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 22 March 2018, 17:10:29 UTC
2ad22e4 Ginkgo: Fix issues on AfterAll If the describe was like:
```
var _ = Describe("Test", func() {
	AfterAll(func() {
		fmt.Println("------------AfterAll ALL-------------")
	})
	AfterEach(func() {
		fmt.Println("------------AfterEach-------------")
	})
```
The AfterAll Function will be executed two times instead of one. On the other hand, the AfterAll function will be executed before AfterEach. This commit fixes the incorrect behaviour Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 22 March 2018, 16:30:22 UTC
6131eee Add timeout for getting etcd session Trying to get concurrent session for etcd cluster hangs etcd client library, which in turn hung Cilium Agent. This change adds 10s timeout to session creation that will crash the agent with error message pointing to etcd version as possible culprit. Signed-off-by: Maciej Kwiek <maciej@covalent.io> 22 March 2018, 16:18:59 UTC
942fd97 Jenkins: Fix failfast on runtime Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 22 March 2018, 16:13:17 UTC
9085ac0 envoy: Replace the atomic redirectCount with the listeners count Signed-off-by: Romain Lenglet <romain@covalent.io> 22 March 2018, 07:34:07 UTC
ff1fad2 xds: Change xDS response log level from Info to Debug Signed-off-by: Romain Lenglet <romain@covalent.io> 22 March 2018, 07:34:07 UTC
fcc4e3d envoy: Support concurrent access log connections Signed-off-by: Romain Lenglet <romain@covalent.io> 22 March 2018, 07:34:07 UTC
2500db4 envoy: Clean up log statements Signed-off-by: Romain Lenglet <romain@covalent.io> 22 March 2018, 07:34:07 UTC
f140519 envoy: Make the xDS and access log sockets accessible by non-root proxies Signed-off-by: Romain Lenglet <romain@covalent.io> 22 March 2018, 07:34:07 UTC
f79a4c8 proxy: Start xDS and access log servers independently from Envoy Embed envoy.XDSServer and the access log server into proxy.Proxy since they now have the same lifecycle. Start them when Proxy is created. Remove the coupling between Envoy and XDSServer and access log server. Signed-off-by: Romain Lenglet <romain@covalent.io> 22 March 2018, 07:34:07 UTC
09aa62c Correctly change Kafka policy filenames to lower case Fixes: #3241 Signed-Off-by: Manali Bhutiyani <manali@covalent.io> 22 March 2018, 03:55:59 UTC
454f8d1 completion: Only call callback in case of success Signed-off-by: Romain Lenglet <romain@covalent.io> 22 March 2018, 02:41:10 UTC
cf04eb8 completion: Make Completion.Complete atomic Signed-off-by: Romain Lenglet <romain@covalent.io> 22 March 2018, 02:41:10 UTC
92415e1 completion: Update doc about optional callback Signed-off-by: Romain Lenglet <romain@covalent.io> 22 March 2018, 02:41:10 UTC
28d7b83 test/runtime: disable runtime CT test Signed-off by: Ian Vernon <ian@cilium.io> 21 March 2018, 23:23:33 UTC
7696813 k8s: Add L4 tests to NP allow-all tests Ensure that L4 is wildcarded as expected. Signed-off-by: Thomas Graf <thomas@cilium.io> 21 March 2018, 22:15:43 UTC
1791e0f k8s: Expand egress ports when converting NP to CNP The test is commented out until #3099 enables use of this. Signed-off-by: Thomas Graf <thomas@cilium.io> 21 March 2018, 22:15:43 UTC
55e12d2 k8s: Add test for L3 wildcard with L4 filter The test was passing, although a bit unexpected from looking at the code as no "all" label was attached to the rule. This commit cleans this up to make it absolutely obvious and to have an all label stored in the rule. Signed-off-by: Thomas Graf <thomas@cilium.io> 21 March 2018, 22:15:43 UTC
85cc490 k8s: Add test for ingress allow all This is working as expected Signed-off-by: Thomas Graf <thomas@cilium.io> 21 March 2018, 22:15:43 UTC
3327589 k8s: Fix egress policy with empty To selector The following policy should allow all egress to of id=a:
```
Spec: networkingv1.NetworkPolicySpec{
	PodSelector: metav1.LabelSelector{
		MatchLabels: map[string]string{
			"id": "a",
		},
	},
	Egress: []networkingv1.NetworkPolicyEgressRule{
		{
			To: []networkingv1.NetworkPolicyPeer{},
		},
	},
},
```
Signed-off-by: Thomas Graf <thomas@cilium.io> 21 March 2018, 22:15:43 UTC
dfeb3fc CMD: Add json output on endpoint config I saw, a few times, issues where the config cannot be retrieved correctly because `endpoint config` does not have `-o json` support. Added json support to stop failing in the test. Related with failures in `Conntrack-related configuration options for endpoints` test. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 21 March 2018, 21:24:18 UTC
e85c785 misc: remove Owner parameter from many functions Remove from removeOldFilter, applyNewFilter, applyL4PolicyLocked, writeL4Policy, writeL4Map. Signed-off by: Ian Vernon <ian@cilium.io> 21 March 2018, 21:23:21 UTC
3b59bd1 pkg/endpoint: remove Owner parameter from SetIdentity This parameter is not used anymore, so just remove it. Signed-off by: Ian Vernon <ian@cilium.io> 21 March 2018, 21:23:21 UTC
3e75ad6 pkg/policy: remove Owner argument to allowIngress/EgressIdentity functions This argument is not used; remove it. Signed-off by: Ian Vernon <ian@cilium.io> 21 March 2018, 21:23:21 UTC