https://github.com/cilium/cilium

Revision Author Date Message Commit Date
461ba46 Prepare for release v1.7.16 Signed-off-by: Joe Stringer <joe@cilium.io> 20 April 2021, 22:47:08 UTC
fc95564 fix chan panic [ upstream commit 4a8f4073b8bbb2fece90112f10d519061614a965 ] Signed-off-by: jomenxiao <jomenxiao@gmail.com> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 20 April 2021, 21:28:33 UTC
7f3dcd1 backporting: Update instructions for backporting workflow [ upstream commit 198fe64d79b53c983ba74f09f5c7a1c34408666d ] Commit 02320e added support for working with Cilium forks. Document the additional steps that are required with this new workflow. Additionally, workflow scope might be needed with the GitHub token in some cases that update the corresponding yamls - ``(refusing to allow a Personal Access Token to create or update workflow `.github/workflows/go-check.yaml` without `workflow` scope`` Signed-off-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 20 April 2021, 21:28:33 UTC
cdb417f envoy: Update to release 1.17.2 [ upstream commit d42cc416b1a4071201b9ace1976736cb35cd60e8 ] Update Envoy image to release 1.17.2, including the latest security fixes. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 20 April 2021, 20:27:11 UTC
07d6457 test: ensure kubectl version is available for test run [ upstream commit 61812551f6594cf27d4f2ca61d0b96208826b911 ] [ Backporter's notes: All hunks needed conflict resolution. Mostly just including the new code into the older version of the branch. Also needed to resolve these errors: $ make -C test/ build config/config.go:82:2: undefined: flagset helpers/kubectl.go:274:4: undefined: ginkgoext.Failf helpers/kubectl.go:3154:46: res.GetStdOut().String undefined (type string has no field or method String) ] This change makes K8s ginkgo test suite download kubectl version compatible with current cluster version if it's not available. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 17 April 2021, 02:26:47 UTC
70c92d9 Dockerfile: Bump cilium-runtime image dependency Signed-off-by: Joe Stringer <joe@cilium.io> 15 April 2021, 22:08:11 UTC
cba19be build(deps): update docker/build-push-action requirement to e1b7f96249f2e4c8e4ac1519b9608c0d48944a1f Updates the requirements on [docker/build-push-action](https://github.com/docker/build-push-action) to permit the latest version. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/commits/e1b7f96249f2e4c8e4ac1519b9608c0d48944a1f) Signed-off-by: dependabot[bot] <support@github.com> 14 April 2021, 13:20:33 UTC
32b9f82 build(deps): bump docker/setup-buildx-action Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 154c24e1f33dbb5865a021c99f1318cfebf27b32 to 1.1.2. This release includes the previously tagged commit. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/154c24e1f33dbb5865a021c99f1318cfebf27b32...2a4b53665e15ce7d7049afb11ff1f70ff1610609) Signed-off-by: dependabot[bot] <support@github.com> 13 April 2021, 13:49:38 UTC
9723f35 build(deps): bump actions/download-artifact Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4a7a711286f30c025902c28b541c10e147a9b843 to 2.0.9. This release includes the previously tagged commit. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/4a7a711286f30c025902c28b541c10e147a9b843...158ca71f7c614ae705e79f25522ef4658df18253) Signed-off-by: dependabot[bot] <support@github.com> 12 April 2021, 14:03:45 UTC
030f0bd build(deps): bump actions/upload-artifact Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from e448a9b857ee2131e752b06002bf0e093c65e571 to 2.2.3. This release includes the previously tagged commit. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/e448a9b857ee2131e752b06002bf0e093c65e571...ee69f02b3dfdecd58bb31b4d133da38ba6fe3700) Signed-off-by: dependabot[bot] <support@github.com> 12 April 2021, 10:27:06 UTC
c29d726 docs: Hide "Edit on GitHub" buttons [ upstream commit fe14fc9e6fc4050c8706dfb92acc63972b7db06d ] Following the instructions here, remove the buttons to edit on github since this is confusing for contributors since it opens PRs against branches where we don't accept contributions, bypasses the standard instructions like requiring signoffs, etc. https://github.com/readthedocs/readthedocs.org/blob/master/docs/guides/remove-edit-buttons.rst Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Aditi Ghag <aditi@cilium.io> 08 April 2021, 21:10:28 UTC
ccf2b13 build(deps): bump pygments from 2.4.2 to 2.7.4 in /Documentation [ upstream commit 9ac4d95837ae5ac325f804d062fc075a208dbd98 ] Bumps [pygments](https://github.com/pygments/pygments) from 2.4.2 to 2.7.4. - [Release notes](https://github.com/pygments/pygments/releases) - [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES) - [Commits](https://github.com/pygments/pygments/compare/2.4.2...2.7.4) Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: André Martins <andre@cilium.io> 01 April 2021, 02:30:26 UTC
38bf38d contrib: Simplify docker manifest pull script [ upstream commit 2dc28058b525ecda2eb91a080c4efd35a98f72ad ] Rearrange the parameters and make version / github username optional parameters with some sane autodetection. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 01 April 2021, 02:30:26 UTC
3c4f6b8 contrib: Fix start-release "old release" detection [ upstream commit b117daebd94649d7860467f91d30302e1da6b194 ] This script previously assumed that you first checkout the branch where you will make the release, then run the script. By first pulling & creating the branch in the script, we can detect the "old_version" correctly with fewer dependencies on the release manager's environment. Reported-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 01 April 2021, 02:30:26 UTC
3daf3f6 contrib: Zero image digests when starting release [ upstream commit daeaa9cbcf8252505d67b79245b27456c7f5a1cc ] When we prepare the tag commit for an upcoming Cilium release, we want that commit to point towards images like "cilium/cilium:vX.Y.Z". Then, once we have pushed & generated images for that tag, we will have an image digest that points to this tag. At that point, we will update the digests again to point to a fully qualified image something like "cilium/cilium:vX.Y.Z@sha256:abcdef...", which will be injected into the Helm charts corresponding to this release. This commit clears the previous image shas (corresponding to a prior release) when starting a new release. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 01 April 2021, 02:30:26 UTC
ba1f78f contrib: Remove duplicate docker manifest title [ upstream commit 648fbf0b26102229257a3f78dd00d9f8f030eb45 ] Commits 14a908777eed ("contrib/release: do not require images to be download locally") and 1a6d10af62fa (".github: Improve digest formatting in workflow") both attempted to add the title for the digests into the output format, but this lead to the title being added twice. We only need one, so remove the other one. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 01 April 2021, 02:30:26 UTC
1561038 contrib: Allow pull-docker-manifests to run out of tree [ upstream commit 6feafc2203be4d17a2f3b6049a995064e7297712 ] These changes allow running the master version of the script from another directory and only outputting the changed files into the current directory (for instance, if you have a dedicated copy of Cilium per branch). Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 01 April 2021, 02:30:26 UTC
b10bf64 contrib: Update helm manifests during digest pull [ upstream commit ef6c8a6f224e5232b0038ea02a390ee59b08127a ] This extra step should be carried out to ensure the digests are correct in the helm charts in the tree following a release. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 01 April 2021, 02:30:26 UTC
3dd8c98 contrib: Make version parsing more lenient in digest pull [ upstream commit ceb1e075f9afaabca11caf28e6b191241b56e2a7 ] Make the version handling more flexible by taking in a version number in either the "vX.Y.Z" or "X.Y.Z" formats, stripping the leading v and setting the URL up correctly to pull the manifests from the target URL. Fixes the following error: $ contrib/release/pull-docker-manifests.sh joestringer 1.7.15 https://github.com/cilium/cilium/actions/runs/637686978 curl: (3) URL using bad/illegal format or missing URL Signal ERR caught! Traceback (line function script): 71 main contrib/release/pull-docker-manifests.sh 85 main contrib/release/pull-docker-manifests.sh Exiting... Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 01 April 2021, 02:30:26 UTC
202f69d docs: Fix commands for IPSec key rotations [ upstream commit aabc7bf0b82581f6702ebb293df5e36f74f68fec ] The commands to perform key rotations don't work because of YAML's indentations. The key keys can be indented: $ ks get secrets cilium-ipsec-keys -o yaml | grep -C1 keys: data: keys: MSByZmM0MTA2KGdjbShhZXMpKSA0NDQzNDI0MTM0MzMzMjMxMjQyMzIyMjExNDEzMTIxMWY0ZjNmMmYxIDEyOA== kind: Secret This commit fixes the regular expression. Fixes: 458c623 ("Documentation: fix key rotation command in encryption guide") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 01 April 2021, 02:30:26 UTC
ded07c2 node-neigh: Bump arping vsn to accept netlink.Link This commit bumps github.com/cilium/arping version to accept netlink.Link instead of net.Interface. The change allows us to use netlink to query netdevs which avoids a possible deadlock described in the previous commit. Signed-off-by: Martynas Pumputis <m@lambda.lt> 25 March 2021, 22:11:33 UTC
568a626 bugtool: dump iptables-legacy and iptables-nft [ upstream commit 9020c65f7446bf6b277d33720be50685290904ab ] Fixes: #15270 Signed-off-by: Gaurav Genani <h3llix.pvt@gmail.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 22 March 2021, 23:42:27 UTC
422ceb9 Bugtool: route tables dynamically dumped [ upstream commit 9a058d6563e8530149a8fe56e25e72779def784d ] When using the Bugtool with "direct routing / native routing mode" enabled, we are only getting the encryption and proxy tables (200 / 2005). The goal of this PR is to get the route tables dynamically and remove the hardcoded ones. Fixes: #12250 Signed-off-by: Youssef Azrak <yazrak.tech@gmail.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 22 March 2021, 23:42:27 UTC
7e84854 Documentation: fix key rotation command in encryption guide [ upstream commit 458c623b4b7acd5fc77e6542e5b2cff54dd3f624 ] "kubectl get secret -n kube-system cilium-ipsec-keys" outputs two lines with "keys:", one is the real key data and the other is a "managedField": $ kubectl get secret -n kube-system cilium-ipsec-keys -o yaml | grep keys: keys: MyByZmM0MTA2KGdjbShhZXMpKSA3ZTE1YmZlNmQyZjczNGUzZmQ0YTEzM2FlZDU2MGQwMjEzZjBjNmRmIDEyOA== f:keys: {} It makes the whole command to get the key id fail: $ KEYID=$(kubectl get secret -n kube-system cilium-ipsec-keys -o yaml|grep keys: | awk '{print $2}' | base64 -d | awk '{print $1}') base64: invalid input This will be fixed in the next Kubernetes release (https://github.com/kubernetes/kubernetes/pull/96878), in the meanwhile just use a regular expression in awk to match "keys:" at the beginning. Fixes: 4ea52ae1394b ("cilium: encryption, docs key updates") Signed-off-by: Mauricio Vásquez <mauricio@accuknox.com> Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 22 March 2021, 23:42:27 UTC
a14def8 contrib: fix remote overriding [ upstream commit 390ee46a79b762ea727df07d1a1fbc2c798e1bfc ] Before this patch, get_user_remote() would ignore its remote argument when provided and always take the auto-detection path. Signed-off-by: Alexandre Perrin <alex@kaworu.ch> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 22 March 2021, 23:42:27 UTC
b93db0a vendor: Bump x/sys The netlink library depends on a more recent x/sys/unix Signed-off-by: Thomas Graf <thomas@cilium.io> 20 March 2021, 05:00:27 UTC
8763be7 datapath: Fixup code after netlink vendor bump Signed-off-by: Thomas Graf <thomas@cilium.io> 20 March 2021, 05:00:27 UTC
7f8e1a5 vendor: Bump vishvananda/netlink dependency Neighbor insertion can block indefinitely. See https://github.com/cilium/cilium/issues/14710 for details. ``` goroutine 62 [syscall, 1080 minutes]: syscall.Syscall6(0x2d, 0x4e, 0xc002e27000, 0x1000, 0x0, 0xc004ba33e0, 0xc004ba33d4, 0x20, 0x21b1380, 0xc005241101) /usr/local/go/src/syscall/asm_linux_amd64.s:44 +0x5 syscall.recvfrom(0x4e, 0xc002e27000, 0x1000, 0x1000, 0x0, 0xc004ba33e0, 0xc004ba33d4, 0x27637a0, 0xc0015555c0, 0x0) /usr/local/go/src/syscall/zsyscall_linux_amd64.go:1618 +0xa3 syscall.Recvfrom(0x4e, 0xc002e27000, 0x1000, 0x1000, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0) /usr/local/go/src/syscall/syscall_unix.go:273 +0xaf syscall.NetlinkRIB(0x12, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0) /usr/local/go/src/syscall/netlink_linux.go:71 +0x23c net.interfaceTable(0x0, 0x4, 0x4, 0x8, 0x18, 0xc002462cc0) /usr/local/go/src/net/interface_linux.go:17 +0x48 net.InterfaceByName(0xc0001dd298, 0x4, 0xc00a3e6a20, 0x10, 0x10) /usr/local/go/src/net/interface.go:157 +0x1a4 github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).insertNeighbor(0xc0008d4c30, 0xc004ba3b58, 0xc0001dd298, 0x4) /go/src/github.com/cilium/cilium/pkg/datapath/linux/node.go:591 +0x132 github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).nodeUpdate(0xc0008d4c30, 0x0, 0xc004ba3b58, 0x0, 0x0, 0x0) /go/src/github.com/cilium/cilium/pkg/datapath/linux/node.go:729 +0x18f github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).NodeValidateImplementation(0xc0008d4c30, 0xc0006a6ed0, 0x29, 0xc00a3e6958, 0x7, 0xc00be311d0, 0x2, 0x2, 0xc001646368, 0x0, ...) 
/go/src/github.com/cilium/cilium/pkg/datapath/linux/node.go:1171 +0x9b github.com/cilium/cilium/pkg/node/manager.(*Manager).backgroundSync.func1(0x27c8680, 0xc0008d4c30) /go/src/github.com/cilium/cilium/pkg/node/manager/manager.go:282 +0xaa github.com/cilium/cilium/pkg/node/manager.(*Manager).Iter(0xc00091c280, 0xc004ba3e08) /go/src/github.com/cilium/cilium/pkg/node/manager/manager.go:149 +0xe7 github.com/cilium/cilium/pkg/node/manager.(*Manager).backgroundSync(0xc00091c280) /go/src/github.com/cilium/cilium/pkg/node/manager/manager.go:281 +0x421 created by github.com/cilium/cilium/pkg/node/manager.NewManager /go/src/github.com/cilium/cilium/pkg/node/manager/manager.go:191 +0x673 ``` Signed-off-by: Thomas Graf <thomas@cilium.io> 20 March 2021, 05:00:27 UTC
8201b67 contrib: Skip image digests during release prep In the initial PR, the image digest should be omitted, otherwise we point to an image tag with the upcoming release and a digest from the previous release. Skip it in that case. Signed-off-by: Joe Stringer <joe@cilium.io> 10 March 2021, 20:16:56 UTC
993435d install: Update image digests for v1.7.15 Signed-off-by: Joe Stringer <joe@cilium.io> 10 March 2021, 17:08:43 UTC
9f1f8d1 Prepare for release v1.7.15 Signed-off-by: Joe Stringer <joe@cilium.io> 10 March 2021, 01:03:48 UTC
c11b57d datapath: Do not create NAT entry for egress ICMP ECHO_REPLY Previously, when ICMP ECHO was sent from outside to a host managed by Cilium, the handling of the reply to it (ICMP ECHO_REPLY) used to create the following entries:

```
CT
| src        | dst       | dir |
+------------+-----------+-----+
| outside:0  | host:ID   | OUT |

NAT
| src        | dst       | dir |
+------------+-----------+-----+
| host:0     | outside:ID| OUT | <-- ICMP ECHO_REPLY
+------------+-----------+-----+
| outside:ID | host:ID   | IN  | <-- ICMP ECHO
```

The NAT IN entry was useful only to avoid pod->outside to be SNAT-ed with the same ID, but this is no longer the case after the "datapath: Fix unintended SNAT of ICMP ECHO" commit. Also, this removes the problematic CT GC case in which for such a CT entry a corresponding NAT OUT entry with the existing GC logic could not be found. Finally, do not skip SNAT for ICMP packets based on ID. Signed-off-by: Martynas Pumputis <m@lambda.lt> 09 March 2021, 22:37:08 UTC
c17bfcb datapath: Fix unintended SNAT of ICMP ECHO Let's say that we have a pod sending ICMP ECHO request to outside. The handling of the request creates the following CT and NAT entries:

```
CT
| src        | dst       | dir |
+------------+-----------+-----+
| outside:ID | pod:0     | OUT |

NAT
| src        | dst       | dir |
+------------+-----------+-----+
| pod:ID     | outside:0 | OUT |
+------------+-----------+-----+
| outside:0  | host:ID   | IN  |
```

Now, let's say that we have the outside sending ICMP echo request to the host running the pod with the same ID as above. The following NAT lookup is performed: outside:0 -> host:ID IN The lookup will find the NAT entry from the pod->outside case. This will translate the request making it to be delivered to the pod instead of the host. Fix this by making the ICMP ECHO ID placement in the NAT tuple to depend on the ICMP type instead of the packet direction. After this change, the NAT entries will be the same as above, but the lookup for the outside->host case is changed to the following: outside:ID -> host:0 IN (doesn't match any NAT entry above). Signed-off-by: Martynas Pumputis <m@lambda.lt> 09 March 2021, 22:37:08 UTC
472bbef datapath: Fix ICMP ID placement in CT entries The [1] changed the ICMP ECHO/ECHO_REPLY ID placement in CT entries in order to fix the problem when an egress NAT entry for ECHO_REPLY cannot be found by a corresponding CT entry which lead to leaking NAT entries, as the CT GC could not find the NAT entries by the given CT entry. The changed placement introduced an interesting problem described below. What happens when a pod (10.154.0.89) sends ICMP EchoRequest to 8.8.8.8? A CT entry with the following key is created: dst src dport sport TUPLE_F_OUT | | | | | 0a 9a 00 59 08 08 08 08 00 00 08 00 01 00 <-- dst=pod because of the reverse before the second __ct_lookup. ("ICMP OUT 10.154.0.89:2048 -> 8.8.8.8:0 [...]" in the "cilium bpf ct list global" output). What happens when 8.8.8.8 sends ICMP EchoRequest to the pod? The lookup is performed for the reverse flow first with the following key: dst src dport sport TUPLE_F_OUT <-- dir is TUPLE_F_OUT | | | | | because we do the 0a 9a 00 59 08 08 08 08 00 00 08 00 01 00 lookup in reverse order first. The key matches the first __ct_lookup(), hence the return is CT_REPLY. Previously, before the changed ID placement, the CT key for 8.8.8.8 -> the pod lookup was: 0a 9a 00 59 08 08 08 08 08 00 00 00 01 00 This resulted in CT_NEW instead of CT_REPLY. [1]: https://github.com/cilium/cilium/pull/12729 Signed-off-by: Martynas Pumputis <m@lambda.lt> 09 March 2021, 22:37:08 UTC
1aaae79 .github: Improve digest formatting in workflow [ upstream commit c8d7b82c98398b136a61bdb0b662296c52ca34ee ] This just adjusts the formatting slightly to follow the digest formats that we have used to report recent releases. Cosmetic only. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 09 March 2021, 09:21:01 UTC
718e22c contrib: Submit release PRs via user repo [ upstream commit 3560ec7455025a19dce7c8cc106d2bb225ec8b95 ] Rather than depending on the ability to push release PRs via the main cilium repo, rely on the release manager's repo for this instead. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 09 March 2021, 09:21:01 UTC
76e909e contrib: Move contributor remote detection to lib [ upstream commit 216dc75430e4481a694d6cb53042ec44e74afa66 ] Move this function into the common lib area so that it can be reused by other scripts such as the release scripts. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 09 March 2021, 09:21:01 UTC
93cb3b7 contrib: Use 'get_remote' shell fn to fetch remote [ upstream commit f330af5accb0613150da8091f8b8a0af8ba9e86b ] This helps when you have multiple remotes like 'upstream', 'origin'. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 09 March 2021, 09:21:01 UTC
e99230e .github: remove comments of GH action versions Dependabot will update those commit SHAs automatically and the version number will quickly become outdated. To avoid confusion, we will remove the comments related to the versions a SHA points to from all GH actions. Signed-off-by: André Martins <andre@cilium.io> 08 March 2021, 17:20:53 UTC
f3c8274 contrib/release: do not require images to be download locally The SHAs are available in the GH run, so we can use the GH API to retrieve them automatically. Signed-off-by: André Martins <andre@cilium.io> 08 March 2021, 17:20:53 UTC
cf776df .github: generate release files automatically Having files with the right format will make it easier to download them locally and use them as part of the release process. Signed-off-by: André Martins <andre@cilium.io> 08 March 2021, 17:20:53 UTC
d8ee061 install: add digests into helm charts This commit adds a simple way to add the image digests into the official helm charts. Signed-off-by: André Martins <andre@cilium.io> 08 March 2021, 17:20:53 UTC
d8c1232 envoy: Silently discard v2 deprecation warnings if flowdebug is not enabled Envoy 1.17 keeps warning about using API v2, which we are still using on v1.7 and v1.8. Silently drop APIv2 related deprecation warnings unless flowdebug is enabled (via --debug-verbose=flow). Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 06 March 2021, 00:13:48 UTC
fca0286 envoy: Specify API version 2 explicitly on command line Envoy 1.17 disables APIv2 support by default. Re-enable by specifying '--bootstrap-version' as '2' on Envoy command line. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 06 March 2021, 00:13:48 UTC
43b1697 test: update internal lyft certificate [ upstream commit 29f01fd63ef8678f92830e171bd2fc2f7dd0fa04 ] These files are generated by $ cd test/k8sT/manifests $ openssl req -new -key internal-lyft.key -out internal-lyft.csr $ openssl x509 -req -days 3600 -in internal-lyft.csr -CA testCA.crt -CAkey testCA.key -CAcreateserial -out internal-lyft.crt -sha256 common name needs to be `www.lyft.com`. testCA.key password is `cilium` Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 06 March 2021, 00:13:48 UTC
1f28ad0 envoy: Update to release 1.17.1 [ upstream commit 0d5c1a05c31d77e84c85c0b9c4c42b9c092bfbbb ] Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 06 March 2021, 00:13:48 UTC
6f3a5c2 test: set COMPOSE_INTERACTIVE_NO_CLI in precheck [ upstream commit ecfc6cef601151d352afcefb64fc709cfef81f65 ] https://github.com/moby/moby/issues/42093 causes precheck to fail for us. Setting this env var should fix that. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 05 March 2021, 22:53:24 UTC
c083860 Prepare for release v1.7.14 Signed-off-by: Joe Stringer <joe@cilium.io> 25 February 2021, 22:21:00 UTC
21daf4a test: Redeploy registry during Vagrant provision [ upstream commit 2035ba3ae6a2c9a725a93e05b92b9d4f5798e527 ] The vagrant box we ship & use with Cilium 1.5 uses certs generated over one year ago. Given that we intend to sunset Cilium 1.5 soon, rather than regenerating the certs & box, and dealing with updating the box image and so on for this branch, instead here we just copy the registry.sh from the latest cilium/packer-ci-build repository as of today and call it directly during vagrant provisioning. Fixes: #11641 Signed-off-by: Joe Stringer <joe@cilium.io> 25 February 2021, 21:17:19 UTC
c089c99 Dockerfile: Bump cilium-runtime image dependency Canonical are not always on top of generating new versions of their main docker images, so we can't just bump the image sha here. We actually need to make sure that we don't just use the cached image from the prior "apt upgrade" that was run in Quay.io, or we'll ship images with outdated packages. Introduce an arbitrary date-based arg here to invalidate the Quay cache. Then we can bump the date, build the cilium-runtime image, and pull in the latest (up-to-date) runtime image into the main container creation. Signed-off-by: Joe Stringer <joe@cilium.io> 25 February 2021, 19:37:36 UTC
4fa670f backporting: Stop scripts from running on non-Linux [ upstream commit 05eabc71a8525fffba8977eabdfd6e763dcd08c7 ] This is mainly for the benefit of macOS users typing in the wrong terminal. Signed-off-by: Tom Payne <tom@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 22 February 2021, 23:06:41 UTC
fc62a4d add GH action to push hot fix images into -dev repositories Signed-off-by: André Martins <andre@cilium.io> 22 February 2021, 19:56:42 UTC
360549d docs: Document changes to `submit-backport` [ upstream commit 388e7aafe921d8fc993f65ba1324b62c804081fa ] Co-authored-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 22 February 2021, 09:45:13 UTC
28baa9c contrib/submit-backport: Support creating PRs from forks [ upstream commit 01956570b62fd423281c787f1389d2b98ce03d60 ] This adds support for pushing backport PRs from Cilium forks. Because the names of remotes in forked repositories are not standardized, the `submit-backport` script is changed such that it accepts two branch arguments: The upstream remote and the user (fork) remote. The upstream remote is detected using the existing `get_remote` helper, while the user (fork) remote is guessed by checking for a remote matching `github.com/<user>/cilium`. Co-authored-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 22 February 2021, 09:45:13 UTC
73394cc contrib: Support alternative orgs in `get_remote` [ upstream commit bbf5b2021cdb6eabbcb892367b253be7d8b44dea ] This commit adds an optional positional argument to `get_remote` to allow obtaining the remote of Cilium forks in other organizations than the default `cilium` one. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 22 February 2021, 09:45:13 UTC
c78e8a1 contrib: Detect correct remote in start-backport [ upstream commit c7e2573b5b7f60a54242a3dd561c5830724d0355 ] Previously, the script assumed `origin` would point to the upstream branch. For users with forked repositories this is not necessarily true, therefore this commit auto-detects the remote name based on the git remote url. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 22 February 2021, 09:45:13 UTC
b6fdad0 policy: Do not detach if still using old policy [ upstream commit 0359854a08eb8634faaa5b34e048ce114503e32f ] Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 20 February 2021, 23:50:06 UTC
aade303 policy: Clear references to old EndpointPolicies [ upstream commit a631f790f0e2a2b4ed77b94317bb0eae811af850 ] Clear references to old EndpointPolicies from the shared policy structures both on endpoint policy recalculations and when an endpoint is removed. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 20 February 2021, 23:50:06 UTC
5276166 k8s: update k8s libraries and tests to 1.17.17 Signed-off-by: André Martins <andre@cilium.io> 19 February 2021, 11:35:08 UTC
88a83bf .github: publish into official repo for next release Signed-off-by: André Martins <andre@cilium.io> 19 February 2021, 11:31:15 UTC
bb442e1 labelsfilter: Tests for default filters and documented example [ upstream commit 3b0f6e8666dec1d22c230964ace62417c7b062d1 ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 18 February 2021, 19:02:06 UTC
f06c036 docs: Clarify and update documentation on label filters [ upstream commit 1e80ec0b326f5d333e0257252df73eb9a602b176 ] This commit updates the list of default label filters and clarifies the default behavior, as well as how it changes when a first inclusive label is added. The example is also completed based on the new unit test added in the previous commit. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 18 February 2021, 19:02:06 UTC
15236cb docs: Document hostport requirements in eni [ upstream commit 55caedc581e8784acc72e78a2e9e42db51064b04 ] Strictly speaking this is a general truth for all services, but we don't have a dedicated section for explaining services and users have begun reporting specifically in relation to AWS / ENI mode. Put this somewhere in the docs, we can always move it around to somewhere more generic when we have a better location for these links to live. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 18 February 2021, 19:02:06 UTC
d8c57d9 docs: Add FQDN limitation to IPVLAN docs [ upstream commit 463e0dc64cdd1e29c2e6887e0778e58f397a7542 ] Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 18 February 2021, 19:02:06 UTC
e5e6047 runtime: specify ICMP ids on connectivity test [ upstream commit 2f38bfbcc47036599046a0dd352678887f39bab8 ] The RuntimeConntrackInVethModeTest failed transiently (#12891). The test sends pings from client->server and expects them to work, and pings from server->client and expects them to not work (based on cilium policies). If the ICMP ids for these two cases match, current CT code allows packets in both directions. This patch uses a modified ping utility (called xping) that allows specifying the ICMP id when executing a ping to produce deterministic results. Currently, we only test the case where the ids do not match. Once the CT code is modified to address the above issue, we can add a test where the ids match. Related: #12891 [ backport notes: - Add definition for PingTimeout, created in commit e1e1f50c5b48 ("test/helpers: allow passing custom number of requests to helpers.Ping()") - Add timeout for the netperf command to related deployment, added in commit c87f2f99a0aa ("test: update k8s tests to 1.20") ] Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 13 February 2021, 00:42:58 UTC
1768b26 CODEOWNERS: set maintainers as owners of .github Signed-off-by: André Martins <andre@cilium.io> 11 February 2021, 19:56:55 UTC
91ace9f .github: add GitHub actions to build images These GH actions will be able to push images into quay.io/cilium/*-ci. In follow up PRs, Jenkins jobs and GH actions will stop building images and the GH action will push the images into quay.io making them available. Signed-off-by: André Martins <andre@cilium.io> 11 February 2021, 19:56:55 UTC
94bf253 contrib: Add script to fetch docker manifests [ upstream commit dc0841e2d89c19f836588ff44ba20973fd49af35 ] [ Backporter's notes: removed images that don't make sense ] This script pulls all of the tagged cilium images from docker.io and quay.io and fetches the official manifests from the images, and generates text output for adding to the github release announcement to allow users to use and/or audit the docker digests that are deployed in the cluster. Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2021, 13:35:41 UTC
1d244f9 release: Fix script to check presence of docker images When this script was backported, differences in the v1.7 branch were not taken into account, so it was just broken. Fix up the make target and update the images to fetch, matching the ones v1.7 uses. Notably, there are no platform-specific operator images, no hubble and no clustermesh-apiserver (or related dependencies like etcd). Fixes: 5273db146877 ("release: add script to check presence of docker images") Signed-off-by: Joe Stringer <joe@cilium.io> 28 January 2021, 20:02:34 UTC
364f55f Prepare for release v1.7.13 Signed-off-by: Joe Stringer <joe@cilium.io> 27 January 2021, 22:30:50 UTC
5cf516a Dockerfile: Bump cilium-runtime image Signed-off-by: Joe Stringer <joe@cilium.io> 27 January 2021, 22:17:43 UTC
a448957 contrib/release: clarify project number for release process [ upstream commit 257e91f0780813da2a319b8999ae9cbbadc12cee ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 26 January 2021, 11:43:16 UTC
a6258b3 cilium-cni: Fix error handling for bad netns [ upstream commit 6e3ca8f84e643200203aec24b4310ec71c403942 ] If kubelet gives cilium-cni bad input (no netns), the error here would not be returned properly to the caller, which could result in a segfault: panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x14e0c8b] goroutine 1 [running, locked to thread]: main.cmdAdd(0xc00015a000, 0xc0004d60e8, 0x5) /go/src/github.com/cilium/cilium/plugins/cilium-cni/cilium-cni.go:354 +0x5cb github.com/containernetworking/cni/pkg/skel.(*dispatcher).checkVersionAndCall(0xc0005e5d40, 0xc00015a000, 0x1a42f20, 0xc0004de000, 0x18d07c0, 0x0, 0x44a1ef) /go/src/github.com/cilium/cilium/vendor/github.com/containernetworking/cni/pkg/skel/skel.go:185 +0x258 github.com/containernetworking/cni/pkg/skel.(*dispatcher).pluginMain(0xc0005e5d40, 0x18d07c0, 0x0, 0x18d07c8, 0x1a42f20, 0xc0004de000, 0xc000174000, 0x5d, 0xc000174000) /go/src/github.com/cilium/cilium/vendor/github.com/containernetworking/cni/pkg/skel/skel.go:221 +0x546 github.com/containernetworking/cni/pkg/skel.PluginMainWithError(...) /go/src/github.com/cilium/cilium/vendor/github.com/containernetworking/cni/pkg/skel/skel.go:286 github.com/containernetworking/cni/pkg/skel.PluginMain(0x18d07c0, 0x0, 0x18d07c8, 0x1a42f20, 0xc0004de000, 0xc000174000, 0x5d) /go/src/github.com/cilium/cilium/vendor/github.com/containernetworking/cni/pkg/skel/skel.go:301 +0x128 main.main() /go/src/github.com/cilium/cilium/plugins/cilium-cni/cilium-cni.go:85 +0x33c The above logs would typically be pushed to kubelet logs. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 January 2021, 20:53:08 UTC
4e0eac8 ip: Fix RemoveCIDR edge condition [ upstream commit 6ad5a22b8644fc23fb5dec2291a80ffce8d8657e ] A CIDR should be able to be removed from itself. Add test cases that would fail without the fix: $ go test ---------------------------------------------------------------------- FAIL: ip_test.go:184: IPTestSuite.TestRemoveCIDRsEdgeCase ip_test.go:190: s.testIPNetsEqual(allowedCIDRs, expectedCIDRs, c) ip_test.go:83: c.Assert(created, HasLen, len(expected)) ... obtained []*net.IPNet = []*net.IPNet(nil) ... n int = 1 ---------------------------------------------------------------------- FAIL: ip_test.go:194: IPTestSuite.TestRemoveCIDRsEdgeCase2 ip_test.go:200: s.testIPNetsEqual(allowedCIDRs, expectedCIDRs, c) ip_test.go:83: c.Assert(created, HasLen, len(expected)) ... obtained []*net.IPNet = []*net.IPNet(nil) ... n int = 1 ---------------------------------------------------------------------- FAIL: ip_test.go:176: IPTestSuite.TestRemoveSameCIDR ip_test.go:180: c.Assert(err, IsNil) ... value *errors.errorString = &errors.errorString{s:"allow CIDR prefix must be a superset of remove CIDR prefix"} ("allow CIDR prefix must be a superset of remove CIDR prefix") OOPS: 14 passed, 3 FAILED Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 January 2021, 20:53:08 UTC
af81330 clustermesh: Ignore symlink files on fsnotify events [ upstream commit f03450706a4b3ca4fcfd17def021a74114aac7f5 ] Kubernetes secrets are mapped into the pod using symlinks. The initial scan was already correctly ignoring symlinks but the fsnotify events have not been. This has resulted in invalid cluster configurations being added: ``` ClusterMesh: 0/3 clusters ready, 0 global-services cluster2: not-ready, 0 nodes, 0 identities, 0 services, 0 failures (last: never) └ Waiting for initial connection to be established ..2021_01_08_21_11_57.892158678: not-ready, 0 nodes, 0 identities, 0 services, 0 failures (last: never) └ Waiting for initial connection to be established ..data: not-ready, 0 nodes, 0 identities, 0 services, 0 failures (last: never) └ Waiting for initial connection to be established ``` Fixes: 076b0188b98 ("Inter cluster connectivity (ClusterMesh)") Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 21 January 2021, 20:53:08 UTC
a5b91c3 [backport 1.7] pkg/node: Skip setting MTU on local node routes [ upstream commit 4ad84d9cd35c] Previously, we were setting mtu on local node routes, which takes effect in routing in recent kernels. This could lead to drops for jumbo packets when the "Don't fragment" bit is set. Regardless of the kernel routing, we shouldn't restrict mtu on the host local routes. This fix avoids setting an mtu on local node routes (i.e., when enable-local-node flag is enabled). Testing - kubectl get node k8s1 -o json | jq .spec.podCIDR "10.16.0.0/16" Before: 10.16.0.0/16 via 10.16.213.171 dev cilium_host src 10.16.213.171 mtu 1450 After: 10.16.0.0/16 via 10.16.213.171 dev cilium_host src 10.16.213.171 Signed-off-by: Aditi Ghag <aditi@cilium.io> 21 January 2021, 20:37:58 UTC
bd444aa daemon: Plumb the endpoint garbage collector In a user environment, we encountered a scenario where pods would "disappear" and Cilium seemingly received no notification of deletion (eg, CNI DELETE command). If this occurs regularly over time, then this leads to Cilium managing a series of phantom endpoints which no longer have corresponding k8s objects. Some symptoms include: * Exhaustion of IP address management pool, causing inability to deploy new endpoints on the node; * Metrics such as cilium_endpoint_count increase to the maximum number of endpoints on the node (typically limited by IP pool); * Label resolution controllers reporting errors in "cilium status" output, such as: pod.core "my-pod-name" not found; and * Endpoints that Cilium is aware of have no corresponding veth interfaces. Fix this by periodically iterating the list of exposed endpoints and checking that the endpoints are still alive and healthy, by checking that the link is still present on the node. If an endpoint's link is not present for two consecutive iterations of the garbage collection (and the endpoint is not otherwise cleaned up by CNI DELETE or similar operations), then disconnect it from the endpointmanager and release its resources. Signed-off-by: Joe Stringer <joe@cilium.io> 20 January 2021, 08:27:57 UTC
0e4378a endpointmanager: Add garbage collection routine To improve the robustness of Cilium operations in production environments, introduce a new periodic garbage collection controller that attempts to detect when endpoints are no longer alive and healthy, and disconnects them from the agent. Signed-off-by: Joe Stringer <joe@cilium.io> 20 January 2021, 08:27:57 UTC
49cc364 daemon: Refactor endpoint management to expose Delete Due to some complications around daemon initialization, when deleting an endpoint, the caller must pass in additional parameters like the daemon, the IPAM module, and the endpoint manager. This makes it difficult to share an endpoint deletion implementation with other subsystems. While it'd be nice to better untangle these objects, doing so could accrue some risk which we'd rather avoid while preparing an upcoming bugfix commit. Instead, refactor endpoint management functionality into a new dedicated type in the daemon package, which hopefully can be subsequently refactored into more appropriate places (like the endpointmanager package). No functional changes, this is purely preparatory work for additional callers of endpointManager.Delete() from other packages. Signed-off-by: Joe Stringer <joe@cilium.io> 20 January 2021, 08:27:57 UTC
c4933f1 docs: Add upgrade docs for egress-multi-home-ip-rule-compat Signed-off-by: Chris Tarazi <chris@isovalent.com> 06 January 2021, 19:20:02 UTC
332a3fd routing: Fix route collisions in AWS ENI This commit fixes a potential route collision in AWS ENI IPAM modes, where the ifindex could equal the main routing table ID (from 253-255) [1], causing traffic to be subject to these routes incorrectly. This is admittedly rare, but we've seen this from a user report. The impact is that most traffic on the node is suddenly blackholed. To fix this, we say that each device or interface (ENI) will have their own dedicated routing table. The table ID will start with an offset of 10 because it is highly unlikely to collide with the main routing table ID (from 253-255). We grab the number associated with the ENI device (`Number`) and add the offset. For example, if we have an ENI device "eni-0" which has a `Number` of 5, then the table ID will be 10 + 5 = 15. Another important piece to note is that only the egress rule will reside inside the per-device tables, whereas the ingress rule will stay in the main routing table. This is because we want the main routing table to hold the routes to the endpoint. Moving forward, the ENI datapath will now create rules under a new egress priority value (RulePriorityEgressv2), as long as the egress-multi-home-ip-rule-compat flag is false. If it's true, then the datapath will create rules under the original egress priority value (RulePriorityEgress). This helps disambiguate when running with the older or newer ENI datapath. See https://github.com/cilium/cilium/issues/14336. [1]: See ip-route(8) Reported-by: Vlad Ungureanu <vladu@palantir.com> Suggested-by: Joe Stringer <joe@cilium.io> Suggested-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Chris Tarazi <chris@isovalent.com> 06 January 2021, 19:20:02 UTC
1b9ed44 routing: Add ENI route table migration logic This commit will fixup the ENI datapath depending on the egress-multi-home-ip-rule-compat flag (see previous commits for context). The migration logic supports both upgrading and downgrading the ENI datapath. This logic must run on startup before the API is served and before the health endpoint is created, so that no endpoints are prematurely created before Cilium has had the chance to migrate the entire datapath. See https://github.com/cilium/cilium/issues/14336. Suggested-by: Joe Stringer <joe@cilium.io> Suggested-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Chris Tarazi <chris@isovalent.com> 06 January 2021, 19:20:02 UTC
db23c50 revert: Add ability to extend the revert stack This is useful to aggregate the items to revert in one stack, so that it can all be done at once. Signed-off-by: Chris Tarazi <chris@isovalent.com> 06 January 2021, 19:20:02 UTC
e052560 linux_defaults: Add RouteTableInterfacesOffset This new value is the table ID for the per-ENI routing tables in the new ENI datapath. Upcoming commits will use this value and implement the new datapath. See https://github.com/cilium/cilium/issues/14336. Signed-off-by: Chris Tarazi <chris@isovalent.com> 06 January 2021, 19:20:02 UTC
aec2d8f linux_defaults: Add RulePriorityEgressv2 This new priority value is vital for disambiguating which rules are still under the old scheme. Without this, upgrading to the new scheme would be difficult, as we aren't able to identify which rules have been fixed up [1]. Furthermore, this would also allow us to enable downgrades from the new scheme, because we would be able to identify which rules need to be modified. [1]: https://github.com/cilium/cilium/issues/14336 Signed-off-by: Chris Tarazi <chris@isovalent.com> 06 January 2021, 19:20:02 UTC
b86bf93 cni, routing: Plumb interface number In the previous commit, we added the interface number to the IPAM response for ENI mode. This commit plumbs this new field into the CNI to set up the ENI datapath. Signed-off-by: Chris Tarazi <chris@isovalent.com> 06 January 2021, 19:20:02 UTC
a5d696a api: Extend IPAM to accept interface number This is needed in ENI mode. In upcoming commits, the interface number (ENI.Number) will be used to compute the per-ENI table ID in order to store rules and routes for the ENI datapath. Signed-off-by: Chris Tarazi <chris@isovalent.com> 06 January 2021, 19:20:02 UTC
d5ad26c api: Expose egress-multi-home-ip-rule-compat flag This is important for use in the CNI to decide whether to use the new ENI datapath (see previous commit for context) or the original datapath. Signed-off-by: Chris Tarazi <chris@isovalent.com> 06 January 2021, 19:20:02 UTC
549c256 daemon, option: Add flag egress-multi-home-ip-rule-compat This flag is needed to control the behavior of Cilium when it starts up under ENI mode. If the flag is false, meaning "do not maintain compatibility", then Cilium will attempt to migrate the ENI datapath (`ip rule`s and routes) created under the aforementioned IPAM mode to a new table ID scheme. The table ID refers to the Linux routing policy database tables, aka "routing table". If the flag is true, meaning "maintain compatibility", then Cilium will not attempt to migrate the ENI database under the aforementioned IPAM mode to the new table ID scheme. It will continue to use the original scheme. Additionally, when the flag is true and Cilium finds the rules under the newer scheme (by checking the priority of the rule), it will attempt to migrate back to the original scheme. This allows downgrading Cilium without affecting connectivity. Signed-off-by: Chris Tarazi <chris@isovalent.com> 06 January 2021, 19:20:02 UTC
cfab9cf routing: Remove unnecessary debug logs from test Signed-off-by: Chris Tarazi <chris@isovalent.com> 06 January 2021, 19:20:02 UTC
18da314 routing: Refactor helper to run function in netns This makes it usable for an upcoming commit which adds a new test suite to this package. Signed-off-by: Chris Tarazi <chris@isovalent.com> 06 January 2021, 19:20:02 UTC
df62e87 k8s: Update libraries to v1.17.16 This also updates the K8s version for provisioning in CI. Signed-off-by: Chris Tarazi <chris@isovalent.com> 22 December 2020, 16:41:31 UTC
47d7b9b ipcache: Use controller.Manager on IPIdentityCache for ipcache-bpf-garbage-collection [ upstream commit 1ef686bfb92bb3cc7ee1ac5a6d5d706835e34806 ] Signed-off-by: John Watson <johnw@planetscale.com> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 17 December 2020, 18:18:49 UTC
bfd9b79 pkg/k8s: fix k8s_event_lag_seconds for negative time [ upstream commit 478f409ccab1b7bfb73653aed90756ad0ee5cd44 ] On some occasions the metric `k8s_event_lag_seconds` could be presented as an overflown value such as `9223372036854775807`. This commit fixes this by checking if the calculated value is less than zero, and only setting this metric for positive times. Fixes: 4e2913004340 ("pkg/endpoint: calculate Kube API-Server lag from pod events") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 17 December 2020, 18:18:49 UTC
95a76d5 docs: Fix dependency conflict [ upstream commit f15af5e64617ff39629e37ac7dc5f85065921038 ] Pip 20.3 introduced a new dependency resolver[[0]] which silently reinterprets our current requirements file in a different way to resolve the dependencies, which results in the build being broken. On non-aarch64 systems, there are two requirements that satisfy the sphinx-rtd-theme package: * One provided by our own theme repository[[1]] which has nice consistent theming for the website, and * One provided by the upstream sphinx-rtd-theme package. Prior to pip 20.3, the default resolver was able to resolve this conflict to favour our custom theme, which is the one we intend to use in most cases. Unfortunately, with the new resolver, this conflict is resolved the other way. As far as I can tell, there is no "strict" mode to prescribe that pip should resolve conflicts first and fail out if the requirements are ambiguous. Instead, pip silently resolves this conflict and we do not find out that there was ambiguity until later in the process. In addition, on readthedocs.org, new versions of pip are automatically pulled upon each new docs build, which meant that from one day to the next, a previously successful build began to consistently fail with weird errors that imply a problem with the dependency but don't explain why the problem was introduced without changes to code in our build system: Theme error: no theme named 'sphinx_rtd_theme_cilium' found (missing theme.conf?) make[1]: *** [Makefile:48: html] Error 2 make: *** [Makefile:552: test-docs] Error 2 Fix the issue by disambiguating the theme dependency. [0]: http://pyfound.blogspot.com/2020/11/pip-20-3-new-resolver.html [1]: https://github.com/cilium/sphinx_rtd_theme Fixes: #14252 Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 17 December 2020, 18:18:49 UTC
573dd34 docker: rebuild cilium-runtime image The build of the cilium-runtime docker image will pull in the latest version of the openssl package, which includes a fix for CVE-2020-1971. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 17 December 2020, 11:39:28 UTC
4427286 policy: Don't nil an empty selectors map. [ upstream commit 03bfb2bece5108549b3d613e119059758035d448 ] Turns out unit testing did not need this any more and this actually caused a runtime panic. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 13 December 2020, 12:00:15 UTC
0e19149 policy: Track selectors that contribute to MapStateEntries [ upstream commit 04840b96530031a84bc359c476a59d320617d2db ] Track which selectors in policy require a specific bpf policy map key to be present, and keep policy entries in the map as long as any selector requires its presence. Without this it is possible for a timed-out DNS cache entry to clear a policy cache key that is still required by another selector (FQDN or CIDR). To implement this, each MapStateEntry is now equipped with a set of (cached) selectors through which the policy map key/value was added. 'nil' has the special significance that it is used as the CachedSelector in cases where the policy map entry is added due to some administrative or configuration reason. Currently incremental updates will never remove such entries. Incremental policy updates now simply collect the requested map changes. When the endpoint then pulls the changes they are first applied to the desired policy map (MapState), while tallying which selectors still need the map entries to be present. The actual bpf map diffs are recorded based on the total count of selectors on each map entry. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 11 December 2020, 11:06:40 UTC
5665303 Prepare for release v1.7.12 Signed-off-by: Joe Stringer <joe@cilium.io> 04 December 2020, 10:59:12 UTC
b8b817d vendor: Fix cilium/arping goroutine leak [ upstream commit 24d44500e40af599dfc1b932be0dac1b75504889 ] This fixes a privileged runtime test failure caused by leaked goroutines on arpings with no response. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 03 December 2020, 20:08:31 UTC