https://github.com/cilium/cilium

Revision Author Date Message Commit Date
506068f cilium: ipsec, ipv6 recv support [ upstream commit 2cddea1bbfb54aa234a09d36fb930ebfc7c184b0 ] Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
c127e67 cilium: ipsec, ipv6 support [ upstream commit 34e49dfb5ffbcc3211511eab1e39ea0c6002bcab ] Add ipv6 support to BPF programs Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
b255489 cilium: ipsec, add IPv6 route rules [ upstream commit 2c98f20c416ea6fb6e798cddf1120c8edf10e3e8 ] Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
099a133 cilium: ipsec, improve route rules updates to prep for IPv6 [ upstream commit e1adfa19fda80fdce99da695b727047cbfd548d6 ] In preparation for IPv6 rules, add family and masks to the route rules replacement. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
f6dbf97 cilium: ipsec, add xfrm rules for IPv6 [ upstream commit f3fc874cf1cc05198835642031601a92f5c840d2 ] Add policy and state rules for IPv6. Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
d735867 cilium: ipsec, enable ipv6 forwarding "all" when IPSec is enabled [ upstream commit 0117f05fe0704ad2e04deb738f98ff8d7cc3902a ] Check IPSec status at daemon start and enable IPv6 forwarding if required. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
e26a529 cilium: ipsec, configure cilium_overlay for encrypt support [ upstream commit a9ed32324e2feb70b4e94cddf0560052eb71dcd8 ] The cilium_overlay device also needs rp_filter disabled and forwarding enabled. Pass it through same setup as cilium_{host|net}. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
6636bb2 cilium: ipsec, check for key instead of segfault [ upstream commit 72e80d98f765435161a2018672623f0f201b1652 ] In general keys must be loaded before state/policy from ipsec is added. However, if a state/policy is attempted before the key file is loaded and/or the key file omits a default key, currently the ipsec code will segfault. Instead of segfaulting, this patch will now throw an error. Found when I added unit tests in a future patch. This segfault does not actually happen with cilium-agent but it's nice to have and makes the code a bit more resilient. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
3257370 cilium: ipsec, replace node ip addrs with addr types [ upstream commit 11b8f7389412b9127c72c4649eb8bd58f402b470 ] Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
fec4c71 fqdn proxy cache list CLI [ upstream commit 8ec7e6d1562d9c03598a0cd351b464caec9de245 ] Add `cilium fqdn cache list` cli command Signed-off-by: Maciej Kwiek <maciej@covalent.io> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
6ebb3ef contrib: Accept multiple commits in 'cherry-pick' [ upstream commit 8b74d6b7139a992b3905f26f886d1317a749f5ae ] Update the 'cherry-pick' commit to accept multiple commits, which it will attempt to apply one-by-one until either they all apply or a patch fails to apply. When a patch fails to apply, it will terminate and not continue applying the rest of the commits in the list. Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
a254acd Documentation: add "fqdn" to allowed wordlist [ upstream commit 4997925bc8f48a4f4f82d02060cd25680e60bd51 ] Signed-off-by: Ian Vernon <ian@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
801cb34 operator: Don't restart kube-dns when running in HostNetwork mode [ upstream commit 2e7186c45e1be576e8ddd4abae80befc70c674cd ] Fixes: #6819 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 30 January 2019, 16:53:25 UTC
cab4348 pkg/client: add missing comment [ upstream commit a20e6b8acaa92d8bed9c1b3a5415b4d4340031b3 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
762c99b client: Use one err variable in client with timeout [ upstream commit 6b09f010ac0b40968bb5a52b44772a58807f16ac ] Before this change, `GetConfig` call in `NewDefaultClientWithTimeout` was using its own `err` variable, which was never returned and nil error was returned instead. Fixes: d48af6ab5c28 ("pkg/client: wait until the client has connectivity with daemon") Fixes: #6801 Signed-off-by: Michal Rostecki <mrostecki@suse.de> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
deaf0e3 Test: Assertion helper change order. [ upstream commit f57d450678ff2c49fea088705e00e132bf16aac5 ] At the moment, Cilium is validated as OK before the etcd pods and the DNS pods are ready. So Cilium can be restarted due to a timeout on the etcd connection and the pre-flight checks do not happen afterwards. With this change we make sure that Cilium is installed correctly after etcd-operator and the pre-flight errors are OK before doing any test. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
4d55159 allocator: Remove kvstore refresh on failure watermark [ upstream commit 3b1b58245898012183a7014bd2c1cff199d0d661 ] Logs have proven that we have never hit this watermark so far. The code behind it is hard to test and only complicates the logic. Remove it. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
85da38b idpool: Use checker.DeepEquals in unit tests [ upstream commit 1e91684f22474b44ced8cd9ed8fc72aa1a86e05b ] Signed-off-by: Michal Rostecki <mrostecki@suse.de> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
37ca613 idpool: Remove erroneous index cache [ upstream commit e91fb0a85131c2e7ad2dd5cde076cc40e4a0cec0 ] The index was trying to act as an index to the ids slice. However, the index was not properly fixed up when an ID was removed from the middle of the slice. There is no need for the complicated index mechanism, simply use a hashtable and leverage the random map range behavior to pick a random number. Fixes: #6632 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
0017076 idpool: Add additional testing and benchmarks [ upstream commit db21531aaa0fdfe6f8eda02ddfd00d2440d279fc ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
fc60ccd idpool: Remove unused and unprotected Dump() function [ upstream commit fa17ba5fd3304b03e3214e56bd7d8cd1b123140b ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
2ccb396 store: Fix race condition when accessing store keys [ upstream commit a16c854d18363702406748e14aa56b4d256ebdd4 ] This fixes two race conditions: * The shared keys in the store are no longer updated in place but replaced with new objects. Users of the store continue to be notified via the OnUpdate() interface * The local keys continue to be collected but are deep copied so the deep copy can continuously be pushed into the kvstore. The only user of UpdateLocalKey() is the node discovery; the local node never changes after the initial registration so no further changes are needed. Fixes: #6422 Fixes: #6572 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
28a3d4d kvstore: Use checker.DeepEquals in unit tests [ upstream commit a35399e6c6a995c929bf36b66e4915f9efcbb46f ] Signed-off-by: Michal Rostecki <mrostecki@suse.de> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
708032a service: Generate DeepCopy() function for ClusterService [ upstream commit 967f9a3973352b4bc2a5b134ce3fbd5926703971 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
d5c6b6a endpoint: Fix old endpoint identity release [ upstream commit f7b768bcbe5107ad763a86bc4828a3134bd74709 ] The old identity release logic mistakenly released the identity in some of the error paths which could lead to an endpoint identity no longer being reference counted. Fixes: #6308 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
a18b5c5 operator: Allow running operator before kvstore connectivity is achieved [ upstream commit b59f72598c67234b20c12f377f894593ed8ca04b ] It is possible to provide CEP garbage collection and other services before the kvstore is connected. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
e459cdb operator: Automatically restart unmanaged kube-dns pods [ upstream commit f616d20685cb638ab2fd8819d2a7e84faa7bd716 ] Check for unmanaged kube-dns pods every 15 seconds and restart these pods automatically. This avoids requiring to document the need to restart kube-dns during installation and helps bring up the etcd-operator a lot smoother. In order to avoid restarting cycles, a minimal age of the kube-dns pod is required before restarting. This is set to 30 seconds for now. Log example message ``` level=info msg="Restarting unmanaged kube-dns pod kube-system/coredns-cd9c8565f-tq4mc started 58.414470847s ago" subsys=cilium-operator ``` Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
ea14baf pkg/endpoint: restore endpoints that were being regenerated [ upstream commit bb099df4c32ae454ce1e70db1ab4d1f5b4930d04 ] If cilium-agent got terminated while an endpoint was being created for the first time, Cilium could not restore that endpoint from previous life as the endpoint was never considered "alive" in the first place. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
45e2227 datapath/linux: Explode node handling datapath unit tests to IPv4/IPv6 only [ upstream commit a227a0298b8a421c75770534c77e44cf2053ede7 ] Run all unit tests and benchmarks with the following three addressing configurations: * IPv4 only * IPv6 only * IPv4 & IPv6 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
cc042f2 datapath/linux: Fix node route creation when allocation CIDR is nil [ upstream commit 5d20ca7e8322268320ee37096e19b8c7563e6a6f ] Ensure that the allocation CIDR is non-nil and verify that the required nodeAddressing requirements are fulfilled. Fixes the following panic: ``` [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x259ebf1] goroutine 1 [running]: github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).createNodeRoute(0xc00017d650, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...) /go/src/github.com/cilium/cilium/pkg/datapath/linux/node.go:292 +0x71 github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).lookupNodeRoute(0xc00017d650, 0x0, 0xc0004804e0, 0x10, 0x10) /go/src/github.com/cilium/cilium/pkg/datapath/linux/node.go:309 +0x50 github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).nodeUpdate(0xc00017d650, 0x0, 0xc000e94c60, 0x0, 0x4adf920) /go/src/github.com/cilium/cilium/pkg/datapath/linux/node.go:456 +0x4b8 github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).NodeConfigurationChanged(0xc00017d650, 0x5dc, 0x5aa, 0x0, 0x4adf920, 0x0, 0x0, 0x10000000100, 0x0, 0x0) /go/src/github.com/cilium/cilium/pkg/datapath/linux/node.go:622 +0x1e1 main.(*Daemon).compileBase(0xc0007be700, 0x0, 0x0) /go/src/github.com/cilium/cilium/daemon/daemon.go:533 +0x7a9 main.(*Daemon).init(0xc0007be700, 0xc000e332b8, 0x1) /go/src/github.com/cilium/cilium/daemon/daemon.go:675 +0x126 main.NewDaemon(0x2f49b80, 0xc0004c8de0, 0x1, 0x1, 0xc00088f928, 0x113d542) /go/src/github.com/cilium/cilium/daemon/daemon.go:1191 +0x1177 main.runDaemon() /go/src/github.com/cilium/cilium/daemon/daemon_main.go:1062 +0x214 main.glob..func1(0x44ee920, 0xc0007e67d0, 0x0, 0x5) /go/src/github.com/cilium/cilium/daemon/daemon_main.go:108 +0x30 github.com/cilium/cilium/vendor/github.com/spf13/cobra.(*Command).execute(0x44ee920, 0xc00004c1f0, 0x5, 0x5, 0x44ee920, 0xc00004c1f0) /go/src/github.com/cilium/cilium/vendor/github.com/spf13/cobra/command.go:766 +0x2cc github.com/cilium/cilium/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0x44ee920, 0x2f2caf0, 0x2f543c0, 0x2f2cb10) /go/src/github.com/cilium/cilium/vendor/github.com/spf13/cobra/command.go:852 +0x2fd github.com/cilium/cilium/vendor/github.com/spf13/cobra.(*Command).Execute(0x44ee920, 0x0, 0x0) /go/src/github.com/cilium/cilium/vendor/github.com/spf13/cobra/command.go:800 +0x2b main.daemonMain() /go/src/github.com/cilium/cilium/daemon/daemon_main.go:126 +0x14c main.main() /go/src/github.com/cilium/cilium/daemon/main.go:30 +0xc9 ``` Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
25a1a91 cilium-cni: build endpoint synchronously in flannel mode [ upstream commit bfd55185173cb5e363fad05fcf02a7c33f0b7185 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
c1126c1 flannel.Jenkinsfile: test against k8s 1.9 as k8s 1.8 is not supported [ upstream commit 79a05b50f56d2c019e7378621dd1df742fe6929f ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
69bbe58 Revert "pkg/datapath: ignore iptables MASQUERADE rules in flannel mode" [ upstream commit e7c587b1df4a0780590c1f6bfa2eb701bd181fc5 ] This reverts commit 7740e3914ebf2bb36860369aeda585a94b2c17c1. Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
0d32552 daemon: syncLBMapsWithK8s - delete k8s service once if not found [ upstream commit 853fec659702b724295b83e0df8b282c033933f6 ] As lbmap.DumpServiceMapsToUserspace returns a list of backend services, this list of backend services can contain duplicated entries, as the BPF lb map can contain multiple entries for the same service, as shown by the following log messages: ``` level=debug msg="parsing service mapping" bpfMapKey="10.98.234.114:9125" bpfMapValue="0.0.0.0:0 (0)" subsys=map-lb level=debug msg="converting ServiceKey and ServiceValue to frontend and backend" obj="0.0.0.0:0 (0)" serviceID="10.98.234.114:9125" subsys=map-lb level=debug msg="creating L3n4Addr for ServiceKey" serviceID="10.98.234.114:9125" subsys=map-lb level=debug msg="adding frontend and backend to SVCMap" backend="0.0.0.0:0, weight: 0" backendIndex=0 frontend="10.98.234.114:9125" subsys=loadbalancer level=debug msg="parsing service mapping" bpfMapKey="10.98.234.114:9125" bpfMapValue="10.10.1.222:9125 (29)" subsys=map-lb level=debug msg="converting ServiceKey and ServiceValue to frontend and backend" obj="10.10.1.222:9125 (29)" serviceID="10.98.234.114:9125" subsys=map-lb ``` In order to correctly remove this list of services that are no longer being managed by k8s, one should use a Set to avoid trying to delete the same LB service multiple times, which results in controller errors such as: ``` msg="Controller run failed" consecutiveErrors=2 error="Errors deleting BPF map entries: key 10.98.234.114:42275 is not in lbmap... ``` Fixes: cc4be8e37107 ("daemon: sync BPF maps with in-memory K8s service maps") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
1576284 bpf: Remove GetLRUMapType() [ upstream commit bc911162fb7bc62dd718350caa06049f7b85e5fe ] Previously the ctmap used a dedicated additional helper, GetLRUMapType(), to determine the map type of the conntrack maps whenever the objects were created, however a recent patch has introduced such logic into the main OpenOrCreate() function, so this is no longer necessary. Rely on the automatic fallback to MapTypeHash provided by OpenOrCreate() instead. Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
0586c44 bpf: Autodetect map type support on open [ upstream commit ab721bc6d5eaad40a9377064b853758aa8dd0d3c ] Use the BPF probes of the LPM support in the kernel to set the map type during OpenOrCreate of the map before attempting to create the map. This should avoid situations on older kernels where a previous Cilium instance creates the ipcache map as a hash map, then Cilium is re-run and on startup it first sees the wrong map type and attempts to delete it because the type is wrong (hash, not LPM), then attempts to create the LPM map, fails, and falls back to hash map. This would create unnecessary churn and recreation of IPCache maps, potentially leading to some amount of network connectivity downtime. Fixes: #6775 Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
0c9c673 endpoint: Properly cache ipvlan option [ upstream commit 4bf03dbb438e301e7d99e7d91285581ee10f5e8f ] This option was being dereferenced while the endpoint was unlocked and could (in theory) disappear. Cache it instead. Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
d07ce86 agent: Announce both IPv4 and IPv6 node address via node discovery [ upstream commit 3ff455e1ced5836790155beaedc2b3493f2861ce ] No real functional differences as the IPv6 node address is not used in the datapath but it ensures that the IPv6 node address is listed in `cilium node list`. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
42d8348 cli: Only print address range in cilium status when enabled [ upstream commit 9e0aca07c657fdb75a11c49221ee9c234c779bfa ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
7dfa8e5 node: Only require external IPv4 node address when IPv4 or encapsulation is enabled [ upstream commit 0c22956df3f1ab873a2763e4d3fb7d464b612309 ] The external IPv4 node address is not required in pure IPv6 direct routing mode. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
3ff1569 cni: Check if NodeAddressing.IPv* is nil [ upstream commit 9c70fee985d76595a4e9d0216de4929c27c2f534 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
7ec6835 node: Only return node addressing for address families that are enabled [ upstream commit f3ede032ed7df8a781e37d47968608d959acdc16 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
6afbffd node: Only auto-generate allocation prefix when address family is enabled [ upstream commit d858c9cf75823086431d4ece6a6931ca8e60cff9 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
8a22743 fqdn: Prepare DNS proxy for node IPs to be nil [ upstream commit dd09d30ead3225682015516a6bd1cb77e8678370 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
3818f6f proxy: Prepare proxy layer for node IPs to be nil [ upstream commit 91d7a7be8ab0d65f90c2c363f7ebf0dc9946760e ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
f654289 bpf: Only define IPV4_MASK when IPv4 is enabled [ upstream commit 889fd1d0c40a18873227776e883c85315c89866f ] Prepare for GetIPv4AllocRange() to potentially return nil and only use it when IPv4 is enabled. The BPF datapath has also become capable of not requiring IPv4 so the workaround can be removed. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
708b219 agent: Support IPv6 NodeSuffix() [ upstream commit 845ba0311d2fc68afcdcc6fb7f7aab28d1c8a094 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
2a66b2b node: Do not restore NodeIP from node_config.h for disabled address family [ upstream commit 2abbfa8b40a440fa8318d8c8c89ed1570df93866 ] This is required to stop using a NodeIP for an address family that has been disabled. This can happen if a user is switching address families on/off on a node. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
9f86014 k8s: Do not inherit PodCIDR for disabled address family from k8s node [ upstream commit be469fea38f3601c1e729cd5c4374d695a87718c ] The node IPs should be derived. The IPv4 external IP can be used for encapsulation of an IPv6 only PodCIDR environment. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
7e6cfee daemon: Fix failure on first health EP start [ upstream commit 6d55daca69e16a63c284a37ccd6d3945afb00345 ] Previously, due to a static global definition of the client object in the health launch package, the daemon had no way to determine whether the client is already initialized, and would always fail to start the endpoint the first time the controller runs, then succeed afterwards. Fix this by pushing the client out to the daemon package, where we can then switch on whether the client exists to create it the first time without treating that case as an error, then only if the client already exists, attempt to ping it and treat failure to ping as an error worthy of failing the controller and restarting the endpoint. Fixes: #6754 Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
46ea68e launch: Use node type for addressing information [ upstream commit 8f64280aa652bd9834eb98903af03769075ce210 ] Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
2cba452 launch: Remove unused Annotator interface [ upstream commit 2a67816298ffebf1e9716754ab5587a07f3e27b9 ] Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
f217850 node: Simplify GetModel() api [ upstream commit 8badece869b67102fcb0a432ec4eb0510fbc6aea ] The IPv4 bool passed in here was confusing and unnecessary, remove it in favour of the global options setting. Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
9f21398 kvstore: Fix panic in `cilium kvstore` CLI [ upstream commit 60db32bc98a03b07e3dade50ca2c11dcb3e51241 ] Fix the following panic when the kvstore client cannot be created via the CLI: ``` panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x50 pc=0x1a306d0] goroutine 1 [running]: github.com/cilium/cilium/pkg/kvstore.Get(0x0, 0x0, 0x8, 0x8, 0x8, 0x7, 0x7) /home/vagrant/go/src/github.com/cilium/cilium/pkg/kvstore/kvstore.go:40 +0x40 github.com/cilium/cilium/cilium/cmd.glob..func32(0x44e3c80, 0x4ada920, 0x0, 0x0) /home/vagrant/go/src/github.com/cilium/cilium/cilium/cmd/kvstore_get.go:55 +0x2e7 github.com/cilium/cilium/vendor/github.com/spf13/cobra.(*Command).execute(0x44e3c80, 0x4ada920, 0x0, 0x0, 0x44e3c80, 0x4ada920) /home/vagrant/go/src/github.com/cilium/cilium/vendor/github.com/spf13/cobra/command.go:766 +0x2cc github.com/cilium/cilium/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0x44e7f00, 0x2f, 0xffffffffffffffff, 0xc0004c2f30) /home/vagrant/go/src/github.com/cilium/cilium/vendor/github.com/spf13/cobra/command.go:852 +0x2fd github.com/cilium/cilium/vendor/github.com/spf13/cobra.(*Command).Execute(0x44e7f00, 0xc0007a7f58, 0x1164e30) /home/vagrant/go/src/github.com/cilium/cilium/vendor/github.com/spf13/cobra/command.go:800 +0x2b github.com/cilium/cilium/cilium/cmd.Execute() /home/vagrant/go/src/github.com/cilium/cilium/cilium/cmd/root.go:46 +0x2d main.main() /home/vagrant/go/src/github.com/cilium/cilium/daemon/main.go:32 +0xd0 ``` Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
882c1fb test: Add IPv4 only test [ upstream commit b17aeb9980b5937b992f0fe9972524417f9304e7 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
454b014 cilium: Fix cilium lb list when IPv4 or IPv6 are disabled [ upstream commit 2922601a41edc78af27f071e418f7e3813218664 ] Fixes: #6800 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
6ef1809 CLI for clearing FQDN proxy cache [ upstream commit 691079d92128c90050cc9adc9214e7639ee06b26 ] Signed-off-by: Maciej Kwiek <maciej@covalent.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
7c2eef7 plugins/cilium-cni: uninstall cilium-flannel CNI configuration if user opts in [ upstream commit 306b6b31c56847bb43ce5b2ea9ce9eaaf74b9d3c ] This avoids containers accidentally being created and starting to be managed only by Flannel if Cilium is in the process of being upgraded, where the CNI configuration is always removed during the upgrade. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
272713c addons/flannel: add more flannel documentation [ upstream commit 923e054e6d55469d3b1dffa49c5ed0fd7a0ff490 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
be15ec4 pkg/client: wait until the client has connectivity with daemon [ upstream commit d48af6ab5c286fd91b751eed90a7d1b715a55231 ] Fixes: c6518190de30 ("client: Add NewDefaultClientWithTimeout function") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
30f0bb4 daemon: stop waiting for flannel device to be ready if process is terminated [ upstream commit 2262a7aa0a4d50d94f5da9bd6e719a0f435e0fce ] When running in flannel mode, cilium-agent would ignore the sigterms as it would be infinitely waiting for the flannel interface to be ready. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
9bb831a plugins/cilium-cni: change CNI chaining name to cbr0 [ upstream commit 80ea41a1701450f57f052ad64865af5e0149dd71 ] As flannel runs with the name "cbr0" by default in its CNI configuration, in order for Cilium to be able to run on top of flannel with existing containers, the flannel-cilium CNI configuration file needs to have the same name. Having the same name prevents the flannel IPAM from assigning existing addresses, as they are stored on each node under the directory `/var/lib/cni/networks/cbr0/`. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
35b554c pkg/datapath: ignore iptables MASQUERADE rules in flannel mode [ upstream commit 7740e3914ebf2bb36860369aeda585a94b2c17c1 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
b9eb92e daemon: append bpf programs to existing flannel running containers [ upstream commit ad5ae3843b4497bea72c09c111d5f89f058b906c ] [ Backporter's notes: Re-ran "make -C examples/kubernetes" to handle conflicts ] As Cilium has the ability to install BPF programs on already running interfaces, we can enable this option by default in environments where Cilium is deployed on top of Kubernetes. This requires the Cilium DaemonSet to run with `hostPID: true` so that the cilium-agent process can access already running network namespaces. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
8bcb935 plugins/cilium-cni: rely on flannel response [ upstream commit a67df9f6ff07df999a6f98dd48f18bc8f1ddaf68 ] With CNI chaining, the response from the previous CNI plugin, flannel, is sent to the previous CNI plugin, Cilium, so we can rely on the flannel response to create a Cilium endpoint instead of entering the network namespace of the container. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 29 January 2019, 16:49:19 UTC
e5f5c6f Prepare for 1.4.0-rc5 release Signed-off-by: Thomas Graf <thomas@cilium.io> 26 January 2019, 01:33:09 UTC
374c483 fqdn/rulegen: per-name regeneration via ForceGenerateDNS [ upstream commit c8375f8dbbd75c8d617709fb61b8a3454c75ad27 ] There are circumstances to trigger a rule regeneration without new IP information (such as a cache clear or TTL expiration without a new DNS event). ForceGenerateDNS allows running logic similar to UpdateGenerateDNS, where DNS names are matched against rules and new versions generated. Signed-off-by: Ray Bejjani <ray@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
365c907 api: Add DELETE /fqdn/cache API [ upstream commit 274d782c32f4d04e16809b2a3171226d705f4f38 ] Signed-off-by: Ray Bejjani <ray@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
91a062f daemon: Implement DELETE /fqdn/cache API [ upstream commit 770ebd596fcde6a175933dd98d7c337b6bc808a3 ] This removes entries that match the matchName or CIDR, removing lookups that occurred before the time the API call was issued. No-parameter invocations will clear the entire cache. Signed-off-by: Ray Bejjani <ray@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
0ec824c fqdn/cache: Implement .ForceExpire to delete entries [ upstream commit 8f1f949abc1cd719a8ee5bba360c7ba24d6c91f1 ] In normal operation, the cache will only expire entries after the TTL. In some circumstances, we will need to forcibly clear part of the cache without removing all the data within it. ForceExpire and the updated removeExpired allow doing this per-name and by LookupTime. Signed-off-by: Ray Bejjani <ray@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
5c29ff7 k8s: Don't list identities in CEP for default-allow [ upstream commit c8846bc1a1e4ec9fed88e591d33f0ec7f336769c ] This lowers the size of the CEP and reduces the number of updates required for pods that are running in default-allow policy enforcement mode. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
3ce41ce node: Do not require ipv6AllocRange in ipv4-only mode [ upstream commit d52f6ed0378a314138a724ac6142a9a0ddcb39cc ] Otherwise, cilium-agent cannot start when only ipv4 is enabled. Signed-off-by: Martynas Pumputis <martynas@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
a0a34f5 daemon: Set ROUTER_IP only if IPv6 is enabled [ upstream commit 59d6eddbf0e538c0f3aa5d55f612754aa88a6566 ] Signed-off-by: Martynas Pumputis <martynas@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
e9e5c29 bpf: Enable some IPv6 code only if ENABLE_IPV6 is set [ upstream commit b1ce2bc831c3d25b02403ff5456a27b8b02f26e4 ] 75028e4bcb14 ("ipam: Only allocate IPs if address family is enabled") made setting of `ROUTER_IP` conditional, i.e. it is non-empty only if IPv6 is enabled. In the case of ipv4-only mode, `ROUTER_IP` in node_config.h is empty, which leads to compilation errors in BPF functions which call `BPF_V6(<..>, ROUTER_IP)`. Signed-off-by: Martynas Pumputis <martynas@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
1b26f11 Jenkins: delete docker-compose networks [ upstream commit c1b0e3d91b4fd8c395be8f5678c3ca163a4870c2 ] On commit `eb3b298849bc72b283034e13ab32e57130260758` target clean-ginkgo-test was deleted, but the jenkins-precheck is still using the docker-compose, so the docker networks never got deleted and Jenkins failed after a while. With this change, after each build a delete will happen. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
a23ab40 daemon: Sanitize fqdn/cache API matchpattern parameter [ upstream commit a964e923541dc21333334ce96909503f873e6ef1 ] When parsing policy, .Sanitize ensures a name or pattern is a FQDN. The FQDN API code now also does this, allowing the same patterns in policies to match in-cache names. Signed-off-by: Ray Bejjani <ray@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
00180ce Jenkins: Add Flannel job [ upstream commit 39f6982aeaf742da13099feb3ae65208810d11c6 ] Add a new flannel job with the new trigger test-flannel in the PR and with the new jenkinsfile. It'll run once a day in the CI. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
c9295a0 daemon: sockops: delay sockops init till node_config.h gets generated [ upstream commit fc25dbe2454815456cefab4f34807ab3ec270b47 ] SockmapEnable and SkmsgEnable require node_config.h, which is generated in Daemon.init(). level=error msg="Failed to compile bpf_sockops.o: exit status 1" compiler-pid=23550 linker-pid=23551 subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/sockops/bpf_sockops.c:21:10: fatal error: 'node_config.h' file not found" subsys=datapath-loader level=warning msg="#include <node_config.h>" subsys=datapath-loader level=warning msg=" ^~~~~~~~~~~~~~~" subsys=datapath-loader level=warning msg="1 error generated." subsys=datapath-loader level=error msg="failed compile sockops/bpf_sockops.c: Failed to compile bpf_sockops.o: exit status 1" subsys=sockops level=error msg="Failed to compile bpf_redir.o: exit status 1" compiler-pid=23553 linker-pid=23554 subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/sockops/bpf_redir.c:21:10: fatal error: 'node_config.h' file not found" subsys=datapath-loader level=warning msg="#include <node_config.h>" subsys=datapath-loader level=warning msg=" ^~~~~~~~~~~~~~~" subsys=datapath-loader Fixes: ac55c6a (daemon: Create BPF maps before restoring service IDs) Signed-off-by: Nirmoy Das <ndas@suse.de> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
ec183bd proxylib: Add SONAME, create .so* files and symlinks [ upstream commit 6b785067216e64b4b08bb6bf8fc4ea312a4cebb7 ] The common pattern in most Linux distributions is to have a SONAME field in shared object files and to keep the library version as its suffix. The name of the shared object file should be the same as the SONAME, and the .so file without a suffix should be a symlink to the versioned file. In this case, SONAME contains only the major version as a suffix, which is acceptable to most projects and Linux distributions. After this change, executing `make` and `make install` produces the following results: ``` $ make [...] $ ls -la proxylib/ | grep libcilium.so lrwxrwxrwx 1 mrostecki users 14 Jan 23 14:04 libcilium.so -> libcilium.so.1 -rw-r--r-- 1 mrostecki users 21362336 Jan 23 14:04 libcilium.so.1 $ readelf -a proxylib/libcilium.so | grep SONAME 0x000000000000000e (SONAME) Library soname: [libcilium.so.1] $ make install PREFIX=~/.local LIBDIR=~/.local/lib64 [...] $ ls -la ~/.local/lib64/ total 20988 drwxr-xr-x 3 mrostecki users 188 Jan 23 14:57 . drwx------ 9 mrostecki users 91 Jan 23 14:40 .. lrwxrwxrwx 1 mrostecki users 14 Jan 23 14:57 libcilium.so -> libcilium.so.1 -rwxr-xr-x 1 mrostecki users 21362336 Jan 23 14:57 libcilium.so.1 ``` Signed-off-by: Michal Rostecki <mrostecki@suse.de> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
0f9fb59 workloads: Set options per runtime [ upstream commit 0035477ca593f1855ad77a0b61a86b39b38546af ] Previously, all workloads runtime options passed to `workloads.Setup/2` were passed to each individual runtime implementation. This led to some runtimes returning an error during the setup step, because not all options were supported by them (e.g. "datapath-mode" is not supported by the containerd workloads runtime). This commit changes the runtime options in a way that they are defined per runtime. Signed-off-by: Martynas Pumputis <martynas@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
68e5fe7 workloads: Export WorkloadRuntimeType type [ upstream commit f9174de1a6896833237202c21b470a7b8a3a4268 ] Signed-off-by: Martynas Pumputis <martynas@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
4c8ec20 Kubernetes: CEP fixes. [ upstream commit 9c744603631024b7484a0718d066ee92ae187667 ] Due to the changes in commit `c5e50eb57be837b6b90c601c990fb6834d96d33b`, the get cep list is not reporting correctly. With this change the list is reporting correctly: ``` NAME ENDPOINT ID IDENTITY ID INGRESS ENFORCEMENT EGRESS ENFORCEMENT ENDPOINT STATE IPV4 IPV6 testclient-m894b 3216 4397 false false ready 10.10.0.218 f00d::a0a:0:0:f testds-2p4hq 3644 645 false false ready 10.10.0.120 f00d::a0a:0:0:f521 ``` Also, make the ingress/egress enforcement value in the json non-empty, because it is good to report that the value is false for jsonpath utilities. Due to the changes, I also changed the CI report to make it easy to understand if the test failed; the new behaviour looks like this: ``` <Checks> Number of 'context deadline exceeded' in logs: 0 Number of 'level=error' in logs: 0 Number of 'level=warning' in logs: 0 Number of 'Cilium API handler panicked' in logs: 0 Number of 'Goroutine took lock for more than' in logs: 0 Cilium pods: [cilium-rmcw9] Netpols loaded: CiliumNetworkPolicies loaded: Endpoint Policy Enforcement: Pod Ingress Egress coredns-fff89c9b9-cfkvb false false etcd-operator-5cf67779fd-hmkcv false false testclient-m894b false false testds-2p4hq false false cilium-etcd-8nwlbq9cvq false false cilium-etcd-wgptgl2gt5 false false cilium-etcd-xxh29gps5m false false ``` Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 26 January 2019, 01:11:22 UTC
10c96b6 Contrib: Add prometheus and grafana dashboards. [ upstream commit 8308b07dce9fb14341e904868c7b59d31e742865 ] Added a new prometheus manifest that includes a fully functional Prometheus, grafana and kube-metrics to deploy in a single command. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
4d2452d endpoint: fix logic to finalize proxy state in dry mode [ upstream commit fa240b46ae3e14a12afed369702f49d13de90b59 ] The logic was inverted for checking whether proxy state should be finalized or not. Fixes: 4045887122c11827977956abda8c7c28684538f8 Signed-off by: Ian Vernon <ian@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
f2d32fa health: Annotate k8s node with health IPs in initial annotation call [ upstream commit 45b4a5c3d20b6c476a1592585f23550a48f9f7d9 ] Related: #6728 Fixes: be7d5cb4b919 ("node: Use new routing datapath for node events") Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
58183c8 vendor: Remove now unused dependency code [ upstream commit 4d533b3c2d2ed7f3ad61bd848625d82abf75b3ae ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
0a6b5d5 node: Remove unused ipv4HealthAddress and ipv6HealthAddress [ upstream commit a26b64b7319f0a6ebc2bf589e257a0f878ded82b ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
8be972e ipam: Only allocate IPs if address family is enabled [ upstream commit 75028e4bcb1491042e94f30490857ba75d842d38 ] Only initialize the IP allocator for a particular address family if that address family is actually enabled. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
e06d846 agent: Fail if loopback IPv4 address cannot be allocated [ upstream commit f0653858bd73f6d97529710d6bebeb929d6d0e18 ] Make sure that allocation fails if the allocator is not available Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
e609b0a health: Support running IPv6 only health endpoints [ upstream commit d92a362c13c58e15d0e9768bfdec9db1c05cf35a ] The cleanup was limited to IPv4 only so far Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
d33e9e9 health: Only allocate health IP if address family is enabled [ upstream commit 35bf51763c96196d22d9b3458a3c8988d9f34aec ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
a99acb7 ipam: Remove unused IPAMConfig [ upstream commit dec2dbada2b417862f74ebf0712a3fcf5194ab25 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
f4cf7ab ipam: Add AllocateNextFamily() to allocate IPs of individual families [ upstream commit 2581cab845d6d3c898dc33262a2fc703e259ae06 ] AllocateNext() allows to allocate for a specific family but the allocation does not fail if the allocator is unavailable. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
c4d0ff2 ipam: Stop using global ipamConfig variable [ upstream commit 4a1701a183383b6620a3bbf2a351b1ba507bd153 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
2608259 workloads: Fix init race condition between workloads and IPAM init [ upstream commit f3932a1a69b729530b83debcd42f840f26fd5afa ] The workloads system requires IP allocation. Initialize the workloads system after initializing IPAM. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
142e371 endpoint: do not return error if endpoint RLock fails due to endpoint being removed [ upstream commit 73aafb818b564b673116af008497c28121d1794e ] The Cilium CI has failed recently on multiple occasions due to errors appearing for controllers for endpoints which resolve the identity for said endpoints. The errors were "rlock failed: endpoint is in the process of being removed". Handle this case specially in both cases where `identityLabelsChanged` is called for endpoints by adding a new error variable which is returned if `RLockAlive` fails, and handle this error being returned in callers to `identityLabelsChanged`. In the case where `identityLabelsChanged` is called within the `resolve-identity` controller for an endpoint, do not return an error in the controller if `RLockAlive` fails because the endpoint is being deleted, so there is no purpose in allocating a new identity for it. Fixes: #6721 Signed-off by: Ian Vernon <ian@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
e2553f5 cilium: ipsec, bpf add receive side ipsec [ upstream commit 6fd8f36a6eb5a5b05107a83f15f34f70b543b23d ] If we did nothing here, cilium_vxlan will pop the vxlan header, then the outer header will route to cilium_host (assuming tunnel mode); this route would hit the ipsec decrypt path, so cilium_host would get the decrypted packet. These would be processed using normal host logic and be locally redirected to the lxc endpoint via the BPF program. However, when mixed with non-ipsec traffic some flows were getting encrypted/decrypted unexpectedly. So instead of hopping through multiple BPF programs, this changes the flow as follows. Set the mark decrypt bit and pass to the stack. The routing stack decrypts the packet and routes it back to cilium_vxlan after decryption is complete. After this cilium_vxlan "sees" the decrypted bit is set and does the redirect to lxc. We keep the ipsec traffic localized this way. IMO it's easier to trace the flow. We had to pull in a portion of if_packet to get magic numbers for PACKET_* values. Only pulled in required defines for now. Finally, in the next set of patches we drop the tunnel mode flag and this becomes even more relevant to avoid (re)routing. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
8077110 cilium: Add IPv4GW to node discovery [ upstream commit e1438518b192cbf56bb46ce2b3977d4f2d19293f ] This adds the IPv4 gateway address to the localNode so that on node events we can use the gateway address to populate the IPSec context. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
6ea2cdb cilium: ipsec, bind nodeUpdate to ipsec upsert to install ipsec state [ upstream commit 29536aeef82948a9aa720b4b8f6716230991206b ] This hooks into nodeUpdate events, using them to add/remove IPSec policies and states when new endpoints come online/offline. For node-based ipsec this is sufficient; if we want finer grained IPSec policies, possibly per identity, we will most likely need to hook into ipcache. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC
a6e3a83 cilium: ipsec, add BPF datapath encryption direction [ upstream commit 3b6245843aeff0509bf0781ef88658ae7a69b9f8 ] This enables encryption on TX path for traffic that is sent over a vxlan tunnel. Currently, we use tunneled IPSec but the datapath should work regardless. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 25 January 2019, 20:35:12 UTC