Revision Author Date Message Commit Date
aaf6f7b Prepare for 1.1.0-rc1 Signed-off-by: Thomas Graf <thomas@cilium.io> 25 May 2018, 16:13:29 UTC
1c7a5aa Update NEWS 25 May 2018, 16:13:28 UTC
b666cee policy: Overwrite eventual L4 localhost policies when AllowLocalhost=true The move to desired/realized policy map state has broken the allow localhost logic required for Kubernetes. Fix this by removing eventual L4 entries from localhost in the DesiredL4Policy map. Fixes: f79e85666986 ("pkg/endpoint: add DesiredL4Policy field for endpoint") Fixes: #4245 Signed-off-by: Thomas Graf <thomas@cilium.io> 25 May 2018, 13:01:06 UTC
c6e2155 daemon: remove loopbackIPv4 from Daemon type This value is now contained within pkg/node. Signed-off by: Ian Vernon <ian@cilium.io> 25 May 2018, 10:57:23 UTC
9b68458 pkg/node: move IPv4Loopback address from daemon to node package Signed-off by: Ian Vernon <ian@cilium.io> 25 May 2018, 10:57:23 UTC
cf52c06 daemon: factor out node config headerfile into separate function This makes the code more readable / modular. Signed-off by: Ian Vernon <ian@cilium.io> 25 May 2018, 10:57:23 UTC
33d47b8 Test: Do not log cilium logs in test-output.log Fix #4189 Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 25 May 2018, 09:19:34 UTC
6a488b4 policy: Add test for default CIDR prefix lengths Test that the default set of CIDR prefix lengths looks sane. Signed-off-by: Joe Stringer <joe@covalent.io> 25 May 2018, 03:39:58 UTC
0a563d2 endpoint: Use policy for IP LPM, not IPCache Previously, CIDR insertion in policy would queue updates for the IPCache via the KVstore, then go straight into policy add / policy regeneration for endpoints. This would reach into IPCache to fetch the set of prefix lengths (ipcache.ToBPFData()) before the original IPCache KVstore update has propagated into the local IPCache. Thus, the set of prefix lengths used in generating the BPF programs may not include the prefix lengths for the newly inserted CIDRs. When the IPCache KVstore event is eventually processed, no regeneration of BPF is triggered so the old set of prefix lengths is used for endpoints until the next time the endpoints are regenerated. This leads to improper CIDR->Identity mapping in the datapath, which may lead to unexpected packet drops as the broader "reserved:world" policy would apply rather than the CIDR policy. For reference, one plausible solution would be to trigger regeneration from IPCache, however this could be costly if you have dozens of IPCache updates occurring. There's no good way to batch the updates for these currently. Furthermore, it would trigger multiple rebuilds of the datapath based on a single policy update. Alternatively, we should have enough information already during policy resolution to generate the appropriate set of prefix lengths for the datapath from that policy path. This patch implements this. In other words: * Policy generation inserts elements into the L3Policy * Endpoint regeneration uses the L3Policy to determine which CIDR prefixes need to be used by the endpoint to perform CIDR->ID mappings in order to implement that policy * The IPCache (by way of the KVstore) will plumb the actual CIDR->ID mappings into the BPF maps. This should mean that the datapath is eventually consistent with the configured CIDR policies. Fixes: #4188 Signed-off-by: Joe Stringer <joe@covalent.io> 25 May 2018, 03:39:58 UTC
2d41e92 policy: Express egress CIDRs in endpoint model An upcoming commit will make use of the endpoint's L3Policy egress map to determine which prefix lengths are necessary for generating IPcache LPM mappings on older Linux kernels. This ensures that the relevant entries are propagated into this structure for this use. Over time, the Ingress CIDR L3Policy should do the same (see GH #4129). Signed-off-by: Joe Stringer <joe@covalent.io> 25 May 2018, 03:39:58 UTC
90eed3a pkg: allocate first IP in IPv4 allocation range Since kubernetes allocator fixed their randomize function to allocate a different IP on each new allocation we have to make sure existing cilium instances keep the previous IPv4 gateway IP. On a new node however, the IPv4 gateway IP will be the first IP from the allocation range. Fixes: cfe05650d (vendor: update k8s dependencies to 1.10.2) Signed-off-by: André Martins <andre@cilium.io> 24 May 2018, 22:46:56 UTC
908f862 pkg/ip: add GetNextIP Signed-off-by: André Martins <andre@cilium.io> 24 May 2018, 22:46:56 UTC
5d9d74c common: add C2GoArray function Signed-off-by: André Martins <andre@cilium.io> 24 May 2018, 22:46:56 UTC
88330ac vendor: update k8s dependencies to 1.10.2 * For the cri integration the following dependencies were prematurely updated: - All kubernetes libraries were updated to 1.10.2 * All transient dependencies were automatically dealt with by dep. * pkg/ipam: fixed imports due to kubernetes library update Signed-off-by: André Martins <andre@cilium.io> 24 May 2018, 22:46:56 UTC
24c4c38 Add "cilium identity list" output to bugtool Fixes: #4236 Signed-Off-By: Steven Ceuppens <steven.ceuppens@icloud.com> 24 May 2018, 21:46:24 UTC
8d72fd9 pkg/endpoint: include node headerfile hash Since the node's headerfile is used when compiling the endpoint's BPF program, it must be hashed as well when computing the hash of the headerfiles used when generating the endpoint's BPF program. Previously, if configuration of the agent was changed, endpoint regeneration would not occur even though the configuration of the agent would have impact on the endpoint, because only the endpoint's lxc_config.h was hashed. Signed-off-by: Ian Vernon <ian@cilium.io> 24 May 2018, 21:46:08 UTC
af92bd4 envoy: Update integration test. Cilium integration test for Envoy is not run in the CI, so we've failed to update it to match the Envoy sources we use as a dependency. Update the integration test so that it passes in manual tests. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 24 May 2018, 21:43:34 UTC
70136e3 envoy: Update generated Cilium protobufs. We include the go sources generated from the Cilium filter protobufs in the git repo, but forgot to update them after a recent envoy rebase. Merge the updated files so that they do not need to be generated every time Cilium is built. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 24 May 2018, 21:43:34 UTC
5ad5ec7 pkg/endpoint: check if PolicyMap is nil in syncPolicyMap If a build fails for an endpoint, the PolicyMap for it will be set to `nil`. But, the controller that is started to sync the desiredMapState for the endpoint with the datapath will still run, and thus can result in a panic due to a nil-dereference of the map. Also add a check if any other fields for endpoint utilized in this function are nil as well. Signed-off by: Ian Vernon <ian@cilium.io> 24 May 2018, 17:40:30 UTC
ddf1c02 metricsmap: Set the key size properly The key size when creating this map type from userspace was set to the size of the value instead of the key. Fix it. Fixes: 70b1bd28c3b0 ("pkg/maps/metricsmap: Add a new userspace pkg/maps/metricsmap to access BPF metrics maps.") Fixes: #4228 CC: Manali Bhutiyani <manali@covalent.io> Signed-off-by: Joe Stringer <joe@covalent.io> 24 May 2018, 17:18:38 UTC
dfa50f8 test: update k8s versions to 1.7.15, 1.8.13, 1.9.8, 1.10.3 and 1.11.0-beta.0 Signed-off-by: André Martins <andre@cilium.io> 24 May 2018, 16:48:54 UTC
3edbdbe bpf: Only create veth pair if it does not already exist. Deleting and re-creating a veth pair will pick up new MAC addresses and interface indices, avoid that by figuring out if the veth pair already exists. This fixes a frequent CI issue, but also hides underlying problems relating to endpoint bpf regeneration on daemon config changes or restarts. New GH issues are opened to keep track of those. Fixes: #4198 Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 24 May 2018, 14:46:53 UTC
fd62556 [Monitor] add src and dst data to json output Signed-off-by: Maciej Kwiek <maciej@covalent.io> 24 May 2018, 13:22:18 UTC
aef051d pkg/maps/metricsmap/: Add a doc.go in the metricsmap pkg This change adds a doc.go which describes the metricsmap package, so that this package shows up on: https://godoc.org/github.com/cilium/cilium Fixes: #4224 Signed-off by: Manali Bhutiyani <manali@covalent.io> 24 May 2018, 04:26:59 UTC
6adc2d2 docs: Update dependencies for latest Envoy After a recent Envoy version bump, Bazel started complaining about: libtoolize: not found Also, aclocal: not found This was because two new build-time dependencies were added. Document them. Signed-off-by: Joe Stringer <joe@covalent.io> 24 May 2018, 02:20:48 UTC
1081d8f daemon: Format packet marks as 32bit hexits The option to `--set-mark` is 32-bit, so it's more explicit to use 8-hexit output when formatting the commands. Signed-off-by: Joe Stringer <joe@covalent.io> 23 May 2018, 23:16:35 UTC
2c01ca3 daemon: Reuse proxy magic marker variables Reuse these variables from one location in golang code. Signed-off-by: Joe Stringer <joe@covalent.io> 23 May 2018, 23:16:35 UTC
b3fb449 bpf: Mark traffic from outside local host as world Pick up on the magic mark for traffic sourced from a local application, and treat such traffic as from the host, then default to treating traffic without this mark (or either proxy mark) as from the world. Fixes: #3940 Signed-off-by: Joe Stringer <joe@covalent.io> 23 May 2018, 23:16:35 UTC
742c5ac daemon: Install rules to mark local applications Add an IPTables rule to mark traffic in the OUTPUT chain (ie, traffic coming from applications on the local host) with a magic marker, so that when the traffic arrives in the BPF datapath we can differentiate traffic sourced from the local node (with the node's IP) from traffic sourced outside the local node (which was masqueraded to the node's IP). Signed-off-by: Joe Stringer <joe@covalent.io> 23 May 2018, 23:16:35 UTC
7ec8ebc cleanup: remove refs to Consumable in comments The Consumable type no longer exists any more; remove all references to it in documentation. Signed-off by: Ian Vernon <ian@cilium.io> 23 May 2018, 18:10:21 UTC
619c752 cmd: specify JSON format for `cilium policy import` Specify that `cilium policy import` only accepts files in JSON format. Signed-off by: Ian Vernon <ian@cilium.io> 23 May 2018, 18:01:49 UTC
5b9699f Test: Ginkgo fix AfterFailed when fail on JustAfterEach. When an assertion fails on `JustAfterEach` functions, Ginkgo stopped all next AfterEach functions because the assert does a panic in the child process. With this change all the functions will be called, and will trigger the error at the end of the AfterEach, so all the logs will be retrieved correctly. Fix #4139 Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 23 May 2018, 15:50:45 UTC
659aea2 pkg/bpf: Use pointer receivers for MapKeys types bpf.MapValue interface function GetValuePtr() returns a pointer to a new temporary if the function receiver is a value rather than a pointer. endpoint, lxcmap, ipcache, and lbmap were also using value receivers for their implementations of MapValue interface. The problem with this is that any lookups would fail to return the actual value, as the bpf.LookupElement would write the value into a temporary unaccessible to the caller. No such lookups were performed, so this did not cause any problems in practice. Fix the implementations to prevent future problems. This fix is otherwise low risk, but it has happened earlier in development that GetValuePtr() implementations were not fixed properly and a pointer to the pointer receiver was returned. This is not noticed by the compiler, and would result in garbage data being written to/read from the bpf maps. Fixes: e76192a27b (bpf: Refactor EndpointKey) Fixes: 888a179908 (pkg/maps: add BPF ipcache map) Signed-off-by: André Martins <andre@cilium.io> 23 May 2018, 10:15:12 UTC
88ad237 docs: Attempt to use RTD version for GH URLs ReadTheDocs (RTD) provides an environment variable `READTHEDOCS_VERSION` which describes the branch of documentation that is currently being built. We should use this branch to create URLs to GitHub resources such as kubernetes YAMLs for Cilium install. This will mean that, for instance, if we build the branch `v1.0` on RTD then it will point to the latest version of the docs that are present on that branch. There's some special cases - if we're building locally, then the environment variable will not be there, and also on RTD the `latest` branch name that it provides should point to our `master` branch. In these cases, use HEAD for generating the URLs. Fixes: #4183 Signed-off-by: Joe Stringer <joe@covalent.io> 23 May 2018, 09:16:16 UTC
70b1bd2 pkg/maps/metricsmap: Add a new userspace pkg/maps/metricsmap to access BPF metrics maps. This commit adds a new pkg/maps/metricsmap which defines the userspace interface and functions to access the BPF metrics maps. Fixes: #4155 Related-to: #3284 Related-to: #3337 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> 23 May 2018, 01:15:54 UTC
49034ce bpf: Add BPF map cilium_metrics for L3-l4 packet drops/forwards This commit adds a new global BPF map named cilium_metrics which keeps account for L3-L4 packet drops and forwards. The key of the map is the drop reason and direction (ingress/egress), while the value is the count. If drop reason = 0 then the packet is forwarded and the count is the count of forwarded packets. Fixes: #4155 Related-to: #3284 Related-to: #3337 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> 23 May 2018, 01:15:54 UTC
7d28508 cmd: Add a CLI command to access the bpf L3-L4 metrics map This change adds a new `cilium bpf metrics list` command to access the new metrics bpf map. Fixes: #4155 Related-to: #3284 Related-to: #3337 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> 23 May 2018, 01:15:54 UTC
51ecf75 linux/bpf.h: Add reference link to in-kernel sk_buff structure. This is particularly useful to map the bpf sk_buff which should always be in sync with the in-kernel sk_buff structure. Related-to: #4155 Related-to: #3284 Related-to: #3337 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> 23 May 2018, 01:15:54 UTC
7d8f833 envoy: Update Istio to the latest 0.8 RC version Update the Envoy and Istio Proxy SHAs to match Istio Proxy's release-0.8 HEAD. Update the builder Docker image and Vagrant box. Update the Istio version to the latest 0.8 RC: release-0.8-20180521-15-16. Signed-off-by: Romain Lenglet <romain@covalent.io> 22 May 2018, 21:20:04 UTC
f4f8363 docs: layout fixes in GSG Signed-off-by: André Martins <andre@cilium.io> 22 May 2018, 19:51:51 UTC
3c9c780 docs: remove duplicated cilium installation instructions from GSG Signed-off-by: André Martins <andre@cilium.io> 22 May 2018, 19:51:51 UTC
5143fd1 docs: change minikube GSG to have necessary flags to run CNI Signed-off-by: André Martins <andre@cilium.io> 22 May 2018, 19:51:51 UTC
4fac285 Test: Fix issues with Ginkgo Kubernetes Job Jenkins Kubernetes job does not have Cilium library loaded, so can't update the commit status. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 22 May 2018, 16:20:12 UTC
ea336a6 docs: fix typos Signed-off-by: André Martins <andre@cilium.io> 22 May 2018, 16:19:33 UTC
b25bbec Test: Enable containerd on Jenkins builds. - Add `setIfLabel` function to send some parameters needed by feature toggles. - Enable containerd when area/containerd label is present in the PR. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 22 May 2018, 10:01:48 UTC
5a76033 Test: Improved Kubectl CEP helpers Added a new helper to make sure that all endpoints are updated in the kubernetes resource. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 22 May 2018, 08:44:46 UTC
ba19fbb Elasticsearch Getting Started Guide added changes from Andre's review Signed-off-by: Arvind Soni <arvindsoni@gmail.com> 21 May 2018, 23:52:47 UTC
ddc8a6b daemon: exit if tunnel is not supported Signed-off-by: Nirmoy Das <ndas@suse.de> 21 May 2018, 19:04:41 UTC
57b1b82 envoy: Rebase to get gRPC proxy responses. Rebase to the upstream Envoy commit that merged the gRPC responses to gRPC requests. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 21 May 2018, 18:58:12 UTC
9ec2c60 Gopkg: Update golang/protobuf Newly generated Envoy APIs require a newer golang/protobuf, maybe because we use latest protoc-gen-go? Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 21 May 2018, 18:58:12 UTC
f1bc739 Jenkins: Fix issues with downstreams Jobs - Added `sha1` and `ghprbSourceBranch` in parameters to build the downstreams jobs. - Fix some jenkins jobs report status Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 21 May 2018, 17:35:37 UTC
b4bfb40 Test: Add test result in Jenkins Junit - Added helper GetTestName() on ginkgo-ext - In case of error and it's running on Jenkins a Junit attachment will be added in the platform. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 21 May 2018, 17:35:07 UTC
3db480c Test: Dump vagrant provision logs to Jenkins console. With the new log behaviour, Jenkins logs no longer have the vagrant provision logs. With this change Jenkins will have the logs and also the test-output.log Fixes #4170 Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 21 May 2018, 13:56:26 UTC
c5b3378 bugtool: Add '-a' option to netstat. It is valuable to get both listening and non-listening sockets, rather than non-listening sockets only, for example to verify that proxy ports are listening. Add the '-a' option to 'netstat' to accomplish this. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 20 May 2018, 09:06:12 UTC
8b64ca8 ipcache: Provide old mapping to listeners on change When an ipcache change occurs, we pass the event down to two implementations which handle updates of existing entries differently: * The BPF implementation organises its ipcache indexed by IP. When it sees an upsert for an IP that already has a corresponding ID, it will overwrite the existing entry directly. * The NPHDS implementation organises its ipcache by ID. When it sees an upsert for an IP that already has a corresponding ID, it needs to issue a delete for the old ID->IP pair, then issue an upsert for the new ID->IP pair. Previously, the core ipcache logic would issue a delete + upsert which fit with the NPHDS model, but it could cause traffic drops on the BPF side in the brief period between applying the delete and the new insert. This patch fixes this behaviour by shifting the logic down to the listener implementation so that the BPF implementation never needs to handle a delete. Fixes: #3840 Signed-off-by: Joe Stringer <joe@covalent.io> 20 May 2018, 09:04:29 UTC
1c23584 ipcache: Rename ipIDPair parameter This is a purely cosmetic change that simplifies the changes for the next commit, which introduces a new parameter for the old ipIDPair. Signed-off-by: Joe Stringer <joe@covalent.io> 20 May 2018, 09:04:29 UTC
d5f5e33 store: Cast event.Value to string Signed-off-by: Thomas Graf <thomas@cilium.io> 20 May 2018, 08:34:47 UTC
4a98889 kvstore: Introduce shared store type Package store implements a shared store backed by a kvstore or similar with the following properties: * A single type is used to represent all keys * Any number of collaborators can join the store. Typically a collaborator is an individual Cilium agent running on each node. * All collaborators can own and contribute keys to the store. Each key is owned by exactly one collaborator. It is the responsibility of each collaborator to pick a key name which is guaranteed to be unique. * All collaborators desire to see all keys within the scope of a store. The scope of the store is defined by a common key prefix. For this purpose, each collaborator maintains a local cache of all keys in the store by subscribing to change events. This implementation will be used by the upcoming kvstore based node discovery Signed-off-by: Thomas Graf <thomas@cilium.io> 20 May 2018, 08:34:47 UTC
ff58d9a endpointmanager: Don't generate new endpoints waiting-for-identity The initial generation for a new endpoint is now handled by setting the initial identity. Signed-off-by: Romain Lenglet <romain@covalent.io> 19 May 2018, 18:20:03 UTC
fc2390b k8s: Don't add namespace labels into reserved:init endpoint selectors Signed-off-by: Romain Lenglet <romain@covalent.io> 19 May 2018, 18:20:03 UTC
c177eec test: Handle initializing endpoints with the reserved:init identity Update all helpers to wait for the endpoints' identity to be different from "init" / 5 in addition to being ready. Fix the egress test to ping the host instead of 8.8.8.8. Update DROP_ALL tests to test the reserved:init identity, since endpoints don't get a DROP_ALL program installed anymore unless labels are passed to the PUT /endpoint/{id} API. Test applying a policy to the reserved:init identity. Signed-off-by: Romain Lenglet <romain@covalent.io> 19 May 2018, 18:20:03 UTC
710fafe daemon: Fix identity label update APIs Have PUT /endpoint/{id} return status code 400 in case of failure to set labels, instead of code 404 which was not specified in the API. On endpoint creation, set the endpoint's identity before adding it into the endpoint manager so it is never exposed with no identity. PUT /endpoint/{id} now sets orchestration labels, not custom labels, to be consistent with PATCH /endpoint/{id}. Signed-off-by: Romain Lenglet <romain@covalent.io> 19 May 2018, 18:20:03 UTC
f39e616 endpoint: Fix state machine to support changing endpoint's labels Signed-off-by: Romain Lenglet <romain@covalent.io> 19 May 2018, 18:20:03 UTC
1cf6980 cilium-docker: Remove now-unnecessary PATCH /endpoint/{id} API call All the information that used to be passed in the PATCH call is now passed in the PUT call. The remaining state change triggered by the PATCH call was unnecessary. Signed-off-by: Romain Lenglet <romain@covalent.io> 19 May 2018, 18:20:03 UTC
98d30a3 cilium-docker: Create veth pair on endpoint creation Create the veth pair immediately, so that the LXC and node MAC addresses are known at endpoint creation time, like with the CNI plugin. Signed-off-by: Romain Lenglet <romain@covalent.io> 19 May 2018, 18:20:03 UTC
2c7ca90 cilium-docker: Remove constraint on endpoint state after creation After creation, endpoints can now be in different states: creating, waiting-for-identity, not-ready, etc. Signed-off-by: Romain Lenglet <romain@covalent.io> 19 May 2018, 18:20:03 UTC
2c1ce28 identity: Allocate reserved identities for entity reserved labels Allocate ID 4 to "health" entities (health daemon endpoints). Allocate ID 5 to "init" entities (initializing endpoints). Allocate such entity IDs synchronously, since that doesn't require any kvstore interactions. Fixes: https://github.com/cilium/cilium/issues/3895 Signed-off-by: Romain Lenglet <romain@covalent.io> 19 May 2018, 18:20:03 UTC
c2bb1ec api: Add "init" as supported entity Document "init" as a supported entity in the k8s CRD schema. Bump the CRD schema version. Signed-off-by: Romain Lenglet <romain@covalent.io> 19 May 2018, 18:20:03 UTC
4e81d7e policy: Always enable policy for reserved:init endpoints in default mode Signed-off-by: Romain Lenglet <romain@covalent.io> 19 May 2018, 18:20:03 UTC
50aee0a daemon: Define reserved:init label and set it on endpoints with no labels Signed-off-by: Romain Lenglet <romain@covalent.io> 19 May 2018, 18:20:03 UTC
63b5cdf ipcache: Create copies of NPHDS cache resources when deleting Signed-off-by: Romain Lenglet <romain@covalent.io> 19 May 2018, 00:07:33 UTC
595ba35 xds: Match the client's version if higher than the server's When Cilium restarts but the xDS clients survive, they keep requesting the last version they had received from the previous Cilium instance. Handle this case by bumping the server's resource version to match the clients'. Signed-off-by: Romain Lenglet <romain@covalent.io> 18 May 2018, 23:46:42 UTC
b58bff5 endpoint: Fix detection of L4 policy changes When adding an L7 rule to an L4 policy, the recent endpoint logic changes did not properly propagate the need to recompile the BPF program, so entirely skipped it, leading to #4181. Fix it by tracking whether the L4 policy changes in regeneratePolicy() and including this in the final "needToRegenerateBPF" result. Fixes: #4181 Signed-off-by: Joe Stringer <joe@covalent.io> 18 May 2018, 23:01:08 UTC
ae39ed9 GH4164 Append rule labels while parsing api.Rule - Fix the Bug - Add unit test to check for rule labels Fixes: #4164 Signed-off-by: ashwinp <ashwin@covalent.io> 18 May 2018, 21:15:23 UTC
bf47944 Fix image formatting and simplifies app yaml Fixed the squished images Fixed the application yaml to not create deployments for client pods this avoids users to change the pod name while following instructions for e.g. xwing-ab57d becomes xwing and you won't have the random string Signed-off-by: Arvind Soni <arvindsoni@gmail.com> 18 May 2018, 17:45:45 UTC
2bcc25e ipcache: Create copies of NPHDS cache resources when updating NPHDS resources were modified in place within the cache, which prevented notifying IP-to-ID mapping updates to Envoy. Signed-off-by: Romain Lenglet <romain@covalent.io> 18 May 2018, 15:07:45 UTC
0dfab09 ipcache: Update NPHDS cache before updating BPF maps Updating NPHDS lets Envoy get configured earlier, so it will be ready earlier during policies updates, resulting in fewer request drops. Signed-off-by: Romain Lenglet <romain@covalent.io> 18 May 2018, 15:07:45 UTC
e7e85cc bpf: Fix lxc header guard Needs to cover the whole file. Signed-off-by: Joe Stringer <joe@covalent.io> 18 May 2018, 10:58:32 UTC
7283ead test: Don't gather logs in -holdEnvironment When developers are running a test repeatedly using `-cilium.holdEnvironment`, they typically do not need to gather logs because they are manually investigating the failure when it fails rather than after the failure. In such cases, disable log gathering since it's not used. This speeds up the iterative cycle for retrying a test. Signed-off-by: Joe Stringer <joe@covalent.io> 18 May 2018, 09:58:19 UTC
aaaa8f3 Revert "Re-enable microscsope in CI" This reverts commit ac4b37c9f450e67c89708a41df77fd4ce727a781. Signed-off by: Ian Vernon <ian@cilium.io> 17 May 2018, 22:49:19 UTC
ac4b37c Re-enable microscsope in CI Signed-off-by: Maciej Kwiek <maciej@covalent.io> 17 May 2018, 15:45:28 UTC
9e9a475 Misc fixes for kops installation guide Signed-off-by: Shantanu Deshpande <shantanud106@gmail.com> 17 May 2018, 12:39:41 UTC
102d30f Fixes 'any' reference target not found warning Signed-off-by: Shantanu Deshpande <shantanud106@gmail.com> 17 May 2018, 12:39:41 UTC
04934a6 Add org to spellcheck wordlist Signed-off-by: Shantanu Deshpande <shantanud106@gmail.com> 17 May 2018, 12:39:41 UTC
b9f398d pkg/endpoint: fix owner merge conflict 2 non-conflicting PRs got merged into master, the last PR broke the CI which was removing a function's attribute still used by the first PR. Fixes: b39cc1e38a (configuration: move TracingEnabled to pkg/option) Signed-off-by: André Martins <andre@cilium.io> 17 May 2018, 12:33:40 UTC
b39cc1e configuration: move TracingEnabled to pkg/option Now that configuration is part of a global singleton, we can remove the TracingEnabled function out of the Owner interface and into pkg/option. This allows for the removal of the owner as a parameter in some functions. Signed-off by: Ian Vernon <ian@cilium.io> 17 May 2018, 10:54:01 UTC
4507c85 docs: k8s: updating formatting 17 May 2018, 10:40:33 UTC
7b06be6 docs: k8s: updating docs for k8s v1.9, 1.10 and 1.11 support 17 May 2018, 10:40:33 UTC
38c2217 Remove upstart artifacts. Ubuntu hasn't shipped upstart as part of its distribution for over three years, remove the scripts and references to it. Signed-off-by: Joe Stringer <joe@covalent.io> 17 May 2018, 10:33:14 UTC
aaf6827 cmd: Describe LPM limitation of IPCache Signed-off-by: Joe Stringer <joe@covalent.io> 17 May 2018, 08:48:04 UTC
561b464 cmd: Fix import ordering for bpf ipcache Signed-off-by: Joe Stringer <joe@covalent.io> 17 May 2018, 08:48:04 UTC
9acd318 ipcache: Loosen CIDR configuration restrictions Recent testing with latest datapath code on Linux v4.9.13 shows that more CIDR prefix lengths can be safely supported in common configurations, by testing with a CIDRSet on /8 + exception on /32 + two ports in a CIDR-dependent L4 rule. Allow as many as 25 unique CIDR prefix lengths. It seemed like we may be okay to support as many as 32 (ie, max for IPv4), but it depends on how much complexity is introduced by other code paths in the datapath, which is variable. Without a comprehensive way to test maximum complexity limits, or a way to measure how close to the complexity limit we are, it's hard to know whether it would be safe in all Cilium configurations. This patch proposes to keep it to 25 for this reason. Signed-off-by: Joe Stringer <joe@covalent.io> 17 May 2018, 08:48:04 UTC
deb11d9 bpf: Support LPM for ipcache on newer kernels The keys are already in the right format for LPM map type, the code just needs to be extended to pass the appropriate parameters to the lookup functions. On kernels 4.11 and newer, this will save a few instructions and allow us to support more than 16 unique prefix lengths in CIDR rules. As such, we relax this restriction in this case. Signed-off-by: Joe Stringer <joe@covalent.io> 17 May 2018, 08:48:04 UTC
d6d5769 bpf: Remove egress CIDR lookup Now that userspace doesn't plumb down the egress CIDR policies into a separate map, we can get rid of the calls from the policy logic that checks against those maps, which allows us to reduce the instruction count a bit. Signed-off-by: Joe Stringer <joe@covalent.io> 17 May 2018, 08:48:04 UTC
0c00ca7 ipcache: Refactor ipcache limitations check to map Refactor the limitations check for IPCache into the bpf ipcache implementation so that the ipcache package doesn't need to understand the details of the BPF implementation. Signed-off-by: Joe Stringer <joe@covalent.io> 17 May 2018, 08:48:04 UTC
d1abb06 bpf: Improve logging output for map creation * Improve the message for failing to pin maps, to include the path * Format desired map type as a string rather than an integer * Don't format the map path twice in the logs Signed-off-by: Joe Stringer <joe@covalent.io> 17 May 2018, 08:48:04 UTC
1cc5ab5 test: Handle endpoint list errors in helper This helper should check whether the attempt to get the endpoint list was successful or not, and fail out if it didn't work. This means that when it actually fails here, the error is more obvious. Signed-off-by: Joe Stringer <joe@covalent.io> 17 May 2018, 08:44:14 UTC
39a3106 test: Fix no-op checks in CT tests These lines were checking a boolean and ignoring the return value. Swap them for proper asserts. Signed-off-by: Joe Stringer <joe@covalent.io> 17 May 2018, 08:44:14 UTC
a0720ee test: Refactor policy labels name for common usage Signed-off-by: Joe Stringer <joe@covalent.io> 17 May 2018, 08:44:14 UTC
3fc516f pkg/endpoint: release lock if syncPolicyMap fails The endpoint mutex was not released if syncPolicyMap failed in regenerateBPF. Unlock the endpoint mutex accordingly. Signed-off by: Ian Vernon <ian@cilium.io> 16 May 2018, 23:44:24 UTC