Commit
docker, runtime: upgrade to recent clang/llvm image in runtime
Do not rely on clang-7/llvm-7 shipped by Ubuntu base image and instead upgrade to clang-11/llvm-11 with a BPF-only backend. This would help overcoming the blockade of [0] where we're hitting the 1 mio instruction complexity limit which was bisected by Paul to the kernel commit f7cf25b20 ("bpf: track spill/fill of constants"). As it is stated there:

  Newer clang generates better code by spilling less to the stack. Instead it keeps more constants in the registers which hurts state pruning since the verifier already tracks constants in the registers [...]. Tracking constants in the registers hurts state pruning already. Adding tracking of constants through stack hurts pruning even more. The later patch address this general constant tracking issue with coarse/precise logic.

Side-effect of going with a custom clang-11/llvm-11 build with a BPF-only backend is that i) we can also shrink the image since x86 is not needed anymore, and ii) avoid shipping a generic compiler in our image that can generate x86 executable code.

This depends on [1] where we first need to get rid of our custom runtime probes in Cilium and instead rely on bpftool to take over that job.

Size shrinkage around 36.6M:

  clang-7 (90,777,392) -> clang-11/stripped (75,617,520)
  llc-7 (51,453,072) -> llc-11/bpf/stripped (29,997,384)

  [0] #10517
  [1] #10019

Complexity comparison: https://user-images.githubusercontent.com/677393/76440789-aae08b80-63be-11ea-863f-37ab12106ad9.png

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Paul Chaignon <paul@cilium.io>
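A build-time check for the BPF-only property this commit describes, as an added example that is not part of the commit or of Cilium's build scripts: it parses the `Registered Targets` list printed by `llc --version` and fails if any non-BPF backend is present. The function names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the commit): verify an llc binary is BPF-only.
# Real use: llc --version | check_bpf_only

# Constructed sample: `llc --version` output of a BPF-only build.
sample_bpf_only() {
cat <<'EOF'
LLVM (http://llvm.org/):
  LLVM version 11.0.0
  Optimized build.

  Registered Targets:
    bpf   - BPF (host endian)
    bpfeb - BPF (big endian)
    bpfel - BPF (little endian)
EOF
}

# Constructed sample: a generic build that can also emit x86 code.
sample_generic() {
cat <<'EOF'
  Registered Targets:
    bpf    - BPF (host endian)
    x86    - 32-bit X86: Pentium-Pro and above
    x86-64 - 64-bit X86: EM64T and AMD64
EOF
}

# Print the registered target names, one per line, from stdin.
registered_targets() {
    awk '/Registered Targets:/ { in_list = 1; next }
         in_list && NF == 0    { in_list = 0 }
         in_list               { print $1 }'
}

# Exit 0 if only BPF backends are registered, 1 if others are present,
# 2 if no target list could be parsed (do not treat that as a pass).
check_bpf_only() {
    targets=$(registered_targets)
    [ -n "$targets" ] || { echo "no target list parsed" >&2; return 2; }
    extra=$(printf '%s\n' "$targets" | grep -Ev '^bpf(eb|el)?$' || true)
    [ -z "$extra" ] && return 0
    echo "non-BPF backends present:" $extra >&2
    return 1
}

# Demo on the constructed samples.
sample_bpf_only | check_bpf_only && echo "bpf-only sample: ok"
sample_generic | check_bpf_only || echo "generic sample: rejected"
```

Run as a step in the image build, the exit status 2 case keeps a changed or empty `llc --version` output from passing silently.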