Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Complexity issue on 5.10+ with kubeProxyReplacement=disabled #14726

Closed
pchaigno opened this issue Jan 25, 2021 · 0 comments · Fixed by #16084
Closed

Complexity issue on 5.10+ with kubeProxyReplacement=disabled #14726

pchaigno opened this issue Jan 25, 2021 · 0 comments · Fixed by #16084
Assignees
@pchaigno
Labels
kind/bug This is a bug in the Cilium logic. kind/complexity-issue Relates to BPF complexity or program size issues sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
Milestone
1.10.0

Comments

@pchaigno
Copy link
Member

Disabling the kube-proxy replacement on net-next results in complexity issues for the IPv4 path of bpf_lxc:

level=error msg="Command execution failed" cmd="[tc filter replace dev lxcd7934e21d6b8 ingress prio 1 handle 1 bpf da obj 1885_next/bpf_lxc.o sec from-container]" error="exit status 1" subsys=datapath-loader
[...]
level=warning msg="Prog section '2/7' rejected: Argument list too long (7)!" subsys=datapath-loader
level=warning msg=" - Type:         3" subsys=datapath-loader
level=warning msg=" - Attach Type:  0" subsys=datapath-loader
level=warning msg=" - Instructions: 3307 (0 over limit)" subsys=datapath-loader
level=warning msg=" - License:      GPL" subsys=datapath-loader
level=warning subsys=datapath-loader
level=warning msg="Verifier analysis:" subsys=datapath-loader
level=warning subsys=datapath-loader
[...]
level=warning msg="BPF program is too large. Processed 1000001 insn" subsys=datapath-loader

An example can be found at https://jenkins.cilium.io/job/Cilium-PR-K8s-1.13-net-next/556/testReport/Suite-k8s-1/13/K8sDatapathConfig_Encapsulation_Check_connectivity_with_transparent_encryption_and_VXLAN_encapsulation/.
Sysdump:
b91bb5b3_K8sDatapathConfig_Encapsulation_Check_connectivity_with_transparent_encryption_and_VXLAN_encapsulation.zip
(IPSec is enabled in this example but it doesn't make a difference.)

This is closely related to #14234.
@pchaigno pchaigno added kind/bug This is a bug in the Cilium logic. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. kind/complexity-issue Relates to BPF complexity or program size issues labels Jan 25, 2021
@brb brb mentioned this issue Jan 27, 2021
Closed
@pchaigno pchaigno mentioned this issue Feb 12, 2021
Closed
@pchaigno pchaigno mentioned this issue Mar 12, 2021
Closed
@aanm aanm added this to the 1.10.0 milestone Apr 16, 2021
@pchaigno pchaigno self-assigned this Apr 19, 2021
@pchaigno pchaigno changed the title Complexity issue on netnext with kubeProxyReplacement=disabled Complexity issue on 5.10+ with kubeProxyReplacement=disabled May 3, 2021
This was referenced May 7, 2021
Closed
Merged
Merged
@pchaigno pchaigno mentioned this issue Jun 15, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pchaigno pchaigno

Labels
kind/bug This is a bug in the Cilium logic. kind/complexity-issue Relates to BPF complexity or program size issues sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
Projects
None yet
Milestone
1.10.0
Development

Successfully merging a pull request may close this issue.

Fix 5.10+ complexity issue with kubeProxyReplacement=disabled pchaigno/cilium
3 participants
@tgraf @pchaigno @aanm