New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CI: Host firewall: unable to upgrade connection #15455
Comments
This is very similar to #13853 (same error message + hostfw). Probably the same root cause |
The
So this is not a setup issue and something breaks after a few seconds/minutes of running the test. All other policy drops I found were on connections established in the wrong direction in conntrack, which should be fine to drop. |
Looks like we got a hit on a branch that had the fix: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/2214/testReport/junit/Suite-k8s-1/26/K8sDatapathServicesTest_Checks_N_S_loadbalancing_With_host_policy_Tests_NodePort/ 😢 |
I don't think that specific test has the workaround. Only The dashboard you want to follow is: https://lookerstudio.google.com/s/vquN3vXM-kM. I'd say Monday we will have "official" confirmation and we can extend the workaround and consider what we should document. |
Ah right 😌 ok still monitoring then. Few potential failures on that test but a lot less than the huge amount of failures on the VXLAN test. |
Change 439a0a0 introduced potential workaround to common flake we've been seeing relating to issue cilium#15455. In the meantime, let's quarantine other tests that appear to be failing for the same cause. Addresses: cilium#25411 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com>
I think we can say we have confirmation the workaround is working: Let's close this issue. We can discuss the proper way forward for the host firewall at #25448. We should also extend this workaround to other host firewall test (i.e., |
Change 439a0a0 introduced workaround to common flake we've been seeing relating to issue cilium#15455. Any test enabling hostfw/host-policy will may suffer from the same issue. Addresses: cilium#25411 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com>
[ upstream commit 0cfce97 ] Change 439a0a0 introduced workaround to common flake we've been seeing relating to issue #15455. Any test enabling hostfw/host-policy will may suffer from the same issue. Addresses: #25411 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit 0cfce97 ] Change 439a0a0 introduced workaround to common flake we've been seeing relating to issue #15455. Any test enabling hostfw/host-policy will may suffer from the same issue. Addresses: #25411 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit 0cfce97 ] Change 439a0a0 introduced workaround to common flake we've been seeing relating to issue #15455. Any test enabling hostfw/host-policy will may suffer from the same issue. Addresses: #25411 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
This seems to be occurring on the v1.11 branch more often, even though we backported the workaround to v1.11 🤔 |
[ upstream commit 0cfce97 ] Change 439a0a0 introduced workaround to common flake we've been seeing relating to issue #15455. Any test enabling hostfw/host-policy will may suffer from the same issue. Addresses: #25411 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch> Signed-off-by: Michi Mutsuzaki <michi@isovalent.com>
Failed a couple times in different PRs:
1cee8a70_K8sDatapathConfig_Host_firewall_With_VXLAN.zip
39f2ff05_K8sDatapathConfig_Host_firewall_With_VXLAN.zip
5cc06922_K8sDatapathConfig_Host_firewall_With_native_routing.zip
Stacktrace
Standard Output
Standard Error
Click to show details
The text was updated successfully, but these errors were encountered: