CI: RuntimeFQDNPolicies Validates DNSSEC responses: Cannot connect to "dnssec" #16713
In the artifact, we can see it keeps trying to send SYN but it's denied due to the lack of an allowing policy rule:
Given the above, we know it's not the DNS resolution failing but the following TCP connection. So the DNS<->IP association should be in the FQDN cache at this point and we should have a toCIDR entry in the policy map. The remote identity looks okay. We can't check the BPF map content because the endpoint 3554 (source endpoint given the above is an egress policy verdict) was deleted as soon as the command ended (since it's However, we can see that the requested domain (
Please post here if you hit this again. The next failures should have more information thanks to #16748.
According to DataStudio, this flake started happening on June 24th: So #16391, which was merged on June 29th, is not to blame here. https://github.com/cilium/cilium/pulls?q=is%3Apr+is%3Aclosed+merged%3A2021-06-22..2021-06-24+-label%3Akind%2Fbackports+-label%3Aarea%2Fdocumentation+ has PRs merged shortly before June 24th. Of these, 4 have been backported to v1.9:
#16529 is the main suspect here given it touched locking mechanisms in the policy engine. /cc @jrajahalme @aanm
https://jenkins.cilium.io/job/cilium-master-runtime-kernel-4.9/2235/testReport/(root)/Suite-runtime/RuntimeFQDNPolicies_Validates_DNSSEC_responses/
09fe2bc5_RuntimeFQDNPolicies_Validates_DNSSEC_responses.zip
Stacktrace
Standard Output
Standard Error