-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CI: ConformanceAKS: client-egress-to-echo-expression-deny: command terminated with exit code 28 #22529
Comments
Tracing the ConnectionClient side:
SYN+ACK is never received. Server side:
SYN+ACK is sent but seems it never leaves the first BPF program as we don't have a Looking for Missing Packet TracesLooking at the code, I found two possibles places where we could be dropping/forwarding this packet without emitting a packet trace event:
Checking the second first as it seems more likely to happen (forwarding case) than the first (vs. corner-case error cases). Redirect to the ProxyThe second missing packet trace event corresponds to a case where we are sending a packet from the container to our proxy based on information from the CT map. We don't have a packet trace event to confirm, but we can check the CT map content, same as the code does:
And indeed, we have a CT entry flagged with We are most likely hitting #17459 once again. Root Cause#17459 should have been strongly mitigated (though not fixed) by cilium/cilium-cli#558. But that reordering is a bit fragile because we don't have a good way to enforce it. So let's check that someone didn't partially undo cilium/cilium-cli#558 since then. And indeed! cilium/cilium-cli@8c772b7 adds a bunch of connectivity tests with L7 redirects before tests without L7 redirects, partially undoing cilium/cilium-cli#558. |
To mitigate the effects of bug cilium/cilium#17459, commit 7f84818 ("test: Run tests with UDP proxy redirections last") reordered the tests such that those with proxy redirections are executed last. Commit 8c772b7 ("connectivity: Add policy test for name ports") however partially undid that, causing a new flake in CI. This commit moves those new L7 ingress tests to the end of the connectivity tests. Related: cilium/cilium#22529 Fixes: 8c772b7 ("connectivity: Add policy test for name ports") Signed-off-by: Paul Chaignon <paul@cilium.io>
To mitigate the effects of bug cilium/cilium#17459, commit 7f84818 ("test: Run tests with UDP proxy redirections last") reordered the tests such that those with proxy redirections are executed last. Commit 8c772b7 ("connectivity: Add policy test for name ports") however partially undid that, causing a new flake in CI. This commit moves those new L7 ingress tests to the end of the connectivity tests. Related: cilium/cilium#22529 Fixes: 8c772b7 ("connectivity: Add policy test for name ports") Signed-off-by: Paul Chaignon <paul@cilium.io>
This flake should be fixed by cilium/cilium-cli#1261 once we update to CLI v1.12.12 (not yet released). |
This was fixed with the new CLI release in #23030. |
To mitigate the effects of bug cilium#17459, commit 7f84818 ("test: Run tests with UDP proxy redirections last") reordered the tests such that those with proxy redirections are executed last. Commit 8c772b76d ("connectivity: Add policy test for name ports") however partially undid that, causing a new flake in CI. This commit moves those new L7 ingress tests to the end of the connectivity tests. Related: cilium#22529 Fixes: 8c772b76d ("connectivity: Add policy test for name ports") Signed-off-by: Paul Chaignon <paul@cilium.io>
From: https://github.com/cilium/cilium/actions/runs/3609902939/jobs/6083378949
cilium-sysdumps.zip
The text was updated successfully, but these errors were encountered: