devices: allow local route entries in device mngr

[oblazek]

Related slack thread: https://cilium.slack.com/archives/C2B917YHE/p1679920009513589

Previously when --enable-runtime-device-detection was enabled the code skipped local route table.
This means if device route was only present in the local table it was skipped and no datapath program
was attached.

In case of a dummy device with e.g. anycast IP it would be necessary to remove this check.
Known unwanted links are still filtered out and the rest can be narrowed down by using --devices flag.
This PR fixes that.

Signed-off-by: Ondrej Blazek ondrej.blazek@firma.seznam.cz

Allow devices from local route table to be used for datapath programs. 

[joamaki]

/test

[oblazek]

ah, failure seems legit, taking a look

[YutaroHayakawa]

LGTM 👍

[oblazek]

forced pushed with a fixed test file..

[oblazek]

the failures don't look related.. could be a flake?

[joestringer]

If the issue is a flake, then I would expect to be able to find the test failure + symptoms documented in another issue. If there isn't an issue, then it could either be this PR or others have not yet encountered the issue such that we've had a chance to file an issue for it. It looks like there's a bunch of failures, may be worth investigating the first failure (make sure it's the first one that ran&failed) to see whether the initial failure somehow left the test cluster in a bad state that caused later failures. Either way if we think this is not related to your PR, I'd encourage you to file an issue with the failure details so that others can find that issue as well. If it's generally affecting the main branch then others will likely hit the issue and chime in on the filed issue soon enough. If you're the only one observing the issue, then that increases the odds that there's some aspect related to your changes.

[pchaigno]

I suspect https://github.com/cilium/cilium/actions/runs/4573718201 is because your PR isn't rebased and doesn't include #24122.
https://jenkins.cilium.io/job/Cilium-PR-K8s-1.25-kernel-4.19/1547/testReport/junit/Suite-k8s-1/25/K8sUpdates_Tests_upgrade_and_downgrade_from_a_Cilium_stable_image_to_master/ is #24573.

[oblazek]

got this error for the ci-eks

2023-04-11T11:19:55.991006262Z level=warning msg="Unable to synchronize EC2 VPC list" error="operation error EC2: DescribeVpcs, exceeded maximum number of attempts, 3, https response error StatusCode: 0, RequestID: , request send failed, Post \"https://ec2.us-east-2.amazonaws.com/\": dial tcp: lookup ec2.us-east-2.amazonaws.com on 10.100.0.10:53: write udp 192.168.127.65:37304->10.100.0.10:53: write: operation not permitted" subsys=eni
2023-04-11T11:19:55.991349965Z level=fatal msg="Unable to start eni allocator" error="Initial synchronization with instances API failed" subsys=cilium-operator-aws

[oblazek]

Anyone has encountered the Setup&Test failures? I can't see much in the sysdump as it doesn't include cilium-agent logs.. only operator, which seems fine.

[joamaki]

/test

[joestringer]

/test

Job 'Cilium-PR-K8s-1.24-kernel-5.4' failed:

Click to show.

Test Name

K8sDatapathConfig Host firewall With native routing and endpoint routes

Failure Output

FAIL: Error deleting resource /home/jenkins/workspace/Cilium-PR-K8s-1.24-kernel-5.4/src/github.com/cilium/cilium/test/k8s/manifests/host-policies.yaml: Cannot retrieve "cilium-8crvt"'s policy revision: cannot get policy revision: ""

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.24-kernel-5.4/1996/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.24-kernel-5.4 so I can create one.

Then please upload the Jenkins artifacts to that issue.

[joestringer]

A few of the failures look familiar from a search, but some of them do not look familiar. Do you think that they could be related to the changes being made in this PR?

[oblazek]

I will try to look deeper.. but I am unsure how are these related.. thanks Joe :)

[joestringer]

Given the Jenkins outage we had last week, you may need to rebase the PR again and re-run /test in order to gather data on the failures again. The old links are expired now.

[oblazek]

/test

Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed:

Click to show.

Test Name

K8sUpdates Tests upgrade and downgrade from a Cilium stable image to master

Failure Output

FAIL: Unexpected missed tail call

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/198/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.26-kernel-net-next so I can create one.

Then please upload the Jenkins artifacts to that issue.

[oblazek]

rebased to be up to date.. retriggering tests

[oblazek]

/test

[yingnanzhang666]

This means if device route was only present in the local table it was skipped and no datapath program
was attached.
In case of a dummy device with e.g. anycast IP it would be necessary to remove this check.

@oblazek I cannot see the historical slack thread. For the dummy device with e.g. anycast IP, Can we just add its IP as reserved:host into ipcache without attach datapath program?
The traffic which target is the anycast IP will also go through the bpf program attached to real interface. right? If add the IP as the reserved:host, it will also do the host firewall check in the program attached to the real interface.