Best effort for xdp

[poblahblahblah]

Please ensure your pull request adheres to the following guidelines:

• For first time contributors, read Submitting a pull request
• [?] All code is covered by unit and/or runtime tests where feasible.
• All commits contain a well written commit description including a title,
  description and a Fixes: #XXX line if the commit addresses a particular
  GitHub issue.
• If your commit description contains a Fixes: <commit-id> tag, then
  please add the commit author[s] as reviewer[s] to this issue.
• All commits are signed off. See the section Developer’s Certificate of Origin
• Provide a title or release-note blurb suitable for the release notes.
• [?] Are you a user of Cilium? Please add yourself to the Users doc
• Thanks for contributing!

This allows a user to specify a new mode, best-effort when enabling XDP. We need this ability since we are running physical hosts where the primary NICs do support XDP, but have additional vlan devices that do not have XDP support in the driver.

More background can be found in #24768, but to summarize we have 1 physical device (ens785np0) per host and due to network design we need an additional vlan type interface (vlan3). Regrettably the vlan driver in the kernel does not support XDP. When enabling XDP without this change Cilium enters a crashloop with this error:

level=fatal msg="Failed to compile XDP program" error="program cil_xdp_entry: attaching XDP program to interface vlan3: operation not supported" subsys=datapath-loader

With this change applied and by setting loadBalancer.acceleration to best-effort in our values.yaml file we get the following log output with XDP enabled only on devices that support it:

level=info msg="attaching XDP program to interface vlan3 failed. Ignoring" subsys=datapath-loader

$ sudo bpftool net
xdp:
ens785np0(2) driver id 28652

tc:
ens785np0(2) clsact/ingress cil_from_netdev-ens785np0 id 28699
ens785np0(2) clsact/egress cil_to_netdev-ens785np0 id 28721
vlan3(4) clsact/ingress cil_from_netdev-vlan3 id 28731
vlan3(4) clsact/egress cil_to_netdev-vlan3 id 28739
cilium_net(5) clsact/ingress cil_to_host-cilium_net id 28692
cilium_host(6) clsact/ingress cil_to_host-cilium_host id 28674
cilium_host(6) clsact/egress cil_from_host-cilium_host id 28686
cilium_vxlan(7) clsact/ingress cil_from_overlay-cilium_vxlan id 28663
cilium_vxlan(7) clsact/egress cil_to_overlay-cilium_vxlan id 28664
lxc_health(11) clsact/ingress cil_from_container-lxc_health id 28708

flow_dissector:

I initially created #25870 and it was indicated in this comment thread that swallowing these errors if set to "best-effort" would be an acceptable solution.

Any and all feedback would be very welcome!

Fixes: #24768

Adds "best-effort" mode for XDP to skip interfaces without driver support

[mhofstetter]

Thanks for the contribution @poblahblahblah

Added some config-related comments.

@borkmann Adding you as reviewer because it seems that you already have the context from the issue and the previous PR

[rgo3]

Thanks, just a couple nits.

[maintainer-s-little-helper]

Commits ec4e546, 454ce4b, 50367e6 do not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[poblahblahblah]

I'll squash commits into a single commit once this is looking like it will be ready for merge.

[qmonnet]

/test

[qmonnet]

/test

[qmonnet]

Looks better, thanks! But now I don't understand where the new files install/kubernetes/cilium/Chart.yaml-e, ...-ee, and ...-eee come from. Were they committed by mistake?

[ti-mo]

@poblahblahblah I've merged #28308 in the meantime, so I gave this a rebase and moved the error check to reinitializeXDPLocked(). I'll kick off tests as well.

[ti-mo]

/test

[poblahblahblah]

I'm not super familiar with the failures we're seeing. Can/should these be run again?

@qmonnet you've been very generous with your time and I appreciate that. It looks like there's another helm failure. Do you have any insight into this?

[nathanjsweet]

Approval for API.

[qmonnet]

It looks like there's another helm failure. Do you have any insight into this?

Just as the workflow output says 🙂:

HINT: to fix this, run 'make -C Documentation update-helm-values'

So please try running this command and committing the changes in Documentation/helm-reference.rst (This is a different command from make -C install/kubernetes).

[poblahblahblah]

Just as the workflow output says 🙂

Can't believe I missed that. Apologies!

Should be good now

[qmonnet]

/test

[qmonnet]

Thank you!

[qmonnet]

Jussi, Daniel, Nate and I are all part of sig-datapath, so I think we can skip Louis' review.

[poblahblahblah]

Thank you for the help, everyone!

Great experience all around!

[julianwiedmann]

👋 should the new bpf-lb-acceleration value ("best-effort") also be mentioned in the agent documentation?
https://docs.cilium.io/en/v1.15/cmdref/cilium-agent/#options

  --bpf-lb-acceleration string                                BPF load balancing acceleration via XDP ("native", "disabled") (default "disabled")