v1.13 Backports 2023-11-07 #29034
[ upstream commit 904ceb3 ]

The Cilium standalone LB does not run as a K8s pod, so the regular Cilium sysdump collection does not work. Instead, just show docker container logs of the LB.

Suggested-by: Sebastian Wicki <sebastian@isovalent.com>
Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>

[ upstream commit 28a3cb7 ]

l4_load_port() is just a thin wrapper around ctx_load_bytes(), which returns raw kernel errnos. Translate these to a Cilium-internal drop reason before returning to the caller.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>

[ upstream commit df969b7 ]

[ backporter's notes: a few conflicts to deal with, I just started fresh and removed all logic for IPSec node encryption ]

Node encryption for IPsec hasn't been supported since 1d2674d ("docs: ipsec: remove node-to-node encryption") and subsequent commits. The feature also hasn't been working for several releases. This commit simply removes the code for that feature. This code has no use now and makes changes to IPsec slightly more difficult.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>

[ upstream commit 1900f4a ]

[ backporter's notes: a few conflicts to deal with, as the IPSec methods differ from the ones in main, so I just manually moved all the methods from node.go to ipsec.go ]

This commit has no functional changes. It simply moves all the linuxNodeHandler functions that pertain to IPsec to a new file, ipsec.go. This will ease review assignments by ensuring that we don't require an IPsec review on non-IPsec code and vice versa.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit e27730b ]

This is useful for XFRM states which do not have a built-in direction field. Instead, we encode the direction in the packet mark and can therefore rely on that when logging. The same function can be used for XFRM policies, even though they do have a built-in Dir field as well.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

[ upstream commit 89626bc ]

The SPI and the source and destination IP addresses (or CIDRs for XFRM policies) are not enough anymore to uniquely identify XFRM states and policies. We additionally need the node ID. This commit therefore ensures that we always log the five contextual information bits whenever possible: SPI, source, destination, direction, and node ID.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

[ upstream commit 4506c76 ]

The node ID is reported in hexadecimal format in the XFRM states and policies, as well as in the node ID map dump. To make it easier to match the node ID across different sources, we should also dump it in hex format in the agent logs.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

[ upstream commit fe08772 ]

This function will be used from cilium-dbg so we need to expose it from a shared package. We already have such a package for IPsec utility functions in pkg/common/ipsec.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

[ upstream commit 37b611e ]

The cilium-dbg encrypt flush command removes all XFRM states and policies on the node. That will lead to packet drops until connections are reestablished. Traffic will also be sent in plain text between pods. This commit therefore asks for confirmation when running the command, to ensure nobody performs this action by mistake.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

[ upstream commit 5c7cfe6 ]

This is useful, for example, to manually delete the XFRM config corresponding to an old key. It will warn if the user is about to delete all XFRM configs, on the assumption that that isn't the intended action or the filter wouldn't be necessary.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

[ upstream commit dd8920a ]

Refactor the filterXFRMBySPI function to be able to filter by other things than SPI without duplicating the main logic. The new function filterXFRMs takes two predicate functions instead of hardcoding the comparison to "spi". No functional changes in this commit.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
[ upstream commit c924bd6 ]

We test both a single call to filterXFRMs and two chained calls. The latter is because we will need to chain calls for different filters because they are ANDed. For example, filtering on both the SPI and the node ID should only flush XFRM configs that match for both the given SPI and node ID.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

[ upstream commit 47e1b3f ]

We will use this function from cilium-dbg in the subsequent commit.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

[ upstream commit 0e5d3c3 ]

This can be useful to flush the XFRM configs of stale node IDs.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

[ upstream commit 550b56e ]

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
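As an added illustration of the predicate-based filtering, the ANDed chaining and the "about to delete everything" warning described in the commits above (example code written for this page, not Cilium's implementation; the XfrmState type, its field names and string IPs, bySPI, byNodeID, selectForFlush and describe are all assumptions):

```go
package main

import "fmt"

// XfrmState is a constructed stand-in for a kernel XFRM state (not Cilium's or
// netlink's type); field names and the string IPs are assumptions for this example.
type XfrmState struct {
	SPI      int
	Src, Dst string
	NodeID   uint16
	Out      bool // egress when true; assumed decoded from the packet mark
}

// filterXFRMs keeps the states for which keep returns true; chaining two calls
// ANDs the filters, as the chained-calls test commit above describes.
func filterXFRMs(states []XfrmState, keep func(XfrmState) bool) (out []XfrmState) {
	for _, s := range states {
		if keep(s) {
			out = append(out, s)
		}
	}
	return out
}

func bySPI(spi int) func(XfrmState) bool    { return func(s XfrmState) bool { return s.SPI == spi } }
func byNodeID(id uint16) func(XfrmState) bool { return func(s XfrmState) bool { return s.NodeID == id } }

// selectForFlush ANDs the filters and reports whether they matched every state:
// that is almost certainly a wrong filter, and flushing everything drops traffic
// and then sends it in plain text, so the caller must ask for confirmation first.
func selectForFlush(states []XfrmState, filters ...func(XfrmState) bool) (sel []XfrmState, all bool) {
	sel = states
	for _, f := range filters {
		sel = filterXFRMs(sel, f)
	}
	return sel, len(states) > 0 && len(sel) == len(states)
}

// describe logs SPI, src, dst, direction and node ID, the node ID in hex so it
// can be matched against the XFRM and node-ID map dumps.
func describe(s XfrmState) string {
	dir := map[bool]string{false: "in", true: "out"}[s.Out]
	return fmt.Sprintf("spi=%d src=%s dst=%s dir=%s nodeID=0x%x", s.SPI, s.Src, s.Dst, dir, s.NodeID)
}

func main() { // constructed sample: old key SPI 3 and new key SPI 4 toward node 0x1a2b
	states := []XfrmState{{3, "10.0.1.1", "10.0.2.1", 0x1a2b, true}, {4, "10.0.1.1", "10.0.2.1", 0x1a2b, true}}
	sel, all := selectForFlush(states, bySPI(3), byNodeID(0x1a2b))
	fmt.Printf("flush all? %v; selected: %s\n", all, describe(sel[0]))
}
```

Filtering by SPI alone would also leave the new key's state in place; a filter that matches every state sets all to true and should be confirmed, not flushed silently.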
/test-backport-1.13
Thanks and looks good for my commit
/test-1.23-4.19
Thanks!
The two PRs from me you backported look good. Thanks!
Once this PR is merged, a GitHub action will update the labels of these PRs:
linuxNodeHandler IPsec functions to their own file #28941 (@pchaigno)
encrypt flush command #28795 (@pchaigno)