Host endpoint #10994
force-pushed from 28e7496 to 35f2213
Series looks great, thanks!
Some nits and remarks, mostly low-level.
Should we maybe add something to the Documentation/? Documentation/policy/intro.rst and Documentation/policy/language.rst look like good candidates.
force-pushed from e3705b0 to 48f70f4
Exciting stuff! I only got about 3-4 commits in as it's a pretty big PR, will come back later.
Is there any chance we can further split this PR? The Github UI is painfully slow to interact with for this PR in its current state.
@joe I've addressed (or answered) your comments. Please note I had to add a commit (
force-pushed from bf8ca9f to 76c8466
Failed with:
retest-4.9
force-pushed from b489494 to 11821ee
bpf_netdev.c is renamed to bpf_host and bpf_hostdev_ingress is included, in preparation for the host endpoint that requires a single object file. Signed-off-by: Paul Chaignon <paul@cilium.io>
For the host firewall, we need to have a single bpf_host object file containing both the from-host and the from-netdev paths, to load it from the Go side. We therefore turn FROM_HOST into a variable set to true or false depending on the entry point (i.e., from_host() vs. from_netdev()). The other option (to avoid the increased code complexity in the datapath) is to let the Go side handle several object files and header files for the special host endpoint. That second option is likely to just move the increased code complexity to the Go side. The CILIUM_CALL_IPV{4,6}_FROM_LXC entry points (and handle_ipv{4,6}) are broken into CILIUM_CALL_IPV{4,6}_FROM_LXC and CILIUM_CALL_IPV{4,6}_FROM_HOST based on the value of from_host. This change allows the compiler to perform dead code elimination on from_host and reduce the program sizes to <4096. Signed-off-by: Paul Chaignon <paul@cilium.io>
handle_ipv{4,6} have the highest complexity as reported by the BPF verifier. We can extract the source ID resolution from these programs and execute it before the tail calls. This comes at zero cost in terms of metadata slots since we already use the same metadata slot to transfer the source identity from the proxy across the tail call. Signed-off-by: Paul Chaignon <paul@cilium.io>
The package contains a single constant definition right now but will have more with the host endpoint in later commits. Signed-off-by: Paul Chaignon <paul@cilium.io>
This function is also going to be used to create the host endpoint in subsequent commits. Signed-off-by: Paul Chaignon <paul@cilium.io>
This commit adds a special Cilium endpoint on each node to represent the node itself. It takes the reserved security ID 1. The special endpoint is created by endpoint.CreateLocalNodeEndpoint on daemon startup if that endpoint wasn't already restored. When the datapath for the special endpoint is regenerated, it loads bpf_host.o instead of bpf_lxc.o. bpf_host enforces policies for both traffic to/from pods and traffic to/from the outside world. It follows the same template generation path as traditional bpf_lxc files. ENABLE_EXTRA_HOST_DEV was only defined in init.sh for the from_host path. It is now defined from the Go side for all paths, and we check whether from_host is true in the C code instead. Signed-off-by: Paul Chaignon <paul@cilium.io>
We define IPV6_NODEPORT and IPV6_DIRECT_ROUTING both from Golang (for bpf_netdev) and init.sh (for bpf_xdp). On the Go side it is defined as static data whose value is patched before loading. In init.sh the values are given as simple macros. IPv6 addresses defined as static data rely on BPF_V6(), but BPF_V6() doesn't support macros. Thus, we define BPF_V6_NODEPORT() and BPF_V6_DIRECT_ROUTING() which will fall back to BPF_V6 in case of static data and just copy the value otherwise. For IPV6_DIRECT_ROUTING, this workaround can be removed once we move its definition to node_config.h. For IPV6_NODEPORT, a better, long-term fix would be to load the bpf_xdp program from Golang. Signed-off-by: Paul Chaignon <paul@cilium.io>
Because we changed the C header filenames (from lxc_config.h to ep_config.h), endpoints don't get properly restored on upgrades and downgrades. This commit fixes the up/downgrade paths by 1) creating a lxc_config.h symlink for new ep_config.h header files and 2) renaming the header file and creating the symlink when restoring endpoints on an upgrade. On a downgrade, Cilium will pick up the lxc_config.h symlink. Signed-off-by: Paul Chaignon <paul@cilium.io>
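The upgrade/downgrade handling described in this commit has corner cases that are easy to get wrong (a dangling lxc_config.h symlink, two regular files left by an interrupted migration), and an endpoint that fails to restore is an endpoint whose policy is not enforced. The following is an added Go example of an idempotent version of that migration. It is not Cilium's code: the function name EnsureEndpointHeader, the returned action strings and the sample directory contents are assumptions made for illustration; only the two header file names come from the commit message.

```go
// Added example, not Cilium's code: keep an endpoint directory usable
// across the lxc_config.h -> ep_config.h header rename in both directions.
// The function name and the "action" strings are assumptions made here.
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

const (
	oldHeader = "lxc_config.h" // name written by older releases
	newHeader = "ep_config.h"  // name written by the new release
)

// EnsureEndpointHeader leaves dir with a regular ep_config.h and an
// lxc_config.h symlink pointing at it (relative, so the directory can be
// moved), whatever state the previous release left behind. It returns
// which path ran: "upgraded", "linked" or "unchanged".
func EnsureEndpointHeader(dir string) (string, error) {
	oldPath := filepath.Join(dir, oldHeader)
	newPath := filepath.Join(dir, newHeader)

	// Lstat: an lxc_config.h symlink must be recognised as a symlink, not
	// followed to a target that may be missing.
	oldInfo, oldErr := os.Lstat(oldPath)
	if oldErr != nil && !errors.Is(oldErr, os.ErrNotExist) {
		return "", oldErr
	}
	_, newErr := os.Stat(newPath)
	if newErr != nil && !errors.Is(newErr, os.ErrNotExist) {
		return "", newErr
	}
	oldExists, newExists := oldErr == nil, newErr == nil
	oldIsLink := oldExists && oldInfo.Mode()&os.ModeSymlink != 0

	switch {
	case !oldExists && !newExists:
		return "", fmt.Errorf("no endpoint header in %s", dir)

	case oldExists && !newExists:
		if oldIsLink {
			return "", fmt.Errorf("%s is a dangling symlink", oldPath)
		}
		// Upgrade: the old release wrote a real lxc_config.h. Rename it and
		// leave the old name behind as a symlink so a later downgrade still
		// finds a header under the name it expects.
		if err := os.Rename(oldPath, newPath); err != nil {
			return "", err
		}
		if err := os.Symlink(newHeader, oldPath); err != nil {
			return "", err
		}
		return "upgraded", nil

	case !oldExists && newExists:
		// Fresh endpoint written by the new release: only the compat link
		// is missing.
		if err := os.Symlink(newHeader, oldPath); err != nil {
			return "", err
		}
		return "linked", nil

	default:
		// Both names exist. The only healthy state is old -> new symlink.
		if !oldIsLink {
			return "", fmt.Errorf("%s and %s are both regular files in %s; refusing to pick one", oldHeader, newHeader, dir)
		}
		target, err := os.Readlink(oldPath)
		if err != nil {
			return "", err
		}
		if target != newHeader && target != newPath {
			return "", fmt.Errorf("%s points to %q, expected %s", oldPath, target, newHeader)
		}
		return "unchanged", nil
	}
}

func main() {
	// Constructed scenario: an endpoint directory left behind by an older
	// release, then the migration run twice to show it is idempotent.
	dir, err := os.MkdirTemp("", "cilium-ep-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := os.WriteFile(filepath.Join(dir, oldHeader), []byte("#define LXC_ID 1234\n"), 0o600); err != nil {
		panic(err)
	}
	for i := 0; i < 2; i++ {
		action, err := EnsureEndpointHeader(dir)
		fmt.Println(action, err) // upgraded <nil>, then unchanged <nil>
	}
}
```

Two choices worth noting: the symlink target is relative (ep_config.h rather than the absolute path), so the endpoint directory stays consistent if the state directory is relocated; and when both names are regular files the function refuses rather than guessing which one is current, because silently loading a stale header is worse than a loud restore failure that an operator can investigate.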
force-pushed from 11821ee to f8e8b7b
This last push fixes a couple bugs:
Because the host endpoint relies on bpf_host instead of bpf_lxc, it needs the CIDR prefixes maintained by the Daemon instead of endpoint-specific CIDR prefixes. The former are already printed in netdev_config.h but the host endpoint datapath doesn't use that header file anymore. Instead, we need to print the appropriate CIDR prefixes (the Daemon's) into the host endpoint's ep_config.h header file. We therefore also need to regenerate the host endpoint whenever CIDR policies change, as we already do for the base programs. Signed-off-by: Paul Chaignon <paul@cilium.io>
force-pushed from f8e8b7b to 1cc2f9c
test-me-please
This pull request adds the special host endpoint (needed for the subsequent host network policies PR). See commit messages for details. As a summary:
- Merge bpf_netdev and bpf_hostdev_ingress into a single file, bpf_host.
- Replace the FROM_HOST macro to be able to compile from the Go side.
- Split handle_ipv{4,6} to reduce complexity.
- Add a pkg/maps/callsmap package for constants of the internal calls map.
- Extract a createEndpoint function.
- Add BPF_V6_NODEPORT and BPF_V6_DIRECT_ROUTING to allow loading IPv6 addresses as either static data or a macro.