v1.7 backports 2020-07-08 #12458

Merged
merged 7 commits into from Jul 10, 2020

vadorovsky
Member

Once this PR is merged, you can update the PR labels via:

```
$ for pr in 12185 12194 12291 12351 12361 11236; do contrib/backporting/set-labels.py $pr done 1.7; done
```

@vadorovsky vadorovsky requested a review from a team as a code owner July 8, 2020 11:57
@maintainer-s-little-helper maintainer-s-little-helper bot added backport/1.7 kind/backports This PR provides functionality previously merged into master. labels Jul 8, 2020
@vadorovsky
Member Author

test-backport-1.7

@brb
Member

brb commented Jul 8, 2020

The failures look legit:

```
14:01:49  # github.com/cilium/cilium/pkg/service
[2020-07-08T12:01:49.812Z] ../pkg/service/service.go:125:5: undefined: option
[2020-07-08T12:01:49.812Z] ../pkg/service/service.go:246:6: undefined: option
[2020-07-08T12:01:49.812Z] ../pkg/service/service.go:611:5: undefined: option
[2020-07-08T12:01:49.812Z] Makefile:8: recipe for target 'cilium' failed
14:01:49  make[1]: Leaving directory '/go/src/github.com/cilium/cilium/cilium'
14:01:49  make[1]: *** [cilium] Error 2
[2020-07-08T12:01:49.812Z] make: *** [build-container] Error 2
[2020-07-08T12:01:49.812Z] Makefile:81: recipe for target 'build-container' failed
14:01:51  The command '/bin/sh -c make LOCKDEBUG=$LOCKDEBUG PKG_BUILD=1 V=$V LIBNETWORK_PLUGIN=$LIBNETWORK_PLUGIN     SKIP_DOCS=true DESTDIR=/tmp/install clean-container build-container install-container' returned a non-zero code: 2
14:01:51  Makefile:209: recipe for target 'docker-image-no-clean' failed
14:01:51  make: *** [docker-image-no-clean] Error 2
```

@vadorovsky vadorovsky force-pushed the pr/v1.7-backport-2020-07-08 branch from 113f926 to 7d336a1 Compare July 8, 2020 14:37
@vadorovsky
Member Author

test-backport-1.7

Member

@christarazi christarazi left a comment

LGTM for my changes. I noticed that the PRs listed are not marked as "pending". Could you please mark them (the script should do it for you)? This helps reduce any conflict in case another backporter starts a 1.7 backport.

jrfastab and others added 7 commits July 9, 2020 10:28
[ upstream commit 1cc79c1 ]

The skb->mark field may not be reliable in chaining modes because the host
stack may have conflicting users of the mark field. For example in one
case we observe a set mark rule 'MARK and 0xfff1ffff' which mangles the
identity stored in skb->mark. If Cilium user also has ingress policy
logic the identity is no longer correct. This likely will result in policy
denied hits,

-> stack flow 0xa0688256 identity 54898->7179 state established ifindex 0 orig-ip 0.0.0.0: 192.168.187.136:50344 -> 192.168.187.139:80 tcp SYN
xx drop (Policy denied) flow 0xa0688256 to endpoint 149, identity 54897->7179: 192.168.187.136:50344 -> 192.168.187.139:80 tcp SYN

To fix this create a flag EnableIdentityMark to allow setting the identity.
In cases that have conflicting mark values this can then be disabled. The
trace on ingress will no longer have a listed identity but because when
'identity < UNMANAGED' we do the lookup using the src ip and policy will
work correctly.

Fixes: f25d8b9 ("bpf: Preserve source identity for hairpin via stack")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

[ upstream commit c7acec0 ]

Fix the helm usage of enableIdentityMap so that it uses the correct cilium-agent
variable enableIdentityMark. Additionally add text in Calico guide for CNI
chaining to use the field.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

[ upstream commit 8f624a7 ]

Signed-off-by: André Martins <andre@cilium.io>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

[ upstream commit ecac73d ]

This is useful in cases where a backport PR is started on the same day
that another backport PR was created, for the same branch (e.g. v1.6).
In this case, the developer would have to manually modify the script to
create a non-conflicting branch name.

This commit allows the developer instead to pass a suffix to
disambiguate the branch name, without need to modify the script.

Example usage:

```
$ ./contrib/backporting/start-backport 1.6 "-2"
```

This creates a backport branch name pr/v1.6-backport-2020-06-30-2.

Signed-off-by: Chris Tarazi <chris@isovalent.com>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

[ upstream commit 5cfa8a8 ]

Signed-off-by: Chris Tarazi <chris@isovalent.com>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

[ upstream commit 5968d5a ]

The `if` condition is actually inverted which makes it impossible to
create a backport branch. This commit fixes this issue.

Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

[ upstream commit edff374 ]

This PR adds in an option 'enable-health-check-nodeport' to the
cilium-agent for disabling 'HealthCheckNodePort' based on the
KubeProxyReplacement configuration.
It also adds in an option 'enableHealthCheckNodePort' to the helm
charts and documents the new config options with impacts when
kubeProxyReplacement is set to 'partial'.

Fixes: #11168
Signed-off-by: Swaminathan Vasudevan <svasudevan@suse.com>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
@vadorovsky vadorovsky force-pushed the pr/v1.7-backport-2020-07-08 branch from 7d336a1 to 32212cf Compare July 9, 2020 08:33
@vadorovsky
Member Author

@christarazi Sorry for that, I totally forgot about running the set-labels script.

@vadorovsky
Member Author

test-backport-1.7

Member

@aanm aanm left a comment

looks good for my changes

@vadorovsky
Member Author

Failure:

```
11:46:36  • Failure in Spec Setup (BeforeEach) [267.302 seconds]
11:46:36  K8sServicesTest
11:46:36  /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-K8s/1.12-gopath/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:395
11:46:36    External services
11:46:36    /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-K8s/1.12-gopath/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:395
11:46:36      To Services first endpoint creation [BeforeEach]
11:46:36      /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-K8s/1.12-gopath/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:430
11:46:36  
11:46:36      Endpoints are not ready after timeout
[2020-07-09T09:46:36.139Z]     Expected
[2020-07-09T09:46:36.139Z]         <*helpers.SSHMetaError | 0xc0012c9040>: Error: context deadline exceeded
[2020-07-09T09:46:36.139Z]     Extended info: 	Cilium Pod: cilium-dt9zt 	Endpoint: 372 	Identity: 5	 State: ready
[2020-07-09T09:46:36.139Z]     	Cilium Pod: cilium-dt9zt 	Endpoint: 3070 	Identity: 4	 State: ready
[2020-07-09T09:46:36.139Z]     	Cilium Pod: cilium-nwp8z 	Endpoint: 1484 	Identity: 21866	 State: ready
[2020-07-09T09:46:36.139Z]     	Cilium Pod: cilium-nwp8z 	Endpoint: 1904 	Identity: 39889	 State: ready
[2020-07-09T09:46:36.139Z]     	Cilium Pod: cilium-nwp8z 	Endpoint: 3014 	Identity: 4	 State: ready
[2020-07-09T09:46:36.139Z]     
[2020-07-09T09:46:36.139Z]     
[2020-07-09T09:46:36.139Z]     to be nil
11:46:36  
11:46:36      /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-K8s/1.12-gopath/src/github.com/cilium/cilium/test/k8sT/Services.go:846
```

@joestringer
Member

joestringer commented Jul 9, 2020

Looks like known flake #10442, not a regression so can be bypassed to merge.

@joestringer joestringer merged commit 1e74671 into v1.7 Jul 10, 2020
@joestringer joestringer deleted the pr/v1.7-backport-2020-07-08 branch July 10, 2020 19:38