v1.7 backports 2020-07-08

Documentation/cmdref/cilium-agent.md

@@ -56,8 +56,10 @@ cilium-agent [flags]
       --enable-endpoint-health-checking               Enable connectivity health checking between virtual endpoints (default true)
       --enable-endpoint-routes                        Use per endpoint routes instead of routing via cilium_host
       --enable-external-ips                           Enable k8s service externalIPs feature (requires enabling enable-node-port) (default true)
+      --enable-health-check-nodeport                  Enables a healthcheck nodePort server for NodePort services with 'healthCheckNodePort' being set (default true)
       --enable-health-checking                        Enable connectivity health checking (default true)
       --enable-host-reachable-services                Enable reachability of services for host applications (beta)
+      --enable-identity-mark                          Enable setting identity mark for local traffic (default true)
       --enable-ipsec                                  Enable IPSec support
       --enable-ipv4                                   Enable IPv4 support (default true)
       --enable-ipv6                                   Enable IPv6 support (default true)

Documentation/contributing/release/stable.rst

@@ -159,7 +159,43 @@ If you intent to release a new feature release, see the
 
    #. Preview the description and then publish the release
 
-#. Announce the release in the ``#general`` channel on Slack
+#. Prepare Helm changes using the `Cilium Helm Charts Repository <https://github.com/cilium/charts/>`_
+   and push the changes into that repository (not the main cilium repository):
+
+   ::
+
+      ./prepare_artifacts.sh /path/to/cilium/repository/checked/out/to/release/commit
+      git push
+
+#. Prepare Helm changes using the `Cilium Helm Charts Repository <https://github.com/cilium/charts/>`_
+   for the vX.Y helm charts, and push the changes into that repository (not the main cilium repository):
+
+   In the ``cilium/cilium`` repository:
+
+   #. ``git checkout vx.y -b vx.z-dev``
+   #. Change the ``VERSION`` file to ``x.y-dev``
+   #. Run ``make -C install/kubernetes``
+
+   In the ``cilium/charts`` repository:
+
+   ::
+
+      ./prepare_artifacts.sh /path/to/cilium/repository/checked/out/to/release/commit
+      git push
+
+   After pushing you can revert all the changes made in the local branch
+   ``x.y-dev`` from ``cilium/cilium``.
+
+#. Announce the release in the ``#general`` channel on Slack. Sample text:
+
+   ::
+
+      :cilium-new: **Announcement:** Cilium vX.Y.Z has been released :tada:
+
+      <If security release or major bugfix, short summary of fix here>
+
+      For more details, see the release notes:
+      https://github.com/cilium/cilium/releases/tag/vX.Y.Z
 
 #. Update the ``README.rst#stable-releases`` section from the Cilium master branch
 

Documentation/gettingstarted/cni-chaining-calico.rst

@@ -78,7 +78,8 @@ Deploy Cilium release via Helm:
       --set global.cni.customConf=true \\
       --set global.cni.configMap=cni-configuration \\
       --set global.tunnel=disabled \\
-      --set global.masquerade=false
+      --set global.masquerade=false \\
+      --set global.enableIdentityMark=false
 
 .. note::
 

Documentation/gettingstarted/kubeproxy-free.rst

@@ -322,12 +322,14 @@ This section therefore elaborates on the various ``global.kubeProxyReplacement``
   ``probe`` which checks the underlying kernel for available BPF features and automatically
   disables components responsible for the BPF kube-proxy replacement when kernel support
   is missing, the ``partial`` option requires the user to manually specify which components
-  for the BPF kube-proxy replacement should be used. Similarly to ``strict`` mode, the
-  Cilium agent will bail out on start-up with an error message if the underlying kernel
-  requirements are not met. For fine-grained configuration, ``global.hostServices.enabled``,
-  ``global.nodePort.enabled`` and ``global.externalIPs.enabled`` can be set to ``true``.
-  By default all three options are set to ``false``. A few example configurations for the
-  ``partial`` option are provided below.
+  for the BPF kube-proxy replacement should be used. When ``global.kubeProxyReplacement``
+  is set to ``partial`` make sure to also set ``global.enableHealthCheckNodeport`` to
+  ``false``, so that the Cilium agent does not start the NodePort health check server.
+  Similarly to ``strict`` mode, the Cilium agent will bail out on start-up with an error
+  message if the underlying kernel requirements are not met. For fine-grained configuration,
+  ``global.hostServices.enabled``, ``global.nodePort.enabled``, ``global.externalIPs.enabled``
+  and ``global.hostPort.enabled`` can be set to ``true``. By default all four options are set
+  to ``false``. A few example configurations for the ``partial`` option are provided below.
 
   The following helm setup below would be equivalent to ``global.kubeProxyReplacement=strict``
   in a kube-proxy-free environment:

Documentation/spelling_wordlist.txt

@@ -574,6 +574,7 @@ username
 userspace
 uuid
 vCPUs
+vX
 validator
 verifier
 vers

bpf/bpf_lxc.c

@@ -393,11 +393,13 @@ static inline int ipv6_l3_from_lxc(struct __sk_buff *skb,
 #endif
 #endif
 	{
+#ifdef ENABLE_IDENTITY_MARK
 		/* Always encode the source identity when passing to the stack. If the
 		 * stack hairpins the packet back to a local endpoint the source
 		 * identity can still be derived even if SNAT is performed by a
 		 * component such as portmap */
 		asm_set_seclabel_identity(skb);
+#endif
 	}
 
 #ifdef ENCAP_IFINDEX
@@ -734,11 +736,13 @@ static inline int handle_ipv4_from_lxc(struct __sk_buff *skb, __u32 *dstID)
 #endif
 #endif
 	{
+#ifdef ENABLE_IDENTITY_MARK
 		/* Always encode the source identity when passing to the stack. If the
 		 * stack hairpins the packet back to a local endpoint the source
 		 * identity can still be derived even if SNAT is performed by a
 		 * component such as portmap */
 		asm_set_seclabel_identity(skb);
+#endif
 	}
 
 #ifdef ENCAP_IFINDEX

bpf/node_config.h

@@ -67,6 +67,8 @@ DEFINE_IPV6(HOST_IP, 0xbe, 0xef, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0xa, 0x
 #define SNAT_MAPPING_MAX_PORT 65535
 #endif
 
+#define ENABLE_IDENTITY_MARK 1
+
 #ifdef ENABLE_IPV4
 #define IPV4_MASK 0xffff
 #define IPV4_GATEWAY 0xfffff50a

contrib/backporting/start-backport

@@ -27,13 +27,28 @@ if [ "$BRANCH" = "" ]; then
 fi
 BRANCH=$(echo "$BRANCH" | sed 's/^v//')
 
+# Extra optional suffix in cases where there are multiple backport PRs that
+# have the same conflicting branch name.
+SUFFIX="${2}"
+
 git fetch origin
 if ! git branch -a | grep -q "origin/v$BRANCH$" ; then
-    echo "usage: start-backport <branch version>" 1>&2
+    echo "usage: start-backport <branch version> [suffix]" 1>&2
     echo "  (detected branch $BRANCH)" 1>&2
     common::exit 1
 fi
 
 DATE=$(date --rfc-3339=date)
-git checkout -b pr/v$BRANCH-backport-$DATE origin/v$BRANCH
+PRBRANCH="pr/v${BRANCH}-backport-${DATE}${SUFFIX}"
+
+if (git --no-pager branch | grep -q "${PRBRANCH}"); then
+    echo "Error: branch '${PRBRANCH}' already exists"
+    echo "Consider passing a suffix as the second parameter"
+    echo
+    echo "Example:"
+    echo "  ./contrib/backporting/start-backport ${BRANCH} \"-2\""
+    common::exit 1
+fi
+
+git checkout -b "${PRBRANCH}" origin/v$BRANCH
 contrib/backporting/check-stable $BRANCH v$BRANCH-backport-$DATE.txt

daemon/bpf.sha

@@ -1,2 +1,2 @@
-GO_BINDATA_SHA1SUM=4c9cc3d2d8462a47feff46ddfe344e0396d955b6
+GO_BINDATA_SHA1SUM=946cca91748deb767594f37be2149fe06dc4b374
 BPF_FILES=../bpf/COPYING ../bpf/Makefile ../bpf/Makefile.bpf ../bpf/bpf_alignchecker.c ../bpf/bpf_features.h ../bpf/bpf_hostdev_ingress.c ../bpf/bpf_ipsec.c ../bpf/bpf_lxc.c ../bpf/bpf_netdev.c ../bpf/bpf_network.c ../bpf/bpf_overlay.c ../bpf/bpf_sock.c ../bpf/bpf_xdp.c ../bpf/cilium-map-migrate.c ../bpf/filter_config.h ../bpf/include/bpf/api.h ../bpf/include/elf/elf.h ../bpf/include/elf/gelf.h ../bpf/include/elf/libelf.h ../bpf/include/iproute2/bpf_elf.h ../bpf/include/linux/bpf.h ../bpf/include/linux/bpf_common.h ../bpf/include/linux/byteorder.h ../bpf/include/linux/byteorder/big_endian.h ../bpf/include/linux/byteorder/little_endian.h ../bpf/include/linux/icmp.h ../bpf/include/linux/icmpv6.h ../bpf/include/linux/if_arp.h ../bpf/include/linux/if_ether.h ../bpf/include/linux/if_packet.h ../bpf/include/linux/in.h ../bpf/include/linux/in6.h ../bpf/include/linux/ioctl.h ../bpf/include/linux/ip.h ../bpf/include/linux/ipv6.h ../bpf/include/linux/perf_event.h ../bpf/include/linux/swab.h ../bpf/include/linux/tcp.h ../bpf/include/linux/type_mapper.h ../bpf/include/linux/udp.h ../bpf/init.sh ../bpf/lib/arp.h ../bpf/lib/common.h ../bpf/lib/config.h ../bpf/lib/conntrack.h ../bpf/lib/conntrack_map.h ../bpf/lib/conntrack_test.h ../bpf/lib/csum.h ../bpf/lib/dbg.h ../bpf/lib/drop.h ../bpf/lib/encap.h ../bpf/lib/eps.h ../bpf/lib/eth.h ../bpf/lib/events.h ../bpf/lib/icmp6.h ../bpf/lib/identity.h ../bpf/lib/ipv4.h ../bpf/lib/ipv6.h ../bpf/lib/ipv6_test.h ../bpf/lib/l3.h ../bpf/lib/l4.h ../bpf/lib/lb.h ../bpf/lib/lxc.h ../bpf/lib/maps.h ../bpf/lib/metrics.h ../bpf/lib/nat.h ../bpf/lib/nat46.h ../bpf/lib/nodeport.h ../bpf/lib/policy.h ../bpf/lib/signal.h ../bpf/lib/tailcall.h ../bpf/lib/trace.h ../bpf/lib/utils.h ../bpf/lib/xdp.h ../bpf/lxc_config.h ../bpf/netdev_config.h ../bpf/node_config.h ../bpf/probes/raw_change_tail.t ../bpf/probes/raw_fib_lookup.t ../bpf/probes/raw_insn.h ../bpf/probes/raw_invalidate_hash.t ../bpf/probes/raw_lpm_map.t ../bpf/probes/raw_lru_map.t ../bpf/probes/raw_main.c ../bpf/probes/raw_max_insn.t ../bpf/probes/raw_sock_cookie.t ../bpf/run_probes.sh ../bpf/sockops/Makefile ../bpf/sockops/bpf_redir.c ../bpf/sockops/bpf_sockops.c ../bpf/sockops/bpf_sockops.h ../bpf/sockops/sockops_config.h 

daemon/daemon_main.go

@@ -278,6 +278,9 @@ func init() {
 	flags.Bool(option.EnableHealthChecking, defaults.EnableHealthChecking, "Enable connectivity health checking")
 	option.BindEnv(option.EnableHealthChecking)
 
+	flags.Bool(option.EnableHealthCheckNodePort, defaults.EnableHealthCheckNodePort, "Enables a healthcheck nodePort server for NodePort services with 'healthCheckNodePort' being set")
+	option.BindEnv(option.EnableHealthCheckNodePort)
+
 	flags.StringSlice(option.EndpointStatus, []string{},
 		"Enable additional CiliumEndpoint status features ("+strings.Join(option.EndpointStatusValues(), ",")+")")
 	option.BindEnv(option.EndpointStatus)
@@ -517,6 +520,9 @@ func init() {
 	flags.Bool(option.NodePortBindProtection, true, "Reject application bind(2) requests to service ports in the NodePort range")
 	option.BindEnv(option.NodePortBindProtection)
 
+	flags.Bool(option.EnableIdentityMark, true, "Enable setting identity mark for local traffic")
+	option.BindEnv(option.EnableIdentityMark)
+
 	flags.String(option.IPv4NativeRoutingCIDR, "", "Allows to explicitly specify the CIDR for native routing. This value corresponds to the configured cluster-cidr.")
 	option.BindEnv(option.IPv4NativeRoutingCIDR)
 

install/kubernetes/Makefile

@@ -10,7 +10,7 @@ CILIUM_VALUES := "$(CILIUM_CHARTS)/values.yaml"
 
 VERSION_REGEX := '[0-9]\+\.[0-9]\+\.[0-9]\+.*'
 LATEST_VERSION_REGEX := '[0-9]\+\.[0-9]\+\.90'
-DEV_VERSION_REGEX := '[0-9]\+\.[0-9]\+\.[0-9]\+-dev'
+DEV_VERSION_REGEX := '[0-9]\+\.[0-9]\+-dev'
 CILIUM_CHART_REGEX := '\([vV]ersion:\) '$(VERSION_REGEX)
 CILIUM_TAG_REGEX := '\(tag:\) \(v'$(VERSION_REGEX)'\|latest\)'
 CILIUM_PULLPOLICY_REGEX := '\(pullPolicy:\) .*'
@@ -30,9 +30,8 @@ update-versions:
 			sed -i 's/'$(CILIUM_TAG_REGEX)'/\1 latest/' $(CILIUM_VALUES);			\
 			sed -i 's/'$(CILIUM_PULLPOLICY_REGEX)'/\1 Always/' $(CILIUM_VALUES);		\
 		elif echo $(VERSION) | grep -q $(DEV_VERSION_REGEX); then				\
-			DEV_BRANCH=$$(echo $(VERSION) | sed 's/-dev//')					\
-			sed -i 's/'$(CILIUM_TAG_REGEX)'/\1 $(DEV_BRANCH)/' $(CILIUM_VALUES);		\
-			sed -i 's/'$(CILIUM_PULLPOLICY_REGEX)'/\1 Always/' $(CILIUM_VALUES);		\
+			sed -i 's/'$(CILIUM_TAG_REGEX)'/\1 v$(subst -dev,,$(VERSION))/' $$chart;	\
+			sed -i 's/'$(CILIUM_PULLPOLICY_REGEX)'/\1 Always/' $$chart;			\
 		else											\
 			sed -i 's/'$(CILIUM_TAG_REGEX)'/\1 v$(VERSION)/' $(CILIUM_VALUES);		\
 			sed -i 's/'$(CILIUM_PULLPOLICY_REGEX)'/\1 IfNotPresent/' $(CILIUM_VALUES);	\

install/kubernetes/cilium/charts/config/templates/configmap.yaml

@@ -243,6 +243,8 @@ data:
   #  - portmap (Enables HostPort support for Cilium)
   cni-chaining-mode: {{ .Values.global.cni.chainingMode }}
 
+  enable-identity-mark: {{ .Values.global.enableIdentityMark | quote }}
+
 {{- if ne .Values.global.cni.chainingMode "portmap" }}
   # Disable the PodCIDR route to the cilium_host interface as it is not
   # required. While chaining, it is the responsibility of the underlying plugin
@@ -284,7 +286,7 @@ data:
 
 {{- if .Values.global.kubeProxyReplacement }}
   kube-proxy-replacement:  {{ .Values.global.kubeProxyReplacement | quote }}
-{{- end}}
+{{- end }}
 {{- if .Values.global.hostServices }}
   enable-host-reachable-services: {{ .Values.global.hostServices.enabled | quote }}
 {{- if ne .Values.global.hostServices.protocols "tcp,udp" }}
@@ -304,6 +306,9 @@ data:
 {{- end }}
 {{- if .Values.global.nodePort.mode }}
   node-port-mode: {{ .Values.global.nodePort.mode | quote }}
+{{- end }}
+{{- if .Values.global.nodePort.enableHealthCheck }}
+  enable-health-check-nodeport: {{ .Values.global.nodePort.enableHealthCheck | quote}}
 {{- end }}
   node-port-bind-protection: {{ .Values.global.nodePort.bindProtection | quote }}
   enable-auto-protect-node-port-range: {{ .Values.global.nodePort.autoProtectPortRange | quote }}

install/kubernetes/cilium/values.yaml

@@ -279,6 +279,9 @@ global:
     # ports is detected
     autoProtectPortRange: true
 
+    # enableHealthCheck enables healthcheck nodePort server for NodePort services
+    enableHealthCheck: true
+
   # externalIPs is the configuration for ExternalIPs service handling
   externalIPs:
     # enabled enables ExternalIPs functionality
@@ -368,3 +371,7 @@ global:
     # Regular expression matching compatible Istio sidecar istio-proxy
     # container image names
     sidecarImageRegex: "cilium/istio_proxy"
+
+  # enables passing identity on local routes by using the mark fields. However,
+  # in cases where this conflicts with a chained CNI plugin it may be disabled.
+  enableIdentityMark: true

install/kubernetes/quick-install.yaml

@@ -143,6 +143,7 @@ data:
   enable-host-reachable-services: "false"
   enable-external-ips: "false"
   enable-node-port: "false"
+  enable-health-check-nodeport: "true"
   node-port-bind-protection: "true"
   enable-auto-protect-node-port-range: "true"
   enable-endpoint-health-checking: "true"

pkg/datapath/linux/config/config.go

@@ -271,6 +271,10 @@ func (h *HeaderfileWriter) WriteNodeConfig(w io.Writer, cfg *datapath.LocalNodeC
 		ctmap.WriteBPFMacros(fw, nil)
 	}
 
+	if option.Config.EnableIdentityMark {
+		cDefinesMap["ENABLE_IDENTITY_MARK"] = "1"
+	}
+
 	// Since golang maps are unordered, we sort the keys in the map
 	// to get a consistent writtern format to the writer. This maintains
 	// the consistency when we try to calculate hash for a datapath after

pkg/defaults/defaults.go

@@ -187,6 +187,10 @@ const (
 	// EnableEndpointHealthChecking
 	EnableEndpointHealthChecking = true
 
+	// EnableHealthCheckNodePort is the default value for
+	// EnableHealthCheckNodePort
+	EnableHealthCheckNodePort = true
+
 	// AlignCheckerName is the BPF object name for the alignchecker.
 	AlignCheckerName = "bpf_alignchecker.o"
 
@@ -361,4 +365,8 @@ const (
 	// K8sEnableAPIDiscovery defines whether Kuberntes API groups and
 	// resources should be probed using the discovery API
 	K8sEnableAPIDiscovery = false
+
+	// EnableIdentityMark enables setting identity in mark field of packet
+	// for local traffic
+	EnableIdentityMark = true
 )

pkg/option/config.go

@@ -259,6 +259,11 @@ const (
 	// NodePortRange defines a custom range where to look up NodePort services
 	NodePortRange = "node-port-range"
 
+	// EnableIdentityMark enables setting the mark field with the identity for
+	// local traffic. This may be disabled if chaining modes and Cilium use
+	// conflicting marks.
+	EnableIdentityMark = "enable-identity-mark"
+
 	// LibDir enables the directory path to store runtime build environment
 	LibDir = "lib-dir"
 
@@ -559,6 +564,9 @@ const (
 	// EnableEndpointHealthChecking is the name of the EnableEndpointHealthChecking option
 	EnableEndpointHealthChecking = "enable-endpoint-health-checking"
 
+	// EnableHealthCheckNodePort is the name of the EnableHealthCheckNodePort option
+	EnableHealthCheckNodePort = "enable-health-check-nodeport"
+
 	// PolicyQueueSize is the size of the queues utilized by the policy
 	// repository.
 	PolicyQueueSize = "policy-queue-size"
@@ -1217,6 +1225,10 @@ type DaemonConfig struct {
 	// health endpoints
 	EnableEndpointHealthChecking bool
 
+	// EnableHealthCheckNodePort enables health checking of NodePort by
+	// cilium
+	EnableHealthCheckNodePort bool
+
 	// KVstoreKeepAliveInterval is the interval in which the lease is being
 	// renewed. This must be set to a value lesser than the LeaseTTL ideally
 	// by a factor of 3.
@@ -1343,6 +1355,11 @@ type DaemonConfig struct {
 	// NodePortMax is the maximum port address for the NodePort range
 	NodePortMax int
 
+	// EnableIdentityMark enables setting the mark field with the identity for
+	// local traffic. This may be disabled if chaining modes and Cilium use
+	// conflicting marks.
+	EnableIdentityMark bool
+
 	// excludeLocalAddresses excludes certain addresses to be recognized as
 	// a local address
 	excludeLocalAddresses []*net.IPNet
@@ -1425,6 +1442,7 @@ var (
 		EnableHostIPRestore:          defaults.EnableHostIPRestore,
 		EnableHealthChecking:         defaults.EnableHealthChecking,
 		EnableEndpointHealthChecking: defaults.EnableEndpointHealthChecking,
+		EnableHealthCheckNodePort:    defaults.EnableHealthCheckNodePort,
 		EnableIPv4:                   defaults.EnableIPv4,
 		EnableIPv6:                   defaults.EnableIPv6,
 		EnableL7Proxy:                defaults.EnableL7Proxy,
@@ -1798,6 +1816,7 @@ func (c *DaemonConfig) Populate() {
 	c.EnableEndpointRoutes = viper.GetBool(EnableEndpointRoutes)
 	c.EnableHealthChecking = viper.GetBool(EnableHealthChecking)
 	c.EnableEndpointHealthChecking = viper.GetBool(EnableEndpointHealthChecking)
+	c.EnableHealthCheckNodePort = viper.GetBool(EnableHealthCheckNodePort)
 	c.EnableLocalNodeRoute = viper.GetBool(EnableLocalNodeRoute)
 	c.EnablePolicy = strings.ToLower(viper.GetString(EnablePolicy))
 	c.EnableExternalIPs = viper.GetBool(EnableExternalIPs)
@@ -1896,6 +1915,8 @@ func (c *DaemonConfig) Populate() {
 		c.ipv4NativeRoutingCIDR = cidr.MustParseCIDR(nativeCIDR)
 	}
 
+	c.EnableIdentityMark = viper.GetBool(EnableIdentityMark)
+
 	// toFQDNs options
 	// When the poller is enabled, the default MinTTL is lowered. This is to
 	// avoid caching large sets of identities generated by a poller (it runs

pkg/service/healthserver/healthserver.go

@@ -17,6 +17,7 @@ package healthserver
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"sync/atomic"
@@ -25,8 +26,10 @@ import (
 	lb "github.com/cilium/cilium/pkg/loadbalancer"
 	"github.com/cilium/cilium/pkg/logging"
 	"github.com/cilium/cilium/pkg/logging/logfields"
+	"github.com/cilium/cilium/pkg/option"
 
 	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
 )
 
 var log = logging.DefaultLogger.WithField(logfields.LogSubsys, "service-healthserver")
@@ -188,6 +191,13 @@ func (h *httpHealthHTTPServerFactory) newHTTPHealthServer(port uint16, svc *Serv
 
 		if err := srv.ListenAndServe(); err != http.ErrServerClosed {
 			svc := srv.loadService()
+			if errors.Is(err, unix.EADDRINUSE) {
+				log.WithError(err).WithFields(logrus.Fields{
+					logfields.ServiceName:                svc.Service.Name,
+					logfields.ServiceNamespace:           svc.Service.Namespace,
+					logfields.ServiceHealthCheckNodePort: port,
+				}).Errorf("ListenAndServe failed for service health server, since the user might be running with kube-proxy. Please ensure that '--%s' option is set to false if '--%s' is set to '%s'", option.EnableHealthCheckNodePort, option.KubeProxyReplacement, option.KubeProxyReplacementPartial)
+			}
 			log.WithError(err).WithFields(logrus.Fields{
 				logfields.ServiceName:                svc.Service.Name,
 				logfields.ServiceNamespace:           svc.Service.Namespace,