v1.9 backports 2020-11-30 #14212
Commits on Nov 30, 2020
Doc: Link hubble metrics to L7 visibility.
[ upstream commit 53f35fb ] Signed-off-by: Mandar U Jog <mjog@google.com> Signed-off-by: André Martins <andre@cilium.io>
Commit 771b225
helm: fix and improve extraHostPathMounts for agent and operator
Commit 5a8063a
checkpatch: update image tag to latest
[ upstream commit a3d1f02 ] Update the tag for the checkpatch image in order to benefit from the latest changes when running the GitHub actions: the latest image suppresses reports for FILE_PATH_CHANGES to avoid checkpatch complaining when files are added or moved under the bpf/ directory. See discussion at #14088 (comment) Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: André Martins <andre@cilium.io>
Commit cf69681
endpoint: Add DebugPolicy option
[ upstream commit baeb61f ] Add endpoint DebugPolicy option that, if enabled, logs endpoint policy map update details to /var/run/cilium/state/endpoint-policy.log. The new DebugPolicy option is enabled if the new flag --debug-verbose=policy is set, but can also be enabled independently via:
    cilium endpoint config <EPID> DebugPolicy=true
Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: André Martins <andre@cilium.io>
Commit 1dbc840
endpoint: Update lock requirement comments
[ upstream commit 8704e85 ] Endpoint's Mutex has been renamed as 'mutex'. Update comments to reflect this and also the lock level requirement (Lock for writing, RLock for reading). Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: André Martins <andre@cilium.io>
Commit dbfb949
[ upstream commit baf84ad ] Module listings can allow figuring out the availability of certain functionality like iptables or aes modules which can be useful when debugging certain types of problems. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: André Martins <andre@cilium.io>
Commit 33fc9d4
Commit 297c65c
helm: Fix description for clustermesh
[ upstream commit e38fd96 ] With the `disableEnvoyVersionCheck` option commented out and no subsequent comment for the `clustermesh` option, the autogeneration script was pulling the description for `disableEnvoyVersionCheck` in for `clustermesh`. Fix it by removing the dashes so no description is generated for this particular option. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: André Martins <andre@cilium.io>
Commit 71e7c79
cilium: disable bind-protection in kube-proxy free probe mode
[ upstream commit 2a3e5d4 ] The probe mode is expected to only run alongside kube-proxy as hybrid. There was confusion that the kube-proxy log was throwing (harmless) warnings to its log that it could not bind sockets to service ports in the hostns. This is due to Cilium performing bind protection right out of the bind(2) syscall with eBPF. To avoid this confusion, defer to kube-proxy to bind sockets instead. This is less efficient and consumes more resources, but if users want to avoid the overhead, they would run kube-proxy free in strict mode anyway, where Cilium does the bind protection by default. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: André Martins <andre@cilium.io>
Commit e65a58f
test: Use NFS by default for test VMs
[ upstream commit acb2daa ] The new K8sVerifier test compiles some Cilium binaries inside the VM, which can lead to 'interrupted system call' errors. Using NFS should fix it by speeding up the filesystem accesses. This commit switches the test VMs to use NFS by default, thereby enabling NFS in our CI. NFS remains disabled in the CI's Runtime tests because it leads to permission errors [1].
1 - https://jenkins.cilium.io/job/Cilium-PR-Runtime-4.9/2739/consoleFull
Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: André Martins <andre@cilium.io>
Commit 700c4ba
hubble/parser: Always preserve datapath numeric identity
[ upstream commit 1b29044 ] This introduces a check that we do not overwrite the numeric security identity provided by the datapath trace point. Only if the datapath did not provide an identity (i.e. in `FROM_LXC` trace points) do we want to fall back on the identity from the user-space ip cache or endpoint manager. The numeric identity from the datapath can differ from the one we obtain from user-space (e.g. the endpoint manager or the IP cache), because the identity could have changed between the time the datapath event was created and the time the event reaches the Hubble parser. To aid in troubleshooting, we want to preserve what the datapath observed when it made the policy decision. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: André Martins <andre@cilium.io>
Commit 884ec28
test: Avoid installing Cilium for K8sBandwidth if tests are skipped
[ upstream commit f380dd3 ] The overall structure for test K8sBandwidth looks to have been extracted from K8sServices. It works fine but is more complex than necessary and leads to unintended behavior when tests are skipped. This commit simplifies the structure to have a single conditional Context (conditioned on net-next kernel) inside which the three It tests are run. Cilium was also installed with the bandwidth manager enabled *before* the conditional Context. That installation would therefore happen regardless of whether bandwidth tests should actually be skipped, sometimes even leading to flakes on 4.9 kernels [1]. Removing this initial installation of Cilium implies that the test pods are now deployed (once for all tests) before Cilium is installed. We therefore need to wait for the test pods, with a new helper waitForTestPods(), after each re-installation of Cilium.
1 - https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-K8s/3740/testReport/junit/Suite-k8s-1/16/K8sBandwidthTest_Checks_Bandwidth_Rate_Limiting/
Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: André Martins <andre@cilium.io>
Commit d780ef2
daemon: Fix netns usage in kpr privileged unit tests
[ upstream commit 885a319 ] Previously, the SetUpSuite() routine called netns.New(). It expected that the latter only creates a new netns without setting it. However, according to the docs it's not the case:

    package netns // import "github.com/vishvananda/netns"

    func New() (ns NsHandle, err error)
        New creates a new network namespace, sets it as current and returns a handle to it.

This meant that we changed the netns before locking the OS thread, which could result in other Go runtime threads running in the test netns.
Fixes: b059c31 ("daemon: Add unit tests for device detection")
Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: André Martins <andre@cilium.io>
Commit 47dbc74
fqdn: Delay ipcache upserts until policies have been updated
[ upstream commit 60bd47f ] Add a map for newly allocated identities to ipcache.AllocateCIDR functions that the caller can use to upsert the IPs to ipcache later, after affected endpoint policy maps have been updated. Use this new functionality on the DNS proxy code path, that makes sure that new policy map entries are in place before an IP received from a DNS server is placed in ipcache. This is really straightforward as the logic for waiting was already in place for delaying the forwarding of the DNS response. Policy update path is still allowing ipcache upserts at policy ingestion time rather than waiting for the policy maps to be updated. This means that new, more specific CIDRs (e.g., 10.0.0/24) in policies can still cause momentary drops on traffic currently using a less specific CIDR (e.g., 10.0/16). Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: André Martins <andre@cilium.io>
Commit 247bfce
daemon: Postpone ipcache upserts until after policy changes have been regenerated by endpoints.
[ upstream commit 8f20d3b ] Move ipcache CIDR upserts and releases to the policy reaction queue, where upserts can be executed after regenerations have been completed, i.e. after endpoint policy maps have been updated. This way IP addresses are mapped to newly allocated identities only after endpoint policy maps are ready to classify them. Correspondingly, on deletes the to-be-deleted CIDR identities are first deleted from ipcache so that when they are deleted from endpoint policy maps they are no longer used in classification. Releases of CIDR identities must still be serialized with ipcache upserts via the policy reaction queue so that they are executed in the same order w.r.t. ipcache upserts as policy deletes and adds. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: André Martins <andre@cilium.io>
Commit 09d6d42
test: use kubectl helper for cilium cleanup in upgrade tests
[ upstream commit 19a6011 ] Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> Signed-off-by: André Martins <andre@cilium.io>
Commit 1428bff
bpf: Don't compile unused BPF sections
[ upstream commit 81dc19b ] When we load a BPF program in the kernel, tc loads the entire object file, meaning it attempts to load each BPF program found in the object file. In some cases (e.g., ICMPv6 code in bpf_xdp.o), we include BPF programs as sections in the object file even though we never tail call to them. This commit fixes it by ensuring we only compile those sections if they are needed. This also fixes a failure to load bpf_xdp on 4.19 when compiled with our MAX_LB_OPTIONS options combination: ENABLE_IPV4 ENABLE_IPV6 ENABLE_HOST_SERVICES_TCP ENABLE_HOST_SERVICES_UDP ENABLE_IPSEC. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: André Martins <andre@cilium.io>
Commit 390c1b2
test: Avoid use of install with NFS
[ upstream commit a77842b ] Running the Runtime tests in CI with NFS enabled currently fails because 'install' reports a permission error when trying to change permissions of cilium.conf.ginkgo. This commit switches 'install' for 'chmod', which works fine. The reason for this error is that 'install' relies on the fsetxattr(2) system call to change the permissions and, as pointed out by Quentin, there is no support for Extended File Attributes in NFS [1]. 'install' therefore fails whereas 'chmod', which relies on fchmodat(2), works fine. That bug wasn't found when running the Runtime test with NFS locally because, for local tests, a different implementation of RenderTemplateToFile() is used, one that does not rely on 'install'.
1 - https://tools.ietf.org/html/rfc8276
Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: André Martins <andre@cilium.io>
Commit 09e59d0
ci: Enable NFS for Runtime tests
[ upstream commit 8bf3ed8 ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: André Martins <andre@cilium.io>
Commit bb290f3