
ipsec: Fatal on unsupported, <4.19 kernels in tunneling mode #14525

Merged (1 commit), Jan 11, 2021

Conversation

@pchaigno pchaigno commented Jan 5, 2021

When using IPSec with Cilium in tunneling mode, we need support for the xfrm state output mask in the kernel (cf. #14381). This pull request probes for such kernel support, introduced upstream in 9b42c1f ("xfrm: Extend the output_mark to support input direction and masking"), on startup and fatals if the kernel is too old.

The lack of kernel support only breaks policy enforcement across nodes and we can probably make it work in the future, but in the meantime, it's best to cleanly fatal.
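An added example in Go, not Cilium's own code, of the startup gate this description sketches: it refuses to continue only when IPsec is enabled in tunneling mode and the kernel predates xfrm output mark masking. It substitutes a kernel version threshold (4.19, the first mainline release carrying 9b42c1f) for the runtime probe the PR actually adds, and the release strings in the test are constructed samples.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// KernelVersion is a major.minor.patch triple parsed from a `uname -r` string.
type KernelVersion struct{ Major, Minor, Patch int }
// key folds the triple into one comparable integer (each field < 1024).
func (v KernelVersion) key() int { return v.Major<<20 | v.Minor<<10 | v.Patch }
// AtLeast reports whether v is the same as or newer than o.
func (v KernelVersion) AtLeast(o KernelVersion) bool { return v.key() >= o.key() }

var releaseRe = regexp.MustCompile(`^(\d+)\.(\d+)(?:\.(\d+))?`)

// ParseKernelRelease parses release strings such as "4.19.0-13-amd64" or "5.4.0-58-generic".
func ParseKernelRelease(s string) (KernelVersion, error) {
	m := releaseRe.FindStringSubmatch(s)
	if m == nil {
		return KernelVersion{}, fmt.Errorf("unrecognised kernel release %q", s)
	}
	var v KernelVersion
	v.Major, _ = strconv.Atoi(m[1])
	v.Minor, _ = strconv.Atoi(m[2])
	v.Patch, _ = strconv.Atoi(m[3]) // "" (no patch level present) parses as 0
	return v, nil
}

// minXfrmOutputMaskKernel is the first mainline release carrying upstream 9b42c1f
// ("xfrm: Extend the output_mark to support input direction and masking").
var minXfrmOutputMaskKernel = KernelVersion{Major: 4, Minor: 19}
// CheckIPsecTunnelSupport is the daemon-side gate: missing xfrm output mask
// support is only fatal when IPsec is enabled in tunneling mode. The version
// threshold stands in for the PR's runtime kernel probe (an assumption here).
func CheckIPsecTunnelSupport(ipsecEnabled, tunnelMode bool, release string) error {
	if !ipsecEnabled || !tunnelMode {
		return nil
	}
	v, err := ParseKernelRelease(release)
	if err != nil {
		return err
	}
	if !v.AtLeast(minXfrmOutputMaskKernel) {
		return fmt.Errorf("IPsec in tunneling mode requires kernel >= 4.19 (xfrm output mark masking); running %s", release)
	}
	return nil
}
```

The caller would log the returned error and exit, which is the "cleanly fatal" behaviour the description asks for.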

@pchaigno pchaigno added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. needs-backport/1.8 labels Jan 5, 2021
@pchaigno pchaigno requested review from a team January 5, 2021 17:39
@pchaigno pchaigno requested a review from a team as a code owner January 5, 2021 17:39
@pchaigno pchaigno requested review from jibi and qmonnet January 5, 2021 17:39
@maintainer-s-little-helper maintainer-s-little-helper bot added this to In progress in 1.10.0 Jan 5, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.9.2 Jan 5, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.8.7 Jan 5, 2021
@pchaigno pchaigno requested a review from jrfastab January 5, 2021 17:39
@qmonnet qmonnet left a comment

Looks good to me, thanks

Review comment on pkg/datapath/linux/ipsec/ipsec_linux.go (outdated, resolved)
@joestringer joestringer left a comment

Minor nits 👍

Review comment on Documentation/operations/system_requirements.rst (outdated, resolved)
Review comment on pkg/datapath/linux/ipsec/probe_linux.go (outdated, resolved)
@christarazi christarazi left a comment

LGTM, minor nits for docs and optional code compaction suggestion

Review comment on daemon/cmd/daemon_main.go (outdated, resolved)
Review comment on pkg/datapath/linux/ipsec/probe_linux.go (outdated, resolved)
Review comment on pkg/datapath/linux/ipsec/probe_linux.go (resolved)
@joestringer joestringer left a comment

LGTM, @christarazi pointed out the other aspect of my prior feedback - now the daemon-side check can be simpler.

@joestringer joestringer removed their assignment Jan 5, 2021
@pchaigno pchaigno force-pushed the pr/pchaigno/ipsec-fatal-unsupported-kernels branch from a729ef2 to 8ea9a8d Compare January 5, 2021 20:20
Review comment on pkg/datapath/linux/ipsec/probe_linux.go (outdated, resolved)
When using IPSec with Cilium in tunneling mode, we need support for the
xfrm state output mask in the kernel (cf. #14381). This commit probes
for such kernel support, introduced upstream in 9b42c1f ("xfrm: Extend
the output_mark to support input direction and masking"), on startup
and fatals if the kernel is too old.

The lack of kernel support only breaks policy enforcement across nodes
and we can probably make it work in the future, but in the meantime,
it's best to cleanly fatal.

Signed-off-by: Paul Chaignon <paul@cilium.io>
@pchaigno pchaigno force-pushed the pr/pchaigno/ipsec-fatal-unsupported-kernels branch from 8ea9a8d to 127c0ab Compare January 5, 2021 20:26
@pchaigno pchaigno removed the request for review from jibi January 5, 2021 20:27
@pchaigno pchaigno (Member, Author) commented Jan 6, 2021

K8s-1.20-kernel-4.9 failed with known flake #13774. Other tests are passing.

@pchaigno pchaigno added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jan 11, 2021
@pchaigno pchaigno merged commit 1870713 into master Jan 11, 2021
@pchaigno pchaigno deleted the pr/pchaigno/ipsec-fatal-unsupported-kernels branch January 11, 2021 11:02
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.9 in 1.9.2 Jan 11, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.8 in 1.8.7 Jan 11, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.8 to Backport done to v1.8 in 1.8.7 Jan 13, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.9 to Backport done to v1.9 in 1.9.2 Jan 13, 2021