v1.8 backports 2021-01-19 #14654
Merged
v1.8 backports 2021-01-19 #14654
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[ upstream commit f034507 ] Kubernetes secrets are mapped into the pod using symlinks. The initial scan was already correctly ignoring symlinks but the fsnotify events have not been. This has resulted in invalid cluster configurations being added: ``` ClusterMesh: 0/3 clusters ready, 0 global-services cluster2: not-ready, 0 nodes, 0 identities, 0 services, 0 failures (last: never) └ Waiting for initial connection to be established ..2021_01_08_21_11_57.892158678: not-ready, 0 nodes, 0 identities, 0 services, 0 failures (last: never) └ Waiting for initial connection to be established ..data: not-ready, 0 nodes, 0 identities, 0 services, 0 failures (last: never) └ Waiting for initial connection to be established ``` Fixes: 076b018 ("Inter cluster connectivity (ClusterMesh)") Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
[ upstream commit 6ad5a22 ] A CIDR should be able to be removed from itself. Add test cases that would fail without the fix: $ go test ---------------------------------------------------------------------- FAIL: ip_test.go:184: IPTestSuite.TestRemoveCIDRsEdgeCase ip_test.go:190: s.testIPNetsEqual(allowedCIDRs, expectedCIDRs, c) ip_test.go:83: c.Assert(created, HasLen, len(expected)) ... obtained []*net.IPNet = []*net.IPNet(nil) ... n int = 1 ---------------------------------------------------------------------- FAIL: ip_test.go:194: IPTestSuite.TestRemoveCIDRsEdgeCase2 ip_test.go:200: s.testIPNetsEqual(allowedCIDRs, expectedCIDRs, c) ip_test.go:83: c.Assert(created, HasLen, len(expected)) ... obtained []*net.IPNet = []*net.IPNet(nil) ... n int = 1 ---------------------------------------------------------------------- FAIL: ip_test.go:176: IPTestSuite.TestRemoveSameCIDR ip_test.go:180: c.Assert(err, IsNil) ... value *errors.errorString = &errors.errorString{s:"allow CIDR prefix must be a superset of remove CIDR prefix"} ("allow CIDR prefix must be a superset of remove CIDR prefix") OOPS: 14 passed, 3 FAILED Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
[ upstream commit 28745d3 ] Rename removeCIDR() as excludeContainedCIDR() and remove checks that the caller already makes. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
[ upstream commit e813f5a ] Remove unnecessary pointer indirections from excludeContainedCIDR(). Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
[ upstream commit 2e40bf5 ] allowCIDR contains removeCIDR so they share all the bits in the allowCIDR. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
[ upstream commit aafe9e2 ] Address bits from high to low, starting from 0. This allows arbitrarily sized masks to be manipulated without forcing masks to any given size. For example, 0th bit is the highest bit, bits 0-7 are in the highest byte. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
[ upstream commit 3a9cf53 ] Remove redundant CIDRs in one pass instead of restarting the loops again. Remove redundant CIDRs also from AllowCIDRs. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
[ upstream commit 255cb86 ] Error return was only used for mixed address families. This is not needed as net.Contains() seems to behave as expected when given mixed address families. Remove the error return and add unit tests. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
[ upstream commit a544c51 ] Fixes the following data race: ``` Read at 0x00c00079f200 by goroutine 43: github.com/cilium/cilium/pkg/node/manager.(*Manager).StartNeighborRefresh.func1.1() /go/src/github.com/cilium/cilium/pkg/node/manager/manager.go:581 +0xc4 Previous write at 0x00c00079f200 by goroutine 166: github.com/cilium/cilium/pkg/node/manager.(*Manager).NodeUpdated() /go/src/github.com/cilium/cilium/pkg/node/manager/manager.go:414 +0x824 github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).ciliumNodeInit.func2() /go/src/github.com/cilium/cilium/pkg/k8s/watchers/cilium_node.go:71 +0x2d4 k8s.io/client-go/tools/cache.ResourceEventHandlerFuncs.OnUpdate() /go/src/github.com/cilium/cilium/vendor/k8s.io/client-go/tools/cache/controller.go:238 +0xa5 k8s.io/client-go/tools/cache.(*ResourceEventHandlerFuncs).OnUpdate() <autogenerated>:1 +0x2e github.com/cilium/cilium/pkg/k8s/informer.NewInformerWithStore.func1() /go/src/github.com/cilium/cilium/pkg/k8s/informer/informer.go:114 +0x389 k8s.io/client-go/tools/cache.(*DeltaFIFO).Pop() /go/src/github.com/cilium/cilium/vendor/k8s.io/client-go/tools/cache/delta_fifo.go:507 +0x50d k8s.io/client-go/tools/cache.(*controller).processLoop() /go/src/github.com/cilium/cilium/vendor/k8s.io/client-go/tools/cache/controller.go:183 +0x83 k8s.io/client-go/tools/cache.(*controller).processLoop-fm() /go/src/github.com/cilium/cilium/vendor/k8s.io/client-go/tools/cache/controller.go:181 +0x44 k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1() /go/src/github.com/cilium/cilium/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:155 +0x75 k8s.io/apimachinery/pkg/util/wait.BackoffUntil() /go/src/github.com/cilium/cilium/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:156 +0xba k8s.io/apimachinery/pkg/util/wait.JitterUntil() /go/src/github.com/cilium/cilium/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133 +0x114 k8s.io/apimachinery/pkg/util/wait.Until() /go/src/github.com/cilium/cilium/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:90 +0x507 k8s.io/client-go/tools/cache.(*controller).Run() /go/src/github.com/cilium/cilium/vendor/k8s.io/client-go/tools/cache/controller.go:154 +0x4a9 Goroutine 43 (running) created at: github.com/cilium/cilium/pkg/node/manager.(*Manager).StartNeighborRefresh.func1() /go/src/github.com/cilium/cilium/pkg/node/manager/manager.go:578 +0x368 github.com/cilium/cilium/pkg/controller.(*Controller).runController() /go/src/github.com/cilium/cilium/pkg/controller/controller.go:208 +0xd10 Goroutine 166 (running) created at: github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).ciliumNodeInit() /go/src/github.com/cilium/cilium/pkg/k8s/watchers/cilium_node.go:101 +0x184 ``` Fixes: 5ec4d51 ("daemon, node: refresh neighbor by sending arping periodically") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
[ upstream commit 562aa3d ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
[ upstream commit 0228afa ] ``` goroutine 319 [running]: go.etcd.io/etcd/clientv3/concurrency.(*Session).Orphan(...) /go/src/github.com/cilium/cilium/vendor/go.etcd.io/etcd/clientv3/concurrency/session.go:90 go.etcd.io/etcd/clientv3/concurrency.(*Session).Close(0xc000dcca50, 0xc00145d790, 0x2) /go/src/github.com/cilium/cilium/vendor/go.etcd.io/etcd/clientv3/concurrency/session.go:96 +0x2a github.com/cilium/cilium/pkg/kvstore.(*etcdClient).Close(0xc0014f2c30) /go/src/github.com/cilium/cilium/pkg/kvstore/etcd.go:1652 +0xc8 github.com/cilium/cilium/pkg/clustermesh.(*remoteCluster).restartRemoteConnection.func1(0x2e862e0, 0xc0009fc300, 0x460d7a0, 0x415c26) /go/src/github.com/cilium/cilium/pkg/clustermesh/remote_cluster.go:178 +0x408 github.com/cilium/cilium/pkg/controller.(*Controller).runController(0xc0008d2100) /go/src/github.com/cilium/cilium/pkg/controller/controller.go:205 +0xa2a created by github.com/cilium/cilium/pkg/controller.(*Manager).updateController /go/src/github.com/cilium/cilium/pkg/controller/manager.go:120 +0xb09 ``` Fixes: c1b05df ("pkg/kvstore: introduced a dedicated session for locks") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
[ upstream commit 6e3ca8f ] If kubelet gives cilium-cni bad input (no netns), the error here would not be returned properly to the caller, which could result in a segfault: panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x14e0c8b] goroutine 1 [running, locked to thread]: main.cmdAdd(0xc00015a000, 0xc0004d60e8, 0x5) /go/src/github.com/cilium/cilium/plugins/cilium-cni/cilium-cni.go:354 +0x5cb github.com/containernetworking/cni/pkg/skel.(*dispatcher).checkVersionAndCall(0xc0005e5d40, 0xc00015a000, 0x1a42f20, 0xc0004de000, 0x18d07c0, 0x0, 0x44a1ef) /go/src/github.com/cilium/cilium/vendor/github.com/containernetworking/cni/pkg/skel/skel.go:185 +0x258 github.com/containernetworking/cni/pkg/skel.(*dispatcher).pluginMain(0xc0005e5d40, 0x18d07c0, 0x0, 0x18d07c8, 0x1a42f20, 0xc0004de000, 0xc000174000, 0x5d, 0xc000174000) /go/src/github.com/cilium/cilium/vendor/github.com/containernetworking/cni/pkg/skel/skel.go:221 +0x546 github.com/containernetworking/cni/pkg/skel.PluginMainWithError(...) /go/src/github.com/cilium/cilium/vendor/github.com/containernetworking/cni/pkg/skel/skel.go:286 github.com/containernetworking/cni/pkg/skel.PluginMain(0x18d07c0, 0x0, 0x18d07c8, 0x1a42f20, 0xc0004de000, 0xc000174000, 0x5d) /go/src/github.com/cilium/cilium/vendor/github.com/containernetworking/cni/pkg/skel/skel.go:301 +0x128 main.main() /go/src/github.com/cilium/cilium/plugins/cilium-cni/cilium-cni.go:85 +0x33c The above logs would typically be pushed to kubelet logs. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
maintainer-s-little-helper
bot
added
backport/1.8
kind/backports
|
never-tell-me-the-odds |
@mrostecki We changed it to: test-backport-1.8 |
aanm
approved these changes
Jan 19, 2021
|
test-upstream-k8s (previous failure: https://jenkins.cilium.io/job/Cilium-PR-Kubernetes-Upstream/2795/execution/node/64/log/) |
joestringer
approved these changes
Jan 19, 2021
|
test-missed-k8s (previous failure: https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-K8s/3902/) |
rolinh
approved these changes
Jan 20, 2021
maintainer-s-little-helper
bot
added
ready-to-merge
|
@rolinh this is a reminder to run the "labels update" command from backports PRs when you merge them. I've done it this time (hopefully one day we'll just automate this step...). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Once this PR is merged, you can update the PR labels via: