
Test v1.10 #16156

Closed

wants to merge 13 commits into from

Conversation

aanm
Member

@aanm aanm commented May 14, 2021

Testing #16150 without #15422

tgraf and others added 13 commits May 14, 2021 14:21
[ upstream commit a6eebde ]

Signed-off-by: Thomas Graf <thomas@cilium.io>
Signed-off-by: André Martins <andre@cilium.io>
[ upstream commit 094d141 ]

Use cilium-envoy image that adds response headers to response access
log messages.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: André Martins <andre@cilium.io>
[ upstream commit d7b7672 ]

Update Envoy to release 1.17.3 which fixes CVE-2021-29492.

Configure cilium-envoy with path normalization, path slash merge, and
path escaped slash unescaping by default. This setting can be reverted
with Cilium agent option --http-normalize-path=false.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: André Martins <andre@cilium.io>
[ upstream commit aa3a5d2 ]

Refer to the common installation instructions and document how to enable
the feature.

Fixes: cilium#15976

Signed-off-by: Thomas Graf <thomas@cilium.io>
Signed-off-by: André Martins <andre@cilium.io>
[ upstream commit b4c38f0 ]

Signed-off-by: Tom Payne <tom@isovalent.com>
Signed-off-by: André Martins <andre@cilium.io>
[ upstream commit c3f6ee6 ]

Signed-off-by: Tom Payne <tom@isovalent.com>
Signed-off-by: André Martins <andre@cilium.io>
[ upstream commit bf750f6 ]

We don't return early if arping was skipped. This can happen when
insertNeighbor() is invoked by the non-refresh path and nexthop is not
new.

Make sure that lastPing is updated only if arping was sent and it was
successful (if hwAddr != nil condition).

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: André Martins <andre@cilium.io>
[ upstream commit 6ee44ed ]

We can inspect the neighLastPingByNextHop map to check when
insertNeighbor() or deleteNeighbor() was called.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: André Martins <andre@cilium.io>
[ upstream commit dd46cc1 ]

It's possible that in the case of multiple concurrent insertNeighbor()
executions the oldest (or older) goroutine will overwrite the latest
arping result due to the fine-grained locking.

To fix this, avoid updating neigh entry if we detect that prev last ping
timestamp is after our arping timestamp.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: André Martins <andre@cilium.io>
[ upstream commit ad0d3cf ]

mattr=+alu32, supported since LLVM 7.0 and implied by mcpu=v3, enables
the use of 32-bit registers in BPF bytecode. Enabling this compiler
option can however result in loading issues as illustrated below.

    12: (61) r1 = *(u32 *)(r0 +80) // ctx->data_end
    13: (61) r6 = *(u32 *)(r0 +76) // ctx->data
    14: (bc) w7 = w6 // <- verifier loses track of inferred pkt type here.
    [...]
    38: (71) r1 = *(u8 *)(r7 +20)
    R7 invalid mem access 'inv'

These errors typically happen because the data and data_end pointers are
actually 32-bit registers. Depending on how these pointers are used,
LLVM sometimes makes use of that assumption (e.g., 32-bit assignment on
instruction 14 above). The verifier is however not able to follow and
rejects such programs.

We can usually work around those by ensuring these pointers are only
used via 64-bit types. This commit implements this wherever needed to
pass the verifier.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: André Martins <andre@cilium.io>
[ upstream commit 631f351 ]

Set mcpu=v3 in the compiler on kernels 5.10+ to use all available eBPF
instructions and 32-bit registers. This change fixes the complexity
issue we're hitting on v5.10+ when socket-level load balancing is disabled
(via enable-host-services=false or kube-proxy-replacement=disabled).

Using the third eBPF instruction set doesn't reduce complexity for all
BPF programs but it leads to more standard numbers, with less variations
in complexities. A big part of this improvement is due to the implicit
use of mattr=+alu32 to enable 32-bit eBPF registers.

In addition to the end-to-end test on bpf-next, this change was tested
on kernels 5.10 and 5.11 with the existing verifier-test.sh, compiling
the datapath with both KERNEL=netnext and KERNEL=419.

Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: André Martins <andre@cilium.io>
[ upstream commit 05512b2 ]

On master and with kernels 5.10+, we have a complexity issue when
ENABLE_HOST_SERVICES_FULL is undefined (i.e., socket-level load balancing
is disabled and additional code compiled in bpf_lxc as a replacement).
Our verifier test included a workaround for that issue, by always
defining ENABLE_HOST_SERVICES_FULL on newer kernels.

This commit removes that workaround since the previous commit fixed the
complexity issue.

Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: André Martins <andre@cilium.io>
[ upstream commit 519fa82 ]

A few users have been asking about where to find the numeric IDs
associated with a given identity, so maybe it's worth adding them to the
table.

Signed-off-by: Bruno Miguel Custódio <brunomcustodio@gmail.com>
Signed-off-by: André Martins <andre@cilium.io>
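The Envoy update above turns on path normalization, slash merging and escaped-slash unescaping by default because an L7 rule that prefix-matches the raw request path can be bypassed when the upstream decodes `%2F` or resolves `..` differently from the proxy. The following Go program is an added example written for this page, not Cilium's or Envoy's code: it models those three normalizations on a constructed allow-list (`/api/` only) and shows the same rule evaluated on the raw path and on the normalized path. The request paths, the rule and the function names are all constructed for the illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// normalizePath models the three behaviours the commit enables by default:
// unescape encoded slashes, merge repeated slashes, and resolve "." / ".."
// segments. The query string is carried through untouched. This is a
// simplified model for the example, not Envoy's implementation.
func normalizePath(raw string) string {
	p, q := raw, ""
	if i := strings.IndexByte(p, '?'); i >= 0 {
		p, q = p[:i], p[i:]
	}
	// %2F / %2f hide a segment boundary from a plain prefix match.
	p = strings.NewReplacer("%2F", "/", "%2f", "/").Replace(p)
	// path.Clean merges slashes and resolves dot segments; the leading "/"
	// keeps ".." from walking above the root. Clean also drops a trailing
	// slash, which is restored because "/api" and "/api/" may be distinct routes.
	trailing := strings.HasSuffix(p, "/") && p != "/"
	p = path.Clean("/" + p)
	if trailing && p != "/" {
		p += "/"
	}
	return p + q
}

// allowedRaw is a constructed L7 allow-list that prefix-matches the path
// exactly as received. This is the pattern the normalization protects.
func allowedRaw(p string) bool {
	return strings.HasPrefix(p, "/api/")
}

// allowedNormalized applies the same rule after normalization.
func allowedNormalized(p string) bool {
	return allowedRaw(normalizePath(p))
}

func main() {
	// Constructed request paths, not captured traffic.
	for _, p := range []string{
		"/api/v1/users",
		"/api/..%2Fadmin",
		"/api//../admin?x=1",
		"/api/./v1/%2F%2Fusers/",
	} {
		fmt.Printf("%-26s raw=%-5v normalized=%-5v -> %s\n",
			p, allowedRaw(p), allowedNormalized(p), normalizePath(p))
	}
}
```

The second and third inputs pass the raw prefix check but normalize to `/admin`, which is the bypass class the Envoy change closes; the agent option `--http-normalize-path=false` named in the commit re-opens it, so disabling it should be a deliberate decision for backends that genuinely treat an encoded slash as data.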
@aanm aanm added the dont-merge/blocked Another PR must be merged before this one. label May 14, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot added backport/1.10 kind/backports This PR provides functionality previously merged into master. labels May 14, 2021
@aanm
Member Author

aanm commented May 14, 2021

test-upstream-k8s

@aanm aanm closed this May 14, 2021
@aanm aanm deleted the pr/v1.10-backport-2021-05-14-2 branch May 14, 2021 22:25