Test v1.10 #16156
Closed
[ upstream commit a6eebde ]

Signed-off-by: Thomas Graf <thomas@cilium.io>
Signed-off-by: André Martins <andre@cilium.io>

[ upstream commit 094d141 ]

Use cilium-envoy image that adds response headers to response access log messages.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: André Martins <andre@cilium.io>

[ upstream commit d7b7672 ]

Update Envoy to release 1.17.3 which fixes CVE-2021-29492.

Configure cilium-envoy with path normalization, path slash merge, and path escaped slash unescaping by default. This setting can be reverted with Cilium agent option --http-normalize-path=false.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: André Martins <andre@cilium.io>
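
Why the normalization steps named in the commit above matter for L7 policy, as an added example that is not part of the commit or of Cilium's code: a path rule evaluated on the raw request path can disagree with the path a normalizing backend serves. `normalizePath`, `allowed`, `decide` and the sample paths are hypothetical, and the normalization is a simplified model, not Envoy's implementation.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// normalizePath is a simplified model of the three steps the commit names:
// unescape escaped slashes, merge repeated slashes, resolve dot segments.
func normalizePath(p string) string {
	p = strings.NewReplacer("%2F", "/", "%2f", "/").Replace(p)
	clean := path.Clean("/" + p) // merges "//" and resolves "." and ".."
	if strings.HasSuffix(p, "/") && clean != "/" {
		clean += "/" // path.Clean drops a trailing slash; keep it
	}
	return clean
}

// allowed is a hypothetical L7 rule: everything except /admin and below.
func allowed(p string) bool {
	return p != "/admin" && !strings.HasPrefix(p, "/admin/")
}

// decide evaluates the rule on the raw or the normalized request path.
func decide(raw string, normalize bool) bool {
	if normalize {
		raw = normalizePath(raw)
	}
	return allowed(raw)
}

// samplePaths are constructed request paths; the first three all become
// /admin/keys once normalized, the last one is unrelated.
var samplePaths = []string{
	"/admin/keys",
	"//admin/keys",
	"/public/..%2fadmin/keys",
	"/public/docs",
}

func main() {
	for _, p := range samplePaths {
		fmt.Printf("%-26q raw=%-5v normalized=%v\n", p, decide(p, false), decide(p, true))
	}
}
```

With normalization on, the rule gives the same verdict for every spelling of the same resource; with it off, the verdict depends on how the path was written.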

[ upstream commit aa3a5d2 ]

Refer to the common installation instructions and document how to enable the feature.

Fixes: cilium#15976

Signed-off-by: Thomas Graf <thomas@cilium.io>
Signed-off-by: André Martins <andre@cilium.io>

[ upstream commit b4c38f0 ]

Signed-off-by: Tom Payne <tom@isovalent.com>
Signed-off-by: André Martins <andre@cilium.io>

[ upstream commit c3f6ee6 ]

Signed-off-by: Tom Payne <tom@isovalent.com>
Signed-off-by: André Martins <andre@cilium.io>

[ upstream commit bf750f6 ]

We don't return early if arping was skipped. This can happen when insertNeighbor() is invoked by the non-refresh path and nexthop is not new.

Make sure that lastPing is updated only if arping was sent and it was successful (if hwAddr != nil condition).

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: André Martins <andre@cilium.io>

[ upstream commit 6ee44ed ]

We can inspect the neighLastPingByNextHop map to check when insertNeighbor() or deleteNeighbor() was called.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: André Martins <andre@cilium.io>

[ upstream commit dd46cc1 ]

It's possible that in the case of multiple concurrent insertNeighbor() executions the oldest (or older) goroutine will overwrite the latest arping result due to the fine-grained locking.

To fix this, avoid updating neigh entry if we detect that prev last ping timestamp is after our arping timestamp.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: André Martins <andre@cilium.io>
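
The stale-write guard described in the commit above, as an added example that is not the project's code: results are committed in completion order, and an arping sent earlier than the recorded one is dropped. `arpResult`, `neighTable`, `commit`, `replay` and the sample data are hypothetical; only the `neighLastPingByNextHop` name comes from the page.

```go
package main

import (
	"fmt"
	"time"
)

// arpResult is one finished arping: the MAC it learned and when it was sent.
type arpResult struct {
	hwAddr string
	sentAt time.Time
}

// neighTable is a hypothetical stand-in for the agent's neighbor state.
type neighTable struct {
	hwAddr   map[string]string
	lastPing map[string]time.Time // plays the role of neighLastPingByNextHop
}

// commit runs with the table lock held; guard drops results older than the recorded one.
func (t *neighTable) commit(nextHop string, r arpResult, guard bool) {
	if prev, ok := t.lastPing[nextHop]; guard && ok && prev.After(r.sentAt) {
		return
	}
	t.hwAddr[nextHop] = r.hwAddr
	t.lastPing[nextHop] = r.sentAt
}

// sampleResults is constructed data: the newer arping completes first.
func sampleResults() []arpResult {
	base := time.Unix(1620950400, 0)
	return []arpResult{
		{hwAddr: "02:00:00:00:00:bb", sentAt: base.Add(2 * time.Second)},
		{hwAddr: "02:00:00:00:00:aa", sentAt: base},
	}
}

// replay commits results in completion order and returns the surviving MAC.
func replay(results []arpResult, guard bool) string {
	t := &neighTable{hwAddr: map[string]string{}, lastPing: map[string]time.Time{}}
	for _, r := range results {
		t.commit("192.0.2.1", r, guard)
	}
	return t.hwAddr["192.0.2.1"]
}

func main() {
	fmt.Println("unguarded:", replay(sampleResults(), false), "guarded:", replay(sampleResults(), true))
}
```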

[ upstream commit ad0d3cf ]

mattr=+alu32, supported since LLVM 7.0 and implied by mcpu=v3, enables the use of 32-bit registers in BPF bytecode. Enabling this compiler option can however result in loading issues as illustrated below.

    12: (61) r1 = *(u32 *)(r0 +80) // ctx->data_end
    13: (61) r6 = *(u32 *)(r0 +76) // ctx->data
    14: (bc) w7 = w6 // <- verifier loses track of inferred pkt type here.
    [...]
    38: (71) r1 = *(u8 *)(r7 +20)
    R7 invalid mem access 'inv'

These errors typically happen because the data and data_end pointers are actually 32-bit registers. Depending on how these pointers are used, LLVM sometimes makes use of that assumption (e.g., 32-bit assignment on instruction 14 above). The verifier is however not able to follow and rejects such programs.

We can usually work around those by ensuring these pointers are only used via 64-bit types. This commit implements this wherever needed to pass the verifier.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: André Martins <andre@cilium.io>

[ upstream commit 631f351 ]

Set mcpu=v3 in the compiler on kernels 5.10+ to use all available eBPF instructions and 32-bit registers. This change fixes the complexity issue we're hitting on v5.10+ when socket-level load balancing is disabled (via enable-host-services=false or kube-proxy-replacement=disabled).

Using the third eBPF instruction set doesn't reduce complexity for all BPF programs but it leads to more standard numbers, with less variations in complexities. A big part of this improvement is due to the implicit use of mattr=+alu32 to enable 32-bit eBPF registers.

In addition to the end-to-end test on bpf-next, this change was tested on kernels 5.10 and 5.11 with the existing verifier-test.sh, compiling the datapath with both KERNEL=netnext and KERNEL=419.

Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: André Martins <andre@cilium.io>

[ upstream commit 05512b2 ]

On master and with kernels 5.10+, we have a complexity issue when ENABLE_HOST_SERVICES_FULL is undefined (i.e., socket-level load balancing is disabled and additional code compiled in bpf_lxc as a replacement). Our verifier test included a workaround for that issue, by always defining ENABLE_HOST_SERVICES_FULL on newer kernels.

This commit removes that workaround since the previous commit fixed the complexity issue.

Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: André Martins <andre@cilium.io>

[ upstream commit 519fa82 ]

A few users have been asking about where to find the numeric IDs associated with a given identity, so maybe it's worth adding them to the table.

Signed-off-by: Bruno Miguel Custódio <brunomcustodio@gmail.com>
Signed-off-by: André Martins <andre@cilium.io>

maintainer-s-little-helper (bot) added the backport/1.10 and kind/backports (This PR provides functionality previously merged into master.) labels on May 14, 2021
test-upstream-k8s
Labels
dont-merge/blocked
Another PR must be merged before this one.
kind/backports
This PR provides functionality previously merged into master.
Testing #16150 without #15422