v1.8 backports 2021-07-01 #16745
test-backport-1.8
@jrajahalme you've signed these off with vagrant user as well :-)
LGTM apart from Joe's comment.
What's interesting about the failure is that in v1.8 we try to fetch the DNS proxy port from iptables rules, but don't make it unique... so apparently there are many iptables rules with the DNS proxy port:
Whereas on v1.9 or later, we use Sure enough from the sysdump, there are many duplicate iptables rules for proxy ports:
This change added code scanning the existing rules to figure out if the rule already exists; the problem was that we formatted marks with leading zeroes, while The 1.8 CI code caught this due to the code only expecting one port number existing for any proxy. The CI fail would have been similar regardless if the port numbers were duplicates or not. Fixed this by changing the formatting, and using a port number with leading zeroes in the mark in unit tests.
764f9e9 to 367b174
test-backport-1.8
Do we need the same fix in master?
CI infra fails, retesting
test-backport-1.8
Build runtime vm provisioning fail v1.8 backports 2021-07-01
test-runtime
test-upstream-k8s
[ upstream commit 537715a ] Wrap "iptables" and "ip6tables" programs with iptablesInterface so that unit testing can mock up the executables. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 5839d23 ] Keep old iptables rules by renaming Cilium chains so that new rules can be added while old are still in use. Copy old TPROXY rules from the renamed old rules. Remove the backups only after new rules have been successfully added. This change makes it possible to keep old rules in effect while adding new ones without special consideration for transient rules. On first initialization only copy over the DNS proxy TPROXY rules, as other proxies can't reuse old proxy ports across restarts. Pick the last applicable proxy port from iptables, if multiple are present. Remove stale TPROXY rules once the current port is known. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 28e7e39 ] Panicking in Finalize functions may leave endpoint locked and brick the whole agent. Better avoid it and log errors instead, and unlock the Endpoint in defer if it still happens. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit d5ff687 ] Remove leading zeroes from marks, as 'iptables' is not formatting them. This allows proper matching of existing rules and avoids appending duplicate rules. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
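The mismatch behind d5ff687, as an added example that is not Cilium's code: a rule formatted with a zero-padded mark (`0x00a00200`) never string-matches what `iptables-save` prints back (`0xa00200`), so a textual existence check keeps appending duplicates; comparing the parsed mark and mask numerically removes the dependence on formatting. The chain name, mark value and port below are constructed sample data.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// markRe captures the mark and optional mask of an "-m mark --mark VALUE[/MASK]"
// match in an iptables rule, e.g. "--mark 0xa00200/0xfffffeff".
var markRe = regexp.MustCompile(`--mark\s+(0x[0-9a-fA-F]+)(?:/(0x[0-9a-fA-F]+))?`)

// parseMark returns the numeric mark and mask of a rule, or ok=false if the rule
// carries no mark match. A missing mask defaults to all ones, as iptables does.
func parseMark(rule string) (mark, mask uint32, ok bool) {
	m := markRe.FindStringSubmatch(rule)
	if m == nil {
		return 0, 0, false
	}
	v, err := strconv.ParseUint(m[1], 0, 32) // base 0 accepts the 0x prefix
	if err != nil {
		return 0, 0, false
	}
	mask = 0xffffffff
	if m[2] != "" {
		mv, err := strconv.ParseUint(m[2], 0, 32)
		if err != nil {
			return 0, 0, false
		}
		mask = uint32(mv)
	}
	return uint32(v), mask, true
}

// sameMark reports whether two rules match the same mark/mask, regardless of
// how many leading zeroes either side used when formatting the hex values.
func sameMark(a, b string) bool {
	am, ak, aok := parseMark(a)
	bm, bk, bok := parseMark(b)
	return aok && bok && am == bm && ak == bk
}

func main() {
	// Constructed sample: the zero-padded rule the agent wants vs. what iptables-save prints.
	wanted := "-A CILIUM_PRE_mangle -p tcp -m mark --mark 0x00a00200/0xfffffeff -j TPROXY --on-port 37287"
	existing := "-A CILIUM_PRE_mangle -p tcp -m mark --mark 0xa00200/0xfffffeff -j TPROXY --on-port 37287"
	fmt.Println(strings.Contains(existing, "0x00a00200")) // false: textual check misses the rule
	fmt.Println(sameMark(wanted, existing))               // true: numeric comparison finds it
}
```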
367b174 to 2edde18
Rebased, added upstream commit reference to the last commit
test-backport-1.8
known flake #13400 (reopened) in test-1.17-4.19.
test-1.17-4.19
Once this PR is merged, you can update the PR labels via: