[v1.8] bpf: unconditionally enable tail calls in bpf_lxc #16965
The following cilium agent configuration [1] leads to the health endpoint lxc program to fail to load on 5.4 (tested using the dev VMs). The configuration does not enable IPv6, which means that the tailcalls on bpf_lxc are not enabled.

This patch fixes this issue by unconditionally enabling tailcalls. The patch keeps the compile-time checks in case we want to modify this behaviour at a later time.

[1]: --enable-hubble --hubble-listen-address :4244 --enable-k8s-event-handover --k8s-require-ipv4-pod-cidr --kube-proxy-replacement=partial --enable-remote-node-identity=false --enable-ipv6=false -t vxlan --k8s-kubeconfig-path/var/lib/cilium/cilium.kubeconfig --identity-allocation-mode=crd --enable-k8s-event-handover=false --enable-session-affinity --enable-node-port=false --enable-bpf-clock-probe=true --enable-bpf-masquerade=true --bpf-map-dynamic-size-ratio='0.0' --bpf-policy-map-max='65536' --disable-cnp-status-updates='true' --disable-endpoint-crd='true' --enable-api-rate-limit='true' --enable-external-ips='false' --enable-host-port='false' --enable-k8s-event-handover='true' --identity-allocation-mode=crd --enable-remote-node-identity='false' --enable-well-known-identities='false' --mtu=1500 --preallocate-bpf-maps='false' --monitor-aggregation='medium' --monitor-aggregation-flags=all"

Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
test-backport-1.8
Cilium-PR-K8s-Upstream seems to be hitting a vagrant ssh issue:
Will restart it.
test-upstream-k8s
For the k8s-1.18-kernel-4.9 (test-1.18-4.9) failure, Failure log reports:
From the corresponding build artifact:
For which @nbusseneau pointed out that:
After retry, test-upstream-k8s is now green. The only remaining failure is k8s-1.18-kernel-4.9 (test-1.18-4.9), which, as discussed above, is expected to be addressed once #16554 is backported to 1.8. I think there is an argument to be made for merging this PR as is, since it addresses an existing user issue. @cilium/cilium-maintainers thoughts?
Minor non-blocking comment.
@@ -433,8 +435,7 @@ static __always_inline int handle_ipv6(struct __ctx_buff *ctx, __u32 *dstID) | |||
return ipv6_l3_from_lxc(ctx, &tuple, ETH_HLEN, ip6, dstID); | |||
} | |||
|
|||
declare_tailcall_if(__or(__and(is_defined(ENABLE_IPV4), is_defined(ENABLE_IPV6)), | |||
is_defined(DEBUG)), CILIUM_CALL_IPV6_FROM_LXC) | |||
declare_tailcall_if(ENABLE_LXC_TAILCALLS, CILIUM_CALL_IPV6_FROM_LXC) |
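Review bot: ENABLE_LXC_TAILCALLS in the declare_tailcall_if(..., CILIUM_CALL_IPV6_FROM_LXC) line is neither defined nor explained in this hunk, and the expression it replaces (ENABLE_IPV4 and ENABLE_IPV6 both defined, or DEBUG) is no longer visible anywhere near handle_ipv6. Please put a short comment at the definition of ENABLE_LXC_TAILCALLS saying that it is forced on for this branch and why, and record the previous condition there so a later change can restore it without digging through history. It is also worth confirming that the site that dispatches to CILIUM_CALL_IPV6_FROM_LXC is gated on the same macro, since this hunk only shows the declaration side.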
I would probably have kept the original conditions and just changed to __or(ENABLE_LXC_TAILCALLS, $PREV_COND)).
I agree this would be nice documentation, but if the condition is going to be hardcoded to 1 then it doesn't make such a big difference. We can always look back into git or do a revert if we want to switch back to the old behaviour. This is also limited to v1.8 branch so the latest will continue to document the real intent here.
The cilium agent configuration below leads to the health endpoint
lxc program to fail to load on 5.4 (tested using the dev VMs). The
configuration does not enable IPv6, which means that the tailcalls on
bpf_lxc are not enabled.
This patch fixes this issue by unconditionally enabling tailcalls. The
patch keeps the compile-time checks in case we want to modify this
behaviour at a later time.
Configuration:
Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>