bpf: Derive host netns cookie via SO_NETNS_COOKIE #17018
test-me-please
Job 'Cilium-PR-Runtime-4.9' failed and has not been observed before, so may be related to your PR.
If it is a flake, comment |
small nit, but LGTM
76ee0c1 to d612829
When running in nested environments (e.g. Kind), cilium-agent does not run in the host netns. So, in such cases the cookie comparison based on bpf_get_netns_cookie(NULL) in bpf_sock.c for checking whether a socket belongs to a host netns does not work. This breaks some socket-lb functionality.

To fix this, we derive the cookie of the netns in which cilium-agent runs via getsockopt(...SO_NETNS_COOKIE...) and then use it in the check above. This is based on an assumption that cilium-agent always runs with "hostNetwork: true".

Signed-off-by: Martynas Pumputis <m@lambda.lt>
test-1.16-netnext |
lgtm
ci-l4lb |
When running in nested environments (e.g. Kind), cilium-agent does not
run in the host netns. So, in such cases the cookie comparison based on
bpf_get_netns_cookie(NULL) in bpf_sock.c for checking whether a socket
belongs to a host netns does not work. This breaks some socket-lb
functionality.
To fix this, we derive the cookie of the netns in which cilium-agent
runs via getsockopt(...SO_NETNS_COOKIE...) and then use it in the check
above. This is based on an assumption that cilium-agent always runs with
"hostNetwork: true".
Fix #14956
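
The derivation the description refers to, as an added example that is not part of this PR or of Cilium's code: a process reads the cookie of the network namespace it runs in with `getsockopt(SO_NETNS_COOKIE)`, and a cookie comparison then decides whether a socket sits in that same netns. The function names are hypothetical, and the fallback define for `SO_NETNS_COOKIE` (asm-generic value 71, available from Linux 5.14) is an assumption for older headers.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SO_NETNS_COOKIE
#define SO_NETNS_COOKIE 71 /* assumption: asm-generic value, Linux >= 5.14 */
#endif

/* Hypothetical helper: store the cookie of the caller's netns in *cookie.
 * Returns 0 on success or -errno (-ENOPROTOOPT on kernels without the option). */
int own_netns_cookie(uint64_t *cookie)
{
    socklen_t len = sizeof(*cookie);
    int rc = 0;
    /* Any socket works: the option reports the netns the socket was created in. */
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        return -errno;
    if (getsockopt(fd, SOL_SOCKET, SO_NETNS_COOKIE, cookie, &len) < 0)
        rc = -errno;
    else if (len != sizeof(*cookie))
        rc = -EINVAL; /* kernel returned something other than a u64 */
    close(fd);
    return rc;
}

/* Hypothetical user-space model of the check: a socket counts as "host"
 * only if its netns cookie equals the one derived for the agent's netns. */
int in_agent_netns(uint64_t sock_cookie, uint64_t agent_cookie)
{
    return sock_cookie == agent_cookie;
}

int main(void)
{
    uint64_t cookie = 0;
    int rc = own_netns_cookie(&cookie);

    if (rc < 0) {
        fprintf(stderr, "SO_NETNS_COOKIE unavailable: %s\n", strerror(-rc));
        return 1;
    }
    printf("netns cookie: %llu\n", (unsigned long long)cookie);
    return 0;
}
```

The value is only meaningful as the host cookie if the process really shares the host netns, which is the "hostNetwork: true" assumption stated in the description.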