v1.11 backports 2021-11-30

.github/workflows/build-images-beta.yaml

@@ -0,0 +1,129 @@
+name: Beta Image Release Build
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Docker Image Tag'
+        required: true
+
+permissions: read-all
+
+jobs:
+  build-and-push:
+    if: ${{ github.repository == 'cilium/cilium' }}
+    environment: release-beta-images
+    runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        include:
+          - name: cilium
+            dockerfile: ./images/cilium/Dockerfile
+
+          - name: operator
+            dockerfile: ./images/operator/Dockerfile
+
+          - name: operator-aws
+            dockerfile: ./images/operator/Dockerfile
+
+          - name: operator-azure
+            dockerfile: ./images/operator/Dockerfile
+
+          - name: operator-alibabacloud
+            dockerfile: ./images/operator/Dockerfile
+
+          - name: operator-generic
+            dockerfile: ./images/operator/Dockerfile
+
+          - name: hubble-relay
+            dockerfile: ./images/hubble-relay/Dockerfile
+
+          - name: clustermesh-apiserver
+            dockerfile: ./images/clustermesh-apiserver/Dockerfile
+
+          - name: docker-plugin
+            dockerfile: ./images/cilium-docker-plugin/Dockerfile
+
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25
+
+      - name: Login to quay.io
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_BETA_USERNAME }}
+          password: ${{ secrets.QUAY_BETA_PASSWORD }}
+
+      - name: Getting image tag
+        id: tag
+        run: |
+          echo ::set-output name=tag::${GITHUB_REF##*/}
+
+      - name: Checking if tag already exists
+        id: tag-in-repositories
+        shell: bash
+        run: |
+          if docker buildx imagetools inspect quay.io/${{ github.repository_owner }}/${{ matrix.name }}-beta:${{ github.event.inputs.tag }} &>/dev/null; then
+            echo "Tag already exists!"
+            exit 1
+          fi
+
+      - name: Checkout Source Code
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+        with:
+          persist-credentials: false
+
+      - name: Release Build ${{ matrix.name }}
+        uses: docker/build-push-action@a66e35b9cbcf4ad0ea91ffcaf7bbad63ad9e0229
+        id: docker_build_release
+        with:
+          context: .
+          file: ${{ matrix.dockerfile }}
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            quay.io/${{ github.repository_owner }}/${{ matrix.name }}-beta:${{ github.event.inputs.tag }}
+            quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ github.sha }}
+          build-args: |
+            OPERATOR_VARIANT=${{ matrix.name }}
+
+      - name: Image Release Digest
+        shell: bash
+        run: |
+          mkdir -p image-digest/
+          echo "## ${{ matrix.name }}" > image-digest/${{ matrix.name }}.txt
+          echo "" >> image-digest/${{ matrix.name }}.txt
+          echo "\`quay.io/${{ github.repository_owner }}/${{ matrix.name }}-beta:${{ github.event.inputs.tag }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt
+          echo "\`quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ github.sha }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt
+          echo "" >> image-digest/${{ matrix.name }}.txt
+
+      # Upload artifact digests
+      - name: Upload artifact digests
+        uses: actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074
+        with:
+          name: image-digest ${{ matrix.name }}
+          path: image-digest
+          retention-days: 1
+
+  image-digests:
+    if: ${{ github.repository == 'cilium/cilium' }}
+    name: Display Digests
+    runs-on: ubuntu-20.04
+    needs: build-and-push
+    steps:
+      - name: Downloading Image Digests
+        shell: bash
+        run: |
+          mkdir -p image-digest/
+
+      - name: Download digests of all images built
+        uses: actions/download-artifact@3be87be14a055c47b01d3bd88f8fe02320a9bb60
+        with:
+          path: image-digest/
+
+      - name: Image Digests Output
+        shell: bash
+        run: |
+          cd image-digest/
+          find -type f | sort | xargs -d '\n' cat

Documentation/concepts/networking/ipam/eni.rst

@@ -405,7 +405,7 @@ ENI Deletion Policy
 ENIs can be marked for deletion when the EC2 instance to which the ENI is
 attached to is terminated. In order to enable this, the option
 ``spec.eni.delete-on-termination`` can be enabled. If enabled, the ENI
-is modifying after creation using ``ModifyNetworkInterface`` to specify this
+is modified after creation using ``ModifyNetworkInterfaceAttribute`` to specify this
 deletion policy.
 
 Node Termination
@@ -430,7 +430,7 @@ perform ENI creation and IP allocation:
  * ``DescribeSecurityGroups``
  * ``CreateNetworkInterface``
  * ``AttachNetworkInterface``
- * ``ModifyNetworkInterface``
+ * ``ModifyNetworkInterfaceAttribute``
  * ``AssignPrivateIpAddresses``
  * ``CreateTags``
 

Documentation/gettingstarted/encryption-ipsec.rst

@@ -96,7 +96,7 @@ Enable Encryption in Cilium
    When using Cilium in any direct routing configuration, ensure that the
    native routing CIDR is set properly. This is done using
    ``--ipv4-native-routing-cidr=CIDR`` with the CLI or ``--set
-   nativeRoutingCIDR=CIDR`` with Helm.
+   ipv4NativeRoutingCIDR=CIDR`` with Helm.
 
 At this point the Cilium managed nodes will be using IPsec for all traffic. For further
 information on Cilium's transparent encryption, see :ref:`ebpf_datapath`.

Documentation/gettingstarted/k8s-install-default.rst

@@ -291,14 +291,14 @@ You can install Cilium on any Kubernetes cluster. Pick one of the options below:
     .. group-tab:: k3s
 
        .. include:: requirements-k3s.rst
-      
+
        **Install Cilium:**
 
        Install Cilium into your newly created Kubernetes cluster:
 
        .. code-block:: shell-session
 
-           cilium install
+           KUBECONFIG=/etc/rancher/k3s/k3s.yaml cilium install
 
 
 If the installation fails for some reason, run ``cilium status`` to retrieve

Documentation/gettingstarted/k8s-install-helm.rst

@@ -73,7 +73,7 @@ Install Cilium
             --set cni.binPath=/home/kubernetes/bin \\
             --set gke.enabled=true \\
             --set ipam.mode=kubernetes \\
-            --set nativeRoutingCIDR=$NATIVE_CIDR
+            --set ipv4NativeRoutingCIDR=$NATIVE_CIDR
 
        The NodeInit DaemonSet is required to prepare the GKE nodes as nodes are added
        to the cluster. The NodeInit DaemonSet will perform the following actions:

Documentation/gettingstarted/k8s-install-openshift-okd.rst

@@ -112,7 +112,7 @@ The resulting configuration will look like this:
 You may wish to make a few changes, e.g. increase the number of nodes.
 
 If you do change any of the CIDRs, you will need to make sure that Helm values in ``${CLUSTER_NAME}/manifests/cluster-network-07-cilium-ciliumconfig.yaml``
-reflect those changes. Namely ``clusterNetwork`` should match ``nativeRoutingCIDR``, ``clusterPoolIPv4PodCIDRList`` and ``clusterPoolIPv4MaskSize``.
+reflect those changes. Namely ``clusterNetwork`` should match ``ipv4NativeRoutingCIDR``, ``clusterPoolIPv4PodCIDRList`` and ``clusterPoolIPv4MaskSize``.
 Also make sure that the ``clusterNetwork`` does not conflict with ``machineNetwork`` (which represents the VPC CIDR in AWS).
 
 .. warning::

Documentation/gettingstarted/kind-preload.rst

@@ -2,5 +2,5 @@ Preload the ``cilium`` image into each worker node in the kind cluster:
 
 .. parsed-literal::
 
-  docker pull cilium/cilium:|IMAGE_TAG|
-  kind load docker-image cilium/cilium:|IMAGE_TAG|
+  docker pull quay.io/cilium/cilium:|IMAGE_TAG|
+  kind load docker-image quay.io/cilium/cilium:|IMAGE_TAG|

Documentation/operations/upgrade.rst

@@ -335,6 +335,12 @@ Annotations:
   interruption of the connectivity between the client pods and the egress
   gateway nodes.
 
+Removed Metrics/Labels
+~~~~~~~~~~~~~~~~~~~~~~
+
+* ``cilium_operator_identity_gc_entries_total`` is removed. Please use ``cilium_operator_identity_gc_entries`` instead.
+* ``cilium_operator_identity_gc_runs_total`` is removed. Please use ``cilium_operator_identity_gc_runs`` instead.
+
 Removed Options
 ~~~~~~~~~~~~~~~
 

Makefile

@@ -35,7 +35,7 @@ SWAGGER := $(CONTAINER_ENGINE) run -u $(shell id -u):$(shell id -g) --rm -v $(CU
 
 COVERPKG_EVAL := $(shell if [ $$(echo "$(TESTPKGS)" | wc -w) -gt 1 ]; then echo "./..."; else echo "github.com/cilium/cilium/$(TESTPKGS)"; fi)
 COVERPKG ?= $(COVERPKG_EVAL)
-GOTEST_BASE := -test.v -timeout 500s
+GOTEST_BASE := -test.v -timeout 600s
 GOTEST_UNIT_BASE := $(GOTEST_BASE) -check.vv
 GOTEST_COVER_OPTS += -coverprofile=coverage.out -coverpkg $(COVERPKG)
 BENCH_EVAL := "."

bpf/Makefile

@@ -102,7 +102,7 @@ else ifeq ("$(KERNEL)","netnext")
 # We define ETH_HLEN only for net-next, as bpf_skb_change_head is non-available
 # on 4.{9,19}.
 MAX_BASE_OPTIONS += -DENABLE_TPROXY=1 -DENABLE_REDIRECT_FAST=1 -DENABLE_BANDWIDTH_MANAGER=1 \
-	-DENABLE_CUSTOM_CALLS=1 -DETH_HLEN=0
+	-DENABLE_CUSTOM_CALLS=1 -DETH_HLEN=0 -DENABLE_WIREGUARD
 endif
 endif
 
@@ -254,7 +254,8 @@ LXC_OPTIONS = \
 	 -DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_IPV4:-DENABLE_IPV6:-DPOLICY_VERDICT_NOTIFY: \
 	 -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DUSE_BPF_PROG_FOR_INGRESS_POLICY: \
 	 -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DHAVE_LPM_TRIE_MAP_TYPE:-DHAVE_LRU_HASH_MAP_TYPE:-DENABLE_TPROXY:-DENABLE_REDIRECT_FAST: \
-	 -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DHAVE_LPM_TRIE_MAP_TYPE:-DHAVE_LRU_HASH_MAP_TYPE:-DENABLE_TPROXY:-DENABLE_REDIRECT_FAST:-DENABLE_SKIP_FIB:
+	 -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DHAVE_LPM_TRIE_MAP_TYPE:-DHAVE_LRU_HASH_MAP_TYPE:-DENABLE_TPROXY:-DENABLE_REDIRECT_FAST:-DENABLE_SKIP_FIB: \
+	 -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DHAVE_LPM_TRIE_MAP_TYPE:-DHAVE_LRU_HASH_MAP_TYPE:-DENABLE_TPROXY:-DENABLE_REDIRECT_FAST:-DENABLE_SKIP_FIB:-DENABLE_WIREGUARD:
 
 # These options are intended to max out the BPF program complexity. it is load
 # tested as well.

bpf/complexity-tests/netnext/bpf_lxc.txt

@@ -1,3 +1,3 @@
--DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_HOST_SERVICES_TCP=1 -DENABLE_HOST_SERVICES_UDP=1 -DENABLE_HOST_REDIRECT=1 -DENABLE_ROUTING=1 -DNO_REDIRECT=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_REDIRECT_FAST=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENABLE_CUSTOM_CALLS=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1
--DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_HOST_SERVICES_TCP=1 -DENABLE_HOST_SERVICES_UDP=1 -DENABLE_HOST_REDIRECT=1 -DENABLE_ROUTING=1 -DNO_REDIRECT=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_REDIRECT_FAST=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENABLE_CUSTOM_CALLS=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1
--DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_HOST_SERVICES_TCP=1 -DENABLE_HOST_SERVICES_UDP=1 -DENABLE_HOST_REDIRECT=1 -DENABLE_ROUTING=1 -DNO_REDIRECT=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_REDIRECT_FAST=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENABLE_CUSTOM_CALLS=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1
+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_HOST_SERVICES_TCP=1 -DENABLE_HOST_SERVICES_UDP=1 -DENABLE_HOST_REDIRECT=1 -DENABLE_ROUTING=1 -DNO_REDIRECT=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_REDIRECT_FAST=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENABLE_CUSTOM_CALLS=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_WIREGUARD
+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_HOST_SERVICES_TCP=1 -DENABLE_HOST_SERVICES_UDP=1 -DENABLE_HOST_REDIRECT=1 -DENABLE_ROUTING=1 -DNO_REDIRECT=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_REDIRECT_FAST=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENABLE_CUSTOM_CALLS=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_WIREGUARD
+-DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_HOST_SERVICES_TCP=1 -DENABLE_HOST_SERVICES_UDP=1 -DENABLE_HOST_REDIRECT=1 -DENABLE_ROUTING=1 -DNO_REDIRECT=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_REDIRECT_FAST=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENABLE_CUSTOM_CALLS=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_WIREGUARD

bugtool/cmd/configuration.go

@@ -258,8 +258,8 @@ func routeCommands() []string {
 	routes, _ := execCommand("ip route show table all | grep -E --only-matching 'table [0-9]+'")
 
 	for _, r := range bytes.Split(bytes.TrimSuffix(routes, []byte("\n")), []byte("\n")) {
-		routeTablev4 := fmt.Sprintf("ip -4 route show %v", r)
-		routeTablev6 := fmt.Sprintf("ip -6 route show %v", r)
+		routeTablev4 := fmt.Sprintf("ip -4 route show %s", r)
+		routeTablev6 := fmt.Sprintf("ip -6 route show %s", r)
 		commands = append(commands, routeTablev4, routeTablev6)
 	}
 	return commands

bugtool/cmd/root.go

@@ -399,7 +399,7 @@ func writeCmdToFile(cmdDir, prompt string, k8sPods []string, enableMarkdown bool
 		// produced might have useful information
 		if bytes.Contains(output, []byte("```")) || !enableMarkdown {
 			// Already contains Markdown, print as is.
-			fmt.Fprint(f, output)
+			fmt.Fprint(f, string(output))
 		} else if enableMarkdown && len(output) > 0 {
 			// Write prompt as header and the output as body, and/or error but delete empty output.
 			fmt.Fprint(f, fmt.Sprintf("# %s\n\n```\n%s\n```\n", prompt, output))

cilium-health/launch/endpoint.go

@@ -304,7 +304,7 @@ func LaunchAsEndpoint(baseCtx context.Context,
 
 	pidfile := filepath.Join(option.Config.StateDir, PidfilePath)
 	prog := "ip"
-	args := []string{"netns", "exec", netNSName, binaryName, "--pidfile", pidfile}
+	args := []string{"netns", "exec", netNSName, binaryName, "--listen", strconv.Itoa(option.Config.ClusterHealthPort), "--pidfile", pidfile}
 	cmd.SetTarget(prog)
 	cmd.SetArgs(args)
 	log.Debugf("Spawning health endpoint with command %q %q", prog, args)

cilium-health/responder/main.go

@@ -22,15 +22,6 @@ import (
 	"golang.org/x/sys/unix"
 )
 
-func cancelOnSignal(cancel context.CancelFunc, sig ...os.Signal) {
-	c := make(chan os.Signal, 1)
-	signal.Notify(c, sig...)
-	go func() {
-		<-c
-		cancel()
-	}()
-}
-
 func main() {
 	var (
 		pidfilePath string
@@ -41,8 +32,7 @@ func main() {
 	flag.Parse()
 
 	// Shutdown gracefully to halt server and remove pidfile
-	ctx, cancel := context.WithCancel(context.Background())
-	cancelOnSignal(cancel, unix.SIGINT, unix.SIGHUP, unix.SIGTERM, unix.SIGQUIT)
+	ctx, cancel := signal.NotifyContext(context.Background(), unix.SIGINT, unix.SIGHUP, unix.SIGTERM, unix.SIGQUIT)
 
 	srv := responder.NewServer(listen)
 	defer srv.Shutdown()

contrib/scripts/quarantine.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+set -e
+set -o pipefail
+
+indent() {
+    sed 's/^/  /'
+}
+
+main() {
+    tmpfile=$(mktemp)
+    trap 'rm -f -- $tmpfile' EXIT
+
+    if [ $# -lt 1 ] || [ $# -gt 1 ]; then
+        >&2 echo "usage: $0 <focus-phrase>"
+        return 1
+    fi
+
+    if ! git grep -q "$1"; then
+        >&2 echo "Unable to find phrase."
+        return 1
+    fi
+
+    if ! git diff --quiet || ! git diff --quiet --cached; then
+        >&2 echo "Local changes in the git tree break this script. Stage your changes to continue."
+        return 1
+    fi
+
+    files=( $(git grep -l "$1" test/*/*go) )
+    for f in "${files[@]}"; do
+        commits=( $(git blame $f | grep "$1" |  awk '{ print $1; }') )
+        authors=()
+        for c in "${commits[@]}"; do
+            authors+=( "$(git log -1 $c --pretty='%aN <%aE>')" )
+        done
+
+        sed -i '/Quarantine/b; s/\(SkipItIf([^,]*\),\(.*'"$1"'.*\)/\1 || helpers.SkipQuarantined,\2/g' $f
+        sed -i '/Quarantine/b; s/\(SkipContextIf([^,]*\),\(.*'"$1"'.*\)/\1 || helpers.SkipQuarantined,\2/g' $f
+        sed -i 's/It(\(.*'"$1"'.*\)$/SkipItIf(helpers.SkipQuarantined, \1/g' $f
+        sed -i 's/Context(\(.*'"$1"'.*\)$/SkipContextIf(helpers.SkipQuarantined, \1/g' $f
+
+        git add $f || ( >&2 echo "Unable to disable test, maybe the declaration is multi-line?" && return 1 )
+
+        >$tmpfile echo "test/$(basename $f | sed 's/\.go//'): Quarantine '$1'"
+        >>$tmpfile echo
+        for a in "${authors[@]}"; do
+            if grep -q "$a" $tmpfile; then
+                continue
+            fi
+            >>$tmpfile echo "CC: $a"
+        done
+        git commit --signoff --quiet --message "$(cat $tmpfile)"
+    done
+}
+
+main "$@"