Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

daemon: Allow to enable PCAP recorder in non-lb mode #18592

Merged
merged 1 commit into from
Jan 24, 2022
Merged

daemon: Allow to enable PCAP recorder in non-lb mode #18592

merged 1 commit into from
Jan 24, 2022

Conversation

brb
Copy link
Member

@brb brb commented Jan 24, 2022

Previously, the PCAP recorder [1] was enabled only when running the
lb-only mode. However, there was an ask from users, who are running KPR
in the XDP mode, to have means to observe the LB traffic (tcpdump
cannot be used for XDP progs).

Why we didn't allow it before? Our main concern was potential verifier
complexity issues. But considering that the opt is disabled by default,
it's up to a user to take the potential risk.

Tested manually on the 5.16 kernel with the following cmds:

./daemon/cilium-agent  --debug=true --enable-ipv4=true
--enable-ipv6=false --disable-envoy-version-check=true
--tunnel=disabled --k8s-kubeconfig-path=/home/vagrant/.kube/config
--kube-proxy-replacement=strict --native-routing-cidr=10.154.0.0/16
--enable-ipv4-masquerade=true --auto-direct-node-routes=true
--enable-hubble=true --enable-recorder=true --bpf-lb-acceleration=native
--bpf-lb-acceleration=testing-only

# create nginx pod and expose it via NodePort service

hubble record --server=unix:///var/run/cilium/hubble.sock "0.0.0.0/0
0 192.168.34.11/32 31894 TCP"

# access the svc from outside

2022-01-24T10:25:03Z Status: 14 packets (1106 bytes) written

[1]: https://cilium.io/blog/2021/05/20/cilium-110#pcap

@brb brb added kind/enhancement This would improve or streamline existing functionality. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. needs-backport/1.11 labels Jan 24, 2022
@brb brb requested review from borkmann and a team January 24, 2022 10:34
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.11.2 Jan 24, 2022
@brb
daemon: Allow to enable PCAP recorder in non-lb mode
db53a2d 
Previously, the PCAP recorder [1] was enabled only when running the
lb-only mode. However, there was an ask from users, who are running KPR
in the XDP mode, to have means to observe the LB traffic (tcpdump
cannot be used for XDP progs).

Why we didn't allow it before? Our main concern was potential verifier
complexity issues. But considering that the opt is disabled by default,
it's up to a user to take the potential risk.

Tested manually on the 5.16 kernel with the following cmds:

    ./daemon/cilium-agent  --debug=true --enable-ipv4=true
    --enable-ipv6=false --disable-envoy-version-check=true
    --tunnel=disabled --k8s-kubeconfig-path=/home/vagrant/.kube/config
    --kube-proxy-replacement=strict --native-routing-cidr=10.154.0.0/16
    --enable-ipv4-masquerade=true --auto-direct-node-routes=true
    --enable-hubble=true --enable-recorder=true --bpf-lb-acceleration=native
    --bpf-lb-acceleration=testing-only

    # create nginx pod and expose it via NodePort service

    hubble record --server=unix:///var/run/cilium/hubble.sock "0.0.0.0/0
    0 192.168.34.11/32 31894 TCP"

    # access the svc from outside

    2022-01-24T10:25:03Z Status: 14 packets (1106 bytes) written

[1]: https://cilium.io/blog/2021/05/20/cilium-110#pcap

Signed-off-by: Martynas Pumputis <m@lambda.lt>
@brb
Copy link
Member Author

brb commented Jan 24, 2022

No need to run the full CI.

@brb brb added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jan 24, 2022
@borkmann borkmann merged commit 92bf6c6 into master Jan 24, 2022
@borkmann borkmann deleted the pr/brb/enable-pcap-recorder branch January 24, 2022 11:00
@borkmann borkmann mentioned this pull request Jan 24, 2022
Closed
@kkourt kkourt mentioned this pull request Jan 26, 2022
Merged
@glibsm glibsm added backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. and removed backport-pending/1.11 labels Jan 30, 2022
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport done to v1.11 in 1.11.2 Jan 30, 2022
@joestringer joestringer mentioned this pull request Feb 23, 2022
Merged
@brb brb mentioned this pull request May 5, 2022
Closed
@borkmann borkmann mentioned this pull request Feb 1, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@borkmann borkmann borkmann approved these changes

Assignees
No one assigned
Labels
backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. kind/enhancement This would improve or streamline existing functionality. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
Projects
No open projects
1.11.2
Backport done to v1.11
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@brb @borkmann @glibsm @kkourt