-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v1.11 backports 2022-02-17 #18836
v1.11 backports 2022-02-17 #18836
Conversation
[ upstream commit 76e3aac ] error message: panic: descriptor Desc{fqName: "cilium_operator_alibaba-cloud_api_duration_seconds", help: "Duration of interactions with API", constLabels: {}, variableLabels: [operation response_code]} is invalid: "cilium_operator_alibaba-cloud_api_duration_seconds" is not a valid metric name Signed-off-by: Jaff Cheng <jaff.cheng.sh@gmail.com> Signed-off-by: Maciej Kwiek <maciej@isovalent.com>
[ upstream commit 842f6c8 ] Currently, cilium-agent using alibaba ipam mode doesn't respect pre-allocate configuration from CNI config file when creating ciliumnode resource, and the value of pre-allocate is always the default value 8. This patch makes this option configurable via CNI config. Signed-off-by: Jaff Cheng <jaff.cheng.sh@gmail.com> Signed-off-by: Maciej Kwiek <maciej@isovalent.com>
[ upstream commit 98ca102 ] We currently have a race condition between functions AddToNodeIpset and InstallRules (see stacktrace below). AddToNodeIpset creates the ipset then adds the given IP address to that ipset. At the same time, InstallRules renames ipsets to a backup name, creates new ipsets, and removes the backups. Depending on timings, AddToNodeIpset may therefore attempt to add IPs to a nonexistent ipset. runDaemon() - NewDameon() - InitK8sSubsystem() - EnableK8sWatcher() * ciliumNodeInit() - NodeUpdated() - iptables.AddToNodeIpset() [...] - d.init() - d.Datapath().Loader().Reinitialize() - InstallRules() - removeRulesAndIpsets() We however don't need InstallRules to use a whole backup system for ipsets. This backup system makes sense for iptables rules because we may need to change them based on the agent configuration, but that's not the case for ipsets; their content doesn't depend on configuration. So either we need them and should create them, or we don't need them and we can remove any leftover ipsets. We never need to reset them. Fixes: 76551df ("iptables: Remove old ipsets") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com>
/test-backport-1.11 Job 'Cilium-PR-K8s-1.21-kernel-4.9' failed and has not been observed before, so may be related to your PR: Click to show.Test Name
Failure Output
If it is a flake, comment Job 'Cilium-PR-K8s-1.23-kernel-4.9' failed and has not been observed before, so may be related to your PR: Click to show.Test Name
Failure Output
If it is a flake, comment Job 'Cilium-PR-K8s-1.23-kernel-4.9' failed: Click to show.Test Name
Failure Output
If it is a flake and a GitHub issue doesn't already exist to track it, comment |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My changes look good. Thanks Maciej!
/ci-aks-1.11 |
/test-1.21-4.9 |
/test-1.21-5.4 |
/test-1.23-4.9 |
k8s-1.23-kernel-4.9 hit #13071, safe to ignore. It's the only failure, merging. |
Once this PR is merged, you can update the PR labels via:
or with