v1.13 Backports 2023-05-16 #25503

Merged
merged 11 commits into from
May 19, 2023

Commits on May 17, 2023

  1. test/k8s: for services test, wait for all applied manifests to delete

    [ upstream commit 6878133 ]
    
    In the K8sDatapathConfig tests "echo-svc" deployment Pods are failing to terminate while waiting to terminate all Pods.
    These come from a deployment, that shouldn't be applied in this suite. Presumably failure to delete is being caused by the Deployment controller restarting the Pods as they're deleted.
    
    To try to fix this, going to wait for applied yamls in K8sServices to be fully deleted, including finalizers.
    
    Addresses: #25255
    
    Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    tommyp1ckles authored and jibi committed May 17, 2023
    0f4926c
  2. test/provision/compile.sh: Make usable from dev VM

    [ upstream commit 0112ddb ]
    
    Add missing 'sudo' commands so that this can be run from a shell in a dev
    VM to launch a local cilium agent in docker.
    
    Only install the bpf mount unit to systemd if not already mounted. This
    avoids an error message like this:
    
        Unit sys-fs-bpf.mount has a bad unit file setting
    
    With these changes Cilium agent can be compiled and launched in docker,
    assuming the VM hostname does NOT include "k8s", like so:
    
       $ SKIP_TEST_IMAGE_DOWNLOAD=1 VMUSER=${USER} PROVISIONSRC=test/provision test/provision/compile.sh
    
    After this 'docker ps' should show a "cilium" container.
    
    This can be used, for example to quickly run Cilium agent locally to
    observe agent startup and exit logs via 'docker logs cilium -f' when
    stopping cilium with 'docker stop cilium'.
    
    Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    jrajahalme authored and jibi committed May 17, 2023
    db4adc7
  3. bpf: host: add drop notify for missed POLICY_EGRESSCALL_MAP tail-call

    [ upstream commit f601b4c ]
    
    We're returning a DROP reason, but nothing outside do_netdev() creates the
    corresponding drop notification from it.
    
    Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    julianwiedmann authored and jibi committed May 17, 2023
    5226086
  4. bpf: host: add drop notify for do_netdev_encrypt()

    [ upstream commit 9788f53 ]
    
    do_netdev_encrypt_encap() can return various errors, but its caller doesn't
    raise the corresponding drop notification.
    
    Also clean up the one case in do_netdev_encrypt_encap() where we currently
    *do* raise a drop notification.
    
    Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    julianwiedmann authored and jibi committed May 17, 2023
    3a219d7
  5. bpf: host: check ep->tunnel_endpoint in do_netdev_encrypt_encap()

    [ upstream commit e92863c ]
    
    __encap_and_redirect_with_nodeid() expects the caller to handle this check.
    Otherwise we end up encapsulating with an OuterDstIP of 0.0.0.0.
    
    I looked at all the other users, looks like this was the only one missing.
    
    Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    julianwiedmann authored and jibi committed May 17, 2023
    48f1dcf
  6. bpf: overlay: add drop notify for __encap_and_redirect_with_nodeid()

    [ upstream commit c058e9b ]
    
    Align with all the other error paths in tail_handle_arp() and raise a drop
    notification on error. This function is executed as a tail-call, so there's
    no surrounding code that would do this for us otherwise.
    
    Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    julianwiedmann authored and jibi committed May 17, 2023
    e0eaecc
  7. bpf: host: add drop notify for __encap_and_redirect_with_nodeid()

    [ upstream commit b96624d ]
    
    Add an error path for the from-netdev program that handles the missing
    drop notification.
    
    backporting conflicts:
    * bpf/bpf_host.c: some conflicts in cil_from_netdev as that function
      differs quite a bit in v1.13
    
    Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    julianwiedmann authored and jibi committed May 17, 2023
    9644c01
  8. test/k8s: update host policies for firewall tests.

    [ upstream commit 8f7a537 ]
    
    Allow ICMP/ICMPv6 traffic on all nodes.
    
    Fixes: #25344 #25343 #25342
    
    Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    tommyp1ckles authored and jibi committed May 17, 2023
    e4b6414
  9. bpf: nat: fix ICMPv6 ECHO types in snat_v6_rewrite_ingress()

    [ upstream commit 405bd39 ]
    
    When revSNATing ICMPv6 packets, check for the ICMPv6 type identifiers.
    
    Fixes: 0759290 ("bpf/nat: review snat_v{4|6}_rewrite_ingress to support more ICMP types")
    Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    julianwiedmann authored and jibi committed May 17, 2023
    8ab9cd6
  10. docs: Add Bottlerocket OS to validated distros

    [ upstream commit 7f3d8d0 ]
    
    This distro has recently been confirmed to play well with Cilium #15393
    
    Signed-off-by: Maciej Kwiek <maciej@isovalent.com>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    nebril authored and jibi committed May 17, 2023
    d86e0db
  11. docs: Fix broken link to backends leak issue

    [ upstream commit 800c7ef ]
    
    Signed-off-by: Akhil Velagapudi <4@4khil.com>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    akhilles authored and jibi committed May 17, 2023
    59d5b90