v1.13 Backports 2023-05-16

Documentation/network/kubernetes/kubeproxy-free.rst

@@ -1513,7 +1513,7 @@ The fixes to clean up leaked duplicate backend entries were backported to older
 releases, and are available as part of Cilium versions v1.11.16, v1.12.9 and v1.13.2.
 Fresh clusters deploying Cilium versions 1.11.15 or later don't experience this leak issue.
 
-For more information, see `this GitHub issue <https://github.com/cilium/cilium/issues/235514>`__.
+For more information, see `this GitHub issue <https://github.com/cilium/cilium/issues/23551>`__.
 
 Limitations
 ###########

Documentation/operations/system_requirements.rst

@@ -68,6 +68,7 @@ run Cilium.
 Distribution               Minimum Version
 ========================== ====================
 `Amazon Linux 2`_          all
+`Bottlerocket OS`_         all
 `CentOS`_                  >= 8.0
 `Container-Optimized OS`_  all
 `CoreOS`_                  all
@@ -89,6 +90,7 @@ Ubuntu_                    >= 18.04.3
 .. _RedHat Enterprise Linux: https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux
 .. _Ubuntu: https://wiki.ubuntu.com/YakketyYak/ReleaseNotes#Linux_kernel_4.8
 .. _Opensuse: https://www.opensuse.org/
+.. _Bottlerocket OS: https://github.com/bottlerocket-os/bottlerocket
 
 .. note:: The above list is based on feedback by users. If you find an unlisted
           Linux distribution that works well, please let us know by opening a

bpf/bpf_host.c

@@ -736,10 +736,8 @@ static __always_inline int do_netdev_encrypt_encap(struct __ctx_buff *ctx, __u32
 		break;
 # endif /* ENABLE_IPV4 */
 	}
-	if (!ep)
-		return send_drop_notify_error(ctx, src_id,
-					      DROP_NO_TUNNEL_ENDPOINT,
-					      CTX_ACT_DROP, METRIC_EGRESS);
+	if (!ep || !ep->tunnel_endpoint)
+		return DROP_NO_TUNNEL_ENDPOINT;
 
 	ctx->mark = 0;
 	bpf_clear_meta(ctx);
@@ -771,7 +769,8 @@ do_netdev(struct __ctx_buff *ctx, __u16 proto, const bool from_host)
 
 			ctx->mark = 0;
 			tail_call_dynamic(ctx, &POLICY_EGRESSCALL_MAP, lxc_id);
-			return DROP_MISSED_TAIL_CALL;
+			return send_drop_notify_error(ctx, identity, DROP_MISSED_TAIL_CALL,
+						      CTX_ACT_DROP, METRIC_EGRESS);
 		}
 	}
 #endif
@@ -794,7 +793,11 @@ do_netdev(struct __ctx_buff *ctx, __u16 proto, const bool from_host)
 			send_trace_notify(ctx, TRACE_FROM_STACK, identity, 0, 0,
 					  ctx->ingress_ifindex, TRACE_REASON_ENCRYPTED,
 					  TRACE_PAYLOAD_LEN);
-			return do_netdev_encrypt(ctx, identity);
+			ret = do_netdev_encrypt(ctx, identity);
+			if (IS_ERR(ret))
+				return send_drop_notify_error(ctx, identity, ret,
+							      CTX_ACT_DROP, METRIC_EGRESS);
+			return ret;
 		}
 #endif
 
@@ -996,6 +999,7 @@ __section("from-netdev")
 int cil_from_netdev(struct __ctx_buff *ctx)
 {
 	__u32 __maybe_unused vlan_id;
+	int ret;
 
 #ifdef ENABLE_NODEPORT_ACCELERATION
 #ifdef HAVE_ENCAP
@@ -1011,10 +1015,15 @@ int cil_from_netdev(struct __ctx_buff *ctx)
 	if (flags & XFER_PKT_ENCAP) {
 		edt_set_aggregate(ctx, 0);
 
-		return __encap_and_redirect_with_nodeid(ctx, ctx_get_xfer(ctx, XFER_ENCAP_NODEID),
+		ret = __encap_and_redirect_with_nodeid(ctx, ctx_get_xfer(ctx, XFER_ENCAP_NODEID),
 							ctx_get_xfer(ctx, XFER_ENCAP_SECLABEL),
 							ctx_get_xfer(ctx, XFER_ENCAP_DSTID),
 							NOT_VTEP_DST, &trace);
+
+		if (IS_ERR(ret))
+			goto drop_err;
+
+		return ret;
 	}
 #endif
 #endif
@@ -1026,13 +1035,16 @@ int cil_from_netdev(struct __ctx_buff *ctx)
 		if (vlan_id) {
 			if (allow_vlan(ctx->ifindex, vlan_id))
 				return CTX_ACT_OK;
-			else
-				return send_drop_notify_error(ctx, 0, DROP_VLAN_FILTERED,
-							      CTX_ACT_DROP, METRIC_INGRESS);
+
+			ret = DROP_VLAN_FILTERED;
+			goto drop_err;
 		}
 	}
 
 	return handle_netdev(ctx, false);
+
+drop_err:
+	return send_drop_notify_error(ctx, 0, ret, CTX_ACT_DROP, METRIC_INGRESS);
 }
 
 /*

bpf/bpf_overlay.c

@@ -379,15 +379,19 @@ int tail_handle_arp(struct __ctx_buff *ctx)
 	ret = arp_prepare_response(ctx, &mac, tip, &smac, sip);
 	if (unlikely(ret != 0))
 		return send_drop_notify_error(ctx, 0, ret, CTX_ACT_DROP, METRIC_EGRESS);
-	if (info->tunnel_endpoint)
-		return __encap_and_redirect_with_nodeid(ctx,
-							info->tunnel_endpoint,
-							LOCAL_NODE_ID,
-							WORLD_ID,
-							WORLD_ID,
-							&trace);
-
-	return send_drop_notify_error(ctx, 0, DROP_UNKNOWN_L3, CTX_ACT_DROP, METRIC_EGRESS);
+	if (info->tunnel_endpoint) {
+		ret = __encap_and_redirect_with_nodeid(ctx, info->tunnel_endpoint,
+						       LOCAL_NODE_ID, WORLD_ID,
+						       WORLD_ID, &trace);
+		if (IS_ERR(ret))
+			goto drop_err;
+
+		return ret;
+	}
+
+	ret = DROP_UNKNOWN_L3;
+drop_err:
+	return send_drop_notify_error(ctx, 0, ret, CTX_ACT_DROP, METRIC_EGRESS);
 
 pass_to_stack:
 	send_trace_notify(ctx, TRACE_TO_STACK, 0, 0, 0, ctx->ingress_ifindex,

bpf/lib/nat.h

@@ -1248,7 +1248,7 @@ static __always_inline int snat_v6_rewrite_ingress(struct __ctx_buff *ctx,
 
 			if (ctx_load_bytes(ctx, off, &type, 1) < 0)
 				return DROP_INVALID;
-			if (type == ICMP_ECHO || type == ICMP_ECHOREPLY) {
+			if (type == ICMPV6_ECHO_REQUEST || type == ICMPV6_ECHO_REPLY) {
 				if (ctx_store_bytes(ctx, off +
 						    offsetof(struct icmp6hdr,
 							     icmp6_dataun.u_echo.identifier),

test/k8s/manifests/host-policies.yaml

@@ -93,3 +93,19 @@ specs:
     - toEntities:
       - health
       - world
+  - description: "Allow ICMP/ICMPv6 traffic on all nodes"
+    nodeSelector: {}
+    ingress:
+    - icmps:
+      - fields:
+        - type: 8
+          family: IPv4
+        - type: 128
+          family: IPv6
+    egress:
+    - icmps:
+      - fields:
+        - type: 8
+          family: IPv4
+        - type: 128
+          family: IPv6

test/k8s/services.go

@@ -7,6 +7,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"sync"
 	"time"
 
 	"github.com/asaskevich/govalidator"
@@ -89,9 +90,19 @@ var _ = SkipDescribeIf(helpers.RunsOn54Kernel, "K8sDatapathServicesTest", func()
 		})
 
 		AfterAll(func() {
+			wg := sync.WaitGroup{}
 			for _, yaml := range yamls {
-				kubectl.Delete(yaml)
+				wg.Add(1)
+				go func(yaml string) {
+					defer wg.Done()
+					// Ensure that all deployments are fully cleaned up before
+					// proceeding to the next test.
+					res := kubectl.DeleteAndWait(yaml, true)
+
+					Expect(res.WasSuccessful()).Should(BeTrue(), "Unable to cleanup yaml: %s", yaml)
+				}(yaml)
 			}
+			wg.Wait()
 			ExpectAllPodsTerminated(kubectl)
 		})
 

test/provision/compile.sh

@@ -5,7 +5,7 @@ export CILIUM_DS_TAG="k8s-app=cilium"
 export KUBE_SYSTEM_NAMESPACE="kube-system"
 export KUBECTL="/usr/bin/kubectl"
 export VMUSER=${VMUSER:-vagrant}
-export PROVISIONSRC="/tmp/provision"
+export PROVISIONSRC=${PROVISIONSRC:-/tmp/provision}
 export GOPATH="/home/${VMUSER}/go"
 export REGISTRY="k8s1:5000"
 export DOCKER_REGISTRY="docker.io"
@@ -118,7 +118,7 @@ then
 else
     echo "Installing docker-plugin..."
     make -C plugins/cilium-docker
-    make -C plugins/cilium-docker install
+    sudo make -C plugins/cilium-docker install
 
     if [[ "${CILIUM_IMAGE}" == "" ]]; then
 	export CILIUM_IMAGE=cilium/cilium:latest
@@ -127,20 +127,24 @@ else
     fi
     sudo cp ${PROVISIONSRC}/docker-run-cilium.sh /usr/bin/docker-run-cilium
 
-    mkdir -p /etc/sysconfig/
-    sed "s|CILIUM_IMAGE[^[:space:]]*$|CILIUM_IMAGE=${CILIUM_IMAGE}|" contrib/systemd/cilium > /etc/sysconfig/cilium
+    sudo mkdir -p /etc/sysconfig/
+    sed -e "s|CILIUM_IMAGE[^[:space:]]*$|CILIUM_IMAGE=${CILIUM_IMAGE}|" -e "s|HOME=/home/vagrant|HOME=/home/${VMUSER}|" contrib/systemd/cilium | sudo tee /etc/sysconfig/cilium
 
-    cp -f contrib/systemd/*.* /etc/systemd/system/
+    sudo cp -f contrib/systemd/*.* /etc/systemd/system/
     # Use dockerized Cilium with runtime tests
-    cp -f contrib/systemd/cilium.service-with-docker /etc/systemd/system/cilium.service
+    sudo cp -f contrib/systemd/cilium.service-with-docker /etc/systemd/system/cilium.service
     # Do not run cilium-operator with runtime tests, as it fails to connect to k8s api-server
-    rm -f /etc/systemd/system/cilium-operator.service
+    sudo rm -f /etc/systemd/system/cilium-operator.service
 
-    services=$(cd /etc/systemd/system; ls -1 cilium*.service sys-fs-bpf.mount)
+    services_pattern="cilium*.service"
+    if ! mount | grep /sys/fs/bpf; then
+	services_pattern+=" sys-fs-bpf.mount"
+    fi
+    services=$(cd /etc/systemd/system; ls -1 ${services_pattern})
     for service in ${services}; do
         echo "installing service $service"
-        systemctl enable $service || echo "service $service failed"
-        systemctl restart $service || echo "service $service failed to restart"
+        sudo systemctl enable $service || echo "service $service failed"
+        sudo systemctl restart $service || echo "service $service failed to restart"
     done
 
     echo "running \"sudo adduser ${VMUSER} cilium\" "
@@ -149,5 +153,7 @@ else
     sudo adduser ${VMUSER} cilium
 
     # Download all images needed for runtime tests.
-    ./test/provision/container-images.sh test_images test/helpers
+    if [ -z "${SKIP_TEST_IMAGE_DOWNLOAD}" ]; then
+	./test/provision/container-images.sh test_images test/helpers
+    fi
 fi