[1.14] Downgrade XDP attachments from Cilium 1.15 #29104
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ti-mo
added
sig/loader
maintainer-s-little-helper
bot
added
the
kind/backports
|
/test-backport-1.14 |
[ upstream commit 0b488fb ] [ backporter's notes: had to pull in mustXDPProgram() from another commit ] This commit fixes a bug where Cilium expected the XDP mode flag to be carried in the netlink.LinkXdp.Flags field, while in reality the XDP mode is actually contained in the LinkXdp.AttachMode field. Also added a regression test. Signed-off-by: Robin Gögge <r.goegge@isovalent.com>
[ upstream commit 7a8e3c8 ] A follow-up commit will introduce attaching XDP programs using bpf_link. Those attachments cannot be overridden using netlink. If an older version of Cilium wants to replace an XDP program on a managed interface, it'll need to remove the bpf_link first. This commit teaches the agent to remove the (currently) only XDP entrypoint, cil_xdp_entry, before reattaching it using netlink. Note that this transition is never seamless, since some time passes between deleting the link and attaching the new program. Also note that this downgrade path should seldom be used. If Cilium is upgraded from a version with only netlink support, the new Cilium version will continue to use netlink. Only if a fresh node is deployed with a new Cilium version supporting bpf_link, then downgraded to one supporting only netlink, will the bpf_link need to be removed. For adding XDP bpf_link support, a per-device bpffs directory will be created to pin the device's links, maps, etc. Follow-up commits will put XDP bpf_links here. Subdirectories will be created for each device, for example: /sys/fs/bpf/cilium/devices/enp5s0/ Then, following the convention we're already using for cgroup links, another subdirectory will be created for links, followed by the entrypoint name: /sys/fs/bpf/cilium/devices/enp5s0/links/cil_xdp_entry Signed-off-by: Robin Gögge <r.goegge@isovalent.com> Co-authored-by: Timo Beckers <timo@isovalent.com>
ti-mo
force-pushed
the
tb/xdp-bpf-link-1.14
branch
from
12d754f
to
8bd018a
Compare
|
/test-backport-1.14 |
julianwiedmann
approved these changes
Nov 14, 2023
maintainer-s-little-helper
bot
added
the
ready-to-merge
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Cilium 1.15 will attach XDP programs using bpf_link on supported kernels by default. This patch ensures these attachments can be undone during downgrades so programs can be attached using netlink again.
Also fixes a bug in removing XDP attachments from unused devices.