Update vishvananda/netlink

[foyerunix]

Hello,

Fixes: #30744

When queried for the routes of an unknow IP family the kernel return the routes for all IP families.
This end up returning the IPv4 routes when IPv6 is disabled at boot time. Therefore calling DeleteRouteTable with family = AF_INET6 will delete IPv4 routes too, breaking the DNS proxy.

I didn't include all the new code from the library yet as the contribution guide state that:

If the PR is considerably large (e.g. with more than 200 lines changed and/or more than 6 commits), consider whether there is a good way to split the PR into smaller PRs that can be merged more incrementally.

Unfortunately I don't see how to split the whole library update into smaller chunks. I also can't guarantee that the updated library code, if included fully, won't cause any regression. Therefore I prefer to run the CI with my changes only first.

Fix DNS proxy regression from Cilium 1.15 on IPv4 only nodes

Best Regards,

[maintainer-s-little-helper]

Commit 84473ba does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[sayboras]

I misclicked the update branch button, which adds one merge commit for main branch. I did a force push to your remote branch to rectify it, additionally, we can merge 2 commits into one.

[sayboras]

/test

[sayboras]

/test

[sayboras]

This change in vendor looks good to me, but no harm to have another check from others who involve in triaging the mentioned issue.

[rgo3]

I've been triggering CI here from time to time over the last two weeks but also can't really pinpoint a clear area that's breaking or deduce a simple reproducer. But its definitely multiple tests that keep failing, not just upgrade/downgrade tests. Potentially you could try to bisect the commits between current commit that cilium pulls from the netlink library and your latest fix. Happy to keep running CI with the revisions we need to test. Once we have a commit in the library that breaks cilium, it hopefully will be easier to locate why that change breaks so many tests.

[rgo3]

I think vishvananda/netlink@916f968 is the commit in the netlink lib that is causing the troubles for this PR. At least bisecting lead me to that commit. Can't really say what exactly the problematic part is that causes the issues in CI, but the code added to catch EAGAIN and retry seems problematic regardless for cilium as that creates a busy loop. Will update this PR if I make any further progress with debugging.

[georglauterbach]

Thank you very much @rgo3! ❤️

[julianwiedmann]

Note that if we want to unblock this sooner, one option is to switch over to our https://github.com/cilium/netlink fork again and revert the offending patch there.

[julianwiedmann]

@julianwiedmann what's the state on this? #30744 is a serious blocker - as of now, you cannot use the DNS proxy on an IPv4-only cluster. Running the proxy on an IPv4-only cluster is, I guess, rather common (for those that do not want nor need IPv6).

If IPv4-only is a common environment that folks care about, then I think it would be great to reflect this via contributions towards #30327. Otherwise we'll most likely continue to break it once in a while 🤷.

[georglauterbach]

If IPv4-only is a common environment that folks care about, then I think it would be great to reflect this via contributions towards #30327. Otherwise we'll most likely continue to break it once in a while 🤷.

I understand, fair point. Sadly, I have neither the time nor the Go experience to do that :( Hopefully someone can tackle this :)

[foyerunix]

Hello,

Someone reverted the offending commit in the netlink library: vishvananda/netlink#976

I just rebased the branch and updated the library to the latest version.

@julianwiedmann let's CI this please ! 🙂

Best Regards.

[julianwiedmann]

/test

[julianwiedmann]

Looks much better :).

The ci-e2e-upgrade is a known flake, so just the go module thing that needs sorting out. Over to sig/vendor.

[sayboras]

Thanks for your contribution and endless effort to drive this one through.

[sayboras]

Can you help to re-run go mod tidy and go mod vendor to sync up vendor dir?

$ git status            
On branch update-vishvananda-netlink
Changes not staged for commit:
  (use "git add/rm <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        deleted:    vendor/github.com/vishvananda/netlink/cmd/ipset-test/main.go

[foyerunix]

Hello,

I think the issue should be solved. Not being a Go developer myself, I didn't know the existence of go mod vendor, therefore I tried to do the process manually.

Best Regards.

[sayboras]

/test