Sync with upstream v0.8.7 #36
Signed-off-by: Onur Filiz <ofiliz@users.noreply.github.com>
loopback: Fix ipv6 address checks
Signed-off-by: Bruce Ma <brucema19901024@gmail.com>
Signed-off-by: Bruce Ma <brucema19901024@gmail.com>
Signed-off-by: Bruce Ma <brucema19901024@gmail.com>
pkg/ip: use type cast instead of untrusty error message
ptp: remove some redundant lines
pkg/utils: sysctl package should use black-box testing
In case pciBusID contains pci address of the virtio device, then lookup the net directory under virtio<id> directory.
Issue: containernetworking/plugins#320
Signed-off-by: Periyasamy Palanisamy <periyasamy.palanisamy@est.tech>
Make host-device to work with virtio net device
Signed-off-by: Bruce Ma <brucema19901024@gmail.com>
Add Michael Cambria per containernetworking/cni#751
Remove Stefan Junker per personal request
Update Casey's email to @redhat.com
Signed-off-by: Dan Williams <dcbw@redhat.com>
owners: updates for maintainer changes
The current ns package code is very careful about not leaving the calling thread with the overridden namespace set, for example when origns.Set() fails. This is achieved by starting a new green thread, locking its OS thread, and never unlocking it, which makes the golang runtime scrap the OS thread backing the green thread after the goroutine exits.
While this works, it's probably not as optimal: stopping and starting a new OS thread is expensive and may be avoided if we unlock the thread after resetting network namespace to the original. On the other hand, if resetting fails, it's better to leave the thread locked and die.
While it won't work in all cases, we can still make an attempt to reuse the OS thread when resetting the namespace succeeds. This can be achieved by unlocking the thread conditionally on the namespace reset success.
Signed-off-by: Ihar Hrachyshka <ihrachys@redhat.com>
Unlock OS thread after netns is restored
Signed-off-by: root <timyinshi>
Signed-off-by: Bruce Ma <brucema19901024@gmail.com>
Signed-off-by: Bruce Ma <brucema19901024@gmail.com>
replace juju/errors because of CNCF license scan
Signed-off-by: ahenan <ahenan00@gmail.com>
fix #463
link host veth pair to bridge, the initial state of port is BR_STATE_DISABLED and changes to BR_STATE_FORWARDING async.
Signed-off-by: honglichang <honglichang@tencent.com>
Reset the route flag before moving the rule
check bridge's port state
If the plugin receives portMappings in runtimeConfig, the plugin will add a NAT policy for each port mapping on the generated endpoints. It enables HostPort usage on Windows with win-bridge.
Signed-off-by: Vincent Boulineau <vincent.boulineau@datadoghq.com>
* Add support for `deviceID` runtime config attribute
Signed-off-by: Adrian Chiris <adrianc@mellanox.com>
The DNAT hairpin rule only allows the container itself to access the ports it is exposing thru the host IP. Other containers in the same subnet might also want to access this service via the host IP, so apply this rule to the whole subnet instead of just for the container.
This is particularly useful with setups using a reverse proxy for https. With such a setup connections between containers (for ex. oauth2) have to downgrade to http, or need complex dns setup to make use of the internal IP of the reverse proxy. On the other hand going thru the host IP is easy as that is probably what the service name already resolves to.
Signed-off-by: Alban Bedel <albeu@free.fr>
--
v2: Fixed the tests
v3: Updated iptables rules documentation in README.md
v4: Fixed the network addresses in README.md to match iptables output
win-bridge: add support for portMappings capability
portmap: Apply the DNAT hairpin to the whole subnet
A /64 mask was used which routed an entire cidr based on source, not only the bound address.
Fixes #478
Signed-off-by: Lars Ekman <lars.g.ekman@est.tech>
plugins/meta/sbr: Adjusted ipv6 address mask to /128
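The effect of the mask width described in the sbr commit above, as an added Go example that is not the plugin's own code: `ruleSource` and `matched` are hypothetical helpers and the addresses are constructed from the IPv6 documentation prefix. It derives the rule's source selector once with the interface prefix kept and once with a host-length mask, then lists which source addresses each selector captures.

```go
package main

import (
	"fmt"
	"net"
)

// ruleSource returns the source selector for a source-based routing rule.
// hostOnly=false keeps the interface prefix length (the over-broad case the
// commit describes); hostOnly=true narrows it to the single bound address
// (/32 for IPv4, /128 for IPv6). Hypothetical helper, not the sbr plugin API.
func ruleSource(bound *net.IPNet, hostOnly bool) *net.IPNet {
	ip, bits := bound.IP, 8*net.IPv6len
	if v4 := ip.To4(); v4 != nil {
		ip, bits = v4, 8*net.IPv4len
	}
	ones, _ := bound.Mask.Size()
	if hostOnly {
		ones = bits
	}
	mask := net.CIDRMask(ones, bits)
	return &net.IPNet{IP: ip.Mask(mask), Mask: mask}
}

// matched lists which candidate source addresses the rule would select.
func matched(rule *net.IPNet, candidates []string) []string {
	var out []string
	for _, c := range candidates {
		if ip := net.ParseIP(c); ip != nil && rule.Contains(ip) {
			out = append(out, c)
		}
	}
	return out
}

func main() {
	// Constructed sample: the bound address, a neighbour in the same /64, and an outsider.
	ip, ipnet, err := net.ParseCIDR("2001:db8:1::5/64")
	if err != nil {
		panic(err)
	}
	bound := &net.IPNet{IP: ip, Mask: ipnet.Mask}
	sources := []string{"2001:db8:1::5", "2001:db8:1::99", "2001:db8:2::5"}
	for _, hostOnly := range []bool{false, true} {
		rule := ruleSource(bound, hostOnly)
		fmt.Printf("rule from %s matches %v\n", rule, matched(rule, sources))
	}
}
```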
firewall: fix generate of admin chain comment
If the runtime is not passing portMappings in the runtimeConfig, then DEL is a noop. This solves performance issues, when the portmap plugin is executed multiple times, holding the iptables lock, even though it does not have anything to delete.
Signed-off-by: Antonio Ojea <aojea@redhat.com>
Document `CNI-ADMIN` chain usage as well as `iptablesAdminChainName`
Signed-off-by: Sameer Vohra <vohra.sam@gmail.com>
portmap should not perform deletions if not portMapping config received
Signed-off-by: Bruce Ma <brucema19901024@gmail.com>
firewall: fix some typos in docs
Signed-off-by: Sameer Vohra <vohra.sam@gmail.com>
Update firewall README.md
Signed-off-by: Bryan Boreham <bjboreham@gmail.com>
Add contact info
Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Dan Williams <dcbw@redhat.com>
{ "code": 4, "msg": "interface name contains / or : or whitespace characters" }
Signed-off-by: Dan Williams <dcbw@redhat.com>
Bump Go version to 1.13 and 1.14
In GetCurrentNS, if there is a context-switch between getCurrentThreadNetNSPath and GetNS, another goroutine may execute in the original thread and change its network namespace, then the original goroutine would get the updated network namespace, which could lead to unexpected behavior, especially when GetCurrentNS is used to get the host network namespace in netNS.Do.
The added test has a chance to reproduce it with "-count=50".
The patch fixes it by locking the thread in GetCurrentNS.
Signed-off-by: Quan Tian <qtian@vmware.com>
Fix race condition in GetCurrentNS
flannel: remove net conf file after DEL succeed
/retest
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dougbtv, squeed The full list of commands accepted by this bot can be found here. The pull request process is described here
/test e2e-aws
/retest Please review the full test history for this PR and help us cut down flakes.
Synchronizes with Upstream CNI plugins v0.8.7