{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":299601833,"defaultBranch":"master","name":"cilium","ownerLogin":"ti-mo","currentUserCanPush":false,"isFork":true,"isEmpty":false,"createdAt":"2020-09-29T11:54:11.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/3214460?v=4","public":true,"private":false,"isOrgOwned":false},"refInfo":{"name":"","listCacheKey":"v0:1718797359.0","currentOid":""},"activityList":{"items":[{"before":"e2b0d9f4af9e4fd74cee7172f44f0b61163b0360","after":"96636865d86555b504f370bfd0eab442a3bfacb6","ref":"refs/heads/tb/there-is-no-datapath","pushedAt":"2024-07-24T15:11:13.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"loader: refactor loadDatapath into bpf.LoadAndAssign\n\nThis commit removes what's left of loader.loadDatapath and moves it into the\nbpf package, where it is pulled further apart and refactored into taking a\nMap and Program receiver object. This automates away checking for Map and Program\nobjects in a Collection and adds a layer of runtime safety around it. 
Previously,\ntrying to access missing Maps or programs would panic.\n\nLoadAndAssign remains the primary entry point for loader invocations from the\nvarious subsystems (xdp, lxc, host, network, overlay) and retains its logging\nbehaviour and verifier error handling.\n\nLoader behaviour remains largely unchanged.\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"loader: refactor loadDatapath into bpf.LoadAndAssign"}},{"before":"2c5d85e6d1b7ead1e025000cc90da0e34efae2c7","after":"7143cffbf687d3eb5e0fa6e64fdf66750d7c6d75","ref":"refs/heads/tb/v1.13-wait-hostdp","pushedAt":"2024-07-01T08:58:20.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"lmb","name":"Lorenz Bauer","path":"/lmb","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/368392?s=80&v=4"},"commit":{"message":"pkg/endpoint: make state synchronization atomic (partial backport)\n\n[ upstream commit acf3141f35 ]\n[ backporter's notes: only needed a single line from this patch, the rest\n was not compatible ]\n\nBPF regeneration writes state into a new temporary directory. Once it\nhas succeeded we need to swap the old and new directory. This is currently\nachieved by \"backing up\" the current state by renaming the directory.\nThis code has a bunch of corner cases around cleaning up old directories\nand so on which are necessary since the synchronization isn't truly\natomic.\n\nInstead, use the RENAME_EXCHANGE flag to atomically exchange the two\nexisting directories. 
Also use hard links to retain existing state\nso that killing the agent during a synchronization doesn't lead\nto corruption.\n\nSigned-off-by: Lorenz Bauer \nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"pkg/endpoint: make state synchronization atomic (partial backport)"}},{"before":"f8a07fe718977be508cbd21526dfcc1d6e879af2","after":"2c5d85e6d1b7ead1e025000cc90da0e34efae2c7","ref":"refs/heads/tb/v1.13-wait-hostdp","pushedAt":"2024-06-24T09:46:26.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"pkg/endpoint: make state synchronization atomic (partial backport)\n\n[ upstream commit acf3141f35 ]\n[ backporter's notes: only needed a single line from this patch, the rest\n was not compatible ]\n\nBPF regeneration writes state into a new temporary directory. Once it\nhas succeeded we need to swap the old and new directory. This is currently\nachieved by \"backing up\" the current state by renaming the directory.\nThis code has a bunch of corner cases around cleaning up old directories\nand so on which are necessary since the synchronization isn't truly\natomic.\n\nInstead, use the RENAME_EXCHANGE flag to atomically exchange the two\nexisting directories. 
Also use hard links to retain existing state\nso that killing the agent during a synchronization doesn't lead\nto corruption.\n\nSigned-off-by: Lorenz Bauer \nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"pkg/endpoint: make state synchronization atomic (partial backport)"}},{"before":null,"after":"f8a07fe718977be508cbd21526dfcc1d6e879af2","ref":"refs/heads/tb/v1.13-wait-hostdp","pushedAt":"2024-06-19T11:42:39.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"pkg/endpoint: make state synchronization atomic (partial backport)\n\n[ upstream commit acf3141f35 ]\n[ backporter's notes: only needed a single line from this patch, the rest\n was not compatible ]\n\nBPF regeneration writes state into a new temporary directory. Once it\nhas succeeded we need to swap the old and new directory. This is currently\nachieved by \"backing up\" the current state by renaming the directory.\nThis code has a bunch of corner cases around cleaning up old directories\nand so on which are necessary since the synchronization isn't truly\natomic.\n\nInstead, use the RENAME_EXCHANGE flag to atomically exchange the two\nexisting directories. 
Also use hard links to retain existing state\nso that killing the agent during a synchronization doesn't lead\nto corruption.\n\nSigned-off-by: Lorenz Bauer \nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"pkg/endpoint: make state synchronization atomic (partial backport)"}},{"before":"0a3ca087107bfee4c36454d6d94c094f016ddd62","after":"e2b0d9f4af9e4fd74cee7172f44f0b61163b0360","ref":"refs/heads/tb/there-is-no-datapath","pushedAt":"2024-06-17T14:09:04.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"loader: refactor loadDatapath into bpf.LoadAndAssign\n\nThis commit removes what's left of loader.loadDatapath and moves it into the\nbpf package, where it is pulled further apart and refactored into taking a\nMap and Program receiver object. This automates away checking for Map and Program\nobjects in a Collection and adds a layer of runtime safety around it. 
Previously,\ntrying to access missing Maps or programs would panic.\n\nLoadAndAssign remains the primary entry point for loader invocations from the\nvarious subsystems (xdp, lxc, host, network, overlay) and retains its logging\nbehaviour and verifier error handling.\n\nLoader behaviour remains largely unchanged.\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"loader: refactor loadDatapath into bpf.LoadAndAssign"}},{"before":"0406da07b7e6ea5a46cd8ac70dd033e4dc48fac5","after":"0a3ca087107bfee4c36454d6d94c094f016ddd62","ref":"refs/heads/tb/there-is-no-datapath","pushedAt":"2024-06-17T14:04:58.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"loader: refactor loadDatapath into bpf.LoadAndAssign\n\nThis commit removes what's left of loader.loadDatapath and moves it into the\nbpf package, where it is pulled further apart and refactored into taking a\nMap and Program receiver object. This automates away checking for Map and Program\nobjects in a Collection and adds a layer of runtime safety around it. 
Previously,\ntrying to access missing Maps or programs would panic.\n\nLoadAndAssign remains the primary entry point for loader invocations from the\nvarious subsystems (xdp, lxc, host, network, overlay) and retains its logging\nbehaviour and verifier error handling.\n\nLoader behaviour remains largely unchanged.\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"loader: refactor loadDatapath into bpf.LoadAndAssign"}},{"before":"20b2759d5ac9f46ba81c9895ec3985c465be1c6a","after":"0406da07b7e6ea5a46cd8ac70dd033e4dc48fac5","ref":"refs/heads/tb/there-is-no-datapath","pushedAt":"2024-06-17T13:02:13.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"loader: refactor loadDatapath into bpf.LoadAndAssign\n\nThis commit removes what's left of loader.loadDatapath and moves it into the\nbpf package, where it is pulled further apart and refactored into taking a\nMap and Program receiver object. This automates away checking for Map and Program\nobjects in a Collection and adds a layer of runtime safety around it. 
Previously,\ntrying to access missing Maps or programs would panic.\n\nLoadAndAssign remains the primary entry point for loader invocations from the\nvarious subsystems (xdp, lxc, host, network, overlay) and retains its logging\nbehaviour and verifier error handling.\n\nLoader behaviour remains largely unchanged.\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"loader: refactor loadDatapath into bpf.LoadAndAssign"}},{"before":"28b37d89c5f2534ec75dcd408f39fddbf2f01baf","after":"20b2759d5ac9f46ba81c9895ec3985c465be1c6a","ref":"refs/heads/tb/there-is-no-datapath","pushedAt":"2024-06-17T13:01:33.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"loader: refactor loadDatapath into bpf.LoadAndAssign\n\nThis commit removes what's left of loader.loadDatapath and moves it into the\nbpf package, where it is pulled further apart and refactored into taking a\nMap and Program receiver object. This automates away checking for Map and Program\nobjects in a Collection and adds a layer of runtime safety around it. 
Previously,\ntrying to access missing Maps or programs would panic.\n\nLoadAndAssign remains the primary entry point for loader invocations from the\nvarious subsystems (xdp, lxc, host, network, overlay) and retains its logging\nbehaviour and verifier error handling.\n\nLoader behaviour remains largely unchanged.\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"loader: refactor loadDatapath into bpf.LoadAndAssign"}},{"before":"7953e00b530006765c0d6d5de9c05fb01638ad0e","after":"28b37d89c5f2534ec75dcd408f39fddbf2f01baf","ref":"refs/heads/tb/there-is-no-datapath","pushedAt":"2024-06-14T14:30:17.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"loader: refactor loadDatapath into bpf.LoadAndAssign\n\nThis commit removes what's left of loader.loadDatapath and moves it into the\nbpf package, where it is pulled further apart and refactored into taking a\nMap and Program receiver object. This automates away checking for Map and Program\nobjects in a Collection and adds a layer of runtime safety around it. 
Previously,\ntrying to access missing Maps or programs would panic.\n\nLoadAndAssign remains the primary entry point for loader invocations from the\nvarious subsystems (xdp, lxc, host, network, overlay) and retains its logging\nbehaviour and verifier error handling.\n\nLoader behaviour remains largely unchanged.\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"loader: refactor loadDatapath into bpf.LoadAndAssign"}},{"before":null,"after":"7953e00b530006765c0d6d5de9c05fb01638ad0e","ref":"refs/heads/tb/there-is-no-datapath","pushedAt":"2024-06-14T14:23:42.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"loader: refactor loadDatapath into bpf.LoadAndAssign\n\nThis commit removes what's left of loader.loadDatapath and moves it into the\nbpf package, where it is pulled further apart and refactored into taking a\nMap and Program receiver object. This automates away checking for Map and Program\nobjects in a Collection and adds a layer of runtime safety around it. 
Previously,\ntrying to access missing Maps or programs would panic.\n\nLoadAndAssign remains the primary entry point for loader invocations from the\nvarious subsystems (xdp, lxc, host, network, overlay) and retains its logging\nbehaviour and verifier error handling.\n\nLoader behaviour remains largely unchanged.\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"loader: refactor loadDatapath into bpf.LoadAndAssign"}},{"before":"c0b9b7c18a2544f3803713d7f10bc39c109dd1e3","after":null,"ref":"refs/heads/tb/map-pin-replace","pushedAt":"2024-06-13T14:05:05.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"}},{"before":"6236b449dbe081209a43fa673c8efa87c316094a","after":"c0b9b7c18a2544f3803713d7f10bc39c109dd1e3","ref":"refs/heads/tb/map-pin-replace","pushedAt":"2024-06-13T09:32:28.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"bpf: introduce CILIUM_PIN_REPLACE map pinning flag\n\nThis commit adds support for the custom CILIUM_PIN_REPLACE pinning flag.\nIt signals to the loader that a map should be pinned without being reused\nin subsequent ELF loads.\n\nThis replaces bespoke cilium_calls_-specific logic in the loader with a\ngeneric map flag, opening it up for other use cases as well. The reasons\nfor this behaviour are widely documented and present in the code for\nposterity.\n\nAlso, give each netdev its own instance of cilium_calls. 
Sharing a tail call\nmap across all XDP entry points causes multiple netdevs' programs to clobber\nthe shared cilium_calls_xdp bpffs pin.\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"bpf: introduce CILIUM_PIN_REPLACE map pinning flag"}},{"before":"74d2c491a1e112b9b4a50c6b76c4db6b08c0776e","after":"6236b449dbe081209a43fa673c8efa87c316094a","ref":"refs/heads/tb/map-pin-replace","pushedAt":"2024-06-13T09:31:54.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"bpf: introduce CILIUM_PIN_REPLACE map pinning flag\n\nThis commit adds support for the custom CILIUM_PIN_REPLACE pinning flag.\nIt signals to the loader that a map should be pinned without being reused\nin subsequent ELF loads.\n\nThis replaces bespoke cilium_calls_-specific logic in the loader with a\ngeneric map flag, opening it up for other use cases as well. The reasons\nfor this behaviour are widely documented and present in the code for\nposterity.\n\nAlso, give each netdev its own instance of cilium_calls. 
Sharing a tail call\nmap across all XDP entry points causes multiple netdevs' programs to clobber\nthe shared cilium_calls_xdp bpffs pin.\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"bpf: introduce CILIUM_PIN_REPLACE map pinning flag"}},{"before":"8da624764bc3f0cbc96342cb5aa8b1bc4886d7f9","after":"74d2c491a1e112b9b4a50c6b76c4db6b08c0776e","ref":"refs/heads/tb/map-pin-replace","pushedAt":"2024-06-13T08:14:36.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"what's going on here\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"what's going on here"}},{"before":"f4bbf927b489a50dcece06a0538efbda93b7daa6","after":"8da624764bc3f0cbc96342cb5aa8b1bc4886d7f9","ref":"refs/heads/tb/map-pin-replace","pushedAt":"2024-06-12T13:12:59.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"bpf: introduce CILIUM_PIN_REPLACE map pinning flag\n\nThis commit adds support for the custom CILIUM_PIN_REPLACE pinning flag.\nIt signals to the loader that a map should be pinned without being reused\nin subsequent ELF loads.\n\nThis replaces bespoke cilium_calls_-specific logic in the loader with a\ngeneric map flag, opening it up for other use cases as well. The reasons\nfor this behaviour are widely documented and present in the code for\nposterity.\n\nAlso, give each netdev its own instance of cilium_calls. 
Sharing a tail call\nmap across all XDP entry points causes multiple netdevs' programs to clobber\nthe shared cilium_calls_xdp bpffs pin.\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"bpf: introduce CILIUM_PIN_REPLACE map pinning flag"}},{"before":"002f19597d0b6fcbb04346e560156c3aa7c98140","after":"f4bbf927b489a50dcece06a0538efbda93b7daa6","ref":"refs/heads/tb/map-pin-replace","pushedAt":"2024-06-12T13:12:50.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"bpf: introduce CILIUM_PIN_REPLACE map pinning flag\n\nThis commit adds support for the custom CILIUM_PIN_REPLACE pinning flag.\nIt signals to the loader that a map should be pinned without being reused\nin subsequent ELF loads.\n\nThis replaces bespoke cilium_calls_-specific logic in the loader with a\ngeneric map flag, opening it up for other use cases as well. The reasons\nfor this behaviour are widely documented and present in the code for\nposterity.\n\nAlso, give each netdev its own instance of cilium_calls. 
Sharing a tail call\nmap across all XDP entry points causes multiple netdevs' programs to clobber\nthe shared cilium_calls_xdp bpffs pin.\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"bpf: introduce CILIUM_PIN_REPLACE map pinning flag"}},{"before":"aadfe1b03ff6be9f92c3c99781e9decf16e53830","after":"002f19597d0b6fcbb04346e560156c3aa7c98140","ref":"refs/heads/tb/map-pin-replace","pushedAt":"2024-06-11T16:18:36.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"bpf: introduce CILIUM_PIN_REPLACE map pinning flag\n\nThis commit adds support for the custom CILIUM_PIN_REPLACE pinning flag.\nIt signals to the loader that a map should be pinned without being reused\nin subsequent ELF loads.\n\nThis replaces bespoke cilium_calls_-specific logic in the loader with a\ngeneric map flag, opening it up for other use cases as well. The reasons\nfor this behaviour are widely documented and present in the code for\nposterity.\n\nAlso, give each netdev its own instance of cilium_calls. Sharing a tail call\nmap across all XDP entry points causes multiple netdevs' programs to clobber\nthe shared cilium_calls_xdp bpffs pin.\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"bpf: introduce CILIUM_PIN_REPLACE map pinning flag"}},{"before":"9277ae8775979f7ca2b55843bba80d7d7861cc79","after":"aadfe1b03ff6be9f92c3c99781e9decf16e53830","ref":"refs/heads/tb/map-pin-replace","pushedAt":"2024-06-11T16:03:58.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"loader: per-interface cilium_xdp_calls\n\nSharing a tail call map across all XDP entry points causes multiple netdevs'\nprograms to clobber the shared cilium_calls_xdp bpffs pin. 
Give each netdev\nits own instance of cilium_calls.\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"loader: per-interface cilium_xdp_calls"}},{"before":null,"after":"9277ae8775979f7ca2b55843bba80d7d7861cc79","ref":"refs/heads/tb/map-pin-replace","pushedAt":"2024-06-11T15:21:45.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"loader: per-interface cilium_xdp_calls\n\nSharing a tail call map across all XDP entry points causes multiple netdevs'\nprograms to clobber the shared cilium_calls_xdp bpffs pin. Give each netdev\nits own instance of cilium_calls.\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"loader: per-interface cilium_xdp_calls"}},{"before":"1188eda4d23f14e6dfdfcf256af2e706126305bb","after":null,"ref":"refs/heads/tb/replacedatapath-remove-attach","pushedAt":"2024-05-22T13:43:45.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"}},{"before":"ae7ea76830677dd0e54dbe76e71ebd902401a6fc","after":"1188eda4d23f14e6dfdfcf256af2e706126305bb","ref":"refs/heads/tb/replacedatapath-remove-attach","pushedAt":"2024-05-22T12:02:54.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"loader: remove ctx from uncancellable functions\n\nLoading bpf objects used to be done by iproute2, where propagating ctx to the\nexec.Cmd invocations made sense, since realistically any shellout can hang for\narbitrary reasons.\n\nNow the loader is fully hosted in the agent process, this no longer makes sense.\nOnce we're blocked in a bpf() syscall, e.g. 
for loading a program, the verifier\ncan be interrupted by sending a signal to the calling thread. Since the Go runtime\nroutinely sends these signals under normal operation, ebpf-go will retry a few\ntimes when bpf() returns EINTR. The API currently doesn't expose a way to cancel\nprogram loading/verification, and there's no clear benefit to doing so in the first\nplace.\n\nVerification is relatively lightweight compared to datapath compilation, so\ninterrupting it during teardown is of questionable benefit. The agent doesn't expect\nit to be interruptible, it's bound to leave endpoints in an undefined state.\n\nThis commit introduces the assumption that, once endpoint loading/attachment is\nkicked off (after compilation), it cannot be cancelled. This is reflected in the\ninterface exposed to the rest of the system, by removing the ctx parameter on many\nmethods. Only compilation can be interrupted, since it can take a long time on some\nsystems, especially lower-spec.\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"loader: remove ctx from uncancellable functions"}},{"before":"cf8ba699c75cc007b024f1e2d79dc82d0d410d32","after":"ae7ea76830677dd0e54dbe76e71ebd902401a6fc","ref":"refs/heads/tb/replacedatapath-remove-attach","pushedAt":"2024-05-17T14:09:36.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"loader: remove ctx from uncancellable functions\n\nLoading bpf objects used to be done by iproute2, where propagating ctx to the\nexec.Cmd invocations made sense, since realistically any shellout can hang for\narbitrary reasons.\n\nNow the loader is fully hosted in the agent process, this no longer makes sense.\nOnce we're blocked in a bpf() syscall, e.g. for loading a program, the verifier\ncan be interrupted by sending a signal to the calling thread. 
Since the Go runtime\nroutinely sends these signals under normal operation, ebpf-go will retry a few\ntimes when bpf() returns EINTR. The API currently doesn't expose a way to cancel\nprogram loading/verification, and there's no clear benefit to doing so in the first\nplace.\n\nVerification is relatively lightweight compared to datapath compilation, so\ninterrupting it during teardown is of questionable benefit. The agent doesn't expect\nit to be interruptible, it's bound to leave endpoints in an undefined state.\n\nThis commit introduces the assumption that, once endpoint loading/attachment is\nkicked off (after compilation), it cannot be cancelled. This is reflected in the\ninterface exposed to the rest of the system, by removing the ctx parameter on many\nmethods. Only compilation can be interrupted, since it can take a long time on some\nsystems, especially lower-spec.\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"loader: remove ctx from uncancellable functions"}},{"before":"a6673b1d33add8564c1f309213eeb19d3232c69e","after":"cf8ba699c75cc007b024f1e2d79dc82d0d410d32","ref":"refs/heads/tb/replacedatapath-remove-attach","pushedAt":"2024-05-16T18:36:44.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"loader: remove ctx from uncancellable functions\n\nLoading bpf objects used to be done by iproute2, where propagating ctx to the\nexec.Cmd invocations made sense, since realistically any shellout can hang for\narbitrary reasons.\n\nNow the loader is fully hosted in the agent process, this no longer makes sense.\nOnce we're blocked in a bpf() syscall, e.g. for loading a program, the verifier\ncan be interrupted by sending a signal to the calling thread. Since the Go runtime\nroutinely sends these signals under normal operation, ebpf-go will retry a few\ntimes when bpf() returns EINTR. 
The API currently doesn't expose a way to cancel\nprogram loading/verification, and there's no clear benefit to doing so in the first\nplace.\n\nVerification is relatively lightweight compared to datapath compilation, so\ninterrupting it during teardown is of questionable benefit. The agent doesn't expect\nit to be interruptible, it's bound to leave endpoints in an undefined state.\n\nThis commit introduces the assumption that, once endpoint loading/attachment is\nkicked off (after compilation), it cannot be cancelled. This is reflected in the\ninterface exposed to the rest of the system, by removing the ctx parameter on many\nmethods. Only compilation can be interrupted, since it can take a long time on some\nsystems, especially lower-spec.\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"loader: remove ctx from uncancellable functions"}},{"before":"38d44d41db2612455ec4a5ea85e2932e884a506a","after":"a6673b1d33add8564c1f309213eeb19d3232c69e","ref":"refs/heads/tb/replacedatapath-remove-attach","pushedAt":"2024-05-15T13:50:04.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"loader: remove ctx from uncancellable functions\n\nLoading bpf objects used to be done by iproute2, where propagating ctx to the\nexec.Cmd invocations made sense, since realistically any shellout can hang for\narbitrary reasons.\n\nNow the loader is fully hosted in the agent process, this no longer makes sense.\nOnce we're blocked in a bpf() syscall, e.g. for loading a program, the verifier\ncan be interrupted by sending a signal to the calling thread. Since the Go runtime\nroutinely sends these signals under normal operation, ebpf-go will retry a few\ntimes when bpf() returns EINTR. 
The API currently doesn't expose a way to cancel\nprogram loading/verification, and there's no clear benefit to doing so in the first\nplace.\n\nVerification is relatively lightweight compared to datapath compilation, so\ninterrupting it during teardown is of questionable benefit. The agent doesn't expect\nit to be interruptible, it's bound to leave endpoints in an undefined state.\n\nThis commit introduces the assumption that, once endpoint loading/attachment is\nkicked off (after compilation), it cannot be cancelled. This is reflected in the\ninterface exposed to the rest of the system, by removing the ctx parameter on many\nmethods. Only compilation can be interrupted, since it can take a long time on some\nsystems, especially lower-spec.\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"loader: remove ctx from uncancellable functions"}},{"before":"c636496d624d9c84622f0e7fcb03e1c6542bf630","after":"38d44d41db2612455ec4a5ea85e2932e884a506a","ref":"refs/heads/tb/replacedatapath-remove-attach","pushedAt":"2024-05-14T08:12:40.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"loader: remove ctx from uncancellable functions\n\nLoading bpf objects used to be done by iproute2, where propagating ctx to the\nexec.Cmd invocations made sense, since realistically any shellout can hang for\narbitrary reasons.\n\nNow the loader is fully hosted in the agent process, this no longer makes sense.\nOnce we're blocked in a bpf() syscall, e.g. for loading a program, the verifier\ncan be interrupted by sending a signal to the calling thread. Since the Go runtime\nroutinely sends these signals under normal operation, ebpf-go will retry a few\ntimes when bpf() returns EINTR. 
The API currently doesn't expose a way to cancel\nprogram loading/verification, and there's no clear benefit to doing so in the first\nplace.\n\nVerification is relatively lightweight compared to datapath compilation, so\ninterrupting it during teardown is of questionable benefit. The agent doesn't expect\nit to be interruptible, it's bound to leave endpoints in an undefined state.\n\nThis commit introduces the assumption that, once endpoint loading/attachment is\nkicked off (after compilation), it cannot be cancelled. This is reflected in the\ninterface exposed to the rest of the system, by removing the ctx parameter on many\nmethods. Only compilation can be interrupted, since it can take a long time on some\nsystems, especially lower-spec.\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"loader: remove ctx from uncancellable functions"}},{"before":null,"after":"c636496d624d9c84622f0e7fcb03e1c6542bf630","ref":"refs/heads/tb/replacedatapath-remove-attach","pushedAt":"2024-05-13T15:08:50.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"loader: move device attachment out of replaceDatapath, rename to loadDatapath\n\nThis unblocks cilium/cilium#29333. See cilium/cilium#32468 for more context.\n\nThis commit refactors replaceDatapath() to loadDatapath() by factoring device attachment\nout of the function into the caller. The main reasons are flexibility and transparency.\nreplaceDatapath() was called from many places and needed to do a lot. This change is the\nfirst step to handing individual callers an object representing actual bpf object handles,\nso they can correctly manage its lifecycle. 
In the future, ebpf.LoadAndAssign will be used\nfor better readability.\n\nSome callers attach the same program to multiple interfaces, some attach multiple programs\n(ingress/egress) to the same interface, and some use a mixture of both. This has caused\nloops to creep into replaceDatapath, giving it many arguments and many overall\nresponsibilities, making it hard to form intuition around.\n\nMajor changes made in this commit:\n- lifted attach{SKB,XDP}Program out of the function, into all callers, making them\n call attach* methods explicitly\n- removed `replaceDatapathOptions`\n- reduced the window a potential 'rollback' can happen in (see code comments) due to the\n risks involved, and it never being correct to begin with.\n- removed a few points where context cancellations are obeyed, to be continued in a\n subsequent commit\n\nFixes: #32468\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"loader: move device attachment out of replaceDatapath, rename to load…"}},{"before":null,"after":"9918818bd9e256547aedd8e9baa429d3c3e9f70b","ref":"refs/heads/tb/remove-migrate-map","pushedAt":"2024-05-10T11:59:15.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"[WIP] bpf: remove map migrations\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"[WIP] bpf: remove map migrations"}},{"before":"6d80a756db0ffaabed9152afc369a9fdd2b84e34","after":null,"ref":"refs/heads/tb/define-endpoint-teardown","pushedAt":"2024-04-30T11:12:19.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo 
Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"}},{"before":"7da33fd1ee14b5cb55728b6315a4c113819ae854","after":"6d80a756db0ffaabed9152afc369a9fdd2b84e34","ref":"refs/heads/tb/define-endpoint-teardown","pushedAt":"2024-04-29T14:21:12.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"},"commit":{"message":"datapath,endpoint: explicitly remove TC filters during endpoint teardown\n\nPrior to this commit, we left it up to the kernel to clean up tc attachments\nwhen the CNI finally removes the veth when a Pod goes away. This leaves a window\nof time where an endpoint's tc programs can potentially be invoked after\nthe endpoint's internal tail call maps have already been cleared and the\nendpoint has been removed from the endpoint map and ipcache, resulting in\nundefined behaviour.\n\nThis patch clearly defines the endpoint teardown sequence as follows:\n- remove (endpoint) routes\n- set the interface down\n- detach tc(x) hooks\n- remove endpoint from endpoint map\n- remove endpoint policy program(s)\n- delete conntrack map pins\n- remove policy prog array map pin\n- remove internal tail call map pin\n- remove custom calls map pin\n\nThis puts the agent more in control of the teardown sequence and will allow us\nto reason better about failures related to missed tail calls and other flakes.\n\nSigned-off-by: Timo Beckers ","shortMessageHtmlLink":"datapath,endpoint: explicitly remove TC filters during endpoint teardown"}},{"before":"7f4da9ee2449e71f8a5faf37e9ab836be1a3eb95","after":null,"ref":"refs/heads/tb/seamless-tcx-downgrade","pushedAt":"2024-04-29T13:06:26.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"ti-mo","name":"Timo 
Beckers","path":"/ti-mo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3214460?s=80&v=4"}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAEiBaSDQA","startCursor":null,"endCursor":null}},"title":"Activity · ti-mo/cilium"}