Support device exclusion in --devices #40152

liuyuan10 · 2025-06-21T22:04:39Z

Supports reverse selection in --devices flag with '!'

!excluded-prefix+: exclude devices with prefix "excluded-prefix"
!excluded: exclude the device named "excluded"

Supports device exclusion in --devices flag

pkg/datapath/tables/device.go

pkg/datapath/linux/testdata/device-detection-reverse.txtar

joamaki · 2025-07-01T11:51:55Z

Please rebase (fixes the K8s Network E2E tests flake) and fix the typo:

  Error: pkg/datapath/linux/devices_controller.go:71:373: `criterias` is a misspelling of `criteria` (misspell)
  	flags.StringSlice(option.Devices, []string{}, "List of devices facing cluster/external network (used for BPF NodePort, BPF masquerading and host firewall); supports '+' as wildcard in device name, e.g. 'eth+'; support '!' to exclude devices, e.g. '!eth+' excludes any device with prefix 'eth'. Note '!' says nothing about which ones to include. A device must match other criterias to be selected; The filters are matched in order and whatever matched first wins.")

Then this is good to go!

liuyuan10 · 2025-07-01T17:06:58Z

Please rebase (fixes the K8s Network E2E tests flake) and fix the typo:

  Error: pkg/datapath/linux/devices_controller.go:71:373: `criterias` is a misspelling of `criteria` (misspell)
  	flags.StringSlice(option.Devices, []string{}, "List of devices facing cluster/external network (used for BPF NodePort, BPF masquerading and host firewall); supports '+' as wildcard in device name, e.g. 'eth+'; support '!' to exclude devices, e.g. '!eth+' excludes any device with prefix 'eth'. Note '!' says nothing about which ones to include. A device must match other criterias to be selected; The filters are matched in order and whatever matched first wins.")

Then this is good to go!

Done. Thanks

liuyuan10 · 2025-07-07T18:48:09Z

Is this change ready to merge? Please let me know if anything is missing

dylandreimerink · 2025-07-14T07:42:52Z

/test

tommyp1ckles · 2025-07-23T15:34:06Z

https://github.com/cilium/cilium/actions/runs/16261006442/job/45906168035 Looks like some CI config issue, branch potentially needs a rebase @liuyuan10

joestringer · 2025-07-23T15:38:47Z

Is this change ready to merge?

From a review perspective it looks good, I think the test results were just inconclusive. As Tom mentions, a rebase should likely help. We can retrigger the tests after and steer this in.

liuyuan10 · 2025-07-23T17:22:55Z

just rebased

joestringer · 2025-07-23T17:56:11Z

/test

liuyuan10 · 2025-07-23T19:19:29Z

some are failing. any specific test failure that I should take a look?

joestringer · 2025-07-23T19:25:57Z

@liuyuan10 All required tests must pass before merging the PR. I would suggest investigating each test, check whether the symptoms have been reported before under the "Issues" tab, and make a comment in the following form:

* clustermesh run `<here>` hit `<issue>`
* multi-pool run `<here>` hit a new issue, investigation below.
* ...

<investigation>

If you can't find an existing issue, that could either be due to the PR introducing the change, in which case you'd need to investigate further, or it could be a new failure that others didn't notice yet.

jrife · 2025-07-23T21:05:45Z

@joestringer At a glance, the failures look very similar to those I summarized here and here. The biggest culprit is #40682.

liuyuan10 · 2025-07-23T22:54:03Z

Cilium Cluster Mesh upgrade run hit #39370
Conformance Cluster Mesh run hit #40682
Conformance IPsec E2E run hit #40682

@joestringer for "Conformance Kind Envoy Embedded" and "Conformance Multi Pool IPAM", I dont' find open issues. could you trigger the test again to see if it's flakes?

jrife · 2025-07-24T18:59:34Z

@liuyuan10 Rebase your changes. #40691 was merged today and should help stabilize some of the CI failures you are seeing. I can retrigger the CI tests if you do not have permissions to do so.

Supports reverse selection in --devices flag with '!' !excluded-prefix+: exclude devices with prefix "excluded-prefix" !excluded: exclude the device named "excluded" Signed-off-by: Yuan Liu <liuyuan@google.com>

liuyuan10 · 2025-07-24T19:26:06Z

/test

jrife · 2025-07-24T19:28:30Z

/test

liuyuan10 · 2025-07-24T19:32:18Z

@jrife rebased. but my "/test" is not making any process.

jrife · 2025-07-24T19:34:02Z

@liuyuan10 It looks like CI tests are running after my trigger.

liuyuan10 · 2025-07-24T22:25:43Z

@joestringer all tests have passed except Conformance Ginkgo. it was passing before so this is for sure a flake

joestringer · 2025-07-25T16:03:44Z

@liuyuan10 would you mind triaging the failure and linking the corresponding issue?

bowei · 2025-07-25T17:54:10Z

Yuan -- can you dig into the Gingko failure a bit?

bowei · 2025-07-25T18:15:09Z

FWIW -- it looks like this is the failure:

• Failure [47.088 seconds]
K8sDatapathServicesTest
/home/runner/work/cilium/cilium/test/ginkgo-ext/scopes.go:461
  Checks E/W loadbalancing (ClusterIP, NodePort from inside cluster, etc)
  /home/runner/work/cilium/cilium/test/ginkgo-ext/scopes.go:461
    Checks in-cluster KPR
    /home/runner/work/cilium/cilium/test/ginkgo-ext/scopes.go:461
      with L7 policy
      /home/runner/work/cilium/cilium/test/ginkgo-ext/scopes.go:461
        Tests NodePort with L7 Policy [It]
        /home/runner/work/cilium/cilium/test/ginkgo-ext/scopes.go:515

        Request from kind-control-plane to service tftp://10.96.126.207:10069/hello failed
        Expected command: kubectl exec -n kube-system log-gatherer-29kwm -- /usr/bin/env bash -c 'fails=""; id=$RANDOM; for i in $(seq 1 10); do if curl -k --path-as-is -s -D /dev/stderr --fail --connect-timeout 5 --max-time 20 tftp://10.96.126.207:10069/hello -H "User-Agent: cilium-test-$id/$i"; then echo "Test round $id/$i exit code: $?"; else fails=$fails:$id/$i=$?; fi; done; if [ -n "$fails" ]; then echo "failed: $fails"; fi; cnt="${fails//[^:]}"; if [ ${#cnt} -gt 0 ]; then exit 42; fi' 
        To succeed, but it failed:
        Exitcode: 42 
        Err: exit status 42

@joestringer -- maybe for my edification -- what is the usual procedure for a test flake? Are people supposed to file an issue to track if it there isn't a corresponding issue already? I searched https://github.com/cilium/cilium/issues?q=is%3Aissue%20state%3Aopen%20test%20flake%20label%3Aci%2Fflake and there doesn't seem to be a corresponding issue for this.

jrife · 2025-07-25T18:25:07Z

@bowei This looks similar to #25467 but is a different test case. There's #21055 which matches this test case, but not the same failure. Looks like it might be worth creating a new CI issue to track this?

liuyuan10 · 2025-07-25T18:35:59Z

Conformance Ginkgo (ci-ginkgo) run hit a new issue, investigation below.

failed with error

• Failure [47.088 seconds]
K8sDatapathServicesTest
/home/runner/work/cilium/cilium/test/ginkgo-ext/scopes.go:461
  Checks E/W loadbalancing (ClusterIP, NodePort from inside cluster, etc)
  /home/runner/work/cilium/cilium/test/ginkgo-ext/scopes.go:461
    Checks in-cluster KPR
    /home/runner/work/cilium/cilium/test/ginkgo-ext/scopes.go:461
      with L7 policy
      /home/runner/work/cilium/cilium/test/ginkgo-ext/scopes.go:461
        Tests NodePort with L7 Policy [It]
        /home/runner/work/cilium/cilium/test/ginkgo-ext/scopes.go:515

        Request from kind-control-plane to service tftp://10.96.126.207:10069/hello failed
        Expected command: kubectl exec -n kube-system log-gatherer-29kwm -- /usr/bin/env bash -c 'fails=""; id=$RANDOM; for i in $(seq 1 10); do if curl -k --path-as-is -s -D /dev/stderr --fail --connect-timeout 5 --max-time 20 tftp://10.96.126.207:10069/hello -H "User-Agent: cilium-test-$id/$i"; then echo "Test round $id/$i exit code: $?"; else fails=$fails:$id/$i=$?; fi; done; if [ -n "$fails" ]; then echo "failed: $fails"; fi; cnt="${fails//[^:]}"; if [ ${#cnt} -gt 0 ]; then exit 42; fi' 
        To succeed, but it failed:
        Exitcode: 42 
        Err: exit status 42
        Stdout:
         	 
        	 Hostname: testds-45rvm
        	 
        	 Request Information:
        	 	client_address=10.0.0.183
        	 	client_port=33456
        	 	real path=/hello
        	 	request_scheme=tftp
        	 
        	 Test round 5733/1 exit code: 0
        	 
        	 Hostname: testds-4qh4x
        	 
        	 Request Information:
        	 	client_address=10.0.0.183
        	 	client_port=55083
        	 	real path=/hello
        	 	request_scheme=tftp
        	 
        	 Test round 5733/3 exit code: 0
        	 
        	 Hostname: testds-45rvm
        	 
        	 Request Information:
        	 	client_address=10.0.0.183
        	 	client_port=55570
        	 	real path=/hello
        	 	request_scheme=tftp
        	 
        	 Test round 5733/4 exit code: 0
        	 
        	 Hostname: testds-45rvm
        	 
        	 Request Information:
        	 	client_address=10.0.0.183
        	 	client_port=56408
        	 	real path=/hello
        	 	request_scheme=tftp
        	 
        	 Test round 5733/5 exit code: 0
        	 
        	 Hostname: testds-45rvm
        	 
        	 Request Information:
        	 	client_address=10.0.0.183
        	 	client_port=41282
        	 	real path=/hello
        	 	request_scheme=tftp
        	 
        	 Test round 5733/6 exit code: 0
        	 
        	 Hostname: testds-45rvm
        	 
        	 Request Information:
        	 	client_address=10.0.0.183
        	 	client_port=32796
        	 	real path=/hello
        	 	request_scheme=tftp
        	 
        	 Test round 5733/7 exit code: 0
        	 
        	 Hostname: testds-45rvm
        	 
        	 Request Information:
        	 	client_address=10.0.0.183
        	 	client_port=50080
        	 	real path=/hello
        	 	request_scheme=tftp
        	 
        	 Test round 5733/8 exit code: 0
        	 
        	 Hostname: testds-45rvm
        	 
        	 Request Information:
        	 	client_address=10.0.0.183
        	 	client_port=60410
        	 	real path=/hello
        	 	request_scheme=tftp
        	 
        	 Test round 5733/9 exit code: 0
        	 
        	 Hostname: testds-4qh4x
        	 
        	 Request Information:
        	 	client_address=10.0.0.183
        	 	client_port=35349
        	 	real path=/hello
        	 	request_scheme=tftp
        	 
        	 Test round 5733/10 exit code: 0
        	 failed: :5733/2=71
        	 
        Stderr:
         	 command terminated with exit code 42

Created #40724

joestringer · 2025-07-25T19:17:30Z

@bowei the procedure is outlined here: https://docs.cilium.io/en/stable/contributing/testing/ci/#ci-failure-triage

joestringer · 2025-07-25T19:26:36Z

Thanks for filing that. I think Jordan mentioned there was another similar symptom reported maybe in a slightly different test in the past couple of days, so there might be a regression in the tree around this.

From my understanding, the above test is basically saying "When connecting to a NodePort via L7 policy , despite ~10 repeated retries, I was unable to establish a connection to the target service".

I've retriggered the CI job to see if the failure reproduces on this PR or not.

liuyuan10 · 2025-07-25T19:40:31Z

Thanks. all the tests are now passing

liuyuan10 requested a review from a team as a code owner June 21, 2025 22:04

liuyuan10 requested a review from gentoo-root June 21, 2025 22:04

maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jun 21, 2025

github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Jun 21, 2025

liuyuan10 force-pushed the devicereg branch from 2dbab83 to b9ca75f Compare June 21, 2025 22:14

liuyuan10 mentioned this pull request Jun 21, 2025

Adds a new --device-prefixes-to-exclude flag to Cilium agent #40048

Closed

liuyuan10 force-pushed the devicereg branch from b9ca75f to 8a545cd Compare June 21, 2025 22:15

joamaki reviewed Jun 24, 2025

View reviewed changes

pkg/datapath/tables/device.go Show resolved Hide resolved

gentoo-root approved these changes Jun 24, 2025

View reviewed changes

pkg/datapath/tables/device.go Outdated Show resolved Hide resolved

pkg/datapath/linux/testdata/device-detection-reverse.txtar Show resolved Hide resolved

liuyuan10 force-pushed the devicereg branch from 8a545cd to 25f5cd2 Compare June 24, 2025 18:53

aanm added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. dont-merge/wait-until-release Freeze window for current release is blocking non-bugfix PRs labels Jun 25, 2025

maintainer-s-little-helper bot removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Jun 25, 2025

aanm enabled auto-merge June 25, 2025 09:00

aanm disabled auto-merge June 25, 2025 09:00

liuyuan10 force-pushed the devicereg branch from 25f5cd2 to 42caed3 Compare June 30, 2025 19:54

joamaki approved these changes Jul 1, 2025

View reviewed changes

liuyuan10 force-pushed the devicereg branch from 42caed3 to f92be5a Compare July 1, 2025 17:06

joestringer removed the dont-merge/wait-until-release Freeze window for current release is blocking non-bugfix PRs label Jul 1, 2025

liuyuan10 force-pushed the devicereg branch from f92be5a to c70305f Compare July 7, 2025 18:47

joestringer enabled auto-merge July 23, 2025 15:30

auto-merge was automatically disabled July 23, 2025 17:22
Head branch was pushed to by a user without write access

liuyuan10 force-pushed the devicereg branch from c70305f to 0ccc291 Compare July 23, 2025 17:22

Support device exclusion in --devices

80daf47

Supports reverse selection in --devices flag with '!' !excluded-prefix+: exclude devices with prefix "excluded-prefix" !excluded: exclude the device named "excluded" Signed-off-by: Yuan Liu <liuyuan@google.com>

liuyuan10 force-pushed the devicereg branch from 0ccc291 to 80daf47 Compare July 24, 2025 19:25

joestringer mentioned this pull request Jul 25, 2025

CI: K8sDatapathServicesTest Checks E/W loadbalancing (ClusterIP, NodePort from inside cluster, etc) Checks in-cluster KPR with L7 policy [It] Tests NodePort with L7 Policy #40724

Open

maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jul 25, 2025

joestringer added this pull request to the merge queue Jul 25, 2025

Merged via the queue into cilium:main with commit 31748fc Jul 25, 2025
68 checks passed

Support device exclusion in --devices #40152

Support device exclusion in --devices #40152

Uh oh!

Conversation

liuyuan10 commented Jun 21, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

joamaki commented Jul 1, 2025

Uh oh!

liuyuan10 commented Jul 1, 2025

Uh oh!

liuyuan10 commented Jul 7, 2025

Uh oh!

dylandreimerink commented Jul 14, 2025

Uh oh!

tommyp1ckles commented Jul 23, 2025

Uh oh!

joestringer commented Jul 23, 2025

Uh oh!

liuyuan10 commented Jul 23, 2025

Uh oh!

joestringer commented Jul 23, 2025

Uh oh!

liuyuan10 commented Jul 23, 2025

Uh oh!

joestringer commented Jul 23, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jrife commented Jul 23, 2025

Uh oh!

liuyuan10 commented Jul 23, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jrife commented Jul 24, 2025

Uh oh!

liuyuan10 commented Jul 24, 2025

Uh oh!

jrife commented Jul 24, 2025

Uh oh!

liuyuan10 commented Jul 24, 2025

Uh oh!

jrife commented Jul 24, 2025

Uh oh!

liuyuan10 commented Jul 24, 2025

Uh oh!

joestringer commented Jul 25, 2025

Uh oh!

bowei commented Jul 25, 2025

Uh oh!

bowei commented Jul 25, 2025

Uh oh!

jrife commented Jul 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

liuyuan10 commented Jul 25, 2025

Uh oh!

joestringer commented Jul 25, 2025

Uh oh!

joestringer commented Jul 25, 2025

Uh oh!

liuyuan10 commented Jul 25, 2025

Uh oh!

Uh oh!

Uh oh!

joestringer commented Jul 23, 2025 •

edited

Loading

liuyuan10 commented Jul 23, 2025 •

edited

Loading

jrife commented Jul 25, 2025 •

edited

Loading