/test

/test

/test

@tsotne95, since you also reproduced #38998, could you retest in your environment with this patch as well? It would be useful to repro with your methodology and see if this patch resolves the issues you saw. It's possible there are some other weird issues resulting from transient errors in the regeneration path.

I commented on issue

@tommyp1ckles @derailed Could you take a look at this when you get a chance? This fix addresses an issue which is currently a 1.18 release blocker, though the issue actually exists in 1.17 as well.

Thanks for the excellent PR description. I'm reading through it, to make sure I understand all the implications. I haven't dropped it on the floor, I promise :-)

Rather than trying to back-fill e.realizedPolicy(), what about setting e.forcePolicyCompute = true when reverting policy? Would that have the desired effect?

@squeed Thanks for taking a look!

Rather than trying to back-fill e.realizedPolicy(), what about setting e.forcePolicyCompute = true when reverting policy? Would that have the desired effect?

Isn't the intent of the revert to go back to a map state that was "good" instead of leaving it in some weird intermediate state? If so, I'm not sure that e.forcePolicyCompute really accomplishes the same thing. Actually, if we're referring to this block:

defer func(p *policy.EndpointPolicy) {
	e.desiredPolicy = p
}(e.desiredPolicy)

I didn't want to force policy recomputation for fear that it would be unnecessarily expensive if we get stuck in some loop where this condition keeps occurring. After all, e.desiredPolicy should be perfectly fine and there's no real reason to recompute it on the next go around; it's just the BPF map state that needs to be synchronized.

Isn't the intent of the revert to go back to a map state that was "good"

@jrife yah, fair enough. Some of the code special-cases e.realizedPolicy.Empty() == true for handling the before-first-regeneration state. But, clearly, not consistently. Plus, there's no guarantee that e.realizedPolicy.Empty() won't be true in the future (e.g. policy disabled).

That said, I'm not super concerned about a few extra policy computations. I'd rather do correctness first, then skip calculations when we understand all possible cases. This bug is a clear example of that :-). In particular, the conditions in runPreCompilationSteps() deciding whether or not to regenerate policy are probably incorrect.

The fact that this code touches e.desiredPolicy at all seems strange to me and seems driven by the fact that syncPolicyMapWith does its synchronization against e.desiredPolicy.

These are great questions. Which has me wondering: do we even need e.desiredPolicy? Obviously that would be a refactor, not a bugfix, but it would make the state management so much clearer.

One more question. In your (excellent) timeline, there are the steps

<reattempt regeneration>
22: e.regenerate(...)
23:     revision, err := e.regenerateBPF(...)
            e.runPreCompilationSteps(regenContext)
	        e.regeneratePolicy(...)
		    ...
		    selectorPolicy, ... = e.policyRepo.GetSelectorPolicy(...)
		    <no-op, since selectorPolicy == nil>

why is selectorPolicy nil here?

why is selectorPolicy nil here?

I believe I was referring to this condition:

GetSelectorPolicy returns nil in the timeline, since we already advanced e.nextPolicyRevision in the first attempt.

@jrife did you have a short writeup of the CI triage you performed? It'd be helpful to understand which issues the PR is facing.

It depends on what you mean by writeup. I tried to link the CI failures I saw with some known issues above. The latest failure with ci-clustermesh looks the same as the failure I saw earlier in ci-eks:

check-log-errors/no-errors-in-logs:pkg/endpoint:kind-cluster2-16478452662/kube-system/cilium-r5jtl (cilium-agent): Found 1 logs in kind-cluster2-16478452662/kube-system/cilium-r5jtl (cilium-agent) matching list of errors that must be investigated:
time=2025-07-23T18:13:22.859972997Z level=warn source=/go/src/github.com/cilium/cilium/pkg/endpoint/endpoint.go:1785 msg="Unable to fetch kubernetes labels" desiredPolicyRevision=1 ciliumEndpointName=kube-system/coredns-f89dfbcc7-sp4r7 endpointID=3762 containerID=182d4fe81b containerInterface="" datapathPolicyRevision=1 ipv6=fd00:10:244:1::695b identity=5 k8sPodName=kube-system/coredns-f89dfbcc7-sp4r7 ipv4=10.244.1.31 subsys=resolve-labels error="pod.core \"coredns-f89dfbcc7-sp4r7\" not found" (30 occurrences)

There's a warning coming out of this block at some point in the logs:

I see this which seems like the same thing: #40682

@jrife Ah sorry I think I just didn't parse the comments very well. When I saw all the re-run comments and looked earlier in the PR, I just didn't identify the information from the posts above. The most obvious format to understand this would be a comment in the following form:

• ci-eks run <here> hit <issue>
• clustermesh run <here> hit <issue>
• gateway-api run <here> hit <issue>
• ipsec-e2e run <here> hit <issue>

Now that we've re-run I can see that the same tests are failing again. At least as of yesterday, I was aware that the clustermesh test was somewhat unreliable, but I wasn't aware of the failures for these other branches.

Looking over the failures again, I'm wondering if the tree further destabilized over the past day or two. At a glance the failures aren't obviously related to the PR, but that's often the case whether they are related or not; that's the downside with relying so much on e2e tests 😢 .

Here's the general trend from the CI dashboard for main branch over the past week, but the failure rates only seem to increase proportionately to the number of tests that are run:

In this screenshot I've filtered main branch for the last week for only scheduled/regular builds. Top graph shows a fairly consistent green bar (total runs) and no obvious trend for orange bars (total failures). Trailing end on right hand side is just the latest 6h data is not yet triggered or not scraped yet.

@jrife as for your most recent report, I agree those look similar and given Marcel's update / investigation in the thread, that particular failure case was likely introduced into the tree recently.

The most obvious format to understand this would be a comment in the following form:

@joestringer Sure, I can organize things a bit more in a single comment. I'll go back through the failures and link to those that match existing CI flake issues. I think all of them look like reported issues, but I'll admit that I can't be 100% sure that this change isn't related. I don't see any obvious reasons why this PR should increase the failure rate, but I have been surprised by seemingly benign changes before :).

@joestringer I wonder if it would be worth opening another PR at the same base commit without the changes in this PR just to get a better baseline?

@jrife I was just thinking about the same thing. CI will skip some jobs if it seems like the PR doesn't touch those tests, so based on the .github/ariane-config.yaml we'd probably want to add some line to some code file, even a comment should do the trick.

I was just glancing through some of the other recent PRs on main also, but that's not providing much signal. ci-clustermesh is definitely unreliable due to #39764. You pointed out the other labels one which Marcel was investigating, so it seems likely that was introduced recently. Not sure about the others.

@joestringer I was thinking of just commenting out the existing code, so I imagine the same checks would run? Not sure how smart the test filtering is...

Just summarizing the latest batch of failures. Looks like a lot are due to #40682

Failure Summary

ci-clustermesh

• Run hit Endpoint restoration/regeneration of completed job stuck in infinite loop (error="retrieving device lxc*: Link not found") #39370

ci-e2e-upgrade

• Run looks similar to CI: Cilium E2E Upgrade (ci-e2e-upgrade) - seq-egress-gateway-multigateway: command terminated with exit code 28 #40659

ci-clustermesh

• Run hit CI: check-log-errors/ - subsys=resolve-labels pod.core "[...]" not found when --enable-k8s-host-firewall-bypass=true #40682

ci-eks

• Run hit CI: check-log-errors/ - subsys=resolve-labels pod.core "[...]" not found when --enable-k8s-host-firewall-bypass=true #40682

ci-ipsec-e2e

• Run looks similar to CI: Cilium IPsec upgrade (ci-ipsec-upgrade) - "No mapping for NAT masquerade" #38481

ci-clustermesh
Run hit #40682

This one looks like #39370 instead (error="retrieving device lxc2772fac915a8: Link not found"). The other assessments look accurate though yeah.

@joestringer Looks like both of those are present in that run. I updated the comment to list them both. FWIW I also saw these both in the ci-clustermesh run over in my dummy PR.

@jrife I don't see "subsys=resolve-labels" in that run the run linked in my last post. Are you sure?

@jrife I don't see "subsys=resolve-labels" in that run the run linked in my last post. Are you sure?

You're right. I just saw "not found" there and thought it was the same.

time=2025-07-23T18:22:21.072492528Z level=error source=/go/src/github.com/cilium/cilium/pkg/endpointmanager/endpointsynchronizer.go:309 msg="Cannot update CEP" containerInterface=eth0 identity=33752 k8sPodName=kube-system/clustermesh-apiserver-6f5c4d98cb-kqc4r endpointID=2551 ciliumEndpointName=kube-system/clustermesh-apiserver-6f5c4d98cb-kqc4r datapathPolicyRevision=0 ipv6=fd00:10:242:2::e996 desiredPolicyRevision=2 ipv4=10.242.2.126 containerID=23c2fbbd38 subsys=endpointsynchronizer controller="sync-to-k8s-ciliumendpoint (2551)" error="ciliumendpoints.cilium.io "clustermesh-apiserver-6f5c4d98cb-kqc4r" not found"

It's coming from a different place in the code than #40682

/test

@jrife thanks for helping to dig into the root causes of those issues affecting the tree! Merging now.

@jrife Oh, what happened between commit e03ca9e until the final version committed here f052828 ? I thought the intent was to move away from the defer approach. Was that intentional?

@jrife Oh, what happened between commit e03ca9e until the final version committed here f052828 ? I thought the intent was to move away from the defer approach. Was that intentional?

Nope, mistake on my part. I did the rebase earlier against an older version of this branch -_-. I'll go ahead and create a new PR.