v1.7 backports 2020-02-26 #10354
[ upstream commit 5a48582 ] "pathStr" is a pointer to a memory location which we want to protect. Previously we were protecting a location which stores the pointer instead. Fixes: 9f492a1 ("bpf: Protect each uintptr with runtime.KeepAlive") Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Joe Stringer <joe@cilium.io>
[ upstream commit a2980e2 ] When launching the tests with -cilium.provision=true on an already running VM, it fails with the following error: fatal: destination path 'k-bpftool' already exists and is not an empty directory. This commit fixes it by detecting if the bpftool fork's repository already exists and avoiding trying to re-clone it. Fixes: c4b6095 ("ci: Install bpftool from Cilium fork of the kernel") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io>
[ upstream commit 9d8114f ] The PR cilium/cilium-sysdump/pull/76 has renamed the cluster-diagnosis tool to cilium-sysdump and simplified it. Adjust the documentation accordingly. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io>
[ upstream commit a7e642c ] Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Joe Stringer <joe@cilium.io>
…cilium [ upstream commit 4c40755 ] Recently Istio PODs have been lingering in terminating state long after deletion. It appears that kubelet on k8s2-1.17 is not happy that istio-system namespace has been deleted. Deletion of the namespace usually automatically deletes all the PODs in it. It may also be that the termination fails to complete since the Cilium DS is being deleted right after the istio-system namespace is deleted. k8s2 kubelet[3338]: W0225 ... 3338 status_manager.go:546] Failed to update status for pod "istio-citadel-7859cc956c-74474_istio-system(9a0a2875-076b-4670-a9b4-13f92f6c7240)": failed to patch status "... \"state\":{\"terminated\":{\"exitCode\":0,\"finishedAt\":null,\"startedAt\":null}}" for pod "istio-system"/"istio-citadel-7859cc956c-74474": namespaces "istio-system" not found Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Joe Stringer <joe@cilium.io>
[ upstream commit 7559f13 ] The commit 112dcb8 has removed the nodeinit code to put the Azure bridge into transparent mode. While this worked for all routing operations, it broke proxy redirection. Partially undo 112dcb8 and simplify the AKS guide. Fixes: 112dcb8 ("doc: Fix AKS installation guide") Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io>
[ upstream commit f0d65d6 ] We redid how remote clusters are handled and watched in f28f6cd (PR #10185) but did not connect to the events channel used to update selectors. We now re-use the main allocator's events channel as the remote clusters are treated as child allocators and only accessed through the primary. fixes f28f6cd Signed-off-by: Ray Bejjani <ray@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io>
[ upstream commit 68858fc ] In non-tunneled datapath modes a missing xt_socket module breaks proxy redirection traffic. xt_socket is needed due to interaction between kernel's ip early demux logic and an explicit drop for skbs with a socket set in ip_forward(). If xt_socket is not available we can work around this problem by disabling ip early demux. Add a cilium configuration option 'enable-xt-socket-fallback' which is 'true' by default, meaning that cilium-agent is allowed to disable ip early demux if needed. This new option can be set to false to retain the current behavior (== ip early demux is not disabled, but Cilium policy enforcement may not function correctly in all datapath modes with L7 enforcement or visibility. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Joe Stringer <joe@cilium.io>
[ upstream commit cec34b1 ] Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Joe Stringer <joe@cilium.io>
[ upstream commit b36e167 ] We manage only ARP entries, which is IPV4-only, so it doesn't make sense to do it if IPv4 is disabled. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Joe Stringer <joe@cilium.io>
[ upstream commit 6c06c51 ] When IPsec or NodePort is enabled, we add a permanent ARP entry (remote node IP => remote node MAC addr) upon receiving a NodeUpdate event. The entry is needed to facilitate calls to fib_lookup() from the datapath. Up until now, the permanent entry was not removed when the remote node was deleted. This could lead to a problem, when a packet destined to a new node which reused the IP addr of the deleted node was dropped due to the wrong MAC addr until NodeUpdate event for the new node had been received. This commit fixes the problem by removing obsolete ARP entries. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Joe Stringer <joe@cilium.io>
[ upstream commit ee5a6e7 ] Helm cannot distinguish between empty and false value, so previously used if-statement prevented from disabling the fallback when "--set global.enableXTSocketFallback=false" was set. Fixes: 68858fc ("iptables: Add a fallback to missing xt_socket module.") Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Joe Stringer <joe@cilium.io>
[ upstream commit 7a24487 ] Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Joe Stringer <joe@cilium.io>
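The empty-versus-false pitfall named in upstream commit ee5a6e7, as an added example that is not the chart's or the project's own code. Helm renders charts with Go's `text/template`, so the sketch uses that package directly; the two template strings, the flat values map and the local `hasKey` helper (standing in for the Sprig function Helm provides) are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// hasKey is a local stand-in for the Sprig function of the same name that
// Helm exposes to charts; the standard library has no equivalent.
func hasKey(m map[string]interface{}, k string) bool {
	_, ok := m[k]
	return ok
}

// Constructed templates, not the chart's text.
// truthy: an unset key and an explicit false both fail the test.
const truthy = `{{ if .enableXTSocketFallback }}enable-xt-socket-fallback: "true"{{ end }}`

// explicit: test for presence, then emit whatever the operator set.
const explicit = `{{ if hasKey . "enableXTSocketFallback" }}enable-xt-socket-fallback: "{{ .enableXTSocketFallback }}"{{ end }}`

// render executes tpl against values and returns the rendered text.
func render(tpl string, values map[string]interface{}) string {
	funcs := template.FuncMap{"hasKey": hasKey}
	t := template.Must(template.New("cm").Funcs(funcs).Parse(tpl))
	var out bytes.Buffer
	if err := t.Execute(&out, values); err != nil {
		panic(err)
	}
	return out.String()
}

func main() {
	cases := []map[string]interface{}{
		{},                                // key unset
		{"enableXTSocketFallback": true},  // explicit true
		{"enableXTSocketFallback": false}, // explicit false
	}
	for _, v := range cases {
		fmt.Printf("values=%v\n  truthy:   %q\n  explicit: %q\n",
			v, render(truthy, v), render(explicit, v))
	}
}
```

With the truthiness test, an explicit `false` renders nothing, so the agent keeps its default of `true` and the operator's opt-out is silently dropped.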
haveIp6tables bool | ||
haveSocketMatch bool | ||
waitArgs []string | ||
haveIp6tables bool |
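Review bot: haveSocketMatch sits between haveIp6tables and waitArgs with no field comment saying what it records or what a false value means for callers. If it tracks availability of the xt_socket match that the fallback commit in this backport depends on, a one-line comment on the field stating that, and that false is the case in which ip early demux may be disabled, would let a reader of this struct see the security-relevant branch without tracing where the field is assigned.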
struct field haveIp6tables should be haveIP6tables
never-tell-me-the-odds
👍 for my changes.
👍 for my changes
LGTM for my changes.
Clean backport (no changes necessary)
Once this PR is merged, you can update the PR labels via: