Member

@kaworu kaworu commented Sep 14, 2021

Once this PR is merged, you can update the PR labels via:

$ for pr in 17275 17445 17338 17351 17168 17153 17381 17258 17143 17464; do contrib/backporting/set-labels.py $pr done 1.10; done

@kaworu kaworu requested a review from a team as a code owner September 14, 2021 14:33
@kaworu kaworu added backport/1.10 kind/backports This PR provides functionality previously merged into master. labels Sep 14, 2021
Member

@pchaigno pchaigno left a comment

  • #17338 -- fix(docs): bandwidth-manager install error (@withlin)
  • #17381 -- docs: Clarify exact requirements for the egress gateway (@pchaigno)

Those two look good to me.

Member

@tklauser tklauser left a comment

  • #17153 -- ethtool: use ioctl wrapper from golang.org/x/sys/unix (@tklauser)

This one LGTM.

@kaworu kaworu force-pushed the pr/v1.10-backport-2021-09-14 branch from cbd5482 to f4f2932 Compare September 16, 2021 11:43
@kaworu kaworu requested review from a team as code owners September 16, 2021 12:19
Contributor

@joamaki joamaki left a comment

test/runtime: Look into log errors after test start #17351

LGTM.

@kaworu
Member Author

kaworu commented Sep 16, 2021

@nbusseneau added #17143 to the backport to fix ConformanceKind1.19, please take a look.

@kaworu
Member Author

kaworu commented Sep 16, 2021

test-backport-1.10

Member

@nbusseneau nbusseneau left a comment

LGTM!

@maintainer-s-little-helper

Job 'Cilium-PR-K8s-GKE' failed and has not been observed before, so may be related to your PR:

Test Name

K8sDatapathConfig Host firewall With VXLAN

Failure Output

FAIL: Failed to reach 10.128.15.192:80 from testclient-22whw

If it is a flake, comment /mlh new-flake Cilium-PR-K8s-GKE so I can create a new GitHub issue to track it.

Contributor

@twpayne twpayne left a comment

LGTM for my changes

Member

@brb brb left a comment

My changes LGTM, thanks!

@kaworu
Member Author

kaworu commented Sep 23, 2021

gke-stable failed due to a DNS timeout

16:14:48      Failed to reach 10.128.15.192:80 from testclient-22whw
[2021-09-16T14:14:48.935Z]     Expected command: kubectl exec -n 202109161413k8sdatapathconfighostfirewallwithvxlan testclient-22whw -- curl --path-as-is -s -D /dev/stderr --fail --connect-timeout 5 --max-time 20 http://10.128.15.192:80/ -w "time-> DNS: '%{time_namelookup}(%{remote_ip})', Connect: '%{time_connect}',Transfer '%{time_starttransfer}', total '%{time_total}'" 
[2021-09-16T14:14:48.935Z]     To succeed, but it failed:
[2021-09-16T14:14:48.935Z]     Exitcode: 28 
[2021-09-16T14:14:48.935Z]     Err: exit status 28
[2021-09-16T14:14:48.935Z]     Stdout:
[2021-09-16T14:14:48.935Z]      	 time-> DNS: '0.000041()', Connect: '0.000000',Transfer '0.000000', total '5.000924'
[2021-09-16T14:14:48.935Z]     Stderr:
[2021-09-16T14:14:48.935Z]      	 command terminated with exit code 28
[2021-09-16T14:14:48.935Z]     	 
[2021-09-16T14:14:48.935Z]

k8s-1.16-kernel-netnext failed due to an istio timeout, but we should skip istio tests on k8s 1.16 (see #17445 for context).

18:30:03      Unable to apply /home/jenkins/workspace/Cilium-PR-K8s-1.16-net-next/src/github.com/cilium/cilium/test/k8sT/manifests/demo-customcalls.yaml
[2021-09-16T16:30:03.066Z]     Expected command: kubectl apply --force=false -f /home/jenkins/workspace/Cilium-PR-K8s-1.16-net-next/src/github.com/cilium/cilium/test/k8sT/manifests/demo-customcalls.yaml 
[2021-09-16T16:30:03.066Z]     To succeed, but it failed:
[2021-09-16T16:30:03.066Z]     Exitcode: 1 
[2021-09-16T16:30:03.066Z]     Err: exit status 1
[2021-09-16T16:30:03.066Z]     Stdout:
[2021-09-16T16:30:03.066Z]      	 serviceaccount/app1-account created
[2021-09-16T16:30:03.066Z]     	 serviceaccount/app2-account created
[2021-09-16T16:30:03.066Z]     	 service/app1-service created
[2021-09-16T16:30:03.066Z]     	 deployment.apps/app1 created
[2021-09-16T16:30:03.066Z]     	 deployment.apps/app2 created
[2021-09-16T16:30:03.066Z]     	 
[2021-09-16T16:30:03.066Z]     Stderr:
[2021-09-16T16:30:03.066Z]      	 Error from server (InternalError): error when creating "/home/jenkins/workspace/Cilium-PR-K8s-1.16-net-next/src/github.com/cilium/cilium/test/k8sT/manifests/demo-customcalls.yaml": Internal error occurred: failed calling webhook "namespace.sidecar-injector.istio.io": Post https://istiod.istio-system.svc:443/inject?timeout=10s: dial tcp 10.109.55.155:443: i/o timeout
[2021-09-16T16:30:03.066Z]     	 
[2021-09-16T16:30:03.066Z]

@kaworu kaworu force-pushed the pr/v1.10-backport-2021-09-14 branch from 777db48 to 3659cde Compare September 27, 2021 11:16
jrajahalme and others added 12 commits September 27, 2021 13:19
[ upstream commit 4c87394 ]

Update Cilium Istio integration to Istio release 1.10.4.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
[ upstream commit 3992048 ]

Istio 1.10 requires at least k8s version 1.17.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
…apache.org

[ upstream commit 712af8e ]

Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
[ upstream commit 38994b0 ]

When running runtime tests locally sometimes the tests fail as level=error
log entries are found that are the result of cilium-agent restarts during
provisioning.

This is similar to the fix done in cilium#14529.

Signed-off-by: Jussi Maki <jussi@isovalent.com>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
[ upstream commit d3ff998 ]

Previously, the BPF-based masquerading (--enable-bpf-masquerade=true)
was wrongly masquerading replies from a pod to an outside when the
outside had initiated a connection. This was possible when e.g., the
outside had a route to the pod cidr.

To fix this, we introduce a lightweight CT lookup function
ct_is_reply4() which checks whether a given flow is a reply. The lookup
function is called in snat_v4_needed().

As a side note, I've tried to move the port extraction to a separate
function, but unfortunately it hits complexity issues on the 4.19
kernel in the "K8sDatapathConfig AutoDirectNodeRoutes Check direct
connectivity with per endpoint routes" suite:

    BPF program is too large. Processed 131073 insn
    libbpf: failed to load program 'handle_to_container'
    libbpf: failed to load object '624_next/bpf_lxc.o'

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
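
The decision described in the commit message above, as an added user-space model (not Cilium's BPF code and not part of the original PR): a pod-to-outside packet is masqueraded only when it is not a reply to a connection the outside host initiated. The `model_*` names, the table layout, the pod CIDR and the addresses are all constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* User-space model only: names and layout are hypothetical, not Cilium's BPF code. */
struct tuple4 { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define POD_NET  IP4(10, 0, 0, 0)   /* constructed pod CIDR 10.0.0.0/16 */
#define POD_MASK 0xffff0000u

static struct tuple4 ct_table[16];  /* tracked flows, stored in their original direction */
static size_t ct_len;

/* A packet is a reply when its reversed tuple matches a tracked original direction. */
static bool model_ct_is_reply4(const struct tuple4 *p) {
    for (size_t i = 0; i < ct_len; i++) {
        const struct tuple4 *o = &ct_table[i];
        if (o->saddr == p->daddr && o->daddr == p->saddr && o->sport == p->dport &&
            o->dport == p->sport && o->proto == p->proto)
            return true;
    }
    return false;
}

/* Masquerade only pod-to-outside packets that start a flow, never replies. */
static bool model_snat_v4_needed(const struct tuple4 *p) {
    if ((p->saddr & POD_MASK) != POD_NET) return false; /* source is not a pod */
    if ((p->daddr & POD_MASK) == POD_NET) return false; /* pod-to-pod traffic */
    return !model_ct_is_reply4(p);
}

/* Outside host 192.0.2.10 connected to pod 10.0.1.5:80; the pod's reply keeps its address. */
bool demo_reply_to_outside_initiated(void) {
    struct tuple4 in = { IP4(192, 0, 2, 10), IP4(10, 0, 1, 5), 40000, 80, 6 };
    struct tuple4 reply = { in.daddr, in.saddr, in.dport, in.sport, in.proto };
    ct_len = 0;
    ct_table[ct_len++] = in;        /* connection tracked when the outside host opened it */
    return model_snat_v4_needed(&reply);
}

/* The pod opens a new connection to the outside host: this flow is masqueraded. */
bool demo_pod_initiated(void) {
    struct tuple4 out = { IP4(10, 0, 1, 5), IP4(192, 0, 2, 10), 51000, 443, 6 };
    ct_len = 0;
    return model_snat_v4_needed(&out);
}

int main(void) { return (!demo_reply_to_outside_initiated() && demo_pod_initiated()) ? 0 : 1; }
```

Without the reply check, the first case would rewrite the pod's source address and the outside host would see a reply from an address it never contacted.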
[ upstream commit 55bfba9 ]

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
[ upstream commit 4b92d2d ]

Previously, they were failing due to our datapath masquerading replies
from pod to outside. As it got fixed in the previous commit, we can
enable BPF-based masquerading.

This will also give us some coverage for the fix.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
[ upstream commit 6418ade ]

This pulls in a few fixes around ioctl wrappers wrt. unsafe.Pointer
usage and fixes ifreqEthtool to be correctly padded.

Ref. golang/sys@e5e7981
Ref. golang/sys@b450225

Signed-off-by: Tobias Klauser <tobias@cilium.io>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
[ upstream commit d82ac6f ]

Use the ioctl wrapper provided in the golang.org/x/sys/unix package with
the correctly padded ifreqData struct, rather than providing our own
wrapper and struct which is incorrectly padded.

Also add a simple unit test and make sure the package is only built on
Linux.

Signed-off-by: Tobias Klauser <tobias@cilium.io>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
[ upstream commit 82469c3 ]

The egress gateway doesn't exactly require our kube-proxy replacement to
be enabled. It only requires BPF masquerading which itself requires BPF
NodePort. Enabling KPR is just an easy way to enable BPF NodePort.

Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
[ upstream commit e0da2e4 ]

Signed-off-by: Tom Payne <tom@isovalent.com>
Co-authored-by: Nicolas Busseneau <nicolas@isovalent.com>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
[ upstream commit 2202dae ]

In cilium#16892, we switched from pinning CLI version in workflows to using
the latest stable version automatically. This can cause issues if a new
release does not play nice with the set of environments tested by the
workflows on `cilium/cilium`.

We are reverting to pinning CLI version so as to have better control
over the test environment, and avoid new CLI releases negatively
impacting `cilium/cilium` workflows immediately upon release.

With the CLI version pinned, any issues with the new version will be
detected in the PR bumping the pinned version, allowing us to fix them
prior to merging.

Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
[ upstream commit acf3431 ]

This change updates cilium-cli to 0.9.1 in github action workflows
files.

Signed-off-by: Maciej Kwiek <maciej@isovalent.com>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
Member

@jrajahalme jrajahalme left a comment

Istio backports look OK.

@jrajahalme
Member

test-backport-1.10

@jibi jibi added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Sep 29, 2021
@jibi jibi merged commit a7a5463 into cilium:v1.10 Sep 29, 2021
@kaworu kaworu deleted the pr/v1.10-backport-2021-09-14 branch October 4, 2021 08:49