cilium, ci: Add netkit with per-endpoint-routes #35542

borkmann · 2024-10-25T11:53:08Z

(see commits)

borkmann · 2024-10-25T11:53:35Z

/ci-e2e-upgrade

borkmann · 2024-10-25T12:53:55Z

@jrife Fyi, looks like the general bpf/bpf-next tree update leads to a kubeapiserver issue:

E1025 11:58:48.244823    4298 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: Get \"http://localhost:8080/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused"
E10[25](https://github.com/cilium/cilium/actions/runs/11517695663/job/32063075716#step:28:26) 11:58:48.246655    4298 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: Get \"http://localhost:8080/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused"
E1025 11:58:48.248105    4298 memcache.go:[26](https://github.com/cilium/cilium/actions/runs/11517695663/job/32063075716#step:28:27)5] "Unhandled Error" err="couldn't get current server API group list: Get \"http://localhost:8080/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused"
E1025 11:58:48.249528    4298 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: Get \"http://localhost:8080/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused"
E1025 11:58:48.250917    4298 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: Get \"http://localhost:8080/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused"
The connection to the server localhost:8080 was refused - did you specify the right host or port?

Given it's IPv6, my suspicion for now is this regression: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter?id=306ed1728e8438caed30332e1ab46b28c25fe3d8

Building the latest image now: cilium/little-vm-helper-images#728 and will update here .

borkmann · 2024-10-25T13:58:33Z

/ci-e2e-upgrade

borkmann · 2024-10-25T14:52:48Z

Hm, seems still something off:

Readiness probe failed: Get "http://10.244.1.131:8080/": dial tcp 10.244.1.131:8080: connect: connection refused

edit:

Added net branch now as well which is what we need for the last two: cilium/little-vm-helper-images#729

jrife · 2024-10-25T15:17:48Z

I'm guessing the previous image(s) were building from bpf-next/master?

borkmann · 2024-10-25T15:18:56Z

I'm guessing the previous image(s) were building from bpf-next/master?

Yes, I've just added support for net branch via cilium/little-vm-helper-images#729 . What is odd however is that the non-netkit tests seem to fail for the bpf kernel update. Maybe a kernel regression somewhere.

jrife · 2024-10-25T15:26:43Z

What is odd however is that the non-netkit tests seem to fail for the bpf kernel update. Maybe a kernel regression somewhere.

I remember @aanm mentioning that newer bpf-next images were breaking CI recently. Perhaps a bisect is required here if bpf-next/net also has issues.

jrife · 2024-10-25T16:19:05Z

What are the repro steps to hit the issue mentioned above? Is it just "deploy Cilium on the latest bpf-next/master kernel" or is there a particular connectivity test that fails?

borkmann · 2024-10-25T16:38:13Z

From the sysdump of the e2e test (https://github.com/cilium/cilium/actions/runs/11519637468) for the bpf-next tests (e.g. which are not using netkit) it looks like the agent comes up but there is a connection refused error. Need to double check again. I think it should be reproducible in a kind environment with running the cilium-cli test suite as the e2e test does.

borkmann · 2024-10-25T16:42:45Z

(fwiw, this one now has bpf-net images cilium/little-vm-helper-images#729)

borkmann · 2024-10-25T16:58:13Z

Looking at cilium-2pqr6 from the failed e2e sysdump, test 7:

NAMESPACE            NAME                                         READY   STATUS             RESTARTS      AGE     IP             NODE                 NOMINATED NODE   READINESS GATES
cilium-test-1        client-6db7b75479-kq9v2                      1/1     Running            0             5m22s   10.244.1.170   kind-worker          <none>           <none>
cilium-test-1        client2-84576868b4-4455q                     1/1     Running            0             5m21s   10.244.1.71    kind-worker          <none>           <none>
cilium-test-1        client3-75555c5f5-xv8td                      1/1     Running            0             5m21s   10.244.2.119   kind-worker2         <none>           <none>
cilium-test-1        echo-external-node-55984f6c4f-wpkhs          0/1     CrashLoopBackOff   5 (92s ago)   5m20s   172.18.0.4     kind-worker3         <none>           <none>
cilium-test-1        echo-other-node-7df567f5cd-7zxhs             1/2     CrashLoopBackOff   5 (32s ago)   5m20s   10.244.2.194   kind-worker2         <none>           <none>
cilium-test-1        echo-same-node-57c9b8cff6-kxj6g              1/2     CrashLoopBackOff   5 (47s ago)   5m22s   10.244.1.193   kind-worker          <none>           <none>
cilium-test-1        host-netns-2m74s                             1/1     Running            0             5m21s   172.18.0.3     kind-worker          <none>           <none>
cilium-test-1        host-netns-8f2j5                             1/1     Running            0             5m21s   172.18.0.5     kind-control-plane   <none>           <none>
cilium-test-1        host-netns-non-cilium-scbr5                  1/1     Running            0             5m21s   172.18.0.4     kind-worker3         <none>           <none>
cilium-test-1        host-netns-p7pzs                             1/1     Running            0             5m21s   172.18.0.2     kind-worker2         <none>           <none>
cilium-test-1        lrp-backend-6d8ddc94f7-xh7m8                 0/1     CrashLoopBackOff   5 (61s ago)   5m20s   10.244.1.235   kind-worker          <none>           <none>
cilium-test-1        lrp-client-86dfffd6c6-tnfj7                  1/1     Running            0             5m20s   10.244.1.196   kind-worker          <none>           <none>
cilium-test-1        test-conn-disrupt-client-cc96ff4c6-7h8vq     1/1     Running            0             5m23s   10.244.2.28    kind-worker2         <none>           <none>
cilium-test-1        test-conn-disrupt-client-cc96ff4c6-flcl9     1/1     Running            0             5m23s   10.244.0.143   kind-control-plane   <none>           <none>
cilium-test-1        test-conn-disrupt-client-cc96ff4c6-gqr6b     1/1     Running            0             5m23s   10.244.2.252   kind-worker2         <none>           <none>
cilium-test-1        test-conn-disrupt-client-cc96ff4c6-qlt8k     1/1     Running            0             5m23s   10.244.1.29    kind-worker          <none>           <none>
cilium-test-1        test-conn-disrupt-client-cc96ff4c6-vzbnr     1/1     Running            0             5m23s   10.244.1.70    kind-worker          <none>           <none>
cilium-test-1        test-conn-disrupt-server-6847475bf-6h4dc     1/1     Running            0             5m30s   10.244.0.228   kind-control-plane   <none>           <none>
cilium-test-1        test-conn-disrupt-server-6847475bf-n8bgh     1/1     Running            0             5m30s   10.244.2.19    kind-worker2         <none>           <none>
cilium-test-1        test-conn-disrupt-server-6847475bf-th6q4     1/1     Running            0             5m30s   10.244.1.75    kind-worker          <none>           <none>
kube-system          cilium-2pqr6                                 1/1     Running            0             7m41s   172.18.0.2     kind-worker2         <none>           <none>
kube-system          cilium-envoy-4hd4q                           1/1     Running            0             7m41s   172.18.0.5     kind-control-plane   <none>           <none>
kube-system          cilium-envoy-9dpzt                           1/1     Running            0             7m41s   172.18.0.2     kind-worker2         <none>           <none>
kube-system          cilium-envoy-9z8rg                           1/1     Running            0             7m41s   172.18.0.3     kind-worker          <none>           <none>
kube-system          cilium-j8flq                                 1/1     Running            0             7m41s   172.18.0.5     kind-control-plane   <none>           <none>
kube-system          cilium-operator-6d766f8ff7-5qsz4             1/1     Running            0             7m41s   172.18.0.3     kind-worker          <none>           <none>
kube-system          cilium-rsk6p                                 1/1     Running            0             7m41s   172.18.0.3     kind-worker          <none>           <none>
kube-system          coredns-6f6b679f8f-bhrnk                     1/1     Running            0             8m46s   10.244.2.242   kind-worker2         <none>           <none>
kube-system          coredns-6f6b679f8f-njkd4                     1/1     Running            0             8m46s   10.244.2.107   kind-worker2         <none>           <none>
kube-system          etcd-kind-control-plane                      1/1     Running            0             8m54s   172.18.0.5     kind-control-plane   <none>           <none>
kube-system          kube-apiserver-kind-control-plane            1/1     Running            0             8m53s   172.18.0.5     kind-control-plane   <none>           <none>
kube-system          kube-controller-manager-kind-control-plane   1/1     Running            0             8m53s   172.18.0.5     kind-control-plane   <none>           <none>
kube-system          kube-scheduler-kind-control-plane            1/1     Running            0             8m53s   172.18.0.5     kind-control-plane   <none>           <none>
kube-system          node-local-dns-bwj6m                         1/1     Running            0             5m43s   10.244.0.79    kind-control-plane   <none>           <none>
kube-system          node-local-dns-fkpzk                         1/1     Running            0             5m43s   10.244.2.201   kind-worker2         <none>           <none>
kube-system          node-local-dns-gmg69                         1/1     Running            0             5m43s   10.244.1.192   kind-worker          <none>           <none>
local-path-storage   local-path-provisioner-5cf58d855b-9rbgq      1/1     Running            0             8m46s   10.244.2.101   kind-worker2         <none>           <none>

Looks like Cilium is up but the echo Pods are in CrashLoopBackOff, the cat--var-run-cilium-cilium-cni.log.md however does not show any level=warn or level=error.

status verbose shows the following.. maybe red herring, not sure:

Controller Status:      66/66 healthy
  Name                                                                        Last success   Last error   Count   Message
[...]
  ipcache-inject-labels                                                       33s ago        never        0       no error   
  k8s-heartbeat                                                               25s ago        never        0       no error   
  link-cache                                                                  17s ago        7m33s ago    0       no error   
  node-neighbor-link-updater                                                  11s ago        22s ago      0       no error   
  resolve-identity-133                                                        2m32s ago      never        0       no error   
  resolve-identity-145                                                        2m32s ago      never        0       no error   
[...]
      │   ├── node-manager
      │   │   ├── background-sync                                 [OK] Node validation successful (83s, x5)
      │   │   ├── neighbor-link-updater
      │   │   │   ├── kind-control-plane                          [DEGRADED] Failed node neighbor link update (54s, x6)
      │   │   │   └── kind-worker                                 [DEGRADED] Failed node neighbor link update (23s, x6)
      │   │   ├── node-checkpoint-writer                          [OK] node checkpoint written (5m53s, x3)
[...]

fwiw, ip n from sysdump seems ok on first glance:

172.18.0.5 dev eth0 lladdr 02:42:ac:12:00:05 extern_learn  REACHABLE
172.18.0.3 dev eth0 lladdr 02:42:ac:12:00:03 extern_learn  REACHABLE
172.18.0.1 dev eth0 lladdr 02:42:57:cc:14:cb STALE

The agent does not have any warn or error level logs aside from unrelated:

2024-10-25T14:10:02.284229107Z time="2024-10-25T14:10:02Z" level=warning msg="hubble events queue is full: dropping messages; consider increasing the queue size (hubble-event-queue-size) or provisioning more CPU" related-metric=hubble_lost_events_total subsys=hubble

dmesg looks clean as well

kubelet event log:


14:10:32Z | cilium-test-1 | kubelet | kind-worker2 | echo-other-node-7df567f5cd-7zxhs | Unhealthy | Readiness probe failed: Get "http://10.244.2.194:8080/": read tcp 10.244.2.39:53386->10.244.2.194:8080: read: connection reset by peer
-- | -- | -- | -- | -- | -- | --
14:10:34Z (x4) | cilium-test-1 | kubelet | kind-worker | echo-same-node-57c9b8cff6-kxj6g | BackOff | Back-off restarting failed container echo-same-node in pod echo-same-node-57c9b8cff6-kxj6g_cilium-test-1(f91134b7-ad5f-4c0e-a1c0-db887b2d1786)
14:10:47Z (x2) | cilium-test-1 | kubelet | kind-worker2 | echo-other-node-7df567f5cd-7zxhs | Unhealthy | Readiness probe failed: Get "http://10.244.2.194:8080/": dial tcp 10.244.2.194:8080: connect: connection refused
14:10:48Z (x3) | cilium-test-1 | kubelet | kind-worker | echo-same-node-57c9b8cff6-kxj6g | Pulled | Container image "quay.io/cilium/json-mock:v1.3.8@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603" already present on machine
14:10:48Z (x4) | cilium-test-1 | kubelet | kind-worker | echo-same-node-57c9b8cff6-kxj6g | Created | Created container echo-same-node
14:10:48Z | cilium-test-1 | kubelet | kind-worker2 | echo-other-node-7df567f5cd-7zxhs | Unhealthy | Readiness probe failed: Get "http://10.244.2.194:8080/": read tcp 10.244.2.39:55728->10.244.2.194:8080: read: connection reset by peer
14:11:00Z (x4) | cilium-test-1 | kubelet | kind-worker2 | echo-other-node-7df567f5cd-7zxhs | BackOff | Back-off restarting failed container echo-other-node in pod echo-other-node-7df567f5cd-7zxhs_cilium-test-1(ea174069-20b2-4932-bc3d-de01f0fac344)
14:11:13Z (x3) | cilium-test-1 | kubelet | kind-worker2 | echo-other-node-7df567f5cd-7zxhs | Pulled | Container image "quay.io/cilium/json-mock:v1.3.8@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603" already present on machine
14:11:13Z (x4) | cilium-test-1 | kubelet | kind-worker2 | echo-other-node-7df567f5cd-7zxhs | Created | Created container echo-other-node
14:11:14Z (x4) | cilium-test-1 | kubelet | kind-worker2 | echo-other-node-7df567f5cd-7zxhs | Started | Started container echo-other-node
14:14:03Z (x26) | cilium-test-1 | kubelet | kind-worker3 | echo-external-node-55984f6c4f-wpkhs | BackOff | Back-off restarting failed container echo-external-node in pod echo-external-node-55984f6c4f-wpkhs_cilium-test-1(7edca05a-bbdb-44f9-9c35-379f5648d1b6)

edit:

The degraded comes from:

2024-10-25T14:13:16.675562507Z time="2024-10-25T14:13:16Z" level=debug msg="Controller run failed" consecutiveErrors=1 error="unable to determine next hop IPv4 address for eth1 (172.18.0.3): remote node IP is non-routable\nunable to determine next hop IPv6 address for eth1 (fc00:c111::3): remote node IP is non-routable" name=node-neighbor-link-updater subsys=controller uuid=23605e82-7122-4b74-a1b4-1265d04fea60
2024-10-25T14:13:16.675656723Z time=2024-10-25T14:13:16Z level=debug msg="upserting health status" module=health lastLevel=Degraded reporter-id=agent.controlplane.node-manager.neighbor-link-updater.kind-worker status="agent.controlplane.node-manager.neighbor-link-updater.kind-worker: [Degraded] Failed node neighbor link update: unable to determine next hop IPv4 address for eth1 (172.18.0.3): remote node IP is non-routable\nunable to determine next hop IPv6 address for eth1 (fc00:c111::3): remote node IP is non-routable"
[...]
2024-10-25T14:14:07.710212916Z time=2024-10-25T14:14:07Z level=debug msg="upserting health status" module=health lastLevel=Degraded reporter-id=agent.controlplane.node-manager.neighbor-link-updater.kind-control-plane status="agent.controlplane.node-manager.neighbor-link-updater.kind-control-plane: [Degraded] Failed node neighbor link update: unable to determine next hop IPv4 address for eth1 (172.18.0.5): remote node IP is non-routable\nunable to determine next hop IPv6 address for eth1 (fc00:c111::5): remote node IP is non-routable"

Cluster health:              3/3 reachable             (2024-10-25T14:14:31Z)
  Name                       IP                        Node        Endpoints
  kind-worker2 (localhost)   172.18.0.2,fc00:c111::2   reachable   reachable
  kind-control-plane         172.18.0.5,fc00:c111::5   reachable   reachable
  kind-worker                172.18.0.3,fc00:c111::3   reachable   reachable

borkmann · 2024-10-25T17:12:25Z

I wonder if we're hitting https://github.com/cilium/cilium/issues?q=is%3Aissue%20state%3Aopen%20%22remote%20node%20IP%20is%20non-routable%22%22

jrife · 2024-10-26T15:44:57Z

I wasn't able to reproduce this in a kind cluster, but did reproduce the issue locally by just downloading the qcow2 file from that test run and starting up QEMU.

root@kind-bpf-next:/host# ./test.sh 
++ cd cilium
++ ./cilium connectivity test --include-conn-disrupt-test --conn-disrupt-test-setup --conn-disrupt-test-restarts-path ./cilium-conn-disrupt-restarts --conn-disrupt-dispatch-interval 0ms
✨ [kind-kind] Creating namespace cilium-test-1 for connectivity check...
✨ [kind-kind] Deploying test-conn-disrupt-server deployment...
⌛ [kind-kind] Waiting for deployment cilium-test-1/test-conn-disrupt-server to become ready...
✨ [kind-kind] Deploying test-conn-disrupt service...
✨ [kind-kind] Deploying test-conn-disrupt-client deployment...
✨ [kind-kind] Deploying echo-same-node service...
✨ [kind-kind] Deploying DNS test server configmap...
✨ [kind-kind] Deploying same-node deployment...
✨ [kind-kind] Deploying client deployment...
✨ [kind-kind] Deploying client2 deployment...
✨ [kind-kind] Deploying client3 deployment...
✨ [kind-kind] Deploying echo-other-node service...
✨ [kind-kind] Deploying other-node deployment...
✨ [host-netns] Deploying kind-kind daemonset...
✨ [host-netns-non-cilium] Deploying kind-kind daemonset...
ℹ️  Skipping tests that require a node Without Cilium
✨ [kind-kind] Deploying Ingress resource...
✨ [kind-kind] Deploying Ingress resource...
✨ [kind-kind] Deploying lrp-client deployment...
✨ [kind-kind] Deploying lrp-backend deployment...
⌛ [kind-kind] Waiting for deployment cilium-test-1/client to become ready...
⌛ [kind-kind] Waiting for deployment cilium-test-1/client2 to become ready...
⌛ [kind-kind] Waiting for deployment cilium-test-1/echo-same-node to become ready...
timeout reached waiting for deployment cilium-test-1/echo-same-node to become ready (last error: only 0 of 1 replicas are available)

root@kind-bpf-next:~# kubectl get pods -n cilium-test-1 -o wide     
NAME                                       READY   STATUS             RESTARTS      AGE     IP             NODE                 NOMINATED NODE   READINESS GATES
client-6db7b75479-9lz7w                    1/1     Running            0             3m8s    10.244.2.93    kind-worker          <none>           <none>
client2-84576868b4-rd28q                   1/1     Running            0             3m8s    10.244.2.29    kind-worker          <none>           <none>
client3-75555c5f5-dgwvb                    1/1     Running            0             3m8s    10.244.3.122   kind-worker3         <none>           <none>
echo-other-node-7df567f5cd-dh8dz           1/2     CrashLoopBackOff   4 (82s ago)   3m7s    10.244.3.93    kind-worker3         <none>           <none>
echo-same-node-57c9b8cff6-m4jdj            1/2     CrashLoopBackOff   4 (90s ago)   3m8s    10.244.2.150   kind-worker          <none>           <none>
host-netns-kpspr                           1/1     Running            0             3m7s    172.18.0.2     kind-control-plane   <none>           <none>
host-netns-sqmhl                           1/1     Running            0             3m7s    172.18.0.3     kind-worker          <none>           <none>
host-netns-v7sd6                           1/1     Running            0             3m7s    172.18.0.4     kind-worker2         <none>           <none>
host-netns-z4xj4                           1/1     Running            0             3m7s    172.18.0.5     kind-worker3         <none>           <none>
lrp-backend-6d8ddc94f7-5fww9               0/1     Error              5 (86s ago)   3m6s    10.244.1.92    kind-worker2         <none>           <none>
lrp-client-86dfffd6c6-nqxdt                1/1     Running            0             3m6s    10.244.1.139   kind-worker2         <none>           <none>
test-conn-disrupt-client-cc96ff4c6-244fg   1/1     Running            0             3m8s    10.244.1.157   kind-worker2         <none>           <none>
test-conn-disrupt-client-cc96ff4c6-7n7vz   1/1     Running            0             3m8s    10.244.3.129   kind-worker3         <none>           <none>
test-conn-disrupt-client-cc96ff4c6-7w56m   1/1     Running            0             3m8s    10.244.2.41    kind-worker          <none>           <none>
test-conn-disrupt-client-cc96ff4c6-97dx7   1/1     Running            0             3m8s    10.244.3.111   kind-worker3         <none>           <none>
test-conn-disrupt-client-cc96ff4c6-fc9th   1/1     Running            0             3m8s    10.244.0.244   kind-control-plane   <none>           <none>
test-conn-disrupt-server-6847475bf-8jg47   1/1     Running            0             3m11s   10.244.3.121   kind-worker3         <none>           <none>
test-conn-disrupt-server-6847475bf-q675s   1/1     Running            0             3m11s   10.244.1.150   kind-worker2         <none>           <none>
test-conn-disrupt-server-6847475bf-zsvs7   1/1     Running            0             3m11s   10.244.2.36    kind-worker          <none>           <none>
root@kind-bpf-next:~#

To offer another data point, I tried this test with the 6.10.11-amd64 kernel included in the image and hit the same problem. I may have some time later to dig in more.

borkmann · 2024-10-28T10:01:10Z

I may have some time later to dig in more.

If you have some cycles that would be awesome, thanks! I might otherwise not get to it before KubeCon.

borkmann · 2024-10-28T13:13:06Z

Cc @jschwinger233 found that it looks like an issue with too many open files :

root@kind-5:~# kubectl -ncilium-test-1 logs echo-external-node-55984f6c4f-79mjs
Error: EMFILE: too many open files, watch '/'
    at FSWatcher.<computed> (node:internal/fs/watchers:247:19)
    at Object.watch (node:fs:2469:36)
    at /usr/local/lib/node_modules/json-server/lib/cli/run.js:163:10 {
  errno: -24,
  syscall: 'watch',
  code: 'EMFILE',
  path: '/',
  filename: '/'
}

Also, Gray mentioned:

lvh-image already set 512 max_user_instances by writing /etc/sysctl.conf, but somehow kernel doesn't load the file until I manually run sysctl -p.

https://github.com/search?q=repo%3Acilium%2Flittle-vm-helper-images%20sysctl&type=code

root@kind-5:~# cat /etc/sysctl.conf | grep max_user
fs.inotify.max_user_watches = 524288
fs.inotify.max_user_instances = 512
root@kind-5:~# sysctl -p 
fs.inotify.max_user_watches = 524288
fs.inotify.max_user_instances = 512

Maybe this is the root cause: new kernel somehow no longer loads sysctl from /etc/sysctl.conf on boot.

jrife · 2024-10-28T19:53:17Z

found that it looks like an issue with too many open files

I can confirm that running sysctl -p manually gets past the startup issue and lets cilium connectivity test run.

borkmann · 2024-10-28T21:36:01Z

(related PR: cilium/little-vm-helper-images#731 )

borkmann · 2024-10-29T08:43:55Z

/ci-e2e-upgrade

borkmann · 2024-10-29T10:31:31Z

Looks like with the new fix that test suite is still failing: https://github.com/cilium/cilium/actions/runs/11570233767/job/32210457502
@jrife did it work for you running locally?
The GHA did seem to pick the right kernel though echo "image-name=$(echo kind | sed 's/\-ci//g')_$(echo bpf-net-20241029.033004 | sed 's/$.*$\-$.*$/\1/g')" >> $GITHUB_OUTPUT

jrife · 2024-10-29T15:19:29Z

did it work for you running locally?

I may have some time today. I'll run again locally and see if I can reproduce the failures from the latest run.

jrife · 2024-10-29T19:42:24Z

OK, I was able to reproduce this new problem. I hit this while running cilium connectivity test in a VM. It seems to match the errors seen in the test job you linked to.

cilium connectivity test --test-concurrency=5 --test '!seq-.*' --include-unsafe-tests --collect-sysdump-on-failure --flush-ct --sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m --sysdump-output-filename 'cilium-sysdump-24-<ts>' --junit-file 'cilium-junits/Setup & Test (24).xml' --junit-property 'github_job_step=Run tests upgrade 2 (24)' '--expected-drop-reasons=+No egress gateway found

🗳 Compiling sysdump
✅ The sysdump has been saved to cilium-sysdump-24-20241029-184003.zip
  ℹ️  curl stdout:
  :0 -> :0 = 000
  ℹ️  curl stderr:
  curl: (7) Failed to connect to echo-other-node.cilium-test-5 port 8080 after 81 ms: Couldn't connect to server
  
  [.] Action [allow-all-except-world/pod-to-service/curl-1: cilium-test-5/client-6db7b75479-fkxjm (10.244.2.249) -> cilium-test-5/echo-same-node (echo-same-node.cilium-test-5:8080)]
.  ❌ command "curl -w %{local_ip}:%{local_port} -> %{remote_ip}:%{remote_port} = %{response_code} --silent --fail --show-error --output /dev/null --connect-timeout 2 --max-time 10 http://echo-same-node.cilium-test-5:8080" failed: error with exec request (pod=cilium-test-5/client-6db7b75479-fkxjm, container=client): command terminated with exit code 7

Looking at the pods in cilium-test-5 it seems that the readiness probes are timing out for echo-other-node-* and echo-same-node-*. Deleting the allow-all-except-world CiliumNetworkPolicy lets the curl command above (and I'm assuming the others that fail during the test) succeed.

root@kind-bpf-net:/host# kubectl get pods -o wide -n cilium-test-5
NAME                               READY   STATUS    RESTARTS   AGE   IP             NODE                 NOMINATED NODE   READINESS GATES
client-6db7b75479-fkxjm            1/1     Running   0          56m   10.244.2.249   kind-worker3         <none>           <none>
client2-84576868b4-28pbm           1/1     Running   0          56m   10.244.2.213   kind-worker3         <none>           <none>
client3-75555c5f5-zrncj            1/1     Running   0          56m   10.244.1.186   kind-worker2         <none>           <none>
echo-other-node-79f65895f4-scm5l   0/2     Running   0          56m   10.244.0.24    kind-control-plane   <none>           <none>
echo-same-node-55764c895b-d8rbn    0/2     Running   0          56m   10.244.2.142   kind-worker3         <none>           <none>
host-netns-chznb                   1/1     Running   0          56m   172.18.0.5     kind-worker3         <none>           <none>
host-netns-mqx7z                   1/1     Running   0          56m   172.18.0.3     kind-control-plane   <none>           <none>
host-netns-wl7vq                   1/1     Running   0          56m   172.18.0.4     kind-worker2         <none>           <none>
host-netns-z5wrq                   1/1     Running   0          56m   172.18.0.2     kind-worker          <none>           <none>
root@kind-bpf-net:/host# kubectl describe pods -n cilium-test-5 echo-same-node-55764c895b-d8rbn
...
  Warning  Unhealthy         55m                     kubelet            Readiness probe failed: Get "http://10.244.2.142:8181/ready": dial tcp 10.244.2.142:8181: connect: connection refused
  Warning  Unhealthy         55m                     kubelet            Readiness probe failed: Get "http://10.244.2.142:8181/ready": dial tcp 10.244.2.142:8181: i/o timeout (Client.Timeout exceeded while awaiting headers)
  Warning  Unhealthy         22m (x775 over 55m)     kubelet            Readiness probe failed: Get "http://10.244.2.142:8080/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
  Warning  Unhealthy         7m17s (x366 over 55m)   kubelet            Readiness probe failed: Get "http://10.244.2.142:8080/": dial tcp 10.244.2.142:8080: i/o timeout (Client.Timeout exceeded while awaiting headers)
  Warning  Unhealthy         2m17s (x1201 over 55m)  kubelet            Readiness probe failed: Get "http://10.244.2.142:8181/ready": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
root@kind-bpf-net:/host# uname -r
6.12.0-rc2-g97e90539983e

This all seems like the original problem in #34042. Is it possible that either the kernel build doesn't have the Netkit scrub patch or the Cilium version used doesn't have #35306? I just used the same build and tags referenced in the logs from the failed test job.

jrife · 2024-10-29T20:38:00Z

root@kind-control-plane:/# ip route
default via 172.18.0.1 dev eth0 
10.244.0.24 dev lxc1b14086930ee proto kernel scope link 
...

root@kind-control-plane:/# ./netkit-get lxc1b14086930ee
&{LinkAttrs:{Index:10 MTU:1500 TxQLen:1000 Name:lxc1b14086930ee HardwareAddr: Flags:up|broadcast|multicast RawFlags:69827 ParentIndex:9 MasterIndex:0 Namespace:<nil> Alias: AltNames:[] Statistics:0xc000130000 Promisc:0 Allmulti:0 Multi:1 Xdp:0xc000110048 EncapType:ether Protinfo:<nil> OperState:up PhysSwitchID:0 NetNsID:3 NumTxQueues:1 NumRxQueues:1 TSOMaxSegs:65535 TSOMaxSize:524280 GSOMaxSegs:65535 GSOMaxSize:196608 GROMaxSize:196608 GSOIPv4MaxSize:196608 GROIPv4MaxSize:196608 Vfs:[] Group:0 PermHWAddr: Slave:<nil>} Mode:1 Policy:0 PeerPolicy:2 Scrub:0 PeerScrub:1 supportsScrub:true isPrimary:true peerLinkAttrs:{Index:0 MTU:0 TxQLen:0 Name: HardwareAddr:[] Flags:0 RawFlags:0 ParentIndex:0 MasterIndex:0 Namespace:<nil> Alias: AltNames:[] Statistics:<nil> Promisc:0 Allmulti:0 Multi:0 Xdp:<nil> EncapType: Protinfo:<nil> OperState:0 PhysSwitchID:0 NetNsID:0 NumTxQueues:0 NumRxQueues:0 TSOMaxSegs:0 TSOMaxSize:0 GSOMaxSegs:0 GSOMaxSize:0 GROMaxSize:0 GSOIPv4MaxSize:0 GROIPv4MaxSize:0 Vfs:[] Group:0 PermHWAddr:[] Slave:<nil>}}
root@kind-control-plane:/#

root@kind-bpf-net:/host/netlink# cat cmd/netkit-get/netkit-get.go 
package main

import (
	"fmt"
	"os"
	"github.com/vishvananda/netlink"
)

func main() {
	result, err := netlink.LinkByName(os.Args[1])
	if err != nil {
		fmt.Printf("Error: %v\n", err)
		os.Exit(1)
	}

	fmt.Printf("%+v\n", result)
}

I wrote this small utility to check the netkit configuration for one of those Pod's LXC interfaces and it looks correct. IFLA_NETKIT_SCRUB and IFLA_NETKIT_PEER_SCRUB are supported. Scrub is set to NETKIT_SCRUB_NONE and PeerScrub is set to NETKIT_SCRUB_DEFAULT.

jrife · 2024-10-29T23:16:29Z

Hmm strange, after switching the datapath mode to veth I see similar behavior.

root@kind-bpf-net:/host# kubectl exec -it -n kube-system cilium-8sz7q -- cilium status
Defaulted container "cilium-agent" out of: cilium-agent, config (init), mount-cgroup (init), apply-sysctl-overwrites (init), mount-bpf-fs (init), clean-cilium-state (init), install-cni-binaries (init)
KVStore:                 Ok   Disabled
Kubernetes:              Ok   1.31 (v1.31.0) [linux/amd64]
Kubernetes APIs:         ["EndpointSliceOrEndpoint", "cilium/v2::CiliumClusterwideNetworkPolicy", "cilium/v2::CiliumNetworkPolicy", "cilium/v2::CiliumNode", "cilium/v2alpha1::CiliumCIDRGroup", "cilium/v2alpha1::CiliumEndpointSlice", "core/v1::Namespace", "core/v1::Pods", "core/v1::Service", "networking.k8s.io/v1::NetworkPolicy"]
KubeProxyReplacement:    True   [eth0    172.18.0.5 fc00:c111::5 fe80::42:acff:fe12:5 (Direct Routing)]
Host firewall:           Disabled
SRv6:                    Disabled
CNI Chaining:            none
CNI Config file:         successfully wrote CNI configuration file to /host/etc/cni/net.d/05-cilium.conflist
Cilium:                  Ok   1.17.0-dev (v1.17.0-dev-0bc32ae110)
NodeMonitor:             Listening for events on 4 CPUs with 64x4096 of shared memory
Cilium health daemon:    Ok   
IPAM:                    IPv4: 11/254 allocated from 10.244.2.0/24, IPv6: 11/18446744073709551614 allocated from fd00:10:244:2::/64
IPv4 BIG TCP:            Enabled   [196608]
IPv6 BIG TCP:            Enabled   [196608]
BandwidthManager:        Disabled
Routing:                 Network: Native   Host: BPF
Attach Mode:             TCX
Device Mode:             veth
Masquerading:            BPF   [eth0]   10.244.0.0/16 [IPv4: Enabled, IPv6: Enabled]
Controller Status:       66/66 healthy
Proxy Status:            OK, ip 10.244.2.49, 0 redirects active on ports 10000-20000, Envoy: external
Global Identity Range:   min 256, max 65535
Hubble:                  Ok              Current/Max Flows: 65535/65535 (100.00%), Flows/s: 313.07   Metrics: Disabled
Encryption:              Disabled        
Cluster health:          4/4 reachable   (2024-10-29T23:15:38Z)
Name                     IP              Node   Endpoints
Modules Health:          Stopped(0) Degraded(3) OK(67)
root@kind-bpf-net:/host#

.
[=] [cilium-test-5] Test [allow-all-except-world] [1/20]
.........................  ℹ️  📜 Applying CiliumNetworkPolicy 'allow-all-except-world' to namespace 'cilium-test-5' on cluster kind-kind..
  [-] Scenario [allow-all-except-world/pod-to-pod]
  [.] Action [allow-all-except-world/pod-to-pod/curl-ipv4-0: cilium-test-5/client2-84576868b4-phshh (10.244.2.15) -> cilium-test-5/echo-same-node-55764c895b-5rjjg (10.244.2.199:8080)]
  [.] Action [allow-all-except-world/pod-to-pod/curl-ipv6-0: cilium-test-5/client2-84576868b4-phshh (fd00:10:244:2::8fd2) -> cilium-test-5/echo-same-node-55764c895b-5rjjg (fd00:10:244:2::f290:8080)]
  [.] Action [allow-all-except-world/pod-to-pod/curl-ipv4-1: cilium-test-5/client2-84576868b4-phshh (10.244.2.15) -> cilium-test-5/echo-other-node-79f65895f4-fzmsv (10.244.1.185:8080)]
  [.] Action [allow-all-except-world/pod-to-pod/curl-ipv6-1: cilium-test-5/client2-84576868b4-phshh (fd00:10:244:2::8fd2) -> cilium-test-5/echo-other-node-79f65895f4-fzmsv (fd00:10:244:1::fa3f:8080)]
  [.] Action [allow-all-except-world/pod-to-pod/curl-ipv4-2: cilium-test-5/client3-75555c5f5-f5dp6 (10.244.3.91) -> cilium-test-5/echo-other-node-79f65895f4-fzmsv (10.244.1.185:8080)]
  [.] Action [allow-all-except-world/pod-to-pod/curl-ipv6-2: cilium-test-5/client3-75555c5f5-f5dp6 (fd00:10:244:3::2159) -> cilium-test-5/echo-other-node-79f65895f4-fzmsv (fd00:10:244:1::fa3f:8080)]
  [.] Action [allow-all-except-world/pod-to-pod/curl-ipv4-3: cilium-test-5/client3-75555c5f5-f5dp6 (10.244.3.91) -> cilium-test-5/echo-same-node-55764c895b-5rjjg (10.244.2.199:8080)]
  [.] Action [allow-all-except-world/pod-to-pod/curl-ipv6-3: cilium-test-5/client3-75555c5f5-f5dp6 (fd00:10:244:3::2159) -> cilium-test-5/echo-same-node-55764c895b-5rjjg (fd00:10:244:2::f290:8080)]
  [.] Action [allow-all-except-world/pod-to-pod/curl-ipv4-4: cilium-test-5/client-6db7b75479-ljmb5 (10.244.2.145) -> cilium-test-5/echo-other-node-79f65895f4-fzmsv (10.244.1.185:8080)]
  [.] Action [allow-all-except-world/pod-to-pod/curl-ipv6-4: cilium-test-5/client-6db7b75479-ljmb5 (fd00:10:244:2::8a5a) -> cilium-test-5/echo-other-node-79f65895f4-fzmsv (fd00:10:244:1::fa3f:8080)]
  [.] Action [allow-all-except-world/pod-to-pod/curl-ipv4-5: cilium-test-5/client-6db7b75479-ljmb5 (10.244.2.145) -> cilium-test-5/echo-same-node-55764c895b-5rjjg (10.244.2.199:8080)]
  [.] Action [allow-all-except-world/pod-to-pod/curl-ipv6-5: cilium-test-5/client-6db7b75479-ljmb5 (fd00:10:244:2::8a5a) -> cilium-test-5/echo-same-node-55764c895b-5rjjg (fd00:10:244:2::f290:8080)]
  [-] Scenario [allow-all-except-world/client-to-client]
  [.] Action [allow-all-except-world/client-to-client/ping-ipv4-0: cilium-test-5/client-6db7b75479-ljmb5 (10.244.2.145) -> cilium-test-5/client2-84576868b4-phshh (10.244.2.15:0)]
  [.] Action [allow-all-except-world/client-to-client/ping-ipv6-0: cilium-test-5/client-6db7b75479-ljmb5 (fd00:10:244:2::8a5a) -> cilium-test-5/client2-84576868b4-phshh (fd00:10:244:2::8fd2:0)]
  [.] Action [allow-all-except-world/client-to-client/ping-ipv4-1: cilium-test-5/client-6db7b75479-ljmb5 (10.244.2.145) -> cilium-test-5/client3-75555c5f5-f5dp6 (10.244.3.91:0)]
  [.] Action [allow-all-except-world/client-to-client/ping-ipv6-1: cilium-test-5/client-6db7b75479-ljmb5 (fd00:10:244:2::8a5a) -> cilium-test-5/client3-75555c5f5-f5dp6 (fd00:10:244:3::2159:0)]
  [.] Action [allow-all-except-world/client-to-client/ping-ipv4-2: cilium-test-5/client2-84576868b4-phshh (10.244.2.15) -> cilium-test-5/client-6db7b75479-ljmb5 (10.244.2.145:0)]
  [.] Action [allow-all-except-world/client-to-client/ping-ipv6-2: cilium-test-5/client2-84576868b4-phshh (fd00:10:244:2::8fd2) -> cilium-test-5/client-6db7b75479-ljmb5 (fd00:10:244:2::8a5a:0)]
  [.] Action [allow-all-except-world/client-to-client/ping-ipv4-3: cilium-test-5/client2-84576868b4-phshh (10.244.2.15) -> cilium-test-5/client3-75555c5f5-f5dp6 (10.244.3.91:0)]
  [.] Action [allow-all-except-world/client-to-client/ping-ipv6-3: cilium-test-5/client2-84576868b4-phshh (fd00:10:244:2::8fd2) -> cilium-test-5/client3-75555c5f5-f5dp6 (fd00:10:244:3::2159:0)]
  [.] Action [allow-all-except-world/client-to-client/ping-ipv4-4: cilium-test-5/client3-75555c5f5-f5dp6 (10.244.3.91) -> cilium-test-5/client-6db7b75479-ljmb5 (10.244.2.145:0)]
  [.] Action [allow-all-except-world/client-to-client/ping-ipv6-4: cilium-test-5/client3-75555c5f5-f5dp6 (fd00:10:244:3::2159) -> cilium-test-5/client-6db7b75479-ljmb5 (fd00:10:244:2::8a5a:0)]
  [.] Action [allow-all-except-world/client-to-client/ping-ipv4-5: cilium-test-5/client3-75555c5f5-f5dp6 (10.244.3.91) -> cilium-test-5/client2-84576868b4-phshh (10.244.2.15:0)]
  [.] Action [allow-all-except-world/client-to-client/ping-ipv6-5: cilium-test-5/client3-75555c5f5-f5dp6 (fd00:10:244:3::2159) -> cilium-test-5/client2-84576868b4-phshh (fd00:10:244:2::8fd2:0)]
  [-] Scenario [allow-all-except-world/pod-to-service]
  [.] Action [allow-all-except-world/pod-to-service/curl-0: cilium-test-5/client-6db7b75479-ljmb5 (10.244.2.145) -> cilium-test-5/echo-other-node (echo-other-node.cilium-test-5:8080)]
  ❌ command "curl -w %{local_ip}:%{local_port} -> %{remote_ip}:%{remote_port} = %{response_code} --silent --fail --show-error --output /dev/null --connect-timeout 2 --max-time 10 http://echo-other-node.cilium-test-5:8080" failed: error with exec request (pod=cilium-test-5/client-6db7b75479-ljmb5, container=client): command terminated with exit code 7

root@kind-bpf-net:~/cilium# kubectl get pods -n cilium-test-5
NAME                               READY   STATUS    RESTARTS   AGE
client-6db7b75479-ljmb5            1/1     Running   0          4m31s
client2-84576868b4-phshh           1/1     Running   0          4m29s
client3-75555c5f5-f5dp6            1/1     Running   0          4m28s
echo-other-node-79f65895f4-fzmsv   0/2     Running   0          4m24s
echo-same-node-55764c895b-5rjjg    0/2     Running   0          4m31s
host-netns-79zz8                   1/1     Running   0          4m22s
host-netns-gtc2q                   1/1     Running   0          4m22s
host-netns-w8dsg                   1/1     Running   0          4m22s
host-netns-zgwcz                   1/1     Running   0          4m23s
root@kind-bpf-net:~/cilium#

borkmann · 2024-10-30T07:25:23Z

Was there anything log-wise in the two echo Pods which could give further hints?

echo-other-node-79f65895f4-fzmsv   0/2     Running   0          4m24s
echo-same-node-55764c895b-5rjjg    0/2     Running   0          4m31s

jrife · 2024-10-30T22:03:35Z

Was there anything log-wise in the two echo Pods which could give further hints?

Nothing interesting there, although looking more at the Cilium agent logs I think this is the issue

time="2024-10-30T21:51:30.775053522Z" level=error msg="iptables rules full reconciliation failed, will retry another one later" error="failed to install rules: cannot install static proxy rules: unable to run 'ip6tables -t mangle -A CILIUM_PRE_mangle -m socket --transparent ! -o lo -m mark ! --mark 0x00000e00/0x00000f00 -m mark ! --mark 0x00000800/0x00000f00 -m comment --comment cilium: any->pod redirect proxied traffic to host proxy -j MARK --set-mark 0x00000200' iptables command: exit status 1 stderr=\"Warning: Extension MARK revision 0 not supported, missing kernel module?\\nip6tables: No chain/target/match by that name.\\n\"" subsys=iptables

This comes out of m.installStaticProxyRules() and causes m.installRules() to exit early before running m.installHostTrafficMarkRule(). cilium-dbg monitor shows the traffic from kubelet getting mislabeled as world and getting denied, so this would explain it if the packets are never marked coming from the host namespace.

Edit: Hmm could this possibly be because CONFIG_NETFILTER_XT_TARGET_MARK is not set in the kernel config? I'm no netfilter expert, but other CONFIG_NETFILTER_XT_TARGET_* options are enabled in the build.

root@kind-bpf-net:/host# cat /boot/config-6.12.0-rc2-g97e90539983e | grep -i TARGET_MARK
# CONFIG_NETFILTER_XT_TARGET_MARK is not set
root@kind-bpf-net:/host#

I don't have time to check today, but could try doing a local kernel build with this set to see if it resolves the issue later.

borkmann · 2024-10-31T07:08:07Z

Edit: Hmm could this possibly be because CONFIG_NETFILTER_XT_TARGET_MARK is not set in the kernel config? I'm no netfilter expert, but other CONFIG_NETFILTER_XT_TARGET_* options are enabled in the build.

It is not set in the build:

https://github.com/cilium/little-vm-helper-images/blob/main/_data/kernels.json

But it also seems not listed as part of the requirements:

https://docs.cilium.io/en/latest/operations/system_requirements/#requirements-for-l7-and-fqdn-policies

My guess is if it would be required then also current CI would break, but worth a try.

Edit: Ah interesting.. we do use it fwiw:

cilium/pkg/datapath/iptables/iptables.go

Line 524 in 39165a1

"-j", "MARK",

Jordan reported that CONFIG_NETFILTER_XT_TARGET_MARK is missing in CI kernels [0]. We should also it to the documentation to make it clear that it is needed. Reported-by: Jordan Rife <jrife@google.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: #35542 (comment) [0]

Needed for Cilium's L7 proxy [0]. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: Link: cilium/cilium#35542 (comment) [0]

borkmann · 2024-10-31T09:16:50Z

It looks like we might be hitting the same bug as #35436 (comment) .

And bpf-next/net does not yet have the fix: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/log/net/netfilter?h=net (fix: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=306ed1728e8438caed30332e1ab46b28c25fe3d8). I'll see to push out the bpf-next PR till end of week.

Jordan reported that CONFIG_NETFILTER_XT_TARGET_MARK is missing in CI kernels [0]. We should also it to the documentation to make it clear that it is needed. Reported-by: Jordan Rife <jrife@google.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: #35542 (comment) [0]

jrife · 2024-10-31T21:30:39Z

And bpf-next/net does not yet have the fix: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/log/net/netfilter?h=net (fix: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=306ed1728e8438caed30332e1ab46b28c25fe3d8). I'll see to push out the bpf-next PR till end of week.

I can confirm this fixes the issue with readiness probes after trying on my machine.

Needed for Cilium's L7 proxy [0]. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: Link: cilium/cilium#35542 (comment) [0]

Jordan fixed Cilium with netkit and per-endpoint-routes in #35306. Given we have a more recent bpf image now, lets add it also to CI to regularly test for regressions. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

borkmann · 2024-11-04T09:15:40Z

/ci-e2e-upgrade

borkmann · 2024-11-04T09:52:04Z

@jrife Nice tests are green now! 🎉

[ upstream commit 123f374 ] Jordan reported that CONFIG_NETFILTER_XT_TARGET_MARK is missing in CI kernels [0]. We should also it to the documentation to make it clear that it is needed. Reported-by: Jordan Rife <jrife@google.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: #35542 (comment) [0] Signed-off-by: Jussi Maki <jussi@isovalent.com>

borkmann added the release-note/misc This PR makes changes that have no direct user impact. label Oct 25, 2024

borkmann requested a review from jrife October 25, 2024 11:53

borkmann requested review from a team as code owners October 25, 2024 11:53

borkmann requested a review from brlbil October 25, 2024 11:53

borkmann mentioned this pull request Oct 25, 2024

ci, tests: Add netkit with endpoint routes as test case #34500

Closed

brlbil approved these changes Oct 25, 2024

View reviewed changes

jrife approved these changes Oct 25, 2024

View reviewed changes

borkmann force-pushed the pr/ci-update branch from 179b210 to 86ac379 Compare October 25, 2024 13:58

borkmann force-pushed the pr/ci-update branch from 86ac379 to dd122d2 Compare October 25, 2024 14:48

borkmann added the feature/netkit label Oct 25, 2024

borkmann force-pushed the pr/ci-update branch from dd122d2 to 1b2a503 Compare October 29, 2024 08:43

borkmann added a commit to cilium/little-vm-helper-images that referenced this pull request Oct 31, 2024

kernels: Enable XT_TARGET_MARK

cda70cd

Needed for Cilium's L7 proxy [0]. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: Link: cilium/cilium#35542 (comment) [0]

borkmann mentioned this pull request Oct 31, 2024

kernels: Enable XT_TARGET_MARK cilium/little-vm-helper-images#736

Merged

borkmann added a commit to cilium/little-vm-helper-images that referenced this pull request Nov 4, 2024

kernels: Enable XT_TARGET_MARK

45b6227

Needed for Cilium's L7 proxy [0]. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: Link: cilium/cilium#35542 (comment) [0]

borkmann added a commit to cilium/little-vm-helper-images that referenced this pull request Nov 4, 2024

kernels: Enable XT_TARGET_MARK

3f1a488

Needed for Cilium's L7 proxy [0]. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: Link: cilium/cilium#35542 (comment) [0]

cilium, ci: Add netkit with per-endpoint-routes to e2e test

d6c48c0

Jordan fixed Cilium with netkit and per-endpoint-routes in #35306. Given we have a more recent bpf image now, lets add it also to CI to regularly test for regressions. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

borkmann force-pushed the pr/ci-update branch from 1b2a503 to d6c48c0 Compare November 4, 2024 09:15

borkmann merged commit c345a69 into main Nov 4, 2024
74 of 75 checks passed

borkmann deleted the pr/ci-update branch November 4, 2024 09:52

borkmann added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Nov 4, 2024

cilium, ci: Add netkit with per-endpoint-routes #35542

cilium, ci: Add netkit with per-endpoint-routes #35542

Uh oh!

Conversation

borkmann commented Oct 25, 2024

Uh oh!

borkmann commented Oct 25, 2024

Uh oh!

borkmann commented Oct 25, 2024

Uh oh!

borkmann commented Oct 25, 2024

Uh oh!

borkmann commented Oct 25, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jrife commented Oct 25, 2024

Uh oh!

borkmann commented Oct 25, 2024

Uh oh!

jrife commented Oct 25, 2024

Uh oh!

jrife commented Oct 25, 2024

Uh oh!

borkmann commented Oct 25, 2024

Uh oh!

borkmann commented Oct 25, 2024

Uh oh!

borkmann commented Oct 25, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

borkmann commented Oct 25, 2024

Uh oh!

jrife commented Oct 26, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

borkmann commented Oct 28, 2024

Uh oh!

borkmann commented Oct 28, 2024

Uh oh!

jrife commented Oct 28, 2024

Uh oh!

borkmann commented Oct 28, 2024

Uh oh!

borkmann commented Oct 29, 2024

Uh oh!

borkmann commented Oct 29, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jrife commented Oct 29, 2024

Uh oh!

jrife commented Oct 29, 2024

Uh oh!

jrife commented Oct 29, 2024

Uh oh!

jrife commented Oct 29, 2024

Uh oh!

borkmann commented Oct 30, 2024

Uh oh!

jrife commented Oct 30, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

borkmann commented Oct 31, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

borkmann commented Oct 31, 2024

Uh oh!

jrife commented Oct 31, 2024

Uh oh!

borkmann commented Nov 4, 2024

Uh oh!

borkmann commented Nov 4, 2024

Uh oh!

Uh oh!

Uh oh!

borkmann commented Oct 25, 2024 •

edited

Loading

borkmann commented Oct 25, 2024 •

edited

Loading

jrife commented Oct 26, 2024 •

edited

Loading

borkmann commented Oct 29, 2024 •

edited

Loading

jrife commented Oct 30, 2024 •

edited

Loading

borkmann commented Oct 31, 2024 •

edited

Loading