Ilya Dmitrichenko errordeveloper @isovalent / @cilium London, UK https://twitter.com/errordeveloper Ilya is a software engineer at Isovalent, focused on making @kubernetes networking and security easily accessible to more users.

ClusterHQ/powerstrip 306

Powerstrip: A tool for prototyping Docker extensions

binocarlos/powerstrip-weave 36

A Powerstrip plugin that runs weave inside a container and ensures that containers are connected to the weave network before running their entrypoints.

dlespiau/kube-test-harness 28

Write Kubernetes integration tests in go!

cilium/image-tools 5

Dockerfiles for cilium-runtime and cilium-builder dependencies

ClusterHQ/powerstrip-slowreq 4

A trivial example plugin for Powerstrip: a tool for prototyping Docker extensions

binocarlos/powerstrip-debug 1

A powerstrip adapter that logs requests to stdout.

ClusterHQ/docker-plugins 1

A temporary fork of Docker for working on docker plugin mechanism (mainly for issue tracker, wiki)

errordeveloper/.vim 1

Modular Vim configuration without pathogen!

errordeveloper/authenticator 1

A tool for using AWS IAM credentials to authenticate to a Kubernetes cluster

issue comment cilium/cilium

Nightly tests

Since the new test library hasn't been developed yet, and the Test Cluster Operator for GKE is not ready, I propose the following break-down of work.

Phase 1

Goal: enable simple developer workflow

A developer should be able to run performance tests manually, using the following steps:

  • create a dev cluster with gcloud
  • deploy Prometheus to their dev cluster with simple config
  • run the tests

Once the tests have finished, the developer should be able to view metrics using the Prometheus UI or Grafana.

What's not covered here is:

  • centralised Prometheus storage
  • comprehensive dashboards

Phase 2

Goal: start using Test Cluster Operator, centralised Prometheus

A developer should be able to run performance tests manually using Test Cluster Operator for GKE, and centralised Prometheus storage. They would be looking to take the following steps:

  • request a test cluster for performance tests
  • deploy Prometheus server with remote storage configuration
  • run the tests

What's not covered here is:

  • CI integration

Phase 3

Goal: start running tests in GitHub Actions

Note: this is separate phase as it depends on Test Cluster Operator readiness

b3a-dev

comment created time in 14 hours

PR opened cilium/cilium

build: Update runtime image, add a guard rail area/build release-note/ci

This was missed out from aa796a2c282e. A check is added to ensure this doesn't happen again.

Fixes: aa796a2c282e (build: Fix shellcheck linter)

+22 -1

0 comment

5 changed files

pr created time in 14 hours

create branch cilium/cilium

branch : pr/errordeveloper/update-runtime-image

created branch time in 14 hours

PR opened cilium/cilium

build: Fix shellcheck linter area/build release-note/ci
  • do not assume absolute path, it is different inside GitHub Actions
  • use --source-path flag to set script dir
  • use long flag name (-x/--external-source) for readability
  • ensure linter also runs on each PR

Fixes: e091612061d9 (build: New runtime image with multi-platform support)
Fixes: 6f83fb8f3d02 (build: Fix shellcheck errors)

+22 -3

0 comment

3 changed files

pr created time in 16 hours

delete branch cilium/cilium

delete branch : pr/errordeveloper/improve-image-builds

delete time in 16 hours

create branch cilium/cilium

branch : pr/errordeveloper/fix-images-lint-error

created branch time in 16 hours

push event cilium/cilium

Maciej Kwiek

commit sha 082e87932312311f50f6d165905b792ff729f41d

test: retrieve pods based on node label, not name

This change removes reliance on hardcoded node names when retrieving pods in several tests, which caused GKE tests (where we don't control node names) to fail.

Signed-off-by: Maciej Kwiek <maciej@isovalent.com>

Tobias Klauser

commit sha 226b6c28c0da95d9fb3b51dfffbe2b3ba5f01db1

endpoint: move GetCiliumVersionString from pkg/common

The GetCiliumVersionString function is only used in a single function within this package. Move it where it is used to reduce the package size of pkg/common which is imported all over the place.

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha bd1689282eba228898b29df0d441783009753210

endpoint: avoid excessive allocations during restore

The way endpoint state currently is restored from header files could potentially lead to a lot of memory allocations, partially due to the fact that the respective base64 encoded state is converted to a string after being read and then converted back to a byte slice in order to decode it. Since every conversion of a byte slice to a string allocates (due to the fact that strings are immutable in Go), this essentially doubles the memory that is used which could lead to memory allocation spikes during restore.

Avoid this by reading the base64 encoded endpoint state into a byte slice directly and thus reducing the size and number of allocations.

Before: EndpointSuite.BenchmarkReadEPsFromDirNames 5000 399980 ns/op 83665 B/op 743 allocs/op
After:  EndpointSuite.BenchmarkReadEPsFromDirNames 5000 369643 ns/op 73479 B/op 731 allocs/op

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

trevor tao

commit sha 9c08abd72caf09b17955392503fa5f686a3b1ebc

Fix some word errors in the annotations

Fix the wrong word used in the passive voice and add a preposition whose absence may otherwise be confusing. Use the plural instead of the singular when referring to multiple endpoint IPs.

Signed-off-by: trevor tao <trevor.tao@arm.com>

Vlad Ungureanu

commit sha 9bc07f4af16a3c6333e704b7662db494d3931acb

Move update-ec2-apdater-limit-via-api flag to be on the cilium-operator-aws binary Signed-off-by: Vlad Ungureanu <vladu@palantir.com>

sayboras

commit sha c2c4395404c941a8704a34230436e6af80f5cca9

chore(lint): To enable linter for test files

To enable the same linting rules for *_test files as well

Signed-off-by: Tam Mach <sayboras@yahoo.com>

Vlad Ungureanu

commit sha 54275be17ab694abc0dc39af6ddf3a87fb3b38c8

Register logging flags with operator main cmd Signed-off-by: Vlad Ungureanu <vladu@palantir.com>

trevor tao

commit sha cb7e63022070a0d845844bcac4bbd68aec97a6df

Fix spelling errors for endpoint pkg

Two spelling errors are fixed which may otherwise lead to confusion about the meaning of the whole sentence.

Signed-off-by: trevor tao <trevor.tao@arm.com>

Martynas Pumputis

commit sha d131945388a486d70c008623c21c4f6923b13ab2

docs: Do not specify pod-network-cidr in kubeproxy-free gsg

It's no longer required to specify podCIDR [1] when provisioning k8s with kubeadm for Cilium. Removing this allows us to simplify the guide by getting rid of passing the ipam mode to helm which was introduced by https://github.com/cilium/cilium/pull/12246/.

[1]: https://github.com/kubernetes/website/pull/21432#discussion_r433933721

Signed-off-by: Martynas Pumputis <m@lambda.lt>

Paul Chaignon

commit sha 6027556095b2b54bf8aacfbe945882c591d7832d

cocci: Fix false positive in null.cocci This commit fixes a false positive in null.cocci, when the NULL variable is assigned before being dereferenced. This change was tested with the following change, originally introduced in #12415, to trigger the false positive. diff --git a/bpf/bpf_sock.c b/bpf/bpf_sock.c index d2ad4ceea..ec3c3063a 100644 --- a/bpf/bpf_sock.c +++ b/bpf/bpf_sock.c @@ -265,7 +265,7 @@ static __always_inline int __sock4_xlate_fwd(struct bpf_sock_addr *ctx, svc = lb4_lookup_service(&key, true); if (!svc) { svc = sock4_nodeport_wildcard_lookup(&key, true, in_hostns); - if (svc && !lb4_svc_is_nodeport(svc)) + if (svc && !(svc->flags & SVC_CHECK_NODEPORT)) svc = NULL; } if (!svc) Fixes: 96d2d5a ("bpf: add cocci script to find wrong null checks") Reported-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Paul Chaignon <paul@cilium.io>
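
Review bot: the hunk embedded in this message is the reproducer, not the fix; the change to null.cocci itself is not visible here, so a reviewer cannot confirm from the message alone that the rule now tolerates `svc = NULL;` being assigned between the `if (svc && ...)` test and the later `if (!svc)` check. Naming the cocci pattern that was adjusted, or quoting the rule's new lines, would make the false-positive fix reviewable without opening the full diff.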

Thomas Graf

commit sha e3df99c8cd907732badc7b9502c4bb4a68e3d77e

doc: Update AUTHORS file Signed-off-by: Thomas Graf <thomas@cilium.io>

Tobias Klauser

commit sha 9db6dfb76fb3ef2bc0f130afe813c2761fb4fbdf

common: remove unused func FindEPConfigCHeader

This was already removed by commit d81a5cdea511 ("pkg/endpoint: Simplify search for C header file") when its last user disappeared, but it got re-added in 74e706da2d9e ("common: Move GoArray2C to common") which moved some code around the same time. Now remove it for good.

Fixes: 74e706da2d9e ("common: Move GoArray2C to common")

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Ilya Dmitrichenko

commit sha 67c42f2046fe76372041d4b210ed54f160215771

build: Fix shellcheck errors

  • specify the path to cni-version.sh
  • only lint executable shell scripts
  • remove unused variable

Fixes: e091612061d9 (build: New runtime image with multi-platform support)

Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

push time in 16 hours

pull request comment cilium/cilium

build: Fix shellcheck errors

@aanm thanks, I've updated the commit message.

errordeveloper

comment created time in 19 hours

push event cilium/cilium

Ilya Dmitrichenko

commit sha e80ec22983ca72568ddac0e95d70ed34329d6c37

build: Fix shellcheck errors

  • specify the path to cni-version.sh
  • only lint executable shell scripts
  • remove unused variable

Fixes: e091612061d9

Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

push time in 19 hours

issue comment weaveworks/eksctl

defork goformation

Hey @michaelbeaumont!

I have indeed copied most of the code from the fork into cfn/template, so Value is largely the same thing.

I think the set of types doesn't grow all that often. Since the usage is very specific, it seems to be right to make opinionated choices of what fields are always just strings vs Value, and some fields just don't get used at all.

One theoretical use-case to consider - arbitrary CloudFormation resource customisation/inclusion. Personally, I don't think this could ever work in eksctl, not without major generalisation of all the things, so I don't see that as a feasible use-case, albeit it seems plausible in theory, and perhaps to some users.

Did you have a look at the tests in pkg/cfn/template and the tests for its main consumer (pkg/cfn/builder/iam_test.go, if my memory serves me well)? I do recall those were quite nice and high-level, with gomega matchers etc.

errordeveloper

comment created time in 20 hours

issue comment weaveworks/eksctl

defork goformation

The alternative chosen back then by goformation is a really fragile way of doing things, where they embed intrinsics as base64 strings.

Hi @michaelbeaumont :) that is exactly what I made of it at the time.

Have you considered extending the pkg/cfn/template? I thought it was coming out quite nicely, given the usage pattern, it seemed like just the right fit.

errordeveloper

comment created time in 3 days

issue comment cilium/cilium

Move helm's old requirements.yaml into Chart.yaml

Unstale.

On Fri, 3 Jul 2020, 6:43 pm stale[bot], notifications@github.com wrote:

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

errordeveloper

comment created time in 3 days

issue comment cilium/cilium

CI: Test failure output doesn't point at the code

Unstale.

On Fri, 3 Jul 2020, 7:43 pm stale[bot], notifications@github.com wrote:

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

errordeveloper

comment created time in 3 days

pull request comment cilium/cilium

build: Experimental multi-platform images

🎉

errordeveloper

comment created time in 3 days

pull request comment cilium/cilium

build: Fix shellcheck errors

This is a follow-up to https://github.com/cilium/cilium/pull/12013, as I forgot to run linter on the latest iteration of the code.

errordeveloper

comment created time in 3 days

PR opened cilium/cilium

build: Fix shellcheck errors release-note/ci
  • specify the path to cni-version.sh
  • only lint executable shell scripts
  • remove unused variable

+4 -4

0 comment

3 changed files

pr created time in 3 days

create branch cilium/cilium

branch : pr/errordeveloper/fix-images-lint-error

created branch time in 3 days

created tag errordeveloper/kue

tag v0.1.0

A simple (experimental) tool for generating Kubernetes manifests from templates based on CUE

created time in 4 days

push event errordeveloper/kue

Ilya Dmitrichenko

commit sha cd80b6a9613f372d520b8994ec80c01c698528eb

Check instance for errors

push time in 4 days

push event cilium/cilium

Ilya Dmitrichenko

commit sha e091612061d96fe9c8851f570f157855367bef62

build: New runtime image with multi-platform support Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 6dcddc00b3d7668e4d26b8962819a7f60100f85c

build: New builder image supporting cross-compilation Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 62f98319f89b242e959fa2c6485d2616f2b1c400

build: Add new multi-platform cilium image

This image omits Hubble CLI and Envoy for now, as neither have arm64 builds at the moment.

Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 39dbec7053095d0483e5abb50e5da159ca45185a

build: Add new multi-platform operator image

This initial version includes all operator flavours, since parametrisation needs some more work to be fully integrated, and it's better to avoid duplication of Dockerfiles.

Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 0531baf1a158405edbc05785fcc29741cf00f3e2

build: Add new multi-platform hubble-relay image Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 18e15d2841729343ca4175775096fd473e047e6e

build: Add Makefile and GitHub Actions workflow for new images Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha e7fb948e7ef71fec786ebf653cae9f119f385612

build: Add helper scripts to update runtime and builder images Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 99732bca277719a5f21a792d01ec11f5f4a53f19

CODEOWNERS: Add GitHub Actions workflows and new images dir to @cilium/build group Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 0da8c646d976a9fbea90aaa523bdc4126bab99d3

build: Add documentation for next-gen images Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

push time in 4 days

Pull request review comment cilium/cilium

build: Experimental multi-platform images

+name: Images+on:+  push:+    branches:+      - master+      - v[0-9]+.[0-9]++    tags:+      - v[0-9]+.[0-9]+.[0-9]++      - v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+++jobs:+  build-and-push:+    if: github.repository == 'cilium/cilium'+    name: Build and push all images+    runs-on: ubuntu-18.04+    steps:+      - uses: actions/checkout@v1+      - uses: docker://docker.io/cilium/image-maker:bc81755ec8f6c5afcb10a416cef73f99a35fee2c+        name: Register binfmt from multi-platform builds+        with:+          entrypoint: docker+          args: run --privileged linuxkit/binfmt:5d33e7346e79f9c13a73c6952669e47a53b063d4 +      - uses: docker://docker.io/cilium/image-maker:bc81755ec8f6c5afcb10a416cef73f99a35fee2c+        name: Run make lint+        with:+          entrypoint: make+          args: -C images lint+      - uses: docker://docker.io/cilium/image-maker:bc81755ec8f6c5afcb10a416cef73f99a35fee2c+        name: Run make runtime-image+        env:+          DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}+          DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}+        with:+          entrypoint: make+          args: -C images runtime-image PUSH=true+      - uses: docker://docker.io/cilium/image-maker:bc81755ec8f6c5afcb10a416cef73f99a35fee2c+        name: Run make builder-image+        env:+          DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}+          DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}+        with:+          entrypoint: make+          args: -C images builder-image PUSH=true
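
Review bot: the cilium/image-maker and linuxkit/binfmt images are pinned to commit-hash tags but not to digests, and actions/checkout@v1 floats on a mutable major tag; since this job holds DOCKER_HUB_PASSWORD and pushes release images on every push to master, release branches and version tags, each `uses:` reference should be pinned by `@sha256:` digest (as the builder Dockerfile in this PR already does for COMPILERS_IMAGE, TESTER_IMAGE and GOLANG_IMAGE) or by the action's commit SHA, so that a re-pushed tag cannot change what runs with the publish credentials.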

Sure, it's not explicit anywhere right now. There is a mention in the readme, however.

errordeveloper

comment created time in 4 days

push event cilium/cilium

Ilya Dmitrichenko

commit sha d0bf1e5b9daeebbb03970e53d80b38c301b72469

build: Add Makefile and GitHub Actions workflow for new images Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 371f24d25ebcefd6dd9fccd9aee408f34e999b04

build: Add helper scripts to update runtime and builder images Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 8b3bef4e4435a2aff136ff005b9733cac26ff6ee

CODEOWNERS: Add GitHub Actions workflows and new images dir to @cilium/build group Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 31168ca622f5e1c71e05ceda779e31f6424087cd

build: Add documentation for next-gen images Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

push time in 4 days

Pull request review comment cilium/cilium

build: Experimental multi-platform images

+name: Images+on:+  push:+    branches:+      - master+      - v[0-9]+.[0-9]++    tags:+      - v[0-9]+.[0-9]+.[0-9]++      - v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+++jobs:+  build-and-push:+    if: github.repository == 'cilium/cilium'+    name: Build and push all images+    runs-on: ubuntu-18.04+    steps:+      - uses: actions/checkout@v1+      - uses: docker://docker.io/cilium/image-maker:bc81755ec8f6c5afcb10a416cef73f99a35fee2c+        name: Register binfmt from multi-platform builds+        with:+          entrypoint: docker+          args: run --privileged linuxkit/binfmt:5d33e7346e79f9c13a73c6952669e47a53b063d4 +      - uses: docker://docker.io/cilium/image-maker:bc81755ec8f6c5afcb10a416cef73f99a35fee2c+        name: Run make lint+        with:+          entrypoint: make+          args: -C images lint+      - uses: docker://docker.io/cilium/image-maker:bc81755ec8f6c5afcb10a416cef73f99a35fee2c+        name: Run make runtime-image+        env:+          DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}+          DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}+        with:+          entrypoint: make+          args: -C images runtime-image PUSH=true+      - uses: docker://docker.io/cilium/image-maker:bc81755ec8f6c5afcb10a416cef73f99a35fee2c+        name: Run make builder-image+        env:+          DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}+          DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}+        with:+          entrypoint: make+          args: -C images builder-image PUSH=true+      - uses: docker://docker.io/cilium/image-maker:bc81755ec8f6c5afcb10a416cef73f99a35fee2c+        name: Run make cilium-image+        env:+          DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}+          DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}+        with:+          entrypoint: make+          args: -C images cilium-image PUSH=true+      - uses: 
docker://docker.io/cilium/image-maker:bc81755ec8f6c5afcb10a416cef73f99a35fee2c+        name: Run make operator-image
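
Review bot: the DOCKER_HUB_USERNAME/DOCKER_HUB_PASSWORD `env:` block is repeated verbatim on every push step (runtime-image, builder-image, cilium-image, operator-image); hoisting it to a job-level `env:` keeps the workflow shorter and makes it harder to forget on the next image step. The `make -C images lint` step also only runs on push here, so a lint failure surfaces after merge rather than on the PR; adding a pull_request trigger for the lint job would catch it earlier.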

We are building all the binaries, but those end-up inside of the one image. As I said, just a thing for now and I'll open follow-up issues.

errordeveloper

comment created time in 4 days

Pull request review comment cilium/cilium

build: Experimental multi-platform images

+#!/bin/bash++# Copyright 2017-2020 Authors of Cilium+# SPDX-License-Identifier: Apache-2.0++set -o xtrace+set -o errexit+set -o pipefail+set -o nounset++packages=(+  libelf1+  libmnl0+  bash-completion+  iptables+  kmod+  ca-certificates+)++apt-get update++ln -fs /usr/share/zoneinfo/UTC /etc/localtime
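
Review bot: the `ln -fs /usr/share/zoneinfo/UTC /etc/localtime` line needs an inline comment saying why the runtime image forces UTC; as written a reader has to guess, and the reply below confirms it puzzled the author too. Note also that `set -o xtrace` echoes every command into the build log, which is harmless here because the script handles no secrets, but worth remembering if credentials are ever passed to these scripts.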

I've added a comment above, it actually got me puzzled when I first noticed it in a Dockerfile that Daniel wrote.

errordeveloper

comment created time in 4 days

Pull request review comment cilium/cilium

build: Experimental multi-platform images

+#!/bin/bash++# Copyright 2017-2020 Authors of Cilium+# SPDX-License-Identifier: Apache-2.0++set -o xtrace+set -o errexit+set -o pipefail+set -o nounset++source /tmp/cni-version.sh++for arch in amd64 arm64 ; do+  curl --fail --show-error --silent --location "https://github.com/containernetworking/plugins/releases/download/v${cni_version}/cni-plugins-linux-${arch}-v${cni_version}.tgz" --output "/tmp/cni-${arch}.tgz"
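
Review bot: the curl download of the CNI plugin tarball has no integrity check in this hunk; the archive written to `/tmp/cni-${arch}.tgz` should be verified against a SHA-256 pinned in the repository before anything is extracted from it, and the script should fail the build on mismatch. The reply on the earlier revision of this script says such a checksum file was added, so the `sha256sum --check` (or equivalent) step should appear right after the curl in the loop.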

Perhaps, but I'd rather leave that for another PR, and ideally we should update all calls to curl in cilium/image-tools too.

errordeveloper

comment created time in 4 days

push event cilium/cilium

Ilya Dmitrichenko

commit sha d2d9620910d4be2e298411b6dee784ca0ee2c09b

build: Add documentation for next-gen images Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

push time in 4 days

Pull request review comment cilium/cilium

build: Experimental multi-platform images

+# Experimental Nex-gen Cilium Images
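
Review bot: "Nex-gen" in the heading should read "Next-gen".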

Thank you!

errordeveloper

comment created time in 4 days

Pull request review comment cilium/cilium

build: Experimental multi-platform images

+# syntax=docker/dockerfile:1.1-experimental++# Copyright 2020 Authors of Cilium+# SPDX-License-Identifier: Apache-2.0++ARG CILIUM_BUILDER_IMAGE=docker.io/cilium/cilium-builder-dev:a116c9e46733fce354b871dd6e88e037d9459286+ARG CILIUM_RUNTIME_IMAGE=docker.io/cilium/cilium-runtime-dev:bf5a13ab0dd341b446ec1f40a809d365024eeb09++FROM --platform=linux/amd64 ${CILIUM_BUILDER_IMAGE} as builder
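
Review bot: CILIUM_BUILDER_IMAGE and CILIUM_RUNTIME_IMAGE are pinned by commit tag only; the builder Dockerfile in this PR pins COMPILERS_IMAGE, TESTER_IMAGE and GOLANG_IMAGE with an `@sha256:` digest, and the same should be done here so the image that ships cilium is built from exactly the reviewed base layers. The `--platform=linux/amd64` on the builder stage also deserves a one-line comment in the Dockerfile (the reply below says the pattern is explained in the README), since it is what keeps the build stage native and cross-compiling rather than running under emulation.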

I've documented a simplified version of this pattern in the README, since it applies to other Dockerfiles also.

errordeveloper

comment created time in 4 days

Pull request review comment cilium/cilium

build: Experimental multi-platform images

+# Copyright 2020 Authors of Cilium+# SPDX-License-Identifier: Apache-2.0++ARG COMPILERS_IMAGE=docker.io/cilium/image-compilers:57f235db9a07e81c5b60c536498ecbf2501dd267@sha256:080245ac0d7d061e05613e6bf887dc3c8bb07392cd2ce265b8a4aaaad17f2125+ARG TESTER_IMAGE=docker.io/cilium/image-tester:70724309b859786e0a347605e407c5261f316eb0@sha256:89cc1f577d995021387871d3dbeb771b75ab4d70073d9bcbc42e532792719781+ARG GOLANG_IMAGE=docker.io/library/golang:1.14.4@sha256:d39a459086c75920390c9b9d42bbc7c52fef1fe7666e7633a02508c607c889d4++FROM ${GOLANG_IMAGE} as golang-dist++FROM ${COMPILERS_IMAGE} as rootfs+LABEL maintainer="maintainer@cilium.io"++COPY --from=golang-dist /usr/local/go /usr/local/go+RUN mkdir -p /go+ENV GOROOT /usr/local/go+ENV GOPATH /go+ENV PATH "${GOROOT}/bin:${GOPATH}/bin:${PATH}"++COPY build-go-deps.sh /tmp/build-go-deps.sh+RUN /tmp/build-go-deps.sh++COPY install-protoc.sh /tmp/install-protoc.sh+RUN /tmp/install-protoc.sh++FROM ${TESTER_IMAGE} as test+COPY --from=rootfs / /+COPY test /test+RUN /test/bin/cst
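
Review bot: `ENV GOROOT /usr/local/go` and `ENV GOPATH /go` use the legacy whitespace form; `ENV GOROOT=/usr/local/go` is the form Docker documents as preferred and it avoids ambiguity when a value contains spaces. Also, `COPY --from=rootfs / /` into the `test` stage copies the entire root filesystem; that is fine for a throwaway test stage, but a comment saying that `test` is never published would stop a reader from mistaking it for a shippable image.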

This is meant to be documented in images/README.md.

errordeveloper

comment created time in 4 days

push event cilium/cilium

Ilya Dmitrichenko

commit sha 1288388130a37625487477e4a95f42b031e5b169

build: Add documentation for next-gen images Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

push time in 4 days

push event cilium/cilium

Ilya Dmitrichenko

commit sha 85d6aa2ba2cde11bf7f10efbe406465a5958c121

build: Add documentation for next-gen images Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

push time in 4 days

Pull request review comment cilium/cilium

build: Experimental multi-platform images

+#!/bin/bash++# Copyright 2017-2020 Authors of Cilium+# SPDX-License-Identifier: Apache-2.0++set -o xtrace+set -o errexit+set -o pipefail+set -o nounset++cni_version="0.7.5"++for arch in amd64 arm64 ; do+  curl --fail --show-error --silent --location "https://github.com/containernetworking/plugins/releases/download/v${cni_version}/cni-plugins-${arch}-v${cni_version}.tgz" --output "/tmp/cni-${arch}.tgz"
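
Review bot: the tarball name in this revision is `cni-plugins-${arch}-v${cni_version}.tgz`, whereas the later revision of the same script on this page fetches `cni-plugins-linux-${arch}-v${cni_version}.tgz`; whichever naming the chosen `cni_version` uses, the archive should be checked against a SHA-256 pinned in the repository before it is unpacked, rather than trusting whatever the release URL serves. The reply below says that is what was done.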

Thanks, I've added these, but instead of downloading the checksum at runtime I add a file where checksums are declared, since the checksum file itself can be compromised.

errordeveloper

comment created time in 4 days
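
The approach in the reply above (verify the download against a checksum committed to the repository, not one fetched at build time), written out as an added example; this is not code from cilium/cilium or cilium/image-tools. The function names, the two-column checksum file layout and the placeholder digests are this example's own assumptions; the release URL pattern is the one from the script under review. The fetch itself needs network access, so it appears as a commented usage line, while the verification helpers run offline on constructed input.

```shell
#!/bin/bash
# Added example (not cilium's own code): fetch a release tarball and refuse
# to use it unless its SHA-256 matches a digest committed to the repository.
# Function names, the checksum file layout and the sample digests are
# assumptions of this example.
set -eu

# sha256_of FILE -> hex digest. Uses coreutils sha256sum where present and
# falls back to shasum (macOS); both print "<hex>  <name>".
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 on match, 1 on mismatch or when no
# digest was supplied. The comparison lower-cases both sides so a
# hand-typed uppercase digest still matches; an empty expected value is a
# hard failure so a missing checksum entry can never "match".
verify_sha256() {
  actual="$(sha256_of "$1" | tr 'A-F' 'a-f')"
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# lookup_checksum CHECKSUMS_FILE NAME -> the digest recorded for NAME, or
# nothing. The file uses the "<hex>  <filename>" layout that sha256sum
# itself emits, so maintainers regenerate it with `sha256sum *.tgz` after
# verifying the artifacts out of band, and review the diff like any code.
lookup_checksum() {
  awk -v name="$2" '$2 == name { print $1; exit }' "$1"
}

# fetch_verified URL DEST EXPECTED_HEX -> download, verify, and delete the
# file on mismatch so a later step cannot extract a tampered archive.
fetch_verified() {
  url="$1"; dest="$2"; expected="$3"
  curl --fail --show-error --silent --location "$url" --output "$dest"
  if ! verify_sha256 "$dest" "$expected"; then
    echo "checksum mismatch for $url" >&2
    rm -f "$dest"
    return 1
  fi
}

# Usage inside an image build script (needs network; cni-checksums.txt is
# the assumed name of the file committed next to the script):
#   for arch in amd64 arm64; do
#     name="cni-plugins-linux-${arch}-v${cni_version}.tgz"
#     fetch_verified \
#       "https://github.com/containernetworking/plugins/releases/download/v${cni_version}/${name}" \
#       "/tmp/cni-${arch}.tgz" \
#       "$(lookup_checksum /tmp/cni-checksums.txt "$name")"
#   done
```

Because `lookup_checksum` returns nothing for an unknown file and `verify_sha256` treats an empty digest as a failure, adding a new architecture to the loop without adding its digest to the checksum file fails the build instead of silently skipping verification.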

push event cilium/cilium

Ilya Dmitrichenko

commit sha 6fae9a240712f31218a40811c278476f63ba09fc

build: New runtime image with multi-platform support Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 518e8a61804ffddd29874b732ff8b0f7c5ddb9aa

build: New builder image supporting cross-compilation Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 4d3ebe8e7076e04be598c1582437b33abc53fb21

build: Add new multi-platform cilium image

This image omits Hubble CLI and Envoy for now, as neither have arm64 builds at the moment.

Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 7b447b3e5a9d39b086b9a00bafa267392293e084

build: Add new multi-platform operator image

This initial version includes all operator flavours, since parametrisation needs some more work to be fully integrated, and it's better to avoid duplication of Dockerfiles.

Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 99c555fe094753f35f6f730b6c047cef90ffd5ce

build: Add new multi-platform hubble-relay image Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 5a6668ea008df3033c37d5606e4b7462c33848ad

build: Add Makefile and GitHub Actions workflow for new images Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 30da784f1efa27aba96503e5c1429d60fd06e31e

build: Add helper scripts to update runtime and builder images Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha fc60649254b213916ef5ac6f2436cd26d26ce2d7

CODEOWNERS: Add GitHub Actions workflows and new images dir to @cilium/build group Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 8402c9ff2f70aa8088e2890bcb42ccf26aec558e

build: Add documentation for next-gen images Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

push time in 4 days

push event cilium/cilium

Tam Mach

commit sha e75d4a6e5fdc17d446f7e75170f2594f2157b093

chore(lint): To add golangci-lint gh action to perform lint check

As discussed in slack, we can start with a few basic linters: staticcheck, govet, gofmt and ineffassign. This is a starting point, we can improvise as we are going.

+ Rename ineffassign Makefile target by lint
+ Remove ineffassign as it's embedded by golangci-lint binary
+ Remove un-used badkeys slice in cilium/cmd/preflight_identity_crd_migrate.go
+ Install golangci-lint in travis script
+ Revert the changes in #11987

Fixes #11527

Signed-off-by: Tam Mach <sayboras@yahoo.com>

Daniel Borkmann

commit sha 425fbd7d373613a2dd436a0347da09ce6186da86

test: add additional externalTrafficPolicy=Local tests from 3rd node

We already have the test where the request fails, so add one for the case where it must succeed from outside.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

Maciej Kwiek

commit sha e6123cbbe1d3bda426864ee9ae67db8ead72b730

ci: release gke nodepool

Nodepools were having trouble being recreated after only cluster objects were deleted. Deleting nodepools from cluster causes nodepools to be recreated properly.

Signed-off-by: Maciej Kwiek <maciej@isovalent.com>

Tobias Klauser

commit sha 542f0c297ca0c4306bccdc328faa1fc9b04f2bb9

endpoint: atomically replace header files

Write contents of the header file to a temporary file first. It will then be atomically renamed to the real file. This makes sure we never end up with corrupted or inconsistent header files on the filesystem. Also make sure the symlink to the old header file in the downgrade case is created atomically. The github.com/google/renameio package is used for the atomic replace and symlink creation.

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Sebastian Wicki

commit sha 5382f2ad48a057733904fdaae3e43b9e9ddb4b5e

hubble: Trim FQDN trailing dots in GetNames

Hubble v0.5 used to display FQDN names without a trailing dot for absolute paths, i.e. `cilium.io` instead of `cilium.io.`. We accidentally changed this in Hubble v0.6 when we started accessing the Cilium DNS cache directly. This in turn broke filtering on FQDNs (--{from-,to-,}fqdn), as the filtering logic does not assume trailing dots, same as Hubble UI, the CLI and metrics. This commit restores the old behavior of stripping trailing dots from the source and destination name.

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

Sebastian Wicki

commit sha 00fc18f8fbe160400a51b4420a38a185b1ecba35

ci/hubble: Add test for filtering on FQDNs This performs an additional `hubble observe` invocation when testing DNS-based policies. We expect Hubble to annotate the `destination_names` field of the test flows with the observed DNS name exactly as stated in the test. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

Joe Stringer

commit sha 1bacd4cf96406a894ac534e97351e6458f4ce15d

Update stable releases Signed-off-by: Joe Stringer <joe@cilium.io>

Daniel Borkmann

commit sha 2bc9f0c0394ec7d0c2a66eb8b0b767b1eb7ee075

docs: fix rst table formatting for stable releases

`1.6.10` has an extra char compared to `1.6.9` and thus destroyed the rst formatted table. Fix it so the README displays it again.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

Vlad Ungureanu

commit sha a8eb67de76398cebb7bde7b801435596929e18ca

Bump aws/aws-sdk-go-v2 to 0.23.0 Signed-off-by: Vlad Ungureanu <vladu@palantir.com>

Ilya Dmitrichenko

commit sha 35ea3ac019a94c260c4cecdaed5cca2dd0dede10

build: Import key scripts from cilium/image-tools@05025951392aaff17a5828b8052c2535f079667f

This is a temporary measure, these scripts should be consumed either as a submodule, or a portable tool (see cilium/image-tools#10).

Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 3e6765ce597b4fb2a5eac96f77b5e2a92981ba58

build: Disable hadolint, adjust subdirs

hadolint doesn't yet support experimental `RUN --mount` syntax.

Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha b4b5b4f6f6852a93b2c0cf24b4a035a1cd10937b

build: New runtime image with multi-platform support Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 2178aabb84d9b3a818dcb5e7877d53a543cae2d4

build: New builder image supporting cross-compilation Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 797ae98f316682428ac1b55776c7f735e0f872ea

build: Add new multi-platform cilium image This image ommits Hubble CLI and Envoy for now, as neither have arm64 builds at the moment. Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 1d2f2b3ca9e9bf3fe21e5e7226cb010829d56e9a

build: Add new multi-platform operator image This initial version includes all operator flavours, since parametrisation needs some more work to be fully integrated, and it's better to avoid duplication of Dockerfiles. Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 9084d5713fd30f71499b1f1bfc5004acfc938e03

build: Add new multi-platform hubble-relay image Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 5565b7f784771daf0fa737a17be5cd7d7d42770a

build: Add Makefile and GitHub Actions workflow for new images Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha bf798fd4e447f10e2d271d6b780f8f59773301c0

build: Add helper scripts to update runtime and builder images Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha b2d3757258f9129fce2b2904bd8473ab830cfc43

CODEOWNERS: Add GitHub Actions workflows and new images dir to @cilium/build group Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Ilya Dmitrichenko

commit sha 76e902ddcdc6d9e33456007484c3d12b47018bdf

build: Add documentation for next-gen images Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

push time in 4 days

Pull request review comment cilium/cilium

build: Experimental multi-platform images

 lint: runtime-image: .buildx_builder 	TEST=true scripts/build-image.sh cilium-runtime-dev images/runtime linux/amd64,linux/arm64 $(OUTPUT) "$$(cat .buildx_builder)" $(REGISTRIES) +update-runtime-image:
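
Review bot: the new `update-runtime-image:` target at the end of the hunk has no comment in the Makefile saying what it updates or how it differs from `runtime-image`, and the `lint` recipe's `TEST=true scripts/build-image.sh ...` call does not say what `TEST=true` changes; since the thread points to images/README.md as the place this is documented, a one-line comment above each target naming that file would keep the Makefile and the docs from drifting apart.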

This is meant to be documented in images/README.md, have you had a look at it yet?

errordeveloper

comment created time in 4 days

Pull request review comment cilium/cilium

build: Experimental multi-platform images

+name: Images+on:+  push:+    branches:+      - master+      - v[0-9]+.[0-9]++    tags:+      - v[0-9]+.[0-9]+.[0-9]++      - v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+++jobs:+  build-and-push:+    if: github.repository == 'cilium/cilium'+    name: Build and push all images+    runs-on: ubuntu-18.04+    steps:+      - uses: actions/checkout@v1+      - uses: docker://docker.io/cilium/image-maker:bc81755ec8f6c5afcb10a416cef73f99a35fee2c+        name: Register binfmt from multi-platform builds+        with:+          entrypoint: docker+          args: run --privileged linuxkit/binfmt:5d33e7346e79f9c13a73c6952669e47a53b063d4 +      - uses: docker://docker.io/cilium/image-maker:bc81755ec8f6c5afcb10a416cef73f99a35fee2c+        name: Run make lint+        with:+          entrypoint: make+          args: -C images lint+      - uses: docker://docker.io/cilium/image-maker:bc81755ec8f6c5afcb10a416cef73f99a35fee2c+        name: Run make runtime-image+        env:+          DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}+          DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}+        with:+          entrypoint: make+          args: -C images runtime-image PUSH=true+      - uses: docker://docker.io/cilium/image-maker:bc81755ec8f6c5afcb10a416cef73f99a35fee2c+        name: Run make builder-image+        env:+          DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}+          DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}+        with:+          entrypoint: make+          args: -C images builder-image PUSH=true+      - uses: docker://docker.io/cilium/image-maker:bc81755ec8f6c5afcb10a416cef73f99a35fee2c+        name: Run make cilium-image+        env:+          DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}+          DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}+        with:+          entrypoint: make+          args: -C images cilium-image PUSH=true+      - uses: 
docker://docker.io/cilium/image-maker:bc81755ec8f6c5afcb10a416cef73f99a35fee2c+        name: Run make operator-image
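
Review bot: `actions/checkout@v1` is referenced by a mutable major tag while every `cilium/image-maker` step and the `linuxkit/binfmt` image are pinned to a specific revision; pin checkout to a full commit SHA as well so the whole workflow has one level of supply-chain pinning. The `if: github.repository == 'cilium/cilium'` guard and the per-step `env` scoping of `DOCKER_HUB_USERNAME`/`DOCKER_HUB_PASSWORD` (present only on the `PUSH=true` steps, not on `make lint`) are the right shape; keep that scoping when the operator-image step and the remaining images are added.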

It's only one here at the moment. I'd like to have a better story for handling image variants, so keeping it simple for the time being.

errordeveloper

comment created time in 4 days

Pull request review comment cilium/cilium

build: Experimental multi-platform images

+name: Images+on:+  push:+    branches:+      - master+      - v[0-9]+.[0-9]++    tags:+      - v[0-9]+.[0-9]+.[0-9]++      - v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+++jobs:+  build-and-push:+    if: github.repository == 'cilium/cilium'+    name: Build and push all images+    runs-on: ubuntu-18.04+    steps:+      - uses: actions/checkout@v1+      - uses: docker://docker.io/cilium/image-maker:bc81755ec8f6c5afcb10a416cef73f99a35fee2c+        name: Register binfmt from multi-platform builds+        with:+          entrypoint: docker+          args: run --privileged linuxkit/binfmt:5d33e7346e79f9c13a73c6952669e47a53b063d4 +      - uses: docker://docker.io/cilium/image-maker:bc81755ec8f6c5afcb10a416cef73f99a35fee2c+        name: Run make lint+        with:+          entrypoint: make+          args: -C images lint+      - uses: docker://docker.io/cilium/image-maker:bc81755ec8f6c5afcb10a416cef73f99a35fee2c+        name: Run make runtime-image+        env:+          DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}+          DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}+        with:+          entrypoint: make+          args: -C images runtime-image PUSH=true+      - uses: docker://docker.io/cilium/image-maker:bc81755ec8f6c5afcb10a416cef73f99a35fee2c+        name: Run make builder-image+        env:+          DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}+          DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}+        with:+          entrypoint: make+          args: -C images builder-image PUSH=true
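
Review bot: the `runtime-image` and `builder-image` steps run with `PUSH=true` on every push to the listed branches and tags, and nothing in the workflow itself says why that is not a full rebuild each time; the tree-hash tagging that skips unchanged images lives in scripts/build-image.sh, so a short comment on those two steps stating that the step is a no-op when the tag already exists would save the next reader the same question.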

Actually, these won't be rebuilt unless there were changes. runtime and builder are scoped to their subdirs, and we use git tree hashes as tags. The logic is implemented in image/scripts/build-image.sh. So with runtime and builder the tag changes only when there are actual changes in the directory.

errordeveloper

comment created time in 4 days

Pull request review comment cilium/cilium

build: Experimental multi-platform images

 MAKER_IMAGE="${MAKER_IMAGE:-docker.io/cilium/image-maker:bc81755ec8f6c5afcb10a41 root_dir="$(git rev-parse --show-toplevel)"  if [ -z "${MAKER_CONTAINER+x}" ] ; then-   exec docker run --rm --volume "${root_dir}:/src" --workdir /src "${MAKER_IMAGE}" "/src/scripts/$(basename "${0}")"+   exec docker run --rm --volume "${root_dir}:/src" --workdir /src/images "${MAKER_IMAGE}" "/src/images/scripts/$(basename "${0}")"
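
Review bot: the `--workdir /src/images` and `/src/images/scripts/$(basename "${0}")` change is a local divergence from the copy of this script imported verbatim from cilium/image-tools in the previous commit; without a header comment recording that divergence, a later re-import of the upstream script will silently revert it.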

The thing is that previous commit copies a specific revision of this script from cilium/image-tools, and this one commit represents a local tweak.

errordeveloper

comment created time in 4 days

issue comment docker/buildx

allow loading current builder config from a file

That's what I am doing at the moment, but it is kind of a hack.

On Thu, 2 Jul 2020, 8:22 pm Tõnis Tiigi, notifications@github.com wrote:

Somewhat related: initially, I also thought about loading builders from current working directory. So you could have it connected to the project and not (only) your home directory. Maybe even make --use work only within the project directory in that case.

errordeveloper

comment created time in 4 days

issue comment docker/buildx

bake with multiple outputs

@tonistiigi thanks!

errordeveloper

comment created time in 4 days

push event errordeveloper/imagine

Ilya Dmitrichenko

commit sha c8561e59e72e654adae745d9193331e23f2600b3

Add `--push` and `--export` flags

push time in 5 days

issue opened docker/buildx

bake with multiple outputs

The manifest currently has Outputs as a slice:

https://github.com/docker/buildx/blob/f3111bcbef8ce7e3933711358419fa18294b3daf/bake/bake.go#L350

However, trying to set multiple outputs results in an error:

multiple outputs currently unsupported

The message suggests that this may be implemented in the future, but I couldn't find an existing issue so opening one.

My use-case would be to use something like this:

      "output": [
        "type=image,push=true",
        "type=docker,dest=image.oci"
      ]

I'd like to push to a registry and store a tarball as CI artefact as well.

created time in 5 days

push event errordeveloper/imagine

Ilya Dmitrichenko

commit sha 6d89cef1ba85f47983f934733ee86b4d5bf4680c

Add build command

push time in 5 days

push event errordeveloper/imagine

Ilya Dmitrichenko

commit sha 9f018beb1ad812574f79d69a09b5221cce5ed641

Add build command

push time in 5 days

push event errordeveloper/imagine

Ilya Dmitrichenko

commit sha 9525d17a445b767a91542a4d353d20995ac729a1

Fix a bug in how manifest file is written out

Ilya Dmitrichenko

commit sha 3e7622a51f5a1c5f8f10b72eeb08580f6bca9b71

Add build command

push time in 5 days

push event errordeveloper/imagine

Ilya Dmitrichenko

commit sha a5d6c708831ec71b6a7c954ddd24c269d0104750

Add `BakeManifest` methods, minor refactoring

Ilya Dmitrichenko

commit sha 9c6f5755a3716920f7e30a69a7f5cb23926a4549

Add registry and rebuilder packages

Ilya Dmitrichenko

commit sha f3f5c3b0f91ff4a58162678c0472178b20ede4d5

Fix test

Ilya Dmitrichenko

commit sha 9d73076b6f2342b5d813e9cafff6e860357d09ed

Add rebuilder test

push time in 5 days

Pull request review comment cilium/cilium

build: Experimental multi-platform images

+# syntax=docker/dockerfile:1.1-experimental++# Copyright 2020 Authors of Cilium+# SPDX-License-Identifier: Apache-2.0++ARG CILIUM_BUILDER_IMAGE=docker.io/cilium/cilium-builder-dev:5c1d8916b5ad0fbb86aabcc6239e163b6c645a71+ARG CILIUM_RUNTIME_IMAGE=docker.io/cilium/cilium-runtime-dev:bf5a13ab0dd341b446ec1f40a809d365024eeb09++FROM --platform=linux/amd64 ${CILIUM_BUILDER_IMAGE} as builder++ARG NOSTRIP+ARG LOCKDEBUG++RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/cilium --mount=target=/root/.cache,type=cache --mount=target=/go/pkg/mod,type=cache \+  make clean-container build-container install-container \+    NOSTRIP=$NOSTRIP LOCKDEBUG=$LOCKDEBUG PKG_BUILD=1 SKIP_DOCS=true DESTDIR=/out/linux/amd64++RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/cilium --mount=target=/root/.cache,type=cache --mount=target=/go/pkg/mod,type=cache \+  env GOARCH=arm64 CC=aarch64-linux-gnu-gcc \+    make clean-container build-container install-container \
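
Review bot: `CILIUM_BUILDER_IMAGE` and `CILIUM_RUNTIME_IMAGE` are pinned by tag only; appending an `@sha256:` digest to each default would make the build reproducible even if a tag is re-pushed. The second `RUN` (the `GOARCH=arm64 CC=aarch64-linux-gnu-gcc` cross-build) is cut off in this view; confirm it installs into a `DESTDIR` other than `/out/linux/amd64` so the two architectures do not overwrite each other in the builder stage.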

#12326 was merged, and I've rebased this PR just now

errordeveloper

comment created time in 5 days

push event cilium/cilium

Jianlin Lv

commit sha 9447854a577e102e086d3f815dc1ab70dc727c6c

.travis: Fix probes_test failure on Arm64 There is no available kernel config in the LXD container for arm64 Signed-off-by: Jianlin Lv <Jianlin.Lv@arm.com>

Tobias Klauser

commit sha 589b56f45964d99d93854d1b078299cdb1b657de

bpf: remove dead stores in tail_nodeport_nat_ipv{4,6} The assignment ret = CTX_ACT_OK is either overwritten or unused in all successive code paths and thus a dead store. Found using the clang static analyzer. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Deepesh Pathak

commit sha 7856a775f5f731098b5b828adfb6da32913a51eb

fix(9966): fix creation of multiple KVStore watchers for CNPs and CCNPs

* Fixes #9966
* Implement Observer for CNPStatusEventHandler to remove the need for an extra KVstore watcher.

Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>

Joe Stringer

commit sha fa8857fbd09f4c2045bf96fc700927a82c3d1100

endpoint: Inherit context during identity allocation Inherit the identity allocation context from the parent function when calling into identityLabelsChanged(). This function isn't a background thread, and it receives a context so it should respect the passed context. Signed-off-by: Joe Stringer <joe@cilium.io>

Joe Stringer

commit sha 8bb5382fd916c534bca22469413edf817d0178d3

endpoint: Use kvstore timeout for undo When there's some kind of late error / failure and a newly allocated identity must be released, allow the kvstore connectivity timeout to be customised via the standard kvstore connectivity timeout. This path may still be called from endpoint create, so it's not appropriate to block for up to two minutes to attempt to roll back the identity allocation here. Signed-off-by: Joe Stringer <joe@cilium.io>

Jarno Rajahalme

commit sha b796665e077a6fc2ad9a2fe53bb36f79a0057240

envoy: Update to 1.13.3

This fixes the following CVEs for the Envoy version 1.13.x:

- CVE-2020-12603 (CVSS score 7.0, High): Envoy through 1.14.2 may consume excessive amounts of memory when proxying HTTP/2 requests or responses with many small (e.g., 1 byte) data frames.
- CVE-2020-12605 (CVSS score 7.0, High): Envoy through 1.14.2 may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs.
- CVE-2020-8663 (CVSS score 7.0, High): Envoy version 1.14.2 or earlier may exhaust file descriptors and/or memory when accepting too many connections.
- CVE-2020-12604 (CVSS score 5.3, Medium): Envoy through 1.14.2 is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream. The attacker can cause data associated with many streams to be buffered forever.

Signed-off-by: Jarno Rajahalme <jarno@covalent.io>

Jarno Rajahalme

commit sha 31f8ba02339f7cfb0a3018354a59f9f129b7e6f3

istio: Update to 1.5.7 Signed-off-by: Jarno Rajahalme <jarno@covalent.io>

Tobias Klauser

commit sha cfff1985d45ae5d3c7e801fa0aacdf40556c181e

datapath/linux/probes: make ErrKernelConfigNotFound a sentinel error value This is idiomatic in Go and allows to use errors.Is on error values returned by (*ProbeManager).SystemConfigProbes instead of a type assertion. Also use fmt.Errorf instead of the external github.com/pkg/errors to wrap error values in (*ProbeManager).SystemConfigProbes Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Ilya Dmitrichenko

commit sha db39f5da949e1d6e9fdc31ff461aaca1cae994a3

test: Remove old `startup-script` image dir This is now part of image-tools repository: https://github.com/cilium/image-tools/tree/master/images/startup-script Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Maciej Kwiek

commit sha 269c985099c8d9b2147b746f200d757d15334467

ci: Check for gke nodepool before locking cluster If the cluster has just been recreated, it can have no nodepool yet. Don't choose such clusters because scaling it will fail. Signed-off-by: Maciej Kwiek <maciej@isovalent.com>

Chris Tarazi

commit sha ecac73d4028ab32329b857a2da049dc4a457a11b

contrib: Add ability to pass suffix for branch This is useful in cases where a backport PR is started on the same day that another backport PR was created, for the same branch (e.g. v1.6). In this case, the developer would have to manually modify the script to create a non-conflicting branch name. This commit allows the developer instead to pass a suffix to disambiguate the branch name, without needing to modify the script. Example usage:

```
$ ./contrib/backporting/start-backport 1.6 "-2"
```

This creates a backport branch name pr/v1.6-backport-2020-06-30-2. Signed-off-by: Chris Tarazi <chris@isovalent.com>

Chris Tarazi

commit sha 5cfa8a88d5b91d3370b8db3009e43fc7e7f327d9

contrib: Warn user when backport branch exists Signed-off-by: Chris Tarazi <chris@isovalent.com>

arthurchiao

commit sha 9673c485a72ec93c10e2db1f4fdc8feab45d3d98

metrics: fix negative identity count Identity allocation uses cache and refcnt mechanisms, if the identity info is already in remote kvstore and localkeys store, it will just increase the refcnt, then notify the caller that this identity is reused. The caller will then not bump up the identity counter. However, there is a corner case that does not get handled: refcnt from 0 to 1, which will result in a negative identity count in the metrics output. This patch fixes the problem by returning another flag to indicate whether the identity is first-time referenced (refcnt from 0 to 1) or not. The caller then uses this information to determine whether or not to increase the counter. Signed-off-by: arthurchiao <arthurchiao@hotmail.com>

Jarno Rajahalme

commit sha 0868c6c4f439574d6a4a28293406d15170a5cad9

test: Remove generated temp files Remove the generated temp files after they are no longer needed. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>

Ilya Dmitrichenko

commit sha f6a3e1e6be21e7d7d44d72e02f7ac9586a18007f

release: Remove unused scripts and shell functions

- remove contrib/release/relnotes and contrib/release/uplodarev
- delete all unused functions from contrib/release/lib/common.sh and contrib/release/lib/gitlib.sh
- update documentation

Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Kir Kolyshkin

commit sha 76bb67e861ff0ae33d6ba5ea679f4ed0ab26f1f5

mountinfo: remove useless TrimSpace The /proc/self/mountinfo format is well known and it should not contain any extra whitespace, so strings.TrimSpace() is a useless no-op here. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Kir Kolyshkin

commit sha 1536acec32f47e098b811ceaaa5ce536ab565de7

mountinfo/IsMountFS: optimize Instead of parsing /proc/self/mountinfo (which is slow and prone to errors), we can check if a given path is a mount point having a specific fs type with just 3 simple syscalls. [v2: add TestIsMountFSbyMount] [v3: make TestIsMountFSbyMount a privileged test] [v4: drop dir check, treat ENOENT, wrap errors] Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

MaiReo

commit sha ea8b727d7b663c4482f26348cbf613c29811879f

Set 'kubernetes' IPAM in kube-proxy free guide The pod cidr should match 10.217.0.0/16 mentioned previously, not the default value 10.0.0.0/16 set by default via helm in this tutorial. --set global.ipam.operator.clusterPoolIPv4PodCIDR=10.217.0.0/16 Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: MaiReo <sawako.saki@gmail.com>

Robin Hahling

commit sha 5968d5a747700d0bc7d39ad8c155c0b4b768e1fb

contrib: fix branch check in `start-backport` script The `if` condition is actually inverted which makes it impossible to create a backport branch. This commit fixes this issue. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>

Quentin Monnet

commit sha c388f1fcabae8988edbe9f449f5444885f311f7c

bpf: fix checkpatch errors

Checkpatch was run with the following command:

checkpatch.pl --no-tree --show-types \
  --ignore COMPLEX_MACRO --ignore MULTISTATEMENT_MACRO_USE_DO_WHILE \
  -f bpf/**/*.{c,h}

The following error types were fixed in the bpf/ sources:

- ASSIGN_IN_IF: do not use assignment in if condition
- CODE_INDENT: code indent should use tabs where possible
- FUNCTION_WITHOUT_ARGS: Bad function definition - xxx() should probably be xxx(void)
- INITIALISED_STATIC: do not initialise statics to NULL
- OPEN_BRACE: open brace '{' following struct go on the same line
- OPEN_BRACE: open brace '{' following function definitions go on the next line
- POINTER_LOCATION: "(foo*)" should be "(foo *)"
- SPACING: space required before the open brace '{'
- SPACING: space required after that ',' (ctx:VxV)
- SWITCH_CASE_INDENT_LEVEL: switch and case should be at the same indent
- TRAILING_WHITESPACE: trailing whitespace

The following were ignored in this patch:

- COMPLEX_MACRO, because of IPCACHE4_PREFIXES and IPCACHE6_PREFIXES that we do not want to enclose between parenthesis.
- MULTISTATEMENT_MACRO_USE_DO_WHILE, we do not want do {} while() for macros used to define struct contents.
- SPACING (some of them), when we intentionally aligned fields on several lines.
- TRAILING_STATEMENTS, we do not want to add line breaks everywhere in bpf/include/bpf/builtins.h.
- Issues reported with lower levels (warnings, minor checks).

Signed-off-by: Quentin Monnet <quentin@isovalent.com>

push time in 5 days

pull request comment cilium/cilium

build: Simplify how `BPF_SRCFILES` is set in git-free mode

@Rolinh @pchaigno thanks a lot for the reviews!

errordeveloper

comment created time in 5 days

push event errordeveloper/imagine

Ilya Dmitrichenko

commit sha 8822748f8c9273a79752081ea9b70778e972dbc4

Switch to pretty JSON

Ilya Dmitrichenko

commit sha a4c1022a8a03a1434cbc27c9908b7aac82bdfd85

Export TopLevel

Ilya Dmitrichenko

commit sha c3009c2d88439a43551a8e27b63b78facc6a8497

Implement CLI

Ilya Dmitrichenko

commit sha 2fdc66be2e44bfb294eb1e3583676fe23234cea4

Fix test

push time in 5 days

create branch errordeveloper/imagine

branch : master

created branch time in 5 days

created repository errordeveloper/imagine

created time in 5 days

pull request comment cilium/cilium

build: Simplify how `BPF_SRCFILES` is set in git-free mode

test-4.19

errordeveloper

comment created time in 5 days

pull request comment cilium/cilium

build: Simplify how `BPF_SRCFILES` is set in git-free mode

retest-4.19

errordeveloper

comment created time in 5 days

push event cilium/cilium

Ilya Dmitrichenko

commit sha 9458b1cc11bef1523e8c1f1b7c97728ef6cdbebf

build: Simplify how `BPF_SRCFILES` is set in git-free mode Since git-free mode is for builds inside a container, it is safe to assume that all files under `bpf` came from the Cilium git tree. For that purpose `find` is sufficient and there is no need for a two-stage process with `BPF_SRCFILES` file being written first. Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

push time in 5 days

Pull request review comment cilium/cilium

build: Simplify how `BPF_SRCFILES` is set in git-free mode

 CILIUM_ENVOY_SHA=$(shell grep -o "FROM.*cilium/cilium-envoy:[0-9a-fA-F]*" $(ROOT GO_BUILD_LDFLAGS += -X "github.com/cilium/cilium/pkg/envoy.RequiredEnvoyVersionSHA=$(CILIUM_ENVOY_SHA)"  # Use git only if in a Git repo, otherwise depend on file BPF_SRCFILES existing+BPF_SRCFILES_IGNORE = bpf/.gitignore ifneq ($(wildcard $(dir $(lastword $(MAKEFILE_LIST)))/.git),)-	BPF_FILES_EVAL = $(shell git ls-files $(ROOT_DIR)/bpf/ | grep -v .gitignore | tr "\n" ' ')-	BPF_FILES ?= $(BPF_FILES_EVAL)-	BPF_SRCFILES := $(subst ../,,$(BPF_FILES))+	BPF_SRCFILES := $(shell git ls-files $(ROOT_DIR)/bpf/ | sort | tr "\n" ' ') else-	BPF_SRCFILES = $(shell cat $(ROOT_DIR)/BPF_SRCFILES)+	# this line has to be in-sync with bpf/.gitignore, please note usage of make patterns like `%.i`+	BPF_SRCFILES_IGNORE += bpf/cilium-map-migrate bpf/cilium-probe-kernel-hz bpf/%.i bpf/%.s bpf/.rebuild_all
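
Review bot: the hand-maintained `BPF_SRCFILES_IGNORE` list in the `else` branch is the fragile part of this hunk: the comment says it has to stay in sync with bpf/.gitignore, but nothing checks that, so a new ignore entry in bpf/.gitignore will silently widen `BPF_SRCFILES` in git-free builds; a `make` target that fails when the two disagree (or the Go tool discussed in the thread) would catch the drift. Also note the git branch no longer applies the old `$(subst ../,,$(BPF_FILES))` step; that is only safe if `$(ROOT_DIR)` is absolute, so it is worth a comment stating that assumption.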

The syntax is very different, we cannot just read it as is, even if we stripped the comment - it has regex support (including negation), while the filter-out macro supports make's own pattern syntax. We'd need to drag in some sort of gitignore parser. I'd much rather just improve this by creating a Go tool that can be used by the loader as well as during the build. In fact, I believe the loader already has most of the logic.

errordeveloper

comment created time in 5 days

pull request comment cilium/cilium

build: Simplify how `BPF_SRCFILES` is set in git-free mode

So on master I ran make dev-docker-image DOCKER_BUILDKIT=1 IGNORE_GIT_STATUS=1 and noted down the hash as 64b593950feb19e00277ae7d2ca0d388a5f884e0.

I then did this:

$ git ls-files bpf/ | sort | grep -v .gitignore | xargs cat | shasum -a 1
64b593950feb19e00277ae7d2ca0d388a5f884e0  -
$ git ls-files bpf/ | grep -v .gitignore | xargs cat | shasum -a 1       
64b593950feb19e00277ae7d2ca0d388a5f884e0  -

So sorting git ls-files doesn't change anything, I believe it already returns results in alphabetical order.

However, running the same command on this branch resulted in a different hash:

$ git ls-files bpf/ | sort | grep -v .gitignore | xargs cat | shasum -a 1
966f5a8b50f5454b98ada4758e1e0b7b32992f34  -

I rebased, and getting the same hash now:

$ git ls-files bpf/ | grep -v .gitignore | xargs cat | shasum -a 1
64b593950feb19e00277ae7d2ca0d388a5f884e0  -

errordeveloper

comment created time in 5 days

push event cilium/cilium

Ilya Dmitrichenko

commit sha db39f5da949e1d6e9fdc31ff461aaca1cae994a3

test: Remove old `startup-script` image dir This is now part of image-tools repository: https://github.com/cilium/image-tools/tree/master/images/startup-script Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Maciej Kwiek

commit sha 269c985099c8d9b2147b746f200d757d15334467

ci: Check for gke nodepool before locking cluster If the cluster has just been recreated, it can have no nodepool yet. Don't choose such clusters because scaling it will fail. Signed-off-by: Maciej Kwiek <maciej@isovalent.com>

Chris Tarazi

commit sha ecac73d4028ab32329b857a2da049dc4a457a11b

contrib: Add ability to pass suffix for branch This is useful in cases where a backport PR is started on the same day that another backport PR was created, for the same branch (e.g. v1.6). In this case, the developer would have to manually modify the script to create a non-conflicting branch name. This commit allows the developer instead to pass a suffix to disambiguate the branch name, without needing to modify the script. Example usage:

```
$ ./contrib/backporting/start-backport 1.6 "-2"
```

This creates a backport branch name pr/v1.6-backport-2020-06-30-2. Signed-off-by: Chris Tarazi <chris@isovalent.com>

Chris Tarazi

commit sha 5cfa8a88d5b91d3370b8db3009e43fc7e7f327d9

contrib: Warn user when backport branch exists Signed-off-by: Chris Tarazi <chris@isovalent.com>

arthurchiao

commit sha 9673c485a72ec93c10e2db1f4fdc8feab45d3d98

metrics: fix negative identity count Identity allocation uses cache and refcnt mechanisms, if the identity info is already in remote kvstore and localkeys store, it will just increase the refcnt, then notify the caller that this identity is reused. The caller will then not bump up the identity counter. However, there is a corner case that does not get handled: refcnt from 0 to 1, which will result in a negative identity count in the metrics output. This patch fixes the problem by returning another flag to indicate whether the identity is first-time referenced (refcnt from 0 to 1) or not. The caller then uses this information to determine whether or not to increase the counter. Signed-off-by: arthurchiao <arthurchiao@hotmail.com>

Jarno Rajahalme

commit sha 0868c6c4f439574d6a4a28293406d15170a5cad9

test: Remove generated temp files Remove the generated temp files after they are no longer needed. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>

Ilya Dmitrichenko

commit sha f6a3e1e6be21e7d7d44d72e02f7ac9586a18007f

release: Remove unused scripts and shell functions

- remove contrib/release/relnotes and contrib/release/uplodarev
- delete all unused functions from contrib/release/lib/common.sh and contrib/release/lib/gitlib.sh
- update documentation

Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

Kir Kolyshkin

commit sha 76bb67e861ff0ae33d6ba5ea679f4ed0ab26f1f5

mountinfo: remove useless TrimSpace The /proc/self/mountinfo format is well known and it should not contain any extra whitespace, so strings.TrimSpace() is a useless no-op here. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Kir Kolyshkin

commit sha 1536acec32f47e098b811ceaaa5ce536ab565de7

mountinfo/IsMountFS: optimize Instead of parsing /proc/self/mountinfo (which is slow and prone to errors), we can check if a given path is a mount point having a specific fs type with just 3 simple syscalls. [v2: add TestIsMountFSbyMount] [v3: make TestIsMountFSbyMount a privileged test] [v4: drop dir check, treat ENOENT, wrap errors] Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

MaiReo

commit sha ea8b727d7b663c4482f26348cbf613c29811879f

Set 'kubernetes' IPAM in kube-proxy free guide The pod cidr should match 10.217.0.0/16 mentioned previously, not the default value 10.0.0.0/16 set by default via helm in this tutorial. --set global.ipam.operator.clusterPoolIPv4PodCIDR=10.217.0.0/16 Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: MaiReo <sawako.saki@gmail.com>

Robin Hahling

commit sha 5968d5a747700d0bc7d39ad8c155c0b4b768e1fb

contrib: fix branch check in `start-backport` script The `if` condition is actually inverted which makes it impossible to create a backport branch. This commit fixes this issue. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>

Quentin Monnet

commit sha c388f1fcabae8988edbe9f449f5444885f311f7c

bpf: fix checkpatch errors

Checkpatch was run with the following command:

checkpatch.pl --no-tree --show-types \
  --ignore COMPLEX_MACRO --ignore MULTISTATEMENT_MACRO_USE_DO_WHILE \
  -f bpf/**/*.{c,h}

The following error types were fixed in the bpf/ sources:

- ASSIGN_IN_IF: do not use assignment in if condition
- CODE_INDENT: code indent should use tabs where possible
- FUNCTION_WITHOUT_ARGS: Bad function definition - xxx() should probably be xxx(void)
- INITIALISED_STATIC: do not initialise statics to NULL
- OPEN_BRACE: open brace '{' following struct go on the same line
- OPEN_BRACE: open brace '{' following function definitions go on the next line
- POINTER_LOCATION: "(foo*)" should be "(foo *)"
- SPACING: space required before the open brace '{'
- SPACING: space required after that ',' (ctx:VxV)
- SWITCH_CASE_INDENT_LEVEL: switch and case should be at the same indent
- TRAILING_WHITESPACE: trailing whitespace

The following were ignored in this patch:

- COMPLEX_MACRO, because of IPCACHE4_PREFIXES and IPCACHE6_PREFIXES that we do not want to enclose between parenthesis.
- MULTISTATEMENT_MACRO_USE_DO_WHILE, we do not want do {} while() for macros used to define struct contents.
- SPACING (some of them), when we intentionally aligned fields on several lines.
- TRAILING_STATEMENTS, we do not want to add line breaks everywhere in bpf/include/bpf/builtins.h.
- Issues reported with lower levels (warnings, minor checks).

Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Quentin Monnet

commit sha ca9e91a02d0ec084417c6afe93493352ba684231

bpf: fix checkpatch warnings

Checkpatch was run as follows:

$ checkpatch.pl --no-tree --show-types \
  --ignore BLOCK_COMMENT_STYLE --ignore CONST_STRUCT \
  --ignore CONSTANT_CONVERSION --ignore JIFFIES_COMPARISON \
  --ignore MACRO_WITH_FLOW_CONTROL \
  --ignore PRINTK_WITHOUT_KERN_LEVEL --ignore TRAILING_SEMICOLON \
  --ignore VOLATILE \
  -f bpf/**/*.{c,h}

The following warning types were fixed in the bpf/ files:

- ARRAY_SIZE: Prefer ARRAY_SIZE(kernel_hz)
- BRACES: braces {} are not necessary for any arm of this statement
- BRACES: braces {} are not necessary for single statement blocks
- LEADING_SPACE: please, no spaces at the start of a line
- LINE_CONTINUATIONS: Avoid unnecessary line continuations
- LINE_SPACING: Missing a blank line after declarations
- RETURN_VOID: void function return statements are not generally useful
- SPACE_BEFORE_TAB: please, no space before tabs
- SPDX_LICENSE_TAG: Missing or malformed SPDX-License-Identifier tag in line 1
- TABSTOP: Statements should start on a tabstop
- UNNECESSARY_ELSE: else is not generally useful after a break or return

The following were ignored:

- BLOCK_COMMENT_STYLE, let's not fix those just yet
- CONST_STRUCT, broken with empty struct list
- CONSTANT_CONVERSION, we do want to use __constant_htons
- CONSTANT_COMPARISON, one false positive in bpf/lib/trace.h, some cases in bpf/lib/icmp6.h where we bound the value and it looks better
- JIFFIES_COMPARISON, we do want jiffies
- MACRO_WITH_FLOW_CONTROL, we still want some macros with flow control
- PREFER_ALIGNED, false positive on __aligned definition
- PREFER_PACKED, false positive on __packed definition
- PRINTK_WITHOUT_KERN_LEVEL, our printk() does not have KERN_<LEVEL>
- TRAILING_SEMICOLON, we do want semicolons in some of our macros
- VOLATILE, we know what we are doing with volatile

The following were ignored, some of which will be fixed in a later patch. This is because they are downgraded to the "check" level (instead of warning) when checkpatch runs on files and not on patches and commit logs (and so I did not see them at first):

- LONG_LINE
- LONG_LINE_COMMENT
- LONG_LINE_STRING
- PREFER_FALLTHROUGH
- TYPO_SPELLING

Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Quentin Monnet

commit sha b612da20e27a696bf8127d62c6f1136e1eea7451

bpf: fix checkpatch BLOCK_COMMENT_STYLE warnings

Let's harmonise block comment style. The kernel network codestyle is preferred:

    /* Single-line comment */

    /* Multi-line comment,
     * spanning several lines.
     */

The regular kernel codestyle (non-network-specific) is not reported by checkpatch, but strongly discouraged, to keep comment blocks consistent:

    /*
     * Multi-line comment,
     * with opening marker on its own line
     */

(Note that we could detect those by tricking checkpatch into believing the files are under a "net/" directory, but this would also enforce the "--strict" mode, which we do not desire.)

Signed-off-by: Quentin Monnet <quentin@isovalent.com>

view details

Quentin Monnet

commit sha 7a69ee20bc1e6f16a5f6fa9faeaedb622c5307d4

bpf: fix more checkpatch warnings

Checkpatch was run as follows:

    $ checkpatch.pl --no-tree --strict --show-types \
        --types AVOID_BUG --types FSF_MAILING_ADDRESS \
        --types LONG_LINE --types LONG_LINE_COMMENT \
        --types SPDX_LICENSE_TAG --types TYPO_SPELLING \
        -f bpf/**/*.{c,h}

Although we do not try to fix the reports on the "check" level (logged when the "--strict" option is used), these are some checks that would be considered as warnings by checkpatch if not running directly on the source files (but on patches or git commit instead). Let's process them to be on par with what the GitHub action would report.

The following warning types were fixed in the bpf/ files:

- LONG_LINE: line length of <n> exceeds 100 columns
- LONG_LINE_COMMENT: line length of <n> exceeds 100 columns
- TYPO_SPELLING: 'xxx' may be misspelled - perhaps 'xxy'?

The following were ignored:

- LONG_LINE_STRING, not desired
- LONG_LINE: IP addresses are better on long lines in bpf/node_config.h
- PREFER_FALLTHROUGH, since "fallthrough;" is not implemented

Signed-off-by: Quentin Monnet <quentin@isovalent.com>

view details

Quentin Monnet

commit sha 9acc12c870fdf61c5806fb068d8f9f91668a9f97

bpf: fix checkpatch C99_COMMENTS errors

Run checkpatch with option "--ignore C99_COMMENT_TOLERANCE" to disable its default tolerance to C99-style comments (those comments starting with "// ...").

For this error type, checkpatch.pl also reports the SPDX identifier tags in .c files as infringing the rule. Those are left untouched. All other occurrences are replaced with "/* ... */" style comments.

One exception: one comment in bpf/lib/icmp6.h was apparently a leftover commented instruction and was simply removed.

Signed-off-by: Quentin Monnet <quentin@isovalent.com>

view details

Quentin Monnet

commit sha 1843b4adeddad7ee0fd83bc3c71ba6e4d57db48e

build: run checkpatch.pl for bpf/ locally or as GitHub action

Although there is no explicit coding style for the BPF code, several developers tend to follow the kernel coding style conventions [0]. To try and maintain a consistent style all over the code, this commit adds kernel's checkpatch.pl to the list of checks performed on the source as part of BPF's "make check".

Some details on the check:

- We only run checkpatch.pl on the bpf/ directory.
- A new "checkpatch" BPF make target is created, and added as a dependency to "check".
- However, we only run it on the latest changes by default, meaning the changes since newest Git parent reference plus the changes returned by "git diff HEAD".
- For manual checks, the bash script used to launch checkpatch has an option to run the checks on all the bpf/ source code, independently of the Git history.
- GitHub action runs checkpatch.pl on all commits from the PR.

There is no mechanism to bypass checkpatch errors, Janitors will have to decide if issues reported by checkpatch should be ignored.

The checkpatch.pl and spelling.txt files (both under GPLv2) are directly copied from the kernel repository, as per commit f436a58e2619 ("checkpatch: fix CONST_STRUCT when const_structs.checkpatch is missing") (in linux-next as of the creation of this patch).

File deprecated_terms.txt is created from this PR, and populated in prevision of the changes proposed in #12206.

The script checkpatch.sh (bash script) launches checkpatch.pl with the relevant arguments and options.

COPYING file is copied from bpf/COPYING, to make sure people get a version of the license boilerplate with the checkpatch code.

[0] https://www.kernel.org/doc/html/v5.6/process/coding-style.html

Signed-off-by: Quentin Monnet <quentin@isovalent.com>

view details

Maciej Kwiek

commit sha 8d1f9522754caf3c27acf108fb1a2e509f141b2a

ci: add startup-script to local node repo

Lack of this image is the reason for gke tests to fail; if it's available, node init should run properly in gke.

Signed-off-by: Maciej Kwiek <maciej@isovalent.com>

view details

Philipp Gniewosz

commit sha 8f700ac13f900359c3327e53de182599a1324e56

add CLI for checking kernel capabilities

Introducing a CLI for easily checking whether required BPF related kernel capabilities as required by Cilium are employed on the respective machine.

Fixes: #11214
Signed-off-by: Philipp Gniewosz <philipp.gniewosz@posteo.de>

view details

Philipp Gniewosz

commit sha 7d4d2c07fca6d2ea09636a67fe4826722a197617

introduce Deployment for running kernel-check CLI Signed-off-by: Philipp Gniewosz <philipp.gniewosz@posteo.de>

view details

push time in 5 days

pull request commentcilium/cilium

build: Simplify how `BPF_SRCFILES` is set in git-free mode

@tklauser sorry, fixed that now! It was because I was testing on macOS and forgot to undo a tweak.

errordeveloper

comment created time in 6 days

push eventcilium/cilium

Ilya Dmitrichenko

commit sha ff0c8118267cb4435bbe8c7a13efc18a403b3f89

build: Simplify how `BPF_SRCFILES` is set in git-free mode Since git-free mode is for builds inside a container, it is safe to assume that all files under `bpf` came from the Cilium git tree. For that purpose `find` is sufficient and there is no need for a two-stage process with `BPF_SRCFILES` file being written first. Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

view details

push time in 6 days

pull request commentcilium/cilium

build: Simplify how `BPF_SRCFILES` is set in git-free mode

As discussed with @jrajahalme on Slack, I've added a comment to bpf/.gitignore to ensure anyone updating that also updates Makefile.defs.

errordeveloper

comment created time in 6 days

pull request commentcilium/cilium

release: Remove all unused gitlib functions

I'm not sure where they come from

@joestringer these were from Kubernetes, and from what I can tell these had been rewritten, namely release note generator is now a JavaScript app, and it has a UI.

errordeveloper

comment created time in 6 days

Pull request review commentcilium/cilium

release: Remove all unused gitlib functions

 common::exit () {   common::cleanexit $etype } -#############################################################################-# Simple yes/no prompt-#-# @optparam default -n(default)/-y/-e (default to n, y or make (e)xplicit)-# @param message-common::askyorn () {
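Review bot: the deletion of `common::askyorn` at the end of this hunk needs a check that no release script still calls it. Bash does not resolve function names when a library file is sourced, only when the function is invoked, so a leftover `common::askyorn` caller would fail with "command not found" in the middle of a release run rather than at load time; grep the scripts that source this library for `askyorn` before removing the prompt helper, or keep it in place.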

No worries, I've put this one back in!

errordeveloper

comment created time in 6 days

push eventcilium/cilium

Paul Chaignon

commit sha 1bd46240479805818370daadd342cf5c8aa271f6

bpf: Use same file as Golang side instead of nproc

On Golang side we get the number of CPUs from /sys/devices/system/cpu/possible. On BPF side, we use $(nproc -all). nproc calls num_processors() from the gnulib. That function, however, may not always return the value from the /sys file above. Instead, we should use the exact same source as Golang side to ensure both sides have the same value and avoid issues later on. See #12070 for details.

The __NR_CPUS__ values in test/bpf/Makefile and bpf/Makefile.bpf do not need to be in sync with Golang values because these files are only used for unit tests, sparse, and compile testing.

Fixes: 8191b16 ("bpf: Use `nproc --all` for __NR_CPUS__")
Signed-off-by: Paul Chaignon <paul@cilium.io>

view details

Robin Hahling

commit sha 8cf1e203b826a0a28243e83631dd7c37e46179e0

make: fix LOCKDEBUG env variable reference for docker-plugin-image This commit fixes a typo that prevents LOCKDEBUG from working for the `docker-plugin-image` make target. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>

view details

Robin Hahling

commit sha 29abe2b752d8ca18ee3d3b9ad0947185c1defa56

hubble-relay: add support for LOCKDEBUG Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>

view details

Jarno Rajahalme

commit sha 30f4e755b72a5c39338f764933285a85c516ecf4

test: Always run L4 services test. There is no need to skip the L4 services test if it runs without kube-proxy (i.e., with NodePort BPF), as this test does not deploy any L7 redirects. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>

view details

Jarno Rajahalme

commit sha 069ff4896671b90416979e09e2e5c6067cca08e7

test: Add TFTP / DNS collision test.

Add a test case where a TFTP client in k8s1 uses the DNS proxy port of k8s2 as its ephemeral local (source) port number. This exposes a problem with the iptables rules used in proxy redirection in k8s2, as the response TFTP packets get intercepted by a socket match rule.

As of now, this test case fails, but the fix in a following commit fixes the underlying problem.

Related: #12241
Signed-off-by: Jarno Rajahalme <jarno@covalent.io>

view details

Jarno Rajahalme

commit sha ca767ee2e1fff301c99ee7f63a190e3367d726cb

iptables: Remove '--nowildcard' from socket match

'--no-wildcard' allows the socket match to find zero-bound (listening) sockets, which we do not want, as this may intercept (reply) traffic intended for other nodes when an ephemeral source port number allocated in one node happens to be the same as the allocated proxy port number in 'this' node (the node doing the iptables socket match changed here).

Fixes: #12241
Related: #8864
Signed-off-by: Jarno Rajahalme <jarno@covalent.io>

view details

Maciej Kwiek

commit sha 2fb03bc769babdda8fac754a230d832e8c9ebbd2

test: add missing artii cert-key pair

These files are generated by

    cd k8sT/manifests
    openssl genrsa -out internal-artii.key 2048
    openssl req -new -key internal-artii.key -out internal-artii.csr
    openssl x509 -req -days 3600 -in internal-artii.csr -CA testCA.crt -CAkey testCA.key -CAcreateserial -out internal-artii.crt -sha256

common name needs to be `artii.herokuapp.com`.
testCA.key password is `cilium`

Signed-off-by: Maciej Kwiek <maciej@isovalent.com>

view details

Maciej Kwiek

commit sha 8ed026ada6b01bf06b05b3cb392c2210eabbbb71

test: fix escaping in l7 tls vis policy Signed-off-by: Maciej Kwiek <maciej@isovalent.com>

view details

Paul Chaignon

commit sha 089060b41bfa817d8b075b8888a394a65b2eaed1

daemon: Skip devices without hw address during device detection

We need NodePort and direct routing devices to have a MAC address. If they don't, init.sh fails with the following error:

    level=warning msg="+ for NATIVE_DEV in ${NATIVE_DEVS//;/ }" subsys=datapath-loader
    level=warning msg="++ cat /sys/class/net/lo/ifindex" subsys=datapath-loader
    level=warning msg="+ IDX=1" subsys=datapath-loader
    level=warning msg="++ ip link show lo" subsys=datapath-loader
    level=warning msg="++ grep ether" subsys=datapath-loader
    level=warning msg="++ awk '{print $2}'" subsys=datapath-loader
    level=warning msg="+ MAC=" subsys=datapath-loader
    level=error msg="Error while initializing daemon" error="exit status 1" subsys=daemon
    level=fatal msg="Error while creating daemon" error="exit status 1" subsys=daemon

Thus, we need to skip auto-detected devices that don't have a MAC address. This commit implements that and was tested by injecting a loopback interface with an IP address in the code, in the dev. VM:

    loAddr, err := netlink.ParseAddr("192.168.33.11/32")
    if err == nil {
        loAddr.LinkIndex = 1
        addrs = append(addrs, *loAddr)
    }

Fixes: #12228
Fixes: #12304
Fixes: 6730d0f ("daemon: Extend BPF NodePort device auto-detection")
Signed-off-by: Paul Chaignon <paul@cilium.io>

view details

Paul Chaignon

commit sha 5244b68c146810a99eeb3503739d2a0309ba362e

bpf: Handle icmpv6 in host firewall

In IPv6 mode, when the host firewall is enabled and rules are enforced, we start dropping ICMPv6 packets that are required to route packets. In particular, we can notice the following drops in cilium monitor:

    xx drop (Policy denied) flow 0x1fc0ef0 to endpoint 0, identity 1->0: fd00::c -> f00d::a0f:0:0:dfa1 DestinationUnreachable(NoRouteToDst)
    xx drop (Policy denied) flow 0x0 to endpoint 0, identity 0->0: fd01::c -> fd01::b NeighborAdvertisement

The nodes need to be able to exchange ICMPv6 NS and NA messages to establish routes. We already handle the response to NS messages on ingress, but when the egress policies are enforced, we start dropping outgoing NS and NA messages.

This commit fixes that by allowing and rejecting ICMPv6 messages according to RFC4890 Section 4.4. No other verifications than the types' are performed on the messages' correctness or their source IP addresses. Such messages from the pods are already handled on their egress, so we're not at risk of spoofing from pods here.

Handling of echo request and reply messages does not conform to RFC4890 as they can be filtered by the host firewall. That is to be consistent with our handling of ICMPv4 messages.

With this commit, we also stop answering to NS and echo request messages from the BPF program on ingress to the host. This behavior had been broken by a695f53 ("Endpoint for host"), but we will now explicitly stop replying to those messages and pass them up the stack instead.

Fixes: a695f53 ("Endpoint for host")
Fixes: 489dbef ("bpf: Enforce host policies for IPv6")
Signed-off-by: Paul Chaignon <paul@cilium.io>

view details

Joe Stringer

commit sha 655c6362c5c44a554039f297b9bde55fc5413f28

docs: Switch hostfw tech-preview -> beta After discussion from the Cilium community meeting, we determined that the beta designation is more appropriate for the state of the host firewall feature. Signed-off-by: Joe Stringer <joe@cilium.io>

view details

André Martins

commit sha 360a21082266cb10da031cd7bed6e75c436a5123

test: fix k8s upgrade testing for 1.9-dev Signed-off-by: André Martins <andre@cilium.io>

view details

André Martins

commit sha 5c3a67ccd13e9177eb1ab7d41a93dd93ebba2376

test: add v1.8 upgrade to the nightly tests Signed-off-by: André Martins <andre@cilium.io>

view details

Jianlin Lv

commit sha 9447854a577e102e086d3f815dc1ab70dc727c6c

.travis: Fix probes_test failure on Arm64 Have no available kernel config in LXD container for arm64 Signed-off-by: Jianlin Lv <Jianlin.Lv@arm.com>

view details

Tobias Klauser

commit sha 589b56f45964d99d93854d1b078299cdb1b657de

bpf: remove dead stores in tail_nodeport_nat_ipv{4,6} The assignment ret = CTX_ACT_OK is either overwritten or unused in all successive code paths and thus a dead store. Found using the clang static analyzer. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

view details

Deepesh Pathak

commit sha 7856a775f5f731098b5b828adfb6da32913a51eb

fix(9966): fix creation of multiple KVStore watchers for CNPs and CCNPs

* Fixes #9966
* Implement Observer for CNPStatusEventHandler to remove the need of extra KVstore watcher.

Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>

view details

Joe Stringer

commit sha fa8857fbd09f4c2045bf96fc700927a82c3d1100

endpoint: Inherit context during identity allocation Inherit the identity allocation context from the parent function when calling into identityLabelsChanged(). This function isn't a background thread, and it receives a context so it should respect the passed context. Signed-off-by: Joe Stringer <joe@cilium.io>

view details

Joe Stringer

commit sha 8bb5382fd916c534bca22469413edf817d0178d3

endpoint: Use kvstore timeout for undo When there's some kind of late error / failure and a newly allocated identity must be released, allow the kvstore connectivity timeout to be customised via the standard kvstore connectivity timeout. This path may still be called from endpoint create, so it's not appropriate to block for up to two minutes to attempt to roll back the identity allocation here. Signed-off-by: Joe Stringer <joe@cilium.io>

view details

Jarno Rajahalme

commit sha b796665e077a6fc2ad9a2fe53bb36f79a0057240

envoy: Update to 1.13.3

This fixes the following CVEs for the Envoy version 1.13.x:

- CVE-2020-12603 (CVSS score 7.0, High): Envoy through 1.14.2 may consume excessive amounts of memory when proxying HTTP/2 requests or responses with many small (e.g., 1 byte) data frames.
- CVE-2020-12605 (CVSS score 7.0, High): Envoy through 1.14.2 may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs.
- CVE-2020-8663 (CVSS score 7.0, High): Envoy version 1.14.2 or earlier may exhaust file descriptors and/or memory when accepting too many connections.
- CVE-2020-12604 (CVSS score 5.3, Medium): Envoy through 1.14.2 is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream. The attacker can cause data associated with many streams to be buffered forever.

Signed-off-by: Jarno Rajahalme <jarno@covalent.io>

view details

Jarno Rajahalme

commit sha 31f8ba02339f7cfb0a3018354a59f9f129b7e6f3

istio: Update to 1.5.7 Signed-off-by: Jarno Rajahalme <jarno@covalent.io>

view details

push time in 6 days

push eventcilium/cilium

Ilya Dmitrichenko

commit sha 9f77023aeb6bb0927c63e7685bb8222fee1322dd

build: Simplify how `BPF_SRCFILES` is set in git-free mode Since git-free mode is for builds inside a container, it is safe to assume that all files under `bpf` came from the Cilium git tree. For that purpose `find` is sufficient and there is no need for a two-stage process with `BPF_SRCFILES` file being written first. Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

view details

push time in 6 days

push eventcilium/cilium

Tobias Klauser

commit sha cfff1985d45ae5d3c7e801fa0aacdf40556c181e

datapath/linux/probes: make ErrKernelConfigNotFound a sentinel error value This is idiomatic in Go and allows to use errors.Is on error values returned by (*ProbeManager).SystemConfigProbes instead of a type assertion. Also use fmt.Errorf instead of the external github.com/pkg/errors to wrap error values in (*ProbeManager).SystemConfigProbes Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

view details

Ilya Dmitrichenko

commit sha fd77bc2bac3e9ab51c4a68b66b7ed0a9679f1d40

build: Simplify how `BPF_SRCFILES` is set in git-free mode Since git-free mode is for builds inside a container, it is safe to assume that all files under `bpf` came from the Cilium git tree. For that purpose `find` is sufficient and there is no need for a two-stage process with `BPF_SRCFILES` file being written first. Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

view details

push time in 6 days

pull request commentcilium/cilium

build: Simplify how `BPF_SRCFILES` is set in git-free mode

That is too fragile, IMO. Someone will add a file into .gitignore and not update the filter-out line in Makefile.defs, so this will get broken.

Sure, so that would be a good reason to prioritise a more coherent solution that uses exactly the same code on each of the ends.

errordeveloper

comment created time in 7 days

pull request commentcilium/cilium

build: Simplify how `BPF_SRCFILES` is set in git-free mode

@jrajahalme I've added filter-out macro for all files in bpf/.gitignore.

errordeveloper

comment created time in 7 days

push eventcilium/cilium

Ilya Dmitrichenko

commit sha dca1681a08174668fae7b792af716ccc44930397

build: Simplify how `BPF_SRCFILES` is set in git-free mode Since git-free mode is for builds inside a container, it is safe to assume that all files under `bpf` came from the Cilium git tree. For that purpose `find` is sufficient and there is no need for a two-stage process with `BPF_SRCFILES` file being written first. Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

view details

push time in 7 days

pull request commentcilium/cilium

build: Simplify how `BPF_SRCFILES` is set in git-free mode

Likely so, but find does not care about .gitignore.

So in the case of find, I don't see those binaries, but they are not an issue in a container build. However, I'll make sure to filter those out.

errordeveloper

comment created time in 7 days

pull request commentcilium/cilium

build: Simplify how `BPF_SRCFILES` is set in git-free mode

Did you notice that the list of bpf files in the git-free build includes binaries such as bpf/cilium-map-migrate bpf/cilium-probe-kernel-hz

I how so, aren't those in .gitignore?

errordeveloper

comment created time in 7 days

pull request commentcilium/cilium

build: Simplify how `BPF_SRCFILES` is set in git-free mode

So I just double checked on sorting, and it looks like git ls-files sorts alphabetically. I think there is a possibility for inconsistencies to occur, since we have two implementations in make and one in Go. In my view there should be just one implementation, ideally in Go, but for now this should be sufficient.

errordeveloper

comment created time in 7 days

pull request commentcilium/cilium

test: Remove old `startup-script` image dir

@aanm could you please de-activate Docker Hub build (https://hub.docker.com/repository/docker/cilium/startup-script/builds), and delete latest tag?

errordeveloper

comment created time in 7 days

PR opened cilium/cilium

test: Remove old `startup-script` image dir area/build release-note/misc

This is now part of image-tools repository:

https://github.com/cilium/image-tools/tree/master/images/startup-script

+0 -65

0 comment

4 changed files

pr created time in 7 days

create branch cilium/cilium

branch : pr/errordeveloper/delete-test-startup-script

created branch time in 7 days

push eventcilium/cilium

Ilya Dmitrichenko

commit sha 78a29a3e359606989a4e6cb22138c9089655ce1a

build: Simplify how `BPF_SRCFILES` is set in git-free mode Since git-free mode is for builds inside a container, it is safe to assume that all files under `bpf` came from the Cilium git tree. For that purpose `find` is sufficient and there is no need for a two-stage process with `BPF_SRCFILES` file being written first. Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

view details

push time in 7 days

pull request commentcilium/cilium

build: Simplify how `BPF_SRCFILES` is set in git-free mode

@jrajahalme thanks! I have added sort in both instances and it solves the hashing consistency, PTAL :)

errordeveloper

comment created time in 7 days

push eventcilium/cilium

Ilya Dmitrichenko

commit sha 997ac475e3af6e4d4671d251b3c7100cc3e56b14

build: Simplify how `BPF_SRCFILES` is set in git-free mode Since git-free mode is for builds inside a container, it is safe to assume that all files under `bpf` came from the Cilium git tree. For that purpose `find` is sufficient and there is no need for a two-stage process with `BPF_SRCFILES` file being written first. Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

view details

push time in 7 days

push eventcilium/cilium

Ilya Dmitrichenko

commit sha be5d75d01033de80cf3339815f65ee4faf932f67

build: Simplify how `BPF_SRCFILES` is set in git-free mode Since git-free mode is for builds inside a container, it is safe to assume that all files under `bpf` came from the Cilium git tree. For that purpose `find` is sufficient and there is no need for a two-stage process with `BPF_SRCFILES` file being written first. Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

view details

push time in 7 days

Pull request review commentcilium/cilium

build: Experimental multi-platform images

 RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/cilium --mount=   HOST_CC=aarch64-linux-gnu-gcc HOST_STRIP=aarch64-linux-gnu-strip \   SKIP_DOCS=true DESTDIR=/out/linux/arm64 clean-container build-container install-container -FROM docker.io/errordeveloper/cilium-runtime:201594d798c0dafdc5969e81ca21fa2761103b7f-dev-LABEL maintainer="maintainer@cilium.io"+FROM ${CILIUM_RUNTIME_IMAGE} ARG TARGETPLATFORM+LABEL maintainer="maintainer@cilium.io"
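Review bot: `FROM ${CILIUM_RUNTIME_IMAGE}` only expands if a global `ARG CILIUM_RUNTIME_IMAGE` is declared before the first `FROM` of this Dockerfile; no such declaration is visible in the hunk, so confirm one exists and give it a default, otherwise any build that does not pass `--build-arg CILIUM_RUNTIME_IMAGE=...` fails with an empty base image name. The removed line pinned a specific `cilium-runtime` tag; the default should keep pinning a tag (or, better, a digest) rather than a floating reference so that the multi-platform image stays reproducible and the base cannot silently change underneath a release build.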

It's actually being used as image tag for the agent image, as well as operator and hubble-relay.

errordeveloper

comment created time in 7 days

Pull request review commentcilium/cilium

Add an option to cilium-agent for disabling 'HealthCheckNodePort'

 type Service struct {  // NewService creates a new instance of the service handler. func NewService(monitorNotify monitorNotify) *Service {++	var localhealthServer healthServer+	if option.Config.EnableHealthCheckNodePort {+		localhealthServer = healthserver.New()+	} 	return &Service{ 		svcByHash:       map[string]*svcInfo{}, 		svcByID:         map[lb.ID]*svcInfo{}, 		backendRefCount: counter.StringCounter{}, 		backendByHash:   map[string]*lb.Backend{}, 		monitorNotify:   monitorNotify,-		healthServer:    healthserver.New(),+		healthServer:    localhealthServer,
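Review bot: when `option.Config.EnableHealthCheckNodePort` is false, `localhealthServer` keeps its zero value, so `Service.healthServer` becomes a nil `healthServer`; every method call on `s.healthServer` elsewhere in this type then needs a nil check, otherwise the agent panics the first time a service with a health-check node port is upserted or deleted, and the hunk shows no such guard. Assigning a no-op `healthServer` implementation in an else branch would keep every call site unchanged and avoid scattering nil checks.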
		healthServer:    localHealthServer,
soumynathan

comment created time in 7 days

Pull request review commentcilium/cilium

Add an option to cilium-agent for disabling 'HealthCheckNodePort'

 type Service struct {  // NewService creates a new instance of the service handler. func NewService(monitorNotify monitorNotify) *Service {++	var localhealthServer healthServer
	var localHealthServer healthServer
soumynathan

comment created time in 7 days

Pull request review commentcilium/cilium

Add an option to cilium-agent for disabling 'HealthCheckNodePort'

 type Service struct {  // NewService creates a new instance of the service handler. func NewService(monitorNotify monitorNotify) *Service {++	var localhealthServer healthServer+	if option.Config.EnableHealthCheckNodePort {+		localhealthServer = healthserver.New()
		localHealthServer = healthServer.New()
soumynathan

comment created time in 7 days

Pull request review commentcilium/cilium

Add an option to cilium-agent for disabling 'HealthCheckNodePort'

 type Service struct {  // NewService creates a new instance of the service handler. func NewService(monitorNotify monitorNotify) *Service {++	var localhealthServer healthServer
	var localHealthServer healthServer
soumynathan

comment created time in 7 days

push eventcilium/cilium

Maciej Kwiek

commit sha 2fb03bc769babdda8fac754a230d832e8c9ebbd2

test: add missing artii cert-key pair These files are generated by cd k8sT/manifests openssl genrsa -out internal-artii.key 2048 openssl req -new -key internal-artii.key -out internal-artii.csr openssl x509 -req -days 3600 -in internal-artii.csr -CA testCA.crt -CAkey testCA.key -CAcreateserial -out internal-artii.crt -sha256 common name needs to be `artii.herokuapp.com`. testCA.key password is `cilium` Signed-off-by: Maciej Kwiek <maciej@isovalent.com>

view details

Maciej Kwiek

commit sha 8ed026ada6b01bf06b05b3cb392c2210eabbbb71

test: fix escaping in l7 tls vis policy Signed-off-by: Maciej Kwiek <maciej@isovalent.com>

view details

Paul Chaignon

commit sha 089060b41bfa817d8b075b8888a394a65b2eaed1

daemon: Skip devices without hw address during device detection We need NodePort and direct routing devices to have a MAC address. If they don't, init.sh fails with the following error: level=warning msg="+ for NATIVE_DEV in ${NATIVE_DEVS//;/ }" subsys=datapath-loader level=warning msg="++ cat /sys/class/net/lo/ifindex" subsys=datapath-loader level=warning msg="+ IDX=1" subsys=datapath-loader level=warning msg="++ ip link show lo" subsys=datapath-loader level=warning msg="++ grep ether" subsys=datapath-loader level=warning msg="++ awk '{print $2}'" subsys=datapath-loader level=warning msg="+ MAC=" subsys=datapath-loader level=error msg="Error while initializing daemon" error="exit status 1" subsys=daemon level=fatal msg="Error while creating daemon" error="exit status 1" subsys=daemon Thus, we need to skip auto-detected devices that don't have a MAC address. This commit implements that and was tested by injecting a loopback interface with an IP address in the code, in the dev. VM: loAddr, err := netlink.ParseAddr("192.168.33.11/32") if err == nil { loAddr.LinkIndex = 1 addrs = append(addrs, *loAddr) } Fixes: #12228 Fixes: #12304 Fixes: 6730d0f ("daemon: Extend BPF NodePort device auto-detection") Signed-off-by: Paul Chaignon <paul@cilium.io>

view details
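The device check the commit describes, as an added example in Go; this is not Cilium's detection code. The commit's reproduction uses vishvananda/netlink; this stand-alone version uses only the standard library's net package, applies the MAC-address requirement alongside the link-up and has-address conditions, and records why each device was skipped, which is what you want logged when auto-detection silently ignores a NIC. The sample devices (lo carrying 192.168.33.11 without a MAC, a tun device, a down NIC) are constructed input, not taken from the commit.

```go
package main

import (
	"fmt"
	"net"
)

// Device is the subset of interface state the selection needs. Building it
// explicitly keeps the check testable without touching the kernel.
type Device struct {
	Name  string
	Flags net.Flags
	HW    net.HardwareAddr
	Addrs []net.IP
}

// DevicesFromSystem snapshots the host's interfaces into Devices.
func DevicesFromSystem() ([]Device, error) {
	ifaces, err := net.Interfaces()
	if err != nil {
		return nil, err
	}
	var devs []Device
	for _, ifi := range ifaces {
		d := Device{Name: ifi.Name, Flags: ifi.Flags, HW: ifi.HardwareAddr}
		addrs, err := ifi.Addrs()
		if err != nil {
			return nil, err
		}
		for _, a := range addrs {
			if ipn, ok := a.(*net.IPNet); ok {
				d.Addrs = append(d.Addrs, ipn.IP)
			}
		}
		devs = append(devs, d)
	}
	return devs, nil
}

// Usable reports whether d can serve as a NodePort / direct-routing device
// and, if not, why. The MAC check is the one the commit adds: the datapath
// init script reads the MAC with `ip link show | grep ether`, so a device
// without one (lo, tun, ...) leaves MAC empty and init fails.
func Usable(d Device) (bool, string) {
	switch {
	case len(d.HW) == 0:
		return false, "no hardware address"
	case d.Flags&net.FlagUp == 0:
		return false, "link down"
	case len(d.Addrs) == 0:
		return false, "no IP address"
	}
	return true, ""
}

// SelectDevices returns the names of usable devices, in input order, and the
// skipped ones with the reason each was skipped.
func SelectDevices(devs []Device) (selected []string, skipped map[string]string) {
	skipped = map[string]string{}
	for _, d := range devs {
		if ok, why := Usable(d); ok {
			selected = append(selected, d.Name)
		} else {
			skipped[d.Name] = why
		}
	}
	return selected, skipped
}

// SampleDevices is constructed input mirroring the commit's reproduction:
// lo injected with 192.168.33.11 and no MAC, next to ordinary NICs.
func SampleDevices() []Device {
	mac, _ := net.ParseMAC("02:00:00:00:00:01")
	return []Device{
		{Name: "lo", Flags: net.FlagUp | net.FlagLoopback, Addrs: []net.IP{net.ParseIP("192.168.33.11")}},
		{Name: "eth0", Flags: net.FlagUp, HW: mac, Addrs: []net.IP{net.ParseIP("10.0.2.15")}},
		{Name: "tun0", Flags: net.FlagUp | net.FlagPointToPoint, Addrs: []net.IP{net.ParseIP("10.8.0.2")}},
		{Name: "eth1", HW: mac},
	}
}

func main() {
	sel, skipped := SelectDevices(SampleDevices())
	fmt.Println("selected:", sel)
	for name, why := range skipped {
		fmt.Printf("skipped %s: %s\n", name, why)
	}
	if devs, err := DevicesFromSystem(); err == nil {
		sel, _ := SelectDevices(devs)
		fmt.Println("on this host:", sel)
	}
}
```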

Paul Chaignon

commit sha 5244b68c146810a99eeb3503739d2a0309ba362e

bpf: Handle icmpv6 in host firewall

In IPv6 mode, when the host firewall is enabled and rules are enforced, we start dropping ICMPv6 packets that are required to route packets. In particular, we can notice the following drops in cilium monitor:

    xx drop (Policy denied) flow 0x1fc0ef0 to endpoint 0, identity 1->0: fd00::c -> f00d::a0f:0:0:dfa1 DestinationUnreachable(NoRouteToDst)
    xx drop (Policy denied) flow 0x0 to endpoint 0, identity 0->0: fd01::c -> fd01::b NeighborAdvertisement

The nodes need to be able to exchange ICMPv6 NS and NA messages to establish routes. We already handle the response to NS messages on ingress, but when the egress policies are enforced, we start dropping outgoing NS and NA messages.

This commit fixes that by allowing and rejecting ICMPv6 messages according to RFC4890 Section 4.4. No other verifications than the types' are performed on the messages' correctness or their source IP addresses. Such messages from the pods are already handled on their egress, so we're not at risk of spoofing from pods here.

Handling of echo request and reply messages does not conform to RFC4890 as they can be filtered by the host firewall. That is to be consistent with our handling of ICMPv4 messages.

With this commit, we also stop answering to NS and echo request messages from the BPF program on ingress to the host. This behavior had been broken by a695f53 ("Endpoint for host"), but we will now explicitly stop replying to those messages and pass them up the stack instead.

Fixes: a695f53 ("Endpoint for host")
Fixes: 489dbef ("bpf: Enforce host policies for IPv6")
Signed-off-by: Paul Chaignon <paul@cilium.io>

view details
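An added example of the type-based ICMPv6 classification the commit describes, written in Go so it runs stand-alone; it is not Cilium's BPF code. It parses the IPv6 and ICMPv6 headers of a raw packet, lets the neighbour discovery messages and the RFC 4890 Section 4.4.1 "must not drop" types bypass the host policy, and hands everything else, echo request and reply included, to the policy path as the commit does. It goes one step beyond the commit, which checks types only: neighbour discovery messages are accepted only with hop limit 255, the RFC 4861 requirement that rejects an NS/NA forwarded from off-link. The type lists are this example's reading of RFC 4890 and ignore its per-code distinctions; the packets are constructed inline.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

const (
	ipv6HeaderLen = 40
	protoICMPv6   = 58
	icmpv6HdrLen  = 4
)

// Verdict is what the host firewall does with an ICMPv6 message before the
// regular L3/L4 policy lookup.
type Verdict int

const (
	VerdictPolicy Verdict = iota // fall through to host policy (may be denied)
	VerdictAllow                 // needed for routing / ND: bypass policy
	VerdictDrop                  // ND message that cannot have come from on-link
)

func (v Verdict) String() string { return []string{"policy", "allow", "drop"}[v] }

// ICMPv6Info is the subset of header fields the classifier looks at.
type ICMPv6Info struct {
	Src, Dst   net.IP
	HopLimit   uint8
	Type, Code uint8
}

// ParseICMPv6 reads the IPv6 and ICMPv6 headers of a raw packet. Extension
// headers are not walked; such packets are returned as errors so the caller
// treats them as ordinary policy traffic.
func ParseICMPv6(pkt []byte) (ICMPv6Info, error) {
	var info ICMPv6Info
	if len(pkt) < ipv6HeaderLen+icmpv6HdrLen {
		return info, errors.New("packet too short for IPv6+ICMPv6 headers")
	}
	if pkt[0]>>4 != 6 {
		return info, errors.New("not an IPv6 packet")
	}
	if pkt[6] != protoICMPv6 {
		return info, fmt.Errorf("next header %d is not ICMPv6", pkt[6])
	}
	if plen := int(binary.BigEndian.Uint16(pkt[4:6])); plen < icmpv6HdrLen || plen > len(pkt)-ipv6HeaderLen {
		return info, errors.New("payload length does not match packet")
	}
	info.Src, info.Dst = net.IP(pkt[8:24]), net.IP(pkt[24:40])
	info.HopLimit = pkt[7]
	info.Type, info.Code = pkt[ipv6HeaderLen], pkt[ipv6HeaderLen+1]
	return info, nil
}

// ndpTypes: RFC 4861 Neighbor Discovery (RS 133, RA 134, NS 135, NA 136,
// Redirect 137), the messages nodes exchange to establish routes.
var ndpTypes = map[uint8]bool{133: true, 134: true, 135: true, 136: true, 137: true}

// mustNotDrop: the remaining RFC 4890 Section 4.4.1 types, i.e. error messages
// 1-4, MLD 130-132/143, SEND 148/149 and multicast router discovery 151-153.
// Codes are not distinguished here (a simplification of this example).
var mustNotDrop = map[uint8]bool{
	1: true, 2: true, 3: true, 4: true, 130: true, 131: true, 132: true, 143: true,
	148: true, 149: true, 151: true, 152: true, 153: true,
}

// Classify decides by ICMPv6 type, as the commit does, plus one check the
// commit leaves out: ND messages must carry hop limit 255 (RFC 4861), so one
// that crossed a router is dropped rather than trusted. Echo request/reply
// (128/129) stay subject to policy, matching the commit rather than RFC 4890.
func Classify(info ICMPv6Info) Verdict {
	switch {
	case ndpTypes[info.Type]:
		if info.HopLimit != 255 {
			return VerdictDrop
		}
		return VerdictAllow
	case mustNotDrop[info.Type]:
		return VerdictAllow
	default:
		return VerdictPolicy
	}
}

// BuildICMPv6 constructs a minimal IPv6+ICMPv6 packet as test input. The
// ICMPv6 checksum is left zero; ParseICMPv6 does not verify it.
func BuildICMPv6(src, dst net.IP, hopLimit, typ, code uint8, payload []byte) []byte {
	pkt := make([]byte, ipv6HeaderLen+icmpv6HdrLen+len(payload))
	pkt[0] = 6 << 4
	binary.BigEndian.PutUint16(pkt[4:6], uint16(icmpv6HdrLen+len(payload)))
	pkt[6], pkt[7] = protoICMPv6, hopLimit
	copy(pkt[8:24], src.To16())
	copy(pkt[24:40], dst.To16())
	pkt[ipv6HeaderLen], pkt[ipv6HeaderLen+1] = typ, code
	copy(pkt[ipv6HeaderLen+icmpv6HdrLen:], payload)
	return pkt
}

func main() {
	src, dst := net.ParseIP("fd01::c"), net.ParseIP("fd01::b")
	for _, c := range [][2]uint8{{255, 136}, {64, 136}, {64, 1}, {64, 128}} {
		info, _ := ParseICMPv6(BuildICMPv6(src, dst, c[0], c[1], 0, nil))
		fmt.Printf("type %3d hop %3d -> %s\n", info.Type, info.HopLimit, Classify(info))
	}
}
```

The second constructed packet is the case the hop-limit check exists for: an NA with hop limit 64 is syntactically a valid neighbour advertisement, but RFC 4861 says it must be discarded because a router decremented the hop limit on the way, so it was not sent by an on-link neighbour.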

Joe Stringer

commit sha 655c6362c5c44a554039f297b9bde55fc5413f28

docs: Switch hostfw tech-preview -> beta After discussion from the Cilium community meeting, we determined that the beta designation is more appropriate for the state of the host firewall feature. Signed-off-by: Joe Stringer <joe@cilium.io>

view details

André Martins

commit sha 360a21082266cb10da031cd7bed6e75c436a5123

test: fix k8s upgrade testing for 1.9-dev Signed-off-by: André Martins <andre@cilium.io>

view details

André Martins

commit sha 5c3a67ccd13e9177eb1ab7d41a93dd93ebba2376

test: add v1.8 upgrade to the nightly tests Signed-off-by: André Martins <andre@cilium.io>

view details

Ilya Dmitrichenko

commit sha c41443024f8eada312773267d26bb57e9742eb29

build: Import key scripts from cilium/image-tools@05025951392aaff17a5828b8052c2535f079667f This is a temporary measure, these scripts should be consumed either as a submodule, or a portable tool (see cilium/image-tools#10). Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

view details

Ilya Dmitrichenko

commit sha 1db0a3c8f457545368d95433f05c646610b75bbe

build: Disable hadolint, adjust subdirs hadolint doesn't yet support experimental `RUN --mount` syntax. Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

view details

Ilya Dmitrichenko

commit sha 7ae9c1bdead8c83cbcbb23b58c665eebe0de4873

build: New runtime image with multi-platform support Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

view details

Ilya Dmitrichenko

commit sha 2f4fa36809d7a9072a641195b6860a5ebbfa0bea

build: New builder image supporting cross-compilation Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

view details

Ilya Dmitrichenko

commit sha 96c2bd5bed77ce3d7841464c6680deadc5810b2e

build: Add new multi-platform cilium image This image omits Hubble CLI and Envoy for now, as neither have arm64 builds at the moment. Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

view details

Ilya Dmitrichenko

commit sha 23e6992197a947e66036b9df99a95e6a1bf09edc

build: Add new multi-platform operator image This initial version includes all operator flavours, since parametrisation needs some more work to be fully integrated, and it's better to avoid duplication of Dockerfiles. Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

view details

Ilya Dmitrichenko

commit sha 292a7247c536aace7db7bff11afbaab10040de15

build: Add new multi-platform hubble-relay image Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

view details

Ilya Dmitrichenko

commit sha beff4a7095e0d3187ccdcf41662dc9c84642b0fa

build: Add Makefile and GitHub Actions workflow for new images Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

view details

Ilya Dmitrichenko

commit sha f28b2a9a32c079129ede61c2af1c7411248fa29d

build: Add helper scripts to update runtime and builder images Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

view details

Ilya Dmitrichenko

commit sha a17071884556888bc350aab8a81f8935e3a57398

CODEOWNERS: Add GitHub Actions workflows and new images dir to @cilium/build group Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

view details

Ilya Dmitrichenko

commit sha c2f29645d5e1263aba298189c2e9dac6bf8be22e

build: Add documentation for next-gen images Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

view details

push time in 7 days

pull request commentcilium/cilium

bpf: run kernel's checkpatch.pl locally and as GitHub action, fix style

I will implement your suggestion in a follow-up, if you don't mind.

@qmonnet of course! Hit me up when you find the time to do it :)

qmonnet

comment created time in 7 days

push eventcilium/cilium

Ilya Dmitrichenko

commit sha fe1e130429e24169f33b2f20e672d0d361f75d10

build: Simplify how `BPF_SRCFILES` is set in git-free mode Since git-free mode is for builds inside a container, it is safe to assume that all files under `bpf` came from the Cilium git tree. For that purpose `find` is sufficient and there is no need for a two-stage process with `BPF_SRCFILES` file being written first. Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

view details

push time in 7 days

pull request commentcilium/cilium

build: Simplify how `BPF_SRCFILES` is set in git-free mode

@tklauser @Rolinh I think I fixed it!

errordeveloper

comment created time in 7 days

pull request commentcilium/cilium

build: Simplify how `BPF_SRCFILES` is set in git-free mode

Ok, actually it needs more work. I'll post an update once I figured this out.

errordeveloper

comment created time in 7 days

Pull request review commentcilium/cilium

build: Simplify how `BPF_SRCFILES` is set in git-free mode

 GO_BUILD_LDFLAGS += -X "github.com/cilium/cilium/pkg/envoy.RequiredEnvoyVersionS  # Use git only if in a Git repo, otherwise depend on file BPF_SRCFILES existing ifneq ($(wildcard $(dir $(lastword $(MAKEFILE_LIST)))/.git),)-	BPF_FILES_EVAL = $(shell git ls-files $(ROOT_DIR)/bpf/ | grep -v .gitignore | tr "\n" ' ')-	BPF_FILES ?= $(BPF_FILES_EVAL)-	BPF_SRCFILES := $(subst ../,,$(BPF_FILES))+	BPF_SRCFILES := $(shell git ls-files $(ROOT_DIR)/bpf/ | grep -v .gitignore | tr "\n" ' ') else-	BPF_SRCFILES = $(shell cat $(ROOT_DIR)/BPF_SRCFILES)+	BPF_SRCFILES := $(shell cd $(ROOT_DIR) && find bpf/ -type f | grep -v .gitignore | tr "\n" ' ')
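Review bot: The git branch drops the `$(subst ../,,$(BPF_FILES))` step, but `git ls-files $(ROOT_DIR)/bpf/` prints paths relative to the current directory, so whenever `ROOT_DIR` is `../` (the Makefile invoked from a subdirectory) every entry keeps a `../` prefix that the removed line used to strip, and the two branches no longer produce the same `bpf/...` form. Either keep a `$(subst $(ROOT_DIR),,...)` on the git result or run `git -C $(ROOT_DIR) ls-files bpf/` so the output is root-relative by construction. The comment above the `ifneq` ("otherwise depend on file BPF_SRCFILES existing") is now stale, since the file is no longer read.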

I've reverted back to subst, but now the idea is that ROOT_DIR is being stripped off explicitly, not ../.

errordeveloper

comment created time in 7 days

push eventcilium/cilium

Ilya Dmitrichenko

commit sha 05652db744e91f8a6ee21f136c91d378dfe2d599

build: Simplify how `BPF_SRCFILES` is set in git-free mode Since git-free mode is for builds inside a container, it is safe to assume that all files under `bpf` came from the Cilium git tree. For that purpose `find` is sufficient and there is no need for a two-stage process with `BPF_SRCFILES` file being written first. Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

view details

push time in 7 days

Pull request review commentcilium/cilium

build: Simplify how `BPF_SRCFILES` is set in git-free mode

 GO_BUILD_LDFLAGS += -X "github.com/cilium/cilium/pkg/envoy.RequiredEnvoyVersionS  # Use git only if in a Git repo, otherwise depend on file BPF_SRCFILES existing ifneq ($(wildcard $(dir $(lastword $(MAKEFILE_LIST)))/.git),)-	BPF_FILES_EVAL = $(shell git ls-files $(ROOT_DIR)/bpf/ | grep -v .gitignore | tr "\n" ' ')-	BPF_FILES ?= $(BPF_FILES_EVAL)-	BPF_SRCFILES := $(subst ../,,$(BPF_FILES))+	BPF_SRCFILES := $(shell git ls-files $(ROOT_DIR)/bpf/ | grep -v .gitignore | tr "\n" ' ') else-	BPF_SRCFILES = $(shell cat $(ROOT_DIR)/BPF_SRCFILES)+	BPF_SRCFILES := $(shell cd $(ROOT_DIR) && find bpf/ -type f | grep -v .gitignore | tr "\n" ' ')
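Review bot: In the else branch, `find bpf/ -type f` lists every file under the directory, including untracked build output or editor backups that `git ls-files` would never return, so a git-free build can pick up stray files that the git path excludes; add `! -name '*.o'` (and any other generated patterns) to the `find` or document that the tree must be clean. Also, `grep -v .gitignore` is an unanchored regex with an unescaped dot; `grep -v -F '/.gitignore'` says what is meant.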

The point is that we want to search ${ROOT_DIR}/bpf, but find ${ROOT_DIR}/bpf yields the ${ROOT_DIR} prefix in all of the results. And in the non-git case inside a container ROOT_DIR was not set to ../, it was actually an absolute path, namely /go/src/github.com/cilium/cilium.

It does look like the whole thing is more convoluted than I expected it to be; I might have to rethink it or even leave it for later.

errordeveloper

comment created time in 7 days

pull request commentcilium/cilium

bpf: run kernel's checkpatch.pl locally and as GitHub action, fix style

It could, but I'm not sure this is the best thing to do. The script might get some “breaking” changes (such as trying to read a new file, like it just did for the “deprecated terms”: If the file is not found it errors out, which would make the GH action fail). So I'd rather keep the updates manual so we can check there is no bad surprise. Plus it's about formatting anyway, so not a big deal if we don't get the “latest features” from the script.

@qmonnet I wasn't suggesting that, I was suggesting that instead of having the script checked in, it'd be better to package it inside an image, and no need to pollute this repo with a huge script that is not written in any of the languages that are common to the project and is under GPL (not APL).

So instead of checking the script in here, it would be a concern of the image-tools repo to either download it on image build, or have it checked in (if really needed). But it certainly won't be downloaded at runtime.

And in this repo (and possibly other repos), it could be consumed like this:

      - uses: actions/checkout@v1
      - uses: docker://docker.io/cilium/checkpatch:3e2ea4f151593908c362307a1de22e68610d955c
        name: Run checkpatch.pl

And in a makefile:

checkpatch:
	@$(ECHO_CHECK) "(checkpatch)"
	$(QUIET) docker run <args> docker.io/cilium/checkpatch:3e2ea4f151593908c362307a1de22e68610d955c

So instead of being part of a source tree, it would be a packaged tool basically.

qmonnet

comment created time in 7 days

pull request commentcilium/cilium

build: Simplify how `BPF_SRCFILES` is set in git-free mode

Oh, it must be the case of ROOT_DIR := ../.

errordeveloper

comment created time in 7 days

pull request commentcilium/cilium

build: Simplify how `BPF_SRCFILES` is set in git-free mode

@tklauser any ideas where could ../ be coming from? I could really tell in my local tests that it could possibly be a thing.

errordeveloper

comment created time in 7 days

pull request commentcilium/cilium

bpf: run kernel's checkpatch.pl locally and as GitHub action, fix style

@qmonnet thanks for doing this! I wonder if the perl script itself needs to be checked in the repo at all, perhaps it could be a one of image-tools container images?

qmonnet

comment created time in 7 days

push eventcilium/cilium

Ilya Dmitrichenko

commit sha 1f15d579ea9786ee2f8a13411ae6e001b7693a74

build: Simplify how `BPF_SRCFILES` is set in git-free mode Since git-free mode is for builds inside the container, it is safe to assume that all files under `bpf` came from the Cilium git tree. For that purpose `find` is sufficient and there is no need for a two-stage process with `BPF_SRCFILES` file being written first. Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

view details

push time in 7 days

Pull request review commentcilium/cilium

build: Experimental multi-platform images

+# syntax=docker/dockerfile:1.1-experimental++# Copyright 2020 Authors of Cilium+# SPDX-License-Identifier: Apache-2.0++ARG CILIUM_BUILDER_IMAGE=docker.io/cilium/cilium-builder-dev:5c1d8916b5ad0fbb86aabcc6239e163b6c645a71+ARG CILIUM_RUNTIME_IMAGE=docker.io/cilium/cilium-runtime-dev:bf5a13ab0dd341b446ec1f40a809d365024eeb09++FROM --platform=linux/amd64 ${CILIUM_BUILDER_IMAGE} as builder++ARG NOSTRIP+ARG LOCKDEBUG++RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/cilium --mount=target=/root/.cache,type=cache --mount=target=/go/pkg/mod,type=cache \+  make clean-container build-container install-container \+    NOSTRIP=$NOSTRIP LOCKDEBUG=$LOCKDEBUG PKG_BUILD=1 SKIP_DOCS=true DESTDIR=/out/linux/amd64++RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/cilium --mount=target=/root/.cache,type=cache --mount=target=/go/pkg/mod,type=cache \+  env GOARCH=arm64 CC=aarch64-linux-gnu-gcc \+    make clean-container build-container install-container \+      NOSTRIP=$NOSTRIP LOCKDEBUG=$LOCKDEBUG PKG_BUILD=1 SKIP_DOCS=true DESTDIR=/out/linux/arm64 \+      HOST_CC=aarch64-linux-gnu-gcc HOST_STRIP=aarch64-linux-gnu-strip
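Review bot: `ARG CILIUM_BUILDER_IMAGE` and `ARG CILIUM_RUNTIME_IMAGE` pin their defaults by tag (`cilium-builder-dev:5c1d89...`, `cilium-runtime-dev:bf5a13...`); a registry tag is mutable, so two builds of this Dockerfile are not guaranteed to start from the same bytes. Pin by content digest (`docker.io/cilium/cilium-builder-dev@sha256:...`) or have the workflow verify the digest, and do the same for the `# syntax=docker/dockerfile:1.1-experimental` frontend line, which also floats with its tag.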

But from line 9 to line 33 we are building for both archs at the same time, no?

No, that's from line 34 onwards.

Also, why are we mounting /go/pkg/mod? Cilium vendors all code in the vendor directory

That is just a matter of re-using a pattern, and do note that directory is mounted as cache, so if something does end up there it will get cached, but if nothing does, nothing will get cached.

errordeveloper

comment created time in 7 days

Pull request review commentcilium/cilium

build: Experimental multi-platform images

+# syntax=docker/dockerfile:1.1-experimental++# Copyright 2020 Authors of Cilium+# SPDX-License-Identifier: Apache-2.0++ARG CILIUM_BUILDER_IMAGE=docker.io/cilium/cilium-builder-dev:5c1d8916b5ad0fbb86aabcc6239e163b6c645a71+ARG CILIUM_RUNTIME_IMAGE=docker.io/cilium/cilium-runtime-dev:bf5a13ab0dd341b446ec1f40a809d365024eeb09++FROM --platform=linux/amd64 ${CILIUM_BUILDER_IMAGE} as builder++ARG NOSTRIP+ARG LOCKDEBUG++RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/cilium --mount=target=/root/.cache,type=cache --mount=target=/go/pkg/mod,type=cache \+  make clean-container build-container install-container \+    NOSTRIP=$NOSTRIP LOCKDEBUG=$LOCKDEBUG PKG_BUILD=1 SKIP_DOCS=true DESTDIR=/out/linux/amd64++RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/cilium --mount=target=/root/.cache,type=cache --mount=target=/go/pkg/mod,type=cache \+  env GOARCH=arm64 CC=aarch64-linux-gnu-gcc \+    make clean-container build-container install-container \
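Review bot: The arm64 step passes its cross-compilation settings inconsistently: `GOARCH=arm64 CC=aarch64-linux-gnu-gcc` go through `env`, while `HOST_CC` and `HOST_STRIP` are passed as make variables on the same command line. Passing all four as make variables (`make ... GOARCH=arm64 CC=aarch64-linux-gnu-gcc HOST_CC=aarch64-linux-gnu-gcc HOST_STRIP=aarch64-linux-gnu-strip`) keeps the toolchain selection in one place and stops `CC` from being inherited by every sub-process the make invocation spawns.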

This is due to exclusion of .git dir, waiting for https://github.com/cilium/cilium/pull/12326.

errordeveloper

comment created time in 7 days

PR opened cilium/cilium

build: Simplify how `BPF_SRCFILES` is set in git-free mode area/build release-note/ci
+4 -13

0 comment

4 changed files

pr created time in 7 days
