Risc-V journey thru containers and new projects
Just local BPF wip branches for upstream
nice C code snippets
LSCI 2012 Programing Project
Build gccgo toolchain from scratch
Container introspection tool. Find out what container runtime is being used as well as features available.
Tools for Tegra 3 based Toradex Apalis modules
ARP Ping
A Go module datastore and proxy
pull request commentcilium/cilium
metricsmap: reduce MaxEntries to account for maximum key space
test-me-please
comment created time in 2 days
PR opened cilium/cilium
Currently, the size of the metrics map is chosen to account for the theoretical maximum key space of 216 (2 uint8: direction and reason). However, the direction currently uses max. 2 bits (3 possible values: unknown, ingress and egress). Thus we can reduce the size of the map to 1024 (210) and still cover the entire key space used.
This reduces the metrics map size from ~1.5MB to ~24KB.
Updates #10056
pr created time in 2 days
create barnchcilium/cilium
branch : pr/tklauser/metricsmap-reduce-size
created branch time in 2 days
pull request commentcilium/cilium
option: reduce default number for TCP CT max entires
test-docs-please
comment created time in 2 days
pull request commentcilium/cilium
option: reduce default number for TCP CT max entires
test-me-please
comment created time in 2 days
push eventcilium/cilium
commit sha f519dfb19ebad2d1ed00ebdf6bbf157b5ff3b8c7
options: add godoc for CTMapEntriesGlobal* consts Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 2 days
PR opened cilium/cilium
Commit e824a86bba21 ("daemon: Allow configuration of CT max entries")
bumped the default value to 1000000 in order to ease upgrades from
Cilium 1.2. In the helm charts, the value was again set to 512KB via the
ct-global-max-entries-tcp option. However, if Cilium is not deployed
via helm charts (e.g. when running as a systemd service in the devel
VM) the large default number of entries is used.
Set the default value to 512KB again and instead advise users in the helm chart comments to set it to 1000000 in case they're upgrading from Cilium v1.2.
This saves about ~150MB of memory at runtime.
Updates #10056
The default maximum number of entries in the BPF TCP ctmap is reduced to 512K.
pr created time in 2 days
create barnchcilium/cilium
branch : pr/tklauser/ctmap-tcp-global-default-size
created branch time in 2 days
pull request commentcilium/cilium
[RFC] make: strip symbol tables from all binaries by default
Does this have an impact on the memory consumption of
cilium-agentor only on binary size?
AFAICS it only affects binary size. Memory consumption is more or less the same.
comment created time in 2 days
pull request commentcilium/cilium
[RFC] make: strip symbol tables from all binaries by default
test-me-please
comment created time in 2 days
push eventcilium/cilium
commit sha f5c42e7e0cda0c2a0ee46a8467382c8acc6fd388
api: Add missing annotations to generate DeepCopy for new status fields The referenced commits below did not add the annotations required to generate the DeepCopy() code. Add the annotations and autogenerate the code. Fixes: b2271f74c0f ("api: Extend proxy redirect status") Fixes: 06add2d8ba7 ("api: Add KubeProxyReplacement field to StatusResponse") Signed-off-by: Thomas Graf <thomas@cilium.io>
commit sha 7d7a3db5a828d56244147138481da4d7ca9f880e
docs: Fix formatting of link to GCloud SDK Link format was Markdown instead of reStructuredText. Signed-off-by: Paul Chaignon <paul@cilium.io>
commit sha 5dde03ae860f06eab0d44b78fd0b2144d93688ee
docs: Duplicate validation step Since we deploy Cilium in its own cilium namespace, we need to change the Validation section accordingly. Signed-off-by: Paul Chaignon <paul@cilium.io>
commit sha 09fc8da0525485e53f439236f600972955acac20
docs: Clarify why global.restartPods is not the default Users might not want to restart pods as soon as the Cilium daemonset is installed, so we provide a separate step for that. Since we also mention the global.restartPods flag, let's clarify why that's not always a good idea and not our default. Signed-off-by: Paul Chaignon <paul@cilium.io>
commit sha a4ce0e1872e397acc50857f7b51accc35b8b3b26
docs: De-duplicate Connectivity Test section Signed-off-by: Paul Chaignon <paul@cilium.io>
commit sha b52a9821418c09bd1ab0bc4950713013cd1d87d8
client, identity: remove unnecessary guards around delete() From https://golang.org/pkg/builtin/#delete > If the map is nil or there is no such element, delete is a no-op. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha c1b28422502c0636496fdc6b8c415ecccc5c2375
.github: update cilium-actions for latest 1.7 RC Signed-off-by: Joe Stringer <joe@cilium.io>
commit sha 3f18897f19ec5eac8c2b0b1abe1278c26ddb7cf0
datapath: Filter out bpftool probes emitting dmesg messages bpftool feature probes related to trace, perf and write_user helpers are emitting dmesg messages with warnings which may be confusing for operators running Cilium on production environments. After this change, those probes will be not performed. Fixes #10048 Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
commit sha 780393d48f31292fc33d887bd9adb06284a26287
Dockerfile: Use Cilium fork of the kernel to build bpftool Cilium fork of the Linux kernel contains necessary enhancements for bpftool which are not avalavle upstream yet. Ref: #10048 Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
commit sha c4b6095d69fca4b9875d2c222bba434e818632d6
ci: Install bpftool from Cilium fork of the kernel This should be done in packer-ci-build, but to get the fix faster, we install patched bpftool here as a temporary hack... Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
commit sha 640b7a6cb35905ca1aafd3010baf9b8265d383c9
charts: Generate versions from VERSION file Use the top-of-tree VERSION file to generate the chart versions and update the pull policy using the following rules: * Set the helm chart versions to the VERSION in the file * If the VERSION file ends with ".90": - Set the cilium tag to 'latest' - Set the pullPolicy to 'Always' * If the VERSION file does not end with ".90": - Set the cilium tag to the VERSION in the file - Set the pullPolicy to 'IfNotPresent' * Set the managed-etcd version tag to the version specified at the top of this Makefile. This must be manually bumped, it does not appear to follow the standard Cilium docker image tag process. Signed-off-by: Joe Stringer <joe@cilium.io>
commit sha 1dfe49f45a8b8d15c11868b9d5d36adc8e8b76a2
Documentation: read Go version from GO_VERSION file for development setup This avoids having to bump the Go version in the docs manually and also allows to get rid of the Go version check in Documentation/Makefile. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 7dd2b36782e79a41078234e33af2d4cdd63c83d8
test: define variable for Go version This will allow to easily bump the version via a Makefile target introduced in a successive commit. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha c95f93b87cfc7fbe0bc8ea5698b4bb59d3645e7f
Makefile: add target to update Go version in test scripts Read the Go version from the GO_VERSION file and use it to replace the hard-coded versions in the test scripts. Together with the preceding commits, this allows to bump the Go version in a single place: the GO_VERSION file. Updating to a new Go version (1.13.8 in this example) is now as easy as: echo 1.13.8 > GO_VERSION && make update-golang Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 46300783b166ac13300d78113e99a2a6e1cbf534
bpf: Fix space hack in Makefile Fix the space hack which stopped working with make v4.3 (works with v4.2 though): [..] " [-DENABLE_HOST_REDIRECT-DENABLE_IPV4-DENABLE_IPV6-DENABLE_NAT46]"; clang -DENABLE_HOST_REDIRECT-DENABLE_IPV4-DENABLE_IPV6-DENABLE_NAT46 -I/home/brb/sandbox/gopath/src/github.com/cilium/cilium/bpf/include -I/home/brb/sandbox/gopath/src/github.com/cilium/cilium/bpf -D__NR_CPUS__=8 -O2 -g -target bpf -emit-llvm -Wall -Werror -Wno-address-of-packed-member -Wno-unknown-warning-option -c bpf_lxc.c -o bpf_lxc.ll; llc -march=bpf -mcpu=probe -mattr=dwarfris -o /dev/null bpf_lxc.ll; \ fi In file included from <built-in>:323: <command line>:1:20: error: ISO C99 requires whitespace after the macro name [-Werror,-Wc99-extensions] #define ENABLE_IPV4-DHAVE_LPM_MAP_TYPE 1 Signed-off-by: Martynas Pumputis <m@lambda.lt>
commit sha 0e5b45966416eca4795ddedd5218e631b1dd959a
Makefile: move cscope.files generation to its own target Commit 6c66fe9df9f6 ("Makefile: Fix duplicates in cscope output") added cscope.files as a dependency to the "tags" target. However, this is the very target supposed to be used to build cscope.files in the first place, so running "make tags" for the first time (when cscope.files is not present) fails. Let's keep cscope.files as a dependency for "tags", but move the generation of that file to its own target. Also silence the "ctags" command when creating tags. Fixes: 6c66fe9df9f6 ("Makefile: Fix duplicates in cscope output") Signed-off-by: Quentin Monnet <quentin@isovalent.com>
commit sha 1bf235a4cecbc844740e949165607cd25b33e1a4
clustermesh: Add cilium status section Brief status: ``` ClusterMesh: 1/1 clusters ready, 1 global-services ``` Verbose status: ``` ClusterMesh: 1/1 clusters ready, 1 global-services cluster2: ready, 2 nodes, 3 identities, 1 services └ etcd: 1/1 connected, lease-ID=19b870354bdf4432, lock lease-ID=19b870354bdf4434, has-quorum=true: https://cluster2.mesh.cilium.io:2379 - 3.3.12 ``` Signed-off-by: Thomas Graf <thomas@cilium.io>
commit sha 1810709a25e50d8db9101d1ede71be8568220317
vagrant: Install temporary forked bpftool Provisioning of the Vagrant development environment fails due to the missing forked bpftool: $ ./contrib/vagrant/start.sh [...] runtime1: Feb 13 17:26:23 runtime1 cilium-agent[20863]: level=error msg="Command execution failed" cmd="[bpftool -j feature probe filter_out \\(trace\\|write_user\\)]" error="exit status 255" subsys=probes runtime1: Feb 13 17:26:23 runtime1 cilium-agent[20863]: level=warning msg="{\"error\":\"expected no more arguments, 'kernel', 'dev', 'macros' or 'prefix', got: 'filter_out'?\"}" subsys=probes runtime1: Feb 13 17:26:23 runtime1 cilium-agent[20863]: level=fatal msg="could not run bpftool" error="exit status 255" subsys=probes runtime1: Cilium failed to start [...] This provisioning failure was introduced by #10164. Cilium now expects bpftool to be Cilium's (temporary) forked version, but the VirtualBox VM has the upstream bpftool. This commit installs the forked bpftool as part of the Vagrant provisioning. Signed-off-by: Paul Chaignon <paul@cilium.io>
commit sha 5b9002d61500b674c04b5bdd4aa00f91619af8e0
docs: fix link for Cilium-PR-Kubernetes-Upstream job Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 459925361e4a05f83c4366df93830c017e9a0425
golang: update to 1.13.8 Signed-off-by: André Martins <andre@cilium.io>
push time in 2 days
pull request commentcilium/cilium
Add priority class to operator deployment
The link for Submitting a Pull Request is dead.
Thanks for the report. I sent PR #10287 which fixes the link (and the one to the COO too).
comment created time in 2 days
PR opened cilium/cilium
Adjust the links to their new location and change them to https.
Reported-by: Maximilian Bischoff maximilian.bischoff@inovex.de (in #10285) Signed-off-by: Tobias Klauser tklauser@distanz.ch
pr created time in 2 days
pull request commentcilium/cilium
[WIP] plugins/cilium-cni: duplicate ENISpec
test-me-please
comment created time in 2 days
push eventtklauser/netsniff-ng
commit sha 1fe3d20291b339101d8931a15816add1ea85beef
AUTHORS: update Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 21b9cc33337e904dee4cac87794291ca95a148dd
mz: Zero memory allocated for new automops element Prevent crashes when using mausezahn in interactive mode by using calloc to zero the memory upon allocation. Fixes #195 Signed-off-by: Michael R Torres <mic.ric.tor@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 2 days
PR closed netsniff-ng/netsniff-ng
Prevent crashes when using mausezahn in interactive mode by using calloc to zero the memory upon allocation.
Fixes #195
Signed-off-by: Michael R Torres mic.ric.tor@gmail.com
pr closed time in 2 days
pull request commentnetsniff-ng/netsniff-ng
mz: Zero memory allocated for new automops element
Thanks! Merged as 21b9cc33337e904dee4cac87794291ca95a148dd
comment created time in 2 days
push eventnetsniff-ng/netsniff-ng
commit sha 21b9cc33337e904dee4cac87794291ca95a148dd
mz: Zero memory allocated for new automops element Prevent crashes when using mausezahn in interactive mode by using calloc to zero the memory upon allocation. Fixes #195 Signed-off-by: Michael R Torres <mic.ric.tor@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 2 days
issue closednetsniff-ng/netsniff-ng
backtrace:
$ sudo gdb -q -ex run --args mausezahn/mausezahn -x 2323
Reading symbols from mausezahn/mausezahn...done.
Starting program: /home/mcroce/src/netsniff-ng/mausezahn/mausezahn -x 2323
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
warning: Loadable section ".note.gnu.property" outside of ELF segments
Program received signal SIGSEGV, Segmentation fault.
0x0000000000405336 in automops_delete_fields (amp=0x6cceb0) at staging/automops.c:798
798 cur = cur->next;
Missing separate debuginfos, use: dnf debuginfo-install glibc-2.27-30.fc28.x86_64 libcli-1.9.7-0.20160131gite60d4cc.fc28.x86_64 libnet-1.1.6-15.fc28.x86_64 libpcap-1.9.0-1.fc28.x86_64 libxcrypt-4.1.1-4.fc28.x86_64
(gdb) bt
#0 0x0000000000405336 in automops_delete_fields (amp=0x6cceb0) at staging/automops.c:798
#1 0x00000000004036b6 in automops_set_defaults (cur=0x6cceb0) at staging/automops.c:62
#2 0x000000000040356f in automops_init () at staging/automops.c:32
#3 0x0000000000406e6d in mz_cli_init () at staging/cli.c:28
#4 0x000000000042943b in getopts (argc=3, argv=0x7fffffffe4c8) at staging/mausezahn.c:819
#5 0x00000000004296fc in main (argc=3, argv=0x7fffffffe4c8) at staging/mausezahn.c:916
(gdb)
closed time in 2 days
teknoraver
push eventnetsniff-ng/netsniff-ng
commit sha 1fe3d20291b339101d8931a15816add1ea85beef
AUTHORS: update Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 2 days
issue commentcilium/cilium
Since we just use it for the JSON spec, I tried duplicating ENISpec into cilium-cni/types with #10282 as a low-effort short term solution. Currently, it's running through CI. I'm not sure whether I overlooked something?
comment created time in 2 days
pull request commentcilium/cilium
[WIP] plugins/cilium-cni: duplicate ENISpec
test-me-please
comment created time in 2 days
PR opened cilium/cilium
Duplicate type ENISpec struct from pkg/k8s/apis/cilium.io/v2 to reduce
package dependencies. This reduces the binary size of cilium-cni from
~47M to ~21M for #10056
While not very elegant, this would be a low-effort solution to reduce cilium-cni binary size significantly. Not sure if I overlooked something, thus testing this on CI.
pr created time in 2 days
create barnchcilium/cilium
branch : pr/tklauser/rfc-cilium-cni-duplicate-enispec
created branch time in 2 days
pull request commentcilium/cilium
iptables: de-duplicate code for forward chain rules
test-me-please
comment created time in 2 days
PR opened cilium/cilium
Move the installation of the forward chain rules into a separate
function which is called from (*IptablesManager).TransientRulesStart and
(*IptablesManager).InstallRules.
De-duplicate code in (*IptablesManager).ciliumNoTrackXfrmRules.
pr created time in 2 days
push eventcilium/cilium
commit sha c03fae17fbe79d595e249f49ea811248e56e8cb9
iptables: de-duplicate code in (*IptablesManager).ciliumNoTrackXfrmRules Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 2 days
push eventcilium/cilium
commit sha 6af97cb7c8deed204649d81c758dd95908e5f084
iptables: de-duplicate code for forward chain rules Move the installation of the forward chain rules into a separate function which is called from (*IptablesManager).TransientRulesStart and (*IptablesManager).InstallRules. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 2 days
push eventcilium/cilium
commit sha b78b2ed23ae73d40d50d3200ae6a33a8c3bf6b62
iptables: de-duplicate code for forward chain rules Move the installation of the forward chain rules into a separate function which is called from (*IptablesManager).TransientRulesStart and (*IptablesManager).InstallRules. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 2 days
create barnchcilium/cilium
branch : pr/tklauser/datapath-iptables-deduplicate-code
created branch time in 2 days
pull request commentcilium/cilium
bpf: use syscall.BytePtrFromString instead of deprecated syscall.StringBytePtr
@joestringer not really a bugfix, rather a cleanup
comment created time in 2 days
pull request commentcilium/cilium
bpf: use syscall.BytePtrFromString instead of deprecated syscall.StringBytePtr
test-me-please
comment created time in 2 days
push eventcilium/cilium
commit sha 40657fa1ed98f10f90453b02cd69c67b6fce192b
test: upgrade tests from v1.7 to master Signed-off-by: André Martins <andre@cilium.io>
commit sha f5d76918395ddb5564f166967c4a5d688c0a8215
datapath/loader: always set all args to bpf/init.sh Passing empty strings to bpf/init.sh will lead to arguments being misinterpreted as their index is no longer correct. This can e.g. lead to the MTU not being set in "vxlan" mode as seen in #10228. Thus, always set all 17 (current value initArgMax) arguments top non-empty values. Use "<nil>" as a default empty value if the arg is not used by bpf/init.sh. Fixes #10228 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 01fb5de90b6e76a658302d82a70c9c5dea75d5ba
daemon: remove deprecated --enable-legacy-services option The option was announced to be deprecated in Cilium 1.6 with commit 6eb4d1d89e6a ("daemon: Deprecate `enable-legacy-services` option"). It no longer had any effect, so remove it now. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 5ceca6336eb447a145732d691772ecf950edd6c0
sysctl: Add Read function The function can be used for reading sysctl parameters. Signed-off-by: Martynas Pumputis <m@lambda.lt>
commit sha 1099ecfea1535d38417ceb2bba44e4b4438ea260
option: Check nodePortMax < ephermeralPortMin in agent Previously, if the ephermeral range min port was not greater than the nodeport range max port, the compilation of bpf_netdev was failing with a cryptic message: level=warning msg="In file included from /var/lib/cilium/bpf/bpf_overlay.c:39:" subsys=daemon level=warning msg="/var/lib/cilium/bpf/lib/nodeport.h:898:3: error: array size is negative" subsys=daemon level=warning msg=" build_bug_on(!(NODEPORT_PORT_MAX < EPHERMERAL_MIN));" subsys=daemon level=warning msg=" ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" subsys=daemon level=warning msg="/var/lib/cilium/bpf/lib/utils.h:124:45: note: expanded from macro 'build_bug_on'" subsys=daemon level=warning msg="# define build_bug_on(e) ((void)sizeof(char[1 - 2*!!(e)]))" subsys=daemon level=warning msg=" ^~~~~~~~~~~" subsys=daemon level=warning msg="3 warnings and 1 error generated." subsys=daemon Fix this by checking the constraint in the agent, and log a helpful message how to fix it. Signed-off-by: Martynas Pumputis <m@lambda.lt>
commit sha 6051681bdb7a392a1567219fcd8895befda639e9
bpf,option: Fix EPHE**R**MERAL typo It's a ephemeral port range, not a ephermeral port range. Signed-off-by: Martynas Pumputis <m@lambda.lt>
commit sha bc73555928809e1515c6c59ce80e4bd5c3a28db6
daemon: Ignore nodeport and ephemeral port check in non-strict mode Otherwise, we might see some users unexpectedly seeing the panic, as in v1.7 we started to enable NodePort by default. Signed-off-by: Martynas Pumputis <m@lambda.lt>
commit sha a15b7a6817ce2a21eb4fbccfc9f1675a2eea14ae
all: remove unused global log vars The `log` var is unused in some packages, so remove it where this is the case. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha ae2ec9643ee71e0bbfb2c73e5e39e4ea69c0c799
pkg/bpf: remove unused Map.once member Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha b5b3b3fc92e3eee16342cf806188acd9796fba06
fqdn: remove unused prepareNameMatch function This is unused since commit 1121202121f7 ("fqdn: L3-aware L7 DNS policy enforcement") Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 5ddace3bde3fc5011e20a440b714d775f4286744
datapath: remove unused configWriter member of type linuxDatapath Also reorder initialization in NewDatapath so that embedded types are initialized first. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha c7d132b57f4f070cdc6ac6703f618c3251cf043c
datapath: move lookupDirectRoute to node_linux_test.go (*linuxNodeHandler).lookupDirectRoute is only used in test code and does not use any members of linuxNodeHandler, so make it a regular function and move it to node_linux_test.go Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 5c11390d3a5becf4930e9bca75da27173e761cea
datapath: remove unused getLogger func Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha c509d107509f162350e3efc166e9957c32d6ed0b
endpoint: remove unused funcs and types type EndpointPolicyVisibilityEventResult, (*Endpoint).getIDandLabels and (*Endpoint).removeProxyRedirect are unused, remove them. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 81e906beb9501a5d044de1d2636d31bcc53515b7
cni: remove unused func releaseIPs Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha e2b162fb68fe0772908151cb151863a453860048
daemon: remove unused type and func Remove unused type rulesManager and func checkLocks. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 800a47f5d5b4e9b717c5719bc94bad7c85052449
aws/eni: remove unuse type instance Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 0477814556249f4cd496791bff0cd874b0f32215
ipam: remove unuse type owner Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha aecbc10016269befce95256c147beb98403c54ad
ipcache: remove unused const fieldIdentities Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha e644fc15ebe5ad17d134913579d7342dbd4234bf
kvstore/allocator: remove unused consts and type member Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 2 days
pull request commentcilium/cilium
bpf: don't use fixed size integer types from stdint.h
test-me-please
comment created time in 3 days
push eventcilium/cilium
commit sha 40657fa1ed98f10f90453b02cd69c67b6fce192b
test: upgrade tests from v1.7 to master Signed-off-by: André Martins <andre@cilium.io>
commit sha f5d76918395ddb5564f166967c4a5d688c0a8215
datapath/loader: always set all args to bpf/init.sh Passing empty strings to bpf/init.sh will lead to arguments being misinterpreted as their index is no longer correct. This can e.g. lead to the MTU not being set in "vxlan" mode as seen in #10228. Thus, always set all 17 (current value initArgMax) arguments top non-empty values. Use "<nil>" as a default empty value if the arg is not used by bpf/init.sh. Fixes #10228 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 4c8a858c01275055a7df0bec75acdd5bff8e012a
bpf: don't use fixed size integer types from stdint.h Use stddef.h to get size_t, use kernel definitions for fixed size types where appropriate (e.g. uint32_t -> __u32) This allows to get rid of the x32 libc header dependency to pull in the GNU libc stub headers needed by stdint.h. This should thus more easily allow to compile the BPF programs on platforms other than amd64 (e.g. arm64, ppc64). Also clean up some other unused includes. For some reason these changes lead to clang complaining about several functions defined in .h files being unused. Mark these as __maybe_unused or if they are used in a single place move them to the .c file. Fixes #368 Fixes #8529 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 3 days
issue commentcilium/cilium
Another simple short-term solution would be to copy type ENISpec into cilium-cni/types and add comments to make sure any future updates would be done to both structures.
comment created time in 3 days
issue commentcilium/cilium
Interesting comment here wrt. ctmap size:
https://github.com/cilium/cilium/blob/405a7ae27330562c6f2b6de397b953bf45f0ae51/pkg/option/config.go#L428-L431
comment created time in 3 days
pull request commentcilium/cilium
bpf: use syscall.BytePtrFromString instead of deprecated syscall.StringBytePtr
test-me-please
comment created time in 3 days
pull request commentcilium/cilium
daemon: remove deprecated --enable-legacy-services option
test-me-please
comment created time in 3 days
Pull request review commentcilium/cilium
daemon: Create all global maps in cilium-agent
func (m *Map) DumpEntries() (string, error) { // NewMap creates a new CT map of the specified type with the specified name. func NewMap(mapName string, mapType MapType) *Map {
While at it, I think you could unexport this function (maybe in a separate commit). It is only used within the ctmap package.
comment created time in 3 days
pull request commentcilium/cilium
bpf: don't use fixed size integer types from stdint.h
test-me-please
comment created time in 3 days
pull request commentcilium/cilium
daemon: remove deprecated --enable-legacy-services option
test-me-please
comment created time in 3 days
pull request commentcilium/cilium
daemon: remove deprecated --enable-legacy-services option
test-docs-please
comment created time in 3 days
PR opened cilium/cilium
The option was announced to be deprecated in Cilium 1.6 with commit
6eb4d1d89e6a ("daemon: Deprecate enable-legacy-services option"). It
no longer had any effect, so remove it now.
The deprecared `--enable-legacy-service` option was removed.
pr created time in 3 days
create barnchcilium/cilium
branch : pr/tklauser/remove-enable-legacy-services-option
created branch time in 3 days
push eventtklauser/netsniff-ng
commit sha 8d84c45d196f5d5c4209f82388df7688e7196ddd
mz: Fix accidental assignment in conditional statement Corrects the accidental assignment of _c_ to 'c' or 'p' due to a missing equals sign. This enables the proper display of the missing argument error message for all relevant options. Signed-off-by: Michael R Torres <mic.ric.tor@gmail.com>
push time in 3 days
pull request commentcilium/cilium
bpf: use syscall.BytePtrFromString instead of deprecated syscall.StringBytePtr
test-me-please
comment created time in 3 days
pull request commentcilium/cilium
Remove unused funcs, types and global vars
test-me-please
comment created time in 3 days
pull request commentcilium/cilium
datapath/loader: always set all args to bpf/init.sh
test-me-please
comment created time in 3 days
push eventcilium/cilium
commit sha 77890e638bf737cdf699aa6373f1809be290c4d2
datapath/loader: always set all args to bpf/init.sh Passing empty strings to bpf/init.sh will lead to arguments being misinterpreted as their index is no longer correct. This can e.g. lead to the MTU not being set in "vxlan" mode as seen in #10228. Thus, always set all 17 (current value initArgMax) arguments top non-empty values. Use "<nil>" as a default empty value if the arg is not used by bpf/init.sh. Fixes #10228 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 3 days
pull request commentnetsniff-ng/netsniff-ng
mz: Fix accidental assignment in conditional
Thanks!
comment created time in 3 days
PR merged netsniff-ng/netsniff-ng
Discovered via static code analysis courtesy of CodeQL
pr closed time in 3 days
push eventnetsniff-ng/netsniff-ng
commit sha 8d84c45d196f5d5c4209f82388df7688e7196ddd
mz: Fix accidental assignment in conditional statement Corrects the accidental assignment of _c_ to 'c' or 'p' due to a missing equals sign. This enables the proper display of the missing argument error message for all relevant options. Signed-off-by: Michael R Torres <mic.ric.tor@gmail.com>
push time in 3 days
pull request commentcilium/cilium
bpf: don't use fixed size integer types from stdint.h
test-me-please
comment created time in 3 days
pull request commentcilium/cilium
bpf: don't use fixed size integer types from stdint.h
test-me-please
comment created time in 3 days
pull request commentcilium/cilium
datapath/loader: always set all args to bpf/init.sh
test-me-please
comment created time in 3 days
push eventcilium/cilium
commit sha 56c17631ed57786e9756318bacee3ad4c9aac9bf
datapath/loader: always set all args to bpf/init.sh Passing empty strings to bpf/init.sh will lead to arguments being misinterpreted as their index is no longer correct. This can e.g. lead to the MTU not being set in "vxlan" mode as seen in #10228. Thus, always set all 17 (current value initArgMax) arguments top non-empty values. Use "<nil>" as a default empty value if the arg is not used by bpf/init.sh. Fixes #10228 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 3 days
push eventcilium/cilium
commit sha 405a7ae27330562c6f2b6de397b953bf45f0ae51
datapath: convert global variables to consts where possible Also unexport consts/vars not used outside the package. This also slightly reduces the binary size of cilium-agent: == daemon/cilium-agent == bss 7752192 7752128 -64 data 894041 893913 -128 dec 64553770 64551603 -2167 hex 3d9032a 3d8fab3 -877 text 55907537 55905562 -1975 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha fea74172b282d329a64a63ac60f9caafede9e914
bpf: don't use fixed size integer types from stdint.h Use stddef.h to get size_t, use kernel definitions for fixed size types where appropriate (e.g. uint32_t -> __u32) This allows to get rid of the x32 libc header dependency to pull in the GNU libc stub headers needed by stdint.h. This should thus more easily allow to compile the BPF programs on platforms other than amd64 (e.g. arm64, ppc64). Also clean up some other unused includes. For some reason these changes lead to clang complaining about several functions defined in .h files being unused. Mark these as __maybe_unused or if they are used in a single place move them to the .c file. Fixes #368 Fixes #8529 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 3 days
Pull request review commentcilium/cilium
bpf: don't use fixed size integer types from stdint.h
#ifndef _ASM_X86_BYTEORDER_H #define _ASM_X86_BYTEORDER_H -#include <endian.h>--#if __BYTE_ORDER == __LITTLE_ENDIAN+#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
Was a bit too quick to reply. Looks like it is still needed for __constant_htonl in bpf/lib/utils.h.
comment created time in 3 days
Pull request review commentcilium/cilium
bpf: don't use fixed size integer types from stdint.h
var badLogMessages = map[string][]string{ NACKreceived: nil, RunInitFailed: {"signal: terminated", "signal: killed"}, sizeMismatch: nil,+ emptyBPFInitArg: nil,
Oops, indeed. This should have gone into #10230. Will remove.
comment created time in 3 days
Pull request review commentcilium/cilium
bpf: don't use fixed size integer types from stdint.h
func compileAndLink(ctx context.Context, prog *progInfo, dir *directoryInfo, deb return err } -// progLDFlags determines the compiler flags for the specified prog and paths.+var (+ unameOnce sync.Once++ // default fallback+ machineName = "x86_64"+)++// getMachineName returns the machine hardware name of this host.+func getMachineName() string {+ unameOnce.Do(func() {+ var uts unix.Utsname+ err := unix.Uname(&uts)+ if err == nil {+ machineName = string(uts.Machine[:bytes.IndexByte(uts.Machine[:], 0)])+ }
Good point. I think this might even deserve a warning?
comment created time in 3 days
Pull request review commentcilium/cilium
bpf: don't use fixed size integer types from stdint.h
static inline __u32 bpf_ktime_get_sec(void) return (__u64)(bpf_ktime_get_nsec() / NSEC_PER_SEC); } -#if __BYTE_ORDER == __LITTLE_ENDIAN+#if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && \+ __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
These are defined by both GCC (https://gcc.gnu.org/onlinedocs/cpp/Common-Predefined-Macros.html) and LLVM and it's e.g. what the Abseil C++ library uses: https://github.com/abseil/abseil-cpp/blob/c44657f55692eddf5504156645d1f4ec7b3acabd/absl/base/config.h#L444-L465
comment created time in 3 days
Pull request review commentcilium/cilium
bpf: don't use fixed size integer types from stdint.h
#ifndef _ASM_X86_BYTEORDER_H #define _ASM_X86_BYTEORDER_H -#include <endian.h>--#if __BYTE_ORDER == __LITTLE_ENDIAN+#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
Doesn't seem to be needed anymore. Will remove it.
comment created time in 3 days
Pull request review commentcilium/cilium
bpf: don't use fixed size integer types from stdint.h
#include "lib/conntrack.h" #include "lib/dbg.h" #include "lib/drop.h"+#define SKIP_UNDEF_LPM_LOOKUP_FN
Just another cleanup which was surfaced by several functions suddenly being complained about by the compiler as being unused after this change. I'm still not sure why there weren't any -Wunused-function errors before this change though.
comment created time in 3 days
pull request commentcilium/cilium
bpf: use syscall.BytePtrFromString instead of deprecated syscall.StringBytePtr
test-me-please
comment created time in 3 days
push eventcilium/cilium
commit sha 5c8537cb09aad56ad0f1774c1a6ce5e1651a2d32
bpf, daemon: fix CT_REPORT_FLAGS truncation warning The value really needs to be 0xff. We got that correct in the shipped bpf/node_config.h file, but not for the go generated header where it is currently ^uint16(0). Therefore fix up TCPFlags. [...] level=warning msg="+ clang -O2 -g -target bpf -emit-llvm -Wno-address-of-packed-member -Wno-unknown-warning-option -I. -I/run/cilium/state/globals -I/var/lib/cilium/bpf -I/var/lib/cilium/bpf/include -D__NR_CPUS__=2 -DENABLE_ARP_RESPONDER -DHANDLE_NS -DSECLABEL=2 -DLB_L3 -DLB_L4 -DBPF_PKT_DIR=0 '-DNODE_MAC={.addr={0x42,0x09,0x4d,0x59,0x33,0xe9}}' -DCALLS_MAP=cilium_calls_netdev_2 -c /var/lib/cilium/bpf/bpf_netdev.c -o -" subsys=datapath-loader level=warning msg="In file included from /var/lib/cilium/bpf/bpf_netdev.c:50:" subsys=datapath-loader level=warning msg="In file included from /var/lib/cilium/bpf/lib/nat.h:32:" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/conntrack.h:178:8: warning: implicit conversion from 'int' to 'uint8_t' (aka 'unsigned char') changes value from 65535 to 255 [-Wconstant-conversion]" subsys=datapath-loader level=warning msg=" CT_REPORT_FLAGS);" subsys=datapath-loader level=warning msg=" ^~~~~~~~~~~~~~~" subsys=datapath-loader level=warning msg="/run/cilium/state/globals/node_config.h:28:25: note: expanded from macro 'CT_REPORT_FLAGS'" subsys=datapath-loader level=warning msg="#define CT_REPORT_FLAGS 0xffff" subsys=datapath-loader level=warning msg=" ^~~~~~" subsys=datapath-loader level=warning msg="In file included from /var/lib/cilium/bpf/bpf_netdev.c:50:" subsys=datapath-loader level=warning msg="In file included from /var/lib/cilium/bpf/lib/nat.h:32:" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/conntrack.h:296:22: warning: implicit conversion from 'int' to 'uint8_t' (aka 'unsigned char') changes value from 65535 to 255 [-Wconstant-conversion]" subsys=datapath-loader level=warning msg=" seen_flags, CT_REPORT_FLAGS);" subsys=datapath-loader level=warning msg=" ^~~~~~~~~~~~~~~" subsys=datapath-loader level=warning msg="/run/cilium/state/globals/node_config.h:28:25: note: expanded from macro 'CT_REPORT_FLAGS'" subsys=datapath-loader level=warning msg="#define CT_REPORT_FLAGS 0xffff" subsys=datapath-loader level=warning msg=" ^~~~~~" subsys=datapath-loader [...] Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
commit sha 211883c85c45f65d76c3e2f81c5b2d283f115278
bpf: fix incompatible pointer type warning on mac addr [...] level=warning msg="In file included from /var/lib/cilium/bpf/bpf_netdev.c:52:" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/nodeport.h:1057:26: warning: incompatible pointer types passing 'uint8_t (*)[6]' to parameter of type 'uint8_t *' (aka 'unsigned char *') [-Wincompatible-pointer-types]" subsys=datapath-loader level=warning msg=" if (eth_load_saddr(skb, &smac.addr, 0) < 0)" subsys=datapath-loader level=warning msg=" ^~~~~~~~~~" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/eth.h:63:63: note: passing argument to parameter 'mac' here" subsys=datapath-loader level=warning msg="static inline int eth_load_saddr(struct __sk_buff *skb, __u8 *mac, int off)" subsys=datapath-loader level=warning msg=" ^" subsys=datapath-loader level=warning msg="In file included from /var/lib/cilium/bpf/bpf_netdev.c:52:" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/nodeport.h:1151:32: warning: incompatible pointer types passing 'uint8_t (*)[6]' to parameter of type 'uint8_t *' (aka 'unsigned char *') [-Wincompatible-pointer-types]" subsys=datapath-loader level=warning msg=" if (eth_store_daddr(skb, &dmac->addr, 0) < 0)" subsys=datapath-loader level=warning msg=" ^~~~~~~~~~~" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/eth.h:78:64: note: passing argument to parameter 'mac' here" subsys=datapath-loader level=warning msg="static inline int eth_store_daddr(struct __sk_buff *skb, __u8 *mac, int off)" subsys=datapath-loader level=warning msg=" ^" subsys=datapath-loader level=warning msg="In file included from /var/lib/cilium/bpf/bpf_netdev.c:52:" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/nodeport.h:1153:32: warning: incompatible pointer types passing 'uint8_t (*)[6]' to parameter of type 'uint8_t *' (aka 'unsigned char *') [-Wincompatible-pointer-types]" subsys=datapath-loader level=warning msg=" if (eth_store_saddr(skb, &mac->addr, 0) < 0)" subsys=datapath-loader level=warning msg=" ^~~~~~~~~~" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/eth.h:68:64: note: passing argument to parameter 'mac' here" subsys=datapath-loader level=warning msg="static inline int eth_store_saddr(struct __sk_buff *skb, __u8 *mac, int off)" subsys=datapath-loader level=warning msg=" ^" subsys=datapath-loader [...] Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
commit sha abf5366a5d4418f01432563d8e402fb957cd12e7
daemon, probe: whether CONFIG_CGROUP_BPF is compiled in Given for new deployments, we probe the kernel and selectivly disable kube-proxy replacement features, we need to dig a bit deeper to check whether CONFIG_CGROUP_BPF is compiled in as otherwise we'd try to proceed with host-reachable services and will later fail to start-up in init.sh given we cannot attach: [...] level=warning msg="+ bpftool cgroup attach /var/run/cilium/cgroupv2 post_bind6 pinned /sys/fs/bpf/tc/globals/cilium_cgroups_post_bind6" subsys=datapath-loader level=warning msg="Error: failed to attach program" subsys=datapath-loader I went improving TestDummyProg() rather than relying on a .config to determine availability of CONFIG_CGROUP_BPF since a config may not necessarily be available on the underlying system. I've explicitly used an invalid fd as target cgroup fd to probe on EBADFD code. When compiled out, we'll simply always get an EINVAL for all kernels. Fixes: #10097 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
commit sha 074b092685aff1797ed0224d060b6997f82aabc5
Documentation: Switch EKS documentation to default to ENI ENI has been rock-solid and it is time to point the default EKS documentation to use ENI mode. Signed-off-by: Thomas Graf <thomas@cilium.io>
commit sha a86c3a1ffa81482500eec0868aa3ad089a8e9cc7
install/kubernetes: add option to hold cilium agent on clean In the upgrade test we clean up all Cilium state to perform a clean upgrade test. Since that clean up requires that a Cilium agent is not running we need to change the arguments of the Cilium container image to avoid running Cilium at the same time we are clean its state. Thus, this commit introduces a new helm option that changes the Cilium container image cmd argument to not perform any action in the node while cleaning up its state. Signed-off-by: André Martins <andre@cilium.io>
commit sha 022673fa29dc19a42800694d1d2e8f1442df1a5e
bpf, sock: fix post-bind-sock{4,6} not found in ELF file If kube-proxy replacement is in partial mode and only host-reachable services are enabled, the agent will bail out with the following error: [...] level=warning msg="+ tc exec bpf pin /sys/fs/bpf/tc/globals/cilium_cgroups_post_bind4 obj bpf_sock.o type sock attach_type post_bind4 sec post-bind-sock4" subsys=datapath-loader level=warning msg="Program section 'post-bind-sock4' not found in ELF file!" subsys=datapath-loader [...] Given externalIPs depends on NodePort, we can reuse $NODE_PORT in init.sh. Also fix up some small code nits in bpf_sock in bind sections. Fixes: #10120 Fixes: b25663e65d31 ("bpf: Add post_bind{4,6} programs to block NodePorts") Reported-by: Paul Chaignon <paul@isovalent.com> Reported-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
commit sha 1239278985e54d21c1ce38712e6bd811d46e1f5d
bpf: Remove bpf_netdev.o from previously used devices This commit makes cilium-agent to remove bpf_netdev.o from devices which no longer suppose to have the program attached. This can happen when e.g. a user has specified a different device for NodePort via `--device` or they switched from the direct routing mode to the tunnel mode. Signed-off-by: Martynas Pumputis <m@lambda.lt>
commit sha 7fc73b855d9198a3cdf76232b65096c9aee45a4b
test: Do not remove tc filter from native dev The programs will be removed by cilium-agent during its bootstrap. Signed-off-by: Martynas Pumputis <m@lambda.lt>
commit sha 54d9254abba5b4bb76df58f7074a0aaa4895253b
kubernetes: Updated connectivity check Improved connectivity check with the ability to test various connectivity and policy variations. Signed-off-by: Thomas Graf <thomas@cilium.io>
commit sha c58d749816d943c4f9426f67738013f4e8778463
bpf: Fix proxy redirection for egress programs * Handling of the proxy redirection was missing entirely in the to-container section for IPv6. Add it. * The to-container section case was assuming that any proxy redirection is indicated by ipv{46}_policy() returning a non-zero proxy port. This is no longer true since commit 830adba. Fix this by using a separate return code to indicate proxy redirection and treating the proxy port as optional. The above deficits lead to proxy redirection being ineffective when the setting EnableEndpointRoutes was set. Fixes: 830adba1c02 ("bpf: Support proxy using original source address and port.") Fixes: 25a80dfdd5e ("bpf: Add to-container section to bpf_lxc") Fixes: #10105 Signed-off-by: Thomas Graf <thomas@cilium.io>
commit sha 7b03642caeb64fc00d02e0a7c2c586b0f7c6498a
Add required etcd version for external etcd guide Signed-off-by: Maciej Kwiek <maciej@isovalent.com>
commit sha 6b9559ecf021ef2a73025243fa1833fbfdc6b1b1
doc: Document L7 limitation in azure-cni chaining mode Signed-off-by: Thomas Graf <thomas@cilium.io>
commit sha 02aba8bff4356c664c61bb15ce1f8eeca9a67a29
docs: Mention direct routing mode requirement for DSR Direct Server Return (DSR) currently requires Cilium to be deployed in direct routing mode. This patch updates the kube-proxy-free documentation to reflect this. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
commit sha 5f62b560e64843492423be0fd297019571b7207d
fixed padding after code blocks Signed-off-by: Dmitry Kharitonov <geakstr@me.com>
commit sha 25ee77eb9c3e524ff6001d79cd2b566e30d2d124
test: fix upgrade-downgrade test with helm instalation Signed-off-by: André Martins <andre@cilium.io>
commit sha dd534bc55947d54b8071ae067238ae9cdbe1b66b
docs: reclarify upgrade guide for deprecated label As removing the labels is an operation extreamly complex we should warn the users that the label was removed but still give them the option to keep the label to upgrade from older versions to v1.7. During testing it was found that following the existing upgrade guide could leave 2 Cilium pods running per each node when performing a downgrade. Signed-off-by: André Martins <andre@cilium.io>
commit sha 3fd7a6a25125d7d1f1c8e9025539e206f7add2e3
doc: Mark encryption as stable for direct-routing and ENI mode Fixes: #10123 Signed-off-by: Thomas Graf <thomas@cilium.io>
commit sha aff13556af9aa8c62138d54dc6d2d0de91bf97b4
policy: Fix test combining of L4 and L7. Specify slice size as 0 when making it so that it is not full of zero entries to begin with. This has no effect on test results, but fixing this reduces confusion in reading the test output. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
commit sha 55be11b58e72cc7745042b0cafffffe08627c49f
daemon: Add L3-dependent L7 policy test Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
commit sha ba98f0ea3ead15c9a0816ea65166cb741b6daa72
policy: Unify CachedSelectors and L7RulesPerEp Currently all selectors used by a policy are stored in 'CachedSelectors', while a subset of them having L7 rules are present in the L7RulesPerEp. Moving to an on-demand L7 wildcarding sceme requires keeping track of selectors without L7 rules (as those need wildcarding if merged with a filter with L7 rules). Do this by placing all selectors into L7RulesPerEp, while renaming it to 'L7RulesPerSelector'. Selectors without L7 rules have a value 'nil' in this map, which now represents "L7 wildcard". Remove 'CachedSelectors' as it is now fully redundant. Proxies (DNS, Kafka, Envoy) are updated to accept 'nil' as a wildcard rule. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
push time in 3 days
pull request commentcilium/cilium
Remove unused funcs, types and global vars
test-me-please
comment created time in 3 days
pull request commentcilium/cilium
datapath/loader: always set all args to bpf/init.sh
test-me-please
comment created time in 3 days
push eventcilium/cilium
commit sha eb450e1f69a9c575242c57b16151e694543c78e1
option: mark --keep-bpf-templates as deprecated With go-bindata being removed, the flag becomes a no-op. Mark it as deprecated and announce removal in v1.9. Updates #10075 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha ff22f483938da1c090145ec973401769f0673a53
make: remove the need for go-bindata Use of go-bindata dates back from times when people ran Cilium as static binary. This has become uncommon and users either use the container image or a package manager which will both ship /var/lib/cilium directly so there is no need to unpack any assets via the binary. For people still wanting to use Cilium as a static binary, e.g. for local development provide the `install-bpf` Makefile target to install the BPF assets into `/var/lib/cilium`. This saves ~380 kB in the resulting cilium-agent binary: == daemon/cilium-agent == bss 7752192 7752160 -32 data 894041 651280 -242761 dec 64545230 64166071 -379159 hex 3d8e1ce 3d318b7 -5c917 text 55898997 55762631 -136366 Updates #10056 Fixes #10075 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 405a7ae27330562c6f2b6de397b953bf45f0ae51
datapath: convert global variables to consts where possible Also unexport consts/vars not used outside the package. This also slightly reduces the binary size of cilium-agent: == daemon/cilium-agent == bss 7752192 7752128 -64 data 894041 893913 -128 dec 64553770 64551603 -2167 hex 3d9032a 3d8fab3 -877 text 55907537 55905562 -1975 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 18d34deb4070324922d4481626e88b27352da8c9
datapath/loader: always set all args to bpf/init.sh Passing empty strings to bpf/init.sh will lead to arguments being misinterpreted as their index is no longer correct. This can e.g. lead to the MTU not being set in "vxlan" mode as seen in #10228. Thus, always set all 17 (current value initArgMax) arguments top non-empty values. Use "<nil>" as a default empty value if the arg is not used by bpf/init.sh. Fixes #10228 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 3 days
pull request commentcilium/cilium
bpf: don't use fixed size integer types from stdint.h
CI finally passed on the latest iteration. PTAL.
comment created time in 3 days
pull request commentcilium/cilium
[WIP] bpf: don't use fixed size integer types from stdint.h
test-me-please
comment created time in 3 days
push eventcilium/cilium
commit sha eb450e1f69a9c575242c57b16151e694543c78e1
option: mark --keep-bpf-templates as deprecated With go-bindata being removed, the flag becomes a no-op. Mark it as deprecated and announce removal in v1.9. Updates #10075 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha ff22f483938da1c090145ec973401769f0673a53
make: remove the need for go-bindata Use of go-bindata dates back from times when people ran Cilium as static binary. This has become uncommon and users either use the container image or a package manager which will both ship /var/lib/cilium directly so there is no need to unpack any assets via the binary. For people still wanting to use Cilium as a static binary, e.g. for local development provide the `install-bpf` Makefile target to install the BPF assets into `/var/lib/cilium`. This saves ~380 kB in the resulting cilium-agent binary: == daemon/cilium-agent == bss 7752192 7752160 -32 data 894041 651280 -242761 dec 64545230 64166071 -379159 hex 3d8e1ce 3d318b7 -5c917 text 55898997 55762631 -136366 Updates #10056 Fixes #10075 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 446519c68a279e0cee2bddb60f1cd17de1bf1bca
bpf: don't use fixed size integer types from stdint.h Use stddef.h to get size_t, use kernel definitions for fixed size types where appropriate (e.g. uint32_t -> __u32) This allows to get rid of the x32 libc header dependency to pull in the GNU libc stub headers needed by stdint.h. This should thus more easily allow to compile the BPF programs on platforms other than amd64 (e.g. arm64, ppc64). Also clean up some other unused includes. For some reason these changes lead to clang complaining about several functions defined in .h files being unused. Mark these as __maybe_unused or if they are used in a single place move them to the .c file. Fixes #368 Fixes #8529 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 3 days
pull request commentcilium/cilium
datapath: convert global variables to consts where possible
test-me-please
comment created time in 3 days
pull request commentcilium/cilium
datapath/loader: always set all args to bpf/init.sh
test-me-please
comment created time in 3 days
push eventcilium/cilium
commit sha 293bdc5a247f5e9eb0009b35b797afce2575912d
agent: Remove awareness of IPv4 cluster-range While operating in direct-routing mode (`--tunnel=disabled`), traffic with a destination address matching a particular CIDR is automatically excluded from being masqueraded. So far, this CIDR consisted of `<alloc-cidr>/<size>` where the size could be set with the option `--ipv4-cluster-cidr-mask-size`. This was not always desirable and limiting, therefore Cilium 1.6 had already introduced the option `--native-routing-cidr` allowing to explicitly specify the CIDR for native routing. With Cilium 1.8, the option `--ipv4-cluster-cidr-mask-size` is being deprecated and all users must use the option `--native-routing-cidr` instead. Updates: #9919 Signed-off-by: Thomas Graf <thomas@cilium.io>
commit sha 480d524bb20dc28220999ee02b80a5fd8a6ac989
datapath/loader: always set all args to bpf/init.sh Passing empty strings to bpf/init.sh will lead to arguments being misinterpreted as their index is no longer correct. This can e.g. lead to the MTU not being set in "vxlan" mode as seen in #10228. Thus, always set all 17 (current value initArgMax) arguments top non-empty values. Use "<nil>" as a default empty value if the arg is not used by bpf/init.sh. Fixes #10228 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 3 days
pull request commentcilium/cilium
[WIP] bpf: don't use fixed size integer types from stdint.h
test-me-please
comment created time in 3 days
push eventcilium/cilium
commit sha 293bdc5a247f5e9eb0009b35b797afce2575912d
agent: Remove awareness of IPv4 cluster-range While operating in direct-routing mode (`--tunnel=disabled`), traffic with a destination address matching a particular CIDR is automatically excluded from being masqueraded. So far, this CIDR consisted of `<alloc-cidr>/<size>` where the size could be set with the option `--ipv4-cluster-cidr-mask-size`. This was not always desirable and limiting, therefore Cilium 1.6 had already introduced the option `--native-routing-cidr` allowing to explicitly specify the CIDR for native routing. With Cilium 1.8, the option `--ipv4-cluster-cidr-mask-size` is being deprecated and all users must use the option `--native-routing-cidr` instead. Updates: #9919 Signed-off-by: Thomas Graf <thomas@cilium.io>
commit sha 7d84cb416670628942f364eda8ce7b01bfc5c074
bpf: don't use fixed size integer types from stdint.h Use stddef.h to get size_t, use kernel definitions for fixed size types where appropriate (e.g. uint32_t -> __u32) This allows to get rid of the x32 libc header dependency to pull in the GNU libc stub headers needed by stdint.h. This should thus more easily allow to compile the BPF programs on platforms other than amd64 (e.g. arm64, ppc64). Also clean up some other unused includes. For some reason these changes lead to clang complaining about several functions defined in .h files being unused. Mark these as __maybe_unused or if they are used in a single place move them to the .c file. Fixes #368 Fixes #8529 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 4 days
pull request commentcilium/cilium
Remove the need for go-bindata
test-docs-please
comment created time in 4 days
pull request commentcilium/cilium
Remove the need for go-bindata
test-me-please
comment created time in 4 days
push eventcilium/cilium
commit sha 926ad33a7510c88b3a0ad6d31b3328127e1a57a1
monitor: Refactor listener registration logic - Modify registerNewListener() to take MonitorListener as a parameter to allow arbitrary listener to be registered instead of assuming the type of listener is always listenerv1_2. - Add Close() method to MonitorListener so that the Monitor can close listeners without knowing implementation details. - Explicitly call close() on listenerv1_2.queue so that drainQueue gets unblocked during unit test. Ref #9925 Signed-off-by: Michi Mutsuzaki <michi@isovalent.com>
commit sha 263af2ab97f03c5013fec2b14dc6aea049665da6
policy: replace go-logging with std log This saves ~35 KB on the cilium-agent and cilium-operator binaries and gets rid of a vendored dependency. Updates #10056 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha f912be76021181fcd88eea6336e5bd8d3e93b098
proxy: remove write-only members from type Redirect The created and lastUpdated timestamps in type Redirect struct are only written but never read. Remove them. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 293bdc5a247f5e9eb0009b35b797afce2575912d
agent: Remove awareness of IPv4 cluster-range While operating in direct-routing mode (`--tunnel=disabled`), traffic with a destination address matching a particular CIDR is automatically excluded from being masqueraded. So far, this CIDR consisted of `<alloc-cidr>/<size>` where the size could be set with the option `--ipv4-cluster-cidr-mask-size`. This was not always desirable and limiting, therefore Cilium 1.6 had already introduced the option `--native-routing-cidr` allowing to explicitly specify the CIDR for native routing. With Cilium 1.8, the option `--ipv4-cluster-cidr-mask-size` is being deprecated and all users must use the option `--native-routing-cidr` instead. Updates: #9919 Signed-off-by: Thomas Graf <thomas@cilium.io>
commit sha 5a5c0116ee8789da3570f874df9fcdd9724e1a6c
option: mark --keep-bpf-templates as deprecated With go-bindata being removed, the flag becomes a no-op. Mark it as deprecated and announce removal in v1.9. Updates #10075 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 0de957d7e94f4d4dc80f488770c8c19d4e6a528d
make: remove the need for go-bindata Use of go-bindata dates back from times when people ran Cilium as static binary. This has become uncommon and users either use the container image or a package manager which will both ship /var/lib/cilium directly so there is no need to unpack any assets via the binary. For people still wanting to use Cilium as a static binary, e.g. for local development provide the `install-bpf` Makefile target to install the BPF assets into `/var/lib/cilium`. This saves ~380 kB in the resulting cilium-agent binary: == daemon/cilium-agent == bss 7752192 7752160 -32 data 894041 651280 -242761 dec 64545230 64166071 -379159 hex 3d8e1ce 3d318b7 -5c917 text 55898997 55762631 -136366 Updates #10056 Fixes #10075 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 4 days
pull request commentcilium/cilium
[WIP] bpf: don't use fixed size integer types from stdint.h
test-me-please
comment created time in 4 days
push eventcilium/cilium
commit sha 3e00fd6637d9bf39142fde84c95838232daa191b
bpf: don't use fixed size integer types from stdint.h Use stddef.h to get size_t, use kernel definitions for fixed size types where appropriate (e.g. uint32_t -> __u32) This allows to get rid of the x32 libc header dependency to pull in the GNU libc stub headers needed by stdint.h. This should thus more easily allow to compile the BPF programs on platforms other than amd64 (e.g. arm64, ppc64). Also clean up some other unused includes. For some reason these changes lead to clang complaining about several functions defined in .h files being unused. Mark these as __maybe_unused or if they are used in a single place move them to the .c file. Fixes #368 Fixes #8529 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 4 days
push eventcilium/cilium
commit sha 926ad33a7510c88b3a0ad6d31b3328127e1a57a1
monitor: Refactor listener registration logic - Modify registerNewListener() to take MonitorListener as a parameter to allow arbitrary listener to be registered instead of assuming the type of listener is always listenerv1_2. - Add Close() method to MonitorListener so that the Monitor can close listeners without knowing implementation details. - Explicitly call close() on listenerv1_2.queue so that drainQueue gets unblocked during unit test. Ref #9925 Signed-off-by: Michi Mutsuzaki <michi@isovalent.com>
commit sha 263af2ab97f03c5013fec2b14dc6aea049665da6
policy: replace go-logging with std log This saves ~35 KB on the cilium-agent and cilium-operator binaries and gets rid of a vendored dependency. Updates #10056 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha f912be76021181fcd88eea6336e5bd8d3e93b098
proxy: remove write-only members from type Redirect The created and lastUpdated timestamps in type Redirect struct are only written but never read. Remove them. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 25321fdc78582c4a7ae76c9f1724747dec16f3e9
bpf: don't use fixed size integer types from stdint.h Use stddef.h to get size_t, use kernel definitions for fixed size types where appropriate (e.g. uint32_t -> __u32) This allows to get rid of the x32 libc header dependency to pull in the GNU libc stub headers needed by stdint.h. This should thus more easily allow to compile the BPF programs on platforms other than amd64 (e.g. arm64, ppc64). Also clean up some other unused includes. For some reason these changes lead to clang complaining about several functions defined in .h files being unused. Mark these as __maybe_unused or if they are used in a single place move them to the .c file. Fixes #368 Fixes #8529 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 4 days
pull request commentcilium/cilium
datapath/loader: always set all args to bpf/init.sh
test-me-please
comment created time in 4 days
push eventcilium/cilium
commit sha 279f1248b20aca36f408f667d8e25f33e2021ef8
cli: Do not panic if BPF map does not exist This commit changes the behavior of the following cmds: - cilium bpf ct flush - cilium bpf ct list - cilium bpf nat list - cilium bpf nat flush The change makes the cmds not to fail if a map does not exist, and instead to continue processing a next map. This was observed when a user was running in the ipv6-only mode, and the listed cmds failed to process ipv6 maps due to missing ipv4 maps. Signed-off-by: Martynas Pumputis <m@lambda.lt>
commit sha f8343b3b2cc3e0b9d4628d4fc18f1b11342e19a2
Makes k8s cert generation modular. The oringal scripts that come with Cilium statically generates certificates only on the master node and it limits the worker node number to be <=1. If you try to bring up a cluster with two or more worker nodes, the script will fail and the nodes (except for the master and the first worker) won't be brought up correctly. This moves the cert generation for k8s components and kubelets to the worker nodes so that it will dynamically adapt to the number of workers set with NWORKER. Test: I can successfully bring up a cluster with 2 workers using ``` K8S=1 NWORKERS=2 contrib/vagrant/start.sh ``` Signed-off-by: Weilong Cui <cuiwl@google.com>
commit sha d615dcd3b1f5d9c34875882041a7e3992949e087
contrib/vagrant: only ssh to k8s1 if vagrant up suceeded In case `vagrant up` returned with non-zero status (e.g. due to being canceled or the initial box download failing), the script would still attempt to `vagrant ssh` to k8s1 and print a message in case $K8S is non-zero. Fix this by only executing `vagrant ssh k8s1` if `vagrant up` was successful. Also fix indentation. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha cfb7333a064e4bf00ee4bcf95e556b5331b632cd
bpf: remove `Map.DeleteWithErrno()` `Map.Delete()` now wraps the underlying errno when returning an error. Therefore, `Map.DeleteWithErrno()` is rendered obsolete as checking for an error of type `syscall.Errno` can now be done using `errors.Is()` or `errors.As()` with the error returned by `Map.Delete()`. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>
commit sha 7579af6b0327a76fd1cad819256b5d91d0ef958c
daemon: silence log messages during cmdref generation Call genMarkdown as early as possible and extract the cmdref directory directly from viper instead of letting initEnv populate all options first. This avoids log messages related to kvstore when generating cmdref. Also move the os.Exit(0) into daemon_main.go so it is more obvious that the agent exits after generating the command reference. Fixes #10081 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 8e6c3d1fa9344af606c83f39d597c27f1484a894
test/bpf: remove unused event.h It's unused since commit ae53f9cf7913 ("bpf: Delete perf event reader implementation"). Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 2cebc7fc0b3d1d9fa159d7c04767c6d8ce8118dc
datapath/linux,maps/ipcache: consistently use BackedByLPM() helper This commit introduces no functional changes. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>
commit sha 84d5af36be34b5d89d885a6b449dfea771a86cc2
vendor: re-vendor golang.org/x/sys and github.com/vishvananda/netlink This pulls in several unsafe.Pointer usage fixes found in these packages using the Go 1.14 `-d=checkptr` compiler flag. Updates #10133 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 942b8bd9080333cfe71ae35b2143adc7c592bf16
docs: de-duplicate AWS cluster scale up instructions Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 1fd54f938a3885cbea6b5f616f72ac81b1289cbe
pkg/datapath/linux/route: reduce duplicate code Signed-off-by: Lehner Florian <dev@der-flo.net>
commit sha 48327b9726f07e8bac3ff09484a60f22d6eeffeb
bpf: remove unused GetProgNextID and GetProgFDByID These are not used by Cilium. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 50cabdc3c80a13d54426112e329a34374a2e80df
Update for release v1.7.0 Signed-off-by: André Martins <andre@cilium.io>
commit sha 3b6de5f28af9b83eceeb14653684037a87181c84
daemon: adding support for egress policy tracing Previously, only ingress policy tracing is supported. Fixes: #9790 Signed-off-by: Wenxian Li <wofanli@gmail.com>
commit sha c3582661dbee7c551ee5f838e80970617dea5947
Refactor NodePortRange code into separate function This change separates out the NodePortRange logic from Populate() into a separate function to enable easier unit testing. This commit also brings in said unit tests. Signed-off-by: Chris Tarazi <tarazichris@gmail.com>
commit sha 5e7b791d04cda22fee88dc98abde82e0712869bb
Validate NodePortRange length We can rely on the defaults to set NodePortRange to a slice of length 2 when it has NOT been passed in by the user explicitly. If NodePortRange is passed in explicitly, then we ensure that it must be of length 2. If it is explicitly empty, we simply log a warning. Signed-off-by: Chris Tarazi <tarazichris@gmail.com>
commit sha 0dec7e67f897eaa41e85486a162e6099c84a4921
daemon: remove unused type rulesManager It's been unused since commit 5882053964eb ("datapath: make `Datapath` an `IptablesManager`") Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 11525c11d17332ab65377139261b68935f7b8ef0
pkg/maps/encrypt: allocate BPF map in MapCreate only if EnableIPSec is set Allocate encryptMap in MapCreate which is only called if EnableIPSec is true (default is false) to avoid unnecessarily allocating memory for the map. Updates #10056 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 4271b542ef0d26474bbab07af50c79f534022787
datapath: use net.IP.IsLoopback instead of string comparison Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 132807dd2cec2441749cb43a0ae295aed0918baa
policy: fix innermap's flag error in eppolicymap The policymap is created with BPF_F_NO_PREALLOC flag, but the innermap in eppolicymap uses a flag 0. When enable sockops, the eppolicymap will be update failed because of the different bpf-map metadatas. This commit changes the innermap's flag and fixes it. Signed-off-by: Zhiyuan Hou <zhiyuan2048@linux.alibaba.com>
commit sha d1411960bfdf63627eec6d20f450f1c8f47b02b4
test: Reduce length of log filenames With some filesystems (e.g., ecryptfs), the maximum filename length is lower than 255, that of ext4. On these filesystems, the tests fail with the following error because log filenames are too long: K8sPolicyTest Basic Test Redirects traffic to proxy when no policy is applied with proxy-visibility annotation Tests HTTP proxy visibility without policy at /cilium/cilium/test/ginkgo-ext/scopes.go:430 [Could not read monitor log Expected <*os.PathError | 0xc000e1fec0>: { Op: "open", Path: "test_results/117-/K8sPolicyTest_Basic_Test_Redirects_traffic_to_proxy_when_no_policy_is_applied_with_proxy-visibility_annotation_Tests_HTTP_proxy_visibility_without_policy/monitor-13f3cf9b-4f30-11ea-b222-60f262b6c493.log", Err: 0x24, } to be nil] This commit updates the name of the tests (from which the log filename is derived) to be consistent with other tests' names. Signed-off-by: Paul Chaignon <paul@cilium.io>
push time in 4 days
push eventcilium/cilium
commit sha f912be76021181fcd88eea6336e5bd8d3e93b098
proxy: remove write-only members from type Redirect The created and lastUpdated timestamps in type Redirect struct are only written but never read. Remove them. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 9cc6d0a6704439f06b367ea48d12dee883858bf4
datapath: convert global variables to consts where possible Also unexport consts/vars not used outside the package. This also slightly reduces the binary size of cilium-agent: == daemon/cilium-agent == bss 7752192 7752128 -64 data 894041 893913 -128 dec 64553770 64551603 -2167 hex 3d9032a 3d8fab3 -877 text 55907537 55905562 -1975 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 4 days
push eventcilium/cilium
commit sha ae9619af6377cbb6217e2a80dbe795f31bfa52ea
[CI] Randomize ns in policy tests Signed-off-by: Maciej Kwiek <maciej@isovalent.com>
commit sha 8ffed85b902ca711a21bf6d5eb46f48bb969e2e1
bpf: don't use fixed size integer types from stdint.h Use stddef.h to get size_t, use kernel definitions for fixed size types where appropriate (e.g. uint32_t -> __u32) This allows to get rid of the x32 libc header dependency to pull in the GNU libc stub headers needed by stdint.h. This should thus more easily allow to compile the BPF programs on platforms other than amd64 (e.g. arm64, ppc64). Also clean up some other unused includes. For some reason these changes lead to clang complaining about several functions defined in .h files being unused. Mark these as __maybe_unused or if they are used in a single place move them to the .c file. Fixes #368 Fixes #8529 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 4 days
push eventcilium/cilium
commit sha e8a475f9cbc37417413fc4750feb98504fe79829
datapath/loader: always set all args to bpf/init.sh Passing empty strings to bpf/init.sh will lead to arguments being misinterpreted as their index is no longer correct. This can e.g. lead to the MTU not being set in "vxlan" mode as seen in #10228. Thus, always set all 17 (current value initArgMax) arguments top non-empty values. Use "<nil>" as a default empty value if the arg is not used by bpf/init.sh. Fixes #10228 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 4 days
push eventcilium/cilium
commit sha 12b2ec72f8fa61c954aa1f4872b31d1b2bad4716
make: consistently use $(GO) to invoke the Go tool Otherwise when building with e.g. GO=go1.14rc1 make, the version log message still shows: level=info msg="Cilium 1.7.90 7051378bf234 2020-02-11T11:05:47+01:00 go version go1.13.8 linux/amd64" subsys=daemon while e.g. `go version /usr/bin/cilium-agent` correctly shows: /usr/bin/cilium-agent: go1.14rc1 Also use $(GO) when checking for `-mod=vendor0` support. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha c402767a2b19d866387725672d0da36bb0a57305
bpf: Add test for __ct_lookup return value Check that __ct_lookup returns CT_NEW when given tuple wasn't previously connection-tracked. Fixes: #9303 Signed-off-by: Paul Chaignon <paul@isovalent.com>
commit sha 76581e6c29bc4897e4449b2124ff8673f0e3b38b
agent: Remove leftovers from IPv6 /96 prefix requirement The requirement for the Kubernetes `-node-cidr-mask-size` to be a /96 has been lifted a while ago but there were still some remaining leftovers hinting that it exists. Remove them. Fixes: #6804 Signed-off-by: Thomas Graf <thomas@cilium.io>
commit sha 78fefa7c577ed89d753916be55d6c00eb1f6d77f
daemon: remove alignchecker import The alignchecker package doesn't have any side effects (anymore), so it doesn't need to be underscore-imported. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha c6f3240a27e8b0ef395571aa2d4d5aa863b1fd89
alignchecker: split alignment checks for monitor types into own package The datapath/alignchecker package also checks the monitor types for proper alignment and thus needs to import the monitor package. These types are not used in the agend but importing the package ends up pulling in github.com/google/gopacket which adds quite a lot to the binary size. Thus, split out the alignment checks for the monitor types into its own subpackage of package monitor, monitor/alignchecker and call the corresponding CheckStructAlignments from tools/alignchecker/main.go as well. This reduces the binary size of cilium-agent by ~2MB. Updates #10056 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha ce71fc191dfc217c10231d2bfa34d3d460e73589
service: Fix HealthCheckNodePort not displayed in API The `HealthCheckNodePort` field was not copied in `deepCopyToLBSVC`, thus causing the field to never show up in the Cilium API. Signed-off-by: Sebastian Wicki <gandro@gmx.net>
commit sha 1d01a1748323e06c0f95cec92cfc204785621132
all: remove unused global log vars The `log` var is unused in some packages, so remove it where this is the case. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha a2f701643baaed1071f4fe820cf725f179b40157
pkg/bpf: remove unused Map.once member Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 7853d7a9b06f0288c00c2cbf9e6e0b0f63b93311
fqdn: remove unused prepareNameMatch function This is unused since commit 1121202121f7 ("fqdn: L3-aware L7 DNS policy enforcement") Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 11b1e45991ec95105de2dd8db39dd4daee4cdb79
datapath: remove unused configWriter member of type linuxDatapath Also reorder initialization in NewDatapath so that embedded types are initialized first. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 5f8b05352ef88054db750498dd573d32ffb5a857
datapath: move lookupDirectRoute to node_linux_test.go (*linuxNodeHandler).lookupDirectRoute is only used in test code and does not use any members of linuxNodeHandler, so make it a regular function and move it to node_linux_test.go Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 9731c1fe1f6121ad92d660e17d5dff3626fd931e
datapath: remove unused getLogger func Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 631d5586ef2e541c612a1af679e699ea753affa2
endpoint: remove unused funcs and types type EndpointPolicyVisibilityEventResult, (*Endpoint).getIDandLabels and (*Endpoint).removeProxyRedirect are unused, remove them. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 94f826ac04b8f74727dbcb549c70336b07939efb
cni: remove unused func releaseIPs Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 13e0bbecab106dddabb370cc89dee0379b66c9a8
daemon: remove unused type and func Remove unused type rulesManager and func checkLocks. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha abfa633062906e4b3097bc006c8a482118c8d2d9
aws/eni: remove unuse type instance Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 461834b113c3c3b484425048075aaafd7f55deda
ipam: remove unuse type owner Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha f23f91ea2a257307d0216ae824cd376f4216c003
ipcache: remove unused const fieldIdentities Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 99790492b49dc9c26f710b5e9d6a55c83b86bd53
kvstore/allocator: remove unused consts and type member Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha ba64caf0f69eb309f85639c087e9546f4bb78d68
eppolicymap: remove unused func newEndpointKey Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 4 days
pull request commentcilium/cilium
Remove the need for go-bindata
test-me-please
comment created time in 4 days
push eventcilium/cilium
commit sha 12b2ec72f8fa61c954aa1f4872b31d1b2bad4716
make: consistently use $(GO) to invoke the Go tool Otherwise when building with e.g. GO=go1.14rc1 make, the version log message still shows: level=info msg="Cilium 1.7.90 7051378bf234 2020-02-11T11:05:47+01:00 go version go1.13.8 linux/amd64" subsys=daemon while e.g. `go version /usr/bin/cilium-agent` correctly shows: /usr/bin/cilium-agent: go1.14rc1 Also use $(GO) when checking for `-mod=vendor0` support. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha c402767a2b19d866387725672d0da36bb0a57305
bpf: Add test for __ct_lookup return value Check that __ct_lookup returns CT_NEW when given tuple wasn't previously connection-tracked. Fixes: #9303 Signed-off-by: Paul Chaignon <paul@isovalent.com>
commit sha 76581e6c29bc4897e4449b2124ff8673f0e3b38b
agent: Remove leftovers from IPv6 /96 prefix requirement The requirement for the Kubernetes `-node-cidr-mask-size` to be a /96 has been lifted a while ago but there were still some remaining leftovers hinting that it exists. Remove them. Fixes: #6804 Signed-off-by: Thomas Graf <thomas@cilium.io>
commit sha 78fefa7c577ed89d753916be55d6c00eb1f6d77f
daemon: remove alignchecker import The alignchecker package doesn't have any side effects (anymore), so it doesn't need to be underscore-imported. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha c6f3240a27e8b0ef395571aa2d4d5aa863b1fd89
alignchecker: split alignment checks for monitor types into own package The datapath/alignchecker package also checks the monitor types for proper alignment and thus needs to import the monitor package. These types are not used in the agend but importing the package ends up pulling in github.com/google/gopacket which adds quite a lot to the binary size. Thus, split out the alignment checks for the monitor types into its own subpackage of package monitor, monitor/alignchecker and call the corresponding CheckStructAlignments from tools/alignchecker/main.go as well. This reduces the binary size of cilium-agent by ~2MB. Updates #10056 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha ce71fc191dfc217c10231d2bfa34d3d460e73589
service: Fix HealthCheckNodePort not displayed in API The `HealthCheckNodePort` field was not copied in `deepCopyToLBSVC`, thus causing the field to never show up in the Cilium API. Signed-off-by: Sebastian Wicki <gandro@gmx.net>
commit sha ae9619af6377cbb6217e2a80dbe795f31bfa52ea
[CI] Randomize ns in policy tests Signed-off-by: Maciej Kwiek <maciej@isovalent.com>
commit sha 9f0d1c200dae6f4e646469e1f84d9482bd07ab77
option: mark --keep-bpf-templates as deprecated With go-bindata being removed, the flag becomes a no-op. Mark it as deprecated and announce removal in v1.9. Updates #10075 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha 2973e14341267ccc55ef395360a16536a8f87ec4
make: remove the need for go-bindata Use of go-bindata dates back from times when people ran Cilium as static binary. This has become uncommon and users either use the container image or a package manager which will both ship /var/lib/cilium directly so there is no need to unpack any assets via the binary. For people still wanting to use Cilium as a static binary, e.g. for local development provide the `install-bpf` Makefile target to install the BPF assets into `/var/lib/cilium`. This saves ~380 kB in the resulting cilium-agent binary: == daemon/cilium-agent == bss 7752192 7752160 -32 data 894041 651280 -242761 dec 64545230 64166071 -379159 hex 3d8e1ce 3d318b7 -5c917 text 55898997 55762631 -136366 Updates #10056 Fixes #10075 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 4 days
pull request commentcilium/cilium
[WIP] bpf: don't use fixed size integer types from stdint.h
test-me-please
comment created time in 4 days
push eventcilium/cilium
commit sha 12b2ec72f8fa61c954aa1f4872b31d1b2bad4716
make: consistently use $(GO) to invoke the Go tool Otherwise when building with e.g. GO=go1.14rc1 make, the version log message still shows: level=info msg="Cilium 1.7.90 7051378bf234 2020-02-11T11:05:47+01:00 go version go1.13.8 linux/amd64" subsys=daemon while e.g. `go version /usr/bin/cilium-agent` correctly shows: /usr/bin/cilium-agent: go1.14rc1 Also use $(GO) when checking for `-mod=vendor0` support. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha c402767a2b19d866387725672d0da36bb0a57305
bpf: Add test for __ct_lookup return value Check that __ct_lookup returns CT_NEW when given tuple wasn't previously connection-tracked. Fixes: #9303 Signed-off-by: Paul Chaignon <paul@isovalent.com>
commit sha 76581e6c29bc4897e4449b2124ff8673f0e3b38b
agent: Remove leftovers from IPv6 /96 prefix requirement The requirement for the Kubernetes `-node-cidr-mask-size` to be a /96 has been lifted a while ago but there were still some remaining leftovers hinting that it exists. Remove them. Fixes: #6804 Signed-off-by: Thomas Graf <thomas@cilium.io>
commit sha 78fefa7c577ed89d753916be55d6c00eb1f6d77f
daemon: remove alignchecker import The alignchecker package doesn't have any side effects (anymore), so it doesn't need to be underscore-imported. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha c6f3240a27e8b0ef395571aa2d4d5aa863b1fd89
alignchecker: split alignment checks for monitor types into own package The datapath/alignchecker package also checks the monitor types for proper alignment and thus needs to import the monitor package. These types are not used in the agend but importing the package ends up pulling in github.com/google/gopacket which adds quite a lot to the binary size. Thus, split out the alignment checks for the monitor types into its own subpackage of package monitor, monitor/alignchecker and call the corresponding CheckStructAlignments from tools/alignchecker/main.go as well. This reduces the binary size of cilium-agent by ~2MB. Updates #10056 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
commit sha ce71fc191dfc217c10231d2bfa34d3d460e73589
service: Fix HealthCheckNodePort not displayed in API The `HealthCheckNodePort` field was not copied in `deepCopyToLBSVC`, thus causing the field to never show up in the Cilium API. Signed-off-by: Sebastian Wicki <gandro@gmx.net>
commit sha 7d06c68a2ca845dbcbbcd61df1d6115d346d00f5
bpf: don't use fixed size integer types from stdint.h Use stddef.h to get size_t, use kernel definitions for fixed size types where appropriate (e.g. uint32_t -> __u32) This allows to get rid of the x32 libc header dependency to pull in the GNU libc stub headers needed by stdint.h. This should thus more easily allow to compile the BPF programs on platforms other than amd64 (e.g. arm64, ppc64). Also clean up some other unused includes. For some reason these changes lead to clang complaining about several functions defined in .h files being unused. Mark these as __maybe_unused or if they are used in a single place move them to the .c file. Fixes #368 Fixes #8529 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
push time in 4 days
pull request commentcilium/cilium
policy: replace go-logging with std log
test-me-please
comment created time in 4 days
pull request commentcilium/cilium
Remove unused funcs, types and global vars
test-me-please
comment created time in 4 days