carlosedp/riscv-bringup 33

Risc-V journey thru containers and new projects

cilium/linux 5

Just local BPF wip branches for upstream

tklauser/csnippets 4

nice C code snippets

henrique/lsci2012 1

LSCI 2012 Programming Project

tklauser/build-cross-gccgo 1

Build gccgo toolchain from scratch

tklauser/amicontained 0

Container introspection tool. Find out what container runtime is being used as well as features available.

tklauser/apalis-tools 0

Tools for Tegra 3 based Toradex Apalis modules

tklauser/arping 0

ARP Ping

tklauser/athens 0

A Go module datastore and proxy

delete branch tklauser/libnetwork

delete branch : cli-pkg-migrate

delete time in 16 hours

delete branch tklauser/cilium

delete branch : test-k8s-curl-o-option

delete time in 2 days

delete branch tklauser/cilium

delete branch : pr/tklauser/remove-go-bindata

delete time in 2 days

pull request comment cilium/cilium

metricsmap: reduce MaxEntries to account for maximum key space

test-me-please

tklauser

comment created time in 2 days

PR opened cilium/cilium

metricsmap: reduce MaxEntries to account for maximum key space pending-review release-note/misc

Currently, the size of the metrics map is chosen to account for the theoretical maximum key space of 2^16 (2 uint8: direction and reason). However, the direction currently uses max. 2 bits (3 possible values: unknown, ingress and egress). Thus we can reduce the size of the map to 1024 (2^10) and still cover the entire key space used.

This reduces the metrics map size from ~1.5MB to ~24KB.

Updates #10056

+8 -4

0 comment

1 changed file

pr created time in 2 days

create branch cilium/cilium

branch : pr/tklauser/metricsmap-reduce-size

created branch time in 2 days

pull request comment cilium/cilium

option: reduce default number for TCP CT max entries

test-docs-please

tklauser

comment created time in 2 days

pull request comment cilium/cilium

option: reduce default number for TCP CT max entries

test-me-please

tklauser

comment created time in 2 days

push event cilium/cilium

Tobias Klauser

commit sha f519dfb19ebad2d1ed00ebdf6bbf157b5ff3b8c7

options: add godoc for CTMapEntriesGlobal* consts Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


push time in 2 days

PR opened cilium/cilium

option: reduce default number for TCP CT max entries release-note/minor

Commit e824a86bba21 ("daemon: Allow configuration of CT max entries") bumped the default value to 1000000 in order to ease upgrades from Cilium 1.2. In the helm charts, the value was again set to 512KB via the ct-global-max-entries-tcp option. However, if Cilium is not deployed via helm charts (e.g. when running as a systemd service in the devel VM) the large default number of entries is used.

Set the default value to 512KB again and instead advise users in the helm chart comments to set it to 1000000 in case they're upgrading from Cilium v1.2.

This saves about ~150MB of memory at runtime.

Updates #10056

The default maximum number of entries in the BPF TCP ctmap is reduced to 512K.

+5 -7

0 comment

4 changed files

pr created time in 2 days

create branch cilium/cilium

branch : pr/tklauser/ctmap-tcp-global-default-size

created branch time in 2 days

pull request comment cilium/cilium

[RFC] make: strip symbol tables from all binaries by default

Does this have an impact on the memory consumption of cilium-agent or only on binary size?

AFAICS it only affects binary size. Memory consumption is more or less the same.

tklauser

comment created time in 2 days

pull request comment cilium/cilium

[RFC] make: strip symbol tables from all binaries by default

test-me-please

tklauser

comment created time in 2 days

push event cilium/cilium

Thomas Graf

commit sha f5c42e7e0cda0c2a0ee46a8467382c8acc6fd388

api: Add missing annotations to generate DeepCopy for new status fields The referenced commits below did not add the annotations required to generate the DeepCopy() code. Add the annotations and autogenerate the code. Fixes: b2271f74c0f ("api: Extend proxy redirect status") Fixes: 06add2d8ba7 ("api: Add KubeProxyReplacement field to StatusResponse") Signed-off-by: Thomas Graf <thomas@cilium.io>


Paul Chaignon

commit sha 7d7a3db5a828d56244147138481da4d7ca9f880e

docs: Fix formatting of link to GCloud SDK Link format was Markdown instead of reStructuredText. Signed-off-by: Paul Chaignon <paul@cilium.io>


Paul Chaignon

commit sha 5dde03ae860f06eab0d44b78fd0b2144d93688ee

docs: Duplicate validation step Since we deploy Cilium in its own cilium namespace, we need to change the Validation section accordingly. Signed-off-by: Paul Chaignon <paul@cilium.io>


Paul Chaignon

commit sha 09fc8da0525485e53f439236f600972955acac20

docs: Clarify why global.restartPods is not the default Users might not want to restart pods as soon as the Cilium daemonset is installed, so we provide a separate step for that. Since we also mention the global.restartPods flag, let's clarify why that's not always a good idea and not our default. Signed-off-by: Paul Chaignon <paul@cilium.io>


Paul Chaignon

commit sha a4ce0e1872e397acc50857f7b51accc35b8b3b26

docs: De-duplicate Connectivity Test section Signed-off-by: Paul Chaignon <paul@cilium.io>


Tobias Klauser

commit sha b52a9821418c09bd1ab0bc4950713013cd1d87d8

client, identity: remove unnecessary guards around delete() From https://golang.org/pkg/builtin/#delete > If the map is nil or there is no such element, delete is a no-op. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


Joe Stringer

commit sha c1b28422502c0636496fdc6b8c415ecccc5c2375

.github: update cilium-actions for latest 1.7 RC Signed-off-by: Joe Stringer <joe@cilium.io>


Michal Rostecki

commit sha 3f18897f19ec5eac8c2b0b1abe1278c26ddb7cf0

datapath: Filter out bpftool probes emitting dmesg messages bpftool feature probes related to trace, perf and write_user helpers are emitting dmesg messages with warnings which may be confusing for operators running Cilium on production environments. After this change, those probes will not be performed. Fixes #10048 Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>


Michal Rostecki

commit sha 780393d48f31292fc33d887bd9adb06284a26287

Dockerfile: Use Cilium fork of the kernel to build bpftool Cilium fork of the Linux kernel contains necessary enhancements for bpftool which are not available upstream yet. Ref: #10048 Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>


Michal Rostecki

commit sha c4b6095d69fca4b9875d2c222bba434e818632d6

ci: Install bpftool from Cilium fork of the kernel This should be done in packer-ci-build, but to get the fix faster, we install patched bpftool here as a temporary hack... Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>


Joe Stringer

commit sha 640b7a6cb35905ca1aafd3010baf9b8265d383c9

charts: Generate versions from VERSION file

Use the top-of-tree VERSION file to generate the chart versions and update the pull policy using the following rules:

* Set the helm chart versions to the VERSION in the file
* If the VERSION file ends with ".90":
  - Set the cilium tag to 'latest'
  - Set the pullPolicy to 'Always'
* If the VERSION file does not end with ".90":
  - Set the cilium tag to the VERSION in the file
  - Set the pullPolicy to 'IfNotPresent'
* Set the managed-etcd version tag to the version specified at the top of this Makefile. This must be manually bumped, it does not appear to follow the standard Cilium docker image tag process.

Signed-off-by: Joe Stringer <joe@cilium.io>


Tobias Klauser

commit sha 1dfe49f45a8b8d15c11868b9d5d36adc8e8b76a2

Documentation: read Go version from GO_VERSION file for development setup This avoids having to bump the Go version in the docs manually and also allows to get rid of the Go version check in Documentation/Makefile. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


Tobias Klauser

commit sha 7dd2b36782e79a41078234e33af2d4cdd63c83d8

test: define variable for Go version This will allow to easily bump the version via a Makefile target introduced in a successive commit. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


Tobias Klauser

commit sha c95f93b87cfc7fbe0bc8ea5698b4bb59d3645e7f

Makefile: add target to update Go version in test scripts

Read the Go version from the GO_VERSION file and use it to replace the hard-coded versions in the test scripts. Together with the preceding commits, this allows to bump the Go version in a single place: the GO_VERSION file. Updating to a new Go version (1.13.8 in this example) is now as easy as:

echo 1.13.8 > GO_VERSION && make update-golang

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


Martynas Pumputis

commit sha 46300783b166ac13300d78113e99a2a6e1cbf534

bpf: Fix space hack in Makefile Fix the space hack which stopped working with make v4.3 (works with v4.2 though): [..] " [-DENABLE_HOST_REDIRECT-DENABLE_IPV4-DENABLE_IPV6-DENABLE_NAT46]"; clang -DENABLE_HOST_REDIRECT-DENABLE_IPV4-DENABLE_IPV6-DENABLE_NAT46 -I/home/brb/sandbox/gopath/src/github.com/cilium/cilium/bpf/include -I/home/brb/sandbox/gopath/src/github.com/cilium/cilium/bpf -D__NR_CPUS__=8 -O2 -g -target bpf -emit-llvm -Wall -Werror -Wno-address-of-packed-member -Wno-unknown-warning-option -c bpf_lxc.c -o bpf_lxc.ll; llc -march=bpf -mcpu=probe -mattr=dwarfris -o /dev/null bpf_lxc.ll; \ fi In file included from <built-in>:323: <command line>:1:20: error: ISO C99 requires whitespace after the macro name [-Werror,-Wc99-extensions] #define ENABLE_IPV4-DHAVE_LPM_MAP_TYPE 1 Signed-off-by: Martynas Pumputis <m@lambda.lt>


Quentin Monnet

commit sha 0e5b45966416eca4795ddedd5218e631b1dd959a

Makefile: move cscope.files generation to its own target Commit 6c66fe9df9f6 ("Makefile: Fix duplicates in cscope output") added cscope.files as a dependency to the "tags" target. However, this is the very target supposed to be used to build cscope.files in the first place, so running "make tags" for the first time (when cscope.files is not present) fails. Let's keep cscope.files as a dependency for "tags", but move the generation of that file to its own target. Also silence the "ctags" command when creating tags. Fixes: 6c66fe9df9f6 ("Makefile: Fix duplicates in cscope output") Signed-off-by: Quentin Monnet <quentin@isovalent.com>


Thomas Graf

commit sha 1bf235a4cecbc844740e949165607cd25b33e1a4

clustermesh: Add cilium status section

Brief status:

```
ClusterMesh: 1/1 clusters ready, 1 global-services
```

Verbose status:

```
ClusterMesh: 1/1 clusters ready, 1 global-services
cluster2: ready, 2 nodes, 3 identities, 1 services
└ etcd: 1/1 connected, lease-ID=19b870354bdf4432, lock lease-ID=19b870354bdf4434, has-quorum=true: https://cluster2.mesh.cilium.io:2379 - 3.3.12
```

Signed-off-by: Thomas Graf <thomas@cilium.io>


Paul Chaignon

commit sha 1810709a25e50d8db9101d1ede71be8568220317

vagrant: Install temporary forked bpftool

Provisioning of the Vagrant development environment fails due to the missing forked bpftool:

$ ./contrib/vagrant/start.sh
[...]
runtime1: Feb 13 17:26:23 runtime1 cilium-agent[20863]: level=error msg="Command execution failed" cmd="[bpftool -j feature probe filter_out \\(trace\\|write_user\\)]" error="exit status 255" subsys=probes
runtime1: Feb 13 17:26:23 runtime1 cilium-agent[20863]: level=warning msg="{\"error\":\"expected no more arguments, 'kernel', 'dev', 'macros' or 'prefix', got: 'filter_out'?\"}" subsys=probes
runtime1: Feb 13 17:26:23 runtime1 cilium-agent[20863]: level=fatal msg="could not run bpftool" error="exit status 255" subsys=probes
runtime1: Cilium failed to start
[...]

This provisioning failure was introduced by #10164. Cilium now expects bpftool to be Cilium's (temporary) forked version, but the VirtualBox VM has the upstream bpftool. This commit installs the forked bpftool as part of the Vagrant provisioning.

Signed-off-by: Paul Chaignon <paul@cilium.io>


Tobias Klauser

commit sha 5b9002d61500b674c04b5bdd4aa00f91619af8e0

docs: fix link for Cilium-PR-Kubernetes-Upstream job Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


André Martins

commit sha 459925361e4a05f83c4366df93830c017e9a0425

golang: update to 1.13.8 Signed-off-by: André Martins <andre@cilium.io>


push time in 2 days

pull request comment cilium/cilium

Add priority class to operator deployment

The link for Submitting a Pull Request is dead.

Thanks for the report. I sent PR #10287 which fixes the link (and the one to the COO too).

maxbischoff

comment created time in 2 days

PR opened cilium/cilium

.github: fix doc links in PR template

Adjust the links to their new location and change them to https.

Reported-by: Maximilian Bischoff <maximilian.bischoff@inovex.de> (in #10285)
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

+3 -3

0 comment

1 changed file

pr created time in 2 days

create branch cilium/cilium

branch : pr/tklauser/fix-pr-template-links

created branch time in 2 days

pull request comment cilium/cilium

[WIP] plugins/cilium-cni: duplicate ENISpec

test-me-please

tklauser

comment created time in 2 days

push event tklauser/netsniff-ng

Tobias Klauser

commit sha 1fe3d20291b339101d8931a15816add1ea85beef

AUTHORS: update Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


Michael R Torres

commit sha 21b9cc33337e904dee4cac87794291ca95a148dd

mz: Zero memory allocated for new automops element Prevent crashes when using mausezahn in interactive mode by using calloc to zero the memory upon allocation. Fixes #195 Signed-off-by: Michael R Torres <mic.ric.tor@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


push time in 2 days

PR closed netsniff-ng/netsniff-ng

mz: Zero memory allocated for new automops element

Prevent crashes when using mausezahn in interactive mode by using calloc to zero the memory upon allocation.

Fixes #195

Signed-off-by: Michael R Torres <mic.ric.tor@gmail.com>

+1 -1

1 comment

1 changed file

micrictor

pr closed time in 2 days

pull request comment netsniff-ng/netsniff-ng

mz: Zero memory allocated for new automops element

Thanks! Merged as 21b9cc33337e904dee4cac87794291ca95a148dd

micrictor

comment created time in 2 days

push event netsniff-ng/netsniff-ng

Michael R Torres

commit sha 21b9cc33337e904dee4cac87794291ca95a148dd

mz: Zero memory allocated for new automops element Prevent crashes when using mausezahn in interactive mode by using calloc to zero the memory upon allocation. Fixes #195 Signed-off-by: Michael R Torres <mic.ric.tor@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


push time in 2 days

issue closed netsniff-ng/netsniff-ng

mausezahn -x crashes

backtrace:

$ sudo gdb -q -ex run --args mausezahn/mausezahn -x 2323
Reading symbols from mausezahn/mausezahn...done.
Starting program: /home/mcroce/src/netsniff-ng/mausezahn/mausezahn -x 2323
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
warning: Loadable section ".note.gnu.property" outside of ELF segments

Program received signal SIGSEGV, Segmentation fault.
0x0000000000405336 in automops_delete_fields (amp=0x6cceb0) at staging/automops.c:798
798                     cur = cur->next;
Missing separate debuginfos, use: dnf debuginfo-install glibc-2.27-30.fc28.x86_64 libcli-1.9.7-0.20160131gite60d4cc.fc28.x86_64 libnet-1.1.6-15.fc28.x86_64 libpcap-1.9.0-1.fc28.x86_64 libxcrypt-4.1.1-4.fc28.x86_64
(gdb) bt
#0  0x0000000000405336 in automops_delete_fields (amp=0x6cceb0) at staging/automops.c:798
#1  0x00000000004036b6 in automops_set_defaults (cur=0x6cceb0) at staging/automops.c:62
#2  0x000000000040356f in automops_init () at staging/automops.c:32
#3  0x0000000000406e6d in mz_cli_init () at staging/cli.c:28
#4  0x000000000042943b in getopts (argc=3, argv=0x7fffffffe4c8) at staging/mausezahn.c:819
#5  0x00000000004296fc in main (argc=3, argv=0x7fffffffe4c8) at staging/mausezahn.c:916
(gdb)

closed time in 2 days

teknoraver

push event netsniff-ng/netsniff-ng

Tobias Klauser

commit sha 1fe3d20291b339101d8931a15816add1ea85beef

AUTHORS: update Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


push time in 2 days

issue comment cilium/cilium

Agent memory optimization

Since we just use it for the JSON spec, I tried duplicating ENISpec into cilium-cni/types with #10282 as a low-effort short term solution. Currently, it's running through CI. I'm not sure whether I overlooked something?

tgraf

comment created time in 2 days

pull request comment cilium/cilium

[WIP] plugins/cilium-cni: duplicate ENISpec

test-me-please

tklauser

comment created time in 2 days

PR opened cilium/cilium

[WIP] plugins/cilium-cni: duplicate ENISpec ci-check-only wip

Duplicate type ENISpec struct from pkg/k8s/apis/cilium.io/v2 to reduce package dependencies. This reduces the binary size of cilium-cni from ~47M to ~21M for #10056

While not very elegant, this would be a low-effort solution to reduce cilium-cni binary size significantly. Not sure if I overlooked something, thus testing this on CI.

+87 -9

0 comment

2 changed files

pr created time in 2 days

create branch cilium/cilium

branch : pr/tklauser/rfc-cilium-cni-duplicate-enispec

created branch time in 2 days

pull request comment cilium/cilium

iptables: de-duplicate code for forward chain rules

test-me-please

tklauser

comment created time in 2 days

PR opened cilium/cilium

iptables: de-duplicate code for forward chain rules

Move the installation of the forward chain rules into a separate function which is called from (*IptablesManager).TransientRulesStart and (*IptablesManager).InstallRules.

De-duplicate code in (*IptablesManager).ciliumNoTrackXfrmRules.

+69 -84

0 comment

1 changed file

pr created time in 2 days

push event cilium/cilium

Tobias Klauser

commit sha c03fae17fbe79d595e249f49ea811248e56e8cb9

iptables: de-duplicate code in (*IptablesManager).ciliumNoTrackXfrmRules Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


push time in 2 days

push event cilium/cilium

Tobias Klauser

commit sha 6af97cb7c8deed204649d81c758dd95908e5f084

iptables: de-duplicate code for forward chain rules Move the installation of the forward chain rules into a separate function which is called from (*IptablesManager).TransientRulesStart and (*IptablesManager).InstallRules. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


push time in 2 days

push event cilium/cilium

Tobias Klauser

commit sha b78b2ed23ae73d40d50d3200ae6a33a8c3bf6b62

iptables: de-duplicate code for forward chain rules Move the installation of the forward chain rules into a separate function which is called from (*IptablesManager).TransientRulesStart and (*IptablesManager).InstallRules. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


push time in 2 days

create branch cilium/cilium

branch : pr/tklauser/datapath-iptables-deduplicate-code

created branch time in 2 days

pull request comment cilium/cilium

bpf: use syscall.BytePtrFromString instead of deprecated syscall.StringBytePtr

@joestringer not really a bugfix, rather a cleanup

tklauser

comment created time in 2 days

pull request comment cilium/cilium

bpf: use syscall.BytePtrFromString instead of deprecated syscall.StringBytePtr

test-me-please

tklauser

comment created time in 2 days

push event cilium/cilium

André Martins

commit sha 40657fa1ed98f10f90453b02cd69c67b6fce192b

test: upgrade tests from v1.7 to master Signed-off-by: André Martins <andre@cilium.io>


Tobias Klauser

commit sha f5d76918395ddb5564f166967c4a5d688c0a8215

datapath/loader: always set all args to bpf/init.sh Passing empty strings to bpf/init.sh will lead to arguments being misinterpreted as their index is no longer correct. This can e.g. lead to the MTU not being set in "vxlan" mode as seen in #10228. Thus, always set all 17 (current value initArgMax) arguments to non-empty values. Use "<nil>" as a default empty value if the arg is not used by bpf/init.sh. Fixes #10228 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


Tobias Klauser

commit sha 01fb5de90b6e76a658302d82a70c9c5dea75d5ba

daemon: remove deprecated --enable-legacy-services option The option was announced to be deprecated in Cilium 1.6 with commit 6eb4d1d89e6a ("daemon: Deprecate `enable-legacy-services` option"). It no longer had any effect, so remove it now. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


Martynas Pumputis

commit sha 5ceca6336eb447a145732d691772ecf950edd6c0

sysctl: Add Read function The function can be used for reading sysctl parameters. Signed-off-by: Martynas Pumputis <m@lambda.lt>


Martynas Pumputis

commit sha 1099ecfea1535d38417ceb2bba44e4b4438ea260

option: Check nodePortMax < ephermeralPortMin in agent

Previously, if the ephermeral range min port was not greater than the nodeport range max port, the compilation of bpf_netdev was failing with a cryptic message:

level=warning msg="In file included from /var/lib/cilium/bpf/bpf_overlay.c:39:" subsys=daemon
level=warning msg="/var/lib/cilium/bpf/lib/nodeport.h:898:3: error: array size is negative" subsys=daemon
level=warning msg=" build_bug_on(!(NODEPORT_PORT_MAX < EPHERMERAL_MIN));" subsys=daemon
level=warning msg=" ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" subsys=daemon
level=warning msg="/var/lib/cilium/bpf/lib/utils.h:124:45: note: expanded from macro 'build_bug_on'" subsys=daemon
level=warning msg="# define build_bug_on(e) ((void)sizeof(char[1 - 2*!!(e)]))" subsys=daemon
level=warning msg=" ^~~~~~~~~~~" subsys=daemon
level=warning msg="3 warnings and 1 error generated." subsys=daemon

Fix this by checking the constraint in the agent, and log a helpful message how to fix it.

Signed-off-by: Martynas Pumputis <m@lambda.lt>


Martynas Pumputis

commit sha 6051681bdb7a392a1567219fcd8895befda639e9

bpf,option: Fix EPHE**R**MERAL typo It's a ephemeral port range, not a ephermeral port range. Signed-off-by: Martynas Pumputis <m@lambda.lt>


Martynas Pumputis

commit sha bc73555928809e1515c6c59ce80e4bd5c3a28db6

daemon: Ignore nodeport and ephemeral port check in non-strict mode Otherwise, we might see some users unexpectedly seeing the panic, as in v1.7 we started to enable NodePort by default. Signed-off-by: Martynas Pumputis <m@lambda.lt>


Tobias Klauser

commit sha a15b7a6817ce2a21eb4fbccfc9f1675a2eea14ae

all: remove unused global log vars The `log` var is unused in some packages, so remove it where this is the case. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


Tobias Klauser

commit sha ae2ec9643ee71e0bbfb2c73e5e39e4ea69c0c799

pkg/bpf: remove unused Map.once member Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


Tobias Klauser

commit sha b5b3b3fc92e3eee16342cf806188acd9796fba06

fqdn: remove unused prepareNameMatch function This is unused since commit 1121202121f7 ("fqdn: L3-aware L7 DNS policy enforcement") Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


Tobias Klauser

commit sha 5ddace3bde3fc5011e20a440b714d775f4286744

datapath: remove unused configWriter member of type linuxDatapath Also reorder initialization in NewDatapath so that embedded types are initialized first. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


Tobias Klauser

commit sha c7d132b57f4f070cdc6ac6703f618c3251cf043c

datapath: move lookupDirectRoute to node_linux_test.go (*linuxNodeHandler).lookupDirectRoute is only used in test code and does not use any members of linuxNodeHandler, so make it a regular function and move it to node_linux_test.go Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


Tobias Klauser

commit sha 5c11390d3a5becf4930e9bca75da27173e761cea

datapath: remove unused getLogger func Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


Tobias Klauser

commit sha c509d107509f162350e3efc166e9957c32d6ed0b

endpoint: remove unused funcs and types type EndpointPolicyVisibilityEventResult, (*Endpoint).getIDandLabels and (*Endpoint).removeProxyRedirect are unused, remove them. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


Tobias Klauser

commit sha 81e906beb9501a5d044de1d2636d31bcc53515b7

cni: remove unused func releaseIPs Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


Tobias Klauser

commit sha e2b162fb68fe0772908151cb151863a453860048

daemon: remove unused type and func Remove unused type rulesManager and func checkLocks. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


Tobias Klauser

commit sha 800a47f5d5b4e9b717c5719bc94bad7c85052449

aws/eni: remove unused type instance Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


Tobias Klauser

commit sha 0477814556249f4cd496791bff0cd874b0f32215

ipam: remove unused type owner Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


Tobias Klauser

commit sha aecbc10016269befce95256c147beb98403c54ad

ipcache: remove unused const fieldIdentities Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


Tobias Klauser

commit sha e644fc15ebe5ad17d134913579d7342dbd4234bf

kvstore/allocator: remove unused consts and type member Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


push time in 2 days

delete branch tklauser/cilium

delete branch : vagrant-start-k8s-nofail

delete time in 3 days

pull request comment cilium/cilium

bpf: don't use fixed size integer types from stdint.h

test-me-please

tklauser

comment created time in 3 days

push event cilium/cilium

André Martins

commit sha 40657fa1ed98f10f90453b02cd69c67b6fce192b

test: upgrade tests from v1.7 to master Signed-off-by: André Martins <andre@cilium.io>


Tobias Klauser

commit sha f5d76918395ddb5564f166967c4a5d688c0a8215

datapath/loader: always set all args to bpf/init.sh Passing empty strings to bpf/init.sh will lead to arguments being misinterpreted as their index is no longer correct. This can e.g. lead to the MTU not being set in "vxlan" mode as seen in #10228. Thus, always set all 17 (current value initArgMax) arguments to non-empty values. Use "<nil>" as a default empty value if the arg is not used by bpf/init.sh. Fixes #10228 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


Tobias Klauser

commit sha 4c8a858c01275055a7df0bec75acdd5bff8e012a

bpf: don't use fixed size integer types from stdint.h Use stddef.h to get size_t, use kernel definitions for fixed size types where appropriate (e.g. uint32_t -> __u32) This allows to get rid of the x32 libc header dependency to pull in the GNU libc stub headers needed by stdint.h. This should thus more easily allow to compile the BPF programs on platforms other than amd64 (e.g. arm64, ppc64). Also clean up some other unused includes. For some reason these changes lead to clang complaining about several functions defined in .h files being unused. Mark these as __maybe_unused or if they are used in a single place move them to the .c file. Fixes #368 Fixes #8529 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


push time in 3 days

issue comment cilium/cilium

Agent memory optimization

Another simple short-term solution would be to copy type ENISpec into cilium-cni/types and add comments to make sure any future updates would be done to both structures.

tgraf

comment created time in 3 days

issue comment cilium/cilium

Agent memory optimization

Interesting comment here wrt. ctmap size:

https://github.com/cilium/cilium/blob/405a7ae27330562c6f2b6de397b953bf45f0ae51/pkg/option/config.go#L428-L431

tgraf

comment created time in 3 days

pull request comment cilium/cilium

bpf: use syscall.BytePtrFromString instead of deprecated syscall.StringBytePtr

test-me-please

tklauser

comment created time in 3 days

pull request comment cilium/cilium

daemon: remove deprecated --enable-legacy-services option

test-me-please

tklauser

comment created time in 3 days

Pull request review comment cilium/cilium

daemon: Create all global maps in cilium-agent

 func (m *Map) DumpEntries() (string, error) {  // NewMap creates a new CT map of the specified type with the specified name. func NewMap(mapName string, mapType MapType) *Map {

While at it, I think you could unexport this function (maybe in a separate commit). It is only used within the ctmap package.

pchaigno

comment created time in 3 days

pull request comment cilium/cilium

bpf: don't use fixed size integer types from stdint.h

test-me-please

tklauser

comment created time in 3 days

pull request comment cilium/cilium

daemon: remove deprecated --enable-legacy-services option

test-me-please

tklauser

comment created time in 3 days

pull request comment cilium/cilium

daemon: remove deprecated --enable-legacy-services option

test-docs-please

tklauser

comment created time in 3 days

PR opened cilium/cilium

daemon: remove deprecated --enable-legacy-services option pending-review release-note/minor

The option was announced to be deprecated in Cilium 1.6 with commit 6eb4d1d89e6a ("daemon: Deprecate enable-legacy-services option"). It no longer had any effect, so remove it now.

The deprecated `--enable-legacy-service` option was removed.

+7 -8

0 comment

3 changed files

pr created time in 3 days

push event tklauser/netsniff-ng

Michael R. Torres

commit sha 8d84c45d196f5d5c4209f82388df7688e7196ddd

mz: Fix accidental assignment in conditional statement Corrects the accidental assignment of _c_ to 'c' or 'p' due to a missing equals sign. This enables the proper display of the missing argument error message for all relevant options. Signed-off-by: Michael R Torres <mic.ric.tor@gmail.com>


push time in 3 days

pull request comment cilium/cilium

bpf: use syscall.BytePtrFromString instead of deprecated syscall.StringBytePtr

test-me-please

tklauser

comment created time in 3 days

pull request comment cilium/cilium

Remove unused funcs, types and global vars

test-me-please

tklauser

comment created time in 3 days

pull request comment cilium/cilium

datapath/loader: always set all args to bpf/init.sh

test-me-please

tklauser

comment created time in 3 days

push event cilium/cilium

Tobias Klauser

commit sha 77890e638bf737cdf699aa6373f1809be290c4d2

datapath/loader: always set all args to bpf/init.sh Passing empty strings to bpf/init.sh will lead to arguments being misinterpreted as their index is no longer correct. This can e.g. lead to the MTU not being set in "vxlan" mode as seen in #10228. Thus, always set all 17 (current value initArgMax) arguments to non-empty values. Use "<nil>" as a default empty value if the arg is not used by bpf/init.sh. Fixes #10228 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>


push time in 3 days

pull request comment netsniff-ng/netsniff-ng

mz: Fix accidental assignment in conditional

Thanks!

micrictor

comment created time in 3 days

PR merged netsniff-ng/netsniff-ng

mz: Fix accidental assignment in conditional

Discovered via static code analysis courtesy of CodeQL

+2 -2

0 comment

1 changed file

micrictor

pr closed time in 3 days

push event netsniff-ng/netsniff-ng

Michael R. Torres

commit sha 8d84c45d196f5d5c4209f82388df7688e7196ddd

mz: Fix accidental assignment in conditional statement Corrects the accidental assignment of _c_ to 'c' or 'p' due to a missing equals sign. This enables the proper display of the missing argument error message for all relevant options. Signed-off-by: Michael R Torres <mic.ric.tor@gmail.com>


push time in 3 days

pull request comment cilium/cilium

bpf: don't use fixed size integer types from stdint.h

test-me-please

tklauser

comment created time in 3 days

pull request comment cilium/cilium

bpf: don't use fixed size integer types from stdint.h

test-me-please

tklauser

comment created time in 3 days

pull request comment cilium/cilium

datapath/loader: always set all args to bpf/init.sh

test-me-please

tklauser

comment created time in 3 days

push event cilium/cilium

Tobias Klauser

commit sha 56c17631ed57786e9756318bacee3ad4c9aac9bf

datapath/loader: always set all args to bpf/init.sh Passing empty strings to bpf/init.sh will lead to arguments being misinterpreted as their index is no longer correct. This can e.g. lead to the MTU not being set in "vxlan" mode as seen in #10228. Thus, always set all 17 (current value initArgMax) arguments to non-empty values. Use "<nil>" as a default empty value if the arg is not used by bpf/init.sh. Fixes #10228 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

push time in 3 days

push event cilium/cilium

Tobias Klauser

commit sha 405a7ae27330562c6f2b6de397b953bf45f0ae51

datapath: convert global variables to consts where possible
Also unexport consts/vars not used outside the package. This also slightly reduces the binary size of cilium-agent:
== daemon/cilium-agent ==
bss   7752192   7752128   -64
data  894041    893913    -128
dec   64553770  64551603  -2167
hex   3d9032a   3d8fab3   -877
text  55907537  55905562  -1975
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha fea74172b282d329a64a63ac60f9caafede9e914

bpf: don't use fixed size integer types from stdint.h Use stddef.h to get size_t, use kernel definitions for fixed size types where appropriate (e.g. uint32_t -> __u32) This allows to get rid of the x32 libc header dependency to pull in the GNU libc stub headers needed by stdint.h. This should thus more easily allow to compile the BPF programs on platforms other than amd64 (e.g. arm64, ppc64). Also clean up some other unused includes. For some reason these changes lead to clang complaining about several functions defined in .h files being unused. Mark these as __maybe_unused or if they are used in a single place move them to the .c file. Fixes #368 Fixes #8529 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

push time in 3 days

Pull request review comment cilium/cilium

bpf: don't use fixed size integer types from stdint.h

 #ifndef _ASM_X86_BYTEORDER_H #define _ASM_X86_BYTEORDER_H -#include <endian.h>--#if __BYTE_ORDER == __LITTLE_ENDIAN+#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
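
Review bot: the new `#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__` has no defined() guard, so on a compiler that predefines neither macro both sides evaluate to 0 in the preprocessor and the little-endian branch is selected silently. Guard it with `defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__)` and add an `#error` for the case where the macros are missing, so a wrong byte order fails at build time rather than showing up as misparsed fields at run time.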

Was a bit too quick to reply. Looks like it is still needed for __constant_htonl in bpf/lib/utils.h.

tklauser

comment created time in 3 days

Pull request review comment cilium/cilium

bpf: don't use fixed size integer types from stdint.h

 var badLogMessages = map[string][]string{ 	NACKreceived:      nil, 	RunInitFailed:     {"signal: terminated", "signal: killed"}, 	sizeMismatch:      nil,+	emptyBPFInitArg:   nil,

Oops, indeed. This should have gone into #10230. Will remove.

tklauser

comment created time in 3 days

Pull request review comment cilium/cilium

bpf: don't use fixed size integer types from stdint.h

 func compileAndLink(ctx context.Context, prog *progInfo, dir *directoryInfo, deb 	return err } -// progLDFlags determines the compiler flags for the specified prog and paths.+var (+	unameOnce sync.Once++	// default fallback+	machineName = "x86_64"+)++// getMachineName returns the machine hardware name of this host.+func getMachineName() string {+	unameOnce.Do(func() {+		var uts unix.Utsname+		err := unix.Uname(&uts)+		if err == nil {+			machineName = string(uts.Machine[:bytes.IndexByte(uts.Machine[:], 0)])+		}
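
Review bot: in getMachineName, `bytes.IndexByte(uts.Machine[:], 0)` returns -1 when the array holds no NUL byte, and slicing with that index panics inside the sync.Once; check for -1 and use the whole array in that case before converting to a string. The `err != nil` path also keeps the "x86_64" fallback without any log output, so a failed uname on a non-x86_64 host would go unnoticed; a warning there would make the fallback visible.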

Good point. I think this might even deserve a warning?

tklauser

comment created time in 3 days

Pull request review comment cilium/cilium

bpf: don't use fixed size integer types from stdint.h

 static inline __u32 bpf_ktime_get_sec(void) 	return (__u64)(bpf_ktime_get_nsec() / NSEC_PER_SEC); } -#if __BYTE_ORDER == __LITTLE_ENDIAN+#if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && \+	__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
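
Review bot: with the added defined() guards, a compiler that predefines neither `__BYTE_ORDER__` nor `__ORDER_LITTLE_ENDIAN__` makes the condition false, so the code falls through to whatever follows this `#if` as if the target were not little-endian. An explicit `#error` for the undefined case would turn that into a build failure. Separately, in the context lines bpf_ktime_get_sec() is declared to return `__u32` but casts its result to `__u64`, so the value is truncated implicitly on return; make the cast match the return type.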

These are defined by both GCC (https://gcc.gnu.org/onlinedocs/cpp/Common-Predefined-Macros.html) and LLVM and it's e.g. what the Abseil C++ library uses: https://github.com/abseil/abseil-cpp/blob/c44657f55692eddf5504156645d1f4ec7b3acabd/absl/base/config.h#L444-L465

tklauser

comment created time in 3 days

Pull request review comment cilium/cilium

bpf: don't use fixed size integer types from stdint.h

 #ifndef _ASM_X86_BYTEORDER_H #define _ASM_X86_BYTEORDER_H -#include <endian.h>--#if __BYTE_ORDER == __LITTLE_ENDIAN+#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__

Doesn't seem to be needed anymore. Will remove it.

tklauser

comment created time in 3 days

Pull request review comment cilium/cilium

bpf: don't use fixed size integer types from stdint.h

 #include "lib/conntrack.h" #include "lib/dbg.h" #include "lib/drop.h"+#define SKIP_UNDEF_LPM_LOOKUP_FN
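
Review bot: the added `#define SKIP_UNDEF_LPM_LOOKUP_FN` sits after lib/conntrack.h, lib/dbg.h and lib/drop.h, so it only affects headers included below it, and nothing here says which header tests it. Add a one-line comment naming the consumer and what the macro suppresses, so a later reorder of the includes does not silently change which functions get compiled.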

Just another cleanup which was surfaced by several functions suddenly being complained about by the compiler as being unused after this change. I'm still not sure why there weren't any -Wunused-function errors before this change though.

tklauser

comment created time in 3 days

pull request comment cilium/cilium

bpf: use syscall.BytePtrFromString instead of deprecated syscall.StringBytePtr

test-me-please

tklauser

comment created time in 3 days

push event cilium/cilium

Daniel Borkmann

commit sha 5c8537cb09aad56ad0f1774c1a6ce5e1651a2d32

bpf, daemon: fix CT_REPORT_FLAGS truncation warning The value really needs to be 0xff. We got that correct in the shipped bpf/node_config.h file, but not for the go generated header where it is currently ^uint16(0). Therefore fix up TCPFlags. [...] level=warning msg="+ clang -O2 -g -target bpf -emit-llvm -Wno-address-of-packed-member -Wno-unknown-warning-option -I. -I/run/cilium/state/globals -I/var/lib/cilium/bpf -I/var/lib/cilium/bpf/include -D__NR_CPUS__=2 -DENABLE_ARP_RESPONDER -DHANDLE_NS -DSECLABEL=2 -DLB_L3 -DLB_L4 -DBPF_PKT_DIR=0 '-DNODE_MAC={.addr={0x42,0x09,0x4d,0x59,0x33,0xe9}}' -DCALLS_MAP=cilium_calls_netdev_2 -c /var/lib/cilium/bpf/bpf_netdev.c -o -" subsys=datapath-loader level=warning msg="In file included from /var/lib/cilium/bpf/bpf_netdev.c:50:" subsys=datapath-loader level=warning msg="In file included from /var/lib/cilium/bpf/lib/nat.h:32:" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/conntrack.h:178:8: warning: implicit conversion from 'int' to 'uint8_t' (aka 'unsigned char') changes value from 65535 to 255 [-Wconstant-conversion]" subsys=datapath-loader level=warning msg=" CT_REPORT_FLAGS);" subsys=datapath-loader level=warning msg=" ^~~~~~~~~~~~~~~" subsys=datapath-loader level=warning msg="/run/cilium/state/globals/node_config.h:28:25: note: expanded from macro 'CT_REPORT_FLAGS'" subsys=datapath-loader level=warning msg="#define CT_REPORT_FLAGS 0xffff" subsys=datapath-loader level=warning msg=" ^~~~~~" subsys=datapath-loader level=warning msg="In file included from /var/lib/cilium/bpf/bpf_netdev.c:50:" subsys=datapath-loader level=warning msg="In file included from /var/lib/cilium/bpf/lib/nat.h:32:" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/conntrack.h:296:22: warning: implicit conversion from 'int' to 'uint8_t' (aka 'unsigned char') changes value from 65535 to 255 [-Wconstant-conversion]" subsys=datapath-loader level=warning msg=" seen_flags, CT_REPORT_FLAGS);" subsys=datapath-loader 
level=warning msg=" ^~~~~~~~~~~~~~~" subsys=datapath-loader level=warning msg="/run/cilium/state/globals/node_config.h:28:25: note: expanded from macro 'CT_REPORT_FLAGS'" subsys=datapath-loader level=warning msg="#define CT_REPORT_FLAGS 0xffff" subsys=datapath-loader level=warning msg=" ^~~~~~" subsys=datapath-loader [...] Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

Daniel Borkmann

commit sha 211883c85c45f65d76c3e2f81c5b2d283f115278

bpf: fix incompatible pointer type warning on mac addr [...] level=warning msg="In file included from /var/lib/cilium/bpf/bpf_netdev.c:52:" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/nodeport.h:1057:26: warning: incompatible pointer types passing 'uint8_t (*)[6]' to parameter of type 'uint8_t *' (aka 'unsigned char *') [-Wincompatible-pointer-types]" subsys=datapath-loader level=warning msg=" if (eth_load_saddr(skb, &smac.addr, 0) < 0)" subsys=datapath-loader level=warning msg=" ^~~~~~~~~~" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/eth.h:63:63: note: passing argument to parameter 'mac' here" subsys=datapath-loader level=warning msg="static inline int eth_load_saddr(struct __sk_buff *skb, __u8 *mac, int off)" subsys=datapath-loader level=warning msg=" ^" subsys=datapath-loader level=warning msg="In file included from /var/lib/cilium/bpf/bpf_netdev.c:52:" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/nodeport.h:1151:32: warning: incompatible pointer types passing 'uint8_t (*)[6]' to parameter of type 'uint8_t *' (aka 'unsigned char *') [-Wincompatible-pointer-types]" subsys=datapath-loader level=warning msg=" if (eth_store_daddr(skb, &dmac->addr, 0) < 0)" subsys=datapath-loader level=warning msg=" ^~~~~~~~~~~" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/eth.h:78:64: note: passing argument to parameter 'mac' here" subsys=datapath-loader level=warning msg="static inline int eth_store_daddr(struct __sk_buff *skb, __u8 *mac, int off)" subsys=datapath-loader level=warning msg=" ^" subsys=datapath-loader level=warning msg="In file included from /var/lib/cilium/bpf/bpf_netdev.c:52:" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/nodeport.h:1153:32: warning: incompatible pointer types passing 'uint8_t (*)[6]' to parameter of type 'uint8_t *' (aka 'unsigned char *') [-Wincompatible-pointer-types]" subsys=datapath-loader level=warning msg=" if (eth_store_saddr(skb, 
&mac->addr, 0) < 0)" subsys=datapath-loader level=warning msg=" ^~~~~~~~~~" subsys=datapath-loader level=warning msg="/var/lib/cilium/bpf/lib/eth.h:68:64: note: passing argument to parameter 'mac' here" subsys=datapath-loader level=warning msg="static inline int eth_store_saddr(struct __sk_buff *skb, __u8 *mac, int off)" subsys=datapath-loader level=warning msg=" ^" subsys=datapath-loader [...] Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

Daniel Borkmann

commit sha abf5366a5d4418f01432563d8e402fb957cd12e7

daemon, probe: whether CONFIG_CGROUP_BPF is compiled in Given for new deployments, we probe the kernel and selectively disable kube-proxy replacement features, we need to dig a bit deeper to check whether CONFIG_CGROUP_BPF is compiled in as otherwise we'd try to proceed with host-reachable services and will later fail to start-up in init.sh given we cannot attach: [...] level=warning msg="+ bpftool cgroup attach /var/run/cilium/cgroupv2 post_bind6 pinned /sys/fs/bpf/tc/globals/cilium_cgroups_post_bind6" subsys=datapath-loader level=warning msg="Error: failed to attach program" subsys=datapath-loader I went improving TestDummyProg() rather than relying on a .config to determine availability of CONFIG_CGROUP_BPF since a config may not necessarily be available on the underlying system. I've explicitly used an invalid fd as target cgroup fd to probe on EBADFD code. When compiled out, we'll simply always get an EINVAL for all kernels. Fixes: #10097 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

Thomas Graf

commit sha 074b092685aff1797ed0224d060b6997f82aabc5

Documentation: Switch EKS documentation to default to ENI ENI has been rock-solid and it is time to point the default EKS documentation to use ENI mode. Signed-off-by: Thomas Graf <thomas@cilium.io>

André Martins

commit sha a86c3a1ffa81482500eec0868aa3ad089a8e9cc7

install/kubernetes: add option to hold cilium agent on clean In the upgrade test we clean up all Cilium state to perform a clean upgrade test. Since that clean up requires that a Cilium agent is not running we need to change the arguments of the Cilium container image to avoid running Cilium at the same time we are cleaning its state. Thus, this commit introduces a new helm option that changes the Cilium container image cmd argument to not perform any action in the node while cleaning up its state. Signed-off-by: André Martins <andre@cilium.io>

Daniel Borkmann

commit sha 022673fa29dc19a42800694d1d2e8f1442df1a5e

bpf, sock: fix post-bind-sock{4,6} not found in ELF file If kube-proxy replacement is in partial mode and only host-reachable services are enabled, the agent will bail out with the following error: [...] level=warning msg="+ tc exec bpf pin /sys/fs/bpf/tc/globals/cilium_cgroups_post_bind4 obj bpf_sock.o type sock attach_type post_bind4 sec post-bind-sock4" subsys=datapath-loader level=warning msg="Program section 'post-bind-sock4' not found in ELF file!" subsys=datapath-loader [...] Given externalIPs depends on NodePort, we can reuse $NODE_PORT in init.sh. Also fix up some small code nits in bpf_sock in bind sections. Fixes: #10120 Fixes: b25663e65d31 ("bpf: Add post_bind{4,6} programs to block NodePorts") Reported-by: Paul Chaignon <paul@isovalent.com> Reported-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

Martynas Pumputis

commit sha 1239278985e54d21c1ce38712e6bd811d46e1f5d

bpf: Remove bpf_netdev.o from previously used devices This commit makes cilium-agent remove bpf_netdev.o from devices which are no longer supposed to have the program attached. This can happen when e.g. a user has specified a different device for NodePort via `--device` or they switched from the direct routing mode to the tunnel mode. Signed-off-by: Martynas Pumputis <m@lambda.lt>

Martynas Pumputis

commit sha 7fc73b855d9198a3cdf76232b65096c9aee45a4b

test: Do not remove tc filter from native dev The programs will be removed by cilium-agent during its bootstrap. Signed-off-by: Martynas Pumputis <m@lambda.lt>

Thomas Graf

commit sha 54d9254abba5b4bb76df58f7074a0aaa4895253b

kubernetes: Updated connectivity check Improved connectivity check with the ability to test various connectivity and policy variations. Signed-off-by: Thomas Graf <thomas@cilium.io>

Thomas Graf

commit sha c58d749816d943c4f9426f67738013f4e8778463

bpf: Fix proxy redirection for egress programs * Handling of the proxy redirection was missing entirely in the to-container section for IPv6. Add it. * The to-container section case was assuming that any proxy redirection is indicated by ipv{46}_policy() returning a non-zero proxy port. This is no longer true since commit 830adba. Fix this by using a separate return code to indicate proxy redirection and treating the proxy port as optional. The above deficits lead to proxy redirection being ineffective when the setting EnableEndpointRoutes was set. Fixes: 830adba1c02 ("bpf: Support proxy using original source address and port.") Fixes: 25a80dfdd5e ("bpf: Add to-container section to bpf_lxc") Fixes: #10105 Signed-off-by: Thomas Graf <thomas@cilium.io>

Maciej Kwiek

commit sha 7b03642caeb64fc00d02e0a7c2c586b0f7c6498a

Add required etcd version for external etcd guide Signed-off-by: Maciej Kwiek <maciej@isovalent.com>

Thomas Graf

commit sha 6b9559ecf021ef2a73025243fa1833fbfdc6b1b1

doc: Document L7 limitation in azure-cni chaining mode Signed-off-by: Thomas Graf <thomas@cilium.io>

Sebastian Wicki

commit sha 02aba8bff4356c664c61bb15ce1f8eeca9a67a29

docs: Mention direct routing mode requirement for DSR Direct Server Return (DSR) currently requires Cilium to be deployed in direct routing mode. This patch updates the kube-proxy-free documentation to reflect this. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

Dmitry Kharitonov

commit sha 5f62b560e64843492423be0fd297019571b7207d

fixed padding after code blocks Signed-off-by: Dmitry Kharitonov <geakstr@me.com>

André Martins

commit sha 25ee77eb9c3e524ff6001d79cd2b566e30d2d124

test: fix upgrade-downgrade test with helm installation Signed-off-by: André Martins <andre@cilium.io>

André Martins

commit sha dd534bc55947d54b8071ae067238ae9cdbe1b66b

docs: reclarify upgrade guide for deprecated label As removing the labels is an operation extremely complex we should warn the users that the label was removed but still give them the option to keep the label to upgrade from older versions to v1.7. During testing it was found that following the existing upgrade guide could leave 2 Cilium pods running per each node when performing a downgrade. Signed-off-by: André Martins <andre@cilium.io>

Thomas Graf

commit sha 3fd7a6a25125d7d1f1c8e9025539e206f7add2e3

doc: Mark encryption as stable for direct-routing and ENI mode Fixes: #10123 Signed-off-by: Thomas Graf <thomas@cilium.io>

Jarno Rajahalme

commit sha aff13556af9aa8c62138d54dc6d2d0de91bf97b4

policy: Fix test combining of L4 and L7. Specify slice size as 0 when making it so that it is not full of zero entries to begin with. This has no effect on test results, but fixing this reduces confusion in reading the test output. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>

Jarno Rajahalme

commit sha 55be11b58e72cc7745042b0cafffffe08627c49f

daemon: Add L3-dependent L7 policy test Signed-off-by: Jarno Rajahalme <jarno@covalent.io>

Jarno Rajahalme

commit sha ba98f0ea3ead15c9a0816ea65166cb741b6daa72

policy: Unify CachedSelectors and L7RulesPerEp Currently all selectors used by a policy are stored in 'CachedSelectors', while a subset of them having L7 rules are present in the L7RulesPerEp. Moving to an on-demand L7 wildcarding scheme requires keeping track of selectors without L7 rules (as those need wildcarding if merged with a filter with L7 rules). Do this by placing all selectors into L7RulesPerEp, while renaming it to 'L7RulesPerSelector'. Selectors without L7 rules have a value 'nil' in this map, which now represents "L7 wildcard". Remove 'CachedSelectors' as it is now fully redundant. Proxies (DNS, Kafka, Envoy) are updated to accept 'nil' as a wildcard rule. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>

push time in 3 days

pull request comment cilium/cilium

Remove unused funcs, types and global vars

test-me-please

tklauser

comment created time in 3 days

pull request comment cilium/cilium

datapath/loader: always set all args to bpf/init.sh

test-me-please

tklauser

comment created time in 3 days

push event cilium/cilium

Tobias Klauser

commit sha eb450e1f69a9c575242c57b16151e694543c78e1

option: mark --keep-bpf-templates as deprecated With go-bindata being removed, the flag becomes a no-op. Mark it as deprecated and announce removal in v1.9. Updates #10075 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha ff22f483938da1c090145ec973401769f0673a53

make: remove the need for go-bindata
Use of go-bindata dates back from times when people ran Cilium as static binary. This has become uncommon and users either use the container image or a package manager which will both ship /var/lib/cilium directly so there is no need to unpack any assets via the binary.
For people still wanting to use Cilium as a static binary, e.g. for local development provide the `install-bpf` Makefile target to install the BPF assets into `/var/lib/cilium`.
This saves ~380 kB in the resulting cilium-agent binary:
== daemon/cilium-agent ==
bss   7752192   7752160   -32
data  894041    651280    -242761
dec   64545230  64166071  -379159
hex   3d8e1ce   3d318b7   -5c917
text  55898997  55762631  -136366
Updates #10056
Fixes #10075
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha 405a7ae27330562c6f2b6de397b953bf45f0ae51

datapath: convert global variables to consts where possible
Also unexport consts/vars not used outside the package. This also slightly reduces the binary size of cilium-agent:
== daemon/cilium-agent ==
bss   7752192   7752128   -64
data  894041    893913    -128
dec   64553770  64551603  -2167
hex   3d9032a   3d8fab3   -877
text  55907537  55905562  -1975
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha 18d34deb4070324922d4481626e88b27352da8c9

datapath/loader: always set all args to bpf/init.sh Passing empty strings to bpf/init.sh will lead to arguments being misinterpreted as their index is no longer correct. This can e.g. lead to the MTU not being set in "vxlan" mode as seen in #10228. Thus, always set all 17 (current value initArgMax) arguments to non-empty values. Use "<nil>" as a default empty value if the arg is not used by bpf/init.sh. Fixes #10228 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

push time in 3 days

pull request comment cilium/cilium

bpf: don't use fixed size integer types from stdint.h

CI finally passed on the latest iteration. PTAL.

tklauser

comment created time in 3 days

pull request comment cilium/cilium

[WIP] bpf: don't use fixed size integer types from stdint.h

test-me-please

tklauser

comment created time in 3 days

push event cilium/cilium

Tobias Klauser

commit sha eb450e1f69a9c575242c57b16151e694543c78e1

option: mark --keep-bpf-templates as deprecated With go-bindata being removed, the flag becomes a no-op. Mark it as deprecated and announce removal in v1.9. Updates #10075 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha ff22f483938da1c090145ec973401769f0673a53

make: remove the need for go-bindata
Use of go-bindata dates back from times when people ran Cilium as static binary. This has become uncommon and users either use the container image or a package manager which will both ship /var/lib/cilium directly so there is no need to unpack any assets via the binary.
For people still wanting to use Cilium as a static binary, e.g. for local development provide the `install-bpf` Makefile target to install the BPF assets into `/var/lib/cilium`.
This saves ~380 kB in the resulting cilium-agent binary:
== daemon/cilium-agent ==
bss   7752192   7752160   -32
data  894041    651280    -242761
dec   64545230  64166071  -379159
hex   3d8e1ce   3d318b7   -5c917
text  55898997  55762631  -136366
Updates #10056
Fixes #10075
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha 446519c68a279e0cee2bddb60f1cd17de1bf1bca

bpf: don't use fixed size integer types from stdint.h Use stddef.h to get size_t, use kernel definitions for fixed size types where appropriate (e.g. uint32_t -> __u32) This allows to get rid of the x32 libc header dependency to pull in the GNU libc stub headers needed by stdint.h. This should thus more easily allow to compile the BPF programs on platforms other than amd64 (e.g. arm64, ppc64). Also clean up some other unused includes. For some reason these changes lead to clang complaining about several functions defined in .h files being unused. Mark these as __maybe_unused or if they are used in a single place move them to the .c file. Fixes #368 Fixes #8529 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

push time in 3 days

pull request comment cilium/cilium

datapath: convert global variables to consts where possible

test-me-please

tklauser

comment created time in 3 days

pull request comment cilium/cilium

datapath/loader: always set all args to bpf/init.sh

test-me-please

tklauser

comment created time in 3 days

push event cilium/cilium

Thomas Graf

commit sha 293bdc5a247f5e9eb0009b35b797afce2575912d

agent: Remove awareness of IPv4 cluster-range While operating in direct-routing mode (`--tunnel=disabled`), traffic with a destination address matching a particular CIDR is automatically excluded from being masqueraded. So far, this CIDR consisted of `<alloc-cidr>/<size>` where the size could be set with the option `--ipv4-cluster-cidr-mask-size`. This was not always desirable and limiting, therefore Cilium 1.6 had already introduced the option `--native-routing-cidr` allowing to explicitly specify the CIDR for native routing. With Cilium 1.8, the option `--ipv4-cluster-cidr-mask-size` is being deprecated and all users must use the option `--native-routing-cidr` instead. Updates: #9919 Signed-off-by: Thomas Graf <thomas@cilium.io>

Tobias Klauser

commit sha 480d524bb20dc28220999ee02b80a5fd8a6ac989

datapath/loader: always set all args to bpf/init.sh Passing empty strings to bpf/init.sh will lead to arguments being misinterpreted as their index is no longer correct. This can e.g. lead to the MTU not being set in "vxlan" mode as seen in #10228. Thus, always set all 17 (current value initArgMax) arguments to non-empty values. Use "<nil>" as a default empty value if the arg is not used by bpf/init.sh. Fixes #10228 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

push time in 3 days

pull request comment cilium/cilium

[WIP] bpf: don't use fixed size integer types from stdint.h

test-me-please

tklauser

comment created time in 3 days

push event cilium/cilium

Thomas Graf

commit sha 293bdc5a247f5e9eb0009b35b797afce2575912d

agent: Remove awareness of IPv4 cluster-range While operating in direct-routing mode (`--tunnel=disabled`), traffic with a destination address matching a particular CIDR is automatically excluded from being masqueraded. So far, this CIDR consisted of `<alloc-cidr>/<size>` where the size could be set with the option `--ipv4-cluster-cidr-mask-size`. This was not always desirable and limiting, therefore Cilium 1.6 had already introduced the option `--native-routing-cidr` allowing to explicitly specify the CIDR for native routing. With Cilium 1.8, the option `--ipv4-cluster-cidr-mask-size` is being deprecated and all users must use the option `--native-routing-cidr` instead. Updates: #9919 Signed-off-by: Thomas Graf <thomas@cilium.io>

Tobias Klauser

commit sha 7d84cb416670628942f364eda8ce7b01bfc5c074

bpf: don't use fixed size integer types from stdint.h Use stddef.h to get size_t, use kernel definitions for fixed size types where appropriate (e.g. uint32_t -> __u32) This allows to get rid of the x32 libc header dependency to pull in the GNU libc stub headers needed by stdint.h. This should thus more easily allow to compile the BPF programs on platforms other than amd64 (e.g. arm64, ppc64). Also clean up some other unused includes. For some reason these changes lead to clang complaining about several functions defined in .h files being unused. Mark these as __maybe_unused or if they are used in a single place move them to the .c file. Fixes #368 Fixes #8529 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

push time in 4 days

pull request comment cilium/cilium

Remove the need for go-bindata

test-docs-please

tklauser

comment created time in 4 days

pull request comment cilium/cilium

Remove the need for go-bindata

test-me-please

tklauser

comment created time in 4 days

push event cilium/cilium

Michi Mutsuzaki

commit sha 926ad33a7510c88b3a0ad6d31b3328127e1a57a1

monitor: Refactor listener registration logic - Modify registerNewListener() to take MonitorListener as a parameter to allow arbitrary listener to be registered instead of assuming the type of listener is always listenerv1_2. - Add Close() method to MonitorListener so that the Monitor can close listeners without knowing implementation details. - Explicitly call close() on listenerv1_2.queue so that drainQueue gets unblocked during unit test. Ref #9925 Signed-off-by: Michi Mutsuzaki <michi@isovalent.com>

Tobias Klauser

commit sha 263af2ab97f03c5013fec2b14dc6aea049665da6

policy: replace go-logging with std log This saves ~35 KB on the cilium-agent and cilium-operator binaries and gets rid of a vendored dependency. Updates #10056 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha f912be76021181fcd88eea6336e5bd8d3e93b098

proxy: remove write-only members from type Redirect The created and lastUpdated timestamps in type Redirect struct are only written but never read. Remove them. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Thomas Graf

commit sha 293bdc5a247f5e9eb0009b35b797afce2575912d

agent: Remove awareness of IPv4 cluster-range While operating in direct-routing mode (`--tunnel=disabled`), traffic with a destination address matching a particular CIDR is automatically excluded from being masqueraded. So far, this CIDR consisted of `<alloc-cidr>/<size>` where the size could be set with the option `--ipv4-cluster-cidr-mask-size`. This was not always desirable and limiting, therefore Cilium 1.6 had already introduced the option `--native-routing-cidr` allowing to explicitly specify the CIDR for native routing. With Cilium 1.8, the option `--ipv4-cluster-cidr-mask-size` is being deprecated and all users must use the option `--native-routing-cidr` instead. Updates: #9919 Signed-off-by: Thomas Graf <thomas@cilium.io>

Tobias Klauser

commit sha 5a5c0116ee8789da3570f874df9fcdd9724e1a6c

option: mark --keep-bpf-templates as deprecated With go-bindata being removed, the flag becomes a no-op. Mark it as deprecated and announce removal in v1.9. Updates #10075 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha 0de957d7e94f4d4dc80f488770c8c19d4e6a528d

make: remove the need for go-bindata
Use of go-bindata dates back from times when people ran Cilium as static binary. This has become uncommon and users either use the container image or a package manager which will both ship /var/lib/cilium directly so there is no need to unpack any assets via the binary.
For people still wanting to use Cilium as a static binary, e.g. for local development provide the `install-bpf` Makefile target to install the BPF assets into `/var/lib/cilium`.
This saves ~380 kB in the resulting cilium-agent binary:
== daemon/cilium-agent ==
bss   7752192   7752160   -32
data  894041    651280    -242761
dec   64545230  64166071  -379159
hex   3d8e1ce   3d318b7   -5c917
text  55898997  55762631  -136366
Updates #10056
Fixes #10075
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

push time in 4 days

pull request comment cilium/cilium

[WIP] bpf: don't use fixed size integer types from stdint.h

test-me-please

tklauser

comment created time in 4 days

push event cilium/cilium

Tobias Klauser

commit sha 3e00fd6637d9bf39142fde84c95838232daa191b

bpf: don't use fixed size integer types from stdint.h Use stddef.h to get size_t, use kernel definitions for fixed size types where appropriate (e.g. uint32_t -> __u32) This allows to get rid of the x32 libc header dependency to pull in the GNU libc stub headers needed by stdint.h. This should thus more easily allow to compile the BPF programs on platforms other than amd64 (e.g. arm64, ppc64). Also clean up some other unused includes. For some reason these changes lead to clang complaining about several functions defined in .h files being unused. Mark these as __maybe_unused or if they are used in a single place move them to the .c file. Fixes #368 Fixes #8529 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

push time in 4 days

push event cilium/cilium

Michi Mutsuzaki

commit sha 926ad33a7510c88b3a0ad6d31b3328127e1a57a1

monitor: Refactor listener registration logic - Modify registerNewListener() to take MonitorListener as a parameter to allow arbitrary listener to be registered instead of assuming the type of listener is always listenerv1_2. - Add Close() method to MonitorListener so that the Monitor can close listeners without knowing implementation details. - Explicitly call close() on listenerv1_2.queue so that drainQueue gets unblocked during unit test. Ref #9925 Signed-off-by: Michi Mutsuzaki <michi@isovalent.com>

Tobias Klauser

commit sha 263af2ab97f03c5013fec2b14dc6aea049665da6

policy: replace go-logging with std log This saves ~35 KB on the cilium-agent and cilium-operator binaries and gets rid of a vendored dependency. Updates #10056 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha f912be76021181fcd88eea6336e5bd8d3e93b098

proxy: remove write-only members from type Redirect The created and lastUpdated timestamps in type Redirect struct are only written but never read. Remove them. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha 25321fdc78582c4a7ae76c9f1724747dec16f3e9

bpf: don't use fixed size integer types from stdint.h Use stddef.h to get size_t, use kernel definitions for fixed size types where appropriate (e.g. uint32_t -> __u32) This allows to get rid of the x32 libc header dependency to pull in the GNU libc stub headers needed by stdint.h. This should thus more easily allow to compile the BPF programs on platforms other than amd64 (e.g. arm64, ppc64). Also clean up some other unused includes. For some reason these changes lead to clang complaining about several functions defined in .h files being unused. Mark these as __maybe_unused or if they are used in a single place move them to the .c file. Fixes #368 Fixes #8529 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

push time in 4 days

pull request comment cilium/cilium

datapath/loader: always set all args to bpf/init.sh

test-me-please

tklauser

comment created time in 4 days

push event cilium/cilium

Martynas Pumputis

commit sha 279f1248b20aca36f408f667d8e25f33e2021ef8

cli: Do not panic if BPF map does not exist This commit changes the behavior of the following cmds: - cilium bpf ct flush - cilium bpf ct list - cilium bpf nat list - cilium bpf nat flush The change makes the cmds not fail if a map does not exist, and instead continue processing the next map. This was observed when a user was running in the ipv6-only mode, and the listed cmds failed to process ipv6 maps due to missing ipv4 maps. Signed-off-by: Martynas Pumputis <m@lambda.lt>

Weilong Cui

commit sha f8343b3b2cc3e0b9d4628d4fc18f1b11342e19a2

Makes k8s cert generation modular. The original scripts that come with Cilium statically generate certificates only on the master node and limit the worker node number to be <=1. If you try to bring up a cluster with two or more worker nodes, the script will fail and the nodes (except for the master and the first worker) won't be brought up correctly. This moves the cert generation for k8s components and kubelets to the worker nodes so that it will dynamically adapt to the number of workers set with NWORKER. Test: I can successfully bring up a cluster with 2 workers using
```
K8S=1 NWORKERS=2 contrib/vagrant/start.sh
```
Signed-off-by: Weilong Cui <cuiwl@google.com>

Tobias Klauser

commit sha d615dcd3b1f5d9c34875882041a7e3992949e087

contrib/vagrant: only ssh to k8s1 if vagrant up succeeded In case `vagrant up` returned with non-zero status (e.g. due to being canceled or the initial box download failing), the script would still attempt to `vagrant ssh` to k8s1 and print a message in case $K8S is non-zero. Fix this by only executing `vagrant ssh k8s1` if `vagrant up` was successful. Also fix indentation. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Robin Hahling

commit sha cfb7333a064e4bf00ee4bcf95e556b5331b632cd

bpf: remove `Map.DeleteWithErrno()` `Map.Delete()` now wraps the underlying errno when returning an error. Therefore, `Map.DeleteWithErrno()` is rendered obsolete as checking for an error of type `syscall.Errno` can now be done using `errors.Is()` or `errors.As()` with the error returned by `Map.Delete()`. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>

Tobias Klauser

commit sha 7579af6b0327a76fd1cad819256b5d91d0ef958c

daemon: silence log messages during cmdref generation Call genMarkdown as early as possible and extract the cmdref directory directly from viper instead of letting initEnv populate all options first. This avoids log messages related to kvstore when generating cmdref. Also move the os.Exit(0) into daemon_main.go so it is more obvious that the agent exits after generating the command reference. Fixes #10081 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha 8e6c3d1fa9344af606c83f39d597c27f1484a894

test/bpf: remove unused event.h It's unused since commit ae53f9cf7913 ("bpf: Delete perf event reader implementation"). Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Robin Hahling

commit sha 2cebc7fc0b3d1d9fa159d7c04767c6d8ce8118dc

datapath/linux,maps/ipcache: consistently use BackedByLPM() helper This commit introduces no functional changes. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>

Tobias Klauser

commit sha 84d5af36be34b5d89d885a6b449dfea771a86cc2

vendor: re-vendor golang.org/x/sys and github.com/vishvananda/netlink This pulls in several unsafe.Pointer usage fixes found in these packages using the Go 1.14 `-d=checkptr` compiler flag. Updates #10133 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha 942b8bd9080333cfe71ae35b2143adc7c592bf16

docs: de-duplicate AWS cluster scale up instructions Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Lehner Florian

commit sha 1fd54f938a3885cbea6b5f616f72ac81b1289cbe

pkg/datapath/linux/route: reduce duplicate code Signed-off-by: Lehner Florian <dev@der-flo.net>

Tobias Klauser

commit sha 48327b9726f07e8bac3ff09484a60f22d6eeffeb

bpf: remove unused GetProgNextID and GetProgFDByID These are not used by Cilium. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

André Martins

commit sha 50cabdc3c80a13d54426112e329a34374a2e80df

Update for release v1.7.0 Signed-off-by: André Martins <andre@cilium.io>

Wenxian Li

commit sha 3b6de5f28af9b83eceeb14653684037a87181c84

daemon: adding support for egress policy tracing Previously, only ingress policy tracing was supported. Fixes: #9790 Signed-off-by: Wenxian Li <wofanli@gmail.com>

Chris Tarazi

commit sha c3582661dbee7c551ee5f838e80970617dea5947

Refactor NodePortRange code into separate function This change separates out the NodePortRange logic from Populate() into a separate function to enable easier unit testing. This commit also brings in said unit tests. Signed-off-by: Chris Tarazi <tarazichris@gmail.com>

Chris Tarazi

commit sha 5e7b791d04cda22fee88dc98abde82e0712869bb

Validate NodePortRange length We can rely on the defaults to set NodePortRange to a slice of length 2 when it has NOT been passed in by the user explicitly. If NodePortRange is passed in explicitly, then we ensure that it must be of length 2. If it is explicitly empty, we simply log a warning. Signed-off-by: Chris Tarazi <tarazichris@gmail.com>

Tobias Klauser

commit sha 0dec7e67f897eaa41e85486a162e6099c84a4921

daemon: remove unused type rulesManager It's been unused since commit 5882053964eb ("datapath: make `Datapath` an `IptablesManager`") Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha 11525c11d17332ab65377139261b68935f7b8ef0

pkg/maps/encrypt: allocate BPF map in MapCreate only if EnableIPSec is set Allocate encryptMap in MapCreate which is only called if EnableIPSec is true (default is false) to avoid unnecessarily allocating memory for the map. Updates #10056 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha 4271b542ef0d26474bbab07af50c79f534022787

datapath: use net.IP.IsLoopback instead of string comparison Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Zhiyuan Hou

commit sha 132807dd2cec2441749cb43a0ae295aed0918baa

policy: fix innermap's flag error in eppolicymap The policymap is created with BPF_F_NO_PREALLOC flag, but the innermap in eppolicymap uses a flag 0. When sockops is enabled, updating the eppolicymap will fail because of the different bpf-map metadata. This commit changes the innermap's flag and fixes it. Signed-off-by: Zhiyuan Hou <zhiyuan2048@linux.alibaba.com>

Paul Chaignon

commit sha d1411960bfdf63627eec6d20f450f1c8f47b02b4

test: Reduce length of log filenames With some filesystems (e.g., ecryptfs), the maximum filename length is lower than 255, that of ext4. On these filesystems, the tests fail with the following error because log filenames are too long: K8sPolicyTest Basic Test Redirects traffic to proxy when no policy is applied with proxy-visibility annotation Tests HTTP proxy visibility without policy at /cilium/cilium/test/ginkgo-ext/scopes.go:430 [Could not read monitor log Expected <*os.PathError | 0xc000e1fec0>: { Op: "open", Path: "test_results/117-/K8sPolicyTest_Basic_Test_Redirects_traffic_to_proxy_when_no_policy_is_applied_with_proxy-visibility_annotation_Tests_HTTP_proxy_visibility_without_policy/monitor-13f3cf9b-4f30-11ea-b222-60f262b6c493.log", Err: 0x24, } to be nil] This commit updates the name of the tests (from which the log filename is derived) to be consistent with other tests' names. Signed-off-by: Paul Chaignon <paul@cilium.io>

push time in 4 days

push event cilium/cilium

Tobias Klauser

commit sha f912be76021181fcd88eea6336e5bd8d3e93b098

proxy: remove write-only members from type Redirect The created and lastUpdated timestamps in type Redirect struct are only written but never read. Remove them. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha 9cc6d0a6704439f06b367ea48d12dee883858bf4

datapath: convert global variables to consts where possible Also unexport consts/vars not used outside the package. This also slightly reduces the binary size of cilium-agent:
== daemon/cilium-agent ==
bss   7752192   7752128   -64
data  894041    893913    -128
dec   64553770  64551603  -2167
hex   3d9032a   3d8fab3   -877
text  55907537  55905562  -1975
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

push time in 4 days

push event cilium/cilium

Maciej Kwiek

commit sha ae9619af6377cbb6217e2a80dbe795f31bfa52ea

[CI] Randomize ns in policy tests Signed-off-by: Maciej Kwiek <maciej@isovalent.com>

Tobias Klauser

commit sha 8ffed85b902ca711a21bf6d5eb46f48bb969e2e1

bpf: don't use fixed size integer types from stdint.h Use stddef.h to get size_t, use kernel definitions for fixed size types where appropriate (e.g. uint32_t -> __u32) This allows to get rid of the x32 libc header dependency to pull in the GNU libc stub headers needed by stdint.h. This should thus more easily allow to compile the BPF programs on platforms other than amd64 (e.g. arm64, ppc64). Also clean up some other unused includes. For some reason these changes lead to clang complaining about several functions defined in .h files being unused. Mark these as __maybe_unused or if they are used in a single place move them to the .c file. Fixes #368 Fixes #8529 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

push time in 4 days

push event cilium/cilium

Tobias Klauser

commit sha e8a475f9cbc37417413fc4750feb98504fe79829

datapath/loader: always set all args to bpf/init.sh Passing empty strings to bpf/init.sh will lead to arguments being misinterpreted as their index is no longer correct. This can e.g. lead to the MTU not being set in "vxlan" mode as seen in #10228. Thus, always set all 17 (current value initArgMax) arguments to non-empty values. Use "<nil>" as a default empty value if the arg is not used by bpf/init.sh. Fixes #10228 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

push time in 4 days

push event cilium/cilium

Tobias Klauser

commit sha 12b2ec72f8fa61c954aa1f4872b31d1b2bad4716

make: consistently use $(GO) to invoke the Go tool Otherwise when building with e.g. GO=go1.14rc1 make, the version log message still shows: level=info msg="Cilium 1.7.90 7051378bf234 2020-02-11T11:05:47+01:00 go version go1.13.8 linux/amd64" subsys=daemon while e.g. `go version /usr/bin/cilium-agent` correctly shows: /usr/bin/cilium-agent: go1.14rc1 Also use $(GO) when checking for `-mod=vendor0` support. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Paul Chaignon

commit sha c402767a2b19d866387725672d0da36bb0a57305

bpf: Add test for __ct_lookup return value Check that __ct_lookup returns CT_NEW when given tuple wasn't previously connection-tracked. Fixes: #9303 Signed-off-by: Paul Chaignon <paul@isovalent.com>

Thomas Graf

commit sha 76581e6c29bc4897e4449b2124ff8673f0e3b38b

agent: Remove leftovers from IPv6 /96 prefix requirement The requirement for the Kubernetes `-node-cidr-mask-size` to be a /96 has been lifted a while ago but there were still some remaining leftovers hinting that it exists. Remove them. Fixes: #6804 Signed-off-by: Thomas Graf <thomas@cilium.io>

Tobias Klauser

commit sha 78fefa7c577ed89d753916be55d6c00eb1f6d77f

daemon: remove alignchecker import The alignchecker package doesn't have any side effects (anymore), so it doesn't need to be underscore-imported. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha c6f3240a27e8b0ef395571aa2d4d5aa863b1fd89

alignchecker: split alignment checks for monitor types into own package The datapath/alignchecker package also checks the monitor types for proper alignment and thus needs to import the monitor package. These types are not used in the agent but importing the package ends up pulling in github.com/google/gopacket which adds quite a lot to the binary size. Thus, split out the alignment checks for the monitor types into its own subpackage of package monitor, monitor/alignchecker and call the corresponding CheckStructAlignments from tools/alignchecker/main.go as well. This reduces the binary size of cilium-agent by ~2MB. Updates #10056 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Sebastian Wicki

commit sha ce71fc191dfc217c10231d2bfa34d3d460e73589

service: Fix HealthCheckNodePort not displayed in API The `HealthCheckNodePort` field was not copied in `deepCopyToLBSVC`, thus causing the field to never show up in the Cilium API. Signed-off-by: Sebastian Wicki <gandro@gmx.net>

Tobias Klauser

commit sha 1d01a1748323e06c0f95cec92cfc204785621132

all: remove unused global log vars The `log` var is unused in some packages, so remove it where this is the case. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha a2f701643baaed1071f4fe820cf725f179b40157

pkg/bpf: remove unused Map.once member Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha 7853d7a9b06f0288c00c2cbf9e6e0b0f63b93311

fqdn: remove unused prepareNameMatch function This is unused since commit 1121202121f7 ("fqdn: L3-aware L7 DNS policy enforcement") Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha 11b1e45991ec95105de2dd8db39dd4daee4cdb79

datapath: remove unused configWriter member of type linuxDatapath Also reorder initialization in NewDatapath so that embedded types are initialized first. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha 5f8b05352ef88054db750498dd573d32ffb5a857

datapath: move lookupDirectRoute to node_linux_test.go (*linuxNodeHandler).lookupDirectRoute is only used in test code and does not use any members of linuxNodeHandler, so make it a regular function and move it to node_linux_test.go Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha 9731c1fe1f6121ad92d660e17d5dff3626fd931e

datapath: remove unused getLogger func Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha 631d5586ef2e541c612a1af679e699ea753affa2

endpoint: remove unused funcs and types type EndpointPolicyVisibilityEventResult, (*Endpoint).getIDandLabels and (*Endpoint).removeProxyRedirect are unused, remove them. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha 94f826ac04b8f74727dbcb549c70336b07939efb

cni: remove unused func releaseIPs Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha 13e0bbecab106dddabb370cc89dee0379b66c9a8

daemon: remove unused type and func Remove unused type rulesManager and func checkLocks. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha abfa633062906e4b3097bc006c8a482118c8d2d9

aws/eni: remove unused type instance Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha 461834b113c3c3b484425048075aaafd7f55deda

ipam: remove unused type owner Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha f23f91ea2a257307d0216ae824cd376f4216c003

ipcache: remove unused const fieldIdentities Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha 99790492b49dc9c26f710b5e9d6a55c83b86bd53

kvstore/allocator: remove unused consts and type member Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha ba64caf0f69eb309f85639c087e9546f4bb78d68

eppolicymap: remove unused func newEndpointKey Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

push time in 4 days

pull request comment cilium/cilium

Remove the need for go-bindata

test-me-please

tklauser

comment created time in 4 days

push event cilium/cilium

Tobias Klauser

commit sha 12b2ec72f8fa61c954aa1f4872b31d1b2bad4716

make: consistently use $(GO) to invoke the Go tool Otherwise when building with e.g. GO=go1.14rc1 make, the version log message still shows: level=info msg="Cilium 1.7.90 7051378bf234 2020-02-11T11:05:47+01:00 go version go1.13.8 linux/amd64" subsys=daemon while e.g. `go version /usr/bin/cilium-agent` correctly shows: /usr/bin/cilium-agent: go1.14rc1 Also use $(GO) when checking for `-mod=vendor0` support. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Paul Chaignon

commit sha c402767a2b19d866387725672d0da36bb0a57305

bpf: Add test for __ct_lookup return value Check that __ct_lookup returns CT_NEW when given tuple wasn't previously connection-tracked. Fixes: #9303 Signed-off-by: Paul Chaignon <paul@isovalent.com>

Thomas Graf

commit sha 76581e6c29bc4897e4449b2124ff8673f0e3b38b

agent: Remove leftovers from IPv6 /96 prefix requirement The requirement for the Kubernetes `-node-cidr-mask-size` to be a /96 has been lifted a while ago but there were still some remaining leftovers hinting that it exists. Remove them. Fixes: #6804 Signed-off-by: Thomas Graf <thomas@cilium.io>

Tobias Klauser

commit sha 78fefa7c577ed89d753916be55d6c00eb1f6d77f

daemon: remove alignchecker import The alignchecker package doesn't have any side effects (anymore), so it doesn't need to be underscore-imported. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha c6f3240a27e8b0ef395571aa2d4d5aa863b1fd89

alignchecker: split alignment checks for monitor types into own package The datapath/alignchecker package also checks the monitor types for proper alignment and thus needs to import the monitor package. These types are not used in the agent but importing the package ends up pulling in github.com/google/gopacket which adds quite a lot to the binary size. Thus, split out the alignment checks for the monitor types into its own subpackage of package monitor, monitor/alignchecker and call the corresponding CheckStructAlignments from tools/alignchecker/main.go as well. This reduces the binary size of cilium-agent by ~2MB. Updates #10056 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Sebastian Wicki

commit sha ce71fc191dfc217c10231d2bfa34d3d460e73589

service: Fix HealthCheckNodePort not displayed in API The `HealthCheckNodePort` field was not copied in `deepCopyToLBSVC`, thus causing the field to never show up in the Cilium API. Signed-off-by: Sebastian Wicki <gandro@gmx.net>

Maciej Kwiek

commit sha ae9619af6377cbb6217e2a80dbe795f31bfa52ea

[CI] Randomize ns in policy tests Signed-off-by: Maciej Kwiek <maciej@isovalent.com>

Tobias Klauser

commit sha 9f0d1c200dae6f4e646469e1f84d9482bd07ab77

option: mark --keep-bpf-templates as deprecated With go-bindata being removed, the flag becomes a no-op. Mark it as deprecated and announce removal in v1.9. Updates #10075 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha 2973e14341267ccc55ef395360a16536a8f87ec4

make: remove the need for go-bindata Use of go-bindata dates back from times when people ran Cilium as static binary. This has become uncommon and users either use the container image or a package manager which will both ship /var/lib/cilium directly so there is no need to unpack any assets via the binary. For people still wanting to use Cilium as a static binary, e.g. for local development provide the `install-bpf` Makefile target to install the BPF assets into `/var/lib/cilium`. This saves ~380 kB in the resulting cilium-agent binary:
== daemon/cilium-agent ==
bss   7752192   7752160   -32
data  894041    651280    -242761
dec   64545230  64166071  -379159
hex   3d8e1ce   3d318b7   -5c917
text  55898997  55762631  -136366
Updates #10056 Fixes #10075 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

push time in 4 days

pull request comment cilium/cilium

[WIP] bpf: don't use fixed size integer types from stdint.h

test-me-please

tklauser

comment created time in 4 days

push event cilium/cilium

Tobias Klauser

commit sha 12b2ec72f8fa61c954aa1f4872b31d1b2bad4716

make: consistently use $(GO) to invoke the Go tool Otherwise when building with e.g. GO=go1.14rc1 make, the version log message still shows: level=info msg="Cilium 1.7.90 7051378bf234 2020-02-11T11:05:47+01:00 go version go1.13.8 linux/amd64" subsys=daemon while e.g. `go version /usr/bin/cilium-agent` correctly shows: /usr/bin/cilium-agent: go1.14rc1 Also use $(GO) when checking for `-mod=vendor0` support. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Paul Chaignon

commit sha c402767a2b19d866387725672d0da36bb0a57305

bpf: Add test for __ct_lookup return value Check that __ct_lookup returns CT_NEW when given tuple wasn't previously connection-tracked. Fixes: #9303 Signed-off-by: Paul Chaignon <paul@isovalent.com>

Thomas Graf

commit sha 76581e6c29bc4897e4449b2124ff8673f0e3b38b

agent: Remove leftovers from IPv6 /96 prefix requirement The requirement for the Kubernetes `-node-cidr-mask-size` to be a /96 has been lifted a while ago but there were still some remaining leftovers hinting that it exists. Remove them. Fixes: #6804 Signed-off-by: Thomas Graf <thomas@cilium.io>

Tobias Klauser

commit sha 78fefa7c577ed89d753916be55d6c00eb1f6d77f

daemon: remove alignchecker import The alignchecker package doesn't have any side effects (anymore), so it doesn't need to be underscore-imported. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Tobias Klauser

commit sha c6f3240a27e8b0ef395571aa2d4d5aa863b1fd89

alignchecker: split alignment checks for monitor types into own package The datapath/alignchecker package also checks the monitor types for proper alignment and thus needs to import the monitor package. These types are not used in the agent but importing the package ends up pulling in github.com/google/gopacket which adds quite a lot to the binary size. Thus, split out the alignment checks for the monitor types into its own subpackage of package monitor, monitor/alignchecker and call the corresponding CheckStructAlignments from tools/alignchecker/main.go as well. This reduces the binary size of cilium-agent by ~2MB. Updates #10056 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

Sebastian Wicki

commit sha ce71fc191dfc217c10231d2bfa34d3d460e73589

service: Fix HealthCheckNodePort not displayed in API The `HealthCheckNodePort` field was not copied in `deepCopyToLBSVC`, thus causing the field to never show up in the Cilium API. Signed-off-by: Sebastian Wicki <gandro@gmx.net>

Tobias Klauser

commit sha 7d06c68a2ca845dbcbbcd61df1d6115d346d00f5

bpf: don't use fixed size integer types from stdint.h Use stddef.h to get size_t, use kernel definitions for fixed size types where appropriate (e.g. uint32_t -> __u32) This allows to get rid of the x32 libc header dependency to pull in the GNU libc stub headers needed by stdint.h. This should thus more easily allow to compile the BPF programs on platforms other than amd64 (e.g. arm64, ppc64). Also clean up some other unused includes. For some reason these changes lead to clang complaining about several functions defined in .h files being unused. Mark these as __maybe_unused or if they are used in a single place move them to the .c file. Fixes #368 Fixes #8529 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

push time in 4 days

pull request comment cilium/cilium

policy: replace go-logging with std log

test-me-please

tklauser

comment created time in 4 days

pull request comment cilium/cilium

Remove unused funcs, types and global vars

test-me-please

tklauser

comment created time in 4 days
