v1.16 Backports 2025-01-07 #36872
Merged
v1.16 Backports 2025-01-07 #36872
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
viktor-kurchenko
added
kind/backports
viktor-kurchenko
requested review from
julianwiedmann,
gentoo-root,
giorio94 and
geakstr
Not seeing the patch in this PR though ;) |
giorio94
approved these changes
Jan 7, 2025
gentoo-root
approved these changes
Jan 7, 2025
@julianwiedmann sorry my bad. |
julianwiedmann
requested changes
Jan 7, 2025
viktor-kurchenko
force-pushed
the
pr/v1.16-backport-2025-01-07-04-07
branch
from
fd6cd12 to
e6cef56
Compare
|
/test |
brlbil
approved these changes
Jan 7, 2025
geakstr
approved these changes
Jan 8, 2025
[ upstream commit 3a73f24 ] We have been recently witnessing a few conformance ipsec runs reporting leaked packets. In order to simplify troubleshooting these issues, and figure out whether they are legitimate or flakes, let's additionally print whether the detected packet was encapsulated or not. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
[ upstream commit 40a4df7 ] We have been recently witnessing a few conformance ipsec runs reporting leaked packets, with some referring to DNS answers from a coredns pod to a CiliumInternalIP. To simplify troubleshooting these issues, and figure out whether they are legitimate or flakes, let's additionally print information about the DNS message itself, so that we can trace down which component performed the request. The output is along the lines of: [10:27:49:245997] 10.244.1.67:49662 -> 10.244.0.10:53 (proto: 17, encap: 1, ifindex: 43, netns: f0000000) [10:27:49:246003] Detected DNS message, ID: 17ef, Flags 120, QD: 1, AN: 0, NS: 0, AR: 1, query googlecom [10:27:49:246315] 10.244.0.10:53 -> 10.244.1.67:49662 (proto: 17, encap: 1, ifindex: 45, netns: f0000000) [10:27:49:246317] Detected DNS message, ID: 17ef, Flags 8580, QD: 1, AN: 1, NS: 0, AR: 1, query googlecom Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
[ upstream commit 483b009 ] Normally, the script only flags traffic whose source and destination IP addresses belong to the PodCIDR and, when encapsulation is enabled, don't match the CiliumInternalIPs specified as parameters. However, this filter is overridden when the traffic comes from a proxy, so that it gets flagged even in case it is subsequently masqueraded. Let's additionally output whether displayed traffic got actually flagged due to this reason, to simplify troubleshooting possible flakes. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
[ upstream commit b780df6 ] Let's additionally output the TCP flags in case of leaked traffic, as potentially useful while troubleshooting possible flakes. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
[ upstream commit 055b7a3 ] In each iteration of pod in function processConfigWithSinglePort and processConfigWithNamedPorts bes4 and bes6 need to be cleared. Otherwise, when size of pods is larger than one, aka when the iteration time is more than one, bes4 and bes6 will aggregate all of the backends. For example, in the first iteration backend 10.0.2.250:80 is added, then in the second iteration [10.0.2.250:80, 10.0.2.199:80] are added. 10.108.13.48:80 LocalRedirect 1 => 10.0.2.199:80 2 => 10.0.2.250:80 3 => 10.0.2.250:80 Fixes: e7bb8a7 ("k8s/cilium Event handlers and processing logic for LRPs") Signed-off-by: Zijian Zhang <zijianzhang@bytedance.com> Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
[ upstream commit a3489f1 ] Without CORS headers browsers will prevent calling hubble ui backend api on another domain. Signed-off-by: Dmitry Kharitonov <dmitry@isovalent.com> Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
…parated string [ upstream commit 5c08f95 ] Signed-off-by: John Roche <john.roche@swyftx.com.au> Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
[ upstream commit 550d2f5 ] Signed-off-by: Alexis La Goutte <alexis.lagoutte@gmail.com> Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
[ upstream commit cdecbcb ] GNU make on the host may use --jobserver-style=fifo (default on my machine). It also implies --jobserver-auth=fifo:/tmp/GMfifo$MAKE_PID, an undocumented flag, used internally by make and passed to the child instances of make. This flag appears in $(MAKEFLAGS). The cilium-build target in Documentation/Makefile passes MAKEFLAGS to another make instance, called in a docker image. The problem is that --jobserver-auth passed to make inside docker points to a file that doesn't exist in the container filesystem namespace, and make fails with an error like this: make: *** internal error: invalid --jobserver-auth string 'fifo:/tmp/GMfifo361142'. Stop. make: *** [Makefile:48: cilium-build] Error 2 make: Leaving directory '/home/max/.opt/go/src/github.com/cilium/cilium-snat/Documentation' Fix this by filtering out --jobserver-auth=... from MAKEFLAGS when passing it to make inside docker. Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
viktor-kurchenko
force-pushed
the
pr/v1.16-backport-2025-01-07-04-07
branch
from
e6cef56 to
9365b3a
Compare
|
/test |
|
Looks like connectivity tests constantly fail in the E2E upgrade workflow after downgrade for the kernel: |
|
/test |
Sorry, missed this :/. Nothing obvious - let's drop that backport to unblock, and let me have a try manually. (already discussed with @joamaki) |
joamaki
force-pushed
the
pr/v1.16-backport-2025-01-07-04-07
branch
from
9365b3a to
ccc9759
Compare
|
/test |
fyi #36988 looks good now. Think it's the missing |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Skipped:
Once this PR is merged, a GitHub action will update the labels of these PRs: