28e7496 to 35f2213 (force-push)
qmonnet left a comment:
Series looks great, thanks!
Some nits and remarks, mostly low-level.
Should we maybe add something to the Documentation/? Documentation/policy/intro.rst and Documentation/policy/language.rst look like good candidates.
e3705b0 to 48f70f4 (force-push)
joestringer left a comment:
Exciting stuff! I only got about 3-4 commits in as it's a pretty big PR, will come back later.
Is there any chance we can further split this PR? The GitHub UI is painfully slow to interact with for this PR in its current state.
936277e to bf8ca9f (force-push)

@joe I've addressed (or answered) your comments. Please note I had to add a commit (
bf8ca9f to 76c8466 (force-push)

Failed with: retest-4.9
b489494 to 11821ee (force-push)

bpf_netdev.c is renamed to bpf_host and bpf_hostdev_ingress is included, in preparation for the host endpoint that requires a single object file.

Signed-off-by: Paul Chaignon <paul@cilium.io>

For the host firewall, we need to have a single bpf_host object file
containing both the from-host and the from-netdev paths, to load it from
the Go side. We therefore turn FROM_HOST into a variable set to true or
false depending on the entry point (i.e., from_host() vs. from_netdev()).
The other option (to avoid the increased code complexity in datapath) is
to let the Go side handle several object files and header files for the
special host endpoint. That second option is likely to just move the
increased code complexity to the Go side.
The CILIUM_CALL_IPV{4,6}_FROM_LXC entry points (and handle_ipv{4,6}) are
broken into CILIUM_CALL_IPV{4,6}_FROM_LXC and
CILIUM_CALL_IPV{4,6}_FROM_HOST based on the value of from_host. This
change allows the compiler to perform dead code elimination on from_host
and reduce the program sizes to <4096.
Signed-off-by: Paul Chaignon <paul@cilium.io>

handle_ipv{4,6} have the highest complexity as reported by the BPF
verifier. We can extract the source ID resolution from these programs
and execute it before the tail calls. This comes at zero cost in terms of
metadata slots since we already use the same metadata slot to transfer the
source identity from the proxy across the tail call.
Signed-off-by: Paul Chaignon <paul@cilium.io>
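The two commits above describe the same refactoring idea from two angles: turning the FROM_HOST macro into a value passed to the shared handler so one object file carries both entry points (with dead code elimination keeping each entry point small), and resolving the source identity before the tail calls. The following C program is an added example, not Cilium's datapath code, that illustrates the pattern on the host rather than in BPF. The packet context, the identity table, the `ipcache_lookup` helper and the `WORLD_ID` value are constructed for illustration; only the reserved host identity 1 comes from the PR.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the packet context a BPF program receives;
 * the real datapath works on struct __sk_buff, which is not shown here. */
struct pkt_ctx {
    uint32_t src_ip;   /* IPv4 source address, host byte order */
};

/* HOST_ID is the reserved identity the PR assigns to the host endpoint.
 * WORLD_ID and the table below are assumed values for this example only. */
#define HOST_ID  1u
#define WORLD_ID 2u

struct ipcache_entry { uint32_t ip; uint32_t identity; };

/* Assumed: a tiny stand-in for the ipcache lookup the netdev path performs. */
static const struct ipcache_entry ipcache[] = {
    { 0x0A000001u, 1001u },   /* 10.0.0.1 -> identity 1001 */
    { 0x0A000002u, 1002u },   /* 10.0.0.2 -> identity 1002 */
};

static uint32_t ipcache_lookup(uint32_t ip)
{
    for (size_t i = 0; i < sizeof(ipcache) / sizeof(ipcache[0]); i++)
        if (ipcache[i].ip == ip)
            return ipcache[i].identity;
    return WORLD_ID;   /* unknown source: treat as world */
}

/* Shared handler. With FROM_HOST as a preprocessor macro there had to be one
 * object file per path. As a parameter, one object carries both paths; since
 * every caller passes a compile-time constant and the function is always
 * inlined, the compiler folds `from_host` and drops the untaken branch in each
 * entry point, so neither entry point pays for both paths. Resolving the
 * identity here, before any further dispatch, mirrors moving the source ID
 * resolution ahead of the tail calls. */
static inline __attribute__((always_inline)) uint32_t
resolve_src_identity(const struct pkt_ctx *ctx, const bool from_host)
{
    if (from_host) {
        /* Traffic entering from the host itself: identity is known statically. */
        return HOST_ID;
    }
    /* Traffic entering from the external device: resolve through the ipcache. */
    return ipcache_lookup(ctx->src_ip);
}

/* The two entry points that replace a single macro-selected one. */
uint32_t from_host_ipv4(const struct pkt_ctx *ctx)
{
    return resolve_src_identity(ctx, true);
}

uint32_t from_netdev_ipv4(const struct pkt_ctx *ctx)
{
    return resolve_src_identity(ctx, false);
}

int main(void)
{
    struct pkt_ctx ctx = { .src_ip = 0x0A000002u };   /* constructed packet */
    printf("from_host:   identity %u\n", from_host_ipv4(&ctx));
    printf("from_netdev: identity %u\n", from_netdev_ipv4(&ctx));
    return 0;
}
```

Compiling with `-O2 -S` and reading the assembly for `from_host_ipv4` shows that the ipcache loop has been eliminated from that entry point, which is the size reduction the commit relies on to keep each program under the instruction limit.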
The package contains a single constant definition right now but will have more with the host endpoint in later commits.

Signed-off-by: Paul Chaignon <paul@cilium.io>

This function is also going to be used to create the host endpoint in subsequent commits.

Signed-off-by: Paul Chaignon <paul@cilium.io>

This commit adds a special Cilium endpoint on each node to represent the node itself. It takes the reserved security ID 1. The special endpoint is created by endpoint.CreateLocalNodeEndpoint on daemon startup if that endpoint wasn't already restored. When the datapath for the special endpoint is regenerated, it loads bpf_host.o instead of bpf_lxc.o. bpf_host enforces policies for both traffic to/from pods and traffic to/from the outside world. It follows the same template generation path as traditional bpf_lxc files.

ENABLE_EXTRA_HOST_DEV was only defined in init.sh for the from_host path. It is now defined from the Go side for all paths, and we check whether from_host is true in the C code instead.

Signed-off-by: Paul Chaignon <paul@cilium.io>

We define IPV6_NODEPORT and IPV6_DIRECT_ROUTING both from Golang (for bpf_netdev) and init.sh (for bpf_xdp). On the Go side it is defined as static data whose value is patched before loading. In init.sh the values are given as simple macros. IPv6 addresses defined as static data rely on BPF_V6(), but BPF_V6() doesn't support macros. Thus, we define BPF_V6_NODEPORT() and BPF_V6_DIRECT_ROUTING() which will fall back to BPF_V6 in case of static data and just copy the value otherwise.

For IPV6_DIRECT_ROUTING, this workaround can be removed once we move its definition to node_config.h. For IPV6_NODEPORT, a better, long-term fix would be to load the bpf_xdp program from Golang.

Signed-off-by: Paul Chaignon <paul@cilium.io>

Because we changed the C header filenames (from lxc_config.h to ep_config.h), endpoints don't get properly restored on upgrades and downgrades. This commit fixes the up/downgrade paths by 1) creating a lxc_config.h symlink for new ep_config.h header files and 2) renaming the header file and creating the symlink when restoring endpoints on an upgrade. On a downgrade, Cilium will pick up the lxc_config.h symlink.

Signed-off-by: Paul Chaignon <paul@cilium.io>

11821ee to f8e8b7b (force-push)

This last push fixes a couple of bugs:
Because the host endpoint relies on bpf_host instead of bpf_lxc, it needs the CIDR prefixes maintained by the Daemon instead of endpoint-specific CIDR prefixes. The former are already printed in netdev_config.h but the host endpoint datapath doesn't use that header file anymore. Instead, we need to print the appropriate CIDR prefixes (the Daemon's) into the host endpoint's ep_config.h header file. We therefore also need to regenerate the host endpoint whenever CIDR policies change, as we already do for the base programs.

Signed-off-by: Paul Chaignon <paul@cilium.io>

f8e8b7b to 1cc2f9c (force-push)

test-me-please

This pull request adds the special host endpoint (needed for subsequent host network policies PR). See commit messages for details. As a summary:
- … (`bpf_netdev` and `bpf_hostdev_ingress`) into single file `bpf_host`.
- … `FROM_HOST` macro to be able to compile from Go side.
- … `handle_ipv{4,6}` to reduce complexity.
- … `pkg/maps/callsmap` package for constants of internal calls map.
- … `createEndpoint` function.
- … `BPF_V6_NODEPORT` and `BPF_V6_DIRECT_ROUTING` to allow loading IPv6 addresses as either static data or a macro.