v1.7 backports 2020-06-04

[christarazi]

• ci: Change vagrant timeout mechanism #11858 -- ci: Change vagrant timeout mechanism (@nebril)
• docs: Include directions to restart pods in the k3s install guide #11879 -- docs: Include directions to restart pods in the k3s install guide (@seanmwinn)
• service: Fix wrong localEndpoints count in HealthCheckNodePort #11863 -- service: Fix wrong localEndpoints count in HealthCheckNodePort (@gandro)
  • Note: Kept most of the PR intact except for dropping changes in tests, see here.
• test: Add simple retries for flaky Helm operations #11762 -- test: Add simple retries for flaky Helm operations (@christarazi)

Skipped due to non-trivial conflicts:

• bpf: getpeername hook implementation for socket lb #11617 -- bpf: getpeername hook implementation for socket lb (@borkmann)
• Protect ENI and Azure IPAM from misbehaving cloud APIs #11231 -- Protect ENI and Azure IPAM from misbehaving cloud APIs (@tgraf)
  • Note: seems to depend on changes from Prepare for GCP IPAM #10691

Skipped as it depends on #11766:
* #11804 -- fix(datarace): Fix possible nil pointer dereference (@sayboras)
The above PR doesn't need to be backported, see here. Removing.

Skipped as it will be handled by original author:

• Add anti-affinity for Cilium pods #11830 -- Add anti-affinity for Cilium pods (@nebril)

Once this PR is merged, you can update the PR labels via:

$ for pr in 11858 11879 11863 11762; do contrib/backporting/set-labels.py $pr done 1.7; done

[christarazi]

test-backport-1.7

[christarazi]

test-backport-1.7

[christarazi]

test-backport-1.7

[christarazi]

test-backport-1.7

[christarazi]

test-backport-1.7

[christarazi]

test-missed-k8s

Edit: timed out

[christarazi]

restart-ginkgo

Edit: timed out

[nebril]

LGTM for my changes!

[christarazi]

restart-ginkgo

[christarazi]

test-missed-k8s

[christarazi]

restart-ginkgo

[christarazi]

test-missed-k8s

[christarazi]

The ManagedEtcd tests were failing legitimately because the anti-affinity changes caused the cilium-etcd-operator to be stuck in the pending scheduling state because the anti-affinity is set as a Helm global. This caused unsuspecting Charts such as cilium-etcd-operator's deployment YAML which references Values.global.affinity to apply anti-affinity rules. (Certain tests provision cilium-etcd-operator with global.affinity set, which is why that existed in its deployment YAML to begin with.)

When these rules were applied, they rendered either the Cilium daemonset or the cilium-etcd-operator deployment to get stuck pending to schedule, depending on who races first to be deployed on a node. The other would then get stuck pending, ultimately, causing the test to timeout. Working on a fix.

master was not failing due to this PR #11544.

Update: fix is in commit 1c6bf9f

[christarazi]

test-backport-1.7

[christarazi]

restart-ginkgo

[christarazi]

test-focus K8sDatapathConfig.Encapsulation Check connectivity.

[christarazi]

test-focus K8sDatapathConfig.Encapsulation.(Check connectivity with sockops|Check connectivity with VXLAN|Check connectivity with Geneve)

Edit: qauy hit 502: https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-Validated-Focus/248/console

[christarazi]

test-focus K8sDatapathConfig.Encapsulation.(Check connectivity with sockops|Check connectivity with VXLAN|Check connectivity with Geneve)

Edit: quay might be down :( ...

[christarazi]

test-focus K8sDatapathConfig.Encapsulation.(Check connectivity with sockops|Check connectivity with VXLAN|Check connectivity with Geneve)

Edit: still failing on the above tests: https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-Validated-Focus/250/

The same tests have passed locally 35 times in a row...not sure what's going on.

[gandro]

#11863 looks fine. We also need #11952 eventually as a follow-up before we cut a 1.7 release.

[christarazi]

Temporarily reverting #11863 to see if it causes the encryption tests to fail (shot in the dark).

[christarazi]

test-focus K8sDatapathConfig.Encapsulation.(Check connectivity with sockops|Check connectivity with VXLAN|Check connectivity with Geneve)

Edit: looks like it has failed again (1.11 netnext), but passes for 1.17
Edit2: on second thought, it may be that the CI trigger phrases for backport PRs run the wrong tests. Trying the whole suite now...

[christarazi]

test-backport-1.7

Edit: trying without net-next label

[christarazi]

test-backport-1.7

[errordeveloper]

From the last Cilium-Ginkgo-Tests run:

02:47:15  • Failure [124.782 seconds]
02:47:15  K8sDatapathConfig
02:47:15  /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:395
02:47:15    Encapsulation
02:47:15    /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:395
02:47:15      Check connectivity with sockops and VXLAN encapsulation [It]
02:47:15      /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:430
02:47:15  
02:47:15      Did not find expected number of entries in BPF tunnel map
[2020-06-10T01:47:15.531Z]     Expected
[2020-06-10T01:47:15.531Z]         <int>: 5
[2020-06-10T01:47:15.531Z]     to equal
[2020-06-10T01:47:15.531Z]         <int>: 3
02:47:15  
02:47:15      /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/k8sT/DatapathConfiguration.go:213

02:49:00  • Failure [104.960 seconds]
02:49:00  K8sDatapathConfig
02:49:00  /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:395
02:49:00    Encapsulation
02:49:00    /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:395
02:49:00      Check connectivity with VXLAN encapsulation [It]
02:49:00      /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:430
02:49:00  
02:49:00      Did not find expected number of entries in BPF tunnel map
[2020-06-10T01:49:00.445Z]     Expected
[2020-06-10T01:49:00.445Z]         <int>: 5
[2020-06-10T01:49:00.445Z]     to equal
[2020-06-10T01:49:00.445Z]         <int>: 3
02:49:00  
02:49:00      /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/k8sT/DatapathConfiguration.go:213

02:50:49  • Failure [108.853 seconds]
02:50:49  K8sDatapathConfig
02:50:49  /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:395
02:50:49    Encapsulation
02:50:49    /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:395
02:50:49      Check connectivity with Geneve encapsulation [It]
02:50:49      /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:430
02:50:49  
02:50:49      Did not find expected number of entries in BPF tunnel map
[2020-06-10T01:50:49.965Z]     Expected
[2020-06-10T01:50:49.965Z]         <int>: 5
[2020-06-10T01:50:49.965Z]     to equal
[2020-06-10T01:50:49.965Z]         <int>: 3
02:50:49  
02:50:49      /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/k8sT/DatapathConfiguration.go:213

03:35:26  • Failure [156.322 seconds]
03:35:26  K8sServicesTest
03:35:26  /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:395
03:35:26    Checks service across nodes
03:35:26    /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:395
03:35:26      Tests NodePort BPF
03:35:26      /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:395
03:35:26        Tests with direct routing
03:35:26        /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:395
03:35:26          Tests GH#10983 [It]
03:35:26          /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:430
03:35:26  
03:35:26          Can not connect to service "http://192.168.36.12:31466" from outside cluster
[2020-06-10T02:35:26.119Z]         Expected command: kubectl exec -n kube-system log-gatherer-gbnrk -- curl --path-as-is -s -D /dev/stderr --fail --connect-timeout 5 --max-time 8 --local-port 64002 http://192.168.36.12:31466 -w "time-> DNS: '%{time_namelookup}(%{remote_ip})', Connect: '%{time_connect}',Transfer '%{time_starttransfer}', total '%{time_total}'" 
[2020-06-10T02:35:26.119Z]         To succeed, but it failed:
[2020-06-10T02:35:26.119Z]         Exitcode: 28 
[2020-06-10T02:35:26.119Z]         Stdout:
[2020-06-10T02:35:26.119Z]          	 time-> DNS: '0.000018()', Connect: '0.000000',Transfer '0.000000', total '5.001164'
[2020-06-10T02:35:26.119Z]         Stderr:
[2020-06-10T02:35:26.119Z]          	 command terminated with exit code 28
[2020-06-10T02:35:26.119Z]         	 
[2020-06-10T02:35:26.119Z]         
03:35:26  
03:35:26          /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/k8sT/Services.go:749

03:39:53  • Failure [252.718 seconds]
03:39:53  K8sServicesTest
03:39:53  /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:395
03:39:53    Checks service across nodes
03:39:53    /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:395
03:39:53      Tests NodePort BPF
03:39:53      /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:395
03:39:53        Tests with direct routing and DSR [It]
03:39:53        /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:430
03:39:53  
03:39:53        NAT entry was not evicted
[2020-06-10T02:39:53.155Z]       Expected
[2020-06-10T02:39:53.155Z]           <string>: 
[2020-06-10T02:39:53.155Z]       not to be empty
03:39:53  
03:39:53        /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/test/k8sT/Services.go:807

[errordeveloper]

Closed by accident... apologies.

[errordeveloper]

test-backport-1.7

[christarazi]

Ah, finally was able to reproduce locally. The difference between local and CI was that CI is running 3 K8s nodes. I was only running 2. Looking closer into fix now

[christarazi]

Synced with @nebril offline and we decided to remove his PR #11830. He'll take over backporting that and ensuring that the 1.7 CI hasn't regressed.

[christarazi]

test-backport-1.7

EDIT(@joestringer): This didn't seem to trigger for some reason, retrying.

[joestringer]

test-backport-1.7

[christarazi]

Looks like the previous regression is gone and only failures are known flakes #10442. This is probably good to go, @joestringer please double-check

[joestringer]

I agree that these are caused by the known flake. Two tests fail specifically with the symptoms and another two tests fail in the BeforeAll, seemingly because Cilium is already in a state that the testsuite believes is not ready so it cannot proceed with those tests.

Merging.