retest-4.9 |
|
K8s-1.19-kernel-4.9 passed, let's try again. |
|
retest-4.9 |
|
tbd patch needs a fixes tag. |
|
2/2 try again. |
|
retest-4.9 |
|
3/3, try entire set now. |
|
test-me-please |
|
test-missed-k8s |
|
test-missed-k8s |
|
Commits eba3a68263bb18332b3f6972fc5c706e7822c193, 48613bf7cce85447599a62355c92910c6291947b, 0a5e16d6186f4e005c62f2cd984f6d65dd4ea2d4 do not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
|
So test-missed-k8s failed on encryption tests, let's try leaving the code refactor in place, but revert the host changes. |
|
test-missed-k8s |
|
Commits cfab5acf03ead0f0b1a0e1488eec92f80d940bbc, 8261efe98f5b36f4d6bd3f8d4a4e84b38b43355b, 033086efc12068e7e47fe6e95a6de93002b34bf7 do not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
|
test-missed-k8s |
|
Commits cfab5acf03ead0f0b1a0e1488eec92f80d940bbc, 8261efe98f5b36f4d6bd3f8d4a4e84b38b43355b, 033086efc12068e7e47fe6e95a6de93002b34bf7, bc17f82073de14b7432081548dee1a855cdffe03 do not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
|
test-missed-k8s |
|
Commits cfab5acf03ead0f0b1a0e1488eec92f80d940bbc, 8261efe98f5b36f4d6bd3f8d4a4e84b38b43355b, 033086efc12068e7e47fe6e95a6de93002b34bf7 do not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
|
test-missed-k8s |
When moving encryption code into a library we made some errors. First, we created a path where we redirect non-encrypted data to cilium_ifindex. Usually this is fine except for the case where we need to use the iptables snat/dnat rules on the traffic and we bypass those by doing a BPF redirect. This manifested as a failure when running the cilium test-connectivity example yaml. The host to pod service IP was broken.

Next, we also skipped doing data_pull in all cases, which causes some issues up the stack if we have not pulled the data in after popping the IP header off.

Fixes: 9ed106a ("cilium: create lib for encryption")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
|
test-missed-k8s |
joestringer
left a comment
Minor query on ctx->mark handling in case where pulling fails, plus it would be nice to have the PR description text in the commit message as well just for git log background.
Oh and CI looks like it needs a look.
|
Do we need to clear ctx->mark in these cases?
|
Probably a nice touch to clear the mark so we don't try to decrypt a decrypted packet if the data_pull fails after encryption.
|
@joestringer wrt CI, none of those tests should even have encryption enabled. |
|
Suite-k8s-1.13.K8sDatapathConfig Encapsulation Check vxlan connectivity with per-endpoint routes; https://datastudio.google.com/s/n0v8X8zXamo |
|
K8sDatapathConfig Encapsulation Check iptables masquerading with random-fully: https://datastudio.google.com/s/poztQoaWOL8 Only a couple failures on this one, but seems unrelated to this PR. |
|
test-me-please |
|
test-me-please |
|
k8s-1.12-kernel-netnext failure: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.12-net-next/900/ (Suite-k8s-1.12.K8sServicesTest Checks service across nodes Tests NodePort BPF Tests with direct routing and DSR) |
|
retest-net-next |
|
Runtime-4.9 failure: https://jenkins.cilium.io/job/Cilium-PR-Runtime-4.9/2227/ (Suite-runtime.RuntimePolicies Tests Egress To World) |
|
retest-runtime |
When we created a lib for encryption the pull_data call was pulled
into the per protocol cases versus being called regardless of if
it's been decrypted already or not.
Let's pull it back to the previous location.
Next, we returned a drop code DROP_INVALID incorrectly as well,
so let's make that an accept return code. We shouldn't be dropping
packets from here, let's let the stack or upper layer Cilium code do
that if it needs to.
Finally, for the same reason as above, let's allow all non-esp packets to
go up the stack. They will still hit a Cilium policy program later,
so let that code work as expected.
Fixes #13528
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
@nebril bisected an encryption failure back to this patch 7ba0e83 and this corrects the difference between the old code and the new lib based code. However it seems that the pull should be unnecessary to me unless we have a miss in the cilium_host codebase as well?