wireguard: cleanup cilium_calls map upon downgrading from v1.18 #38595

Merged
julianwiedmann merged 1 commit into v1.17 from pr/smagnani96/cleanups-wg-callsmap-downgrade
Apr 2, 2025
Conversation

@smagnani96 (Contributor) commented Mar 28, 2025

This patch is needed by #38077, where we are forced to rename the cilium_calls_wireguard_ map to prevent MissingTailCall when downgrading from v1.18 to v1.17.
In that case, the program detach logic would smoothly work, but as soon as the Wireguard program in v1.17 (only to-wireguard) is recompiled and the loader invokes commit(), the tail call map is being completely overwritten. However, there would still be the from-wireguard program from v1.18 attached to the ingress, and it would lose the reference to those tail calls.

For further details, please refer to the commit message.

@smagnani96 smagnani96 added kind/enhancement This would improve or streamline existing functionality. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. release-note/misc This PR makes changes that have no direct user impact. feature/wireguard Relates to Cilium's Wireguard feature labels Mar 28, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot added backport/1.17 This PR represents a backport for Cilium 1.17.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. labels Mar 28, 2025
@smagnani96 (Contributor, Author) commented:

/test

@smagnani96 smagnani96 removed kind/backports This PR provides functionality previously merged into master. backport/1.17 This PR represents a backport for Cilium 1.17.x of a PR that was merged to main. labels Mar 31, 2025
@smagnani96 smagnani96 requested a review from rgo3 April 1, 2025 09:35
@smagnani96 smagnani96 force-pushed the pr/smagnani96/cleanups-wg-callsmap-downgrade branch 2 times, most recently from 8828f07 to 188bd9a Compare April 1, 2025 10:22
This patch introduces the logic to remove the cilium_calls map from v1.18
after a successful downgrade to v1.17. In v1.18, we're renaming this calls
map to account for the ifindex name rather than using ReservedIdentityWorld.
This means that the name is not `cilium_calls_wireguard_2` anymore, but
`cilium_calls_wireguard_<ifindex>`. During downgrade, three different
scenarios have been identified:

1. WG is being disabled: the interface would not exist anymore. We are not
   handling the calls_map removal use case when wireguard/overlay is not
   needed anymore after a Cilium patch/upgrade/downgrade, therefore we do
   not consider this scenario here either.
2. WG enabled, but ingress hook not needed: in this case, the
   `replaceWireguardDatapath()` function will account for the removal of
   this dangling calls map right after detaching any previous program
   that was referencing it.
3. WG enabled and ingress hook still required: `attachNetworkDevices()`
   will account also for removing this calls map as soon as it replaces
   the ingress program with the old cil_from_netdev.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
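
The naming change described in the commit message, as an added sketch that is not code from this PR or from Cilium: it finds pinned calls maps matching `cilium_calls_wireguard_<ifindex>` that are not the v1.17 name `cilium_calls_wireguard_2` and unpins them. The helper names and the pin directory (a constructed temporary directory standing in for the bpffs path) are assumptions; a v1.18 map whose ifindex is 2 carries the v1.17 name and is left in place by this sketch.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
)

// v1.17 uses a fixed name; v1.18 uses cilium_calls_wireguard_<ifindex> (per the commit message).
const v117CallsMap = "cilium_calls_wireguard_2"
var wgCallsMap = regexp.MustCompile(`^cilium_calls_wireguard_[0-9]+$`)

// staleCallsMaps (hypothetical helper) lists WireGuard calls-map pins in dir that v1.17 does not own.
func staleCallsMaps(dir string) ([]string, error) {
	entries, err := os.ReadDir(dir) // entries come back sorted by name
	if err != nil {
		return nil, err
	}
	var stale []string
	for _, e := range entries {
		if n := e.Name(); wgCallsMap.MatchString(n) && n != v117CallsMap {
			stale = append(stale, n)
		}
	}
	return stale, nil
}

// removeStaleCallsMaps unpins them; run only after the program that referenced them is detached or replaced.
func removeStaleCallsMaps(dir string) ([]string, error) {
	stale, err := staleCallsMaps(dir)
	if err != nil {
		return nil, err
	}
	for _, n := range stale {
		if err := os.Remove(filepath.Join(dir, n)); err != nil {
			return nil, err
		}
	}
	return stale, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "pins") // constructed stand-in for the pin directory
	defer os.RemoveAll(dir)
	for _, n := range []string{v117CallsMap, "cilium_calls_wireguard_7"} {
		os.WriteFile(filepath.Join(dir, n), nil, 0o600)
	}
	fmt.Println(removeStaleCallsMaps(dir))
}
```
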
@smagnani96 smagnani96 force-pushed the pr/smagnani96/cleanups-wg-callsmap-downgrade branch from 188bd9a to 07b6c69 Compare April 1, 2025 10:59
@smagnani96 (Contributor, Author) commented:

/test

@smagnani96 smagnani96 added kind/backports This PR provides functionality previously merged into master. backport/1.17 This PR represents a backport for Cilium 1.17.x of a PR that was merged to main. labels Apr 1, 2025
@smagnani96 smagnani96 marked this pull request as ready for review April 1, 2025 15:49
@smagnani96 smagnani96 requested a review from a team as a code owner April 1, 2025 15:49
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 2, 2025
@julianwiedmann julianwiedmann added this pull request to the merge queue Apr 2, 2025
Merged via the queue into v1.17 with commit 523e63c Apr 2, 2025
281 of 282 checks passed
@julianwiedmann julianwiedmann deleted the pr/smagnani96/cleanups-wg-callsmap-downgrade branch April 2, 2025 07:57