Merged
Conversation
gentoo-root
approved these changes
Aug 25, 2025
HadrienPatte
approved these changes
Aug 25, 2025
Artyop
requested changes
Aug 25, 2025
Contributor
I don't see the changes of #41299
Edit: after checking out v1.18 branch has the old value and no changes are displayed when I check the commit alone
2c3fc2e to
67c0e9e
Compare
Member
Author
/test
Now it should be fixed, thanks for the heads up!
b677930 to
5d7dd54
Compare
Member
Author
Member
Author
/test
[ upstream commit e69bd64 ] When shrinking a CiliumPodIPPool the operator could crash with a nil pointer dereference in updateCIDRSets. The loop deletes entries from the slice it is iterating over, leaving behind nil slots that are dereferenced in the next iteration. This change skips over nil items in the slice. Signed-off-by: alimehrabikoshki <79400736+alimehrabikoshki@users.noreply.github.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 2b39a67 ] The correct command is `cilium clustermesh inspect-policy-default-local-cluster --all-namespaces`. It appears that the command name was changed, and it was forgotten to change it here too. Fixes: 260af0e ("doc: add early warning for policy-default-local-cluster") Signed-off-by: Florian Ströger <florian@florianstroeger.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 0b63209 ] This commit fixes some error handling cases in the neighbor calculator where the value of the error is not checked before joining with other errors. This leads to the incorrect health status being reported. e.g.

```
desired neighbor calculator errored: failed to insert desired neighbor: %!w(<nil>)\nfailed to insert desired neighbor: %!w(<nil>)
```

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
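The failure mode this commit message describes, reproduced as an added Go example (not Cilium's code and not part of the commit): wrapping an unchecked nil error with `%w` still yields a non-nil error, so the joined result reports a failure that never happened. The names `insertNeighbor`, `buggyCalc` and `fixedCalc` and the "table full" error are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// insertNeighbor is a hypothetical stand-in for an operation that may fail.
func insertNeighbor(fail bool) error {
	if fail {
		return errors.New("table full") // constructed sample error
	}
	return nil
}

// buggyCalc wraps every result without checking it. fmt.Errorf always
// returns a non-nil error, even when the wrapped value is nil, so the
// joined error is non-nil although every insert succeeded.
func buggyCalc(results []bool) error {
	var errs error
	for _, fail := range results {
		err := insertNeighbor(fail)
		errs = errors.Join(errs, fmt.Errorf("failed to insert desired neighbor: %w", err))
	}
	return errs
}

// fixedCalc checks the error before wrapping and joining it, so a run with
// no failures returns nil and a healthy status can be reported.
func fixedCalc(results []bool) error {
	var errs error
	for _, fail := range results {
		if err := insertNeighbor(fail); err != nil {
			errs = errors.Join(errs, fmt.Errorf("failed to insert desired neighbor: %w", err))
		}
	}
	return errs
}

func main() {
	allOK := []bool{false, false} // constructed input: both inserts succeed
	fmt.Printf("buggy: %q\n", buggyCalc(allOK))
	fmt.Println("fixed:", fixedCalc(allOK))
	fmt.Println("fixed, one failure:", fixedCalc([]bool{false, true}))
}
```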
[ upstream commit f180e6e ] This PR removes the global `nCPU` variable from the `pkg/maps/policymap` package and replaces usage of [`ebpf.MustPossibleCPU`](https://pkg.go.dev/github.com/cilium/ebpf#MustPossibleCPU) with [`ebpf.PossibleCPU`](https://pkg.go.dev/github.com/cilium/ebpf#PossibleCPU) by logging the error in case of failure and assuming a single CPU is available. Note: the underlying implementation of [`ebpf.PossibleCPU`] uses [`sync.OnceValues`](https://github.com/cilium/ebpf/blob/ae226118949d4e3de64520195b66a09591116ea0/cpu_other.go#L11-L13) so there's no overhead to calling it multiple times. Signed-off-by: Hadrien Patte <hadrien.patte@datadoghq.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit a5242c5 ] Signed-off-by: Ashwin Pillai <pillaiashwin96@gmail.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 4a33221 ] Bump the checkpatch version, and explicitly pass the GH token with read permissions to retrieve the list of commits for the target PR, instead of relying on the fact that the target repository is public. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 9acb306 ] [ backporter's notes: Updated cilium-node-init sha256 digest according to the version uploaded to quay.io. ] This first bump of startup-script to the new tagging way will allow renovate to handle future updates Signed-off-by: Antony Reynaud <antony.reynaud@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit b5ed1e0 ] Some CI environment variables were missing in our CI for some images. We should enable them not only for the agent. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit b25102d ] Performing the Sanitization of a network policy will result in its object being modified, therefore we need to make sure we DeepCopy the object before doing it. Fixes: 38f30ae ("policy: parse policies in the operator, update informational conditions") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit af352a2 ] This key is already defined in the logger thus we don't need to set it again when creating a sub-logger. Since slog contains a slice of keys, and not a map as logrus, the key will be appended to the existing keys which will result in duplicated keys. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 06da5d7 ] Instead of using the duplicated log key "resource" we should be more specific and use the "parentResource" log key instead. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 45f3085 ] Previously, the checkpatch script used to internally skip the checks when not targeting the main branch. The blamed commit bumped it to a more zealous version that runs against all target branches, and explicitly fails in case any internal command fails. However, this check is now failing both on push and merge queue events, as the GITHUB_REF does not point to a PR. Let's prevent this by making it run on PR events only, to restore the previous behavior in this case. There's not much point in running checkpatch on already merged commits anyways; similarly, no reason for running it as part of the merge queue, given that the check is not required, and the result does not depend on whether the branch is rebased. Fixes: 4a33221 ("checkpatch: bump checkpatch version, and minor adaptations") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit bf1d7e5 ] Make it more clear that the Cilium agent never pulls in this code, but that this is really only used from unit tests. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 26b5bbc ] Dmitriy says: When --bpf-lb-algorithm-annotation feature is enabled, BPF code in run-time may not select load balancer algorithm for service at all for previously existing services. Thus, this behavior broke all new network connections to the service if it had an unknown algorithm value in service bpf map entry. This bug is stably reproducible for NodePort, HostPort, LocalRedirect service types. This commit solves the problem as follows: in the situation where the BPF service map contains an unknown LB algorithm, it simply uses the default LB algorithm from the --bpf-lb-algorithm option. lb{4,6}_algorithm() should return a proper algorithm that is going to be used in the datapath. Either a service had an annotation, or if not then the user configured default should be picked. One corner case is when we come from a future Cilium version where users had an algorithm annotation on the service, which the current Cilium version does not support. In that case we can only treat this as a hint and need to fallback to the default. Note that in the old code before the LB control plane rework, the GetAnnotationServiceLoadBalancingAlgorithm() was pushing through any annotation which was not loadbalancer.SVCLoadBalancingAlgorithmUndef and otherwise the function was returning the default selected algorithm. After the rework we just propagate loadbalancer.ToSVCLoadBalancingAlgorithm() directly. This meant that handling of loadbalancer.SVCLoadBalancingAlgorithmUndef was pushed to runtime, therefore for services with no explicit annotation this triggered the default case which led to drops. Another side-note: loadbalancer.ToSVCLoadBalancingAlgorithm() does not translate LB_SELECTION_FIRST. The latter is only ever used in BPF unit tests. 
Co-developed-by: Dmitriy Andreychenko <dmitriy.andreychenko@flant.com> Signed-off-by: Dmitriy Andreychenko <dmitriy.andreychenko@flant.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit ec378db ] Some distributions (e.g. AWS EKS clusters without AWS VPC CNI plugin) do not install the `portmap` binary on the nodes, leading to confusion when trying to use the portmap plugin. This commit documents the requirement and hints at a solution for providing binaries if needed. Co-authored-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit ff9a230 ] Internal ARP-handling functions such as those in lib/arp.h expect linearized ARP packets. However, no code exists to linearize this packet type. This means user-facing features such as L2 Announcements break easily if the kernel decides to split ARP request in chunks. Implement revalidate_data_arp_pull() and call it the same way it is done for IPv4/IPv6 packets to prevent this from happening and keep things consistent across protocols. Fixes: #40419 Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 4415e13 ] This change adds error-handling logic that fixes routing for local addresses which have been passed in --exclude-local-address. Previously, the routing code would always attempt a FIB lookup for packets destined to these addresses which would always fail with BPF_FIB_LKUP_RET_NOT_FWDED because the addresses are local. The routing code will now remediate this by passing the packet to the kernel's routing stack when encountering this scenario. The additional revalidate_data check on the ipv4 pointer is needed because it can get invalidated in fib_redirect_v4 so it should be checked before being passed further. Signed-off-by: Anton Ippolitov <anton.ippolitov@datadoghq.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 56a0504 ] [ backporter's notes: Fixes minor conflicts due to different signature for setupIPSecSuitePrivileged in stable branch. ] As in #41006, this commit adds the TestPrivileged prefix to some xfrm tests we missed to modify in the latest PR. With this, all the unparallel tests should be executed properly in CI. Signed-off-by: Simone Magnani <simone.magnani@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
5d7dd54 to
1888655
Compare
Member
Author
/test
aanm
approved these changes
Aug 26, 2025
nbusseneau
approved these changes
Aug 26, 2025
mhofstetter
approved these changes
Sep 1, 2025
Contributor
@borkmann @antonipp @pillai-ashwin kind ping)
Contributor
Hi, I already approved my change: #41365 (review)
Preisschild
approved these changes
Sep 1, 2025
`cilium-dbg` from panicing when `/sys` is not mounted #41287 (@HadrienPatte)
Once this PR is merged, a GitHub action will update the labels of these PRs: