Hello community, here is the log from the commit of package cilium for openSUSE:Factory checked in at 2020-06-23 21:02:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cilium (Old) and /work/SRC/openSUSE:Factory/.cilium.new.2956 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cilium" Tue Jun 23 21:02:19 2020 rev:27 rq:814777 version:1.7.5 Changes: -------- --- /work/SRC/openSUSE:Factory/cilium/cilium.changes 2020-06-12 21:36:38.479610595 +0200 +++ /work/SRC/openSUSE:Factory/.cilium.new.2956/cilium.changes 2020-06-23 21:02:46.669491238 +0200 
@@ -1,0 +2,30 @@ +Mon Jun 15 16:13:44 UTC 2020 - MichaĆ Rostecki <[email protected]> + +- Fix cniInstallScript and cniUninstallScript values in helm chart. + +------------------------------------------------------------------- +Fri Jun 12 14:00:51 UTC 2020 - Dirk Mueller <[email protected]> + +- Update to 1.7.5 + + Too many bugfixes to list here, see + https://github.com/cilium/cilium/releases/tag/v1.7.5 + https://github.com/cilium/cilium/releases/tag/v1.7.4 + https://github.com/cilium/cilium/releases/tag/v1.7.3 + https://github.com/cilium/cilium/releases/tag/v1.7.2 + https://github.com/cilium/cilium/releases/tag/v1.7.1 + +- rename 0002-bpf-re-add-a-proper-types.h-mapper.patch to + 0005-bpf-re-add-a-proper-types.h-mapper.patch +- rename 0001-build-Avoid-using-git-if-not-in-a-git-repo.patch to + 0006-build-Avoid-using-git-if-not-in-a-git-repo.patch +- rename 0005-rename-PolicyMapMaxEntries-to-PolicyMapEntries-and-define-policy-map-size-limits-as-consts.patch to + 0007-option-rename-PolicyMapMaxEntries-to-PolicyMapEntrie.patch +- rename 0006-allow-to-configure-bpf-nat-global-max-using-helm.patch to + 0008-helm-allow-to-configure-bpf-nat-global-max-using-Hel.patch +- rename 0007-reduce-default-number-for-TCP-CT-and-NAT-table-max-entries.patch to + 0009-option-reduce-default-number-for-TCP-CT-and-NAT-tabl.patch +- rename 0008-add-option-to-dynamically-size-BPF-maps-based-on-system-memory.patch to + 0010-daemon-add-option-to-dynamically-size-BPF-maps-based.patch +- remove 0001-datapath-Switch-to-upstream-bpftool-remove-additiona.patch + +------------------------------------------------------------------- Old: ---- 0001-build-Avoid-using-git-if-not-in-a-git-repo.patch 0001-datapath-Switch-to-upstream-bpftool-remove-additiona.patch 0002-bpf-re-add-a-proper-types.h-mapper.patch 0005-rename-PolicyMapMaxEntries-to-PolicyMapEntries-and-define-policy-map-size-limits-as-consts.patch 0006-allow-to-configure-bpf-nat-global-max-using-helm.patch 
0007-reduce-default-number-for-TCP-CT-and-NAT-table-max-entries.patch 0008-add-option-to-dynamically-size-BPF-maps-based-on-system-memory.patch cilium-1.7.0.obscpio New: ---- 0005-bpf-re-add-a-proper-types.h-mapper.patch 0006-build-Avoid-using-git-if-not-in-a-git-repo.patch 0007-option-rename-PolicyMapMaxEntries-to-PolicyMapEntrie.patch 0008-helm-allow-to-configure-bpf-nat-global-max-using-Hel.patch 0009-option-reduce-default-number-for-TCP-CT-and-NAT-tabl.patch 0010-daemon-add-option-to-dynamically-size-BPF-maps-based.patch cilium-1.7.5.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cilium.spec ++++++
--- /var/tmp/diff_new_pack.TZFIMP/_old 2020-06-23 21:02:48.509497159 +0200
+++ /var/tmp/diff_new_pack.TZFIMP/_new 2020-06-23 21:02:48.513497172 +0200
@@ -35,7 +35,7 @@
 %endif
 Name: cilium
-Version: 1.7.0
+Version: 1.7.5
 Release: 0
 Summary: Linux Native, HTTP Aware Networking and Security for Containers
 License: Apache-2.0 AND GPL-2.0-or-later
@@ -45,29 +45,27 @@
 Source2: cilium-cni-install
 Source3: cilium-cni-uninstall
 # PATCH-FIX-UPSTREAM 0001-option-mark-keep-bpf-templates-as-deprecated.patch
-Patch0: 0001-option-mark-keep-bpf-templates-as-deprecated.patch
+Patch1: 0001-option-mark-keep-bpf-templates-as-deprecated.patch
 # PATCH-FIX-UPSTREAM 0002-make-remove-the-need-for-go-bindata.patch
-Patch1: 0002-make-remove-the-need-for-go-bindata.patch
+Patch2: 0002-make-remove-the-need-for-go-bindata.patch
 # PATCH-FIX-UPSTREAM 0003-bpf-don-t-use-fixed-size-integer-types-from-stdint.h.patch
-Patch2: 0003-bpf-don-t-use-fixed-size-integer-types-from-stdint.h.patch
+Patch3: 0003-bpf-don-t-use-fixed-size-integer-types-from-stdint.h.patch
 # PATCH-FIX-OPENSUSE 0004-helm-Allow-variables-for-compatibility-with-openSUSE.patch
 # TODO(mrostecki): Submit it upstream after we confirm that our images work 100%
 # fine, also on aarch64.
-Patch3: 0004-helm-Allow-variables-for-compatibility-with-openSUSE.patch
-# PATCH-FIX-UPSTREAM 0005-rename-PolicyMapMaxEntries-to-PolicyMapEntries-and-define-policy-map-size-limits-as-consts.patch
-Patch5: 0005-rename-PolicyMapMaxEntries-to-PolicyMapEntries-and-define-policy-map-size-limits-as-consts.patch
-# PATCH-FIX-UPSTREAM 0006-add-option-to-dynamically-size-BPF-maps-based-on-system-memory.patch
-Patch6: 0006-allow-to-configure-bpf-nat-global-max-using-helm.patch
-# PATCH-FIX-UPSTREAM 0007-reduce-default-number-for-TCP-CT-and-NAT-table-max-entries.patch
-Patch7: 0007-reduce-default-number-for-TCP-CT-and-NAT-table-max-entries.patch
-# PATCH-FIX-UPSTREAM 0008-add-option-to-dynamically-size-BPF-maps-based-on-system-memory.patch
-Patch8: 0008-add-option-to-dynamically-size-BPF-maps-based-on-system-memory.patch
-# PATCH-FIX-UPSTREAM 0002-bpf-re-add-a-proper-types.h-mapper.patch
-Patch10: 0002-bpf-re-add-a-proper-types.h-mapper.patch
-# PATCH-FIX-UPSTREAM 0001-build-Avoid-using-git-if-not-in-a-git-repo.patch
-Patch11: 0001-build-Avoid-using-git-if-not-in-a-git-repo.patch
-# PATCH-FIX-UPSTREAM 0001-datapath-Switch-to-upstream-bpftool-remove-additiona.patch
-Patch12: 0001-datapath-Switch-to-upstream-bpftool-remove-additiona.patch
+Patch4: 0004-helm-Allow-variables-for-compatibility-with-openSUSE.patch
+# PATCH-FIX-UPSTREAM 0005-bpf-re-add-a-proper-types.h-mapper.patch
+Patch5: 0005-bpf-re-add-a-proper-types.h-mapper.patch
+# PATCH-FIX-UPSTREAM 0006-build-Avoid-using-git-if-not-in-a-git-repo.patch
+Patch6: 0006-build-Avoid-using-git-if-not-in-a-git-repo.patch
+# PATCH-FIX-UPSTREAM 0007-option-rename-PolicyMapMaxEntries-to-PolicyMapEntrie.patch
+Patch7: 0007-option-rename-PolicyMapMaxEntries-to-PolicyMapEntrie.patch
+# PATCH-FIX-UPSTREAM 0008-helm-allow-to-configure-bpf-nat-global-max-using-Hel.patch
+Patch8: 0008-helm-allow-to-configure-bpf-nat-global-max-using-Hel.patch
+# PATCH-FIX-UPSTREAM 0009-option-reduce-default-number-for-TCP-CT-and-NAT-tabl.patch
+Patch9: 0009-option-reduce-default-number-for-TCP-CT-and-NAT-tabl.patch
+# PATCH-FIX-UPSTREAM 0010-daemon-add-option-to-dynamically-size-BPF-maps-based.patch
+Patch10: 0010-daemon-add-option-to-dynamically-size-BPF-maps-based.patch
 # Cilium needs to be aware of the version string of cilium-proxy
 BuildRequires: cilium-proxy
 BuildRequires: clang
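Review bot: Renumbering every Patch tag (Patch0→Patch1 … Patch12→Patch10) is only safe if %prep applies them with `%autosetup -p1` or `%autopatch` rather than explicit `%patchN` lines, and %prep is outside this hunk, so that should be confirmed before accepting: with explicit numbers `%patch0` now names an undefined tag and rpmbuild aborts, while a stale `%patch5` would silently apply a different file than before. The PATCH-FIX-UPSTREAM comments should also record the upstream commit each patch corresponds to so the next bump can drop it with confidence, e.g. `# PATCH-FIX-UPSTREAM 0005-bpf-re-add-a-proper-types.h-mapper.patch (upstream f590267aed3d)`, taking the hash from the patch's own From: line; as written neither the spec nor the changelog says why 0001-datapath-Switch-to-upstream-bpftool was dropped (presumably contained in 1.7.5, but that is not verifiable here). The enclosing spec continues outside the hunk.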
@@ -263,8 +261,8 @@ -e 's|tag: v%{version}|tag: %{version}|' \ %{buildroot}%{_datadir}/k8s-helm/cilium/values.yaml sed -i \ - -e 's|cniInstallScript: /cni-install.sh|cilium-cni-install|' \ - -e 's|cniUninstallScript: /cni-uninstall.sh|cilium-cni-uninstall|' \ + -e 's|cniInstallScript: /cni-install.sh|cniInstallScript: cilium-cni-install|' \ + -e 's|cniUninstallScript: /cni-uninstall.sh|cniUninstallScript: cilium-cni-uninstall|' \ -e 's|initScript: /init-container.sh|initScript: cilium-init|' \ %{buildroot}%{_datadir}/k8s-helm/cilium/charts/agent/values.yaml sed -i \ ++++++ 0001-option-mark-keep-bpf-templates-as-deprecated.patch ++++++ --- /var/tmp/diff_new_pack.TZFIMP/_old 2020-06-23 21:02:48.537497249 +0200 +++ /var/tmp/diff_new_pack.TZFIMP/_new 2020-06-23 21:02:48.537497249 +0200 @@ -1,7 +1,7 @@ -From 58eb131a65d85735b44d5a2151d2fc554df30b84 Mon Sep 17 00:00:00 2001 +From 467b6d5ad568809fc217dae3879890857bb3c32c Mon Sep 17 00:00:00 2001 From: Tobias Klauser <[email protected]> Date: Wed, 12 Feb 2020 14:07:41 +0100 -Subject: [PATCH 1/4] option: mark --keep-bpf-templates as deprecated +Subject: [PATCH 01/10] option: mark --keep-bpf-templates as deprecated With go-bindata being removed, the flag becomes a no-op. Mark it as deprecated and announce removal in v1.9. @@ -16,22 +16,22 @@ 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/Documentation/cmdref/cilium-agent.md b/Documentation/cmdref/cilium-agent.md -index 9853f7f25..c99206643 100644 +index 1f51903dc..8925944db 100644 --- a/Documentation/cmdref/cilium-agent.md 
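Review bot: The corrected substitutions still rely on `sed -i` matching its pattern, and sed exits 0 when nothing matches, which is exactly how the previous form (which dropped the `cniInstallScript:` key entirely and left a bare scalar in the chart) went unnoticed until now; after a future version bump the keys in charts/agent/values.yaml can move or be renamed and the package would then ship the stock `/cni-install.sh` paths silently. Add a post-check such as `grep -q 'cniInstallScript: cilium-cni-install' %{buildroot}%{_datadir}/k8s-helm/cilium/charts/agent/values.yaml || exit 1` (and the same for cniUninstallScript and initScript), so the build fails instead of producing a chart that points at scripts the openSUSE image does not contain. The sed invocation and the surrounding %install section continue outside the hunk.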
+++ b/Documentation/cmdref/cilium-agent.md -@@ -111,7 +111,6 @@ cilium-agent [flags] - --k8s-require-ipv6-pod-cidr Require IPv6 PodCIDR to be specified in node resource - --k8s-watcher-endpoint-selector string K8s endpoint watcher will watch for these k8s endpoints (default "metadata.name!=kube-scheduler,metadata.name!=kube-controller-manager,metadata.name!=etcd-operator,metadata.name!=gcp-controller-manager") - --k8s-watcher-queue-size uint Queue size used to serialize each k8s event type (default 1024) -- --keep-bpf-templates Do not restore BPF template files from binary - --keep-config When restoring state, keeps containers' configuration in place - --kube-proxy-replacement string auto-enable available features for kube-proxy replacement ("probe"), or enable only selected features (will panic if any selected feature cannot be enabled) ("partial") or enable all features (will panic if any feature cannot be enabled) ("strict"), or completely disable it (ignores any selected feature) ("disabled") (default "partial") - --kvstore string Key-value store type +@@ -117,7 +117,6 @@ cilium-agent [flags] + --k8s-require-ipv6-pod-cidr Require IPv6 PodCIDR to be specified in node resource + --k8s-watcher-endpoint-selector string K8s endpoint watcher will watch for these k8s endpoints (default "metadata.name!=kube-scheduler,metadata.name!=kube-controller-manager,metadata.name!=etcd-operator,metadata.name!=gcp-controller-manager") + --k8s-watcher-queue-size uint Queue size used to serialize each k8s event type (default 1024) +- --keep-bpf-templates Do not restore BPF template files from binary + --keep-config When restoring state, keeps containers' configuration in place + --kube-proxy-replacement string auto-enable available features for kube-proxy replacement ("probe"), or enable only selected features (will panic if any selected feature cannot be enabled) ("partial") or enable all features (will panic if any feature cannot be enabled) ("strict"), or completely disable it 
(ignores any selected feature) ("disabled") (default "partial") + --kvstore string Key-value store type diff --git a/daemon/daemon_main.go b/daemon/daemon_main.go -index a07d757d9..b778722fe 100644 +index 89dd07b54..5acb48281 100644 --- a/daemon/daemon_main.go +++ b/daemon/daemon_main.go -@@ -453,6 +453,7 @@ func init() { +@@ -461,6 +461,7 @@ func init() { flags.Bool(option.KeepBPFTemplates, false, "Do not restore BPF template files from binary") option.BindEnv(option.KeepBPFTemplates) @@ -40,7 +40,7 @@ flags.String(option.KVStore, "", "Key-value store type") option.BindEnv(option.KVStore) diff --git a/pkg/option/config.go b/pkg/option/config.go -index 525bfc340..77b661d4d 100644 +index 630dc2fda..52e05a0ef 100644 --- a/pkg/option/config.go +++ b/pkg/option/config.go @@ -223,6 +223,8 @@ const ( @@ -53,5 +53,5 @@ // KVStore key-value store type -- -2.25.1 +2.26.2 ++++++ 0002-make-remove-the-need-for-go-bindata.patch ++++++ --- /var/tmp/diff_new_pack.TZFIMP/_old 2020-06-23 21:02:48.553497301 +0200 +++ /var/tmp/diff_new_pack.TZFIMP/_new 2020-06-23 21:02:48.553497301 +0200 @@ -1,7 +1,7 @@ -From 4ffd46ee1f8d0f71165d6538283456fae44496b7 Mon Sep 17 00:00:00 2001 +From d80e4fbf8c2b522700adc054f31bcbefc04e85e3 Mon Sep 17 00:00:00 2001 From: Tobias Klauser <[email protected]> Date: Thu, 13 Feb 2020 11:09:40 +0100 -Subject: [PATCH 2/4] make: remove the need for go-bindata +Subject: [PATCH 02/10] make: remove the need for go-bindata Use of go-bindata dates back from times when people ran Cilium as static binary. This has become uncommon and users either use the container @@ -28,7 +28,6 @@ --- .travis/prepare.sh | 1 - CODEOWNERS | 43 +++++++++++++++++++ - Dockerfile | 2 +- Dockerfile.builder | 6 +-- .../contributing/development/dev_setup.rst | 2 - Makefile | 14 +++--- 
@@ -46,7 +45,7 @@ pkg/datapath/linux/requirements.go | 3 ++ test/docker-compose.yml | 2 +- test/packet/scripts/install.sh | 1 - - 21 files changed, 73 insertions(+), 157 deletions(-) + 19 files changed, 72 insertions(+), 154 deletions(-) delete mode 100755 contrib/scripts/bindata.sh delete mode 100755 contrib/scripts/fix-sha.sh delete mode 100644 daemon/bpf.sha @@ -116,21 +115,8 @@ pkg/apisocket/ @cilium/api pkg/monitor/payload @cilium/api pkg/policy/api/ @cilium/api -diff --git a/Dockerfile b/Dockerfile -index 538baaba1..25e9278cb 100644 ---- a/Dockerfile -+++ b/Dockerfile -@@ -13,7 +13,7 @@ FROM quay.io/cilium/cilium-envoy:c31482c3e49670980c05cafc914320f7949b266f as cil - # versions to be built while allowing the new versions to make changes - # that are not backwards compatible. - # --FROM quay.io/cilium/cilium-builder:2020-02-13 as builder -+FROM quay.io/cilium/cilium-builder:2020-02-19 as builder - LABEL maintainer="[email protected]" - WORKDIR /go/src/github.com/cilium/cilium - COPY . ./ diff --git a/Dockerfile.builder b/Dockerfile.builder -index e51853892..6f53d2261 100644 +index 5190100af..78bf0e752 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -56,8 +56,4 @@ RUN curl -sfL https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz | tar @@ -144,12 +130,12 @@ - go install github.com/cilium/go-bindata/go-bindata + go install diff --git a/Documentation/contributing/development/dev_setup.rst b/Documentation/contributing/development/dev_setup.rst -index 82b691766..2fdfd6b21 100644 +index 4bd8e59b7..e9d0371b6 100644 --- a/Documentation/contributing/development/dev_setup.rst +++ b/Documentation/contributing/development/dev_setup.rst 
@@ -30,8 +30,6 @@ contribute to Cilium: +----------------------------------------------------------------------------------+--------------------------+-------------------------------------------------------------------------------+ - | `go <https://golang.org/dl/>`_ | 1.13.8 | N/A (OS-specific) | + | `go <https://golang.org/dl/>`_ | |GO_RELEASE| | N/A (OS-specific) | +----------------------------------------------------------------------------------+--------------------------+-------------------------------------------------------------------------------+ -| `go-bindata <https://github.com/cilium/go-bindata>`_ | ``a0ff2567cfb`` | ``go get -u github.com/cilium/go-bindata/...`` | -+----------------------------------------------------------------------------------+--------------------------+-------------------------------------------------------------------------------+ @@ -157,7 +143,7 @@ +----------------------------------------------------------------------------------+--------------------------+-------------------------------------------------------------------------------+ + `gomega <https://github.com/onsi/gomega>`_ | >= 1.2.0 | ``go get -u github.com/onsi/gomega`` | diff --git a/Makefile b/Makefile -index 6086de77f..a91fa53ae 100644 +index 829d78832..0977c664e 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,4 @@ @@ -447,17 +433,17 @@ - $(GO_BINDATA) -o ./bindata.go $(BPF_FILES) diff --git a/daemon/bpf.sha b/daemon/bpf.sha deleted file mode 100644 -index d846a53a0..000000000 +index a60ff9fbd..000000000 --- a/daemon/bpf.sha +++ /dev/null 
@@ -1,2 +0,0 @@ --GO_BINDATA_SHA1SUM=cbfa4658613722c813e201abf9cab36a5653b20f +-GO_BINDATA_SHA1SUM=b251f59546cc7ea8afebc6214c4c8c53b476f038 -BPF_FILES=../bpf/COPYING ../bpf/Makefile ../bpf/Makefile.bpf ../bpf/bpf_alignchecker.c ../bpf/bpf_features.h ../bpf/bpf_hostdev_ingress.c ../bpf/bpf_ipsec.c ../bpf/bpf_lxc.c ../bpf/bpf_netdev.c ../bpf/bpf_network.c ../bpf/bpf_overlay.c ../bpf/bpf_sock.c ../bpf/bpf_xdp.c ../bpf/cilium-map-migrate.c ../bpf/filter_config.h ../bpf/include/bpf/api.h ../bpf/include/elf/elf.h ../bpf/include/elf/gelf.h ../bpf/include/elf/libelf.h ../bpf/include/iproute2/bpf_elf.h ../bpf/include/linux/bpf.h ../bpf/include/linux/bpf_common.h ../bpf/include/linux/byteorder.h ../bpf/include/linux/byteorder/big_endian.h ../bpf/include/linux/byteorder/little_endian.h ../bpf/include/linux/icmp.h ../bpf/include/linux/icmpv6.h ../bpf/include/linux/if_arp.h ../bpf/include/linux/if_ether.h ../bpf/include/linux/if_packet.h ../bpf/include/linux/in.h ../bpf/include/linux/in6.h ../bpf/include/linux/ioctl.h ../bpf/include/linux/ip.h ../bpf/include/linux/ipv6.h ../bpf/include/linux/perf_event.h ../bpf/include/linux/swab.h ../bpf/include/linux/tcp.h ../bpf/include/linux/type_mapper.h ../bpf/include/linux/udp.h ../bpf/init.sh ../bpf/lib/arp.h ../bpf/lib/common.h ../bpf/lib/config.h ../bpf/lib/conntrack.h ../bpf/lib/conntrack_map.h ../bpf/lib/conntrack_test.h ../bpf/lib/csum.h ../bpf/lib/dbg.h ../bpf/lib/drop.h ../bpf/lib/encap.h ../bpf/lib/eps.h ../bpf/lib/eth.h ../bpf/lib/events.h ../bpf/lib/icmp6.h ../bpf/lib/identity.h ../bpf/lib/ipv4.h ../bpf/lib/ipv6.h ../bpf/lib/ipv6_test.h ../bpf/lib/l3.h ../bpf/lib/l4.h ../bpf/lib/lb.h ../bpf/lib/lxc.h ../bpf/lib/maps.h ../bpf/lib/metrics.h ../bpf/lib/nat.h ../bpf/lib/nat46.h ../bpf/lib/nodeport.h ../bpf/lib/policy.h ../bpf/lib/signal.h ../bpf/lib/tailcall.h ../bpf/lib/trace.h ../bpf/lib/utils.h ../bpf/lib/xdp.h ../bpf/lxc_config.h ../bpf/netdev_config.h ../bpf/node_config.h ../bpf/probes/raw_change_tail.t 
../bpf/probes/raw_fib_lookup.t ../bpf/probes/raw_insn.h ../bpf/probes/raw_invalidate_hash.t ../bpf/probes/raw_lpm_map.t ../bpf/probes/raw_lru_map.t ../bpf/probes/raw_main.c ../bpf/probes/raw_max_insn.t ../bpf/probes/raw_sock_cookie.t ../bpf/run_probes.sh ../bpf/sockops/Makefile ../bpf/sockops/bpf_redir.c ../bpf/sockops/bpf_sockops.c ../bpf/sockops/bpf_sockops.h ../bpf/sockops/sockops_config.h diff --git a/daemon/daemon_main.go b/daemon/daemon_main.go -index b778722fe..7e7c89374 100644 +index 5acb48281..4b3a933a4 100644 --- a/daemon/daemon_main.go +++ b/daemon/daemon_main.go -@@ -718,9 +718,9 @@ func init() { +@@ -743,9 +743,9 @@ func init() { viper.BindPFlags(flags) } @@ -469,7 +455,7 @@ fileList := []string{} err := filepath.Walk(searchDir, func(path string, f os.FileInfo, err error) error { for _, pattern := range patterns { -@@ -881,20 +881,11 @@ func initEnv(cmd *cobra.Command) { +@@ -918,20 +918,11 @@ func initEnv(cmd *cobra.Command) { if err := os.MkdirAll(option.Config.LibDir, defaults.RuntimePathRights); err != nil { scopedLog.WithError(err).Fatal("Could not create library directory") } @@ -522,7 +508,7 @@ - "./../:/go/src/github.com/cilium/cilium/" privileged: true diff --git a/test/packet/scripts/install.sh b/test/packet/scripts/install.sh -index d5181b0e1..ffd1038e2 100644 +index 23a7ddd0e..c320e40d7 100644 --- a/test/packet/scripts/install.sh +++ b/test/packet/scripts/install.sh @@ -65,7 +65,6 @@ sudo ln -s /usr/local/go/bin/* /usr/local/bin/ @@ -534,5 +520,5 @@ go get -u github.com/onsi/ginkgo/ginkgo go get -u github.com/onsi/gomega/... -- -2.25.1 +2.26.2 ++++++ 0003-bpf-don-t-use-fixed-size-integer-types-from-stdint.h.patch ++++++ --- /var/tmp/diff_new_pack.TZFIMP/_old 2020-06-23 21:02:48.561497326 +0200 +++ /var/tmp/diff_new_pack.TZFIMP/_new 2020-06-23 21:02:48.565497339 +0200 @@ -1,7 +1,7 @@ -From 9ca0ca84f5db2ae24fca015c9d048037e7dec2b7 Mon Sep 17 00:00:00 2001 +From 7daa01fc7a23f83f6088b6eb43917cefa9944937 Mon Sep 17 00:00:00 2001 
From: Tobias Klauser <[email protected]> Date: Mon, 17 Feb 2020 11:58:32 +0100 -Subject: [PATCH 3/4] bpf: don't use fixed size integer types from stdint.h +Subject: [PATCH 03/10] bpf: don't use fixed size integer types from stdint.h Use stddef.h to get size_t, use kernel definitions for fixed size types where appropriate (e.g. uint32_t -> __u32) @@ -81,7 +81,7 @@ delete mode 100644 bpf/include/linux/type_mapper.h diff --git a/.travis.yml b/.travis.yml -index f9f5a027b..a2556c327 100644 +index 1d4c88d5f..3e4f815b9 100644 --- a/.travis.yml +++ b/.travis.yml @@ -11,7 +11,7 @@ if: branch = master OR type = pull_request @@ -107,7 +107,7 @@ before_install: ./.travis/prepare.sh diff --git a/Documentation/contributing/development/dev_setup.rst b/Documentation/contributing/development/dev_setup.rst -index 2fdfd6b21..aa5c853a9 100644 +index e9d0371b6..903b2f363 100644 --- a/Documentation/contributing/development/dev_setup.rst +++ b/Documentation/contributing/development/dev_setup.rst @@ -20,8 +20,6 @@ contribute to Cilium: @@ -182,7 +182,7 @@ #include "lib/dbg.h" diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c -index 3fe9dc329..81f11c1c8 100644 +index 497edf48c..41a951c38 100644 --- a/bpf/bpf_lxc.c +++ b/bpf/bpf_lxc.c @@ -22,9 +22,6 @@ @@ -196,7 +196,7 @@ #include <linux/if_packet.h> diff --git a/bpf/bpf_netdev.c b/bpf/bpf_netdev.c -index a1cefd8dd..dfa70e128 100644 +index 4291794ff..9c0ec50d5 100644 --- a/bpf/bpf_netdev.c +++ b/bpf/bpf_netdev.c @@ -29,9 +29,6 @@ @@ -238,7 +238,7 @@ #include "lib/tailcall.h" diff --git a/bpf/bpf_sock.c b/bpf/bpf_sock.c -index 57dded0ac..874d427dd 100644 +index 7ab29f0a8..965df6a6b 100644 --- a/bpf/bpf_sock.c +++ b/bpf/bpf_sock.c @@ -21,9 +21,6 @@ @@ -275,7 +275,7 @@ #include <linux/if_ether.h> diff --git a/bpf/include/bpf/api.h b/bpf/include/bpf/api.h -index c7e0f1e8a..a71854f4e 100644 +index b13c9347e..7cfda0ba8 100644 --- a/bpf/include/bpf/api.h +++ b/bpf/include/bpf/api.h @@ -8,7 +8,7 @@ @@ -289,11 +289,11 @@ 
@@ -111,14 +111,14 @@ /* Map access/manipulation */ - static void *BPF_FUNC(map_lookup_elem, void *map, const void *key); - static int BPF_FUNC(map_update_elem, void *map, const void *key, + static void *BPF_FUNC(map_lookup_elem, const void *map, const void *key); + static int BPF_FUNC(map_update_elem, const void *map, const void *key, - const void *value, uint32_t flags); + const void *value, __u32 flags); - static int BPF_FUNC(map_delete_elem, void *map, const void *key); + static int BPF_FUNC(map_delete_elem, const void *map, const void *key); /* Time access */ -static uint64_t BPF_FUNC(ktime_get_ns); @@ -676,10 +676,10 @@ struct udphdr { __be16 source; diff --git a/bpf/init.sh b/bpf/init.sh -index 71326b47f..56f253daf 100755 +index 8d18c4145..5036ca3f7 100755 --- a/bpf/init.sh +++ b/bpf/init.sh -@@ -56,6 +56,8 @@ rm $RUNDIR/encap.state 2> /dev/null || true +@@ -57,6 +57,8 @@ rm $RUNDIR/encap.state 2> /dev/null || true # This directory was created by the daemon and contains the per container header file DIR="$PWD/globals" @@ -688,7 +688,7 @@ function setup_dev() { local -r NAME=$1 -@@ -269,6 +271,7 @@ function bpf_compile() +@@ -270,6 +272,7 @@ function bpf_compile() clang -O2 -g -target bpf -emit-llvm \ -Wno-address-of-packed-member -Wno-unknown-warning-option \ @@ -697,7 +697,7 @@ -D__NR_CPUS__=$(nproc) \ -DENABLE_ARP_RESPONDER \ diff --git a/bpf/lib/common.h b/bpf/lib/common.h -index 136375c29..5aed79e0e 100644 +index bde713507..ace0561dc 100644 --- a/bpf/lib/common.h +++ b/bpf/lib/common.h @@ -23,8 +23,8 @@ @@ -710,7 +710,7 @@ // FIXME: GH-3239 LRU logic is not handling timeouts gracefully enough // #ifndef HAVE_LRU_MAP_TYPE -@@ -695,7 +695,7 @@ static inline int redirect_self(struct __sk_buff *skb) +@@ -698,7 +698,7 @@ static inline int redirect_self(struct __sk_buff *skb) #endif } @@ -883,7 +883,7 @@ /** * update_metrics diff --git a/bpf/lib/nat.h b/bpf/lib/nat.h -index 42afca5bd..6836904e9 100644 +index 67be931c5..a8ccff000 100644 --- a/bpf/lib/nat.h 
+++ b/bpf/lib/nat.h @@ -70,20 +70,21 @@ static __always_inline __be16 __snat_clamp_port_range(__u16 start, __u16 end, @@ -1022,10 +1022,10 @@ int ret = TC_ACT_OK; diff --git a/bpf/lib/nodeport.h b/bpf/lib/nodeport.h -index e579fc6b8..f511fcf6b 100644 +index 9ac89419b..50cc42890 100644 --- a/bpf/lib/nodeport.h +++ b/bpf/lib/nodeport.h -@@ -754,8 +754,8 @@ static __always_inline int handle_dsr_v4(struct __sk_buff *skb, bool *dsr) +@@ -758,8 +758,8 @@ static __always_inline int handle_dsr_v4(struct __sk_buff *skb, bool *dsr) // Check whether IPv4 header contains a 64-bit option (IPv4 header // w/o option (5 x 32-bit words) + the DSR option (2 x 32-bit words)) if (ip4->ihl == 0x7) { @@ -1248,7 +1248,7 @@ int bpf_redir_proxy(struct sk_msg_md *msg) { diff --git a/bpf/sockops/bpf_sockops.c b/bpf/sockops/bpf_sockops.c -index e45749562..6cb92d921 100644 +index 2a9bbcd6f..87cf42530 100644 --- a/bpf/sockops/bpf_sockops.c +++ b/bpf/sockops/bpf_sockops.c @@ -22,9 +22,6 @@ @@ -1512,5 +1512,5 @@ #include "lib/conntrack_test.h" -- -2.25.1 +2.26.2 ++++++ 0004-helm-Allow-variables-for-compatibility-with-openSUSE.patch ++++++ --- /var/tmp/diff_new_pack.TZFIMP/_old 2020-06-23 21:02:48.577497377 +0200 +++ /var/tmp/diff_new_pack.TZFIMP/_new 2020-06-23 21:02:48.577497377 +0200 @@ -1,7 +1,7 @@ -From 6f533168004d9bdc7be259e0b0860bc6b4792936 Mon Sep 17 00:00:00 2001 +From 7fc312d45653e8d3247ba8cc2ad6f50bab6c99c9 Mon Sep 17 00:00:00 2001 From: Michal Rostecki <[email protected]> Date: Mon, 24 Feb 2020 19:57:31 +0100 -Subject: [PATCH 4/4] helm: Allow variables for compatibility with openSUSE +Subject: [PATCH 04/10] helm: Allow variables for compatibility with openSUSE images tl;dr: Few minor variables, which have no impact for users of Cilium @@ -48,7 +48,7 @@ 2 files changed, 12 insertions(+), 9 deletions(-) 
diff --git a/install/kubernetes/cilium/charts/agent/templates/daemonset.yaml b/install/kubernetes/cilium/charts/agent/templates/daemonset.yaml -index fe99c9e53..de24ad7c4 100644 +index 975f9d5c3..03444ea46 100644 --- a/install/kubernetes/cilium/charts/agent/templates/daemonset.yaml +++ b/install/kubernetes/cilium/charts/agent/templates/daemonset.yaml @@ -136,12 +136,12 @@ spec: @@ -116,5 +116,5 @@ # Specifies the maximum number of Pods that can be unavailable during the # update process. -- -2.25.1 +2.26.2 ++++++ 0002-bpf-re-add-a-proper-types.h-mapper.patch -> 0005-bpf-re-add-a-proper-types.h-mapper.patch ++++++ --- /work/SRC/openSUSE:Factory/cilium/0002-bpf-re-add-a-proper-types.h-mapper.patch 2020-06-12 21:36:37.667607610 +0200 +++ /work/SRC/openSUSE:Factory/.cilium.new.2956/0005-bpf-re-add-a-proper-types.h-mapper.patch 2020-06-23 21:02:33.789449796 +0200 @@ -1,7 +1,7 @@ -From 1b9593941d7c8e35e4c1a9dc7385cc59413cdc70 Mon Sep 17 00:00:00 2001 +From f590267aed3d373586e9ac8fff5bf63cc4bb10a1 Mon Sep 17 00:00:00 2001 From: Daniel Borkmann <[email protected]> Date: Thu, 19 Mar 2020 23:36:15 +0100 -Subject: [PATCH 2/2] bpf: re-add a proper types.h mapper +Subject: [PATCH 05/10] bpf: re-add a proper types.h mapper Commit a1d93e044c1f ("bpf: don't use fixed size integer types from stdint.h") removed the types.h mapper to avoid dependency on stdint.h ++++++ 0001-build-Avoid-using-git-if-not-in-a-git-repo.patch -> 0006-build-Avoid-using-git-if-not-in-a-git-repo.patch ++++++ --- /work/SRC/openSUSE:Factory/cilium/0001-build-Avoid-using-git-if-not-in-a-git-repo.patch 2020-06-12 21:36:36.707604080 +0200 +++ /work/SRC/openSUSE:Factory/.cilium.new.2956/0006-build-Avoid-using-git-if-not-in-a-git-repo.patch 2020-06-23 21:02:34.369451662 +0200 @@ -1,7 +1,7 @@ -From 0c80bde138150fc7f5a275b075995ad8ba11caa9 Mon Sep 17 00:00:00 2001 +From adcb5e534caacbd369ddac63c6fe2c4734bb7e99 Mon Sep 17 00:00:00 2001 
From: Jarno Rajahalme <[email protected]> Date: Fri, 15 May 2020 17:33:01 -0700 -Subject: [PATCH] build: Avoid using git if not in a git repo +Subject: [PATCH 06/10] build: Avoid using git if not in a git repo Do not use git if not in a git repo. @@ -14,14 +14,14 @@ Signed-off-by: Jarno Rajahalme <[email protected]> --- - .gitignore | 1 + - Makefile | 9 ++++++--- - Makefile.defs | 11 ++++++++--- - 3 files changed, 15 insertions(+), 6 deletions(-) + Makefile.defs | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) +diff --git a/Makefile.defs b/Makefile.defs +index 2e472a839..c32a5e02f 100644 --- a/Makefile.defs +++ b/Makefile.defs -@@ -38,7 +38,7 @@ +@@ -38,7 +38,7 @@ GOLDFLAGS += -X "github.com/cilium/cilium/pkg/envoy.RequiredEnvoyVersionSHA=$(CI BPF_FILES_EVAL := $(shell git ls-files $(ROOT_DIR)/bpf/ | grep -v .gitignore | tr "\n" ' ') BPF_FILES ?= $(BPF_FILES_EVAL) @@ -30,3 +30,6 @@ CILIUM_DATAPATH_SHA=$(shell cat $(BPF_FILES) | sha1sum | awk '{print $$1}') GOLDFLAGS += -X "github.com/cilium/cilium/pkg/datapath/loader.DatapathSHA=$(CILIUM_DATAPATH_SHA)" +-- +2.26.2 + ++++++ 0007-option-rename-PolicyMapMaxEntries-to-PolicyMapEntrie.patch ++++++ From 3d5a59c46ea00133f81b8c22aaf2b5e764b83935 Mon Sep 17 00:00:00 2001 From: Tobias Klauser <[email protected]> Date: Mon, 6 Apr 2020 20:13:13 +0200 Subject: [PATCH 07/10] option: rename PolicyMapMaxEntries to PolicyMapEntries This matches the other map entry size vars and also avoids confusion with the const PolicyMapMax used for upper bound policy map size. Signed-off-by: Tobias Klauser <[email protected]> (cherry picked from commit 4c127422e06f6f497a75a82c892205cbf9380883) --- daemon/daemon.go | 2 +- pkg/option/config.go | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/daemon/daemon.go b/daemon/daemon.go index 314be6fed..c722cb8bd 100644 --- a/daemon/daemon.go +++ b/daemon/daemon.go 
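Review bot: The refreshed patch now touches only Makefile.defs, and the line that still drives `BPF_FILES_EVAL` through `git ls-files` is visible as unchanged context, while the actual replacement line sits between the two outer hunks and is not shown, so whether `BPF_FILES` ends up non-empty in an OBS build without a .git directory cannot be confirmed from this diff. That matters because the context line `CILIUM_DATAPATH_SHA=$(shell cat $(BPF_FILES) | sha1sum | awk '{print $$1}')` degrades to hashing an empty stdin when `BPF_FILES` is empty, stamping every package build with the same `loader.DatapathSHA`; presumably the agent uses that value to tell datapath versions apart, so a constant value would defeat it. Consider guarding it with `$(if $(strip $(BPF_FILES)),,$(error BPF_FILES is empty; not in a git checkout?))` or passing `BPF_FILES` explicitly from the spec, and check the OBS build log for the computed SHA. The Makefile.defs content continues outside the hunk.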
@@ -266,7 +266,7 @@ func NewDaemon(ctx context.Context, dp datapath.Datapath) (*Daemon, *endpointRes ctmap.InitMapInfo(option.Config.CTMapEntriesGlobalTCP, option.Config.CTMapEntriesGlobalAny, option.Config.EnableIPv4, option.Config.EnableIPv6, ) - policymap.InitMapInfo(option.Config.PolicyMapMaxEntries) + policymap.InitMapInfo(option.Config.PolicyMapEntries) if option.Config.DryMode == false { if err := bpf.ConfigureResourceLimits(); err != nil { diff --git a/pkg/option/config.go b/pkg/option/config.go index 52e05a0ef..df24ad98b 100644 --- a/pkg/option/config.go +++ b/pkg/option/config.go @@ -1010,9 +1010,9 @@ type DaemonConfig struct { // in the BPF NAT table NATMapEntriesGlobal int - // PolicyMapMaxEntries is the maximum number of peer identities that an + // PolicyMapEntries is the maximum number of peer identities that an // endpoint may allow traffic to exchange traffic with. - PolicyMapMaxEntries int + PolicyMapEntries int // DisableCiliumEndpointCRD disables the use of CiliumEndpoint CRD DisableCiliumEndpointCRD bool @@ -1631,13 +1631,13 @@ func (c *DaemonConfig) Validate() error { policyMapMin := (1 << 8) policyMapMax := (1 << 16) - if c.PolicyMapMaxEntries < policyMapMin { + if c.PolicyMapEntries < policyMapMin { return fmt.Errorf("specified PolicyMap max entries %d must exceed minimum %d", - c.PolicyMapMaxEntries, policyMapMin) + c.PolicyMapEntries, policyMapMin) } - if c.PolicyMapMaxEntries > policyMapMax { + if c.PolicyMapEntries > policyMapMax { return fmt.Errorf("specified PolicyMap max entries %d must not exceed maximum %d", - c.PolicyMapMaxEntries, policyMapMax) + c.PolicyMapEntries, policyMapMax) } // Validate that the KVStore Lease TTL value lies between a particular range. if c.KVstoreLeaseTTL > defaults.KVstoreLeaseMaxTTL || c.KVstoreLeaseTTL < defaults.LockLeaseTTL { 
@@ -1864,7 +1864,7 @@ func (c *DaemonConfig) Populate() { c.NAT46Range = viper.GetString(NAT46Range) c.FlannelMasterDevice = viper.GetString(FlannelMasterDevice) c.FlannelUninstallOnExit = viper.GetBool(FlannelUninstallOnExit) - c.PolicyMapMaxEntries = viper.GetInt(PolicyMapEntriesName) + c.PolicyMapEntries = viper.GetInt(PolicyMapEntriesName) c.PProf = viper.GetBool(PProf) c.PreAllocateMaps = viper.GetBool(PreAllocateMapsName) c.PrependIptablesChains = viper.GetBool(PrependIptablesChainsName) -- 2.26.2 ++++++ 0008-helm-allow-to-configure-bpf-nat-global-max-using-Hel.patch ++++++ From 4f5f79074ddd974f48238540e586a4b7d9286c0b Mon Sep 17 00:00:00 2001 From: Dirk Mueller <[email protected]> Date: Fri, 12 Jun 2020 19:20:09 +0200 Subject: [PATCH 08/10] helm: allow to configure bpf-nat-global-max using Helm Set the value to the current value of option.NATMapEntriesGlobalDefault A successive PR will reduce it for #10056 Signed-off-by: Tobias Klauser <[email protected]> Cherry-Pick of https://github.com/cilium/cilium/commit/20f6083d6fabfcce302a1c43d81ddf639a23f7a6 --- .../kubernetes/cilium/charts/config/templates/configmap.yaml | 4 ++++ install/kubernetes/cilium/values.yaml | 3 +++ install/kubernetes/quick-install.yaml | 4 ++++ 3 files changed, 11 insertions(+) diff --git a/install/kubernetes/cilium/charts/config/templates/configmap.yaml b/install/kubernetes/cilium/charts/config/templates/configmap.yaml index adf1d0b37..0180b17d8 100644 --- a/install/kubernetes/cilium/charts/config/templates/configmap.yaml +++ b/install/kubernetes/cilium/charts/config/templates/configmap.yaml 
@@ -136,6 +136,10 @@ data: # policy map (per endpoint) bpf-policy-map-max: "{{ .Values.global.bpf.policyMapMax }}" + # bpf-nat-global-max specified the maximum number of entries in the BPF NAT + # table. + bpf-nat-global-max: "{{ .Values.global.bpf.natMax }}" + # Pre-allocation of map entries allows per-packet latency to be reduced, at # the expense of up-front memory allocation for the entries in the maps. The # default value below will minimize memory usage in the default installation; diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml index bf011a6ee..9409f90e7 100644 --- a/install/kubernetes/cilium/values.yaml +++ b/install/kubernetes/cilium/values.yaml @@ -209,6 +209,9 @@ global: # tracking table ctAnyMax: 262144 + # natMax is the maximum number of entries for the NAT table + natMax: 841429 + # policyMapMax is the maximum number of entries in endpoint policy map (per endpoint) policyMapMax: 16384 diff --git a/install/kubernetes/quick-install.yaml b/install/kubernetes/quick-install.yaml index 21e499268..cca20a800 100644 --- a/install/kubernetes/quick-install.yaml +++ b/install/kubernetes/quick-install.yaml @@ -79,6 +79,10 @@ data: # policy map (per endpoint) bpf-policy-map-max: "16384" + # bpf-nat-global-max specified the maximum number of entries in the BPF NAT + # table. + bpf-nat-global-max: "841429" + # Pre-allocation of map entries allows per-packet latency to be reduced, at # the expense of up-front memory allocation for the entries in the maps. The # default value below will minimize memory usage in the default installation; -- 2.26.2 ++++++ 0009-option-reduce-default-number-for-TCP-CT-and-NAT-tabl.patch ++++++ From 4c362fd543c00aeb4257ac6bcc64fe102e05f31e Mon Sep 17 00:00:00 2001 
From: Tobias Klauser <[email protected]> Date: Fri, 21 Feb 2020 15:22:29 +0100 Subject: [PATCH 09/10] option: reduce default number for TCP CT and NAT table max entries Commit e824a86bba21 ("daemon: Allow configuration of CT max entries") bumped the default value to 1000000 in order to ease upgrades from Cilium 1.2. In the helm charts, the value was again set to 512KB via the `ct-global-max-entries-tcp` option. However, if Cilium is not deployed via helm charts (e.g. when running as a systemd service in the devel VM) the large default number of entries is used. Set the default value for `bpf-ct-global-tcp-max` to 512KB again and instead advise users in the helm chart comments to set it to 1000000 in case they're upgrading or changed the size manually using Helm. Since the default value of `bpf-nat-global-max` for the NAT table size is derived from the default for `bpf-ct-global-tcp-max`, this commit will also decrease the NAT table size to 512K. Document possible consequences of upgrading Cilium installations with larger TCP CT and NAT table sizes. This saves about ~150MB of memory at runtime. Updates #10056 Signed-off-by: Tobias Klauser <[email protected]> --- Documentation/cmdref/cilium-agent.md | 4 +- Documentation/install/upgrade.rst | 315 ++++++++++++++++++ .../charts/config/templates/configmap.yaml | 4 +- install/kubernetes/cilium/values.yaml | 2 +- install/kubernetes/quick-install.yaml | 2 +- pkg/option/config.go | 2 +- 6 files changed, 322 insertions(+), 7 deletions(-) diff --git a/Documentation/cmdref/cilium-agent.md b/Documentation/cmdref/cilium-agent.md index 8925944db..e7e7a755a 100644 --- a/Documentation/cmdref/cilium-agent.md +++ b/Documentation/cmdref/cilium-agent.md
@@ -25,14 +25,14 @@ cilium-agent [flags] --blacklist-conflicting-routes Don't blacklist IP allocations conflicting with local non-cilium routes (default true) --bpf-compile-debug Enable debugging of the BPF compilation process --bpf-ct-global-any-max int Maximum number of entries in non-TCP CT table (default 262144) - --bpf-ct-global-tcp-max int Maximum number of entries in TCP CT table (default 1000000) + --bpf-ct-global-tcp-max int Maximum number of entries in TCP CT table (default 524288) --bpf-ct-timeout-regular-any duration Timeout for entries in non-TCP CT table (default 1m0s) --bpf-ct-timeout-regular-tcp duration Timeout for established entries in TCP CT table (default 6h0m0s) --bpf-ct-timeout-regular-tcp-fin duration Teardown timeout for entries in TCP CT table (default 10s) --bpf-ct-timeout-regular-tcp-syn duration Establishment timeout for entries in TCP CT table (default 1m0s) --bpf-ct-timeout-service-any duration Timeout for service entries in non-TCP CT table (default 1m0s) --bpf-ct-timeout-service-tcp duration Timeout for established service entries in TCP CT table (default 6h0m0s) - --bpf-nat-global-max int Maximum number of entries for the global BPF NAT table (default 841429) + --bpf-nat-global-max int Maximum number of entries for the global BPF NAT table (default 524288) --bpf-policy-map-max int Maximum number of entries in endpoint policy map (per endpoint) (default 16384) --bpf-root string Path to BPF filesystem --certificates-directory string Root directory to find certificates specified in L7 TLS policy enforcement (default "/var/run/cilium/certs") diff --git a/Documentation/install/upgrade.rst b/Documentation/install/upgrade.rst index 75c162e9d..001b2aa86 100644 --- a/Documentation/install/upgrade.rst +++ b/Documentation/install/upgrade.rst 
@@ -311,6 +311,321 @@ Annotations: upgrade. Connections should successfully re-establish without requiring clients to reconnect. +.. _1.8_upgrade_notes: + +1.8 Upgrade Notes +----------------- + +.. _current_release_required_changes: + +.. _1.8_required_changes: + +IMPORTANT: Changes required before upgrading to 1.8.0 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. warning:: + + Do not upgrade to 1.8.0 before reading the following section and completing + the required steps. + +* While operating in direct-routing mode (``--tunnel=disabled``), traffic with + a destination address matching a particular CIDR is automatically excluded + from being masqueraded. So far, this CIDR consisted of + ``<alloc-cidr>/<size>`` where the size could be set with the option + ``--ipv4-cluster-cidr-mask-size``. This was not always desirable and + limiting, therefore Cilium 1.6 had already introduced the option + ``--native-routing-cidr`` allowing to explicitly specify the CIDR for native + routing. With Cilium 1.8, the option ``--ipv4-cluster-cidr-mask-size`` is + being deprecated and all users must use the option ``--native-routing-cidr`` + instead. + + .. note:: The ENI IPAM mode automatically derives the native routing CIDR so + no action is required. + +Deprecated options +~~~~~~~~~~~~~~~~~~ + +* ``keep-bpf-templates``: This option no longer has any effect due to the BPF + assets not being compiled into the cilium-agent binary anymore. The option is + deprecated and will be removed in Cilium 1.9. +* ``access-log``: L7 access logs have been available via Hubble since Cilium + 1.6. The ``access-log`` option to log to a file has been removed. +* ``--disable-k8s-services`` option from cilium-agent has been deprecated + and will be removed in Cilium 1.9. 
+ +Renamed Metrics +~~~~~~~~~~~~~~~ + +The following metrics have been renamed: + +* ``cilium_operator_eni_ips`` to ``cilium_operator_ipam_ips`` +* ``cilium_operator_eni_allocation_ops`` to ``cilium_operator_ipam_allocation_ops`` +* ``cilium_operator_eni_interface_creation_ops`` to ``cilium_operator_ipam_interface_creation_ops`` +* ``cilium_operator_eni_available`` to ``cilium_operator_ipam_available`` +* ``cilium_operator_eni_nodes_at_capacity`` to ``cilium_operator_ipam_nodes_at_capacity`` +* ``cilium_operator_eni_resync_total`` to ``cilium_operator_ipam_resync_total`` +* ``cilium_operator_eni_aws_api_duration_seconds`` to ``cilium_operator_ipam_api_duration_seconds`` +* ``cilium_operator_eni_ec2_rate_limit_duration_seconds`` to ``cilium_operator_ipam_api_rate_limit_duration_seconds`` + +Deprecated cilium-operator options +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* ``metrics-address``: This option is being deprecated and a new flag is + introduced to replace its usage. The new option is ``operator-prometheus-serve-addr``. + This old option will be removed in Cilium 1.9 + +* ``ccnp-node-status-gc``: This option is being deprecated. Disabling CCNP node + status GC can be done with ``cnp-node-status-gc-interval=0``. (Note that this + is not a typo, it is meant to be ``cnp-node-status-gc-interval``). + This old option will be removed in Cilium 1.9 + +* ``cnp-node-status-gc``: This option is being deprecated. Disabling CNP node + status GC can be done with ``cnp-node-status-gc-interval=0``. + This old option will be removed in Cilium 1.9 + +* ``cilium-endpoint-gc``: This option is being deprecated. Disabling cilium + endpoint GC can be done with ``cilium-endpoint-gc-interval=0``. + This old option will be removed in Cilium 1.9 + +* ``api-server-port``: This option is being deprecated. The API Server address + and port can be enabled with ``operator-api-serve-addr=127.0.0.1:9234`` + or ``operator-api-serve-addr=[::1]:9234`` for IPv6-only clusters. 
+ This old option will be removed in Cilium 1.9 + +* ``eni-parallel-workers``: This option in the Operator has been renamed to + ``parallel-alloc-workers``. The obsolete option name ``eni-parallel-workers`` + has been deprecated and will be removed in v1.9. + +* ``aws-client-burst``: This option in the Operator has been renamed to + ``limit-ipam-api-burst``. The obsolete option name ``aws-client-burst`` has been + deprecated and will be removed in v1.9. + +* ``aws-client-qps``: This option in the Operator has been renamed to + ``limit-ipam-api-qps``. The obsolete option name ``aws-client-qps`` has been + deprecated and will be removed in v1.9. + +Removed options +~~~~~~~~~~~~~~~ + +* ``enable-legacy-services``: This option was deprecated in Cilium 1.6 and is + now removed. + +Removed helm options +~~~~~~~~~~~~~~~~~~~~ +* ``operator.synchronizeK8sNodes``: was removed and replaced with ``global.synchronizeK8sNodes`` + +Removed resource fields +~~~~~~~~~~~~~~~~~~~~~~~ + +* The fields ``CiliumEndpoint.Status.Status``, + ``CiliumEndpoint.Status.Spec``, and ``EndpointIdentity.LabelsSHA256``, + deprecated in 1.4, have been removed. + +======= +.. _1.8_upgrade_notes: + +1.8 Upgrade Notes +----------------- + +.. _current_release_required_changes: + +.. _1.8_required_changes: + +IMPORTANT: Changes required before upgrading to 1.8.0 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. warning:: + + Do not upgrade to 1.8.0 before reading the following section and completing + the required steps. + +* While operating in direct-routing mode (``--tunnel=disabled``), traffic with + a destination address matching a particular CIDR is automatically excluded + from being masqueraded. So far, this CIDR consisted of + ``<alloc-cidr>/<size>`` where the size could be set with the option + ``--ipv4-cluster-cidr-mask-size``. 
This was not always desirable and + limiting, therefore Cilium 1.6 had already introduced the option + ``--native-routing-cidr`` allowing to explicitly specify the CIDR for native + routing. With Cilium 1.8, the option ``--ipv4-cluster-cidr-mask-size`` is + being deprecated and all users must use the option ``--native-routing-cidr`` + instead. + + .. note:: The ENI IPAM mode automatically derives the native routing CIDR so + no action is required. + +Upgrading from >=1.7.0 to 1.8.y +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* Since Cilium 1.5, the TCP connection tracking table size parameter + ``bpf-ct-global-tcp-max`` in the daemon was set to the default value + ``1000000`` to retain backwards compatibility with previous versions. In + Cilium 1.8 the default value is set to 512K by default in order to reduce the + agent memory consumption. + + If Cilium was deployed using Helm, the new default value of 512K was already + effective in Cilium 1.6 or later, unless it was manually configured to a + different value. + + If the table size was configured to a value different from 512K in the + previous installation, ongoing connections will be disrupted during the + upgrade. To avoid connection breakage, ``bpf-ct-global-tcp-max`` needs to be + manually adjusted. + + To check whether any action is required the following command can be used to + check the currently configured maximum number of TCP conntrack entries: + + .. code:: bash + + sudo grep -R CT_MAP_SIZE_TCP /var/run/cilium/state/templates/ + + If the maximum number is 524288, no action is required. If the number is + different, ``bpf-ct-global-tcp-max`` needs to be adjusted in the `ConfigMap` + to the value shown by the command above (100000 in the example below): + +.. tabs:: + .. group-tab:: kubectl + + .. parsed-literal:: + + helm template cilium \\ + --namespace=kube-system \\ + ... + --set global.bpf.ctTcpMax=100000 + ... + > cilium.yaml + kubectl apply -f cilium.yaml + + .. group-tab:: Helm + + .. 
parsed-literal:: + + helm upgrade cilium --namespace=kube-system \\ + --set global.bpf.ctTcpMax=100000 + +* The default value for the NAT table size parameter ``bpf-nat-global-max`` in + the daemon is derived from the default value of the conntrack table size + parameter ``bpf-ct-global-tcp-max``. Since the latter was changed (see + above), the default NAT table size decreased from ~820K to 512K. + + The NAT table is only used if either BPF NodePort (``enable-node-port`` + parameter) or masquerading (``masquerade`` parameter) are enabled. No action + is required if neither of the parameters is enabled. + + If either of the parameters is enabled, ongoing connections will be disrupted + during the upgrade. In order to avoid connection breakage, + ``bpf-nat-global-max`` needs to be manually adjusted. + + To check whether any adjustment is required the following command can be used + to check the currently configured maximum number of NAT table entries: + + .. code:: bash + + sudo grep -R SNAT_MAPPING_IPV[46]_SIZE /var/run/cilium/state/globals/ + + If the command does not return any value or if the returned maximum number is + 524288, no action is required. If the number is different, + ``bpf-nat-global-max`` needs to be adjusted in the `ConfigMap` to the value + shown by the command above (841429 in the example below): + +.. tabs:: + .. group-tab:: kubectl + + .. parsed-literal:: + + helm template cilium \\ + --namespace=kube-system \\ + ... + --set global.bpf.natMax=841429 + ... + > cilium.yaml + kubectl apply -f cilium.yaml + + .. group-tab:: Helm + + .. parsed-literal:: + + helm upgrade cilium --namespace=kube-system \\ + --set global.bpf.natMax=841429 + +Deprecated options +~~~~~~~~~~~~~~~~~~ + +* ``keep-bpf-templates``: This option no longer has any effect due to the BPF + assets not being compiled into the cilium-agent binary anymore. The option is + deprecated and will be removed in Cilium 1.9. 
+* ``access-log``: L7 access logs have been available via Hubble since Cilium + 1.6. The ``access-log`` option to log to a file has been removed. +* ``--disable-k8s-services`` option from cilium-agent has been deprecated + and will be removed in Cilium 1.9. + +Renamed Metrics +~~~~~~~~~~~~~~~ + +The following metrics have been renamed: + +* ``cilium_operator_eni_ips`` to ``cilium_operator_ipam_ips`` +* ``cilium_operator_eni_allocation_ops`` to ``cilium_operator_ipam_allocation_ops`` +* ``cilium_operator_eni_interface_creation_ops`` to ``cilium_operator_ipam_interface_creation_ops`` +* ``cilium_operator_eni_available`` to ``cilium_operator_ipam_available`` +* ``cilium_operator_eni_nodes_at_capacity`` to ``cilium_operator_ipam_nodes_at_capacity`` +* ``cilium_operator_eni_resync_total`` to ``cilium_operator_ipam_resync_total`` +* ``cilium_operator_eni_aws_api_duration_seconds`` to ``cilium_operator_ipam_api_duration_seconds`` +* ``cilium_operator_eni_ec2_rate_limit_duration_seconds`` to ``cilium_operator_ipam_api_rate_limit_duration_seconds`` + +Deprecated cilium-operator options +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* ``metrics-address``: This option is being deprecated and a new flag is + introduced to replace its usage. The new option is ``operator-prometheus-serve-addr``. + This old option will be removed in Cilium 1.9 + +* ``ccnp-node-status-gc``: This option is being deprecated. Disabling CCNP node + status GC can be done with ``cnp-node-status-gc-interval=0``. (Note that this + is not a typo, it is meant to be ``cnp-node-status-gc-interval``). + This old option will be removed in Cilium 1.9 + +* ``cnp-node-status-gc``: This option is being deprecated. Disabling CNP node + status GC can be done with ``cnp-node-status-gc-interval=0``. + This old option will be removed in Cilium 1.9 + +* ``cilium-endpoint-gc``: This option is being deprecated. Disabling cilium + endpoint GC can be done with ``cilium-endpoint-gc-interval=0``. 
+ This old option will be removed in Cilium 1.9 + +* ``api-server-port``: This option is being deprecated. The API Server address + and port can be enabled with ``operator-api-serve-addr=127.0.0.1:9234`` + or ``operator-api-serve-addr=[::1]:9234`` for IPv6-only clusters. + This old option will be removed in Cilium 1.9 + +* ``eni-parallel-workers``: This option in the Operator has been renamed to + ``parallel-alloc-workers``. The obsolete option name ``eni-parallel-workers`` + has been deprecated and will be removed in v1.9. + +* ``aws-client-burst``: This option in the Operator has been renamed to + ``limit-ipam-api-burst``. The obsolete option name ``aws-client-burst`` has been + deprecated and will be removed in v1.9. + +* ``aws-client-qps``: This option in the Operator has been renamed to + ``limit-ipam-api-qps``. The obsolete option name ``aws-client-qps`` has been + deprecated and will be removed in v1.9. + +Removed options +~~~~~~~~~~~~~~~ + +* ``enable-legacy-services``: This option was deprecated in Cilium 1.6 and is + now removed. + +Removed helm options +~~~~~~~~~~~~~~~~~~~~ +* ``operator.synchronizeK8sNodes``: was removed and replaced with ``global.synchronizeK8sNodes`` + +Removed resource fields +~~~~~~~~~~~~~~~~~~~~~~~ + +* The fields ``CiliumEndpoint.Status.Status``, + ``CiliumEndpoint.Status.Spec``, and ``EndpointIdentity.LabelsSHA256``, + deprecated in 1.4, have been removed. + .. _1.7_upgrade_notes: 1.7 Upgrade Notes diff --git a/install/kubernetes/cilium/charts/config/templates/configmap.yaml b/install/kubernetes/cilium/charts/config/templates/configmap.yaml index 0180b17d8..77fa80523 100644 --- a/install/kubernetes/cilium/charts/config/templates/configmap.yaml +++ b/install/kubernetes/cilium/charts/config/templates/configmap.yaml 
@@ -118,7 +118,7 @@ data: # Only effective when monitor aggregation is set to "medium" or higher. monitor-aggregation-flags: {{ .Values.global.bpf.monitorFlags }} - # ct-global-max-entries-* specifies the maximum number of connections + # bpf-ct-global-*-max specifies the maximum number of connections # supported across all endpoints, split by protocol: tcp or other. One pair # of maps uses these values for IPv4 connections, and another pair of maps # use these values for IPv6 connections. @@ -128,7 +128,7 @@ data: # policy drops or a change in loadbalancing decisions for a connection. # # For users upgrading from Cilium 1.2 or earlier, to minimize disruption - # during the upgrade process, comment out these options. + # during the upgrade process, set bpf-ct-global-tcp-max to 1000000. bpf-ct-global-tcp-max: "{{ .Values.global.bpf.ctTcpMax }}" bpf-ct-global-any-max: "{{ .Values.global.bpf.ctAnyMax }}" diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml index 9409f90e7..302e7b4c3 100644 --- a/install/kubernetes/cilium/values.yaml +++ b/install/kubernetes/cilium/values.yaml @@ -210,7 +210,7 @@ global: ctAnyMax: 262144 # natMax is the maximum number of entries for the NAT table - natMax: 841429 + natMax: 524288 # policyMapMax is the maximum number of entries in endpoint policy map (per endpoint) policyMapMax: 16384 diff --git a/install/kubernetes/quick-install.yaml b/install/kubernetes/quick-install.yaml index cca20a800..ab2f4a261 100644 --- a/install/kubernetes/quick-install.yaml +++ b/install/kubernetes/quick-install.yaml @@ -71,7 +71,7 @@ data: # policy drops or a change in loadbalancing decisions for a connection. # # For users upgrading from Cilium 1.2 or earlier, to minimize disruption - # during the upgrade process, comment out these options. + # during the upgrade process, set bpf-ct-global-tcp-max to 1000000. bpf-ct-global-tcp-max: "524288" bpf-ct-global-any-max: "262144" 
diff --git a/pkg/option/config.go b/pkg/option/config.go
index df24ad98b..187a38286 100644
--- a/pkg/option/config.go
+++ b/pkg/option/config.go
@@ -440,7 +440,7 @@ const (
 // CTMapEntriesGlobalTCP retains the Cilium 1.2 (or earlier) size to
 // minimize disruption during upgrade.
- CTMapEntriesGlobalTCPDefault = 1000000
+ CTMapEntriesGlobalTCPDefault = 2 << 18 // 512Ki
 CTMapEntriesGlobalAnyDefault = 2 << 17 // 256Ki
 CTMapEntriesGlobalTCPName = "bpf-ct-global-tcp-max"
 CTMapEntriesGlobalAnyName = "bpf-ct-global-any-max"
-- 2.26.2 ++++++ 0010-daemon-add-option-to-dynamically-size-BPF-maps-based.patch ++++++ ++++ 778 lines (skipped) ++++++ _service ++++++
--- /var/tmp/diff_new_pack.TZFIMP/_old 2020-06-23 21:02:48.645497596 +0200
+++ /var/tmp/diff_new_pack.TZFIMP/_new 2020-06-23 21:02:48.649497609 +0200
@@ -4,7 +4,7 @@
 <param name="scm">git</param>
 <param name="exclude">.git</param>
 <param name="versionformat">@PARENT_TAG@</param>
- <param name="revision">refs/tags/v1.7.0</param>
+ <param name="revision">refs/tags/v1.7.5</param>
 <param name="filename">cilium</param>
 <param name="changesgenerate">disable</param>
 </service>
++++++ cilium-1.7.0.obscpio -> cilium-1.7.5.obscpio ++++++ /work/SRC/openSUSE:Factory/cilium/cilium-1.7.0.obscpio /work/SRC/openSUSE:Factory/.cilium.new.2956/cilium-1.7.5.obscpio differ: char 49, line 1 ++++++ cilium.obsinfo ++++++
--- /var/tmp/diff_new_pack.TZFIMP/_old 2020-06-23 21:02:48.709497802 +0200
+++ /var/tmp/diff_new_pack.TZFIMP/_new 2020-06-23 21:02:48.709497802 +0200
@@ -1,5 +1,5 @@
 name: cilium
-version: 1.7.0
-mtime: 1582065165
-commit: adeaf8c04371e7f1ab17379578a0b74814793587
+version: 1.7.5
+mtime: 1591966538
+commit: f524ca028289bc4f7a0cf5c8009eec6206bd05b4
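Review bot: The context comment directly above the changed constant is now stale: it still says `CTMapEntriesGlobalTCP retains the Cilium 1.2 (or earlier) size to minimize disruption during upgrade`, while the new value `2 << 18` is exactly the move away from that size that the commit message describes, so the comment now contradicts the code it documents. Suggest replacing the two comment lines with `// CTMapEntriesGlobalTCPDefault is the default size of the TCP CT table (512Ki). Installations still running with the Cilium 1.2-era value of 1000000 must set bpf-ct-global-tcp-max explicitly to avoid connection disruption on upgrade; see the 1.8 upgrade notes.` The comment also names CTMapEntriesGlobalTCP rather than the constant it sits on, CTMapEntriesGlobalTCPDefault, which is worth fixing in the same pass. The enclosing const block starts and ends outside the hunk.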
