cilium / cilium / 40861
39%

DEFAULT BRANCH: master
Ran
Jobs 3
Files 933
Run time 46min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 34.243% (+0.03%) from 34.216%
40861

push

travis-ci-com

borkmann 
cilium: Add scope knob for local address to be considered host id in ipcache

In some advanced environments, there may be devices in the hostns which could
have a link scoped 10.x.y.z address. The default behavior of Cilium when
populating its local ipcache is to skip all link local addresses as per
listLocalAddresses().

Depending on the datapath configuration, this may cause issues when a Pod
wants to talk to such an address in the hostns. For example, when routing
doesn't go via stack such as the case in BPF host routing, then for such
addresses, the ipcache will fall-back to WORLD id instead of HOST id. The
datapath then assumes that this needs to be xmitted to the given device
from tc layer instead of pushing traffic up the local stack as the case
with HOST id traffic. Then, if such device is f.e. a dummy dev, such traffic
is being blackholed.

We tested that changing scope to global for such address would make traffic
flow working, so the culprit really is in listLocalAddresses()'s logic
which unconditionally skips all addr.Scope == int(netlink.SCOPE_LINK).

Allow to customize this, given the kernel also allows many other scope
values. The agent gets a new --local-max-addr-scope param for this so
that e.g. link local scope can be included via `--local-max-addr-scope=253`
or via `--local-max-addr-scope=link`. To preserve the default, it's still
excluded.

Example, default:

  # ./daemon/cilium-agent --identity-allocation-mode=crd \
  --enable-ipv6=true --enable-ipv4=true --disable-envoy-version-check=true \
  --tunnel=disabled --k8s-kubeconfig-path=$HOME/.kube/config \
  --kube-proxy-replacement=strict --enable-l7-proxy=false \
  --auto-direct-node-routes=true --enable-bandwidth-manager=true \
  --ipv4-native-routing-cidr=10.91.0.0/16 --ipv6-native-routing-cidr=f00d::a5b:0:0:0/96 \
  --enable-ipv4-masquerade=false --enable-ipv6-masquerade=false

  root@zh-lab-node-1:~/go/src/github.com/cilium/cilium# ./cilium/cilium bpf ipcache list | grep "ident... (continued)

47257 of 138004 relevant lines covered (34.24%)

6231.0 hits per line

Jobs
ID Job ID Ran Files Coverage
1 40861.1 0
34.23
 Travis Job 40861.1
2 40861.2 0
34.21
 Travis Job 40861.2
3 40861.3 (RACE=1 BASE_IMAGE=quay.io/cilium/cilium-runtime:fbffa51a34a16a156cbee235c206894f687114fa@sha256:294918335a8a86a0719c1e24f402aa7ee37bd948750893e1a28e7dd3b2a79ed2 LOCKDEBUG=1) 0
34.24
 Travis Job 40861.3
Source Files on build 40861
Detailed source file information is not available for this build.