From 7a1e1cc0a2d697127ffad6433ec1dde773aa8b0f Mon Sep 17 00:00:00 2001
From: l1b0k
Date: Fri, 16 Dec 2022 11:46:42 +0800
Subject: [PATCH] policy: update cilium to 1.12.4

---
 Dockerfile | 2 +-
 Dockerfile.policy | 6 +--
 .../cilium/0001-cilium-terway-datapath.patch | 18 ++++-----
 ...-overwrite-endpoint-when-conflicting.patch | 6 +--
 policy/cilium/0003-run-operator.patch | 24 +++++++-----
 .../cilium/0004-adapt-1.10-for-terway.patch | 6 +--
 ...ag-to-control-in-cluster-loadBalance.patch | 12 +++---
 ...-terway-support-kubelet-health-check.patch | 8 ++--
 ...0007-add-bandwidth-for-terway-ipvlan.patch | 39 +++++++++++++++++--
 policy/cilium/0008-adapt-1.12.patch | 2 +-
 .../cilium/0009-add-cmd-to-register-crd.patch | 2 +-
 11 files changed, 80 insertions(+), 45 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 302d3884..d21ab933 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-ARG TERWAY_POLICY_IMAGE=registry.cn-hongkong.aliyuncs.com/acs/terway:policy-20221118-d172822@sha256:903a69c6cd344017b009b34d59ef4ef7499614298034cbed939a6cf7303dc1f2
+ARG TERWAY_POLICY_IMAGE=registry.cn-hongkong.aliyuncs.com/acs/terway:policy-20221222-2ecf844@sha256:271c05807fdfe444eb803f3f82b173aec99ac459fc53aff0de160708e6d8a4a9
 ARG CILIUM_LLVM_IMAGE=quay.io/cilium/cilium-llvm:547db7ec9a750b8f888a506709adb41f135b952e@sha256:4d6fa0aede3556c5fb5a9c71bc6b9585475ac9b1064f516d4c45c8fb691c9d9e
 ARG CILIUM_BPFTOOL_IMAGE=quay.io/cilium/cilium-bpftool:78448c1a37ff2b790d5e25c3d8b8ec3e96e6405f@sha256:99a9453a921a8de99899ef82e0822f0c03f65d97005c064e231c06247ad8597d
 ARG CILIUM_IPROUTE2_IMAGE=quay.io/cilium/cilium-iproute2:3570d58349efb2d6b0342369a836998c93afd291@sha256:1abcd7a5d2117190ab2690a163ee9cd135bc9e4cf8a4df662a8f993044c79342
diff --git a/Dockerfile.policy b/Dockerfile.policy
index c316533b..979d717b 100644
--- a/Dockerfile.policy
+++ b/Dockerfile.policy
@@ -18,7 +18,7 @@ RUN cd /go/src/github.com/projectcalico/felix && \ ( ! $(readelf -d bin/calico-felix | grep -q NEEDED) || ( echo "Error: bin/calico-felix was not statically linked"; false )) \ && chmod +x /go/src/github.com/projectcalico/felix/bin/calico-felix -FROM --platform=$TARGETPLATFORM quay.io/cilium/cilium-builder:203448b6efdbcff0fa9c00a082ae1b802047c6f9@sha256:32dda3d71a1f9259a69f72e46d689eb6b3d27a5cf4858f7a10be632ceb51fbdd as cilium-builder +FROM --platform=$TARGETPLATFORM quay.io/cilium/cilium-builder:f3ff491f1fb923136b8b5276fafd9d2ee460a265@sha256:764cc4a2ee14cdf57be3d4dbce132baa0fd7e62379ef6f6c05f3db4a7ccd64ba as cilium-builder ARG GOPROXY ENV GOPROXY $GOPROXY ARG CILIUM_SHA="" @@ -26,8 +26,8 @@ LABEL cilium-sha=${CILIUM_SHA} LABEL maintainer="maintainer@cilium.io" WORKDIR /go/src/github.com/cilium RUN rm -rf cilium -ENV GIT_TAG=v1.12.1 -ENV GIT_COMMIT=4c9a6302c9423e821c00930ca00f8eb6a34e9313 +ENV GIT_TAG=v1.12.4 +ENV GIT_COMMIT=6eaecaf87e165f7551fcf560f2ff8968e5056fe2 RUN git clone -b $GIT_TAG --depth 1 https://github.com/cilium/cilium.git && \ cd cilium && \ [ "`git rev-parse HEAD`" = "${GIT_COMMIT}" ] diff --git a/policy/cilium/0001-cilium-terway-datapath.patch b/policy/cilium/0001-cilium-terway-datapath.patch index 78d17183..eabedbed 100644 --- a/policy/cilium/0001-cilium-terway-datapath.patch +++ b/policy/cilium/0001-cilium-terway-datapath.patch @@ -20,10 +20,10 @@ Signed-off-by: l1b0k create mode 100644 plugins/cilium-cni/chaining/terway/terway.go diff --git a/daemon/cmd/endpoint.go b/daemon/cmd/endpoint.go -index af6fb5f52f..7fce43739a 100644 +index 9605f8ad3f..02137811e4 100644 --- a/daemon/cmd/endpoint.go +++ b/daemon/cmd/endpoint.go -@@ -440,6 +440,12 @@ func (d *Daemon) createEndpoint(ctx context.Context, owner regeneration.Owner, e +@@ -442,6 +442,12 @@ func (d *Daemon) createEndpoint(ctx context.Context, owner regeneration.Owner, e return d.errorDuringCreation(ep, fmt.Errorf("unable to insert endpoint into manager: %s", err)) } 
@@ -261,7 +261,7 @@ index f39d064078..0865a8451d 100644 func (ep *epInfoCache) IPv4Address() addressing.CiliumIPv4 { return ep.ipv4 diff --git a/pkg/endpoint/endpoint.go b/pkg/endpoint/endpoint.go -index f8314e71a5..e878937435 100644 +index 605d178beb..916c3f72b7 100644 --- a/pkg/endpoint/endpoint.go +++ b/pkg/endpoint/endpoint.go @@ -19,6 +19,7 @@ import ( @@ -325,7 +325,7 @@ index f8314e71a5..e878937435 100644 return e.ifName } -@@ -2099,6 +2118,32 @@ func (e *Endpoint) IsDisconnecting() bool { +@@ -2100,6 +2119,32 @@ func (e *Endpoint) IsDisconnecting() bool { return e.state == StateDisconnected || e.state == StateDisconnecting } @@ -359,10 +359,10 @@ index f8314e71a5..e878937435 100644 e.buildMutex.Lock() defer e.buildMutex.Unlock() diff --git a/pkg/endpoint/restore.go b/pkg/endpoint/restore.go -index d70bf02375..c26f366e9e 100644 +index 97f2b1a910..ba905543f0 100644 --- a/pkg/endpoint/restore.go +++ b/pkg/endpoint/restore.go -@@ -381,6 +381,7 @@ func (e *Endpoint) toSerializedEndpoint() *serializableEndpoint { +@@ -383,6 +383,7 @@ func (e *Endpoint) toSerializedEndpoint() *serializableEndpoint { ContainerID: e.containerID, DockerNetworkID: e.dockerNetworkID, DockerEndpointID: e.dockerEndpointID, @@ -370,7 +370,7 @@ index d70bf02375..c26f366e9e 100644 IfName: e.ifName, IfIndex: e.ifIndex, OpLabels: e.OpLabels, -@@ -429,6 +430,9 @@ type serializableEndpoint struct { +@@ -431,6 +432,9 @@ type serializableEndpoint struct { // libnetwork DockerEndpointID string @@ -380,7 +380,7 @@ index d70bf02375..c26f366e9e 100644 // ifName is the name of the host facing interface (veth pair) which // connects into the endpoint IfName string -@@ -516,6 +520,7 @@ func (ep *Endpoint) fromSerializedEndpoint(r *serializableEndpoint) { +@@ -518,6 +522,7 @@ func (ep *Endpoint) fromSerializedEndpoint(r *serializableEndpoint) { ep.containerID = r.ContainerID ep.dockerNetworkID = r.DockerNetworkID ep.dockerEndpointID = r.DockerEndpointID 
@@ -730,5 +730,5 @@ index 5eca17daeb..1ee2227373 100644 ) -- -2.37.3 +2.39.0 diff --git a/policy/cilium/0002-overwrite-endpoint-when-conflicting.patch b/policy/cilium/0002-overwrite-endpoint-when-conflicting.patch index bcee1cfb..de24552a 100644 --- a/policy/cilium/0002-overwrite-endpoint-when-conflicting.patch +++ b/policy/cilium/0002-overwrite-endpoint-when-conflicting.patch @@ -9,10 +9,10 @@ Signed-off-by: l1b0k 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/daemon/cmd/endpoint.go b/daemon/cmd/endpoint.go -index 7fce43739a..57776f0f1d 100644 +index 02137811e4..6399bb770f 100644 --- a/daemon/cmd/endpoint.go +++ b/daemon/cmd/endpoint.go -@@ -355,7 +355,9 @@ func (d *Daemon) createEndpoint(ctx context.Context, owner regeneration.Owner, e +@@ -357,7 +357,9 @@ func (d *Daemon) createEndpoint(ctx context.Context, owner regeneration.Owner, e if err != nil { return invalidDataError(ep, err) } else if oldEp != nil { @@ -24,5 +24,5 @@ index 7fce43739a..57776f0f1d 100644 } -- -2.37.3 +2.39.0 diff --git a/policy/cilium/0003-run-operator.patch b/policy/cilium/0003-run-operator.patch index 29512e33..08391d82 100644 --- a/policy/cilium/0003-run-operator.patch +++ b/policy/cilium/0003-run-operator.patch @@ -5,13 +5,13 @@ Subject: [PATCH] run operator Signed-off-by: l1b0k --- - daemon/cmd/daemon_main.go | 22 ++-- + daemon/cmd/daemon_main.go | 25 +++-- operator/Makefile | 2 +- - operator/main.go | 218 -------------------------------------- - 3 files changed, 16 insertions(+), 226 deletions(-) + operator/main.go | 219 -------------------------------------- + 3 files changed, 19 insertions(+), 227 deletions(-) diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go -index 14daa753ef..3880abdd9c 100644 +index 8948ece323..7ca1c4af6e 100644 --- a/daemon/cmd/daemon_main.go +++ b/daemon/cmd/daemon_main.go @@ -14,13 +14,6 @@ import ( 
@@ -49,11 +49,14 @@ index 14daa753ef..3880abdd9c 100644 ) const ( -@@ -1613,6 +1613,14 @@ func (d *Daemon) initKVStore() { +@@ -1617,6 +1617,17 @@ func (d *Daemon) initKVStore() { } func runDaemon() { + go func() { ++ if os.Getenv("DISABLE_CILIUM_OPERATOR") == "true" { ++ return ++ } + cmd := exec.CommandContext(server.ServerCtx, "cilium-operator-generic", "--skip-crd-creation", "--k8s-namespace", os.Getenv("CILIUM_K8S_NAMESPACE"), "--identity-gc-interval", "10m", "--identity-heartbeat-timeout", "20m") + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr @@ -78,7 +81,7 @@ index ebd1285e3d..1710880c84 100644 cilium-operator-aws: GO_TAGS_FLAGS+=ipam_provider_aws cilium-operator-azure: GO_TAGS_FLAGS+=ipam_provider_azure diff --git a/operator/main.go b/operator/main.go -index 803a95322a..9d6c2522a2 100644 +index ac0ad59924..9d6c2522a2 100644 --- a/operator/main.go +++ b/operator/main.go @@ -15,29 +15,22 @@ import ( @@ -311,7 +314,7 @@ index 803a95322a..9d6c2522a2 100644 - // Once the CiliumNodes are synchronized with the operator we will - // be able to watch for K8s Node events which they will be used - // to create the remaining CiliumNodes. -- <-k8sCiliumNodesCacheSynced +- <-ciliumNodeManagerQueueSynced - - // We don't want CiliumNodes that don't have podCIDRs to be - // allocated with a podCIDR already being used by another node. @@ -326,7 +329,7 @@ index 803a95322a..9d6c2522a2 100644 if operatorOption.Config.IdentityGCInterval != 0 { identityRateLimiter = rate.NewLimiter( operatorOption.Config.IdentityGCRateInterval, -@@ -566,30 +372,6 @@ func onOperatorStartLeading(ctx context.Context) { +@@ -566,31 +372,6 @@ func onOperatorStartLeading(ctx context.Context) { enableCiliumEndpointSyncGC(true) } 
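Review bot: The new `DISABLE_CILIUM_OPERATOR` gate added inside the `runDaemon` goroutine (nested diff of daemon/cmd/daemon_main.go) returns silently, so a daemon started with the variable set leaves no trace in its own log that the embedded `cilium-operator-generic` was deliberately not spawned, and only the exact string `"true"` is honoured (`"1"` or `"True"` still start the operator). One log line before the `return`, using whatever logger daemon_main.go already has in scope (not visible in this hunk), would make the disabled state observable, and a comment above the check such as `// DISABLE_CILIUM_OPERATOR=true skips spawning the embedded cilium-operator-generic; any other value starts it` records the accepted value. The goroutine body continues past the hunk, so how a non-zero exit of the child process is surfaced is not visible here.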
@@ -346,7 +349,8 @@ index 803a95322a..9d6c2522a2 100644 - ingressController, err := ingress.NewIngressController( - ingress.WithHTTPSEnforced(operatorOption.Config.EnforceIngressHTTPS), - ingress.WithSecretsSyncEnabled(operatorOption.Config.EnableIngressSecretsSync), -- ingress.WithSecretsNamespace(operatorOption.Config.IngressSecretsNamespace)) +- ingress.WithSecretsNamespace(operatorOption.Config.IngressSecretsNamespace), +- ingress.WithLBAnnotationPrefixes(operatorOption.Config.IngressLBAnnotationPrefixes)) - if err != nil { - log.WithError(err).WithField(logfields.LogSubsys, ingress.Subsys).Fatal( - "Failed to start ingress controller") @@ -358,5 +362,5 @@ index 803a95322a..9d6c2522a2 100644 <-shutdownSignal -- -2.37.3 +2.39.0 diff --git a/policy/cilium/0004-adapt-1.10-for-terway.patch b/policy/cilium/0004-adapt-1.10-for-terway.patch index af74fc54..2e22dce2 100644 --- a/policy/cilium/0004-adapt-1.10-for-terway.patch +++ b/policy/cilium/0004-adapt-1.10-for-terway.patch @@ -9,10 +9,10 @@ Signed-off-by: l1b0k 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/pkg/option/config.go b/pkg/option/config.go -index e18af26c48..ca69edd2a5 100644 +index 23c8c8b84c..4fd430f1d1 100644 --- a/pkg/option/config.go +++ b/pkg/option/config.go -@@ -3155,16 +3155,16 @@ func (c *DaemonConfig) Populate() { +@@ -3170,16 +3170,16 @@ func (c *DaemonConfig) Populate() { } } @@ -40,5 +40,5 @@ index e18af26c48..ca69edd2a5 100644 c.KubeProxyReplacementHealthzBindAddr = viper.GetString(KubeProxyReplacementHealthzBindAddr) -- -2.37.3 +2.39.0 diff --git a/policy/cilium/0005-add-flag-to-control-in-cluster-loadBalance.patch b/policy/cilium/0005-add-flag-to-control-in-cluster-loadBalance.patch index 994e308c..dd383034 100644 --- a/policy/cilium/0005-add-flag-to-control-in-cluster-loadBalance.patch +++ b/policy/cilium/0005-add-flag-to-control-in-cluster-loadBalance.patch @@ -11,10 +11,10 @@ Signed-off-by: l1b0k 3 files changed, 11 insertions(+), 1 deletion(-) 
diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go -index 3880abdd9c..1c979ecb62 100644 +index 7ca1c4af6e..b68980bdae 100644 --- a/daemon/cmd/daemon_main.go +++ b/daemon/cmd/daemon_main.go -@@ -389,6 +389,9 @@ func initializeFlags() { +@@ -390,6 +390,9 @@ func initializeFlags() { flags.Bool(option.EnableExternalIPs, defaults.EnableExternalIPs, fmt.Sprintf("Enable k8s service externalIPs feature (requires enabling %s)", option.EnableNodePort)) option.BindEnv(option.EnableExternalIPs) @@ -38,7 +38,7 @@ index bbd35f3365..a055344850 100644 k8sLoadBalancerIPs = parseIPs(loadBalancerIPs) } else if option.Config.BGPAnnounceLBIP { diff --git a/pkg/option/config.go b/pkg/option/config.go -index ca69edd2a5..0df3422dac 100644 +index 4fd430f1d1..93340bb1c8 100644 --- a/pkg/option/config.go +++ b/pkg/option/config.go @@ -244,6 +244,9 @@ const ( @@ -51,7 +51,7 @@ index ca69edd2a5..0df3422dac 100644 // EnableSVCSourceRangeCheck enables check of service source range checks EnableSVCSourceRangeCheck = "enable-svc-source-range-check" -@@ -1823,6 +1826,9 @@ type DaemonConfig struct { +@@ -1826,6 +1829,9 @@ type DaemonConfig struct { // EnableNodePort enables k8s NodePort service implementation in BPF EnableNodePort bool @@ -61,7 +61,7 @@ index ca69edd2a5..0df3422dac 100644 // EnableSVCSourceRangeCheck enables check of loadBalancerSourceRanges EnableSVCSourceRangeCheck bool -@@ -2796,6 +2802,7 @@ func (c *DaemonConfig) Populate() { +@@ -2808,6 +2814,7 @@ func (c *DaemonConfig) Populate() { c.EnableTracing = viper.GetBool(EnableTracing) c.EnableUnreachableRoutes = viper.GetBool(EnableUnreachableRoutes) c.EnableNodePort = viper.GetBool(EnableNodePort) @@ -70,5 +70,5 @@ index ca69edd2a5..0df3422dac 100644 c.EnableHostPort = viper.GetBool(EnableHostPort) c.EnableHostLegacyRouting = viper.GetBool(EnableHostLegacyRouting) -- -2.37.3 +2.39.0 
diff --git a/policy/cilium/0006-terway-support-kubelet-health-check.patch b/policy/cilium/0006-terway-support-kubelet-health-check.patch index c8102b42..f326a052 100644 --- a/policy/cilium/0006-terway-support-kubelet-health-check.patch +++ b/policy/cilium/0006-terway-support-kubelet-health-check.patch @@ -11,10 +11,10 @@ Signed-off-by: l1b0k 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c -index ce5a9f65f5..1bca01a43f 100644 +index 63202a77c3..9a535a4c27 100644 --- a/bpf/bpf_lxc.c +++ b/bpf/bpf_lxc.c -@@ -1626,8 +1626,7 @@ int tail_ipv6_to_endpoint(struct __ctx_buff *ctx) +@@ -1628,8 +1628,7 @@ int tail_ipv6_to_endpoint(struct __ctx_buff *ctx) * as the host. So we can ignore the ipcache * if it reports the source as HOST_ID. */ @@ -24,7 +24,7 @@ index ce5a9f65f5..1bca01a43f 100644 } } cilium_dbg(ctx, info ? DBG_IP_ID_MAP_SUCCEED6 : DBG_IP_ID_MAP_FAILED6, -@@ -1968,8 +1967,7 @@ int tail_ipv4_to_endpoint(struct __ctx_buff *ctx) +@@ -1970,8 +1969,7 @@ int tail_ipv4_to_endpoint(struct __ctx_buff *ctx) * as the host. So we can ignore the ipcache * if it reports the source as HOST_ID. */ @@ -35,5 +35,5 @@ index ce5a9f65f5..1bca01a43f 100644 } cilium_dbg(ctx, info ? DBG_IP_ID_MAP_SUCCEED4 : DBG_IP_ID_MAP_FAILED4, -- -2.37.3 +2.39.0 diff --git a/policy/cilium/0007-add-bandwidth-for-terway-ipvlan.patch b/policy/cilium/0007-add-bandwidth-for-terway-ipvlan.patch index 7de2c197..f46eb0d6 100644 --- a/policy/cilium/0007-add-bandwidth-for-terway-ipvlan.patch +++ b/policy/cilium/0007-add-bandwidth-for-terway-ipvlan.patch @@ -6,14 +6,15 @@ Subject: [PATCH] add bandwidth for terway ipvlan Signed-off-by: l1b0k --- bpf/bpf_lxc.c | 15 +++++++++++++-- + pkg/bandwidth/bandwidth.go | 12 ++++++------ pkg/datapath/linux/config/config.go | 6 ++++++ - 2 files changed, 19 insertions(+), 2 deletions(-) + 3 files changed, 25 insertions(+), 8 deletions(-) 
diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c -index 1bca01a43f..9e554506d6 100644 +index 9a535a4c27..b0b2193452 100644 --- a/bpf/bpf_lxc.c +++ b/bpf/bpf_lxc.c -@@ -1333,17 +1333,28 @@ int handle_xgress(struct __ctx_buff *ctx) +@@ -1335,17 +1335,28 @@ int handle_xgress(struct __ctx_buff *ctx) goto out; } @@ -44,6 +45,36 @@ index 1bca01a43f..9e554506d6 100644 ep_tail_call(ctx, CILIUM_CALL_IPV4_FROM_LXC); ret = DROP_MISSED_TAIL_CALL; break; +diff --git a/pkg/bandwidth/bandwidth.go b/pkg/bandwidth/bandwidth.go +index ef652dfce7..b01c94930e 100644 +--- a/pkg/bandwidth/bandwidth.go ++++ b/pkg/bandwidth/bandwidth.go +@@ -87,11 +87,11 @@ func InitBandwidthManager() { + return + } + +- if len(option.Config.GetDevices()) == 0 { +- log.Warn("BPF bandwidth manager could not detect host devices. Disabling the feature.") +- option.Config.EnableBandwidthManager = false +- return +- } ++ //if len(option.Config.GetDevices()) == 0 { ++ // log.Warn("BPF bandwidth manager could not detect host devices. Disabling the feature.") ++ // option.Config.EnableBandwidthManager = false ++ // return ++ //} + // Going via host stack will orphan skb->sk, so we do need BPF host + // routing for it to work properly. + if option.Config.EnableBBR && option.Config.EnableHostLegacyRouting { +@@ -130,7 +130,7 @@ func InitBandwidthManager() { + }).Fatal("Failed to set sysctl needed by BPF bandwidth manager.") + } + } +- ++ return + for _, device := range option.Config.GetDevices() { + link, err := netlink.LinkByName(device) + if err != nil { diff --git a/pkg/datapath/linux/config/config.go b/pkg/datapath/linux/config/config.go index ea542dd527..0f078ad502 100644 --- a/pkg/datapath/linux/config/config.go @@ -62,5 +93,5 @@ index ea542dd527..0f078ad502 100644 ctmap.WriteBPFMacros(fw, e) } else { -- -2.37.3 +2.39.0 diff --git a/policy/cilium/0008-adapt-1.12.patch b/policy/cilium/0008-adapt-1.12.patch index 28b00ef9..81513f8c 100644 --- a/policy/cilium/0008-adapt-1.12.patch 
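Review bot: The bare `return` added to `InitBandwidthManager` (nested diff of pkg/bandwidth/bandwidth.go) sits directly before `for _, device := range option.Config.GetDevices()`, so that loop and whatever follows it become unreachable code that `go vet` will flag, while the device-detection block above is commented out rather than deleted, which hides why `EnableBandwidthManager` is now left enabled even when no host device is found. If the per-device qdisc setup is intentionally skipped for the terway ipvlan datapath, removing both the commented block and the dead tail, or wrapping them in an explicit condition, keeps the function honest; at minimum a comment on the early return such as `// terway: per-device qdisc setup is skipped here — <reason>` with the reason filled in explains the behaviour to the next maintainer. The remainder of the function lies outside the hunk, so what the dead tail would have configured cannot be confirmed from here.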
+++ b/policy/cilium/0008-adapt-1.12.patch @@ -61,5 +61,5 @@ index 3783cbcb5a..562b76a79b 100644 } -- -2.37.3 +2.39.0 diff --git a/policy/cilium/0009-add-cmd-to-register-crd.patch b/policy/cilium/0009-add-cmd-to-register-crd.patch index 04a305e8..37feb969 100644 --- a/policy/cilium/0009-add-cmd-to-register-crd.patch +++ b/policy/cilium/0009-add-cmd-to-register-crd.patch @@ -81,5 +81,5 @@ index 5057987ae4..43dc1f1bda 100644 + } +} -- -2.37.3 +2.39.0