daemon: Check nodePortMax < ephemeralPortMin in agent #10260
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The function can be used for reading sysctl parameters. Signed-off-by: Martynas Pumputis <[email protected]>
Previously, if the ephermeral range min port was not greater than the
nodeport range max port, the compilation of bpf_netdev was failing with
a cryptic message:
level=warning msg="In file included from /var/lib/cilium/bpf/bpf_overlay.c:39:" subsys=daemon
level=warning msg="/var/lib/cilium/bpf/lib/nodeport.h:898:3: error: array size is negative" subsys=daemon
level=warning msg=" build_bug_on(!(NODEPORT_PORT_MAX < EPHERMERAL_MIN));" subsys=daemon
level=warning msg="
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" subsys=daemon
level=warning msg="/var/lib/cilium/bpf/lib/utils.h:124:45: note: expanded from macro 'build_bug_on'" subsys=daemon
level=warning msg="# define build_bug_on(e) ((void)sizeof(char[1 - 2*!!(e)]))" subsys=daemon
level=warning msg=" ^~~~~~~~~~~" subsys=daemon
level=warning msg="3 warnings and 1 error generated." subsys=daemon
Fix this by checking the constraint in the agent, and log a helpful
message how to fix it.
Signed-off-by: Martynas Pumputis <[email protected]>
|
Release note label not set, please set the appropriate release note. |
2 similar comments
|
Release note label not set, please set the appropriate release note. |
|
Release note label not set, please set the appropriate release note. |
|
test-me-please |
brb
added
the
release-note/misc
It's a ephemeral port range, not a ephermeral port range. Signed-off-by: Martynas Pumputis <[email protected]>
brb
changed the title
|
test-me-please |
Otherwise, we might see some users unexpectedly seeing the panic, as in v1.7 we started to enable NodePort by default. Signed-off-by: Martynas Pumputis <[email protected]>
brb
changed the title
|
test-me-please |
borkmann
approved these changes
Feb 20, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously, if the ephermeral range min port was not greater than the nodeport range max port, the compilation of bpf_netdev was failing with a cryptic message:
Fix this by checking the constraint in the agent, and log a helpful message how to fix it. E.g.:
Also, when running in the non-strict mode (
kubeProxyReplacement=probe), we should not panic if the constraint is not met, and just disable the feature.Keeping the
build_bug_on(!(NODEPORT_PORT_MAX < EPHERMERAL_MIN))check in the datapath code, as it helps readers to understand the NodePort/SNAT code.This change is