proxy: Do not panic on local error #25969

Merged

@jrajahalme jrajahalme commented Jun 7, 2023

CreateOrUpdateRedirect called nil revertFunc when any local error was returned. This was done using the pattern return 0, err, nil, nil which sets the revertFunc return variable as nil, but this was called on a deferred function to revert any changes on a local error.

Fix this by calling RevertStack.Revert() directly on the deferred function, and setting the return variable if there was no local error.

Another panic was possible when updating an existing redirect the proxy port of which had been released. Check that the proxy port is initialized before reusing the (possibly stale) redirect.

This was hit any time a CiliumNetworkPolicy referred to a non-existing listener.

Add a test case that reproduced the panic and works after the fix.

Increment proxy port on failure for non-DNS ports, even if DNS has been configured with a static port.

Fixed Cilium agent crash when policy refers to a non-existing Envoy listener.
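
The failure mode described above, as an added Go example (not code from this PR or from Cilium): `create`, `RevertStack`, `panicked`, the port number and the listener name are constructed for illustration, and the function is reduced to a single undo step. With `fixed=false` the deferred cleanup calls the named result `revertFunc`, which `return 0, err, nil, nil` has already set to nil; with `fixed=true` it calls the revert stack directly.

```go
package main

import "fmt"

// RevertStack is a stand-in undo stack for this example (not Cilium's own type).
type RevertStack []func()

func (s *RevertStack) Push(f func()) { *s = append(*s, f) }
func (s *RevertStack) Revert() {
	for i := len(*s) - 1; i >= 0; i-- {
		(*s)[i]()
	}
}

// create reserves one slot in *inUse and fails when the listener is missing.
// The error return assigns nil to revertFunc before the deferred func runs.
func create(inUse *int, missing, fixed bool) (port int, err error, finalizeFunc, revertFunc func()) {
	var stack RevertStack
	defer func() {
		switch {
		case err != nil && fixed:
			stack.Revert() // fix: undo through the stack, not the result variable
		case err != nil:
			revertFunc() // bug: nil function value, panics inside the defer
		}
	}()
	*inUse++
	stack.Push(func() { *inUse-- })
	if missing {
		return 0, fmt.Errorf("listener %q not found", "constructed-listener"), nil, nil
	}
	return 10000, nil, nil, stack.Revert
}

// panicked reports whether f panicked, so the buggy path can be shown safely.
func panicked(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return
}

func main() {
	n := 0
	fmt.Println("buggy panics:", panicked(func() { create(&n, true, false) }), "leaked:", n)
	n = 0
	_, err, _, _ := create(&n, true, true)
	fmt.Println("fixed:", err, "leaked:", n)
}
```

In the buggy path the reserved slot is also never released, because the panic fires before any undo function runs.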

CreateOrUpdateRedirect called nil revertFunc when any local error was
returned. This was done using the pattern `return 0, err, nil, nil` which
sets the revertFunc return variable as nil, but this was called on a
deferred function to revert any changes on a local error.

Fix this by calling RevertStack.Revert() directly on the deferred
function, and setting the return variable if there was no local error.

This was hit any time a CiliumNetworkPolicy referred to a non-existing
listener.

Add a test case that reproduced the panic and works after the fix.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme added kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. release-blocker/1.13 This issue will prevent the release of the next version of Cilium. needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch release-blocker/1.14 This issue will prevent the release of the next version of Cilium. labels Jun 7, 2023
@jrajahalme jrajahalme requested a review from a team as a code owner June 7, 2023 08:16
@jrajahalme jrajahalme requested a review from sayboras June 7, 2023 08:16
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.13.4 Jun 7, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.12.11 Jun 7, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.11.18 Jun 7, 2023
Only update an existing redirect if it is configured. This prevents
Cilium agent panic when trying to update redirect with released proxy
port.

This has only been observed to happen with explicit Envoy listener
redirects in CiliumNetworkPolicy when the listener has been removed.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Increment non-DNS proxy ports on failure even if DNS has been configured
with a static port.

Fixes: cilium#20896
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@maintainer-s-little-helper maintainer-s-little-helper bot removed this from Needs backport from main in 1.12.11 Jun 7, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed this from Needs backport from main in 1.11.18 Jun 7, 2023
@jrajahalme
Member Author

/test

Member

@sayboras sayboras left a comment

LGTM ✔️

@jrajahalme jrajahalme self-assigned this Jun 7, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 7, 2023
@dylandreimerink dylandreimerink merged commit 894aa4e into cilium:main Jun 7, 2023
61 of 63 checks passed
@qmonnet qmonnet added this to Needs backport from main in 1.13.5 Jun 9, 2023
@qmonnet qmonnet removed this from Needs backport from main in 1.13.4 Jun 9, 2023
@pchaigno pchaigno mentioned this pull request Jun 9, 2023
5 tasks
@pchaigno pchaigno added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed release-blocker/1.13 This issue will prevent the release of the next version of Cilium. labels Jun 9, 2023
@qmonnet qmonnet removed this from Needs backport from main in 1.13.5 Jun 9, 2023
@qmonnet qmonnet added this to Backport pending to v1.13 in 1.13.4 Jun 9, 2023
@michi-covalent michi-covalent added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Jun 9, 2023
@michi-covalent michi-covalent moved this from Backport pending to v1.13 to Backport done to v1.13 in 1.13.4 Jun 9, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.11.18 Jun 21, 2023
@jrajahalme jrajahalme removed the needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch label Jun 21, 2023
@jrajahalme
Member Author

Added Fixes, additional backports to 1.12, 1.11

@nbusseneau nbusseneau mentioned this pull request Jun 22, 2023
7 tasks
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.11 in 1.11.18 Jun 22, 2023
@nbusseneau nbusseneau mentioned this pull request Jun 22, 2023
10 tasks
@tklauser tklauser added backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. and removed backport-pending/1.11 labels Jun 29, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.11 to Backport done to v1.11 in 1.11.18 Jun 29, 2023
@tklauser tklauser added backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. and removed backport-pending/1.12 labels Jun 29, 2023
Labels
backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. kind/bug This is a bug in the Cilium logic. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-blocker/1.14 This issue will prevent the release of the next version of Cilium. release-note/bug This PR fixes an issue in a previous release of Cilium.
Projects
No open projects
1.11.18
Backport done to v1.11
1.13.4
Backport done to v1.13