Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

envoy: Change socket option from 'STATE_LISTENING' to 'STATE_PREBIND' #30543

Merged
merged 1 commit into from Feb 2, 2024
Merged

envoy: Change socket option from 'STATE_LISTENING' to 'STATE_PREBIND' #30543

merged 1 commit into from Feb 2, 2024

Conversation

chaunceyjiang
Copy link
Member

@chaunceyjiang chaunceyjiang commented Jan 31, 2024
edited by sayboras

Refer to:
envoyproxy/envoy#18107 (comment)
solo-io/gloo#5842

envoy: Change socket option from 'STATE_LISTENING' to 'STATE_PREBIND'

@chaunceyjiang
socket options - change from 'STATE_LISTENING' to 'STATE_PREBIND'
ac42dc9 
Signed-off-by: chaunceyjiang <chaunceyjiang@gmail.com>
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 31, 2024
@chaunceyjiang
Copy link
Member Author

/test

@chaunceyjiang chaunceyjiang marked this pull request as ready for review January 31, 2024 14:35
@chaunceyjiang chaunceyjiang requested a review from a team as a code owner January 31, 2024 14:35
@chaunceyjiang
Copy link
Member Author

/cc @sayboras Please take a look.

@sayboras sayboras changed the title socket options - change from 'STATE_LISTENING' to 'STATE_PREBIND' ingress: Update socket option from 'STATE_LISTENING' to 'STATE_PREBIND' Feb 1, 2024
@sayboras sayboras added the release-note/bug This PR fixes an issue in a previous release of Cilium. label Feb 1, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 1, 2024
@sayboras
Copy link
Member

sayboras commented Feb 1, 2024

The changes seem reasonable for AWS NLB, however, I am not 100% sure if it will fix the mentioned issues. Can you explain a little bit more ?

Also, please help to update commit message why this change is required. Thank a lot.

@sayboras sayboras self-requested a review February 1, 2024 10:52
@chaunceyjiang
Copy link
Member Author

I am not 100% sure if it will fix the mentioned issues.

@acelinkio is testing with the image built from this PR, as he often encountered the issues mentioned in the issue in his environment. We can wait for his test results.

@ekarlso
Copy link

ekarlso commented Feb 1, 2024

@chaunceyjiang I just tested the built image and it doesn't help any in my case. I am still seeing the issues mentioned in my issue.

@acelinkio
Copy link

I am still seeing the upstream connect error or disconnect/reset before headers. reset reason: connection timeout when using the gateway/routes. I am able to reliably reproduce this issue by cycling through the ~10 websites hosted. I noticed if I restart the Cilium daemonset, the error will typically jump to another website.

This was tested with:

  • Version 1.15.0 helm
autoDirectNodeRoutes: true
bpf:
  masquerade: true
cluster:
  name: home-cluster
  id: 1
containerRuntime:
  integration: containerd
  socketPath: /var/run/k3s/containerd/containerd.sock
endpointRoutes:
  enabled: true
externalIPs:
  enabled: true
hubble:
  enabled: true
  metrics:
    enabled:
      - dns:query
      - drop
      - tcp
      - flow
      - port-distribution
      - icmp
      - http
  relay:
    enabled: true
    rollOutPods: true
  ui:
    enabled: true
    rollOutPods: true
    ingress:
      enabled: false
ipam:
  mode: kubernetes
ipv4NativeRoutingCIDR: "10.42.0.0/16"
k8sServiceHost: "192.168.1.195"
k8sServicePort: 6443
kubeProxyReplacement: true
kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
l2announcements:
  enabled: true
  # https://github.com/cilium/cilium/issues/26586
  leaseDuration: 120s
  leaseRenewDeadline: 60s
  leaseRetryPeriod: 1s
loadBalancer:
  algorithm: maglev
  mode: dsr
localRedirectPolicy: true
operator:
  replicas: 1
  rollOutPods: true
rollOutCiliumPods: true
securityContext:
  privileged: true
routingMode: native
gatewayAPI:
  enabled: true
  secretsNamespace:
    create: false
    name: cilium-secrets
ingressController:
  enabled: false
  loadbalancerMode: shared
  enforceHttps: false
  secretsNamespace:
    create: false
    name: cilium-secrets
  service:
    allocateLoadBalancerNodePorts: false
  • Version 1.15.0 helm with the following additional values to consume CI images from this pipeline
image:
  override: "quay.io/cilium/cilium-ci:ac42dc9c3899d5bcc21fda3e72f6687e5b5c128f"
operator:
  image:
    override: "quay.io/cilium/operator-generic-ci:ac42dc9c3899d5bcc21fda3e72f6687e5b5c128f"

I see the following error on the daemonset pod where the websites are failing.

level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=251
level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=251
level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=255
level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=248
level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=251
level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=251
level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=247
level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=248
level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=242
level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=248
level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=251
level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=247
level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=245
level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=245
level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=245
level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=247
level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=247
level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=242
level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=253
level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=255
level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=255
level=info msg="[cilium.bpf_metadata: IPv4 conntrack map global lookup failed: Success" subsys=envoy-filter threadID=242
level=info msg="Endpoint garbage collection is ineffective, ignoring endpoint" helpMessage="For more information, see the linked URL. Pass endpoint-gc-interval=\"0\" to disable" subsys=endpoint url="https://github.com/cilium/cilium/pull/14541"
level=info msg="Envoy: Version 13f6142b9c02268b10d547c8b093ef16724538e3/1.27.2/Distribution/RELEASE/BoringSSL" subsys=envoy-manager

I think #30581 seems related, not that I am not using any network policies tho.

sayboras
sayboras approved these changes Feb 2, 2024
View reviewed changes
Copy link
Member

@sayboras sayboras left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While this change didn't fix mentioned issue, it's still a good improvement.

@sayboras sayboras changed the title ingress: Update socket option from 'STATE_LISTENING' to 'STATE_PREBIND' envoy: Change socket option from 'STATE_LISTENING' to 'STATE_PREBIND' Feb 2, 2024
@sayboras sayboras added needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch labels Feb 2, 2024
@sayboras sayboras added this pull request to the merge queue Feb 2, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.14.7 Feb 2, 2024
Merged via the queue into cilium:main with commit 92c2641 Feb 2, 2024
63 checks passed
@chaunceyjiang chaunceyjiang deleted the tcp_keeplive branch February 4, 2024 01:57
@nbusseneau nbusseneau mentioned this pull request Feb 8, 2024
Merged
9 tasks
@nbusseneau nbusseneau added backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. and removed needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Feb 8, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.14 in 1.14.7 Feb 8, 2024
@nbusseneau nbusseneau mentioned this pull request Feb 8, 2024
Merged
12 tasks
@nbusseneau nbusseneau added the backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. label Feb 8, 2024
@nbusseneau nbusseneau removed the needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch label Feb 8, 2024
@github-actions github-actions bot added backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. and removed backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. labels Feb 9, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed this from Backport pending to v1.14 in 1.14.7 Feb 9, 2024
This was referenced Feb 13, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sayboras sayboras sayboras approved these changes

@meyskens meyskens Awaiting requested review from meyskens meyskens is a code owner automatically assigned from cilium/sig-servicemesh

Assignees
No one assigned
Labels
backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. release-note/bug This PR fixes an issue in a previous release of Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@chaunceyjiang @sayboras @ekarlso @acelinkio @nbusseneau