cilium: Fix device controller's dependency on netfilter by borkmann · Pull Request #38777 · cilium/cilium · GitHub

cilium: Fix device controller's dependency on netfilter #38777


Merged
merged 1 commit into from
Apr 7, 2025

borkmann
Member
@borkmann borkmann commented Apr 7, 2025

(see commit msg)

@borkmann borkmann added the release-note/misc This PR makes changes that have no direct user impact. label Apr 7, 2025
@borkmann borkmann requested a review from a team as a code owner April 7, 2025 10:51
When trying to disable netfilter in the kernel and starting up Cilium with
the below options, it fails as follows:

  kernel# cat .config | grep NETFILTER
  # CONFIG_NETFILTER is not set

  # ./daemon/cilium-agent --enable-ipv4=true --enable-ipv6=false \
      --bpf-lb-algorithm=maglev --bpf-lb-maglev-table-size=2039  \
      --bpf-lb-mode=dsr --bpf-lb-acceleration=native --devices=enp5s0 \
      --bpf-lb-dsr-dispatch=ipip --disable-envoy-version-check=true \
      --k8s-kubeconfig-path=$HOME/.kube/config \
      --kube-proxy-replacement=true --routing-mode=native \
      --enable-ipv4-masquerade=false --ipam=cluster-pool \
      --enable-ipip-termination --install-iptables-rules=false \
      --enable-l7-proxy=false
  [...]
  time=2025-04-07T10:40:05Z level=info msg="All Cilium CRDs have been found and are available" module=agent.infra.k8s-synced-crdsync
  time="2025-04-07T10:40:05.954428144Z" level=info msg="Local boot ID is \"5efaef07-4a21-4db1-82e7-05c73687cff8\"" subsys=node
  time=2025-04-07T10:40:05Z level=error msg="Start hook failed" function="*linux.devicesController.Start (agent.datapath.devices-controller)" error="creating netlink handle: protocol not supported"
  time=2025-04-07T10:40:05Z level=error msg="Failed to start hive" error="creating netlink handle: protocol not supported" duration=57.406398ms
  time=2025-04-07T10:40:05Z level=info msg="Stopping hive"
  time=2025-04-07T10:40:05Z level=info msg="agent.datapath.sysctl.job-reconcile (rev=8)" module=health
  time=2025-04-07T10:40:05Z level=info msg="agent.datapath.sysctl.job-refresh (rev=9)" module=health
  time=2025-04-07T10:40:05Z level=info msg="agent.infra.k8s-synced-crdsync.job-sync-crds (rev=7)" module=health
  time="2025-04-07T10:40:05.955728969Z" level=info msg="Stopped gops server" address="127.0.0.1:9890" subsys=gops
  time="2025-04-07T10:40:05.955744039Z" level=fatal msg="failed to start: creating netlink handle: protocol not supported" subsys=daemon

The device controller itself doesn't need anything netfilter related, thus
fix up the handle.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
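
The failure mode in the commit message above, as an added example (not code from this PR or from Cilium): requesting netlink sockets for more families than a component needs makes startup fail with `protocol not supported` on a kernel built without one of them. `opener`, `rawOpen`, `openFamilies` and `familyNames` are hypothetical names, the example is Linux-only, and that a device watcher needs only `NETLINK_ROUTE` is an assumption.

```go
package main

import (
	"fmt"
	"syscall"
)

// Family names are used for error reporting only.
var familyNames = map[int]string{
	syscall.NETLINK_ROUTE:     "route",
	syscall.NETLINK_XFRM:      "xfrm",
	syscall.NETLINK_NETFILTER: "netfilter",
}

// opener opens one netlink socket for proto and returns its fd (hypothetical type).
type opener func(proto int) (int, error)

// rawOpen is the real opener: socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, proto).
func rawOpen(proto int) (int, error) {
	return syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_RAW|syscall.SOCK_CLOEXEC, proto)
}

// openFamilies opens all requested families or none. On the first failure it
// closes the sockets already opened and names the family the kernel refused.
// A family compiled out of the kernel surfaces as EPROTONOSUPPORT.
func openFamilies(open opener, families ...int) ([]int, error) {
	fds := make([]int, 0, len(families))
	for _, fam := range families {
		fd, err := open(fam)
		if err != nil {
			for _, f := range fds {
				syscall.Close(f)
			}
			return nil, fmt.Errorf("netlink family %q unavailable: %w", familyNames[fam], err)
		}
		fds = append(fds, fd)
	}
	return fds, nil
}

func main() {
	// Assumption: a device watcher only needs rtnetlink (links, addresses, routes).
	for _, want := range [][]int{{syscall.NETLINK_ROUTE}, {syscall.NETLINK_ROUTE, syscall.NETLINK_XFRM, syscall.NETLINK_NETFILTER}} {
		fds, err := openFamilies(rawOpen, want...)
		fmt.Println(want, "->", len(fds), "socket(s), err:", err)
		for _, fd := range fds {
			syscall.Close(fd)
		}
	}
}
```

On a kernel with `CONFIG_NETFILTER` unset, the first request succeeds and the second returns an error wrapping `EPROTONOSUPPORT`; on a stock distribution kernel both succeed.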
@borkmann
Member Author
borkmann commented Apr 7, 2025

/test

@borkmann borkmann added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 7, 2025
@borkmann borkmann merged commit 1dd7cea into main Apr 7, 2025
283 of 292 checks passed
@borkmann borkmann deleted the pr/dc-nf branch April 7, 2025 12:17
@julianwiedmann
Member

ah nice, we're slowly stripping this down to the minimum:
#37123

Should we backport as well?

@borkmann borkmann added the needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch label Apr 7, 2025
@borkmann
Member Author
borkmann commented Apr 7, 2025

> ah nice, we're slowly stripping this down to the minimum: #37123
>
> Should we backport as well?

Yes, that would be good indeed.

@borkmann borkmann added the needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch label Apr 7, 2025
@tklauser tklauser mentioned this pull request Apr 15, 2025
8 tasks
@tklauser tklauser added backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. and removed needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch labels Apr 15, 2025
@tklauser tklauser mentioned this pull request Apr 15, 2025
7 tasks
@tklauser tklauser added backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. and removed needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Apr 15, 2025
@github-actions github-actions bot added backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. and removed backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. labels Apr 15, 2025
Labels
backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact.