fix per-package lb

Signed-off-by: l1b0k <[email protected]>
AliyunContainerService · Oct 12, 2024 · 68d62bd · 68d62bd
1 parent 5a310b0
commit 68d62bd
Show file tree

Hide file tree

Showing 2 changed files with 107 additions and 1 deletion.
diff --git a/policy/cilium/0032-fix-disable-per-package-lb.patch b/policy/cilium/0032-fix-disable-per-package-lb.patch
@@ -0,0 +1,101 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: l1b0k <[email protected]>
+Date: Sat, 12 Oct 2024 09:33:24 +0800
+Subject: fix disable per-package lb
+
+Signed-off-by: l1b0k <[email protected]>
+---
+ bpf/bpf_lxc.c                       | 5 ++---
+ daemon/cmd/daemon_main.go           | 3 +++
+ pkg/datapath/linux/config/config.go | 5 +++++
+ pkg/option/config.go                | 6 ++++++
+ 4 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
+index 2773e2c276..7e424204e2 100644
+--- a/bpf/bpf_lxc.c
++++ b/bpf/bpf_lxc.c
+@@ -58,9 +58,9 @@
+  * Most services with L7 LB flag can not be redirected to their proxy port
+  * in bpf_sock, so we must check for those via per packet LB as well.
+  */
+-#if !defined(ENABLE_SOCKET_LB_FULL) || \
++#if (!defined(ENABLE_SOCKET_LB_FULL) || \
+     defined(ENABLE_SOCKET_LB_HOST_ONLY) || \
+-    defined(ENABLE_L7_LB)
++    defined(ENABLE_L7_LB) ) && !defined(DISABLE_PER_PACKET_LB)
+ # define ENABLE_PER_PACKET_LB 1
+ #endif
+
+@@ -1247,7 +1247,6 @@ static __always_inline int __tail_handle_ipv4(struct __ctx_buff *ctx)
+
+ 	if (unlikely(!is_valid_lxc_src_ipv4(ip4)))
+ 		return DROP_INVALID_SIP;
+-
+ #ifdef ENABLE_PER_PACKET_LB
+ 	{
+ 		struct ipv4_ct_tuple tuple = {};
+diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go
+index de2ad4900b..8b495d972f 100644
+--- a/daemon/cmd/daemon_main.go
++++ b/daemon/cmd/daemon_main.go
+@@ -1147,6 +1147,9 @@ func initializeFlags() {
+ 	flags.MarkHidden(option.EnableStaleCiliumEndpointCleanup)
+ 	option.BindEnv(option.EnableStaleCiliumEndpointCleanup)
+
++	flags.Bool(option.DisablePerPacketLB, false, "Disable svc func.")
++	option.BindEnv(option.DisablePerPacketLB)
++
+ 	viper.BindPFlags(flags)
+ }
+
+diff --git a/pkg/datapath/linux/config/config.go b/pkg/datapath/linux/config/config.go
+index 060328adf9..4201e878fb 100644
+--- a/pkg/datapath/linux/config/config.go
++++ b/pkg/datapath/linux/config/config.go
+@@ -98,6 +98,11 @@ func (h *HeaderfileWriter) WriteNodeConfig(w io.Writer, cfg *datapath.LocalNodeC
+
+ 	cDefinesMap["KERNEL_HZ"] = fmt.Sprintf("%d", option.Config.KernelHz)
+
++	if option.Config.DisablePerPacketLB {
++		log.Infof("Disabling per-packet LB policy")
++		cDefinesMap["DISABLE_PER_PACKET_LB"] = "1"
++	}
++
+ 	if option.Config.EnableIPv6 {
+ 		extraMacrosMap["ROUTER_IP"] = routerIP.String()
+ 		fw.WriteString(defineIPv6("ROUTER_IP", routerIP))
+diff --git a/pkg/option/config.go b/pkg/option/config.go
+index d4d9643f4e..80b5eb2c7c 100644
+--- a/pkg/option/config.go
++++ b/pkg/option/config.go
+@@ -1104,6 +1104,8 @@ const (
+ 	// EnableStaleCiliumEndpointCleanup sets whether Cilium should perform cleanup of
+ 	// stale CiliumEndpoints during init.
+ 	EnableStaleCiliumEndpointCleanup = "enable-stale-cilium-endpoint-cleanup"
++
++	DisablePerPacketLB = "disable-per-package-lb"
+ )
+
+ // Default string arguments
+@@ -2262,6 +2264,8 @@ type DaemonConfig struct {
+ 	// This will attempt to remove local CiliumEndpoints that are not managed by Cilium
+ 	// following Endpoint restoration.
+ 	EnableStaleCiliumEndpointCleanup bool
++
++	DisablePerPacketLB bool
+ }
+
+ var (
+@@ -3257,6 +3261,8 @@ func (c *DaemonConfig) Populate() {
+ 	c.EnableK8sTerminatingEndpoint = viper.GetBool(EnableK8sTerminatingEndpoint)
+ 	c.EnableStaleCiliumEndpointCleanup = viper.GetBool(EnableStaleCiliumEndpointCleanup)
+
++	c.DisablePerPacketLB = viper.GetBool(DisablePerPacketLB)
++
+ 	// Disable Envoy version check if L7 proxy is disabled.
+ 	c.DisableEnvoyVersionCheck = viper.GetBool(DisableEnvoyVersionCheck)
+ 	if !c.EnableL7Proxy {
+-- 
+2.46.0
+
diff --git a/policy/policyinit.sh b/policy/policyinit.sh
@@ -171,13 +171,18 @@ fi
          ENABLE_POLICY="never"
        fi
        # shellcheck disable=SC2086
+       DISABLE_PER_PACKAGE_LB="false"
+       if [ "$(terway_config_val 'cilium_disable_per_package_lb' | tr '[:upper:]' '[:lower:]')" = "true" ]; then
+         DISABLE_PER_PACKAGE_LB="true"
+       fi
+
        exec cilium-agent --kube-proxy-replacement=disabled --tunnel=disabled --enable-ipv4-masquerade=false --enable-ipv6-masquerade=false \
             --enable-policy=$ENABLE_POLICY \
             --agent-health-port=9099 --disable-envoy-version-check=true \
             --enable-local-node-route=false --ipv4-range=169.254.10.0/30 --ipv6-range=fe80:2400:3200:baba::/30 --enable-endpoint-health-checking=false \
             --enable-health-checking=false --enable-service-topology=true --disable-cnp-status-updates=true --k8s-heartbeat-timeout=0 --enable-session-affinity=true \
             --install-iptables-rules=false --enable-l7-proxy=false \
-            --ipam=cluster-pool
+            --ipam=cluster-pool --disable-per-package-lb=$DISABLE_PER_PACKAGE_LB
      else
        echo "unsupported kernel version"
        exit 1