Skip to content

[v1.30] Socket option no policy reference #1012

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sayboras merged 3 commits into from
Nov 26, 2024
Merged

[v1.30] Socket option no policy reference #1012

sayboras merged 3 commits into from
Nov 26, 2024

Conversation

@jrajahalme
Copy link
Member

@jrajahalme jrajahalme commented Nov 26, 2024

@jrajahalme
.github: include more tests in cilium-integration-tests
610b88a 
Include also sni test not having "l7" in it's name, and check the logs
for errors as well.

Test with embedded cilium-envoy so that Envoy error and warning logs will
also be checked for.

Signed-off-by: Jarno Rajahalme <[email protected]>
@jrajahalme
debug: Assert policy destruction happens in the main thread
3af7ea8 
Add a runtime assert that the policy destruction happens from the main or
test thread. The "test thread" case also covers the destruction from the
initial thread, which happens for the static members of
'AllowAllEgressPolicyInstanceImpl' when running `cilium-envoy version',
for example.

Signed-off-by: Jarno Rajahalme <[email protected]>
@jrajahalme
policy: Do not store policy reference in cilium socket option
3c7cbdd 
Remove the member 'initial_policy_' from the Cilium SocketOption class,
as that reference was possibly kept after the policy had already been
deleted. This made it possible for the policy to be destructed from the
worker thread, which can lead to Envoy crash.

'initial_policy_' was stored as we already did the policy lookup and the
same policy is needed in other Cilium filters. Have the cilium.network
and cilium.tls_wrapper filters do their own policy lookups instead, so
that we do not need to keep the reference in SocketOption.

Worker threads do the policy lookup from their own thread local maps,
which hold a reference to the policy. These thread local references are
relinquished from post function during policy update, which will release
worker thread's last reference to the policy at the time. The main thread
is the last one to update or delete policy, so the policy instance
destruction happens from the main thread. For this to work it is
imperative to only hold policy references in these thread local maps.

Note that even keeping a weak reference accessible to the worker threads
outside of the policy maps is risky, as then the worker thread could
convert that weak reference to a shared pointer while the reference has
already been relinquished from the thread's local policy map. In this
situation the other threads could also relinquish their references
concurrently to the worker thread holding the shared pointer, which would
then become the last reference and destruction would happen from the
worker thread again.

Signed-off-by: Jarno Rajahalme <[email protected]>
@jrajahalme jrajahalme requested a review from a team as a code owner November 26, 2024 06:25
@jrajahalme jrajahalme requested review from sayboras and removed request for a team November 26, 2024 06:25
@sayboras sayboras merged commit 2aa20ee into v1.30 Nov 26, 2024
4 of 5 checks passed
@sayboras sayboras deleted the socket-option-no-policy-reference-1.30 branch November 26, 2024 07:21
@sayboras sayboras mentioned this pull request Dec 2, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sayboras sayboras sayboras approved these changes

Assignees

No one assigned

Labels

backport/1.30 kind/backports

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jrajahalme @sayboras