Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade Cilium's eBPF library version to 0.16 #4397

Merged
merged 1 commit into from
Sep 14, 2024

Conversation

rafaelroquetto
Copy link
Contributor

@rafaelroquetto rafaelroquetto commented Sep 10, 2024

Upgrade the cilium version to 0.16 (latest). There are many important fixes in between (e.g. cilium/ebpf#1348) that would be nice to have downstream.

This PR basically updates the version of the cilium package and its dependencies, and fixes libcontainer/cgroups/devices/ebpf_linux.go to reflext the new API.

Disclaimer: I am not well acquainted with the codebase, so apologies in advance for anything stupid I may be doing.

Resolves: #4396

@rafaelroquetto rafaelroquetto marked this pull request as draft September 10, 2024 16:53
@rafaelroquetto rafaelroquetto force-pushed the main branch 5 times, most recently from 3d516ee to b00d33b Compare September 10, 2024 17:53
@rafaelroquetto rafaelroquetto marked this pull request as ready for review September 10, 2024 18:17
go.mod Outdated Show resolved Hide resolved
go.mod Outdated Show resolved Hide resolved
@AkihiroSuda
Copy link
Member

Upgrade Cilium version to 0.16

s/Cilium/Cilium's eBPF library/

@rafaelroquetto rafaelroquetto changed the title Upgrade Cilium version to 0.16 Upgrade Cilium's eBPF library version to 0.16 Sep 10, 2024
@rafaelroquetto
Copy link
Contributor Author

I've pushed two different commits to illustrate the points being discussed, but if everything is accepted, I intend to squash-merge them as a single commit (happy to amend the PR for that).

Copy link
Member

@rata rata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rafaelroquetto how is this solving a bug? You use the libcontainer module in your program and can't update the cilium dep to that version there due to runc using the old one? Or can you clarify that?

If that is the case, too bad cilium doesn't provide a 1.x release :(

}

if useReplaceProg {
attachProgramOptions.Anchor = link.ReplaceProgram(oldProgs[0])
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why not adding the flag too, as it was done before?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They are now handled by the underlying code and are no longer explicitly allowed. See /~https://github.com/cilium/ebpf/blob/15d4f245e548eb00383aa88a24da934f0d26fc43/link/program.go#L34

Copy link
Member

@rata rata Sep 13, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. For the next time, pointing this out in the commit/PR makes the review simpler :)

@rafaelroquetto
Copy link
Contributor Author

@rata you're spont on! We have a situation in which one of our projects (Grafana Beyla) requires fixes from more recent Cilium's eBPF releases (notoriously cilium/ebpf#1348). We then have another project, Grafana Alloy, which depends both on Beyla and runc, and as you correctly guessed, we can't update the cilium dependency. :(

@rafaelroquetto
Copy link
Contributor Author

(@wildum can perhaps offer further context)

@wildum
Copy link

wildum commented Sep 11, 2024

That's correct, and on a more generic case, I expect all projects that have a dependency to github.com/opencontainers/runc and to cilium/ebpf won't be able to upgrade their cilium/ebpf dependency to the latest release that contains the fix mentioned above.
That's why this upgrade is quite important.

@kolyshkin
Copy link
Contributor

The breaking change is from cilium/ebpf#1163 and it first appeared in v0.13.0 (which is probably the reason why dependabot never opened a PR to upgrade it).

@cyphar PTAL

@AkihiroSuda
Copy link
Member

Please squash commits

@rafaelroquetto rafaelroquetto force-pushed the main branch 3 times, most recently from d893c36 to 7bf75e1 Compare September 12, 2024 00:39
@rafaelroquetto
Copy link
Contributor Author

@AkihiroSuda done

@kolyshkin
Copy link
Contributor

@rafaelroquetto due to #4393 merge (which vendored golang.org/x/sys) this needs a rebase.

@rafaelroquetto rafaelroquetto force-pushed the main branch 2 times, most recently from e55604b to e3a1e1c Compare September 12, 2024 15:46
@rafaelroquetto
Copy link
Contributor Author

@kolyshkin done - interestingly it no longer complains and requires the change from go 1.22 => go 1.22.0.

Thank you all again for taking time to review this.

Signed-off-by: Rafael Roquetto <rafael.roquetto@grafana.com>
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM; thanks!

@kolyshkin kolyshkin merged commit 1590491 into opencontainers:main Sep 14, 2024
42 checks passed
@dims
Copy link
Contributor

dims commented Oct 10, 2024

@kolyshkin @AkihiroSuda would this PR qualify to be cherry-picked on the 1.1 branch? would love to pay down some debt in kubernetes/kubernetes w.r.t dependencies if we can move up to newer cilium

@AkihiroSuda
Copy link
Member

Yes, feel free to submit a cherrypick PR

@kolyshkin
Copy link
Contributor

@kolyshkin @AkihiroSuda would this PR qualify to be cherry-picked on the 1.1 branch? would love to pay down some debt in kubernetes/kubernetes w.r.t dependencies if we can move up to newer cilium

1.1 still uses go 1.18, so that would not be simple.

As of today, I'd rather release 1.2.0-final out the door (and use it in k8s).

@dims
Copy link
Contributor

dims commented Oct 10, 2024

As of today, I'd rather release 1.2.0-final out the door (and use it in k8s).

@kolyshkin that sounds awesome!

@cyphar
Copy link
Member

cyphar commented Dec 6, 2024

It seems that this caused a regression of #3008 because while cilium/ebpf@417f8a2 was handled for the actual implementation of loadAttachCgroupDeviceFilter it seems that we forgot to update the sync.Once check to not use BPF_F_REPLACE.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Upgrade github.com/cilium/ebpf to v0.16.0
7 participants