cilium: CI: xDS hosts cache has duplicate IP/policy entries for the host IP. (L7Policies test failed due to error configuring proxy redirects)

Build link: https://jenkins.cilium.io/job/Ginkgo-CI-Tests-Pipeline/2628/testReport/junit/(root)/runtime/RuntimeValidatedPolicies_L7_Checks/

Stacktrace:

/home/jenkins/workspace/Ginkgo-CI-Tests-Pipeline/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:373
Expected
    <*errors.errorString | 0xc4201985a0>: {
        s: "Timeout reached: could not import policy",
    }
to be nil
/home/jenkins/workspace/Ginkgo-CI-Tests-Pipeline/src/github.com/cilium/cilium/vendor/github.com/onsi/gomega/internal/assertion/assertion.go:27

Stdout:

STEP: Setting PolicyEnforcement=default
�[1mSTEP�[0m: Setting up policy: /home/vagrant/go/src/github.com/cilium/cilium/test/runtime/manifests/Policies-l7-simple.json
STEP: Simple Ingress
STEP: Client "app1" attempting to "curl public URL on" "httpd1"
STEP: Client "app1" attempting to "curl public URL on" "httpd1"
STEP: Client "app1" attempting to "curl private URL on" "httpd1"
STEP: Client "app1" attempting to "curl private URL on" "httpd1"
STEP: Client "app2" attempting to "curl public URL on" "httpd1"
STEP: Client "app2" attempting to "curl public URL on" "httpd1"
STEP: Simple Egress
STEP: Client "app2" attempting to "curl public URL on" "httpd2"
STEP: Client "app2" attempting to "curl public URL on" "httpd2"
STEP: Client "app2" attempting to "curl private URL on" "httpd2"
STEP: Client "app2" attempting to "curl private URL on" "httpd2"
STEP: Disabling all the policies. All should work
STEP: Client "app1" attempting to "ping" "httpd1"
STEP: Client "app1" attempting to "ping" "httpd1"
STEP: Client "app1" attempting to "curl public URL on" "httpd1"
STEP: Client "app1" attempting to "curl public URL on" "httpd1"
STEP: Client "app1" attempting to "curl private URL on" "httpd1"
STEP: Client "app1" attempting to "curl private URL on" "httpd1"
STEP: Client "app2" attempting to "ping" "httpd1"
STEP: Client "app2" attempting to "ping" "httpd1"
STEP: Client "app2" attempting to "curl public URL on" "httpd1"
STEP: Client "app2" attempting to "curl public URL on" "httpd1"
STEP: Client "app2" attempting to "curl private URL on" "httpd1"
STEP: Client "app2" attempting to "curl private URL on" "httpd1"
STEP: Multiple Ingress
�[1mSTEP�[0m: Setting up policy: /home/vagrant/go/src/github.com/cilium/cilium/test/runtime/manifests/Policies-l7-multiple.json
===================== TEST FAILED =====================
cmd: sudo cilium endpoint list
ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])   IPv6                 IPv4            STATUS   
           ENFORCEMENT        ENFORCEMENT                                                                                     
10572      Disabled           Disabled          4          reserved:health               f00d::a0f:0:0:294c   10.15.91.32     ready       
16275      Enabled            Disabled          48404      container:id.httpd2           f00d::a0f:0:0:3f93   10.15.30.223    ready       
                                                           container:id.service1                                                          
31770      Disabled           Disabled          7322       container:id.app1             f00d::a0f:0:0:7c1a   10.15.25.236    ready       
40645      Disabled           Disabled          47704      container:id.app3             f00d::a0f:0:0:9ec5   10.15.169.53    ready       
42753      Disabled           Enabled           300        container:id.app2             f00d::a0f:0:0:a701   10.15.128.220   not-ready   
46043      Enabled            Disabled          5899       container:id.httpd1           f00d::a0f:0:0:b3db   10.15.200.94    not-ready   
                                                           container:id.service1                                                          
51876      Disabled           Disabled          49623      container:id.httpd3           f00d::a0f:0:0:caa4   10.15.244.249   ready       
                                                           container:id.service1                                                          

===================== EXITING REPORT GENERATION =====================

Logs: 9acb0442_RuntimeValidatedPolicies_L7_Checks.zip

Endpoints in not-ready state due to proxy-redirect configuration failure:

Endpoint Log 42753

Timestamp              Status    State                   Message
2018-05-29T14:47:55Z   Failure   ready                   Error regenerating endpoint: Error while configuring proxy redirects: proxy state changes failed: context deadline exceeded
2018-05-29T14:47:55Z   OK        ready                   Completed endpoint regeneration with no pending regeneration requests
2018-05-29T14:47:45Z   OK        regenerating            Regenerating Endpoint BPF: endpoint policy updated & changes were needed
...

About this issue

Original URL
State: closed
Created 6 years ago
Comments: 40 (40 by maintainers)

Commits related to this issue

daemon: Delete old ID mapping when updating the IP for a reserved ID Fix logging. Homogenize the code calling OnIPIdentityCacheChange to make it easier to maintain. Fixes: https://github.com/cilium/... — committed to cilium/cilium by rlenglet 6 years ago
daemon: Delete old ID mapping when updating the IP for a reserved ID Fix logging. Homogenize the code calling OnIPIdentityCacheChange to make it easier to maintain. Fixes: https://github.com/cilium/... — committed to cilium/cilium by rlenglet 6 years ago

Most upvoted comments

The health endpoint has its own IP, why do we associate it with the host IP?

joestringer on Jun 4, 2018

I’ll send a PR shortly.

rlenglet on Jun 5, 2018