Merge remote-tracking branch 'upstream/master'

Author: ctartici

.devcontainer/devcontainer.json

@@ -1,6 +1,6 @@
 {
   "name": "istio build-tools",
-  "image": "gcr.io/istio-testing/build-tools:master-f765f42b0bbcfbfffc112630404904784118a25b",
+  "image": "gcr.io/istio-testing/build-tools:master-dbd3c673faecfbd1910fdb09012099fa184dde92",
   "privileged": true,
   "remoteEnv": {
     "USE_GKE_GCLOUD_AUTH_PLUGIN": "True",

.gitignore

@@ -63,4 +63,5 @@ var/
 .DS_Store
 /manifests/charts/**/charts/
 /manifests/charts/**/Chart.lock
-/cni/pkg/plugin/istio-cni.log
+coverage.out
+/cni/pkg/plugin/istio-cni.log

Makefile.core.mk

@@ -49,7 +49,7 @@ endif
 export VERSION
 
 # Base version of Istio image to use
-BASE_VERSION ?= master-2025-02-25T19-01-37
+BASE_VERSION ?= master-2025-03-04T19-02-02
 ISTIO_BASE_REGISTRY ?= gcr.io/istio-release
 
 export GO111MODULE ?= on

Makefile.overrides.mk

@@ -36,3 +36,7 @@ endif
 .PHONY: istioctl-install
 istioctl-install: istioctl-install-container
 	cp out/$(TARGET_OS)_$(TARGET_ARCH)/istioctl ${GOPATH}/bin
+
+.PHONY: coverage
+coverage:
+	prow/coverage.sh

cni/pkg/install/install.go

@@ -59,6 +59,10 @@ func (in *Installer) installAll(ctx context.Context) (sets.String, error) {
 	// and we harm no one by doing so.
 	copiedFiles, err := copyBinaries(in.cfg.CNIBinSourceDir, in.cfg.CNIBinTargetDirs)
 	if err != nil {
+		if strings.Contains(err.Error(), "read-only file system") {
+			log.Warnf("hint: some Kubernetes environments require customization of the CNI directory." +
+				" Ensure you properly set global.platform=<name> during installation")
+		}
 		cniInstalls.With(resultLabel.Value(resultCopyBinariesFailure)).Increment()
 		return copiedFiles, fmt.Errorf("copy binaries: %v", err)
 	}

cni/pkg/nodeagent/meshdataplane_linux.go

@@ -63,12 +63,14 @@ func (s *meshDataplane) Stop(skipCleanup bool) {
 
 		log.Debug("removing host iptables rules")
 		s.hostIptables.DeleteHostRules()
-
-		log.Debug("destroying host ipset")
-		s.hostsideProbeIPSet.Flush()
-		if err := s.hostsideProbeIPSet.DestroySet(); err != nil {
-			log.Warnf("could not destroy host ipset on shutdown")
-		}
+		_ = util.RunAsHost(func() error {
+			log.Debug("destroying host ipset")
+			s.hostsideProbeIPSet.Flush()
+			if err := s.hostsideProbeIPSet.DestroySet(); err != nil {
+				log.Warnf("could not destroy host ipset on shutdown")
+			}
+			return nil
+		})
 	}
 
 	s.netServer.Stop(skipCleanup)
@@ -247,16 +249,22 @@ func (s *meshDataplane) addPodToHostNSIpset(pod *corev1.Pod, podIPs []netip.Addr
 	var ipsetAddrErrs []error
 	var addedIps []netip.Addr
 
-	// For each pod IP
-	for _, pip := range podIPs {
-		// Add to host ipset
-		log.Debugf("adding probe ip %s to set", pip)
-		if err := s.hostsideProbeIPSet.AddIP(pip, ipProto, podUID, true); err != nil {
-			ipsetAddrErrs = append(ipsetAddrErrs, err)
-			log.Errorf("failed adding ip %s to set, error was %s", pip, err)
-		} else {
-			addedIps = append(addedIps, pip)
+	err := util.RunAsHost(func() error {
+		// For each pod IP
+		for _, pip := range podIPs {
+			// Add to host ipset
+			log.Debugf("adding probe ip %s to set", pip)
+			if err := s.hostsideProbeIPSet.AddIP(pip, ipProto, podUID, true); err != nil {
+				ipsetAddrErrs = append(ipsetAddrErrs, err)
+				log.Errorf("failed adding ip %s to set, error was %s", pip, err)
+			} else {
+				addedIps = append(addedIps, pip)
+			}
 		}
+		return nil
+	})
+	if err != nil {
+		ipsetAddrErrs = append(ipsetAddrErrs, err)
 	}
 
 	return addedIps, errors.Join(ipsetAddrErrs...)
@@ -267,13 +275,18 @@ func (s *meshDataplane) addPodToHostNSIpset(pod *corev1.Pod, podIPs []netip.Addr
 //
 // We will unconditionally flush our set before use here, so it shouldn't matter.
 func createHostsideProbeIpset(isV6 bool) (ipset.IPSet, error) {
-	linDeps := ipset.RealNlDeps()
-	probeSet, err := ipset.NewIPSet(iptables.ProbeIPSet, isV6, linDeps)
-	if err != nil {
-		return probeSet, err
-	}
-	probeSet.Flush()
-	return probeSet, nil
+	var probeSet ipset.IPSet
+	runErr := util.RunAsHost(func() error {
+		var err error
+		linDeps := ipset.RealNlDeps()
+		probeSet, err = ipset.NewIPSet(iptables.ProbeIPSet, isV6, linDeps)
+		if err != nil {
+			return err
+		}
+		probeSet.Flush()
+		return nil
+	})
+	return probeSet, runErr
 }
 
 // removePodFromHostNSIpset will remove (v4, v6) pod IPs from the host IP set(s).
@@ -284,32 +297,35 @@ func removePodFromHostNSIpset(pod *corev1.Pod, hostsideProbeSet *ipset.IPSet) er
 	log := log.WithLabels("ns", pod.Namespace, "name", pod.Name, "podUID", podUID, "ipset", hostsideProbeSet.Prefix)
 
 	podIPs := util.GetPodIPsIfPresent(pod)
-	for _, pip := range podIPs {
-		if uidMismatch, err := hostsideProbeSet.ClearEntriesWithIPAndComment(pip, podUID); err != nil {
-			return err
-		} else if uidMismatch != "" {
-			log.Warnf("pod ip %s could not be removed from ipset, found entry with pod UID %s instead", pip, uidMismatch)
+	return util.RunAsHost(func() error {
+		for _, pip := range podIPs {
+			if uidMismatch, err := hostsideProbeSet.ClearEntriesWithIPAndComment(pip, podUID); err != nil {
+				return err
+			} else if uidMismatch != "" {
+				log.Warnf("pod ip %s could not be removed from ipset, found entry with pod UID %s instead", pip, uidMismatch)
+			}
+			log.Debugf("removed pod from host ipset by ip %s", pip)
 		}
-		log.Debugf("removed pod from host ipset by ip %s", pip)
-	}
-
-	return nil
+		return nil
+	})
 }
 
 func pruneHostIPset(expected sets.Set[netip.Addr], hostsideProbeSet *ipset.IPSet) error {
-	actualIPSetContents, err := hostsideProbeSet.ListEntriesByIP()
-	if err != nil {
-		log.Warnf("unable to list IPSet: %v", err)
-		return err
-	}
-	actual := sets.New(actualIPSetContents...)
-	stales := actual.DifferenceInPlace(expected)
-
-	for staleIP := range stales {
-		if err := hostsideProbeSet.ClearEntriesWithIP(staleIP); err != nil {
+	return util.RunAsHost(func() error {
+		actualIPSetContents, err := hostsideProbeSet.ListEntriesByIP()
+		if err != nil {
+			log.Warnf("unable to list IPSet: %v", err)
 			return err
 		}
-		log.Debugf("removed stale ip %s from host ipset %s", staleIP, hostsideProbeSet.Prefix)
-	}
-	return nil
+		actual := sets.New(actualIPSetContents...)
+		stales := actual.DifferenceInPlace(expected)
+
+		for staleIP := range stales {
+			if err := hostsideProbeSet.ClearEntriesWithIP(staleIP); err != nil {
+				return err
+			}
+			log.Debugf("removed stale ip %s from host ipset %s", staleIP, hostsideProbeSet.Prefix)
+		}
+		return nil
+	})
 }

cni/pkg/nodeagent/server.go

@@ -70,7 +70,7 @@ func NewServer(ctx context.Context, ready *atomic.Value, pluginSocket string, ar
 
 	s.dataplane, err = initMeshDataplane(client, args)
 	if err != nil {
-		return nil, fmt.Errorf("error initializing mesh dataplane")
+		return nil, fmt.Errorf("error initializing mesh dataplane: %w", err)
 	}
 
 	s.NotReady()

common/.commonfiles.sha

@@ -1 +1 @@
-f48640e24b3bbca425d82d33f582bffb048b6b2e
+be2062872f1e6f4e619cd416402d405d83d81a70

common/config/.golangci.yml

@@ -94,7 +94,7 @@ linters-settings:
       - name: constant-logical-expr
       - name: bool-literal-in-expr
       - name: redefines-builtin-id
-      - name: imports-blacklist
+      - name: imports-blocklist
       - name: range-val-in-closure
       - name: range-val-address
       - name: waitgroup-by-value

common/scripts/run.sh

@@ -49,6 +49,7 @@ read -ra DOCKER_RUN_OPTIONS <<< "${DOCKER_RUN_OPTIONS:-}"
     --sig-proxy=true \
     --cap-add=SYS_ADMIN \
     ${DOCKER_SOCKET_MOUNT:--v /var/run/docker.sock:/var/run/docker.sock} \
+    -e DOCKER_HOST=${DOCKER_SOCKET_HOST:-unix:///var/run/docker.sock} \
     $CONTAINER_OPTIONS \
     --env-file <(env | grep -v ${ENV_BLOCKLIST}) \
     -e IN_BUILD_CONTAINER=1 \

common/scripts/setup_env.sh

@@ -75,7 +75,7 @@ fi
 TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io}
 PROJECT_ID=${PROJECT_ID:-istio-testing}
 if [[ "${IMAGE_VERSION:-}" == "" ]]; then
-  IMAGE_VERSION=master-f765f42b0bbcfbfffc112630404904784118a25b
+  IMAGE_VERSION=master-dbd3c673faecfbd1910fdb09012099fa184dde92
 fi
 if [[ "${IMAGE_NAME:-}" == "" ]]; then
   IMAGE_NAME=build-tools