diff --git a/ENVOY_VERSION b/ENVOY_VERSION index 1ea9a0fb8..03c8400d2 100644 --- a/ENVOY_VERSION +++ b/ENVOY_VERSION @@ -1 +1 @@ -envoy-1.36.5 +envoy-1.37.0 diff --git a/WORKSPACE b/WORKSPACE index f1aefb479..bcee3757b 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -12,8 +12,8 @@ ENVOY_REPO = "envoy" # # No other line in this file may have ENVOY_SHA followed by an equals sign! # -# renovate: datasource=github-releases depName=envoyproxy/envoy digestVersion=v1.36.4 -ENVOY_SHA = "0c30f2cfb88356984f8089fd973919deeb1cf7c2" +# renovate: datasource=github-releases depName=envoyproxy/envoy digestVersion=v1.37.0 +ENVOY_SHA = "6d9bb7d9a85d616b220d1f8fe67b61f82bbdb8d3" # // clang-format off: unexpected @bazel_tools reference, please indirect via a definition in //bazel load("@bazel_tools//tools/build_defs/repo:git.bzl", "git_repository") @@ -41,7 +41,7 @@ git_repository( "@//patches:0002-listener-add-socket-options.patch", "@//patches:0003-original_dst_cluster-Avoid-multiple-hosts-for-the-sa.patch", "@//patches:0004-thread_local-reset-slot-in-worker-threads-first.patch", - "@//patches:0005-http-header-expose-attribute.patch", + "//patches:0005-http-header-expose-attribute.patch", "@//patches:0006-build-Fix-arm-build-for-liburing.patch", "@//patches:0007-Add-latomic-back-for-arm-build.patch", ], @@ -67,14 +67,14 @@ load("@envoy//bazel:api_repositories.bzl", "envoy_api_dependencies") envoy_api_dependencies() -load("@envoy//bazel:repo.bzl", "envoy_repo") - -envoy_repo() - load("@envoy//bazel:repositories.bzl", "envoy_dependencies") envoy_dependencies() +load("@envoy//bazel:bazel_deps.bzl", "envoy_bazel_dependencies") + +envoy_bazel_dependencies() + load("@envoy//bazel:repositories_extra.bzl", "envoy_dependencies_extra") envoy_dependencies_extra() 
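Review bot: In the `patches` list of `git_repository(...)` in WORKSPACE, the 0005 entry now reads `"//patches:0005-http-header-expose-attribute.patch"` while every neighbouring entry keeps the `@//patches:` form. Nothing else in the commit explains the difference, so it looks like an accidental edit rather than a deliberate change. These patches are applied on top of the pinned Envoy commit, so they are easier to audit when all of them use the same repository-qualified label. I would restore `"@//patches:0005-http-header-expose-attribute.patch",`. The list starts and ends outside the hunk.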
@@ -87,6 +87,14 @@ load("@envoy//bazel:dependency_imports.bzl", "envoy_dependency_imports") envoy_dependency_imports() +load("@envoy//bazel:repo.bzl", "envoy_repo") + +envoy_repo() + +load("@envoy//bazel:toolchains.bzl", "envoy_toolchains") + +envoy_toolchains() + load("@envoy//bazel:dependency_imports_extra.bzl", "envoy_dependency_imports_extra") envoy_dependency_imports_extra() diff --git a/cilium/grpc_subscription.cc b/cilium/grpc_subscription.cc index b7b1bfd6e..2353139f5 100644 --- a/cilium/grpc_subscription.cc +++ b/cilium/grpc_subscription.cc @@ -183,13 +183,13 @@ subscribe(const std::string& type_url, const LocalInfo::LocalInfo& local_info, Config::SubscriptionFactory::RetryInitialDelayMs, Config::SubscriptionFactory::RetryMaxDelayMs, random), /*target_xds_authority_=*/"", - /*eds_resources_cache_=*/nullptr // EDS cache is only used for ADS. + /*eds_resources_cache_=*/nullptr, // EDS cache is only used for ADS. + /*skip_subsequent_node_=*/api_config_source.set_node_on_first_message_only(), }; return std::make_unique( - std::make_shared(grpc_mux_context, - api_config_source.set_node_on_first_message_only()), - callbacks, resource_decoder, stats, type_url, dispatcher, init_fetch_timeout, + std::make_shared(grpc_mux_context), callbacks, resource_decoder, stats, type_url, + dispatcher, init_fetch_timeout, /*is_aggregated*/ false, options); } diff --git a/cilium/grpc_subscription.h b/cilium/grpc_subscription.h index 496ee0568..5fe34dc71 100644 --- a/cilium/grpc_subscription.h +++ b/cilium/grpc_subscription.h 
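Review bot: The new `/*skip_subsequent_node_=*/` entry in `subscribe()` extends a positional aggregate initializer for `grpc_mux_context`, where only the comments tie each value to a field. If upstream adds or reorders a member of `Config::GrpcMuxContext`, values can land in the wrong field without a compile error whenever the types convert. The build already uses `-std=c++20` (see envoy.bazelrc in this commit), so designated initializers such as `.skip_subsequent_node_ = api_config_source.set_node_on_first_message_only(),` would let the compiler check the names, provided the struct is an aggregate that permits them. The field names are taken from the comments in the hunk, and the initializer begins outside it.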
@@ -25,8 +25,8 @@ extern envoy::config::core::v3::ConfigSource cilium_xds_api_config; // GrpcMux wrapper to get access to control plane identifier class GrpcMuxImpl : public Config::GrpcMuxImpl { public: - GrpcMuxImpl(Config::GrpcMuxContext& grpc_mux_context, bool skip_subsequent_node) - : Config::GrpcMuxImpl(grpc_mux_context, skip_subsequent_node) {} + explicit GrpcMuxImpl(Config::GrpcMuxContext& grpc_mux_context) + : Config::GrpcMuxImpl(grpc_mux_context) {} ~GrpcMuxImpl() override = default; diff --git a/cilium/secret_watcher.cc b/cilium/secret_watcher.cc index 2155b776d..90e09a23b 100644 --- a/cilium/secret_watcher.cc +++ b/cilium/secret_watcher.cc @@ -156,15 +156,14 @@ DownstreamTLSContext::DownstreamTLSContext(const NetworkPolicyMapImpl& parent, server_names_.emplace_back(config.server_names(i)); } auto server_config_or_error = Extensions::TransportSockets::Tls::ServerContextConfigImpl::create( - context_config, parent.transportFactoryContext(), false); + context_config, parent.transportFactoryContext(), server_names_, false); // NOLINTNEXTLINE(performance-unnecessary-copy-initialization) THROW_IF_NOT_OK(server_config_or_error.status()); server_config_ = std::move(server_config_or_error.value()); auto create_server_context = [this]() { ENVOY_LOG(debug, "Server secret is updated."); - auto ctx_or_error = - manager_.createSslServerContext(scope_, *server_config_, server_names_, nullptr); + auto ctx_or_error = manager_.createSslServerContext(scope_, *server_config_, nullptr); // NOLINTNEXTLINE(performance-unnecessary-copy-initialization) THROW_IF_NOT_OK(ctx_or_error.status()); auto ctx = std::move(ctx_or_error.value()); diff --git a/envoy.bazelrc b/envoy.bazelrc index 7814226b2..5af2c3c3a 100644 --- a/envoy.bazelrc +++ b/envoy.bazelrc 
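Review bot: In the `DownstreamTLSContext` constructor, `server_names_` is now consumed once by `ServerContextConfigImpl::create(...)` instead of on every `createSslServerContext` call inside the `create_server_context` lambda, so the call depends on the preceding loop having filled `server_names_` first. A short comment above the call would protect that ordering, for example `// server_names_ must be fully populated before it is passed here.` The trailing bare `false` would also read better with an argument-name comment in the style grpc_subscription.cc uses (`/*is_aggregated*/ false`); the parameter name is not visible on this page, so it needs checking against the Envoy header. The constructor body starts and ends outside the hunk.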
@@ -1,4 +1,6 @@ -# Envoy specific Bazel build/test options. +############################################################################# +# startup +############################################################################# # Bazel doesn't need more than 200MB of memory for local build based on memory profiling: # https://docs.bazel.build/versions/master/skylark/performance.html#memory-profiling @@ -10,6 +12,12 @@ # Startup options cannot be selected via config. # TODO: Adding just to test android startup --host_jvm_args=-Xmx3g +startup --host_jvm_args="-DBAZEL_TRACK_SOURCE_DIRECTORIES=1" + + +############################################################################# +# global +############################################################################# common --noenable_bzlmod @@ -24,7 +32,6 @@ build --java_runtime_version=remotejdk_11 build --tool_java_runtime_version=remotejdk_11 build --java_language_version=11 build --tool_java_language_version=11 -build --platform_mappings=bazel/platform_mappings # silence absl logspam. build --copt=-DABSL_MIN_LOG_LEVEL=4 # Global C++ standard and common warning suppressions 
@@ -32,31 +39,18 @@ build --cxxopt=-std=c++20 --host_cxxopt=-std=c++20 build --copt=-Wno-deprecated-declarations build --define envoy_mobile_listener=enabled build --experimental_repository_downloader_retries=2 +build --experimental_cc_static_library build --enable_platform_specific_config build --incompatible_merge_fixed_and_default_shell_env # A workaround for slow ICU download. build --http_timeout_scaling=6.0 -# Pass CC, CXX and LLVM_CONFIG variables from the environment. -# We assume they have stable values, so this won't cause action cache misses. -build --action_env=CC --host_action_env=CC -build --action_env=CXX --host_action_env=CXX -build --action_env=LLVM_CONFIG --host_action_env=LLVM_CONFIG -# Do not pass through PATH however. -# It tends to have machine-specific values, such as dynamically created temp folders. -# This would make it impossible to share remote action cache hits among machines. -# build --action_env=PATH --host_action_env=PATH -# To make our own CI green, we do need that flag on Windows though. -build:windows --action_env=PATH --host_action_env=PATH - # Allow stamped caches to bust when local filesystem changes. # Requires setting `BAZEL_VOLATILE_DIRTY` in the env. build --action_env=BAZEL_VOLATILE_DIRTY --host_action_env=BAZEL_VOLATILE_DIRTY build --test_summary=terse -build:docs-ci --action_env=DOCS_RST_CHECK=1 --host_action_env=DOCS_RST_CHECK=1 - # TODO(keith): Remove once these 2 are the default build --incompatible_config_setting_private_default_visibility build --incompatible_enforce_config_setting_visibility 
@@ -67,6 +61,31 @@ test --experimental_ui_max_stdouterr_bytes=11712829 #default 1048576 # Allow tags to influence execution requirements common --experimental_allow_tags_propagation +# Python +common --@rules_python//python/config_settings:bootstrap_impl=script +build --incompatible_default_to_explicit_init_py + +# We already have absl in the build, define absl=1 to tell googletest to use absl for backtrace. +build --define absl=1 + +# Disable ICU linking for googleurl. +build --@googleurl//build_config:system_icu=0 + +# Test options +build --test_env=HEAPCHECK=normal --test_env=PPROF_PATH + +# Coverage options +coverage --config=coverage +coverage --build_tests_only + +# Specifies the rustfmt.toml for all rustfmt_test targets. +build --@rules_rust//rust/settings:rustfmt.toml=@envoy//:rustfmt.toml + + +############################################################################# +# os +############################################################################# + build:linux --copt=-fdebug-types-section # Enable position independent code (this is the default on macOS and Windows) # (Workaround for https://github.com/bazelbuild/rules_foreign_cc/issues/421) 
@@ -75,39 +94,34 @@ build:linux --cxxopt=-fsized-deallocation --host_cxxopt=-fsized-deallocation build:linux --conlyopt=-fexceptions build:linux --fission=dbg,opt build:linux --features=per_object_debug_info -build:linux --action_env=BAZEL_LINKLIBS=-l%:libstdc++.a -build:linux --action_env=BAZEL_LINKOPTS=-lm:-fuse-ld=gold -# We already have absl in the build, define absl=1 to tell googletest to use absl for backtrace. -build --define absl=1 +# macOS +build:macos --action_env=PATH=/opt/homebrew/bin:/opt/local/bin:/usr/local/bin:/usr/bin:/bin +build:macos --host_action_env=PATH=/opt/homebrew/bin:/opt/local/bin:/usr/local/bin:/usr/bin:/bin +build:macos --define tcmalloc=disabled +build:macos --cxxopt=-Wno-nullability-completeness +build:macos --@toolchains_llvm//toolchain/config:compiler-rt=false +build:macos --@toolchains_llvm//toolchain/config:libunwind=false -# Disable ICU linking for googleurl. -build --@googleurl//build_config:system_icu=0 -# Common flags for sanitizers -build:sanitizer --define tcmalloc=disabled -build:sanitizer --linkopt -ldl +############################################################################# +# compiler +############################################################################# # Common flags for Clang (shared between all clang variants) -build:clang-common --action_env=BAZEL_COMPILER=clang -build:clang-common --linkopt=-fuse-ld=lld -build:clang-common --action_env=CC=clang --host_action_env=CC=clang -build:clang-common --action_env=CXX=clang++ --host_action_env=CXX=clang++ -build:clang-common --incompatible_enable_cc_toolchain_resolution=false +common:clang-common --linkopt=-fuse-ld=lld +common:clang-common --@toolchains_llvm//toolchain/config:compiler-rt=false +common:clang-common --@toolchains_llvm//toolchain/config:libunwind=false # Clang with libc++ (default) -build:clang --config=clang-common -build:clang --config=libc++ - -build:arm64-clang --config=clang - -# Flags for Clang + PCH -build:clang-pch --spawn_strategy=local 
-build:clang-pch --define=ENVOY_CLANG_PCH=1 +common:clang --config=clang-common +common:clang --config=libc++ +common:clang --host_platform=@clang_platform +common:clang --repo_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1 -# libstdc++ - currently only used for gcc -build:libstdc++ --@envoy//bazel:libc++=false -build:libstdc++ --@envoy//bazel:libstdc++=true +# Clang installed to non-standard location (ie not /opt/llvm/) +common:clang-local --config=clang-common +common:clang-local --config=libc++ # Use gold linker for gcc compiler. build:gcc --config=libstdc++ 
@@ -126,16 +140,103 @@ build:gcc --copt=-Wno-error=uninitialized build:gcc --cxxopt=-Wno-missing-requires build:gcc --cxxopt=-Wno-dangling-reference build:gcc --cxxopt=-Wno-nonnull-compare -build:gcc --incompatible_enable_cc_toolchain_resolution=false +build:gcc --cxxopt=-Wno-trigraphs build:gcc --linkopt=-fuse-ld=gold --host_linkopt=-fuse-ld=gold +build:gcc --host_platform=@envoy//bazel/rbe/toolchains:rbe_linux_gcc_platform +build:gcc --linkopt=-fuse-ld=gold --host_linkopt=-fuse-ld=gold +build:gcc --action_env=BAZEL_LINKOPTS=-lm:-fuse-ld=gold -# Clang-tidy -# TODO(phlax): enable this, its throwing some errors as well as finding more issues -# build:clang-tidy --@envoy_toolshed//format/clang_tidy:executable=@envoy//tools/clang-tidy -build:clang-tidy --@envoy_toolshed//format/clang_tidy:config=//:clang_tidy_config -build:clang-tidy --aspects @envoy_toolshed//format/clang_tidy:clang_tidy.bzl%clang_tidy_aspect -build:clang-tidy --output_groups=report -build:clang-tidy --build_tag_filters=-notidy +# libc++ - default for clang +common:libc++ --action_env=CXXFLAGS=-stdlib=libc++ +common:libc++ --action_env=LDFLAGS="-stdlib=libc++ -fuse-ld=lld" +common:libc++ --action_env=BAZEL_CXXOPTS=-stdlib=libc++ +common:libc++ --action_env=BAZEL_LINKLIBS=-l%:libc++.a:-l%:libc++abi.a +common:libc++ --action_env=BAZEL_LINKOPTS=-lm:-pthread +common:libc++ --define force_libcpp=enabled +common:libc++ --@envoy//bazel:libc++=true + +# libstdc++ - currently only used for gcc +build:libstdc++ --action_env=BAZEL_LINKLIBS=-l%:libstdc++.a +build:libstdc++ --@envoy//bazel:libc++=false +build:libstdc++ --@envoy//bazel:libstdc++=true + + +############################################################################# +# tests +############################################################################# + +# Coverage +build:coverage --action_env=BAZEL_USE_LLVM_NATIVE_COVERAGE=1 +build:coverage --action_env=GCOV=llvm-profdata +build:coverage --copt=-DNDEBUG +# 1.5x original timeout + 300s for trace 
merger in all categories +build:coverage --test_timeout=390,750,1500,5700 +build:coverage --define=ENVOY_CONFIG_COVERAGE=1 +build:coverage --cxxopt="-DENVOY_CONFIG_COVERAGE=1" +build:coverage --test_env=HEAPCHECK= +build:coverage --combined_report=lcov +build:coverage --strategy=TestRunner=remote,sandboxed,local +build:coverage --strategy=CoverageReport=sandboxed,local +build:coverage --experimental_use_llvm_covmap +build:coverage --experimental_generate_llvm_lcov +build:coverage --experimental_split_coverage_postprocessing +build:coverage --experimental_fetch_all_coverage_outputs +build:coverage --collect_code_coverage +build:coverage --instrumentation_filter="^//source(?!/common/quic/platform)[/:],^//envoy[/:],^//contrib(?!/.*/test)[/:]" +build:coverage --remote_download_minimal +build:coverage --define=tcmalloc=gperftools +build:coverage --define=no_debug_info=1 +# `--no-relax` is required for coverage to not err with `relocation R_X86_64_REX_GOTPCRELX` +build:coverage --linkopt=-Wl,-s,--no-relax +build:coverage --test_env=ENVOY_IP_TEST_VERSIONS=v4only +build:coverage --define=dynamic_link_tests=false +# Use custom report generator that also generates HTML +build:coverage --coverage_report_generator=@envoy//tools/coverage:report_generator + +build:test-coverage --test_arg="-l trace" +build:test-coverage --test_arg="--log-path /dev/null" +build:test-coverage --test_tag_filters=-nocoverage,-fuzz_target + +## Compile-time-options testing +# Right now, none of the available compile-time options conflict with each other. If this +# changes, this build type may need to be broken up. 
+build:compile-time-options --define=admin_html=disabled +build:compile-time-options --define=signal_trace=disabled +build:compile-time-options --define=hot_restart=disabled +build:compile-time-options --define=google_grpc=disabled +build:compile-time-options --define=boringssl=fips +build:compile-time-options --define=log_debug_assert_in_release=enabled +build:compile-time-options --define=path_normalization_by_default=true +build:compile-time-options --define=deprecated_features=disabled +build:compile-time-options --define=tcmalloc=gperftools +build:compile-time-options --define=zlib=ng +build:compile-time-options --define=uhv=enabled +# gRPC has a lot of deprecated-enum-enum-conversion warnings with C++20 +build:compile-time-options --copt=-Wno-error=deprecated-enum-enum-conversion +build:compile-time-options --test_env=ENVOY_HAS_EXTRA_EXTENSIONS=true +build:compile-time-options --@envoy//bazel:http3=False +build:compile-time-options --@envoy//source/extensions/filters/http/kill_request:enabled + + +############################################################################# +# sanitizers +############################################################################# + +# Common flags for sanitizers +build:sanitizer --define tcmalloc=disabled +build:sanitizer --linkopt -ldl +test:sanitizer --build_tests_only + +# ASAN config with clang runtime +build:asan --config=asan-common +build:asan --linkopt --rtlib=compiler-rt +build:asan --linkopt --unwindlib=libgcc +build:asan --linkopt=-l:libclang_rt.ubsan_standalone.a +build:asan --linkopt=-l:libclang_rt.ubsan_standalone_cxx.a +build:asan --action_env=ENVOY_UBSAN_VPTR=1 +build:asan --copt=-fsanitize=vptr,function +build:asan --linkopt=-fsanitize=vptr,function +build:asan --linkopt='-L/opt/llvm/lib/clang/18/lib/x86_64-unknown-linux-gnu' # Basic ASAN/UBSAN that works for gcc or llvm build:asan-common --config=sanitizer 
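Review bot: The added `build:gcc --linkopt=-fuse-ld=gold --host_linkopt=-fuse-ld=gold` repeats the unchanged line two lines above it, so the gcc config now carries the same linker flags twice. Dropping the added copy keeps the config readable and stops the two lines drifting apart later. Further down, the relocated `build:asan --linkopt='-L/opt/llvm/lib/clang/18/lib/x86_64-unknown-linux-gnu'` still hard-codes a clang 18 install under /opt/llvm, which sits oddly beside the `clang-local` config this commit adds for compilers outside /opt/llvm/. A comment such as `# --config=asan assumes clang 18 under /opt/llvm; adjust -L for other installs` would make that assumption visible.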
@@ -159,22 +260,6 @@ build:asan-common --test_env=ASAN_SYMBOLIZER_PATH build:asan-common --copt -O1 build:asan-common --copt -fno-optimize-sibling-calls -# ASAN config with clang runtime -build:asan --config=asan-common -build:asan --linkopt --rtlib=compiler-rt -build:asan --linkopt --unwindlib=libgcc -build:asan --linkopt=-l:libclang_rt.ubsan_standalone.a -build:asan --linkopt=-l:libclang_rt.ubsan_standalone_cxx.a -build:asan --action_env=ENVOY_UBSAN_VPTR=1 -build:asan --copt=-fsanitize=vptr,function -build:asan --linkopt=-fsanitize=vptr,function -build:asan --linkopt='-L/opt/llvm/lib/clang/18/lib/x86_64-unknown-linux-gnu' - -# macOS -build:macos --action_env=PATH=/opt/homebrew/bin:/opt/local/bin:/usr/local/bin:/usr/bin:/bin -build:macos --host_action_env=PATH=/opt/homebrew/bin:/opt/local/bin:/usr/local/bin:/usr/bin:/bin -build:macos --define tcmalloc=disabled - # macOS ASAN/UBSAN build:macos-asan --config=asan # Workaround, see https://github.com/bazelbuild/bazel/issues/6932 @@ -185,22 +270,6 @@ build:macos-asan --copt -DGRPC_BAZEL_BUILD # Dynamic link cause issues like: `dyld: malformed mach-o: load commands size (59272) > 32768` build:macos-asan --dynamic_mode=off -# Base TSAN config -build:tsan --action_env=ENVOY_TSAN=1 -build:tsan --config=sanitizer -build:tsan --define ENVOY_CONFIG_TSAN=1 -build:tsan --copt -fsanitize=thread -build:tsan --linkopt -fsanitize=thread -build:tsan --copt -DTHREAD_SANITIZER=1 -build:tsan --build_tag_filters=-no_san,-no_tsan -build:tsan --test_tag_filters=-no_san,-no_tsan -# Needed due to https://github.com/libevent/libevent/issues/777 -build:tsan --copt -DEVENT__DISABLE_DEBUG_MODE -# https://github.com/abseil/abseil-cpp/issues/760 -# https://github.com/google/sanitizers/issues/953 -build:tsan --test_env="TSAN_OPTIONS=report_atomic_races=0" -build:tsan --test_timeout=120,600,1500,4800 - # Base MSAN config build:msan --action_env=ENVOY_MSAN=1 build:msan --config=sanitizer 
@@ -216,57 +285,40 @@ build:msan --test_env=MSAN_SYMBOLIZER_PATH build:msan --copt -O1 build:msan --copt -fno-optimize-sibling-calls -build:libc++ --action_env=CXXFLAGS=-stdlib=libc++ -build:libc++ --action_env=LDFLAGS=-stdlib=libc++ -build:libc++ --action_env=BAZEL_CXXOPTS=-stdlib=libc++ -build:libc++ --action_env=BAZEL_LINKLIBS=-l%:libc++.a:-l%:libc++abi.a -build:libc++ --action_env=BAZEL_LINKOPTS=-lm:-pthread -build:libc++ --define force_libcpp=enabled -build:libc++ --@envoy//bazel:libc++=true - - - +# Base TSAN config +build:tsan --action_env=ENVOY_TSAN=1 +build:tsan --config=sanitizer +build:tsan --define ENVOY_CONFIG_TSAN=1 +build:tsan --copt -fsanitize=thread +build:tsan --linkopt -fsanitize=thread +build:tsan --copt -DTHREAD_SANITIZER=1 +build:tsan --build_tag_filters=-no_san,-no_tsan +build:tsan --test_tag_filters=-no_san,-no_tsan +# Needed due to https://github.com/libevent/libevent/issues/777 +build:tsan --copt -DEVENT__DISABLE_DEBUG_MODE +# https://github.com/abseil/abseil-cpp/issues/760 +# https://github.com/google/sanitizers/issues/953 +build:tsan --test_env="TSAN_OPTIONS=report_atomic_races=0" +build:tsan --test_timeout=120,600,1500,4800 -# Optimize build for binary size reduction. -build:sizeopt -c opt --copt -Os -# Test options -build --test_env=HEAPCHECK=normal --test_env=PPROF_PATH +############################################################################# +# fuzzing +############################################################################# -# Coverage options -coverage --config=coverage -coverage --build_tests_only +## Fuzz builds +# Shared fuzzing configuration. 
+build:fuzzing --define=ENVOY_CONFIG_ASAN=1 +build:fuzzing --copt=-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -build:coverage --action_env=BAZEL_USE_LLVM_NATIVE_COVERAGE=1 -build:coverage --action_env=GCOV=llvm-profdata -build:coverage --copt=-DNDEBUG -# 1.5x original timeout + 300s for trace merger in all categories -build:coverage --test_timeout=390,750,1500,5700 -build:coverage --define=ENVOY_CONFIG_COVERAGE=1 -build:coverage --cxxopt="-DENVOY_CONFIG_COVERAGE=1" -build:coverage --test_env=HEAPCHECK= -build:coverage --combined_report=lcov -build:coverage --strategy=TestRunner=remote,sandboxed,local -build:coverage --strategy=CoverageReport=sandboxed,local -build:coverage --experimental_use_llvm_covmap -build:coverage --experimental_generate_llvm_lcov -build:coverage --experimental_split_coverage_postprocessing -build:coverage --experimental_fetch_all_coverage_outputs -build:coverage --collect_code_coverage -build:coverage --instrumentation_filter="^//source(?!/common/quic/platform)[/:],^//envoy[/:],^//contrib(?!/.*/test)[/:]" -build:coverage --remote_download_minimal -build:coverage --define=tcmalloc=gperftools -build:coverage --define=no_debug_info=1 -# `--no-relax` is required for coverage to not err with `relocation R_X86_64_REX_GOTPCRELX` -build:coverage --linkopt=-Wl,-s,--no-relax -build:coverage --test_env=ENVOY_IP_TEST_VERSIONS=v4only -build:coverage --define=dynamic_link_tests=false -# Use custom report generator that also generates HTML -build:coverage --coverage_report_generator=@envoy//tools/coverage:report_generator +# ASAN fuzzer +build:asan-fuzzer --config=plain-fuzzer +build:asan-fuzzer --config=asan +build:asan-fuzzer --copt=-fno-omit-frame-pointer +# Remove UBSAN halt_on_error to avoid crashing on protobuf errors. 
+build:asan-fuzzer --test_env=UBSAN_OPTIONS=print_stacktrace=1 +build:asan-fuzzer --linkopt=-lc++ -build:test-coverage --test_arg="-l trace" -build:test-coverage --test_arg="--log-path /dev/null" -build:test-coverage --test_tag_filters=-nocoverage,-fuzz_target build:fuzz-coverage --config=plain-fuzzer build:fuzz-coverage --run_under=@envoy//bazel/coverage:fuzz_coverage_wrapper.sh build:fuzz-coverage --test_tag_filters=-nocoverage 
@@ -277,109 +329,102 @@ build:fuzz-coverage --define=wasm=disabled build:fuzz-coverage --config=fuzz-coverage-config build:fuzz-coverage-config --//tools/coverage:config=@envoy//test:fuzz_coverage_config -build:cache-local --remote_cache=grpc://localhost:9092 - -# Remote execution: https://docs.bazel.build/versions/master/remote-execution.html -build:rbe-toolchain --action_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1 -build:rbe-toolchain --incompatible_enable_cc_toolchain_resolution=false - -build:rbe-toolchain-clang --config=rbe-toolchain -build:rbe-toolchain-clang --config=clang -build:rbe-toolchain-clang --platforms=@envoy//bazel/rbe/toolchains:rbe_linux_clang_platform -build:rbe-toolchain-clang --host_platform=@envoy//bazel/rbe/toolchains:rbe_linux_clang_platform -build:rbe-toolchain-clang --crosstool_top=@envoy//bazel/rbe/toolchains/configs/linux/clang/cc:toolchain -build:rbe-toolchain-clang --extra_toolchains=@envoy//bazel/rbe/toolchains/configs/linux/clang/config:cc-toolchain -build:rbe-toolchain-clang --action_env=CC=clang --action_env=CXX=clang++ - - -build:rbe-toolchain-arm64-clang --config=rbe-toolchain -build:rbe-toolchain-arm64-clang --config=clang -build:rbe-toolchain-arm64-clang --platforms=@envoy//bazel/rbe/toolchains:rbe_linux_arm64_clang_platform -build:rbe-toolchain-arm64-clang --host_platform=@envoy//bazel/rbe/toolchains:rbe_linux_arm64_clang_platform -build:rbe-toolchain-arm64-clang --crosstool_top=@envoy//bazel/rbe/toolchains/configs/linux/clang/cc:toolchain -build:rbe-toolchain-arm64-clang --extra_toolchains=@envoy//bazel/rbe/toolchains/configs/linux/clang/config:cc-toolchain-arm64 -build:rbe-toolchain-arm64-clang --action_env=CC=clang --action_env=CXX=clang++ - - -# Sanitizer configs - CI uses the *-common configs directly -# Note: clang config comes from rbe-toolchain-clang to avoid duplication - -build:rbe-toolchain-gcc --config=rbe-toolchain -build:rbe-toolchain-gcc --platforms=@envoy//bazel/rbe/toolchains:rbe_linux_gcc_platform 
-build:rbe-toolchain-gcc --host_platform=@envoy//bazel/rbe/toolchains:rbe_linux_gcc_platform -build:rbe-toolchain-gcc --crosstool_top=@envoy//bazel/rbe/toolchains/configs/linux/gcc/cc:toolchain -build:rbe-toolchain-gcc --extra_toolchains=@envoy//bazel/rbe/toolchains/configs/linux/gcc/config:cc-toolchain - -build:remote --spawn_strategy=remote,sandboxed,local -build:remote --strategy=Javac=remote,sandboxed,local -build:remote --strategy=Closure=remote,sandboxed,local -build:remote --strategy=Genrule=remote,sandboxed,local +build:oss-fuzz --config=fuzzing +build:oss-fuzz --config=libc++ +build:oss-fuzz --define=FUZZING_ENGINE=oss-fuzz +build:oss-fuzz --@rules_fuzzing//fuzzing:cc_engine_instrumentation=oss-fuzz +build:oss-fuzz --@rules_fuzzing//fuzzing:cc_engine_sanitizer=none +build:oss-fuzz --dynamic_mode=off +build:oss-fuzz --strip=never +build:oss-fuzz --copt=-fno-sanitize=vptr +build:oss-fuzz --linkopt=-fno-sanitize=vptr +build:oss-fuzz --define=tcmalloc=disabled +build:oss-fuzz --define=signal_trace=disabled +build:oss-fuzz --copt=-D_LIBCPP_DISABLE_DEPRECATION_WARNINGS +build:oss-fuzz --define=force_libcpp=enabled +build:oss-fuzz --linkopt=-lc++ +build:oss-fuzz --linkopt=-pthread -# Windows bazel does not allow sandboxed as a spawn strategy -build:remote-windows --spawn_strategy=remote,local -build:remote-windows --strategy=Javac=remote,local -build:remote-windows --strategy=Closure=remote,local -build:remote-windows --strategy=Genrule=remote,local -build:remote-windows --strategy=CppLink=local -build:remote-windows --remote_timeout=7200 -build:remote-windows --google_default_credentials=true -build:remote-windows --remote_download_toplevel +# Fuzzing without ASAN. This is useful for profiling fuzzers without any ASAN artifacts. +build:plain-fuzzer --config=fuzzing +build:plain-fuzzer --define=FUZZING_ENGINE=libfuzzer +# The fuzzing rules provide their own instrumentation, but it is currently +# disabled due to bazelbuild/bazel#12888. 
Instead, we provide instrumentation at +# the top level through these options. +build:plain-fuzzer --copt=-fsanitize=fuzzer-no-link +build:plain-fuzzer --linkopt=-fsanitize=fuzzer-no-link -build:remote-clang --config=remote -build:remote-clang --config=rbe-toolchain-clang +############################################################################# +# miscellaneous +############################################################################# -build:remote-arm64-clang --config=remote -build:remote-arm64-clang --config=rbe-toolchain-arm64-clang +build:cache-local --remote_cache=grpc://localhost:9092 +# Flags for Clang + PCH +build:clang-pch --spawn_strategy=local +build:clang-pch --define=ENVOY_CLANG_PCH=1 -build:remote-gcc --config=remote -build:remote-gcc --config=gcc -build:remote-gcc --config=rbe-toolchain-gcc +# Clang-tidy +build:clang-tidy --@envoy_toolshed//format/clang_tidy:executable=@envoy//tools/clang-tidy +build:clang-tidy --@envoy_toolshed//format/clang_tidy:config=//:clang_tidy_config +build:clang-tidy --aspects @envoy_toolshed//format/clang_tidy:clang_tidy.bzl%clang_tidy_aspect +build:clang-tidy --output_groups=report +build:clang-tidy --build_tag_filters=-notidy -build:remote-asan --config=remote -build:remote-asan --config=rbe-toolchain-clang -build:remote-asan --config=asan +# Compile database generation config +build:compdb --build_tag_filters=-nocompdb -build:remote-msan --config=remote -build:remote-msan --config=rbe-toolchain-clang -build:remote-msan --config=msan +common:cves --//tools/dependency:cve-data=//tools/dependency:cve-data-dir -build:remote-tsan --config=remote -build:remote-tsan --config=rbe-toolchain-clang -build:remote-tsan --config=tsan +build:docs-ci --action_env=DOCS_RST_CHECK=1 --host_action_env=DOCS_RST_CHECK=1 -build:remote-msvc-cl --config=remote-windows -build:remote-msvc-cl --config=msvc-cl -build:remote-msvc-cl --config=rbe-toolchain-msvc-cl +# Optimize build for binary size reduction. 
+build:sizeopt -c opt --copt -Os -build:remote-clang-cl --config=remote-windows -build:remote-clang-cl --config=clang-cl -build:remote-clang-cl --config=rbe-toolchain-clang-cl -## Compile-time-options testing -# Right now, none of the available compile-time options conflict with each other. If this -# changes, this build type may need to be broken up. -build:compile-time-options --define=admin_html=disabled -build:compile-time-options --define=signal_trace=disabled -build:compile-time-options --define=hot_restart=disabled -build:compile-time-options --define=google_grpc=disabled -build:compile-time-options --define=boringssl=fips -build:compile-time-options --define=log_debug_assert_in_release=enabled -build:compile-time-options --define=path_normalization_by_default=true -build:compile-time-options --define=deprecated_features=disabled -build:compile-time-options --define=tcmalloc=gperftools -build:compile-time-options --define=zlib=ng -build:compile-time-options --define=uhv=enabled -# gRPC has a lot of deprecated-enum-enum-conversion warnings with C++20 -build:compile-time-options --copt=-Wno-error=deprecated-enum-enum-conversion -build:compile-time-options --test_env=ENVOY_HAS_EXTRA_EXTENSIONS=true -build:compile-time-options --@envoy//bazel:http3=False -build:compile-time-options --@envoy//source/extensions/filters/http/kill_request:enabled +############################################################################# +# remote: Setup for cache, BES, RBE, and Docker workers +############################################################################# -# Docker sandbox -# NOTE: Update this from https://github.com/envoyproxy/envoy-build-tools/blob/main/toolchains/rbe_toolchains_config.bzl#L8 -build:docker-sandbox --experimental_docker_image=docker.io/envoyproxy/envoy-build-ubuntu:f4a881a1205e8e6db1a57162faf3df7aed88eae8@sha256:b10346fe2eee41733dbab0e02322c47a538bf3938d093a5daebad9699860b814 +build:remote --spawn_strategy=remote,sandboxed,local +build:remote 
--strategy=Javac=remote,sandboxed,local +build:remote --strategy=Closure=remote,sandboxed,local +build:remote --strategy=Genrule=remote,sandboxed,local +build:remote --action_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1 +# This flag may be more generally useful - it sets foreign_cc builds -jauto. +# It is only set here because if it were the default it risks OOMing on local builds. +build:remote --@envoy//bazel/foreign_cc:parallel_builds + +## RBE (Engflow Envoy) + +# this is not included in the `--config=rbe` target - set it to publish to engflow ui +common:bes --bes_backend=grpcs://mordenite.cluster.engflow.com/ +common:bes --bes_results_url=https://mordenite.cluster.engflow.com/invocation/ +common:bes --bes_timeout=3600s +common:bes --bes_upload_mode=fully_async +common:bes --nolegacy_important_outputs + +common:engflow-common --google_default_credentials=false +common:engflow-common --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh +common:engflow-common --grpc_keepalive_time=60s +common:engflow-common --grpc_keepalive_timeout=30s +common:engflow-common --remote_cache_compression + +# this provides access to RBE+cache +common:rbe --config=remote-cache +common:rbe --config=remote-exec + +# this provides access to just cache +common:remote-cache --config=engflow-common +common:remote-cache --remote_cache=grpcs://mordenite.cluster.engflow.com +common:remote-cache --remote_timeout=3600s + +common:remote-exec --remote_executor=grpcs://mordenite.cluster.engflow.com +common:remote-exec --jobs=200 +common:remote-exec --define=engflow_rbe=true + +# Docker sandboxes build:docker-sandbox --spawn_strategy=docker build:docker-sandbox --strategy=Javac=docker build:docker-sandbox --strategy=Closure=docker 
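Review bot: The `docker-sandbox` config loses its digest-pinned `--experimental_docker_image=...@sha256:...` line and nothing in this hunk replaces it, so the image used with `--spawn_strategy=docker` must now come from outside the visible lines (a platform definition or the command line). If that source uses a mutable tag, sandboxed builds are no longer tied to a verified image. I would keep a pinned form such as `build:docker-sandbox --experimental_docker_image=<image>@sha256:<digest>` (placeholder values), or add a comment saying where the image is pinned now. The new `bes`, `remote-cache` and `remote-exec` configs also point at `mordenite.cluster.engflow.com` and at `%workspace%/bazel/engflow-bazel-credential-helper.sh`. A comment stating whether this repository ships that helper and is meant to use that cluster would keep build metadata from being sent there by accident.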
@@ -389,25 +434,28 @@ build:docker-sandbox --experimental_docker_verbose build:docker-sandbox --experimental_enable_docker_sandbox build:docker-clang --config=docker-sandbox -build:docker-clang --config=rbe-toolchain-clang - +build:docker-clang --config=clang build:docker-gcc --config=docker-sandbox build:docker-gcc --config=gcc -build:docker-gcc --config=rbe-toolchain-gcc build:docker-asan --config=docker-sandbox -build:docker-asan --config=rbe-toolchain-clang +build:docker-asan --config=clang build:docker-asan --config=asan build:docker-msan --config=docker-sandbox -build:docker-msan --config=rbe-toolchain-clang +build:docker-msan --config=clang build:docker-msan --config=msan build:docker-tsan --config=docker-sandbox -build:docker-tsan --config=rbe-toolchain-clang +build:docker-tsan --config=clang build:docker-tsan --config=tsan + +############################################################################# +# ci +############################################################################# + # CI configurations build:remote-ci --config=ci build:remote-ci --remote_download_minimal 
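Review bot: The `docker-clang`, `docker-gcc`, `docker-asan`, `docker-msan` and `docker-tsan` configs in this hunk all chain to `docker-sandbox`, but the digest-pinned `--experimental_docker_image=...@sha256:...` line for `docker-sandbox` is removed earlier in this file's diff and no replacement is visible here. If the image is now supplied elsewhere, a comment above these configs should say where, for example `# docker-sandbox image is set in <placeholder: location>; keep it pinned by digest`. If it is not supplied anywhere, these configs presumably no longer run against a reproducible, integrity-checked build image. The same question applies to the `--remote_default_exec_properties=container-image=...@sha256:...` pin that is removed with `rbe-envoy-engflow` in the next hunk, since the new `remote-exec` config shows no container image.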
@@ -417,152 +465,6 @@ common:ci --noshow_progress common:ci --noshow_loading_progress common:ci --test_output=errors -# Fuzz builds - -# Shared fuzzing configuration. -build:fuzzing --define=ENVOY_CONFIG_ASAN=1 -build:fuzzing --copt=-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION - -# Fuzzing without ASAN. This is useful for profiling fuzzers without any ASAN artifacts. -build:plain-fuzzer --config=fuzzing -build:plain-fuzzer --define=FUZZING_ENGINE=libfuzzer -# The fuzzing rules provide their own instrumentation, but it is currently -# disabled due to bazelbuild/bazel#12888. Instead, we provide instrumentation at -# the top level through these options. -build:plain-fuzzer --copt=-fsanitize=fuzzer-no-link -build:plain-fuzzer --linkopt=-fsanitize=fuzzer-no-link - -# ASAN fuzzer -build:asan-fuzzer --config=plain-fuzzer -build:asan-fuzzer --config=asan -build:asan-fuzzer --copt=-fno-omit-frame-pointer -# Remove UBSAN halt_on_error to avoid crashing on protobuf errors. -build:asan-fuzzer --test_env=UBSAN_OPTIONS=print_stacktrace=1 -build:asan-fuzzer --linkopt=-lc++ - -build:oss-fuzz --config=fuzzing -build:oss-fuzz --config=libc++ -build:oss-fuzz --define=FUZZING_ENGINE=oss-fuzz -build:oss-fuzz --@rules_fuzzing//fuzzing:cc_engine_instrumentation=oss-fuzz -build:oss-fuzz --@rules_fuzzing//fuzzing:cc_engine_sanitizer=none -build:oss-fuzz --dynamic_mode=off -build:oss-fuzz --strip=never -build:oss-fuzz --copt=-fno-sanitize=vptr -build:oss-fuzz --linkopt=-fno-sanitize=vptr -build:oss-fuzz --define=tcmalloc=disabled -build:oss-fuzz --define=signal_trace=disabled -build:oss-fuzz --copt=-D_LIBCPP_DISABLE_DEPRECATION_WARNINGS -build:oss-fuzz --define=force_libcpp=enabled -build:oss-fuzz --linkopt=-lc++ -build:oss-fuzz --linkopt=-pthread - -# Compile database generation config -build:compdb --build_tag_filters=-nocompdb - -# Windows build quirks -build:windows --action_env=TMPDIR -build:windows --define signal_trace=disabled -build:windows --define hot_restart=disabled 
-build:windows --define tcmalloc=disabled -build:windows --define wasm=disabled -build:windows --define manual_stamp=manual_stamp -build:windows --cxxopt="/std:c++20" -build:windows --output_groups=+pdb_file - -# TODO(wrowe,sunjayBhatia): Resolve bugs upstream in curl and rules_foreign_cc -# See issue https://github.com/bazelbuild/rules_foreign_cc/issues/301 -build:windows --copt="-DCARES_STATICLIB" -build:windows --copt="-DNGHTTP2_STATICLIB" -build:windows --copt="-DCURL_STATICLIB" - -# Override any clang preference if building msvc-cl -# Drop the determinism feature (-DDATE etc are a no-op in msvc-cl) -build:msvc-cl --action_env=USE_CLANG_CL="" -build:msvc-cl --define clang_cl=0 -build:msvc-cl --features=-determinism - -# Windows build behaviors when using clang-cl -build:clang-cl --action_env=USE_CLANG_CL=1 -build:clang-cl --define clang_cl=1 - -# Required to work around Windows clang-cl build defects -# Ignore conflicting definitions of _WIN32_WINNT -# Override determinism flags (DATE etc) is valid on clang-cl compiler -build:clang-cl --copt="-Wno-macro-redefined" -build:clang-cl --copt="-Wno-builtin-macro-redefined" -# Workaround problematic missing override declarations of mocks -# TODO: resolve this class of problematic mocks, e.g. 
-# ./test/mocks/http/stream.h(16,21): error: 'addCallbacks' -# overrides a member function but is not marked 'override' -# MOCK_METHOD(void, addCallbacks, (StreamCallbacks & callbacks)); -build:clang-cl --copt="-Wno-inconsistent-missing-override" - -# Defaults to 'auto' - Off for windows, so override to linux behavior -build:windows --enable_runfiles=yes - -# This should become adopted by bazel as the default -build:windows --features=compiler_param_file - -# These options attempt to force a monolithic binary including the CRT -build:windows --features=fully_static_link -build:windows --features=static_link_msvcrt -build:windows --dynamic_mode=off - -# RBE (Google) -build:cache-google --google_default_credentials=true -build:cache-google --remote_cache=grpcs://remotebuildexecution.googleapis.com -build:cache-google --remote_instance_name=projects/envoy-ci/instances/default_instance -build:cache-google --remote_timeout=7200 -build:rbe-google --remote_executor=grpcs://remotebuildexecution.googleapis.com -build:rbe-google --config=cache-google - -build:rbe-google-bes --bes_backend=grpcs://buildeventservice.googleapis.com -build:rbe-google-bes --bes_results_url=https://source.cloud.google.com/results/invocations/ -build:rbe-google-bes --bes_upload_mode=fully_async - -# RBE (Engflow mobile) -build:rbe-engflow --google_default_credentials=false -build:rbe-engflow --remote_cache=grpcs://envoy.cluster.engflow.com -build:rbe-engflow --remote_executor=grpcs://envoy.cluster.engflow.com -build:rbe-engflow --bes_backend=grpcs://envoy.cluster.engflow.com/ -build:rbe-engflow --bes_results_url=https://envoy.cluster.engflow.com/invocation/ -build:rbe-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh -build:rbe-engflow --grpc_keepalive_time=60s -build:rbe-engflow --grpc_keepalive_timeout=30s -build:rbe-engflow --remote_timeout=3600s -build:rbe-engflow --bes_timeout=3600s -build:rbe-engflow --bes_upload_mode=fully_async -build:rbe-engflow 
--nolegacy_important_outputs - -# RBE (Engflow Envoy) -common:common-envoy-engflow --google_default_credentials=false -common:common-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh -common:common-envoy-engflow --grpc_keepalive_time=60s -common:common-envoy-engflow --grpc_keepalive_timeout=30s -common:common-envoy-engflow --remote_cache_compression - -common:cache-envoy-engflow --remote_cache=grpcs://mordenite.cluster.engflow.com -common:cache-envoy-engflow --remote_timeout=3600s -# common:cache-envoy-engflow --remote_instance_name=llvm-18 -common:bes-envoy-engflow --bes_backend=grpcs://mordenite.cluster.engflow.com/ -common:bes-envoy-engflow --bes_results_url=https://mordenite.cluster.engflow.com/invocation/ -common:bes-envoy-engflow --bes_timeout=3600s -common:bes-envoy-engflow --bes_upload_mode=fully_async -common:bes-envoy-engflow --nolegacy_important_outputs -common:rbe-envoy-engflow --remote_executor=grpcs://mordenite.cluster.engflow.com -common:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://gcr.io/envoy-ci/envoy-build@sha256:95d7afdea0f0f8881e88fa5e581db4f50907d0745ac8d90e00357ac1a316abe5 -common:rbe-envoy-engflow --jobs=200 -common:rbe-envoy-engflow --define=engflow_rbe=true - -common:remote-envoy-engflow --config=common-envoy-engflow -common:remote-envoy-engflow --config=cache-envoy-engflow -common:remote-envoy-engflow --config=rbe-envoy-engflow - -common:remote-cache-envoy-engflow --config=common-envoy-engflow -common:remote-cache-envoy-engflow --config=cache-envoy-engflow - -# Specifies the rustfmt.toml for all rustfmt_test targets. -build --@rules_rust//rust/settings:rustfmt.toml=@envoy//:rustfmt.toml ############################################################################# # debug: Various Bazel debugging flags 
diff --git a/patches/0001-network-Add-callback-for-upstream-authorization.patch b/patches/0001-network-Add-callback-for-upstream-authorization.patch index 8f07fda83..e38c9ca07 100644 --- a/patches/0001-network-Add-callback-for-upstream-authorization.patch +++ b/patches/0001-network-Add-callback-for-upstream-authorization.patch @@ -1,4 +1,4 @@ -From 45146648631921dde64032f0cb57eb559951ada4 Mon Sep 17 00:00:00 2001 +From 501b3d339e52ce7f5a180a6de5cd87a3f9c98f32 Mon Sep 17 00:00:00 2001 From: Jarno Rajahalme Date: Mon, 5 May 2025 11:15:52 +1000 Subject: [PATCH 1/7] network: Add callback for upstream authorization @@ -23,6 +23,7 @@ adding the callback, as the calls to the callbacks are only ever be done from the tcp_proxy or router filter in the same filter chain. Signed-off-by: Jarno Rajahalme +Signed-off-by: Tam Mach --- envoy/http/filter.h | 8 ++++++ envoy/network/filter.h | 28 +++++++++++++++++++ @@ -42,13 +43,13 @@ Signed-off-by: Jarno Rajahalme 15 files changed, 125 insertions(+) diff --git a/envoy/http/filter.h b/envoy/http/filter.h -index 1295ddfcc1..7ddcce6661 100644 +index ff9e6e5..05c497c 100644 --- a/envoy/http/filter.h +++ b/envoy/http/filter.h @@ -837,6 +837,14 @@ public: virtual absl::optional upstreamOverrideHost() const PURE; - + + /** + * Invokes all the added network level callbacks before establishing a connection to the + * selected upstream host. @@ -61,13 +62,13 @@ index 1295ddfcc1..7ddcce6661 100644 * @return true if the filter should shed load based on the system pressure, typically memory. */ diff --git a/envoy/network/filter.h b/envoy/network/filter.h -index 48d4909821..a91858a16c 100644 +index 48d4909..a91858a 100644 --- a/envoy/network/filter.h +++ b/envoy/network/filter.h 
@@ -148,6 +148,22 @@ public: - + using WriteFilterSharedPtr = std::shared_ptr; - + +/** + * UpstreamCallback can be used to reject upstream host selection made by the TCP proxy filter. + * This callback is passed the Upstream::HostDescriptionConstSharedPtr, and StreamInfo. @@ -90,7 +91,7 @@ index 48d4909821..a91858a16c 100644 @@ -207,6 +223,18 @@ public: */ virtual bool startUpstreamSecureTransport() PURE; - + + /* + * Adds the given callback to be executed later via iterateUpstreamCallbacks(). + */ @@ -107,7 +108,7 @@ index 48d4909821..a91858a16c 100644 * Control the filter close status for read filters. * diff --git a/envoy/tcp/upstream.h b/envoy/tcp/upstream.h -index fb8facfe63..2f19b5dfa9 100644 +index fb8facf..2f19b5d 100644 --- a/envoy/tcp/upstream.h +++ b/envoy/tcp/upstream.h @@ -84,6 +84,11 @@ public: @@ -120,16 +121,16 @@ index fb8facfe63..2f19b5dfa9 100644 + */ + virtual Upstream::HostDescriptionConstSharedPtr host() const PURE; }; - + // An API for the UpstreamRequest to get callbacks from either an HTTP or TCP diff --git a/source/common/http/async_client_impl.h b/source/common/http/async_client_impl.h -index ffd6ce5075..56093bad0a 100644 +index a41d370..982af7e 100644 --- a/source/common/http/async_client_impl.h +++ b/source/common/http/async_client_impl.h -@@ -264,6 +264,11 @@ private: +@@ -285,6 +285,11 @@ private: ResponseHeaderMapOptRef responseHeaders() override { return {}; } ResponseTrailerMapOptRef responseTrailers() override { return {}; } - + + bool iterateUpstreamCallbacks(Upstream::HostDescriptionConstSharedPtr, + StreamInfo::StreamInfo&) override { + return true; @@ -139,12 +140,12 @@ index ffd6ce5075..56093bad0a 100644 void dumpState(std::ostream& os, int indent_level) const override { const char* spaces = spacesForLevel(indent_level); diff --git a/source/common/http/conn_manager_impl.h b/source/common/http/conn_manager_impl.h -index ea036c0c36..708e46c836 100644 +index 5e783b9..7f5d205 100644 --- a/source/common/http/conn_manager_impl.h 
+++ b/source/common/http/conn_manager_impl.h -@@ -328,6 +328,12 @@ private: +@@ -330,6 +330,12 @@ private: } - + absl::optional routeConfig(); + + bool iterateUpstreamCallbacks(Upstream::HostDescriptionConstSharedPtr host, @@ -153,16 +154,16 @@ index ea036c0c36..708e46c836 100644 + } + void traceRequest(); - + // Updates the snapped_route_config_ (by reselecting scoped route configuration), if a scope is diff --git a/source/common/http/filter_manager.cc b/source/common/http/filter_manager.cc -index 9e124fe23e..f408c02a22 100644 +index fbf9a72..9dca87a 100644 --- a/source/common/http/filter_manager.cc +++ b/source/common/http/filter_manager.cc -@@ -1988,5 +1988,11 @@ ActiveStreamDecoderFilter::upstreamOverrideHost() const { +@@ -1977,5 +1977,11 @@ ActiveStreamDecoderFilter::upstreamOverrideHost() const { parent_.upstream_override_host_.second}; } - + +bool ActiveStreamDecoderFilter::iterateUpstreamCallbacks(Upstream::HostDescriptionConstSharedPtr host, + StreamInfo::StreamInfo& stream_info) { + return parent_.filter_manager_callbacks_.iterateUpstreamCallbacks(host, stream_info); @@ -172,7 +173,7 @@ index 9e124fe23e..f408c02a22 100644 } // namespace Http } // namespace Envoy diff --git a/source/common/http/filter_manager.h b/source/common/http/filter_manager.h -index 5f1b179e91..c9a193407b 100644 +index ab810d6..535bd6f 100644 --- a/source/common/http/filter_manager.h +++ b/source/common/http/filter_manager.h @@ -300,6 +300,8 @@ struct ActiveStreamDecoderFilter : public ActiveStreamFilterBase, 
@@ -181,10 +182,10 @@ index 5f1b179e91..c9a193407b 100644 bool shouldLoadShed() const override; + bool iterateUpstreamCallbacks(Upstream::HostDescriptionConstSharedPtr host, + StreamInfo::StreamInfo& stream_info) override; - void sendGoAwayAndClose() override; - + void sendGoAwayAndClose(bool graceful = false) override; + // Each decoder filter instance checks if the request passed to the filter is gRPC -@@ -585,6 +587,12 @@ public: +@@ -583,6 +585,12 @@ public: * This is used for HTTP/1.1 codec. */ virtual bool isHalfCloseEnabled() PURE; @@ -195,10 +196,10 @@ index 5f1b179e91..c9a193407b 100644 + virtual bool iterateUpstreamCallbacks(Upstream::HostDescriptionConstSharedPtr, + StreamInfo::StreamInfo&) const PURE; }; - + /** diff --git a/source/common/network/filter_manager_impl.h b/source/common/network/filter_manager_impl.h -index 6453048610..d4132a33ca 100644 +index 6453048..d4132a3 100644 --- a/source/common/network/filter_manager_impl.h +++ b/source/common/network/filter_manager_impl.h @@ -156,6 +156,13 @@ private: @@ -212,13 +213,13 @@ index 6453048610..d4132a33ca 100644 + StreamInfo::StreamInfo& stream_info) override { + return parent_.iterateUpstreamCallbacks(host, stream_info); + } - + FilterManagerImpl& parent_; ReadFilterSharedPtr filter_; @@ -190,6 +197,20 @@ private: FilterStatus onWrite(ActiveWriteFilter* filter, WriteBufferSource& buffer_source); void onResumeWriting(ActiveWriteFilter* filter, WriteBufferSource& buffer_source); - + + void addUpstreamCallback(const UpstreamCallback& cb) { + decoder_filter_upstream_cbs_.emplace_back(cb); + } @@ -237,13 +238,13 @@ index 6453048610..d4132a33ca 100644 const ConnectionSocket& socket_; Upstream::HostDescriptionConstSharedPtr host_description_; diff --git a/source/common/router/router.cc b/source/common/router/router.cc -index 91f2f3e96b..277676dd98 100644 +index 076a511..03cbc3a 100644 --- a/source/common/router/router.cc 
+++ b/source/common/router/router.cc -@@ -756,6 +756,14 @@ bool Filter::continueDecodeHeaders(Upstream::ThreadLocalCluster* cluster, - return false; +@@ -760,6 +760,14 @@ bool Filter::continueDecodeHeaders(Upstream::ThreadLocalCluster* cluster, } - + Upstream::HostDescriptionConstSharedPtr host = generic_conn_pool->host(); + + bool accepted = callbacks_->iterateUpstreamCallbacks(host, callbacks_->streamInfo()); + if (!accepted) { + callbacks_->streamInfo().setResponseFlag(StreamInfo::CoreResponseFlag::UnauthorizedExternalService); @@ -252,17 +253,17 @@ index 91f2f3e96b..277676dd98 100644 + return false; + } + - hedging_params_ = FilterUtility::finalHedgingParams(*route_entry_, headers); - - timeout_ = FilterUtility::finalTimeout(*route_entry_, headers, !config_->suppress_envoy_headers_, + // If we've been instructed not to forward the request upstream, send an empty local response. + if (auto* debug_config = + callbacks_->streamInfo().filterState()->getDataReadOnly(DebugConfig::key()); diff --git a/source/common/router/upstream_request.h b/source/common/router/upstream_request.h -index 2fbb90e66e..6b089ee052 100644 +index 7144b51..fc46921 100644 --- a/source/common/router/upstream_request.h +++ b/source/common/router/upstream_request.h @@ -354,6 +354,11 @@ public: } OptRef upstreamCallbacks() override { return {*this}; } - + + bool iterateUpstreamCallbacks(Upstream::HostDescriptionConstSharedPtr, + StreamInfo::StreamInfo&) const override { + return true; @@ -272,10 +273,10 @@ index 2fbb90e66e..6b089ee052 100644 StreamInfo::StreamInfo& upstreamStreamInfo() override { return upstream_request_.streamInfo(); } OptRef upstream() override { diff --git a/source/common/tcp_proxy/tcp_proxy.cc b/source/common/tcp_proxy/tcp_proxy.cc -index 557228963e..3c2e3b5e8b 100644 +index eb78400..b2d4d10 100644 --- a/source/common/tcp_proxy/tcp_proxy.cc 
+++ b/source/common/tcp_proxy/tcp_proxy.cc -@@ -730,6 +730,13 @@ bool Filter::maybeTunnel(Upstream::ThreadLocalCluster& cluster) { +@@ -773,6 +773,13 @@ bool Filter::maybeTunnel(Upstream::ThreadLocalCluster& cluster) { upstream_decoder_filter_callbacks_, getStreamInfo()); } if (generic_conn_pool_) { @@ -290,10 +291,10 @@ index 557228963e..3c2e3b5e8b 100644 connect_attempts_++; getStreamInfo().setAttemptCount(connect_attempts_); diff --git a/source/common/tcp_proxy/tcp_proxy.h b/source/common/tcp_proxy/tcp_proxy.h -index d451e58075..7d95211feb 100644 +index 0d10513..3a83ed6 100644 --- a/source/common/tcp_proxy/tcp_proxy.h +++ b/source/common/tcp_proxy/tcp_proxy.h -@@ -598,6 +598,10 @@ public: +@@ -608,6 +608,10 @@ public: return absl::nullopt; } bool shouldLoadShed() const override { return false; } @@ -304,22 +305,22 @@ index d451e58075..7d95211feb 100644 void restoreContextOnContinue(ScopeTrackedObjectStack& tracked_object_stack) override { tracked_object_stack.add(*this); } -@@ -641,6 +645,7 @@ protected: +@@ -651,6 +655,7 @@ protected: NoHealthyUpstream, ResourceLimitExceeded, NoRoute, + UnauthorizedExternalService, }; - + // Callbacks for different error and success states during connection establishment diff --git a/source/common/tcp_proxy/upstream.cc b/source/common/tcp_proxy/upstream.cc -index 58012be58f..578dc08927 100644 +index 58012be..578dc08 100644 --- a/source/common/tcp_proxy/upstream.cc +++ b/source/common/tcp_proxy/upstream.cc @@ -297,6 +297,10 @@ void TcpConnPool::newStream(GenericConnectionPoolCallbacks& callbacks) { } } - + +Upstream::HostDescriptionConstSharedPtr TcpConnPool::host() const { + return conn_pool_data_.value().host(); +} @@ -330,7 +331,7 @@ index 58012be58f..578dc08927 100644 @@ -403,6 +407,10 @@ void HttpConnPool::newStream(GenericConnectionPoolCallbacks& callbacks) { } } - + +Upstream::HostDescriptionConstSharedPtr HttpConnPool::host() const { + return conn_pool_data_.value().host(); +} 
@@ -339,27 +340,27 @@ index 58012be58f..578dc08927 100644 absl::string_view failure_reason, Upstream::HostDescriptionConstSharedPtr host) { diff --git a/source/common/tcp_proxy/upstream.h b/source/common/tcp_proxy/upstream.h -index 2fdf1bd373..9f1a0af392 100644 +index 2fdf1bd..9f1a0af 100644 --- a/source/common/tcp_proxy/upstream.h +++ b/source/common/tcp_proxy/upstream.h @@ -41,6 +41,7 @@ public: - + // GenericConnPool void newStream(GenericConnectionPoolCallbacks& callbacks) override; + Upstream::HostDescriptionConstSharedPtr host() const override; - + // Tcp::ConnectionPool::Callbacks void onPoolFailure(ConnectionPool::PoolFailureReason reason, @@ -98,6 +99,7 @@ public: - + // GenericConnPool void newStream(GenericConnectionPoolCallbacks& callbacks) override; + Upstream::HostDescriptionConstSharedPtr host() const override; - + // Http::ConnectionPool::Callbacks, void onPoolFailure(ConnectionPool::PoolFailureReason reason, diff --git a/source/extensions/api_listeners/default_api_listener/api_listener_impl.h b/source/extensions/api_listeners/default_api_listener/api_listener_impl.h -index e6053dd0c2..0eeec9616f 100644 +index e6053dd..0eeec96 100644 --- a/source/extensions/api_listeners/default_api_listener/api_listener_impl.h +++ b/source/extensions/api_listeners/default_api_listener/api_listener_impl.h @@ -81,6 +81,9 @@ protected: @@ -369,9 +370,9 @@ index e6053dd0c2..0eeec9616f 100644 + void addUpstreamCallback(const Network::UpstreamCallback&) override {} + bool iterateUpstreamCallbacks(Upstream::HostDescriptionConstSharedPtr, + StreamInfo::StreamInfo&) override { return true; } - + // Synthetic class that acts as a stub for the connection backing the // Network::ReadFilterCallbacks. --- -2.43.0 +-- +2.52.0 diff --git a/patches/0002-listener-add-socket-options.patch b/patches/0002-listener-add-socket-options.patch index e35709ccb..54f06eefb 100644 --- a/patches/0002-listener-add-socket-options.patch +++ b/patches/0002-listener-add-socket-options.patch 
@@ -1,4 +1,4 @@ -From 3d5bed191ef7900b8c76ce76f52e312b60c55faa Mon Sep 17 00:00:00 2001 +From 86b63c6bacd6abca176c25eb60e74fc4551e09fb Mon Sep 17 00:00:00 2001 From: Jarno Rajahalme Date: Mon, 14 Aug 2023 10:01:21 +0300 Subject: [PATCH 2/7] listener: add socket options @@ -15,7 +15,7 @@ Signed-off-by: Jarno Rajahalme 5 files changed, 21 insertions(+), 1 deletion(-) diff --git a/envoy/server/factory_context.h b/envoy/server/factory_context.h -index ee9fa05618..d6b8c7e097 100644 +index ee9fa05..d6b8c7e 100644 --- a/envoy/server/factory_context.h +++ b/envoy/server/factory_context.h @@ -341,7 +341,13 @@ public: @@ -30,14 +30,14 @@ index ee9fa05618..d6b8c7e097 100644 + */ + virtual void addListenSocketOptions(const Network::Socket::OptionsSharedPtr& options) PURE; +}; - + /** * FactoryContext for ProtocolOptionsFactory. diff --git a/source/common/listener_manager/listener_impl.cc b/source/common/listener_manager/listener_impl.cc -index fc93131aa9..a925a1fdcc 100644 +index 2f8232a..7008d08 100644 --- a/source/common/listener_manager/listener_impl.cc +++ b/source/common/listener_manager/listener_impl.cc -@@ -932,6 +932,9 @@ Configuration::ServerFactoryContext& PerListenerFactoryContextImpl::serverFactor +@@ -954,6 +954,9 @@ Configuration::ServerFactoryContext& PerListenerFactoryContextImpl::serverFactor Stats::Scope& PerListenerFactoryContextImpl::listenerScope() { return listener_factory_context_base_->listenerScope(); } @@ -45,25 +45,25 @@ index fc93131aa9..a925a1fdcc 100644 + listener_impl_.addListenSocketOptions(options); +} Init::Manager& PerListenerFactoryContextImpl::initManager() { return listener_impl_.initManager(); } - + bool ListenerImpl::createNetworkFilterChain( diff --git a/source/common/listener_manager/listener_impl.h b/source/common/listener_manager/listener_impl.h -index 9dcd00035f..4f3c9f1f77 100644 +index 746043f..42b19ec 100644 --- a/source/common/listener_manager/listener_impl.h +++ b/source/common/listener_manager/listener_impl.h 
@@ -185,6 +185,8 @@ public: - + Stats::Scope& listenerScope() override; - + + void addListenSocketOptions(const Network::Socket::OptionsSharedPtr& options) override; + ListenerFactoryContextBaseImpl& parentFactoryContext() { return *listener_factory_context_base_; } friend class ListenerImpl; - + @@ -332,6 +334,13 @@ public: return listener_factory_context_->listener_factory_context_base_->listener_info_; } - + + void addListenSocketOptions(const Network::Socket::OptionsSharedPtr& append_options) { + for (std::vector::size_type i = 0; + i < addresses_.size(); i++) { @@ -75,7 +75,7 @@ index 9dcd00035f..4f3c9f1f77 100644 if (options == nullptr) { options = std::make_shared>(); diff --git a/test/mocks/server/factory_context.h b/test/mocks/server/factory_context.h -index 9dec1cb0da..605ccf6c78 100644 +index 9dec1cb..605ccf6 100644 --- a/test/mocks/server/factory_context.h +++ b/test/mocks/server/factory_context.h @@ -30,6 +30,7 @@ public: @@ -83,21 +83,21 @@ index 9dec1cb0da..605ccf6c78 100644 MOCK_METHOD(Stats::Scope&, listenerScope, ()); MOCK_METHOD(const Network::ListenerInfo&, listenerInfo, (), (const)); + MOCK_METHOD(void, addListenSocketOptions, (const Network::Socket::OptionsSharedPtr&)); - + testing::NiceMock server_factory_context_; testing::NiceMock init_manager_; diff --git a/test/mocks/server/listener_factory_context.h b/test/mocks/server/listener_factory_context.h -index dfdb937433..f78dcb90a5 100644 +index dfdb937..f78dcb9 100644 --- a/test/mocks/server/listener_factory_context.h +++ b/test/mocks/server/listener_factory_context.h @@ -21,6 +21,7 @@ public: MockListenerFactoryContext(); ~MockListenerFactoryContext() override; - + + MOCK_METHOD(void, addListenSocketOptions, (const Network::Socket::OptionsSharedPtr&)); MOCK_METHOD(ServerFactoryContext&, serverFactoryContext, ()); MOCK_METHOD(const Network::DrainDecision&, drainDecision, ()); MOCK_METHOD(Init::Manager&, initManager, ()); --- -2.43.0 +-- +2.52.0 
diff --git a/patches/0003-original_dst_cluster-Avoid-multiple-hosts-for-the-sa.patch b/patches/0003-original_dst_cluster-Avoid-multiple-hosts-for-the-sa.patch index 314a6e4d1..5304214a1 100644 --- a/patches/0003-original_dst_cluster-Avoid-multiple-hosts-for-the-sa.patch +++ b/patches/0003-original_dst_cluster-Avoid-multiple-hosts-for-the-sa.patch @@ -1,7 +1,7 @@ -From cd2352dcfd3ee27fbf115330524e5ecef59abfc1 Mon Sep 17 00:00:00 2001 +From b55bc60e9488f2970391cb6b597abf7a57cb0d25 Mon Sep 17 00:00:00 2001 From: Jarno Rajahalme Date: Fri, 24 May 2024 18:27:28 +0200 -Subject: [PATCH 3/6] original_dst_cluster: Avoid multiple hosts for the same +Subject: [PATCH 3/7] original_dst_cluster: Avoid multiple hosts for the same address Connection pool containers use HostSharedPtr as map keys, rather than the @@ -25,18 +25,18 @@ map updates. Signed-off-by: Jarno Rajahalme --- - .../original_dst/original_dst_cluster.cc | 261 +++++++++++------- + .../original_dst/original_dst_cluster.cc | 259 +++++++++++------- .../original_dst/original_dst_cluster.h | 43 +-- - 2 files changed, 190 insertions(+), 114 deletions(-) + 2 files changed, 189 insertions(+), 113 deletions(-) diff --git a/source/extensions/clusters/original_dst/original_dst_cluster.cc b/source/extensions/clusters/original_dst/original_dst_cluster.cc -index 511f46abad..eb2d9a30ad 100644 +index 2536292..60e598e 100644 --- a/source/extensions/clusters/original_dst/original_dst_cluster.cc +++ b/source/extensions/clusters/original_dst/original_dst_cluster.cc @@ -29,6 +29,19 @@ OriginalDstClusterHandle::~OriginalDstClusterHandle() { dispatcher.post([cluster = std::move(cluster)]() mutable { cluster.reset(); }); } - + +namespace { +HostConstSharedPtr findHost(const HostUseMap& map, const std::string& address) { + auto it = map.find(address); 
@@ -74,7 +74,7 @@ index 511f46abad..eb2d9a30ad 100644 - HostSharedPtr host(std::shared_ptr(THROW_OR_RETURN_VALUE( - HostImpl::create( - info, info->name() + dst_addr.asString(), std::move(host_ip_port), nullptr, nullptr, -- 1, envoy::config::core::v3::Locality().default_instance(), +- 1, std::make_shared(), - envoy::config::endpoint::v3::Endpoint::HealthCheckConfig().default_instance(), 0, - envoy::config::core::v3::UNKNOWN), - std::unique_ptr))); @@ -111,7 +111,7 @@ index 511f46abad..eb2d9a30ad 100644 @@ -216,47 +196,146 @@ OriginalDstCluster::OriginalDstCluster(const envoy::config::cluster::v3::Cluster cleanup_timer_->enableTimer(cleanup_interval_ms_); } - + -void OriginalDstCluster::addHost(HostSharedPtr& host) { - std::string address = host->address()->asString(); - HostMultiMapSharedPtr new_host_map = std::make_shared(*getCurrentHostMap()); @@ -127,9 +127,6 @@ index 511f46abad..eb2d9a30ad 100644 - // The first worker that creates a host for the address defines the primary - // host structure. - new_host_map->emplace(address, std::make_shared(host)); -- } -- ENVOY_LOG(debug, "addHost() adding {} {}.", *host, address); -- setHostMap(new_host_map); +// getHost returns the host for the address. A new host is created when needed. +// Called from the worker threads. +// When multiple worker threads call this at the same time the updates of the @@ -151,7 +148,7 @@ index 511f46abad..eb2d9a30ad 100644 + + // Scope the lock for reading the host_map_ + { -+ absl::ReaderMutexLock lock(&host_map_lock_); ++ absl::ReaderMutexLock lock(host_map_lock_); + // Check if a host with the destination address is already in the host map. + // This may have been updated since the loadbalancer was created. + chost = findHost(*host_map_.get(), address); 
@@ -190,7 +187,7 @@ index 511f46abad..eb2d9a30ad 100644 + Network::Utility::copyInternetAddressAndPort(*dst_ip)); + host = std::shared_ptr(THROW_OR_RETURN_VALUE( + HostImpl::create(info(), info()->name() + ":" + address, std::move(host_ip_port), nullptr, -+ nullptr, 1, envoy::config::core::v3::Locality().default_instance(), ++ nullptr, 1, std::make_shared(), + envoy::config::endpoint::v3::Endpoint::HealthCheckConfig().default_instance(), 0, + envoy::config::core::v3::UNKNOWN), std::unique_ptr)); + ENVOY_LOG(debug, "Created host {}.", *host); @@ -226,7 +223,7 @@ index 511f46abad..eb2d9a30ad 100644 + // Consolidate updates into the new host map + // Loadbalancers can not add any updates while we keep these locks, so keep this short! + { -+ absl::WriterMutexLock lock(&host_map_lock_); ++ absl::WriterMutexLock lock(host_map_lock_); + absl::WriterMutexLock updates_lock(&updates_map_lock_); + + if (updates_map_->empty()) { @@ -243,8 +240,10 @@ index 511f46abad..eb2d9a30ad 100644 + // Make available for load balancers + host_map_ = new_host_map; + updates_map_.swap(empty_map); -+ } - + } +- ENVOY_LOG(debug, "addHost() adding {} {}.", *host, address); +- setHostMap(new_host_map); + - // Given the current config, only EDS clusters support multiple priorities. ASSERT(priority_set_.hostSetsPerPriority().size() == 1); const auto& first_host_set = priority_set_.getOrCreateHostSet(0); @@ -258,7 +257,7 @@ index 511f46abad..eb2d9a30ad 100644 - {}, {std::move(host)}, {}, absl::nullopt, absl::nullopt); + {}, {std::move(new_hosts)}, {}, absl::nullopt, absl::nullopt); } - + void OriginalDstCluster::cleanup() { - HostVectorSharedPtr keeping_hosts(new HostVector); - HostVector to_be_removed; @@ -353,23 +352,23 @@ index 511f46abad..eb2d9a30ad 100644 - 0, HostSetImpl::partitionHosts(keeping_hosts, HostsPerLocalityImpl::empty()), {}, {}, - to_be_removed, false, absl::nullopt); } - + cleanup_timer_->enableTimer(cleanup_interval_ms_); 
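Review bot: `updates_map_lock_` is still locked through a pointer, `absl::WriterMutexLock updates_lock(&updates_map_lock_);`, directly below the line that this refresh switches to the reference form for `host_map_lock_`. If the reference constructor is what the updated Abseil expects, the second lock should match, `absl::WriterMutexLock updates_lock(updates_map_lock_);`, along with any other `&updates_map_lock_` uses in the patch. The two locks are nested here, so a one-line comment stating the acquisition order (host map first, then updates map) would help; the other lock sites are outside this hunk.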
diff --git a/source/extensions/clusters/original_dst/original_dst_cluster.h b/source/extensions/clusters/original_dst/original_dst_cluster.h -index df12c06b41..3152af8664 100644 +index 5590556..3bade83 100644 --- a/source/extensions/clusters/original_dst/original_dst_cluster.h +++ b/source/extensions/clusters/original_dst/original_dst_cluster.h @@ -22,25 +22,21 @@ namespace Upstream { class OriginalDstClusterFactory; class OriginalDstClusterTest; - + -struct HostsForAddress { - HostsForAddress(HostSharedPtr& host) : host_(host), used_(true) {} +// HostUse tracks the recent use of a host to avoid clearing out a host +// which is not recorded as used in any connection pool. +struct HostUse { + HostUse(HostSharedPtr& host) : host_(host), used_(true) {} - + - // Primary host for the address. This is set by the first worker that posts - // to the main to add a host. The field is read by all workers. + // The host for an address. @@ -382,7 +381,7 @@ index df12c06b41..3152af8664 100644 // Marks as recently used by load balancers. std::atomic used_; }; - + -using HostsForAddressSharedPtr = std::shared_ptr; -using HostMultiMap = absl::flat_hash_map; -using HostMultiMapSharedPtr = std::shared_ptr; @@ -391,9 +390,9 @@ index df12c06b41..3152af8664 100644 +using HostUseMap = absl::flat_hash_map; +using HostUseMapUniquePtr = std::unique_ptr; +using HostUseMapConstSharedPtr = std::shared_ptr; - + class OriginalDstCluster; - + @@ -65,7 +61,8 @@ using OriginalDstClusterHandleSharedPtr = std::shared_ptr& httpHeaderName() { return http_header_name_; } 
@@ -158,17 +155,23 @@ private: const OriginalDstClusterHandleSharedPtr cluster_; }; - + - HostMultiMapConstSharedPtr getCurrentHostMap() { + const HostUseMap* getHostMap() { -+ absl::ReaderMutexLock lock(&host_map_lock_); ++ absl::ReaderMutexLock lock(host_map_lock_); + return host_map_.get(); + } + + HostUseMapConstSharedPtr getCurrentHostMap() { - absl::ReaderMutexLock lock(&host_map_lock_); + absl::ReaderMutexLock lock(host_map_lock_); return host_map_; } - + - void setHostMap(const HostMultiMapConstSharedPtr& new_host_map) { + void setHostMap(const HostUseMapConstSharedPtr& new_host_map) { - absl::WriterMutexLock lock(&host_map_lock_); + absl::WriterMutexLock lock(host_map_lock_); host_map_ = new_host_map; } - + - void addHost(HostSharedPtr&); + HostConstSharedPtr getHost(const Network::Address::Instance&); + void updateHosts(); void cleanup(); - + // ClusterImplBase @@ -179,7 +182,9 @@ private: Event::TimerPtr cleanup_timer_; - + absl::Mutex host_map_lock_; - HostMultiMapConstSharedPtr host_map_ ABSL_GUARDED_BY(host_map_lock_); + HostUseMapConstSharedPtr host_map_ ABSL_GUARDED_BY(host_map_lock_); @@ -451,6 +450,6 @@ index df12c06b41..3152af8664 100644 absl::optional http_header_name_; absl::optional metadata_key_; absl::optional port_override_; --- -2.43.0 +-- +2.52.0 diff --git a/patches/0004-thread_local-reset-slot-in-worker-threads-first.patch b/patches/0004-thread_local-reset-slot-in-worker-threads-first.patch index 2869a1347..c7ef79a92 100644 --- a/patches/0004-thread_local-reset-slot-in-worker-threads-first.patch +++ b/patches/0004-thread_local-reset-slot-in-worker-threads-first.patch @@ -1,4 +1,4 @@ -From 32f28c899fec90aec45dc96387e378e73511585d Mon Sep 17 00:00:00 2001 +From 17858febc86eb44b332c78e2cef93111962b7bfe Mon Sep 17 00:00:00 2001 From: Jarno Rajahalme Date: Mon, 23 Dec 2024 22:43:15 +0100 Subject: [PATCH 4/7] thread_local: reset slot in worker threads first @@ -18,7 +18,7 @@ 
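Review bot: `getHostMap()` returns `host_map_.get()` after its `ReaderMutexLock` has already gone out of scope, so the `const HostUseMap*` it hands out is only valid while some other owner keeps that map alive. `setHostMap()` just below replaces `host_map_` under the writer lock, so a caller that holds only the raw pointer could be left with a dangling one; whether that can happen depends on call sites that are not visible here. I would either document the contract on the accessor, e.g. `// The returned pointer is not kept alive by this call; the caller must already hold a HostUseMapConstSharedPtr to the same map.`, or have callers use `getCurrentHostMap()`, which returns the shared pointer. The header of this hunk is not visible on the page and the class body continues outside it.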
Signed-off-by: Jarno Rajahalme 4 files changed, 36 insertions(+), 2 deletions(-) diff --git a/envoy/thread_local/thread_local.h b/envoy/thread_local/thread_local.h -index 13ff7496ff..da982ccea5 100644 +index 13ff749..da982cc 100644 --- a/envoy/thread_local/thread_local.h +++ b/envoy/thread_local/thread_local.h @@ -248,6 +248,13 @@ public: @@ -33,10 +33,10 @@ index 13ff7496ff..da982ccea5 100644 + virtual void runOnAllWorkerThreads(std::function worker_cb, std::function main_cb) const PURE; + }; - + } // namespace ThreadLocal diff --git a/source/common/thread_local/thread_local_impl.cc b/source/common/thread_local/thread_local_impl.cc -index 2a49789a09..e57b2fd70d 100644 +index 2a49789..e57b2fd 100644 --- a/source/common/thread_local/thread_local_impl.cc +++ b/source/common/thread_local/thread_local_impl.cc @@ -165,7 +165,8 @@ void InstanceImpl::removeSlot(uint32_t slot) { @@ -61,12 +61,12 @@ index 2a49789a09..e57b2fd70d 100644 + // worker thread. + runOnAllWorkerThreads(cb, cb); } - + void InstanceImpl::runOnAllThreads(std::function cb) { @@ -208,6 +214,22 @@ void InstanceImpl::runOnAllThreads(std::function cb, } } - + +void InstanceImpl::runOnAllWorkerThreads(std::function cb, + std::function worker_threads_complete_cb) const { + ASSERT_IS_MAIN_OR_TEST_THREAD(); @@ -87,7 +87,7 @@ index 2a49789a09..e57b2fd70d 100644 if (thread_local_data_.data_.size() <= index) { thread_local_data_.data_.resize(index + 1); diff --git a/source/common/thread_local/thread_local_impl.h b/source/common/thread_local/thread_local_impl.h -index 719418991e..685457afe5 100644 +index 7194189..685457a 100644 --- a/source/common/thread_local/thread_local_impl.h +++ b/source/common/thread_local/thread_local_impl.h @@ -29,6 +29,7 @@ public: 
@@ -95,11 +95,11 @@ index 719418991e..685457afe5 100644 Event::Dispatcher& dispatcher() override; bool isShutdown() const override { return shutdown_; } + void runOnAllWorkerThreads(std::function worker_cb, std::function main_cb) const override; - + private: // On destruction returns the slot index to the deferred delete queue (detaches it). This allows diff --git a/test/mocks/thread_local/mocks.h b/test/mocks/thread_local/mocks.h -index 09dff23777..88d7cea1a9 100644 +index 09dff23..88d7cea 100644 --- a/test/mocks/thread_local/mocks.h +++ b/test/mocks/thread_local/mocks.h @@ -27,6 +27,10 @@ public: @@ -110,9 +110,9 @@ index 09dff23777..88d7cea1a9 100644 + worker_cb(); + main_cb(); + } - + SlotPtr allocateSlotMock() { return SlotPtr{new SlotImpl(*this, current_slot_++)}; } void runOnAllThreads1(std::function cb) { cb(); } --- -2.43.0 +-- +2.52.0 diff --git a/patches/0005-http-header-expose-attribute.patch b/patches/0005-http-header-expose-attribute.patch index cc19b0c75..349f11bfb 100644 --- a/patches/0005-http-header-expose-attribute.patch +++ b/patches/0005-http-header-expose-attribute.patch @@ -1,4 +1,4 @@ -From 3b833ef38f6d7f32cffbc38cb2a3e757e4da1e4b Mon Sep 17 00:00:00 2001 +From 22bd31b0d18afe3fa50419b7a669177119afa977 Mon Sep 17 00:00:00 2001 From: Tam Mach Date: Wed, 19 Mar 2025 21:07:05 +1100 Subject: [PATCH 5/7] Expose HTTP Header matcher attribute @@ -9,13 +9,13 @@ Signed-off-by: Tam Mach 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/source/common/http/header_utility.h b/source/common/http/header_utility.h -index 16c4d2a28c..0d305922eb 100644 +index 16c4d2a..0d30592 100644 --- a/source/common/http/header_utility.h +++ b/source/common/http/header_utility.h @@ -92,7 +92,6 @@ public: return present_ != invert_match_; }; - + - private: const LowerCaseString name_; const bool invert_match_; 
@@ -27,7 +27,7 @@ index 16c4d2a28c..0d305922eb 100644 + const LowerCaseString name_; + const bool invert_match_; + const bool treat_missing_as_empty_; - + protected: // A matcher specific implementation to match the given header_value. virtual bool specificMatchesHeaders(absl::string_view header_value) const PURE; @@ -35,12 +35,12 @@ index 16c4d2a28c..0d305922eb 100644 - const bool invert_match_; - const bool treat_missing_as_empty_; }; - + // Corresponds to the exact_match from the HeaderMatchSpecifier proto in the RDS API. @@ -139,11 +138,12 @@ public: HeaderDataExactMatch(const envoy::config::route::v3::HeaderMatcher& config) : HeaderDataBaseImpl(config), expected_value_(config.exact_match()) {} - + + const std::string expected_value_; + private: @@ -49,14 +49,14 @@ index 16c4d2a28c..0d305922eb 100644 }; - const std::string expected_value_; }; - + // Corresponds to the safe_regex_match from the HeaderMatchSpecifier proto in the RDS API. @@ -158,6 +158,7 @@ public: return std::unique_ptr( new HeaderDataRegexMatch(config, std::move(*regex_or_error))); } + const Regex::CompiledMatcherPtr regex_; - + protected: HeaderDataRegexMatch(const envoy::config::route::v3::HeaderMatcher& config, @@ -168,7 +169,6 @@ public: @@ -65,7 +65,7 @@ index 16c4d2a28c..0d305922eb 100644 }; - const Regex::CompiledMatcherPtr regex_; }; - + // Corresponds to the range_match from the HeaderMatchSpecifier proto in the RDS API. @@ -177,6 +177,8 @@ public: HeaderDataRangeMatch(const envoy::config::route::v3::HeaderMatcher& config) @@ -73,7 +73,7 @@ index 16c4d2a28c..0d305922eb 100644 range_end_(config.range_match().end()) {} + const int64_t range_start_; + const int64_t range_end_; - + private: bool specificMatchesHeaders(absl::string_view header_value) const override { @@ -184,9 +186,6 @@ public: 
@@ -84,26 +84,26 @@ index 16c4d2a28c..0d305922eb 100644 - const int64_t range_start_; - const int64_t range_end_; }; - + // Corresponds to the prefix_match from the HeaderMatchSpecifier proto in the RDS API. @@ -194,12 +193,12 @@ public: public: HeaderDataPrefixMatch(const envoy::config::route::v3::HeaderMatcher& config) : HeaderDataBaseImpl(config), prefix_(config.prefix_match()) {} + const std::string prefix_; - + private: bool specificMatchesHeaders(absl::string_view header_value) const override { return absl::StartsWith(header_value, prefix_); }; - const std::string prefix_; }; - + // Corresponds to the suffix_match from the HeaderMatchSpecifier proto in the RDS API. @@ -208,11 +207,12 @@ public: HeaderDataSuffixMatch(const envoy::config::route::v3::HeaderMatcher& config) : HeaderDataBaseImpl(config), suffix_(config.suffix_match()) {} - + + const std::string suffix_; + private: @@ -112,36 +112,36 @@ index 16c4d2a28c..0d305922eb 100644 }; - const std::string suffix_; }; - + // Corresponds to the contains_match from the HeaderMatchSpecifier proto in the RDS API. @@ -220,12 +220,12 @@ public: public: HeaderDataContainsMatch(const envoy::config::route::v3::HeaderMatcher& config) : HeaderDataBaseImpl(config), expected_substr_(config.contains_match()) {} + const std::string expected_substr_; - + private: bool specificMatchesHeaders(absl::string_view header_value) const override { return absl::StrContains(header_value, expected_substr_); }; - const std::string expected_substr_; }; - + // Corresponds to the string_match from the HeaderMatchSpecifier proto in the RDS API. 
@@ -235,12 +235,12 @@ public: Server::Configuration::CommonFactoryContext& factory_context) : HeaderDataBaseImpl(config), string_match_(std::make_unique( config.string_match(), factory_context)) {} + const Matchers::StringMatcherPtr string_match_; - + private: bool specificMatchesHeaders(absl::string_view header_value) const override { return string_match_->match(header_value); }; - const Matchers::StringMatcherPtr string_match_; }; - + using HeaderDataPtr = std::unique_ptr; --- -2.43.0 +-- +2.52.0 diff --git a/patches/0006-build-Fix-arm-build-for-liburing.patch b/patches/0006-build-Fix-arm-build-for-liburing.patch index 7fa57658d..61e0b15f1 100644 --- a/patches/0006-build-Fix-arm-build-for-liburing.patch +++ b/patches/0006-build-Fix-arm-build-for-liburing.patch @@ -1,37 +1,80 @@ -From e994434cc738138434708372719517b31fdc81c5 Mon Sep 17 00:00:00 2001 +From f04dc6aa0c540167e31784a2abcf1d1823aa321a Mon Sep 17 00:00:00 2001 
From: Tam Mach -Date: Wed, 14 May 2025 11:27:14 +1000 -Subject: [PATCH 6/7] build: Fix arm build for liburing +Date: Fri, 16 Jan 2026 16:09:08 +1100 +Subject: [PATCH 6/7] bazel: Fix arm build for liburing +Add a config_setting that matches when building for linux_aarch64 with +the clang compiler. This is a specialization of both clang_build and +linux_aarch64, which resolves select() ambiguity in foreign_cc/BUILD +when both conditions are true during ARM cross-compilation with clang. + +Note: We use config_setting instead of config_setting_group because +Bazel does not support config_setting_group for specialization resolution +(see https://github.com/bazelbuild/bazel/issues/16139). + +Also add the clang_linux_aarch64 case to the liburing select() for ARM +cross-compilation with clang. Since clang_linux_aarch64 is a +config_setting that is a specialization of both clang_build (via +flag_values) and linux_aarch64 (via constraint_values), Bazel will +correctly resolve the select() without ambiguity. + +Signed-off-by: Tam Mach --- - bazel/foreign_cc/BUILD | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) + bazel/BUILD | 14 ++++++++++++++ + bazel/foreign_cc/BUILD | 16 ++++++++++++++++ + 2 files changed, 30 insertions(+) + +diff --git a/bazel/BUILD b/bazel/BUILD +index aaaaaaa..bbbbbbb 100644 +--- a/bazel/BUILD ++++ b/bazel/BUILD +@@ -600,5 +600,19 @@ config_setting( + ], + ) ++# Combined config setting for ARM64 cross-compilation with clang. ++# This is a specialization of both clang_build and linux_aarch64, ++# which resolves select() ambiguity in foreign_cc/BUILD. ++config_setting( ++ name = "clang_linux_aarch64", ++ constraint_values = [ ++ "@platforms//cpu:aarch64", ++ "@platforms//os:linux", ++ ], ++ flag_values = { ++ "@bazel_tools//tools/cpp:compiler": "clang", ++ }, ++) ++ + config_setting( + name = "linux_ppc", diff --git a/bazel/foreign_cc/BUILD b/bazel/foreign_cc/BUILD -index dc07b536d3..6c49ca1cb0 100644 +index ccccccc..ddddddd 100644 
--- a/bazel/foreign_cc/BUILD +++ b/bazel/foreign_cc/BUILD -@@ -28,6 +28,20 @@ config_setting( - configure_make( +@@ -28,6 +28,22 @@ configure_make( name = "liburing", configure_in_place = True, -+ env = select({ -+ # (sayboras) Ideally, this should be passed as part of environment variables during cross-compilation, -+ # but somehow it doesn't work. So, we have to pass them manually for arm cross-compilation. + env = {"ENABLE_SHARED": "0"} | select({ ++ # (sayboras) ARM cross-compilation with clang. This config_setting ++ # is a specialization of both clang_build and linux_aarch64, ++ # so Bazel will correctly select it without ambiguity. ++ # The settings include both the cross-compilation flags AND the ++ # clang AR/RANLIB settings. + # The config should be kept in sync with bazel/toolchains/BUILD -+ "//bazel:linux_aarch64": { ++ "//bazel:clang_linux_aarch64": { + "CFLAGS": "--target=aarch64-unknown-linux-gnu -fuse-ld=lld-18", + "CPPFLAGS": "--target=aarch64-unknown-linux-gnu -fuse-ld=lld-18", + "LDFLAGS": "-Wl,-S --target=aarch64-unknown-linux-gnu -fuse-ld=lld-18 -Wl,-no-as-needed -Wl,-z,relro,-z,now -lm -l:libstdc++.a -lc", + "CC": "/usr/bin/clang-18", + "CXX": "/usr/bin/clang-18", + "LD": "/usr/bin/lld-18", ++ "AR": "$(AR)", ++ "RANLIB": "$(AR) -s", + }, -+ "//conditions:default": {}, -+ }), - lib_source = "@com_github_axboe_liburing//:all", - tags = [ - "nocompdb", + "//bazel:clang_build": { + "AR": "$(AR)", + "RANLIB": "$(AR) -s", -- -2.43.0 +2.52.0 diff --git a/patches/0007-Add-latomic-back-for-arm-build.patch b/patches/0007-Add-latomic-back-for-arm-build.patch index 69eda5e2f..44d8033dd 100644 --- a/patches/0007-Add-latomic-back-for-arm-build.patch +++ b/patches/0007-Add-latomic-back-for-arm-build.patch @@ -1,14 +1,15 @@ -From 12fc5290979e744543e3d144f333788c51694f99 Mon Sep 17 00:00:00 2001 +From c8b405d11fb5aa9d1cb0f3db1a4afced83d90398 Mon Sep 17 00:00:00 2001 
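Review bot: In the new `"//bazel:clang_linux_aarch64"` branch of the liburing `env`, `CC`, `CXX` and `LD` are absolute host paths (`/usr/bin/clang-18`, `/usr/bin/lld-18`) while `AR` and `RANLIB` come from the toolchain through `$(AR)`. The compiler and linker that produce the arm64 liburing objects are therefore whatever the build host has installed under those names, not something Bazel resolves and tracks. The existing comment only asks that the values be kept in sync with bazel/toolchains/BUILD by hand; I would state the dependency explicitly, e.g. `# CC/CXX/LD are host paths outside Bazel's toolchain resolution; the build image must provide clang-18/lld-18, and they change together with bazel/toolchains/BUILD.` The `index aaaaaaa..bbbbbbb` and `index ccccccc..ddddddd` lines in the same patch look like placeholder blob ids, which suggests the patch was edited by hand, so it is worth confirming that it applies cleanly to the pinned Envoy revision. The `configure_make` call continues past the end of the hunk.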
From: Tam Mach Date: Fri, 12 Dec 2025 13:45:27 +1100 Subject: [PATCH 7/7] Add latomic back for arm build +Signed-off-by: Tam Mach --- bazel/v8.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bazel/v8.patch b/bazel/v8.patch -index 9b0cb2374f..512b22ebf4 100644 +index 9b0cb23..512b22e 100644 --- a/bazel/v8.patch +++ b/bazel/v8.patch @@ -284,7 +284,7 @@ index 39663c97df4..14b90ec6905 100644 @@ -21,5 +22,5 @@ index 9b0cb2374f..512b22ebf4 100644 ":should_add_rdynamic": ["-rdynamic"], "//conditions:default": [], -- -2.43.0 +2.52.0 diff --git a/patches/BUILD b/patches/BUILD index 779d1695d..b544f05dd 100644 --- a/patches/BUILD +++ b/patches/BUILD @@ -1 +1,3 @@ licenses(["notice"]) # Apache 2 + +exports_files(glob(["*.patch"]))