pkg/bpf/collection: Temporarily don't error on unused maps#41379
Merged
joestringer merged 1 commit intocilium:mainfrom Aug 26, 2025
Merged
Conversation
When we introduced the new unused map pruning logic we added a verification step which, after loading, confirms we did everything as expected. This works by reading back the loaded program instructions. However, on GKE the process of reading back the instructions fails inside of cilium/ebpf logic. To unblock CI until the root cause can be resolved, let us not throw an error in the verification step. Signed-off-by: Dylan Reimerink <[email protected]>
dylandreimerink
added
the
release-note/misc
Member
Author
|
/test |
Member
Author
|
/ci-gke |
joestringer
approved these changes
Aug 26, 2025
Member
joestringer
left a comment
joestringer
left a comment
There was a problem hiding this comment.
Thanks, this is a much more surgical mitigation of the immediate failure for GKE. Given that commit 059977b introduced this check and it seems the repercussions are just that Cilium may load additional maps (which is what it would have done prior to the optimization), this seems like a safe workaround for now.
Member
|
ci-eks run: hit known issue #36428 . Not sure why @cilium/loader was not pulled in for review, but as I understand there's a lack of bandwidth there at the moment. Given this should allow us to mitigate reliable failures on GKE for the immediate term I think this is valuable to push in as-is. |
dylandreimerink
added a commit
to dylandreimerink/cilium
that referenced
this pull request
Nov 5, 2025
In cilium#41379 we stopped returning errors from unused map verification because on systems with sysctls set to restrict instruction readback the verification would always fail and block CI. In cilium/ebpf#1858 an `ErrRestrictedKernel` error was added to indicate this specific case. This allows us to now differentiate between genuine unused map errors and the restricted kernel case, and only ignore the latter. Thus we can re-enable unused map verification errors on systems that support it. Signed-off-by: Dylan Reimerink <[email protected]>
github-merge-queue bot
pushed a commit
that referenced
this pull request
Nov 11, 2025
In #41379 we stopped returning errors from unused map verification because on systems with sysctls set to restrict instruction readback the verification would always fail and block CI. In cilium/ebpf#1858 an `ErrRestrictedKernel` error was added to indicate this specific case. This allows us to now differentiate between genuine unused map errors and the restricted kernel case, and only ignore the latter. Thus we can re-enable unused map verification errors on systems that support it. Signed-off-by: Dylan Reimerink <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When we introduced the new unused map pruning logic we added a verification step which, after loading, confirms we did everything as expected. This works by reading back the loaded program instructions.
However, on GKE the process of reading back the instructions fails inside of cilium/ebpf logic. To unblock CI until the root cause can be resolved, let us not throw an error in the verification step.
See #41245