Enable cilium lb by default

hmahmood · hmahmood · commit b982623be680 · 2025-06-11T18:51:51.000-05:00
diff --git a/pkg/config/setup/system_probe.go b/pkg/config/setup/system_probe.go
@@ -219,7 +219,7 @@ func InitSystemProbeConfig(cfg pkgconfigmodel.Config) {
 	cfg.BindEnvAndSetDefault(join(netNS, "conntrack_init_timeout"), 10*time.Second)
 	cfg.BindEnvAndSetDefault(join(netNS, "allow_netlink_conntracker_fallback"), true)
 	cfg.BindEnvAndSetDefault(join(netNS, "enable_ebpf_conntracker"), true)
-	cfg.BindEnvAndSetDefault(join(netNS, "enable_cilium_lb_conntracker"), false)
+	cfg.BindEnvAndSetDefault(join(netNS, "enable_cilium_lb_conntracker"), true)
 
 	cfg.BindEnvAndSetDefault(join(spNS, "source_excludes"), map[string][]string{})
 	cfg.BindEnvAndSetDefault(join(spNS, "dest_excludes"), map[string][]string{})
diff --git a/pkg/network/tracer/cilium_lb.go b/pkg/network/tracer/cilium_lb.go
@@ -13,6 +13,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"os"
 	"sync"
 	"time"
 	"unsafe"
@@ -27,6 +28,7 @@ import (
 	"github.com/DataDog/datadog-agent/pkg/network/netlink"
 	"github.com/DataDog/datadog-agent/pkg/process/util"
 	"github.com/DataDog/datadog-agent/pkg/telemetry"
+	"github.com/DataDog/datadog-agent/pkg/util/kernel"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
 )
 
@@ -106,28 +108,18 @@ type ciliumLoadBalancerConntracker struct {
 
 func newCiliumLoadBalancerConntracker(cfg *config.Config) (netlink.Conntracker, error) {
 	if !cfg.EnableCiliumLBConntracker {
-		return netlink.NewNoOpConntracker(), nil
+		return nil, nil
 	}
 
-	ctTCP, err := ebpf.LoadPinnedMap("/sys/fs/bpf/tc/globals/cilium_ct4_global", &ebpf.LoadPinOptions{
-		ReadOnly: true,
-	})
+	ctTCP, ctUDP, backends, err := loadMaps()
 	if err != nil {
-		return nil, fmt.Errorf("error loading pinned ct TCP map: %w", err)
-	}
+		// special case where we couldn't find at least one map
+		if os.IsNotExist(err) {
+			log.Info("not loading cilium conntracker since cilium maps are not present")
+			return nil, nil
+		}
 
-	ctUDP, err := ebpf.LoadPinnedMap("/sys/fs/bpf/tc/globals/cilium_ct_any4_global", &ebpf.LoadPinOptions{
-		ReadOnly: true,
-	})
-	if err != nil {
-		return nil, fmt.Errorf("error loading pinned ct UDP map: %w", err)
-	}
-
-	backends, err := ebpf.LoadPinnedMap("/sys/fs/bpf/tc/globals/cilium_lb4_backends_v3", &ebpf.LoadPinOptions{
-		ReadOnly: true,
-	})
-	if err != nil {
-		return nil, fmt.Errorf("error loading pinned backends map: %w", err)
+		return nil, err
 	}
 
 	clb := &ciliumLoadBalancerConntracker{
@@ -161,6 +153,50 @@ func newCiliumLoadBalancerConntracker(cfg *config.Config) (netlink.Conntracker,
 	return clb, nil
 }
 
+func loadMaps() (ctTCP, ctUDP, backends *ebpf.Map, err error) {
+	defer func() {
+		if err != nil {
+			ctTCP.Close()
+			ctUDP.Close()
+			backends.Close()
+		}
+	}()
+
+	ctTCP, err = loadMap(kernel.HostSys("/fs/bpf/tc/globals/cilium_ct4_global"))
+	if ctTCP == nil {
+		return nil, nil, nil, err
+	}
+
+	ctUDP, err = loadMap(kernel.HostSys("/fs/bpf/tc/globals/cilium_ct_any4_global"))
+	if ctUDP == nil {
+		return nil, nil, nil, err
+	}
+
+	backends, err = loadMap(kernel.HostSys("/fs/bpf/tc/globals/cilium_lb4_backends_v3"))
+	if backends == nil {
+		return nil, nil, nil, err
+	}
+
+	return ctTCP, ctUDP, backends, nil
+}
+
+func loadMap(path string) (m *ebpf.Map, err error) {
+	// check if the path exists first, since the errors returned
+	// from LoadPinnedMap are not consistent if it doesn't
+	if _, err = os.Stat(path); err != nil {
+		return nil, err
+	}
+
+	m, err = ebpf.LoadPinnedMap(path, &ebpf.LoadPinOptions{
+		ReadOnly: true,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("error loading pinned cilium map at %s: %w", path, err)
+	}
+
+	return m, nil
+}
+
 func ntohs(n uint16) uint16 {
 	return binary.BigEndian.Uint16([]byte{byte(n), byte(n >> 8)})
 }
@@ -290,6 +326,7 @@ func (clb *ciliumLoadBalancerConntracker) Close() {
 		clb.stop <- struct{}{}
 		<-clb.stop
 		clb.ctTCP.Map().Close()
+		clb.ctUDP.Map().Close()
 		clb.backends.Map().Close()
 	})
 }
diff --git a/pkg/network/tracer/conntracker_test.go b/pkg/network/tracer/conntracker_test.go
@@ -294,3 +294,15 @@ func testConntrackerCrossNamespaceNATonRoot(t *testing.T, ct netlink.Conntracker
 
 	assert.Equal(t, util.AddressFromString("1.1.1.1"), trans.ReplSrcIP)
 }
+
+func TestCiliumConntrackerEnabledByDefault(t *testing.T) {
+	cfg := config.New()
+	assert.True(t, cfg.EnableCiliumLBConntracker)
+
+	// most unit tests environments don't have cilium enabled (including CI)
+	// so this should not load the cilium conntracker even if it enabled, without
+	// any error
+	clb, err := newCiliumLoadBalancerConntracker(cfg)
+	assert.NoError(t, err)
+	assert.Nil(t, clb)
+}
diff --git a/test/new-e2e/tests/npm/cilium_lb_conntracker_test.go b/test/new-e2e/tests/npm/cilium_lb_conntracker_test.go
@@ -86,7 +86,7 @@ func testCiliumLBConntracker(t *testing.T, ciliumVersion string) {
 			awskubernetes.KindProvisioner(
 				awskubernetes.WithName(name),
 				awskubernetes.WithCiliumOptions(cilium.WithHelmValues(ciliumHelmValues), cilium.WithVersion(ciliumVersion)),
-				awskubernetes.WithAgentOptions(kubernetesagentparams.WithHelmValues(systemProbeConfigWithCiliumLB)),
+				awskubernetes.WithAgentOptions(kubernetesagentparams.WithHelmValues(systemProbeConfigNPMHelmValues)),
 				awskubernetes.WithWorkloadApp(httpBinServiceInstall),
 				awskubernetes.WithWorkloadApp(npmToolsWorkload),
 			),
diff --git a/test/new-e2e/tests/npm/config.go b/test/new-e2e/tests/npm/config.go
@@ -30,6 +30,3 @@ func systemProbeConfigNPMEnv() []dockeragentparams.Option {
 		dockeragentparams.WithAgentServiceEnvVariable("DD_SYSTEM_PROBE_NETWORK_ENABLED", pulumi.StringPtr("true")),
 	}
 }
-
-//go:embed config/npm-helm-cilium-lb-values.yaml
-var systemProbeConfigWithCiliumLB string
diff --git a/test/new-e2e/tests/npm/config/npm-helm-cilium-lb-values.yaml b/test/new-e2e/tests/npm/config/npm-helm-cilium-lb-values.yaml

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,3 @@ func systemProbeConfigNPMEnv() []dockeragentparams.Option {`
`30`	`30`	`dockeragentparams.WithAgentServiceEnvVariable("DD_SYSTEM_PROBE_NETWORK_ENABLED", pulumi.StringPtr("true")),`
`31`	`31`	`}`
`32`	`32`	`}`
`33`		`-`
`34`		`-//go:embed config/npm-helm-cilium-lb-values.yaml`
`35`		`-var systemProbeConfigWithCiliumLB string`