What’s new in Calico v3.25

We’ve just released Calico v3.25! This milestone release includes a number of eBPF dataplane improvements designed to deliver an even faster upgrade experience, a smaller memory footprint, and faster loading of eBPF networking objects.

But before we get into the details of these changes, let’s welcome and thank our new community problem-solvers who got their first contributions merged into our beloved project.

Community shoutout

Documentation is the most essential part of any project since that is the go-to place for everyone to get a better idea about the capabilities or deployment of that project. So let’s start by giving a big shout-out to @cavcrosby, @Congrool, @chenbojian, and @gopihc for their attention to detail and fixing issues in the project documentation.

Shoutout to @OrvilleQ and @masap for extending the exclusion list of interfaces to make the automatic interface selection of Calico even faster.

Shoutout to @gregwhorley, @dlipovetsky, @nickperry, and @tamcore for their updates to `tigera-operator` that will make the installation and maintenance experience of Calico even better.

Shoutout to @ramanujadasu for enhancing the logic behind the unicast IP address hashing.

Shoutout to @chrisjohnson00 and @vitaliy-leschenko for enhancing the Calico windows installer and adding backward compatibility to the kubelet installer script.

Shoutout to @mtryfoss for extending the service load balancer IP announcement to individual IPs in both IPv4 and IPv6.

Shoutout to @tamcore for adding a missing feature to the project template files.

Shoutout to @zhaojul for updating the flannel images in the project template files.

Shoutout to @neoaggelos for catching and fixing a pesky bug that could’ve rejected valid interfaces from being validated.

Shoutout to @huiyizzz for fixing SyncLabels validation for the Kubernetes datastore.

Shoutout to @wdoekes for fixing an issue that could’ve caused a localhost name lookup failure.

Shoutout to @Juneezee for upgrading the imported notification library, a simple change that usually gets overlooked and can cause security problems.

Not to forget @cyclinder and @Muff1nman who were awarded the Calico hero title by Tigera engineers during our Calico v3.25 community meetings for their significant contributions to the implementation of VXLAN for IPv6 in this milestone release.

Many improvements and new features are built into Calico v3.25 to enhance and improve your cloud-native environment. Let’s take a look at the details of this release.

Typha performance improvements

Calico Typha is a lesser-known component of Calico. It is a caching layer that sits between Calico and the Kubernetes API server to offload the data distribution and query processing functions of Calico. While users might not directly interact with Typha, it is a vital piece of Calico in massive clusters.

With this release, we are adding automatic compression to the Typha protocol, which minimizes Typha’s impact on the network and speeds up resyncs. We are also adding graceful shutdown, to better control a Calico upgrade, and better observability of Typha snapshots through Prometheus metrics. Together, these changes improve performance at scale, especially during upgrades.

eBPF improvements

With the goal of improving cloud networking and security for everyone, the Calico v3.25 release brings many improvements and enhancements to our eBPF-based dataplane.

Host conntrack bypass

Conntrack (connection tracking) is one of the most important components inside the Linux kernel: it records the state of each connection so that every packet can be matched to the flow it belongs to.

It is now possible to completely bypass the kernel’s own conntrack table on the host machines by using Calico’s eBPF dataplane implementation of conntrack in your cluster. This lets you exceed the kernel’s maximum conntrack cap by relying on the efficiency of eBPF maps, so the node can handle even more connections. The benefit is most visible in workloads that handle a massive number of short-lived connections, such as in-memory databases like Redis and Memcached.

Our blog post, Linux Conntrack: Why it breaks down and avoiding the problem, dives deeper into how Linux conntrack works and where it runs out of capacity.

You can try this by using the following command:

```bash
kubectl patch --type=merge felixconfiguration default --patch='{"spec":{"bpfHostConntrackBypass": true}}'
```
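Host conntrack bypass only has an effect when Felix is running the eBPF dataplane, so before flipping it on a cluster it is worth checking the current FelixConfiguration rather than patching blindly. The script below is an added example written for this post, not Calico project code. It assumes kubectl is configured for the cluster, that the FelixConfiguration resource is named `default` (the name Calico creates), and that the JSON spec uses the camelCase field names `bpfEnabled` and `bpfHostConntrackBypass`. The sample JSON documents inside it are constructed so the decision logic can be exercised offline; pass `--apply` to run it against a real cluster.

```bash
#!/usr/bin/env bash
# Added example, not Calico project code: decide whether Calico's eBPF host
# conntrack bypass can be switched on, based on the cluster's current
# FelixConfiguration, and only then apply the patch shown in the post.
# Assumes kubectl is configured for the cluster and the FelixConfiguration
# is named "default".
set -eu

# Exit 0 when the FelixConfiguration JSON has the eBPF dataplane on.
# Host conntrack bypass is an eBPF-dataplane setting; with bpfEnabled
# absent or false it does nothing, so we refuse to apply it blindly.
felix_bpf_enabled() {
    printf '%s' "$1" | grep -Eq '"bpfEnabled"[[:space:]]*:[[:space:]]*true'
}

# Exit 0 when bpfHostConntrackBypass is already set to true.
felix_conntrack_bypass_on() {
    printf '%s' "$1" | grep -Eq '"bpfHostConntrackBypass"[[:space:]]*:[[:space:]]*true'
}

# Print exactly one of: bpf-dataplane-off | already-enabled | enable
conntrack_bypass_plan() {
    if ! felix_bpf_enabled "$1"; then
        echo "bpf-dataplane-off"
    elif felix_conntrack_bypass_on "$1"; then
        echo "already-enabled"
    else
        echo "enable"
    fi
}

# Constructed sample documents, shaped like the output of
# `kubectl get felixconfiguration default -o json`.
SAMPLE_IPTABLES='{"apiVersion":"projectcalico.org/v3","kind":"FelixConfiguration","metadata":{"name":"default"},"spec":{"logSeverityScreen":"Info"}}'
SAMPLE_BPF='{"apiVersion":"projectcalico.org/v3","kind":"FelixConfiguration","metadata":{"name":"default"},"spec":{"bpfEnabled":true,"logSeverityScreen":"Info"}}'
SAMPLE_BPF_BYPASS='{"apiVersion":"projectcalico.org/v3","kind":"FelixConfiguration","metadata":{"name":"default"},"spec":{"bpfEnabled":true,"bpfHostConntrackBypass":true}}'

if [ "${1:-}" = "--apply" ]; then
    # Live mode: read the real FelixConfiguration and act on the plan.
    current="$(kubectl get felixconfiguration default -o json)"
    case "$(conntrack_bypass_plan "$current")" in
        enable)
            kubectl patch felixconfiguration default --type=merge \
                --patch='{"spec":{"bpfHostConntrackBypass": true}}'
            # Read the field back so the change is confirmed, not assumed.
            kubectl get felixconfiguration default \
                -o jsonpath='{.spec.bpfHostConntrackBypass}{"\n"}'
            ;;
        already-enabled)
            echo "host conntrack bypass is already enabled"
            ;;
        bpf-dataplane-off)
            echo "eBPF dataplane is not enabled (spec.bpfEnabled); not applying" >&2
            exit 1
            ;;
    esac
else
    # Offline dry run over the constructed samples:
    # prints bpf-dataplane-off, enable, already-enabled in that order.
    for s in "$SAMPLE_IPTABLES" "$SAMPLE_BPF" "$SAMPLE_BPF_BYPASS"; do
        conntrack_bypass_plan "$s"
    done
fi
```

The read-back after the patch matters: a merge patch against a CRD with a structural schema silently drops keys the schema does not know, so a mistyped field name would report success while changing nothing.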

Connect time load balancer fix for IPv4 addresses disguised as IPv6

Some applications, such as those using gRPC, make their lives easier by turning every address into an IPv6 address. These IPv4-mapped IPv6 addresses are difficult to spot because the traffic is plain IPv4 on the wire, yet the connection is initiated in the kernel through the IPv6 variant of the connect system call. To handle this, Calico v3.25 uses BPF programs that hook into the kernel’s connect path and monitor these system calls as issued by the gRPC library, so that such services are resolved correctly.

Less overhead for forwarded nodeport return traffic

Previously, when a lookup for a forwarding information base (FIB) entry was not found, the Linux kernel would apply strict reverse-path forwarding (RPF), which could cause packets to be dropped by the host namespace on the pod’s interface. This forced users into taking extra steps to ensure the pod’s source address was preserved when returning a packet to a tunnel—a problem for source-based routing in some environments like EKS.

With Calico v3.25, those extra steps are no longer required: strict RPF filtering is handled entirely in BPF, and recent EKS kernels take a more relaxed attitude toward Linux’s per-device RPF. Packets now leave the pod’s interface fully encapsulated for the forwarding tunnel, and users do not need to touch the packet on the host interface, simplifying the packet flow and improving performance.

Faster loading of eBPF programs

For historical reasons and to support older kernels, prior to this release we used to patch eBPF programs at load time to set their configuration. In Calico v3.25, we have switched to loading programs from object (machine code) files with libbpf, which reduces load-time overhead and speeds up pod startup. We also skip loading programs that are not needed, further optimizing start-up times.

Overall, this release provides a faster and smoother experience for anyone who likes to run a cloud or containerized environment with the latest technologies. We look forward to enhancing your experience with Calico and our eBPF dataplane with every release!

As always, you can find the full list of changes in our release notes.

Join our community

If you would like to work on the next anticipated Calico Open Source feature, join our contributor’s Slack channel. Feel free to tell us about your vision and the community will help you achieve it.

You’re also welcome to take part in our next virtual community meeting event, where we discuss the future of Calico Open Source and spotlight community members who might have made some of the favorite features you are currently using.

Did you know we have an ambassador program? Join Calico Big Cats today and help us grow our Calico Open Source community.
