
[backplane] pin envoy to v1.35.13 instead of floating latest #89

Closed
dilyevsky wants to merge 1 commit into main from dsky/pin-envoy-version

@dilyevsky

Forward-port of the v0.11.24 hotfix (commit 0656862 on dsky/release-v0.11.24).

The backplane image bake (--download_envoy_only) and runtime download resolved the Envoy version via GetLatestRelease, so every image build silently picked up whatever upstream had just released. The v0.11.22/23 builds jumped 1.35.3 → 1.38.0/1.38.2, which regressed the golang filter: Envoy segfaults in tcmalloc on the cgo thread-adoption path (x_cgo_getstackbound → pthread_getattr_np → calloc) under listener reload churn, crash-looping production backplanes and surfacing as Cloudflare 52x at the edge. Verified against two prod cores; identical deterministic crash site on both.

This adds --envoy_version (default v1.35.13) plumbed through the proxy reconciler into GitHubRelease for both the image bake and runtime download paths. Empty value restores latest-release behavior; --envoy_release_url still takes precedence.

Note for main: 1.35.13 is the conservative last-known-good line. If main's consumers need a newer Envoy, bump the pin deliberately in its own commit after soaking the golang filter under listener-reload churn — never let it float.

The backplane image bake (--download_envoy_only) and runtime download
resolved the Envoy version via GetLatestRelease, so every image build
silently picked up whatever upstream had just released. The v0.11.22/23
builds jumped 1.35.3 -> 1.38.0/1.38.2, which regressed the golang
filter: Envoy segfaults in tcmalloc on the cgo thread-adoption path
(x_cgo_getstackbound -> pthread_getattr_np -> calloc) under listener
reload churn, crash-looping production backplanes and surfacing as
Cloudflare 52x at the edge.

Add --envoy_version (default v1.35.13: the last known-good 1.35 line
plus upstream security backports) and plumb it through the proxy
reconciler into GitHubRelease for both the image bake and the runtime
download paths. An empty value restores the old latest-release
behavior; --envoy_release_url still takes precedence.
@dilyevsky dilyevsky closed this Jul 2, 2026
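
The flag precedence described in this PR (--envoy_release_url first, then --envoy_version, with an empty version falling back to latest-release resolution), as an added Go example that is not the project's code. The names `EnvoySource` and `ResolveEnvoySource`, the exact-tag check, and the mirror URL are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Hypothetical type and function names; only the flag semantics come from the PR text.
type EnvoySource struct {
	Kind  string // "url", "pinned" or "latest"
	Value string // release URL or exact tag; empty for "latest"
}

// exactTag accepts only a full vMAJOR.MINOR.PATCH tag, so values such as
// "latest", "v1.35" or "v1.35.x" cannot reintroduce a floating version
// through the pin flag. This validation is an assumption, not from the PR.
var exactTag = regexp.MustCompile(`^v\d+\.\d+\.\d+$`)

// ResolveEnvoySource applies the precedence stated in the PR description:
// a release URL override wins, then the pinned version, and only an
// empty version selects latest-release resolution.
func ResolveEnvoySource(releaseURL, version string) (EnvoySource, error) {
	if releaseURL != "" {
		return EnvoySource{Kind: "url", Value: releaseURL}, nil
	}
	if version == "" {
		return EnvoySource{Kind: "latest"}, nil
	}
	if !exactTag.MatchString(version) {
		return EnvoySource{}, fmt.Errorf("envoy version %q is not an exact vX.Y.Z tag", version)
	}
	return EnvoySource{Kind: "pinned", Value: version}, nil
}

func main() {
	// Constructed inputs: {release URL, version}.
	cases := [][2]string{
		{"", "v1.35.13"},
		{"https://mirror.example/envoy", "v1.35.13"},
		{"", ""},
		{"", "latest"},
	}
	for _, c := range cases {
		src, err := ResolveEnvoySource(c[0], c[1])
		fmt.Printf("url=%q version=%q -> %+v err=%v\n", c[0], c[1], src, err)
	}
}
```

Logging the resolved `Kind` at image-bake time makes an unintended "latest" resolution visible in build output before the image ships.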