Bug 1330201 - atomic-openshift-node does not reconcile iptables rules when the iptables service is restarted
Summary: atomic-openshift-node does not reconcile iptables rules when the iptables ser...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Ravi Sankar
QA Contact: Meng Bo
URL:
Whiteboard:
Depends On:
Blocks: OSOPS_V3
Reported: 2016-04-25 15:23 UTC by Matt Woodson
Modified: 2017-02-19 22:32 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-27 09:31:24 UTC
Target Upstream Version:




Links
System ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHBA-2016:1933 | normal | SHIPPED_LIVE | Red Hat OpenShift Container Platform 3.3 Release Advisory | 2016-09-27 13:24:36 UTC
Origin (Github) 10465 | None | None | None | 2016-08-17 20:22:17 UTC

Description Matt Woodson 2016-04-25 15:23:45 UTC
Description of problem:

We have a use case where we are manipulating the iptables service outside of openshift-node on the system. Rules were added to /etc/sysconfig/iptables. Then, the iptables service was restarted, and the iptables rules that were put in place by atomic-openshift-node are no longer there, as they are overwritten by what was in iptables.

Restarting the atomic-openshift-node service brings back the iptables rules that are needed by openshift, and also includes the iptables rules from /etc/sysconfig/iptables.


Just a note, firewalld is not installed on the system.

Version-Release number of selected component (if applicable):

atomic-openshift-node-3.1.1.6-5.git.35.0742c54.

How reproducible:

Very

Steps to Reproduce:
1. run 'iptables-save'; note the output
2. optional: edit /etc/sysconfig/iptables
3. restart iptables service: systemctl restart iptables
4. run 'iptables-save'; note the output is different than #1


Actual results:

openshift iptables rules are gone.

Expected results:

We need to not lose the openshift iptables rules.

Comment 2 Ravi Sankar 2016-06-28 17:45:13 UTC
Fixed in https://github.com/openshift/origin/pull/9014

Comment 3 Meng Bo 2016-06-29 10:17:28 UTC
This should be tested on latest OSE build.
Please move it back once the changes are merged into OSE.

Comment 4 Troy Dawson 2016-07-20 22:16:32 UTC
This has been merged and is in OSE v3.3.0.8 or newer.

Comment 5 Meng Bo 2016-08-09 05:42:41 UTC
Checked on aos build v3.3.0.17

The kubernetes iptables rules will not be recovered after being deleted.

Assign the bug back.

Steps:
1. Delete the openshift iptables on node
# iptables -D INPUT -i tun0 -m comment --comment "traffic from docker for internet" -j ACCEPT
2. Delete the kubernetes iptables on node
# iptables -D OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
# iptables -t nat -D  KUBE-SERVICES -d 172.31.0.1/32 -p tcp -m comment --comment "default/kubernetes:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-BA6I5HTZKAAAJT56
3. Watch the iptables rules

Result:
Only the openshift iptables rules are recovered.
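A check for the symptom described in the reproduction steps above, added here as an example and not part of the bug report: it scans an iptables-save dump for the rule comments quoted in Comment 5 and reports which OpenShift SDN / kubernetes rules are missing, so a node whose rules were wiped by an iptables service restart can be detected without restarting atomic-openshift-node. Both dumps are constructed samples.

```shell
#!/bin/sh
# Added example (not from the bug report): detect missing OpenShift/kubernetes
# iptables rules in an iptables-save dump. The --comment markers are the ones
# quoted in Comment 5 of this bug.

# Constructed sample: iptables-save output BEFORE `systemctl restart iptables`.
BEFORE_DUMP='*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tun0 -m comment --comment "traffic from docker for internet" -j ACCEPT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
COMMIT
*nat
:KUBE-SERVICES - [0:0]
-A KUBE-SERVICES -d 172.31.0.1/32 -p tcp -m comment --comment "default/kubernetes:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-BA6I5HTZKAAAJT56
COMMIT'

# Constructed sample: AFTER the restart only the static rules from
# /etc/sysconfig/iptables are loaded; the node-managed rules are gone.
AFTER_DUMP='*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# count_rules MARKER: read a dump on stdin, print how many rules carry the
# given --comment (prints 0 and succeeds when there is no match).
count_rules() {
    grep -cF -- "--comment \"$1\"" || true
}

# missing_rules DUMP: print "MISSING: <marker>" for each expected rule that is
# absent from DUMP; return 0 if all are present, 1 otherwise.
missing_rules() {
    dump="$1"
    status=0
    for marker in "traffic from docker for internet" \
                  "kubernetes service portals" \
                  "default/kubernetes:dns-tcp cluster IP"; do
        n=$(printf '%s\n' "$dump" | count_rules "$marker")
        if [ "$n" -eq 0 ]; then
            echo "MISSING: $marker"
            status=1
        fi
    done
    return $status
}
```

On a real node replace the constructed dump with `missing_rules "$(iptables-save)"`, e.g. from a cron job or a monitoring check.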

Comment 6 Ravi Sankar 2016-08-16 19:20:58 UTC
Fixed in https://github.com/openshift/origin/pull/10465

Comment 7 openshift-github-bot 2016-08-17 22:03:04 UTC
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/5f8c0a2d71d5387fb6a37815d37e5044891e6f60
Bug 1330201 - Periodically sync k8s iptables rules

Comment 8 Troy Dawson 2016-08-19 21:11:18 UTC
This has been merged into ose and is in OSE v3.3.0.23 or newer.

Comment 10 Meng Bo 2016-08-22 10:16:10 UTC
Checked on ose build v3.3.0.23.

Issue has been fixed.

Both OpenShift SDN iptables rules and k8s iptables rules can be restored automatically after being deleted.

Comment 12 errata-xmlrpc 2016-09-27 09:31:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1933

