Description of problem:
We have a use case where we are manipulating the iptables service outside of openshift-node on the system. Rules were added to /etc/sysconfig/iptables. Then the iptables service was restarted, and the iptables rules that were put in place by atomic-openshift-node are no longer there, as they are overwritten by what was in iptables. Restarting the atomic-openshift-node service brings back the iptables rules that are needed by openshift, and also includes the iptables rules from /etc/sysconfig/iptables. Just a note: firewalld is not installed on the system.

Version-Release number of selected component (if applicable):
atomic-openshift-node-3.1.1.6-5.git.35.0742c54

How reproducible:
Very

Steps to Reproduce:
1. run 'iptables-save'; note the output
2. optional: edit /etc/sysconfig/iptables
3. restart the iptables service: systemctl restart iptables
4. run 'iptables-save'; note the output is different than in #1

Actual results:
openshift iptables rules are gone.

Expected results:
We need to not lose the openshift iptables rules.
Related card: https://trello.com/c/gLIWwGZU/203-monitor-our-iptables-rules-in-the-main-chains
Fixed in https://github.com/openshift/origin/pull/9014
This should be tested on the latest OSE build. Please move it back once the changes are merged into OSE.
This has been merged and is in OSE v3.3.0.8 or newer.
Checked on aos build v3.3.0.17. The kubernetes iptables rules will not be recovered after being deleted. Assigning the bug back.

Steps:
1. Delete the openshift iptables rule on the node
# iptables -D INPUT -i tun0 -m comment --comment "traffic from docker for internet" -j ACCEPT
2. Delete the kubernetes iptables rules on the node
# iptables -D OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
# iptables -t nat -D KUBE-SERVICES -d 172.31.0.1/32 -p tcp -m comment --comment "default/kubernetes:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-BA6I5HTZKAAAJT56
3. Watch the iptables rules

Result: Only the openshift iptables rules are recovered.
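The reproducer in the original report and the verification steps in the comment above both come down to the same question: after `systemctl restart iptables` (or a stray `iptables -D`), are the rules that openshift-node and kube-proxy depend on still in the live ruleset? The script below is an added, read-only check for exactly that; it is not part of the bug report and not code from openshift/origin. It takes `iptables-save` output on stdin and reports which expected rules are missing, using the three rule lines quoted in this thread as the expected set. The embedded dump is a constructed sample in which the OUTPUT -> KUBE-SERVICES jump has been lost; on a real node you would pipe in `iptables-save` and adjust REQUIRED_RULES to the chains your cluster actually uses.

```shell
#!/bin/sh
# Added example (not from the bug report or from openshift/origin): report which
# expected OpenShift / Kubernetes iptables rules are absent from an iptables-save
# dump. Read-only: it never modifies the ruleset, it only tells you what the
# node's periodic sync (or you) would have to put back.

# Expected rules, one per line: "<table> <rule as iptables-save prints it>".
# The three specs are the rules quoted in the bug thread; treat the chain and
# jump-target names as cluster-specific.
REQUIRED_RULES='filter -A INPUT -i tun0 -m comment --comment "traffic from docker for internet" -j ACCEPT
filter -A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
nat -A KUBE-SERVICES -d 172.31.0.1/32 -p tcp -m comment --comment "default/kubernetes:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-BA6I5HTZKAAAJT56'

# Constructed iptables-save output standing in for a live node; the
# "kubernetes service portals" jump in the filter OUTPUT chain is missing.
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
-A KUBE-SERVICES -d 172.31.0.1/32 -p tcp -m comment --comment "default/kubernetes:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-BA6I5HTZKAAAJT56
COMMIT
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tun0 -m comment --comment "traffic from docker for internet" -j ACCEPT
COMMIT'

# missing_rules: read an iptables-save dump on stdin, print one
# "MISSING (<table>): <rule>" line per absent rule, return the number missing.
missing_rules() {
    dump=$(cat)
    missing=0
    # Here-document rather than a pipe so the loop runs in the current shell
    # and $missing survives past the loop.
    while IFS= read -r spec; do
        [ -n "$spec" ] || continue
        table=${spec%% *}    # first word: the table name
        rule=${spec#* }      # remainder: the exact rule line
        # Keep only the lines between "*<table>" and the following COMMIT, then
        # look for the rule as a whole, fixed-string line (no regex surprises
        # from the quotes, slashes or dashes in the rule).
        if ! printf '%s\n' "$dump" \
             | awk -v t="*$table" '$0==t{f=1;next} /^COMMIT/{f=0} f' \
             | grep -Fxq -- "$rule"; then
            echo "MISSING ($table): $rule"
            missing=$((missing + 1))
        fi
    done <<EOF
$REQUIRED_RULES
EOF
    return "$missing"
}

# Stand-alone run against the constructed dump. On a node, replace the printf
# with:  iptables-save | missing_rules
if printf '%s\n' "$SAMPLE_DUMP" | missing_rules; then
    echo "all expected rules present"
else
    echo "$? expected rule(s) missing"
fi
```

The exit status doubles as a count, so the same function drops straight into a cron job or a Nagios-style check; anything nonzero after the node's sync interval has elapsed means the restore described in the fix did not happen for that rule.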
Fixed in https://github.com/openshift/origin/pull/10465
Commit pushed to master at https://github.com/openshift/origin https://github.com/openshift/origin/commit/5f8c0a2d71d5387fb6a37815d37e5044891e6f60 Bug 1330201 - Periodically sync k8s iptables rules
This has been merged into ose and is in OSE v3.3.0.23 or newer.
Checked on ose build v3.3.0.23. The issue has been fixed. Both OpenShift SDN iptables rules and k8s iptables rules can be restored automatically after being deleted.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1933