
Bug 1330201

Summary: atomic-openshift-node does not reconcile iptables rules when the iptables service is restarted
Product: OpenShift Container Platform
Reporter: Matt Woodson <mwoodson>
Component: Networking
Assignee: Ravi Sankar <rpenta>
Status: CLOSED ERRATA
QA Contact: Meng Bo <bmeng>
Severity: medium
Docs Contact:
Priority: medium
Version: 3.1.0
CC: aos-bugs, charles_sheridan, eparis, tdawson, twiest, xtian
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-09-27 09:31:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1303130

Description Matt Woodson 2016-04-25 15:23:45 UTC
Description of problem:

We have a use case where we are manipulating the iptables service outside of openshift-node on the system. Rules were added to /etc/sysconfig/iptables. Then the iptables service was restarted, and the iptables rules that were put in place by atomic-openshift-node are no longer there, as they are overwritten by what was in iptables.

Restarting the atomic-openshift-node service brings back the iptables rules that are needed by openshift, and also includes the iptables rules from /etc/sysconfig/iptables.


Just a note, firewalld is not installed on the system.

Version-Release number of selected component (if applicable):

atomic-openshift-node-3.1.1.6-5.git.35.0742c54.

How reproducible:

Very

Steps to Reproduce:
1. run 'iptables-save'; note the output
2. optional: edit /etc/sysconfig/iptables
3. restart the iptables service: systemctl restart iptables
4. run 'iptables-save'; note the output is different from #1


Actual results:

openshift iptables rules are gone.

Expected results:

We need to not lose the openshift iptables rules.

Comment 2 Ravi Sankar 2016-06-28 17:45:13 UTC
Fixed in https://github.com/openshift/origin/pull/9014

Comment 3 Meng Bo 2016-06-29 10:17:28 UTC
This should be tested on latest OSE build.
Please move it back once the changes are merged into OSE.

Comment 4 Troy Dawson 2016-07-20 22:16:32 UTC
This has been merged and is in OSE v3.3.0.8 or newer.

Comment 5 Meng Bo 2016-08-09 05:42:41 UTC
Checked on aos build v3.3.0.17

The kubernetes iptables rules will not be recovered after being deleted.

Assign the bug back.

Steps:
1. Delete the openshift iptables on node
# iptables -D INPUT -i tun0 -m comment --comment "traffic from docker for internet" -j ACCEPT
2. Delete the kubernetes iptables on node
# iptables -D OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
# iptables -t nat -D  KUBE-SERVICES -d 172.31.0.1/32 -p tcp -m comment --comment "default/kubernetes:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-BA6I5HTZKAAAJT56
3. Watch the iptables rules

Result:
Only the openshift iptables rules are recovered.
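The description and Comment 5 both verify the rules by eye. As an added example (not code from this bug, from OpenShift or from Kubernetes), the following check parses iptables-save output and reports which of the expected OpenShift SDN and Kubernetes rules, identified by the comments quoted in Comment 5, are missing after an iptables restart or a manual delete. The expected-rule list and the sample dump are assumptions constructed for illustration.

```python
import subprocess

# Rules the node must keep in place, as (table, chain, rule comment).
# The comments are the ones quoted in Comment 5 of this bug (assumed complete here).
EXPECTED_RULES = [
    ("filter", "INPUT", "traffic from docker for internet"),
    ("filter", "OUTPUT", "kubernetes service portals"),
    ("nat", "KUBE-SERVICES", "default/kubernetes:dns-tcp cluster IP"),
]

def parse_iptables_save(dump):
    """Parse iptables-save output into {table: [(chain, rule line), ...]}."""
    tables, table = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # header/timestamp comments
        if line.startswith("*"):
            table = line[1:]               # "*filter" -> "filter"
            tables.setdefault(table, [])
        elif line.startswith("-A ") and table is not None:
            tables[table].append((line.split()[1], line))
        # ":CHAIN POLICY [pkts:bytes]" and "COMMIT" lines carry no rules
    return tables

def missing_rules(dump, expected=EXPECTED_RULES):
    """Return the expected rules that are absent from an iptables-save dump."""
    tables = parse_iptables_save(dump)
    absent = []
    for table, chain, comment in expected:
        wanted = f'--comment "{comment}"'  # iptables-save quotes comment strings
        if not any(c == chain and wanted in r for c, r in tables.get(table, [])):
            absent.append((table, chain, comment))
    return absent

# Constructed sample: the dump after "systemctl restart iptables" has reloaded
# only /etc/sysconfig/iptables, so every OpenShift and Kubernetes rule is gone.
AFTER_RESTART = """\
# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def check_live_node():
    """Run iptables-save on this host (needs root) and report missing rules."""
    out = subprocess.run(["iptables-save"], capture_output=True, text=True, check=True).stdout
    return missing_rules(out)
```

Running check_live_node() from cron or a monitoring agent on a node turns the silent rule loss described in this bug into an alert rather than a discovery after the fact.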

Comment 6 Ravi Sankar 2016-08-16 19:20:58 UTC
Fixed in https://github.com/openshift/origin/pull/10465

Comment 7 openshift-github-bot 2016-08-17 22:03:04 UTC
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/5f8c0a2d71d5387fb6a37815d37e5044891e6f60
Bug 1330201 - Periodically sync k8s iptables rules

Comment 8 Troy Dawson 2016-08-19 21:11:18 UTC
This has been merged into ose and is in OSE v3.3.0.23 or newer.

Comment 10 Meng Bo 2016-08-22 10:16:10 UTC
Checked on ose build v3.3.0.23.

Issue has been fixed.

Both OpenShift SDN iptables rules and k8s iptables rules can be restored automatically after being deleted.

Comment 12 errata-xmlrpc 2016-09-27 09:31:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1933