Description of problem:
We have a use case where we are manipulating iptables service outside of openshift-node on the system. Rules were added to /etc/sysconfig/iptables. Then, iptables service was restarted, and the iptables rules that were put in place by atomic-openshift-node are no longer there as they are overwritten by what was in iptables.
Restarting the atomic-openshift-node service brings back the iptables rules that are needed by openshift, and also includes the iptables rules from /etc/sysconfig/iptables.
Just a note, firewalld is not installed on the system.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. run 'iptables-save'; note the output
2. optional: edit /etc/sysconfig/iptables
3. restart iptables service: systemctl restart iptables
4. run 'iptables-save'; note the output is different than #1
openshift iptables rules are gone.
We need to not lose the openshift iptables rules.
Fixed in https://github.com/openshift/origin/pull/9014
This should be tested on latest OSE build.
Please move it back once the changes are merged into OSE.
This has been merged and is in OSE v184.108.40.206 or newer.
Checked on aos build v220.127.116.11
The kubernetes iptables rules will not be recovered after being deleted.
Assign the bug back.
1. Delete the openshift iptables on node
# iptables -D INPUT -i tun0 -m comment --comment "traffic from docker for internet" -j ACCEPT
2. Delete the kubernetes iptables on node
# iptables -D OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
# iptables -t nat -D KUBE-SERVICES -d 172.31.0.1/32 -p tcp -m comment --comment "default/kubernetes:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-BA6I5HTZKAAAJT56
3. Watch the iptables rules
Only the openshift iptables rules are recovered.
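Both reproduction procedures above come down to comparing two iptables-save snapshots. The following added Python example (not part of this bug report or of OpenShift) parses two such snapshots and lists the openshift-node/kube-proxy rules that vanished between them, recognising them by the --comment strings quoted in this report; the snapshots themselves, including the sshd rule, are constructed.

```python
import re

# --comment strings openshift-node and kube-proxy attach to their rules
# (the three comments quoted in this bug report).
MANAGED_COMMENTS = ("traffic from docker for internet",
                    "kubernetes service portals", "cluster IP")

def parse_iptables_save(text):
    """Return {table: set(rule lines)} from iptables-save output: '*name'
    opens a table, '-A' lines are rules; ':CHAIN', '#' and COMMIT are skipped."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, set())
        elif line.startswith("-A ") and table is not None:
            tables[table].add(line)
    return tables

def managed_rules(tables):
    """(table, rule) pairs whose --comment marks an openshift/kube rule."""
    found = set()
    for table, rules in tables.items():
        for rule in rules:
            m = re.search(r'--comment "([^"]*)"', rule)
            if m and any(tag in m.group(1) for tag in MANAGED_COMMENTS):
                found.add((table, rule))
    return found

def lost_managed_rules(before, after):
    """Managed rules present in snapshot 'before' but gone from 'after'."""
    return sorted(managed_rules(parse_iptables_save(before))
                  - managed_rules(parse_iptables_save(after)))

# Constructed snapshots: BEFORE holds the three rules quoted in this report
# plus a local sshd rule; AFTER is what /etc/sysconfig/iptables alone restores.
BEFORE = """# Generated by iptables-save (constructed sample)
*nat
-A KUBE-SERVICES -d 172.31.0.1/32 -p tcp -m comment --comment "default/kubernetes:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-BA6I5HTZKAAAJT56
COMMIT
*filter
-A INPUT -i tun0 -m comment --comment "traffic from docker for internet" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
COMMIT
"""
AFTER = "*filter\n-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\nCOMMIT\n"
if __name__ == "__main__":
    print("\n".join(f"missing in {t}: {r}" for t, r in lost_managed_rules(BEFORE, AFTER)))
```

Feeding it `iptables-save` output captured before and after the service restart reports exactly the rules openshift-node would have to re-sync.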
Fixed in https://github.com/openshift/origin/pull/10465
Commit pushed to master at https://github.com/openshift/origin
Bug 1330201 - Periodically sync k8s iptables rules
This has been merged into ose and is in OSE v18.104.22.168 or newer.
Checked on ose build v22.214.171.124.
Issue has been fixed.
Both OpenShift SDN iptables rules and k8s iptables rules can be restored automatically after being deleted.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.