Bug 1732885 - Wrong iptables rules are saved during upgrades
Summary: Wrong iptables rules are saved during upgrades
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.11.z
Assignee: Russell Teague
QA Contact: Johnny Liu
Depends On:
Reported: 2019-07-24 15:34 UTC by Borja Aranda
Modified: 2020-06-18 12:52 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-10-15 13:37:18 UTC
Target Upstream Version:


Description Borja Aranda 2019-07-24 15:34:50 UTC
Description of problem:

The installer uses the os_firewall module to add rules to iptables during upgrades/installations, and under certain circumstances that leads to persisting rules that shouldn't be persisted, such as "-A KUBE-SERVICES" or "-A KUBE-SVC-X".

The playbook calls https://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_node/tasks/firewall.yml#L5-L11

This initializes the module, which saves the current iptables rules in https://github.com/openshift/openshift-ansible/blob/release-3.11/roles/lib_utils/library/os_firewall_manage_iptables.py#L67

This gen_save_cmd saves all the current iptables rules:
def gen_save_cmd(self):  # pylint: disable=no-self-use
    return ['/usr/libexec/iptables/iptables.init', 'save']

That could lead to saving iptables rules that shouldn't be saved, as stated earlier, for example:
-A KUBE-SEP-CNQERSD3TC7SLBPT -s -m comment --comment "default/router:80-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-CNQERSD3TC7SLBPT -p tcp -m comment --comment "default/router:80-tcp" -m tcp -j DNAT --to-destination
-A KUBE-SEP-CXODZIVCMSLDI3N7 -s -m comment --comment "default/kubernetes:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-CXODZIVCMSLDI3N7 -p udp -m comment --comment "default/kubernetes:dns" -m udp -j DNAT --to-destination
-A KUBE-SERVICES ! -s -d -p tcp -m comment --comment "default/registry-console:registry-console cluster IP" -m tcp --dport 9000 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d -p tcp -m comment --comment "default/registry-console:registry-console cluster IP" -m tcp --dport 9000 -j KUBE-SVC-DEGCXZMVXZMJS2KL

Those rules should be dynamically created by the kubelet and never saved in /etc/sysconfig/iptables.

Version-Release number of the following components:
All 3.11.X

How reproducible:

Actual results:
Please include the entire output from the last TASK line through the end of output if an error is generated

Expected results:
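
As an added illustration (not code from openshift-ansible, and not the fix applied to this bug) of which lines in an iptables-save dump are the kube-proxy-managed ones the report says should never reach /etc/sysconfig/iptables: a filter that drops KUBE-* chain declarations, the rules inside those chains, and any jump into them. The sample dump, its chain names beyond those quoted in the report, and its IP addresses are constructed placeholders.

```python
import shlex

# Constructed iptables-save output modelled on the rules quoted in the report.
# Addresses are placeholders, not values from any real cluster.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:OS_FIREWALL_ALLOW - [0:0]
-A INPUT -j OS_FIREWALL_ALLOW
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10250 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-DEGCXZMVXZMJS2KL - [0:0]
:KUBE-SEP-CNQERSD3TC7SLBPT - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -d 172.30.0.1/32 -p tcp -m comment --comment "default/registry-console:registry-console cluster IP" -m tcp --dport 9000 -j KUBE-SVC-DEGCXZMVXZMJS2KL
-A KUBE-SEP-CNQERSD3TC7SLBPT -s 10.128.0.5/32 -m comment --comment "default/router:80-tcp" -j KUBE-MARK-MASQ
COMMIT
"""

# Chains kube-proxy creates and reconciles at runtime; they must not be persisted.
DYNAMIC_PREFIXES = ("KUBE-",)


def is_dynamic(line):
    """True for a KUBE-* chain declaration, a rule placed in a KUBE-* chain,
    or a rule whose target is a KUBE-* chain (a jump into a dropped chain
    would otherwise make iptables-restore fail)."""
    if line.startswith(":"):
        return line[1:].startswith(DYNAMIC_PREFIXES)
    # shlex keeps quoted --comment strings as one token, so "-j" inside a
    # comment is never mistaken for the jump flag.
    tokens = shlex.split(line)
    for flag in ("-A", "-I", "-D", "-j", "-g"):
        if flag in tokens:
            idx = tokens.index(flag)
            if idx + 1 < len(tokens) and tokens[idx + 1].startswith(DYNAMIC_PREFIXES):
                return True
    return False


def filter_save(text):
    """Return the dump with every dynamically managed line removed."""
    kept = [line for line in text.splitlines() if not is_dynamic(line)]
    return "\n".join(kept) + "\n"
```

Dropping a jump while keeping its chain would be harmless, but the reverse leaves a dangling target, which is why jump targets are checked as well as chain names.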

Comment 1 Scott Dodson 2019-10-15 13:37:18 UTC
Customer case has closed. Ultimately the SDN should be reconciling these as part of its operation but it may not happen immediately.
