1732885 – Wrong iptables rules are saved during upgrades

Bug 1732885 - Wrong iptables rules are saved during upgrades

Summary: Wrong iptables rules are saved during upgrades

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Installer
Sub Component:
Version:	3.11.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	3.11.z
Assignee:	Russell Teague
QA Contact:	Johnny Liu
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-07-24 15:34 UTC by Borja Aranda
Modified:	2023-12-15 16:38 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-10-15 13:37:18 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Borja Aranda 2019-07-24 15:34:50 UTC

Description of problem:

The installer uses the os_firewall to add rules to iptables during upgrades/installations, and that leads under certain circumstances to persist rules that shouldn't be persisted, such as "-A KUBE-SERVICES" or "-A KUBE-SVC-X".

The playbooks calls https://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_node/tasks/firewall.yml#L5-L11

This initializes the module, which saves the current iptables rules in https://github.com/openshift/openshift-ansible/blob/release-3.11/roles/lib_utils/library/os_firewall_manage_iptables.py#L67

This gen_save_cmd saves all the current iptables rules:
~~~
def gen_save_cmd(self):  # pylint: disable=no-self-use
  return ['/usr/libexec/iptables/iptables.init', 'save']
~~~

That could lead to saving iptables rules that shouldn't be saved, as stated earlier, for example:
~~~
-A KUBE-SEP-CNQERSD3TC7SLBPT -s 10.74.178.134/32 -m comment --comment "default/router:80-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-CNQERSD3TC7SLBPT -p tcp -m comment --comment "default/router:80-tcp" -m tcp -j DNAT --to-destination 10.74.178.134:80
-A KUBE-SEP-CXODZIVCMSLDI3N7 -s 10.74.178.148/32 -m comment --comment "default/kubernetes:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-CXODZIVCMSLDI3N7 -p udp -m comment --comment "default/kubernetes:dns" -m udp -j DNAT --to-destination 10.74.178.148:8053
-A KUBE-SERVICES ! -s 10.128.0.0/14 -d 172.30.14.144/32 -p tcp -m comment --comment "default/registry-console:registry-console cluster IP" -m tcp --dport 9000 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 172.30.14.144/32 -p tcp -m comment --comment "default/registry-console:registry-console cluster IP" -m tcp --dport 9000 -j KUBE-SVC-DEGCXZMVXZMJS2KL
~~~

Those rules should be dinamically created by the kubelet and never saved in /etc/sysconfig/iptables

Version-Release number of the following components:
All 3.11.X

How reproducible:
Always

Actual results:
Please include the entire output from the last TASK line through the end of output if an error is generated

Expected results:

Comment 1 Scott Dodson 2019-10-15 13:37:18 UTC

Customer case has closed. Ultimately the SDN should be reconciling these as part of its operation but it may not happen immediately.

Note You need to log in before you can comment on or make changes to this bug.