Skip to content

Fix CNS Program iptables for delegated IPAM #1499

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 14 commits into from
Aug 15, 2022
Merged

Fix CNS Program iptables for delegated IPAM #1499

merged 14 commits into from
Aug 15, 2022

Conversation

@nddq
Copy link
Member

@nddq nddq commented Jul 31, 2022

^

@nddq nddq requested review from a team, matmerr and rbtr as code owners July 31, 2022 23:17
@nddq nddq added cns Related to CNS. fix Fixes something. labels Jul 31, 2022
rbtr
rbtr requested changes Aug 1, 2022
View reviewed changes
Copy link
Collaborator

@rbtr rbtr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the conflist needs to exist

azure-container-networking/dropgz/build/cni.Dockerfile

Line 18 in 3ecb7fb

COPY --from=azure-ipam /azure-ipam/*.conflist pkg/embed/fs

@nddq
Copy link
Member Author

nddq commented Aug 1, 2022

the conflist needs to exist

azure-container-networking/dropgz/build/cni.Dockerfile

Line 18 in 3ecb7fb

COPY --from=azure-ipam /azure-ipam/*.conflist pkg/embed/fs

For the cns image?

@rbtr
Copy link
Collaborator

rbtr commented Aug 1, 2022

for the dropgz build. you've deleted that unrelated file in this change, it needs to be put back.

rbtr
rbtr reviewed Aug 2, 2022
View reviewed changes
cns/restserver/internalapi.go Outdated
iptables.RuleExists(iptables.V4, iptables.Nat, iptables.Swift, azureIMDSMatch, snatHostIPJump) {
// Only check for existence of other iptables rule if SWIFT chain exists.
if chainExist {
postroutingToSwiftJumpexist, err := ipt.Exists(iptables.Nat, iptables.Postrouting, "-j", "SWIFT-POSTROUTING")
Copy link
Collaborator

@rbtr rbtr Aug 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why the change from iptables.Swift to "SWIFT-POSTROUTING"? that really should be a const since it is reused so much

Copy link
Member Author

@nddq nddq Aug 2, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tamilmani1989 thinks we should term it like that instead of SWIFT. I can make it a const.

@nddq
Copy link
Member Author

nddq commented Aug 5, 2022

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Aug 5, 2022

Azure Pipelines successfully started running 1 pipeline(s).

@nddq nddq force-pushed the cnsProgramIptables branch from dd5c973 to 5d33af7 Compare August 5, 2022 18:02
tamilmani1989
tamilmani1989 reviewed Aug 6, 2022
View reviewed changes
cns/restserver/internalapi.go Outdated
return types.FailedToRunIPTableCmd, "[Azure CNS] failed to create SWIFT chain : " + err.Error()
}
logger.Printf("[Azure CNS] Append SWIFT Chain to POSTROUTING ...")
err = ipt.Append(iptables.Nat, iptables.Postrouting, "-j", SwiftChainName)
Copy link
Member

@tamilmani1989 tamilmani1989 Aug 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what if this rule exist in this chain? will it return failure if rule exists?

@nddq nddq force-pushed the cnsProgramIptables branch 2 times, most recently from 823684f to 14742bb Compare August 10, 2022 19:25
tamilmani1989
tamilmani1989 previously approved these changes Aug 10, 2022
View reviewed changes
@nddq nddq enabled auto-merge (squash) August 10, 2022 21:00
rbtr
rbtr previously approved these changes Aug 11, 2022
View reviewed changes
Copy link
Collaborator

@rbtr rbtr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, aks-e tests are broken and won't pass

@nddq nddq disabled auto-merge August 11, 2022 19:03
@nddq nddq enabled auto-merge (squash) August 11, 2022 19:03
@nddq nddq dismissed stale reviews from rbtr and tamilmani1989 via b208476 August 11, 2022 21:15
@nddq nddq force-pushed the cnsProgramIptables branch from 44b2837 to b208476 Compare August 11, 2022 21:15
@nddq nddq force-pushed the cnsProgramIptables branch from b208476 to 55c35b0 Compare August 12, 2022 23:05
@nddq nddq disabled auto-merge August 13, 2022 00:26
tamilmani1989
tamilmani1989 approved these changes Aug 15, 2022
View reviewed changes
Copy link
Member

@tamilmani1989 tamilmani1989 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@rbtr
Copy link
Collaborator

rbtr commented Aug 15, 2022

bypassing broken aks-e check

@rbtr rbtr merged commit 8779700 into Azure:master Aug 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tamilmani1989 tamilmani1989 tamilmani1989 approved these changes

@rbtr rbtr rbtr left review comments

@matmerr matmerr Awaiting requested review from matmerr

Assignees

No one assigned

Labels

cns Related to CNS. fix Fixes something.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@nddq @rbtr @tamilmani1989