Add network to iptables command #72
When running in some environments, e.g. Kubernetes, the iptables command can cause the CNI to have issues. In my case, both calico-typha and calico-node began to fail health checks once the original iptables command was executed. Adding the ocserv network to the command allowed it to work as expected.
Thanks for this PR, but local IP cannot be hardcoded in Could you please change it, so it reads
This subnet is already hardcoded in two other places, so it doesn't seem very configurable as it stands. I can update it as you suggest, though; no problem.
@aminvakil I've updated the PR to allow the network/netmask to be configurable (via env var). Please let me know if you have any questions/feedback.
Please fix the hadolint bug.
This will break some users if they had changed the IPs manually from routes.txt, but that would be wrong anyway.
I will put another commit changing the README.md, and putting a release note about this later.
@aminvakil I need to make a change actually; please hold on merging if you could, please. Thank you!
Sure.
I should have put the envsubst in the entrypoint so that users can supply the network params via env var at runtime and not need to rebuild the image. I just pushed the commit to make that happen. Thank you!
Thank you for doing this!
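The change discussed in this thread, as an added example that is not code from the PR or the project: an entrypoint helper that validates a network and netmask supplied through environment variables before they reach a root-level iptables rule, and refuses a netmask that would remove the source scoping. The thread does not show the iptables command, so the masquerade rule form, the variable names `VPN_NETWORK` and `VPN_NETMASK` and the function names are assumptions.

```shell
#!/bin/sh
# Added example. VPN_NETWORK, VPN_NETMASK and the function names are
# hypothetical; the addresses in the usage comment are constructed.

# Succeed only for a dotted quad of four decimal octets in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac   # no leading zeros
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Succeed only for a contiguous, non-zero netmask. 0.0.0.0 is refused
# because it would match every source, i.e. the unscoped rule again.
is_netmask() {
    is_ipv4 "$1" || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    mask=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    [ "$mask" -ne 0 ] || return 1
    inv=$(( mask ^ 0xFFFFFFFF ))
    [ $(( inv & (inv + 1) )) -eq 0 ]
}

# Print the arguments of a source-scoped NAT rule, or fail with no output.
nat_rule_args() {
    is_ipv4 "$1" && is_netmask "$2" || return 1
    printf '%s\n' "-t nat -A POSTROUTING -s $1/$2 -j MASQUERADE"
}

# Entrypoint use (needs root and iptables, so it is left as a comment):
#   args=$(nat_rule_args "$VPN_NETWORK" "$VPN_NETMASK") || exit 1
#   iptables $args
```

Failing closed on a bad value keeps a typo or a hostile environment variable from silently restoring the rule that matched all traffic on the node.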