Iptables wrapper 1.9 (#3341)

* Signed-off-by: changluyi <clyi@alauda.io> 1. add kubectl ko log for release-1.9 2. add iptables-wrapper-install.sh to release-1.9 * fix security
kubeovn · Oct 26, 2023 · e5bb59b · e5bb59b
1 parent 574f9bb
commit e5bb59b
Show file tree

Hide file tree

Showing 13 changed files with 639 additions and 49 deletions.
diff --git a/.github/workflows/build-x86-image.yaml b/.github/workflows/build-x86-image.yaml
@@ -284,6 +284,19 @@ jobs:
           E2E_NETWORK_MODE: ${{ matrix.mode }}
         run: make k8s-conformance-e2e
 
+      - name: kubectl ko log
+        if: failure()
+        run: |
+          make kubectl-ko-log
+          mv kubectl-ko-log.tar.gz k8s-conformance-e2e-${{ matrix.ip-family }}-${{ matrix.mode }}-ko-log.tar.gz
+
+      - name: upload kubectl ko log
+        uses: actions/upload-artifact@v3
+        if: failure()
+        with:
+          name: k8s-conformance-e2e-${{ matrix.ip-family }}-${{ matrix.mode }}-ko-log
+          path: k8s-conformance-e2e-${{ matrix.ip-family }}-${{ matrix.mode }}-ko-log.tar.gz
+
   k8s-netpol-e2e:
     name: Kubernetes Network Policy E2E
     if: |
@@ -548,6 +561,19 @@ jobs:
           E2E_NETWORK_MODE: ${{ matrix.mode }}
         run: make kube-ovn-conformance-e2e
 
+      - name: kubectl ko log
+        if: failure()
+        run: |
+          make kubectl-ko-log
+          mv kubectl-ko-log.tar.gz kube-ovn-conformance-e2e-${{ matrix.mode }}-${{ matrix.ip-family }}-ko-log.tar.gz
+
+      - name: upload kubectl ko log
+        uses: actions/upload-artifact@v3
+        if: failure()
+        with:
+          name: kube-ovn-conformance-e2e-${{ matrix.mode }}-${{ matrix.ip-family }}-ko-log
+          path: kube-ovn-conformance-e2e-${{ matrix.mode }}-${{ matrix.ip-family }}-ko-log.tar.gz
+
       - name: Cleanup
         run: |
           if [ "${{ matrix.mode }}" != underlay ]; then
@@ -774,6 +800,20 @@ jobs:
           ENABLE_LB: "false"
         run: make kind-install
 
+      - name: kubectl ko log
+        if: failure()
+        run: |
+          make kubectl-ko-log
+          mv kube-ovn-no-lb-ko-log.tar.gz
+
+      - name: upload kubectl ko log
+        uses: actions/upload-artifact@v3
+        if: failure()
+        with:
+          name: kube-ovn-no-lb-ko-log
+          path: kube-ovn-no-lb-ko-log.tar.gz
+
+
       - name: Cleanup
         run: sh dist/images/cleanup.sh
 

diff --git a/Makefile b/Makefile
@@ -495,6 +495,12 @@ scan:
 ut:
 	ginkgo -mod=mod -progress -reportPassed --slowSpecThreshold=60 test/unittest
 
+
+.PHONY: kubectl-ko-log
+kubectl-ko-log:
+	/usr/local/bin/kubectl-ko log all
+	tar -zcvf kubectl-ko-log.tar.gz kubectl-ko-log/
+
 .PHONY: clean
 clean:
 	$(RM) dist/images/kube-ovn dist/images/kube-ovn-cmd

diff --git a/dist/images/Dockerfile b/dist/images/Dockerfile
@@ -15,6 +15,7 @@ COPY logrotate/* /etc/logrotate.d/
 COPY grace_stop_ovn_controller /usr/share/ovn/scripts/grace_stop_ovn_controller
 
 WORKDIR /kube-ovn
+RUN /kube-ovn/iptables-wrapper-installer.sh --no-sanity-check
 
 RUN rm -f /usr/bin/nc &&\
     rm -f /usr/bin/netcat

diff --git a/dist/images/Dockerfile.base b/dist/images/Dockerfile.base
@@ -85,9 +85,6 @@ RUN apt update && apt upgrade -y && apt install ca-certificates python3 hostname
         tcpdump ipset curl uuid-runtime openssl inetutils-ping arping ndisc6 \
         logrotate dnsutils net-tools nmap -y --no-install-recommends && \
         rm -rf /var/lib/apt/lists/* && \
-        cd /usr/sbin && \
-        ln -sf /usr/sbin/iptables-legacy iptables && \
-        ln -sf /usr/sbin/ip6tables-legacy ip6tables && \
         rm -rf /etc/localtime
 
 RUN mkdir -p /var/run/openvswitch && \

diff --git a/dist/images/install.sh b/dist/images/install.sh
@@ -2554,6 +2554,7 @@ showHelp(){
   echo "  reload restart all kube-ovn components"
   echo "  env-check check the environment configuration"
   echo "  perf [image] performance test default image is kubeovn/test:v1.12.0"
+  echo "  log {kube-ovn|ovn|ovs|linux|all}    save log to ./kubectl-ko-log/"
 }
 
 # usage: ipv4_to_hex 192.168.0.1
@@ -3201,6 +3202,126 @@ checkDeployment(){
   fi
 }
 
+init_dir() {
+    mkdir -p kubectl-ko-log
+    podNames=`kubectl get pod -n kube-system -l app=kube-ovn-cni -o 'jsonpath={.items[*].metadata.name}'`
+    for pod in $podNames; do
+      nodeName=$(kubectl get pod "$pod" -n kube-system -o jsonpath={.spec.nodeName})
+      mkdir -p ./kubectl-ko-log/$nodeName/
+    done
+}
+
+log_kube_ovn(){
+  echo "Collecting kube-ovn logging files"
+  podNames=`kubectl get pod -n kube-system -l app=kube-ovn-cni -o 'jsonpath={.items[*].metadata.name}'`
+  for pod in $podNames; do
+    nodeName=$(kubectl get pod "$pod" -n kube-system -o jsonpath={.spec.nodeName})
+    mkdir -p ./kubectl-ko-log/$nodeName/kube-ovn
+    kubectl cp $pod:/var/log/kube-ovn ./kubectl-ko-log/$nodeName/kube-ovn -n kube-system -c cni-server > /dev/null || :
+  done
+}
+
+log_ovn_ovs(){
+  component_param=$1
+  echo "Collecting $component_param logging files"
+  podNames=`kubectl get pod -n kube-system -l app=ovs -o 'jsonpath={.items[*].metadata.name}'`
+  for pod in $podNames; do
+    nodeName=$(kubectl get pod "$pod" -n kube-system -o jsonpath={.spec.nodeName})
+    mkdir -p ./kubectl-ko-log/$nodeName/$component_param
+    kubectl cp $pod:/var/log/$component_param ./kubectl-ko-log/$nodeName/$component_param -n kube-system > /dev/null || :
+  done
+}
+
+log_linux(){
+  component_param=$1
+  sub_component_param=$2
+  echo "Collecting $component_param $sub_component_param files"
+  podNames=`kubectl get pod -n kube-system -l app=ovs -o 'jsonpath={.items[*].metadata.name}'`
+  for pod in $podNames; do
+    nodeName=$(kubectl get pod "$pod" -n kube-system -o jsonpath={.spec.nodeName})
+    mkdir -p ./kubectl-ko-log/$nodeName/$component_param
+    if [[ "$sub_component_param" == "dmesg" ]]; then
+      kubectl exec $pod -n kube-system -- dmesg -T > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+    elif [[ "$sub_component_param" == "iptables-legacy" ]]; then
+      kubectl exec $pod -n kube-system -- /usr/sbin/iptables-legacy -V > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+      echo "******************legacy filter v4 ************************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+      kubectl exec $pod -n kube-system -- /usr/sbin/iptables-legacy -S >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+      echo "****************** legacy nat v4 ************************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+      kubectl exec $pod -n kube-system -- /usr/sbin/iptables-legacy -S -t nat >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+      echo "******************legacy filter v6 ************************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+      kubectl exec $pod -n kube-system -- /usr/sbin/ip6tables-legacy -S >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+      echo "****************** legacy nat v6 ************************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+      kubectl exec $pod -n kube-system -- /usr/sbin/ip6tables-legacy -S -t nat >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+    elif [[ "$sub_component_param" == "iptables-nft" ]]; then
+      kubectl exec $pod -n kube-system -- /usr/sbin/iptables-nft -V > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log 2>/dev/null || :
+      echo "*********************nft filter v4 ************************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+      kubectl exec $pod -n kube-system -- /usr/sbin/iptables-nft -S >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log 2>/dev/null || :
+      echo "********************* nft nat v4 ************************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+      kubectl exec $pod -n kube-system -- /usr/sbin/iptables-nft -S -t nat >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log 2>/dev/null || :
+      echo "*********************nft filter v6 ************************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+      kubectl exec $pod -n kube-system -- /usr/sbin/ip6tables-nft -S >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log 2>/dev/null || :
+      echo "********************* nft nat v6 ************************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+      kubectl exec $pod -n kube-system -- /usr/sbin/ip6tables-nft -S -t nat >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log 2>/dev/null || :
+    elif [[ "$sub_component_param" == "route" ]]; then
+      kubectl exec $pod -n kube-system -- ip route show > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+      kubectl exec $pod -n kube-system -- ip -6 route show >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+    elif [[ "$sub_component_param" == "link" ]]; then
+      kubectl exec $pod -n kube-system -- ip -d link show > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+    elif [[ "$sub_component_param" == "neigh" ]]; then
+      kubectl exec $pod -n kube-system -- ip n > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+      kubectl exec $pod -n kube-system -- ip -6 n >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+    elif [[ "$sub_component_param" == "memory" ]]; then
+      kubectl exec $pod -n kube-system -- free -m > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+    elif [[ "$sub_component_param" == "top" ]]; then
+      kubectl exec $pod -n kube-system -- top -b -n 1 > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+    elif [[ "$sub_component_param" == "sysctl" ]]; then
+      kubectl exec $pod -n kube-system -- sysctl -a > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+    elif [[ "$sub_component_param" == "netstat" ]]; then
+      kubectl exec $pod -n kube-system -- netstat -tunlp > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+    elif [[ "$sub_component_param" == "addr" ]]; then
+      kubectl exec $pod -n kube-system -- ip addr show > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+    elif [[ "$sub_component_param" == "ipset" ]]; then
+      kubectl exec $pod -n kube-system -- ipset list > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+    elif [[ "$sub_component_param" == "tcp" ]]; then
+      kubectl exec $pod -n kube-system -- cat /proc/net/sockstat > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+    fi
+  done
+}
+
+
+log(){
+  component="$1"
+  components=("kube-ovn" "ovs" "ovn" "linux" "all")
+  linux_sub_components=("dmesg" "iptables-legacy" "iptables-nft" "route" "link" "neigh" "memory" "top" "sysctl" "netstat" "addr" "ipset" "tcp")
+
+  if [[ ! " ${components[@]} " =~ " $component " ]]; then
+      echo "invalid component $component"
+      exit 1
+  fi
+
+  init_dir
+
+  if [[ "$component" == "kube-ovn" || "$component" == "all" ]]; then
+    log_kube_ovn
+  fi
+
+  if [[ "$component" == "ovn" || "$component" == "all" ]]; then
+    log_ovn_ovs "ovn"
+  fi
+
+  if [[ "$component" == "ovs" || "$component" == "all" ]]; then
+    log_ovn_ovs "openvswitch"
+  fi
+
+  if [[ "$component" == "linux" || "$component" == "all" ]]; then
+      for linux_sub_component in ${linux_sub_components[@]}; do
+        log_linux "linux" "$linux_sub_component"
+      done
+  fi
+
+  echo "Collected files have been saved in the directory $PWD/kubectl-ko-log "
+}
+
 checkKubeProxy(){
   if kubectl get ds -n kube-system --no-headers -o custom-columns=NAME:.metadata.name | grep '^kube-proxy$' >/dev/null; then
     checkDaemonSet kube-proxy
@@ -3812,6 +3933,9 @@ case $subcommand in
   perf)
     perf "$@"
     ;;
+  log)
+    log "$@"
+    ;;
   *)
   showHelp
     ;;