v1.9.6 RHEL/CENTOS 7.6 iptables-restore failing. No Service rules #71751

Open
jamestutton opened this Issue Dec 5, 2018 · 3 comments

jamestutton commented Dec 5, 2018

What happened:

Services fail to create iptables rules and error out with:

iptables-restore: invalid option -- '5'

What you expected to happen:

iptables-restore should complete and add nat rules for services

How to reproduce it (as minimally and precisely as possible):

Install CentOS 7.6 and Kubernetes and try to enable a load-balanced service.

Anything else we need to know?:

The -w switch is not and has never been a valid switch; it should be --wait=5

> iptables-restore --help

Usage: iptables-restore [-b] [-c] [-v] [-V]  [-t] [-h] [-W usecs]
           [ --binary ]
           [ --counters ]
           [ --verbose ]
           [ --version]
           [ --test ]
           [ --help ]
           [ --noflush ]
           [ --wait=<seconds>
           [ --wait-interval=<usecs>
           [ --table=<TABLE> ]
           [ --modprobe=<command>]

> iptables-restore -V

iptables-restore v1.4.21

Environment:

  • Kubernetes version (use kubectl version):
    Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.6", GitCommit:"9f8ebd171479bec0ada837d7ee641dec2f8c6dd1", GitTreeState:"clean", BuildDate:"2018-03-21T15:21:50Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
    Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.6", GitCommit:"9f8ebd171479bec0ada837d7ee641dec2f8c6dd1", GitTreeState:"clean", BuildDate:"2018-03-21T15:13:31Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

  • Cloud provider or hardware configuration:
    Bare Metal

  • OS (e.g. from /etc/os-release):
    CentOS Linux release 7.6.1810 (Core)

  • Kernel (e.g. uname -a):
    3.10.0-957.1.3.el7.x86_64 #1 SMP Thu Nov 29 14:49:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Extended Explanation:

Based on the comments I made on #58956.

This is now potentially a larger issue with the release of CentOS 7.6 and RHEL 7.6, as it is now a blocking error, it seems, due to a fix for RHEL bug 1465078.

This also impacts updated EL 7.5, as below:

  cat /etc/redhat-release

CentOS Linux release 7.5.1804 (Core)

yum list iptables
Installed Packages
iptables.x86_64                                                             1.4.21-24.1.el7_5

#   iptables-restore -w5
iptables-restore: invalid option -- '5'

So in iptables-1.4.21-24.1.el7 the flag is invalid, but the restore goes ahead with an error.

But in iptables-1.4.21-28.el7:

yum update iptables

yum list installed iptables

Installed Packages
iptables.x86_64                                                                1.4.21-28.el7


iptables-restore -w5
iptables-restore: invalid option -- '5'
Try `iptables-restore -h' for more information.

We now have a BLOCKING ERROR and the restore fails, meaning the iptables rules do not apply or update correctly and Kubernetes services do not NAT correctly.

/kind bug

jamestutton commented Dec 5, 2018

/sig network

@k8s-ci-robot k8s-ci-robot added sig/network and removed needs-sig labels Dec 5, 2018

Contributor

danwinship commented Dec 5, 2018

* Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.6",

The bug was fixed in 1.9.7, which was released 8 months ago

jamestutton commented Dec 5, 2018

OK, that's good to know. Unfortunately we are using a Kubernetes version packaged as part of a vendor's product, so will push back on them as we can't directly upgrade the Kubernetes version.

Although I would still strongly argue for the --wait=5 arg to be used vs the -w 5 with or without a space, as the former appears to be less ambiguous and better supported across platforms, so I struggle to see the benefits of using the short arg in this instance.

@jamestutton jamestutton changed the title from RHEL/CENTOS 7.6 iptables-restore failing. No Service rules to v1.9.6 RHEL/CENTOS 7.6 iptables-restore failing. No Service rules Dec 7, 2018
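
The following is an added example, not part of the original issue thread and not Kubernetes code: it selects the wait argument from the usage text that iptables-restore itself prints (using an excerpt of the EL7 output quoted in the issue) and propagates a failed restore instead of ignoring it. The names `pick_wait_flag` and `restore_rules` and the second usage sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: choose an iptables-restore lock-wait argument from the
# binary's own usage text instead of assuming the short -w form.

# Excerpt of the usage text quoted in the issue (iptables-restore v1.4.21, EL7).
EL7_USAGE='Usage: iptables-restore [-b] [-c] [-v] [-V]  [-t] [-h] [-W usecs]
           [ --noflush ]
           [ --wait=<seconds>
           [ --wait-interval=<usecs>
           [ --table=<TABLE> ]'

# Constructed sample: a build whose usage text mentions no wait option.
NOWAIT_USAGE='Usage: iptables-restore [-b] [-c] [-v] [-V] [-t] [-h]
           [ --noflush ]
           [ --table=<TABLE> ]'

# pick_wait_flag USAGE_TEXT SECONDS
# Prints "--wait=SECONDS" when the usage text advertises the long option,
# prints nothing when it does not, and returns 2 on a non-numeric timeout.
pick_wait_flag() {
    usage=$1
    secs=$2
    case $secs in
        ''|*[!0-9]*) echo "timeout must be a whole number of seconds" >&2; return 2 ;;
    esac
    case $usage in
        *--wait=*) printf '%s\n' "--wait=$secs" ;;
        *) : ;;   # "--wait-interval=" alone does not match "--wait="
    esac
}

# restore_rules FILE: hypothetical wrapper. It asks the local binary for its
# usage text, adds the wait argument only if supported, and propagates the
# exit status so a rejected option is never mistaken for applied rules.
restore_rules() {
    rules=$1
    flag=$(pick_wait_flag "$(iptables-restore --help 2>&1)" 5) || return 2
    # $flag is intentionally unquoted: empty means "pass no extra argument".
    if ! iptables-restore $flag --noflush < "$rules"; then
        echo "iptables-restore failed; service NAT rules were not applied" >&2
        return 1
    fi
}
```

`restore_rules` needs root and a real rules file, so only `pick_wait_flag` can be exercised offline against the embedded usage samples.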
