-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix use of "-w" flag to iptables-restore #60978
Fix use of "-w" flag to iptables-restore #60978
Conversation
iptables accepts "-w5" but iptables-restore requires "-w 5"
/kind bug |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: danwinship, eparis The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
The problem also exist in iptables-restore v1.4.21.
|
"Real" iptables 1.4.21 doesn't support --version or -w, and kubernetes won't try to use the flag with it. RHEL ships iptables 1.4.21 plus a lot of backports, including the --version and -w patches. Unfortunately, iptables-restore 1.4.21 doesn't consider it a fatal error to pass an unrecognized flag (like iptables-restore 1.6.2 does); it prints an error about the "5", but it doesn't exit, and it still accepts the "-w". So that's how the bug slipped in to kubernetes; it was tested against the RHEL version of iptables, and the |
I changed my OS from CentOS 7 to Fedora 27 now running iptables v1.6.1. It dont get the -w5 error in journalctl, but the rules still not showing in Now i get this :
Made an issue here : #61005 |
Am I the only one that thinks that Red Hat not changing the version number but expecting the new flag to work is somewhat wrong? Or am I misunderstanding? |
You could argue that it's wrong, but that's totally separate from this PR (which is needed in order to support the official upstream iptables release). And the "detecting whether iptables-restore supports -w or not" part is working fine anyway. It's the "actually use -w" part that was broken. |
This should get whatever tags, milestones, etc, are needed to make sure it ends up in 1.10.x as soon as possible after the .0 freeze ends |
/retest Review the full test history for this PR. Silence the bot with an |
[MILESTONENOTIFIER] Milestone Pull Request Labels Incomplete Action required: This pull request requires label changes. If the required changes are not made within 3 days, the pull request will be moved out of the v1.10 milestone. priority: Must specify exactly one of |
Automatic merge from submit-queue (batch tested with PRs 60978, 60985). If you want to cherry-pick this change to another branch, please follow the instructions here. |
Is there any way this could be merged into v1.9 milestone? We upgraded to v1.9.5 in order to fix some other issues, then began encountering this. Please let us know what can be done, thanks! |
Automatic merge from submit-queue. Fix use of "-w" flag to iptables-restore Backport of #60978. Will be needed by kube 1.9 users who upgrade to iptables 1.6.2. (Older kube releases had different code and don't need the backport.) **Release note**: ```release-note Fixed kube-proxy to work correctly with iptables 1.6.2 and later. ```
I am using kops debain stretch image which has iptables 1.6.0 and even after upgrading the cluster to 1.9.7 which has this fix backported the issue still remains. I still see the error in the logs and the services present on the node started crashing with liveness failures. |
iptables 1.6.0 does not need this fix. you presumably have a different problem |
iptables accepts "-w5" but iptables-restore requires "-w 5", so kube-proxy is currently broken for people with an iptables-restore new enough that kube-proxy tries to use the new flags.
Fixes #58956
Release note: