
Conversation

@grampelberg
Contributor

This does a couple things:

  • Adds delete for the jump rules to potentially address linkerd2#3563 (All linkerd components in Init:CrashLoopBackOff)
  • Moves cleanup to run before everything instead of during configuration for personal sanity
  • Simplifies the nsenter code a little so that the log output includes the commands run
  • Improves readability of log output
  • Uses iptables-save to get all rules instead of just the nat table
  • Fixes a personal pet peeve of if/else statements.

Here's the new output:

Tracing this script execution as [1573775205]
current state
------------------------------------------------------------
:; iptables-save


cleanup
------------------------------------------------------------
:; iptables -t nat -D OUTPUT -j PROXY_INIT_OUTPUT -m comment --comment proxy-init/install-proxy-init-prerouting/1573775205
iptables v1.6.0: Couldn't load target `PROXY_INIT_OUTPUT':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

:; iptables -t nat -D PREROUTING -j PROXY_INIT_REDIRECT -m comment --comment proxy-init/install-proxy-init-prerouting/1573775205
iptables v1.6.0: Couldn't load target `PROXY_INIT_REDIRECT':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

:; iptables -t nat -F PROXY_INIT_OUTPUT
iptables: No chain/target/match by that name.

:; iptables -t nat -X PROXY_INIT_OUTPUT
iptables: No chain/target/match by that name.

:; iptables -t nat -F PROXY_INIT_REDIRECT
iptables: No chain/target/match by that name.

:; iptables -t nat -X PROXY_INIT_REDIRECT
iptables: No chain/target/match by that name.



configuration
------------------------------------------------------------
Will ignore port 4190 on chain PROXY_INIT_REDIRECT
Will ignore port 4191 on chain PROXY_INIT_REDIRECT
Will redirect all INPUT ports to proxy
Ignoring uid 2102
Will ignore port 443 on chain PROXY_INIT_OUTPUT
Redirecting all OUTPUT to 4140


adding rules
------------------------------------------------------------
:; iptables -t nat -N PROXY_INIT_REDIRECT -m comment --comment proxy-init/redirect-common-chain/1573775205
:; iptables -t nat -A PROXY_INIT_REDIRECT -p tcp --destination-port 4190 -j RETURN -m comment --comment proxy-init/ignore-port-4190/1573775205
:; iptables -t nat -A PROXY_INIT_REDIRECT -p tcp --destination-port 4191 -j RETURN -m comment --comment proxy-init/ignore-port-4191/1573775205
:; iptables -t nat -A PROXY_INIT_REDIRECT -p tcp -j REDIRECT --to-port 4143 -m comment --comment proxy-init/redirect-all-incoming-to-proxy-port/1573775205
:; iptables -t nat -A PREROUTING -j PROXY_INIT_REDIRECT -m comment --comment proxy-init/install-proxy-init-prerouting/1573775205
:; iptables -t nat -N PROXY_INIT_OUTPUT -m comment --comment proxy-init/redirect-common-chain/1573775205
:; iptables -t nat -A PROXY_INIT_OUTPUT -m owner --uid-owner 2102 -o lo ! -d 127.0.0.1/32 -j PROXY_INIT_REDIRECT -m comment --comment proxy-init/redirect-non-loopback-local-traffic/1573775205
:; iptables -t nat -A PROXY_INIT_OUTPUT -m owner --uid-owner 2102 -j RETURN -m comment --comment proxy-init/ignore-proxy-user-id/1573775205
:; iptables -t nat -A PROXY_INIT_OUTPUT -o lo -j RETURN -m comment --comment proxy-init/ignore-loopback/1573775205
:; iptables -t nat -A PROXY_INIT_OUTPUT -p tcp --destination-port 443 -j RETURN -m comment --comment proxy-init/ignore-port-443/1573775205
:; iptables -t nat -A PROXY_INIT_OUTPUT -p tcp -j REDIRECT --to-port 4140 -m comment --comment proxy-init/redirect-all-outgoing-to-proxy-port/1573775205
:; iptables -t nat -A OUTPUT -j PROXY_INIT_OUTPUT -m comment --comment proxy-init/install-proxy-init-output/1573775205


end state
------------------------------------------------------------
:; iptables-save
# Generated by iptables-save v1.6.0 on Thu Nov 14 23:46:45 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PROXY_INIT_OUTPUT - [0:0]
:PROXY_INIT_REDIRECT - [0:0]
-A PREROUTING -m comment --comment "proxy-init/install-proxy-init-prerouting/1573775205" -j PROXY_INIT_REDIRECT
-A OUTPUT -m comment --comment "proxy-init/install-proxy-init-output/1573775205" -j PROXY_INIT_OUTPUT
-A PROXY_INIT_OUTPUT ! -d 127.0.0.1/32 -o lo -m owner --uid-owner 2102 -m comment --comment "proxy-init/redirect-non-loopback-local-traffic/1573775205" -j PROXY_INIT_REDIRECT
-A PROXY_INIT_OUTPUT -m owner --uid-owner 2102 -m comment --comment "proxy-init/ignore-proxy-user-id/1573775205" -j RETURN
-A PROXY_INIT_OUTPUT -o lo -m comment --comment "proxy-init/ignore-loopback/1573775205" -j RETURN
-A PROXY_INIT_OUTPUT -p tcp -m tcp --dport 443 -m comment --comment "proxy-init/ignore-port-443/1573775205" -j RETURN
-A PROXY_INIT_OUTPUT -p tcp -m comment --comment "proxy-init/redirect-all-outgoing-to-proxy-port/1573775205" -j REDIRECT --to-ports 4140
-A PROXY_INIT_REDIRECT -p tcp -m tcp --dport 4190 -m comment --comment "proxy-init/ignore-port-4190/1573775205" -j RETURN
-A PROXY_INIT_REDIRECT -p tcp -m tcp --dport 4191 -m comment --comment "proxy-init/ignore-port-4191/1573775205" -j RETURN
-A PROXY_INIT_REDIRECT -p tcp -m comment --comment "proxy-init/redirect-all-incoming-to-proxy-port/1573775205" -j REDIRECT --to-ports 4143
COMMIT
# Completed on Thu Nov 14 23:46:45 2019

@grampelberg
Contributor Author

grampelberg commented Nov 25, 2019

The cleanup rules here never worked. Just cleaning our own rules up will add some complexity and potentially paper over more fundamental underlying issues. @adleong and I chatted and agreed that the correct solution is to detect if any of our rules still exist. If they do exist, error out in a reasonable fashion and produce a sane error message to help the users dig into what's going on.

Member

@adleong adleong left a comment


This updated structure and output format is great!

As we discussed, I think making this error out if existing Linkerd rules are detected is a good idea.

@alpeb
Member

alpeb commented Nov 25, 2019

@grampelberg Nice refactor 👍
FWIW, the cleanup rules didn't work because, apparently, you have to feed the exact same comment:

$ iptables-save | grep A.OUTPUT
-A OUTPUT -m comment --comment "proxy-init/install-proxy-init-output/1574720803" -j PROXY_INIT_OUTPUT
$ iptables -t nat -D OUTPUT -j PROXY_INIT_OUTPUT -m comment --comment proxy-init/install-proxy-init-prerouting/1574303985
iptables: No chain/target/match by that name.
$ iptables -t nat -D OUTPUT -j PROXY_INIT_OUTPUT -m comment --comment proxy-init/install-proxy-init-output/1574720803
# success

So that'd require parsing the iptables-save output to extract those timestamps.

@grampelberg
Contributor Author

@alpeb yeah, there's no guarantee those are the only two rules as well. It'd be pretty easy with bash and way more complex than I'd like with how this is currently written.
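
The detection that @alpeb and @grampelberg describe, as an added Go example that is not part of this PR or of the proxy-init code base: it parses iptables-save output (every table, not only nat) for rules carrying the proxy-init/<name>/<timestamp> comment, derives the exact -D invocation that would remove each one, and refuses to configure when any are present. The sample iptables-save text, the ProxyInitRule type and both function names are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed iptables-save output; the two jump rules carry different timestamps, as in the thread.
const sampleSave = `*nat
-A PREROUTING -m comment --comment "proxy-init/install-proxy-init-prerouting/1574303985" -j PROXY_INIT_REDIRECT
-A OUTPUT -m comment --comment "proxy-init/install-proxy-init-output/1574720803" -j PROXY_INIT_OUTPUT
-A PROXY_INIT_OUTPUT -p tcp -m tcp --dport 443 -m comment --comment "proxy-init/ignore-port-443/1574720803" -j RETURN
COMMIT
`

// ProxyInitRule is one rule attributed to proxy-init by its comment marker.
type ProxyInitRule struct {
	Table, Chain, Name, Timestamp string
	DeleteArgs                    []string // iptables argv that removes exactly this rule
}

var commentRe = regexp.MustCompile(`--comment "proxy-init/([^/"]+)/([0-9]+)"`)

// FindProxyInitRules scans iptables-save output (every table, not only nat) for rules whose
// comment matches proxy-init/<name>/<timestamp>. Assumes the comments hold no spaces or quotes.
func FindProxyInitRules(save string) []ProxyInitRule {
	var rules []ProxyInitRule
	table := ""
	for _, line := range strings.Split(save, "\n") {
		if strings.HasPrefix(line, "*") {
			table = line[1:] // "*nat" -> "nat"
			continue
		}
		m := commentRe.FindStringSubmatch(line)
		if m == nil || !strings.HasPrefix(line, "-A ") {
			continue
		}
		// Replaying the "-A" line as "-D" is the exact-match delete the thread shows is required.
		fields := strings.Fields(strings.ReplaceAll(line, `"`, ""))
		args := append([]string{"-t", table, "-D"}, fields[1:]...)
		rules = append(rules, ProxyInitRule{table, fields[1], m[1], m[2], args})
	}
	return rules
}

// CheckNoExistingRules is the approach agreed in the thread: refuse to configure and name what is there.
func CheckNoExistingRules(save string) error {
	rules := FindProxyInitRules(save)
	if len(rules) == 0 {
		return nil
	}
	var lines []string
	for _, r := range rules {
		lines = append(lines, fmt.Sprintf("%s/%s %s ts=%s (remove: iptables %s)",
			r.Table, r.Chain, r.Name, r.Timestamp, strings.Join(r.DeleteArgs, " ")))
	}
	return fmt.Errorf("found %d existing proxy-init rule(s), refusing to configure:\n  %s",
		len(rules), strings.Join(lines, "\n  "))
}
```

In a real init container the input would come from running `iptables-save` inside the pod's network namespace, and a non-nil error from CheckNoExistingRules would abort before any rule is added.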

grampelberg and others added 2 commits July 16, 2020 16:19
Signed-off-by: Charles Pretzer <charles@buoyant.io>
@cpretzer cpretzer force-pushed the grampelberg/print-rules branch from e13ddb2 to b0bd9d4 Compare July 17, 2020 16:35
Signed-off-by: Charles Pretzer <charles@buoyant.io>
Contributor

@cpretzer cpretzer left a comment


Tested this locally against main and it's working as expected.

@cpretzer
Contributor

@alpeb What do you think is the right next step on this one? The comments above are correct in that this implementation is incomplete and chain rules can be left dangling or will be duplicated with different timestamps, which sounds like a different PR that will require some thought around the implementation.

@alpeb
Member

alpeb commented Jul 22, 2020

@cpretzer I think we can rescue all the code cleanup made in this PR, removing the rules cleanup added in ConfigureFirewall(). Then in a different PR indeed, we can tackle erroring whenever any of the linkerd rules are detected to exist already.

cpretzer added 2 commits July 23, 2020 11:09
Signed-off-by: Charles Pretzer <charles@buoyant.io>
Signed-off-by: Charles Pretzer <charles@buoyant.io>
@cpretzer cpretzer force-pushed the grampelberg/print-rules branch from 39e211f to f937777 Compare July 23, 2020 21:11
@cpretzer
Contributor

@alpeb this is updated with the feedback you provided

Member

@alpeb alpeb left a comment


Thanks @cpretzer (and @grampelberg), this looks good to me 👍

@cpretzer cpretzer merged commit a38ea17 into master Jul 29, 2020
alpeb added a commit that referenced this pull request Aug 6, 2020
Followup to #4

`iptables-save` doesn't accept the `-w` argument, which is causing the
script to error, when used in CNI.
alpeb added a commit that referenced this pull request Aug 6, 2020
Followup to #4

`iptables-save` doesn't accept the `-w` argument, which is causing the
script to error, when used in CNI.

Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
alpeb added a commit that referenced this pull request Aug 6, 2020
* iptables rules were failing in CNI when using --use-wait-flag

Followup to #4

`iptables-save` doesn't accept the `-w` argument, which is causing the
script to error, when used in CNI.

Also, properly escape nsenter args.

Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
@olix0r olix0r deleted the grampelberg/print-rules branch August 18, 2022 00:04
stevej pushed a commit that referenced this pull request Dec 3, 2022
Signed-off-by: Steve Jenson <stevej@buoyant.io>
stevej pushed a commit that referenced this pull request Dec 29, 2022
* modifying import paths and making a temporary copy of testutil/annotations.go

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* removed testutil, dockerized cni installer tests now pass

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* moving internal to pkg/linkerd-, removing Dockerfile until fixed, changing imports, removing linkerd2 k8s client with client-go

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* gofmt install-cni_test.go

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* go mod updates

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* adding pkg to Docker image

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* updating dev from v32 to v35 for go

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* moving back to old dev image

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* use dev:v32-go for go lint workflow

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* fixing linter complaints

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* fixing linter complaints

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #1

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #2

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #3

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #4

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #5

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #6

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* Replace pkg/ with internal/ (#148)

* Replace pkg/ with internal/

There's no need for a public library export. We can share code within
this repo via the `internal` directory.

* simplify package names

Signed-off-by: Oliver Gould <ver@buoyant.io>

* adding internal back. whoopsie

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* bumping dev go version

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* replace deprecated ioutil functions with io functions.

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* increasing timeout to help with linter issues, adding verbose

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* replace TODO with literals, wait for the linter to complain so we can give it the magic incantation to sleep now

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* more linter

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* gofmt

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* swap position of comment and argument as the linter has an opinion here, too

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* Update cni-plugin/main.go

Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>

* Update cni-plugin/main.go

Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>

* Update cni-plugin/main.go

Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>

* Update cni-plugin/main.go

Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>

* simplify lint call

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* removed unneeded abstraction

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* linter for cni-plugin and all go code

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* giving flags to go linter

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* run the test on the moved internal package

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* adding keys back for annotation lookup

Signed-off-by: Steve Jenson <stevej@buoyant.io>

Signed-off-by: Steve Jenson <stevej@buoyant.io>
Signed-off-by: Oliver Gould <ver@buoyant.io>
Co-authored-by: Oliver Gould <ver@buoyant.io>
Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>
stevej pushed a commit that referenced this pull request Jan 18, 2023
* modifying import paths and making a temporary copy of testutil/annotations.go

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* removed testutil, dockerized cni installer tests now pass

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* moving internal to pkg/linkerd-, removing Dockerfile until fixed, changing imports, removing linkerd2 k8s client with client-go

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* gofmt install-cni_test.go

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* go mod updates

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* adding pkg to Docker image

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* updating dev from v32 to v35 for go

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* moving back to old dev image

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* use dev:v32-go for go lint workflow

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* fixing linter complaints

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* fixing linter complaints

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #1

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #2

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #3

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #4

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #5

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* turning off noisy lint #6

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* adding in Dockerfile, just rules for building, and a workflow for testing the cni-plugin installer script

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* remember to setup docker

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* remember to setup docker-qemu

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* where is docker?

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* back to a named ubuntu version, removing devcontainer

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* we need just

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* WIP import of CNI plugin integration test environment. does not run due to image pull errors.

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* rewriting just rules to match new rules

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* bumping dev version, renaming smoke test

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* WIP for running smoke tests

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* go workflow fix

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* also rid ourselves of ioutil in this branch

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* adding a second, passing test

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* let's run the test in CI

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* name the test properly for CI to run it

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* made the installer integration tests more in-line with the other integration tests

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* cni-plugin integration test workflow

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* breaking up steps, renaming test

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* just

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* bringing changes from linkerd2 over

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* tests running within cni-plugin context

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* create service account and don't delete so we can inspect

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* fix namespaces, use matei's k3d/k3s mountPaths in the hopes that CNI will run in our pod.

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* WIP for debugging why CNI won't run in my own pods despite everything looking normal

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* adding whitespace, fixing comment, removing unneeded variable

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* fixing some small things

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* improving Dockerfile, going back to edge for linkerd-cni

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* cleaned up Dockerfile

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* using --link for 50% size improvement

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* cleanup unused functions, run network-validator before test suite

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* remove qemu setup, add comment about log level

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* add wiring to see cni-net-dir and check for kubeconfig

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* checking that linkerd-cni is the last plugin in the conflist

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* renaming smoke_test to flannel

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* rename files, update justfile

* name a test file _test so the test runner will run my test

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* renaming to flannel

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* remove hardcoded filename

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* clarified comment

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* fixed merge conflict error

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* fix log levels

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* fix a log level

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* run test on all files in ./cni-plugin

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* comment explaining why there's no ENTRYPOINT

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* use a map instead of an array for simplicity

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* abstract which integration test subdirectory gets used, add internal to ensure those packages are tested

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* go.yml is already running these tests are there no integration tests in there to run

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* breaking up a line

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* renaming SUBDIRECTORY to SCENARIO and renaming a run just target to flannel to signify that this is the rule to crib for other scenarios

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* better error handling of the cleanup() function, print more diagnostic information if linkerd-cni rollout fails

Signed-off-by: Steve Jenson <stevej@buoyant.io>

* add error handling for describe ds and logs

Signed-off-by: Steve Jenson <stevej@buoyant.io>

Signed-off-by: Steve Jenson <stevej@buoyant.io>