Resolution to Issue 3, IPAM and iptable rules' solution

[cmyers-mieweb]

Solution for Issue 3 that does the following.

1. Copies over a present copy of the nginx port map from the load balancer into the pve1 temp directory
2. Compiles a pct list of intern-phxdc-pve1 and intern-phxdc-pve2 and records current hostnames of systems.
3. Checks for containers not present within the pct list and removes iptables rules for hostnames' correlated IP address and ports, freeing them for a new container.
4. Logs all results to /var/log/prune_iptables.log
   Test results posted below.
   
   

Additional Considerations

• Removing the DHCP lease was also considered, however after inspecting the dnsmasq lease file, it appears that dnsmasq already handles this. I am guessing that the permanent reservation will check whether or not the container is still active and reassign the address with more lease time. Otherwise reserve for when that MAC address re-enters the online state.
• A cronjob still needs to be configured after this script is reviewed.

[maxklema]

Some hosts that are still in the cluster have their IP rules removed when the script is ran (without the -u flag in pitfall).

With the -u flag in pitfall, running the script gives me an unbound variable error:

pct list gives the hostnames in the fourth column. Can the hostnames be scraped this way instead of iterating into each CTID's configuration file and scraping the hostname from the hostname field?

In addition to removing iptables, the script should also remove the JSON entry for all hostnames that need to be removed in /etc/nginx/port_map.json. After re-reading the code, I was reading the logic backwards. Scraping hostnames from the pct list and then checking if hostnames in the port_map.json are not in that list is the right way to go about this. I read it the other way around, originally.

[cmyers-mieweb]

Fixes that have been requested have been implemented in the recent commit. Detailed logging has also been added to illustrate specific steps in the prune process to better show the script's behavior and functions. Verification has also been added to ensure that the port_map.json file is correct and stable to match the exact environment present at the time of script execution. If iptables rules have already been removed, manually, the script will identify this and notify in the logs that it could not locate an iptable rule for the given address tied to the removed container.

[maxklema]

The script is mostly working as expected. Tested and deleted hosts were removed from the JSON port map, and that was copied over correctly to the nginx container.

The only issue is that the iptables for these hosts were not removed. I believe it has to do with the line:

# Capture rules into an array first to avoid subshell issues with 'while read'
mapfile -t RULES_TO_DELETE < <(sudo iptables -t nat -S | grep "$hostname" || true) # Added sudo, || true to prevent pipefail if grep finds nothing

Here, it is filtering by the hostname instead of the IP address. IP table rules do not contain the hostname, so there will never be any results. Changing this should return the expected behavior.

[cmyers-mieweb]

Thanks for catching this, this was resolved by changing the conditional variable from hostname > ip with an additional 'w' flag on the grep to ensure we strictly check for the exact IP. See screenshots of runs below.

Container is made using create-container tool

Rules are checked to ensure a rule was made.

Container is destroyed and script is ran.

Log Output

[maxklema]

Tested the script and it successfully pruned iptable rules for no-longer existing containers. Good to merge PR.