keepalived vip (vrrp) requires 224.0.0.18/32 #11327
Conversation
|
@knobunc @rajatchopra @ramr - this change makes the ipf pod create a rule for 224.0.0.18 if none exists. |
| @@ -46,6 +46,14 @@ function setup_failover() { | |||
| echo "ERROR: Module ip_vs is NOT available." | |||
| fi | |||
|
|
|||
| echo " - Check for iptables rule for keepalived multicast (224.0.0.18) ..." | |||
| iptables -S | grep 224.0.0.18 > /dev/null | |||
| if [ $? -eq 1 ]; then | |||
There was a problem hiding this comment.
Prefer explicit result check:
if ! iptables -S | grep -q "224.0.0.18"; then
There was a problem hiding this comment.
Might be better to explicitly check if there is an input rule matching that multicast address - iptables has a
check option with -C and change as @stevekuznetsov mentioned. Something like:
if ! iptables -C INPUT -d 224.0.0.18/32 -j ACCEPT > /dev/null ; then
...
iptables -I INPUT 1 -d 224.0.0.18/32 -j ACCEPT > /dev/null
fi There was a problem hiding this comment.
I made Steve's change. Ram, I have found the reference in OS_FIREWALL_ALLOW as well.That is why I just look for the address. Also, an admin can put the rule anywhere it will work.
|
@stevekuznetsov @ramr @rajatchopra @knobunc I made Steve's change. PTAL |
| @@ -46,6 +46,13 @@ function setup_failover() { | |||
| echo "ERROR: Module ip_vs is NOT available." | |||
| fi | |||
|
|
|||
| echo " - Check for iptables rule for keepalived multicast (224.0.0.18) ..." | |||
There was a problem hiding this comment.
Can we please make this behavior configurable by an ENV? Default it to enabled.
| if ! iptables -S | grep 224.0.0.18 > /dev/null ; then | ||
| # Add the rule to the beginning of the INPUT chain. | ||
| echo " - adding iptables rule to access 224.0.0.18." | ||
| iptables -I INPUT 1 -d 224.0.0.18/32 -j ACCEPT > /dev/null |
There was a problem hiding this comment.
Make the chain ENV configurable. Default to INPUT.
pecameron
force-pushed
the
bz1381632
branch
2 times, most recently
from
773f68a
to
3ee8514
Compare
|
@openshift/team-atomicopenshift PTAL This version makes sure an iptables rule to pass 224.0.0.18 exists. If not a rule is added to the head of chain $OPENSHIFT_HA_CHAIN, if present otherwise chain INPUT. |
|
@stevekuznetsov @knobunc I have made your recommended changes PTAL |
|
@knobunc I am confused. The new OPENSHIFT_HA_CHAIN variable allows the desired chain to be set in the ipf's dc. What would you like to change? |
|
@knobunc click the "View changes" button at the end of the red x line |
|
@pecameron I want a second knob that I can set to tell the ipfailover not to touch iptables at all. |
|
@knobunc I made the change to not alter existing deployments on upgrade. PTAL |
|
Looks like this was closed accidentally. |
|
@stevekuznetsov It was closed by accident. You still have a requested change. PTAL @knobunc there needs to be a doc change for this. I will write it up and get a doc PR going. Do we need a different bug number? |
|
I like @ramr idea of a more explicit |
|
@stevekuznetsov I'd argue for the grep because we want to do this by default (for new ipfailover setups), and the user may have already created a rule in iptables to handle it. Since we don't know how the chains are laid out, it could be in a different chain that they jump to (e.g. OS_FIREWALL_ALLOW). However, I see your argument for a more robust check now that we allow specification of a chain, and allow the feature to be disabled. So I could be swayed. Thoughts? |
|
I'm always in favor of more restrictive checks, but if we can't control the |
|
@knobunc @stevekuznetsov @ramr After speaking with Ben we decided to add a new option, --iptables-chain to the oadm ipfailover command. I updated the (origin based) docs and tests as well. PTAL |
| # (OPENSHIFT_HA_IPTABLES_CHAIN) make sure the rule to pass keepalived | ||
| # multicast (224.0.0.18) is in the table. | ||
| chain="${OPENSHIFT_HA_IPTABLES_CHAIN:-""}" | ||
| if [ ! -z ${chain} ]; then |
There was a problem hiding this comment.
Unless this needs POSIX compliance, prefer [[ over [. In ether case, use -n instead of ! -z.
There was a problem hiding this comment.
I made the changes
| @@ -95,6 +95,7 @@ func NewCmdIPFailoverConfig(f *clientcmd.Factory, parentName, name string, out, | |||
| cmd.Flags().BoolVar(&options.Create, "create", options.Create, "Create the configuration if it does not exist.") | |||
|
|
|||
| cmd.Flags().StringVar(&options.VirtualIPs, "virtual-ips", "", "A set of virtual IP ranges and/or addresses that the routers bind and serve on and provide IP failover capability for.") | |||
| cmd.Flags().StringVar(&options.IptablesChain, "iptables-chain", "INPUT", "Add a rule to this iptables chain to accept 224.0.0.28 multicast packets if no rule exists. When iptables-chain is empty donot change iptables.") | |||
There was a problem hiding this comment.
Maybe something like:
"If specified and no matching iptables rules exist, adds a rule to this iptables chain that accepts packets sent to an multicast address 224.0.0.28. Defaults to using the iptables INPUT chain.
|
Minor corrections but otherwise looks good to me |
|
[test] |
|
"FAILURE: Generated docs up to date, but generated man pages out of date. Please run hack/update-generated-docs.sh" |
|
[test] |
|
flake #11374 re-[test] |
| @@ -71,6 +71,7 @@ os::cmd::expect_success_and_text 'oadm ipfailover --virtual-ips="1.2.3.4" --dry- | |||
| os::cmd::expect_success_and_text 'oadm ipfailover --virtual-ips="1.2.3.4" --dry-run -o yaml' 'name: ipfailover' | |||
| os::cmd::expect_success_and_text 'oadm ipfailover --virtual-ips="1.2.3.4" --dry-run -o name' 'deploymentconfig/ipfailover' | |||
| os::cmd::expect_success_and_text 'oadm ipfailover --virtual-ips="1.2.3.4" --dry-run -o yaml' '1.2.3.4' | |||
| os::cmd::expect_success_and_text 'oadm ipfailover --virtual-ips="1.2.3.4" --iptables-chain="MY_CHAIN"--dry-run -o yaml' 'value: MY_CHAIN' | |||
There was a problem hiding this comment.
Do we need a space here between MY_CHAIN" and --dry-run ?
There was a problem hiding this comment.
Yes, and if this current syntax doesn't fail this test we need to look into why.
There was a problem hiding this comment.
@dcbw - Yes it does. Good spot, thanks for looking at this.
I fixed it.
| @@ -71,6 +71,7 @@ os::cmd::expect_success_and_text 'oadm ipfailover --virtual-ips="1.2.3.4" --dry- | |||
| os::cmd::expect_success_and_text 'oadm ipfailover --virtual-ips="1.2.3.4" --dry-run -o yaml' 'name: ipfailover' | |||
| os::cmd::expect_success_and_text 'oadm ipfailover --virtual-ips="1.2.3.4" --dry-run -o name' 'deploymentconfig/ipfailover' | |||
| os::cmd::expect_success_and_text 'oadm ipfailover --virtual-ips="1.2.3.4" --dry-run -o yaml' '1.2.3.4' | |||
| os::cmd::expect_success_and_text 'oadm ipfailover --virtual-ips="1.2.3.4" --iptables-chain="MY_CHAIN"--dry-run -o yaml' 'value: MY_CHAIN' | |||
There was a problem hiding this comment.
Yes, and if this current syntax doesn't fail this test we need to look into why.
|
[test] |
|
@stevekuznetsov PTAL. |
|
@knobunc which part should I be looking at? |
| chain="${OPENSHIFT_HA_IPTABLES_CHAIN:-""}" | ||
| if [[ -n ${chain} ]]; then | ||
| echo " - check for iptables rule for keepalived multicast (224.0.0.18) ..." | ||
| if ! iptables -S | grep 224.0.0.18 > /dev/null ; then |
There was a problem hiding this comment.
If something were to go wrong with this, you'll get stuff from stderr popping out -- maybe this is intended? If not, > /dev/null 2>&1.
There was a problem hiding this comment.
I can go either way with this. I'll make the change.
| if ! iptables -S | grep 224.0.0.18 > /dev/null ; then | ||
| # Add the rule to the beginning of the chain. | ||
| echo " - adding iptables rule to $chain to access 224.0.0.18." | ||
| iptables -I ${chain} 1 -d 224.0.0.18/32 -j ACCEPT > /dev/null |
There was a problem hiding this comment.
Why do we want to suppress the output of this command?
There was a problem hiding this comment.
The echo above notes that we are doing it. I'll display the output (if any)
|
@stevekuznetsov just asking you to re-review and flip your NAK to an ACK if appropriate. Thanks! |
Modified the ipf pod startup to check for iptables rule to allow 224.0.0.18
and if missing add it. By default the rule is added to the head of the
INPUT chain. This can be overridden by OPENSHIFT_HA_CHAIN environment
variable in the ipf dc.
Existing deployments do not have OPENSHIFT_HA_CHAIN and no changes will
be made to the iptables. It is assumed that they are configured
properly. New deployments will have OPENSHIFT_HA_CHAIN and as long as it
is not empty ("") the rule for 224.0.0.18 will be inserted if not
present.
Added --iptables-chain="" option to oadm ipfailover command to pass
the desired iptables chain. Default is INPUT. When string is ""
no changes are made to iptables.
When keepalived traffic over 224.0.0.18 is blocked multiple nodes
will report as master. This change checks for an iptables rule and
adds it if missing.
Documentation changes are in openshift-docs (PR ....)
Resolves: 1381632
Signed-off-by: Phil Cameron <pcameron@redhat.com>
|
@stevekuznetsov I made your suggested changes. |
|
Evaluated for origin test up to b5d81e1 |
|
LGTM |
|
LGTM [merge] |
|
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/10206/) (Base Commit: a941850) |
|
Flake #11442 [merge] |
|
@knobunc you merged this yesterday and it seems to be stuck. |
|
@pecameron as is written in the comment above, you are in the merge queue and will just have to wait your turn |
|
@stevekuznetsov Thanks for the reply. I didn't know how long this should take and after 23 hours I thought it might be hung. |
|
Evaluated for origin merge up to b5d81e1 |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/10373/) (Base Commit: 4a1aec0) (Image: devenv-rhel7_5212) |
Modified the ipf pod startup to check for iptables rule to allow 224.0.0.18 and if missing add it. By default the rule is added to the head of the INPUT chain. This can be overridden by OPENSHIFT_HA_IPTABLES_CHAIN environment variable in the ipf dc.
Existing deployments do not have OPENSHIFT_HA_IPTABLES_CHAIN and no changes will
be made to the iptables. It is assumed that they are configured
properly. New deployments will have OPENSHIFT_HA_IPTABLES_CHAIN and as long as it
is not empty ("") the rule for 224.0.0.18 will be inserted if not
present.
Added --iptables-chain="" option to oadm ipfailover command to pass
the desired iptables chain. Default is INPUT. When string is ""
no changes are made to iptables.
When keepalived traffic over 224.0.0.18 is blocked multiple nodes
will report as master. This change checks for an iptables rule and
adds it if missing.
Resolves: 1381632
See: openshift/openshift-docs PR 3051
Signed-off-by: Phil Cameron pcameron@redhat.com