bump iptables version to v1.8.8 #8416
/sem-approve
Thanks a lot @cyclinder, I've kicked off CI.
Failing with this error:
Thanks @fasaxc
Yeah, this is the issue I mentioned in #8403 (comment), and I'm trying to fix it now, so this PR is in draft state. As soon as I fix it, I'll mark it as ready.
Hey @matthewdupre @mazdakn, would you mind giving me some advice? Currently, I'm stuck at this point. Any suggestions would be appreciated. Thanks!
In fact we can be sure that ip6tables is there, but I wonder why this script is complaining that it has been deleted. but why
@cyclinder
@coutinhop Yes, we have not found
I'm more inclined to say that the symlink is incorrect, and
I think the whole point of that custom build logic is to build the legacy and nft versions of iptables. Normally, RPMs contain one or the other with the same name
So it seems that iptables-legacy is not included in our custom compiled iptables... Or it needs to be compiled separately
We may need to get iptables legacy from a different source to iptables-nft - I think that's OK, and probably inevitable given the deprecation progress of iptables. |
Thanks @matthewdupre. Yeah, we really should build both legacy and NFT and then let the runtime choose which one to use. @fasaxc Can you help trigger the CI and then see what happens with the CI?
/sem-approve
node/Dockerfile.arm64
ARG LIBNFTNL_SOURCERPM_URL=${CENTOS_MIRROR_BASE_URL}/BaseOS/Source/SPackages/libnftnl-${LIBNFTNL_VER}.el9.src.rpm | ||
ARG IPTABLES_SOURCERPM_URL=${CENTOS_MIRROR_BASE_URL}/BaseOS/Source/SPackages/iptables-${IPTABLES_VER}.el9.src.rpm |
arm64 build failed with a 404 on this package, changing the URL to match the amd64 build seems to fix it:
ARG LIBNFTNL_SOURCERPM_URL=${CENTOS_MIRROR_BASE_URL}/BaseOS/Source/SPackages/libnftnl-${LIBNFTNL_VER}.el9.src.rpm | |
ARG IPTABLES_SOURCERPM_URL=${CENTOS_MIRROR_BASE_URL}/BaseOS/Source/SPackages/iptables-${IPTABLES_VER}.el9.src.rpm | |
ARG LIBNFTNL_SOURCERPM_URL=${CENTOS_MIRROR_BASE_URL}/BaseOS/source/tree/Packages/libnftnl-${LIBNFTNL_VER}.el9.src.rpm | |
ARG IPTABLES_SOURCERPM_URL=${CENTOS_MIRROR_BASE_URL}/BaseOS/source/tree/Packages/iptables-${IPTABLES_VER}.el9.src.rpm |
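Review bot: the LIBNFTNL_SOURCERPM_URL and IPTABLES_SOURCERPM_URL paths in node/Dockerfile.arm64 are maintained separately from the amd64 Dockerfile, which is how the arm64 copy drifted and hit the 404 described above. Consider defining the two URLs once and passing them to both builds as shared build args so the architectures cannot diverge. These lines select the source RPMs by URL only, so it is also worth checking that the step which downloads them verifies a pinned checksum or the RPM signature before the build uses them.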
Oh, I forgot to commit the changes in Dockerfile.arm64, now let me resubmit them!
/sem-approve
CI is green and image looks good:
$ make image
(...)
$ docker run -it --rm calico/node sh
sh-4.4# iptables --version
iptables v1.8.8 (legacy)
sh-4.4# iptables-nft --version
iptables v1.8.8 (nf_tables)
Thanks @cyclinder! 🎉
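The manual version check in the review above can be turned into a repeatable image gate. The script below is an added example, not part of the PR or the Calico code base; the function names and the default minimum version argument are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not Calico project code). Function names and the default
# minimum version argument are assumptions chosen for illustration.

# version_ge A B: succeed when dotted version A >= B, comparing numerically
# field by field (so 1.8.10 > 1.8.8, which a string compare gets wrong).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# check_backend LINE BACKEND MIN: LINE is one line of `--version` output,
# e.g. "iptables v1.8.8 (legacy)". Returns 0 if OK, 1 if older than MIN,
# 2 if the backend tag is wrong or absent, 3 if the line cannot be parsed.
check_backend() {
    want=$2 min=$3
    set -f                      # no globbing while splitting the line
    set -- $1
    set +f
    ver=${2:-} backend=${3:-}
    case $ver in v[0-9]*) ver=${ver#v} ;; *) return 3 ;; esac
    case $ver in *[!0-9.]*) return 3 ;; esac
    [ "$backend" = "($want)" ] || return 2
    version_ge "$ver" "$min" || return 1
    return 0
}

# check_both LEGACY_LINE NFT_LINE [MIN]: both builds must be present.
check_both() {
    floor=${3:-1.8.8}
    check_backend "$1" legacy "$floor" || return $?
    check_backend "$2" nf_tables "$floor" || return $?
}

# Version lines as shown in the review above. In CI the two arguments would
# come from running `iptables --version` and `iptables-nft --version` in the image.
check_both "iptables v1.8.8 (legacy)" "iptables v1.8.8 (nf_tables)" \
    && echo "ok: legacy and nf_tables builds present at >= 1.8.8"
```

A non-zero exit from `check_both` distinguishes an outdated build (1) from a missing or mislabelled backend (2), which is the failure this PR ran into when the legacy binary was not in the custom build.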
Description
Currently, the iptables version of calico-node is 1.8.4, The
iptables-nft-save -t raw
are incompatible. This patch will bump iptables to 1.8.8, which can solve the incompatible issue.
Related issues/PRs
fixes #8403
Todos
Release Note
Reminder for the reviewer
Make sure that this PR has the correct labels and milestone set.
Every PR needs one docs-* label.
docs-pr-required: This change requires a change to the documentation that has not been completed yet.
docs-completed: This change has all necessary documentation completed.
docs-not-required: This change has no user-facing impact and requires no docs.
Every PR needs one release-note-* label.
release-note-required: This PR has user-facing changes. Most PRs should have this label.
release-note-not-required: This PR has no user-facing changes.
Other optional labels:
cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.