Modified the ipf pod startup to check for iptables rule to allow 224.0.0.18
and if missing add it. By default the rule is added to the head of the
INPUT chain. This can be overridden by OPENSHIFT_HA_CHAIN environment
variable in the ipf dc.
Existing deployments do not have OPENSHIFT_HA_CHAIN and no changes will
be made to the iptables. It is assumed that they are configured
properly. New deployments will have OPENSHIFT_HA_CHAIN and as long as it
is not empty ("") the rule for 224.0.0.18 will be inserted if not
present.
Added --iptables-chain="" option to oadm ipfailover command to pass
the desired iptables chain. Default is INPUT. When string is ""
no changes are made to iptables.
When keepalived traffic over 224.0.0.18 is blocked multiple nodes
will report as master. This change checks for an iptables rule and
adds it if missing.
Documentation changes are in openshift-docs (PR ....)
Resolves: 1381632
Signed-off-by: Phil Cameron <pcameron@redhat.com>
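--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -2289,6 +2289,8 @@ _oadm_ipfailover()
 flags+=("--interface=")
 two_word_flags+=("-i")
 local_nonpersistent_flags+=("--interface=")
+ flags+=("--iptables-chain=")
+ local_nonpersistent_flags+=("--iptables-chain=")
 flags+=("--latest-images")
 local_nonpersistent_flags+=("--latest-images")
 flags+=("--output=")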
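--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -2376,6 +2376,8 @@ _oc_adm_ipfailover()
 flags+=("--interface=")
 two_word_flags+=("-i")
 local_nonpersistent_flags+=("--interface=")
+ flags+=("--iptables-chain=")
+ local_nonpersistent_flags+=("--iptables-chain=")
 flags+=("--latest-images")
 local_nonpersistent_flags+=("--latest-images")
 flags+=("--output=")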
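--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -2289,6 +2289,8 @@ _openshift_admin_ipfailover()
 flags+=("--interface=")
 two_word_flags+=("-i")
 local_nonpersistent_flags+=("--interface=")
+ flags+=("--iptables-chain=")
+ local_nonpersistent_flags+=("--iptables-chain=")
 flags+=("--latest-images")
 local_nonpersistent_flags+=("--latest-images")
 flags+=("--output=")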
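--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -6797,6 +6799,8 @@ _openshift_cli_adm_ipfailover()
 flags+=("--interface=")
 two_word_flags+=("-i")
 local_nonpersistent_flags+=("--interface=")
+ flags+=("--iptables-chain=")
+ local_nonpersistent_flags+=("--iptables-chain=")
 flags+=("--latest-images")
 local_nonpersistent_flags+=("--latest-images")
 flags+=("--output=")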
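--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -18710,6 +18714,8 @@ _openshift_ex_ipfailover()
 flags+=("--interface=")
 two_word_flags+=("-i")
 local_nonpersistent_flags+=("--interface=")
+ flags+=("--iptables-chain=")
+ local_nonpersistent_flags+=("--iptables-chain=")
 flags+=("--latest-images")
 local_nonpersistent_flags+=("--latest-images")
 flags+=("--output=")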
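--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -2450,6 +2450,8 @@ _oadm_ipfailover()
 flags+=("--interface=")
 two_word_flags+=("-i")
 local_nonpersistent_flags+=("--interface=")
+ flags+=("--iptables-chain=")
+ local_nonpersistent_flags+=("--iptables-chain=")
 flags+=("--latest-images")
 local_nonpersistent_flags+=("--latest-images")
 flags+=("--output=")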
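--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -2537,6 +2537,8 @@ _oc_adm_ipfailover()
 flags+=("--interface=")
 two_word_flags+=("-i")
 local_nonpersistent_flags+=("--interface=")
+ flags+=("--iptables-chain=")
+ local_nonpersistent_flags+=("--iptables-chain=")
 flags+=("--latest-images")
 local_nonpersistent_flags+=("--latest-images")
 flags+=("--output=")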
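--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -2450,6 +2450,8 @@ _openshift_admin_ipfailover()
 flags+=("--interface=")
 two_word_flags+=("-i")
 local_nonpersistent_flags+=("--interface=")
+ flags+=("--iptables-chain=")
+ local_nonpersistent_flags+=("--iptables-chain=")
 flags+=("--latest-images")
 local_nonpersistent_flags+=("--latest-images")
 flags+=("--output=")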
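--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -6958,6 +6960,8 @@ _openshift_cli_adm_ipfailover()
 flags+=("--interface=")
 two_word_flags+=("-i")
 local_nonpersistent_flags+=("--interface=")
+ flags+=("--iptables-chain=")
+ local_nonpersistent_flags+=("--iptables-chain=")
 flags+=("--latest-images")
 local_nonpersistent_flags+=("--latest-images")
 flags+=("--output=")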
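--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -18871,6 +18875,8 @@ _openshift_ex_ipfailover()
 flags+=("--interface=")
 two_word_flags+=("-i")
 local_nonpersistent_flags+=("--interface=")
+ flags+=("--iptables-chain=")
+ local_nonpersistent_flags+=("--iptables-chain=")
 flags+=("--latest-images")
 local_nonpersistent_flags+=("--latest-images")
 flags+=("--output=")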
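--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -51,6 +51,10 @@ value that matches the number of nodes for the given labeled selector.
 Network interface bound by VRRP to use for the set of virtual IP ranges/addresses specified.
 
 .PP
+\fB\-\-iptables\-chain\fP="INPUT"
+ Add a rule to this iptables chain to accept 224.0.0.28 multicast packets if no rule exists. When iptables\-chain is empty do not change iptables.
+
+.PP
 \fB\-\-latest\-images\fP=false
 If true, attempt to use the latest images instead of the current release
 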
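--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -51,6 +51,10 @@ value that matches the number of nodes for the given labeled selector.
 Network interface bound by VRRP to use for the set of virtual IP ranges/addresses specified.
 
 .PP
+\fB\-\-iptables\-chain\fP="INPUT"
+ Add a rule to this iptables chain to accept 224.0.0.28 multicast packets if no rule exists. When iptables\-chain is empty do not change iptables.
+
+.PP
 \fB\-\-latest\-images\fP=false
 If true, attempt to use the latest images instead of the current release
 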
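--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -51,6 +51,10 @@ value that matches the number of nodes for the given labeled selector.
 Network interface bound by VRRP to use for the set of virtual IP ranges/addresses specified.
 
 .PP
+\fB\-\-iptables\-chain\fP="INPUT"
+ Add a rule to this iptables chain to accept 224.0.0.28 multicast packets if no rule exists. When iptables\-chain is empty do not change iptables.
+
+.PP
 \fB\-\-latest\-images\fP=false
 If true, attempt to use the latest images instead of the current release
 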
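--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -51,6 +51,10 @@ value that matches the number of nodes for the given labeled selector.
 Network interface bound by VRRP to use for the set of virtual IP ranges/addresses specified.
 
 .PP
+\fB\-\-iptables\-chain\fP="INPUT"
+ Add a rule to this iptables chain to accept 224.0.0.28 multicast packets if no rule exists. When iptables\-chain is empty do not change iptables.
+
+.PP
 \fB\-\-latest\-images\fP=false
 If true, attempt to use the latest images instead of the current release
 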
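--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -51,6 +51,10 @@ value that matches the number of nodes for the given labeled selector.
 Network interface bound by VRRP to use for the set of virtual IP ranges/addresses specified.
 
 .PP
+\fB\-\-iptables\-chain\fP="INPUT"
+ Add a rule to this iptables chain to accept 224.0.0.28 multicast packets if no rule exists. When iptables\-chain is empty do not change iptables.
+
+.PP
 \fB\-\-latest\-images\fP=false
 If true, attempt to use the latest images instead of the current release
 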
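--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -46,6 +46,19 @@ function setup_failover() {
 echo "ERROR: Module ip_vs is NOT available."
 fi
 
+ # When the DC supplies an (non null) iptables chain
+ # (OPENSHIFT_HA_IPTABLES_CHAIN) make sure the rule to pass keepalived
+ # multicast (224.0.0.18) is in the table.
+ chain="${OPENSHIFT_HA_IPTABLES_CHAIN:-""}"
+ if [[ -n ${chain} ]]; then
+ echo " - check for iptables rule for keepalived multicast (224.0.0.18) ..."
+ if ! iptables -S | grep 224.0.0.18 > /dev/null 2>&1 ; then
+ # Add the rule to the beginning of the chain.
+ echo " - adding iptables rule to $chain to access 224.0.0.18."
+ iptables -I ${chain} 1 -d 224.0.0.18/32 -j ACCEPT
+ fi
+ fi
+
 echo " - Generating and writing config to $KEEPALIVED_CONFIG"
 generate_failover_config > "$KEEPALIVED_CONFIG"
 }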
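Review bot: The presence check `iptables -S | grep 224.0.0.18` matches any rule in any chain that merely mentions the address (a DROP rule, a rule in a different chain, or 224.0.0.180, since the unescaped dots are regex wildcards), so the ACCEPT rule can be skipped while still missing from `$chain`; `iptables -C "${chain}" -d 224.0.0.18/32 -j ACCEPT` tests for exactly the rule the next lines insert, and `"${chain}"` should be quoted on the `-I` line as well because it comes from an environment variable. The inserted rule accepts every protocol destined for 224.0.0.18/32 while keepalived only needs VRRP, so `-p vrrp` (IP protocol 112) on the `-I` line would keep the opening as narrow as the commit message describes. Inserting at position 1 also deliberately jumps ahead of any operator-managed rules in the chain, which deserves a comment such as `# inserted at position 1 so a preceding multicast DROP cannot shadow it`. setup_failover's opening lines are outside the hunk.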
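--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -95,6 +95,7 @@ func NewCmdIPFailoverConfig(f *clientcmd.Factory, parentName, name string, out,
 cmd.Flags().BoolVar(&options.Create, "create", options.Create, "Create the configuration if it does not exist.")
 
 cmd.Flags().StringVar(&options.VirtualIPs, "virtual-ips", "", "A set of virtual IP ranges and/or addresses that the routers bind and serve on and provide IP failover capability for.")
+ cmd.Flags().StringVar(&options.IptablesChain, "iptables-chain", ipfailover.DefaultIptablesChain, "Add a rule to this iptables chain to accept 224.0.0.28 multicast packets if no rule exists. When iptables-chain is empty do not change iptables.")
 cmd.Flags().StringVarP(&options.NetworkInterface, "interface", "i", "", "Network interface bound by VRRP to use for the set of virtual IP ranges/addresses specified.")
 
 cmd.Flags().IntVarP(&options.WatchPort, "watch-port", "w", ipfailover.DefaultWatchPort, "Port to monitor or watch for resource availability.")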
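Review bot: The help text on the added `iptables-chain` line says `224.0.0.28`, while the pod script and the `DefaultIptablesChain` comment use 224.0.0.18; the typo is reproduced in all five generated man pages in this commit, so fix it here and regenerate rather than patching the man pages. The flag value is also forwarded unchanged into the pod environment and then used unquoted in an `iptables -I` command by the startup script, so a sanity check in the command's option validation (outside this hunk) that rejects whitespace and shell metacharacters in the chain name would keep a bad `oadm` argument from becoming a malformed or surprising iptables invocation on every node. `NewCmdIPFailoverConfig` starts and ends outside the hunk.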
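--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -69,6 +69,7 @@ func generateEnvEntries(name string, options *ipfailover.IPFailoverConfigCmdOpti
 "OPENSHIFT_HA_VRRP_ID_OFFSET": VRRPIDOffset,
 "OPENSHIFT_HA_REPLICA_COUNT": replicas,
 "OPENSHIFT_HA_USE_UNICAST": "false",
+ "OPENSHIFT_HA_IPTABLES_CHAIN": options.IptablesChain,
 // "OPENSHIFT_HA_UNICAST_PEERS": "127.0.0.1",
 })
 return env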
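Review bot: The environment key added here is `OPENSHIFT_HA_IPTABLES_CHAIN`, but the commit message calls the variable `OPENSHIFT_HA_CHAIN`; the code name is what the pod script reads, so the commit message and any documentation derived from it should use `OPENSHIFT_HA_IPTABLES_CHAIN`. Because the entry is always emitted, a deployment created with `--iptables-chain=""` carries an empty value, which the script interprets as "leave iptables alone"; a comment on the new line, `// empty value disables the iptables rule check in the pod startup script`, would record that contract next to the code that produces it. `generateEnvEntries` starts outside the hunk.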
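--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -21,6 +21,10 @@ const (
 // DefaultSelector is the default resource selector.
 DefaultSelector = "ipfailover=<name>"
 
+ // DefaultIptablesChain is the default iptables chain on which to add
+ // a rule that accesses 224.0.0.18 (if none exists).
+ DefaultIptablesChain = "INPUT"
+
 // DefaultInterface is the default network interface.
 DefaultInterface = "eth0"
 )
@@ -39,6 +43,7 @@ type IPFailoverConfigCmdOptions struct {
 
 // Failover options.
 VirtualIPs string
+ IptablesChain string
 NetworkInterface string
 WatchPort int
 VRRPIDOffset int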
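Review bot: The comment on `DefaultIptablesChain` says the rule "accesses" 224.0.0.18, which does not describe what the rule does; `// a rule that accepts traffic to 224.0.0.18 (if none exists).` matches the `-j ACCEPT` rule the pod script inserts. The new `IptablesChain` field in `IPFailoverConfigCmdOptions` carries no comment, and the empty-string opt-out is a behaviour callers need to know about, so a trailing `// iptables chain for the keepalived multicast rule; "" leaves iptables untouched` would be worth adding. The `const` block starts outside its hunk and the struct continues past the end of its hunk.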
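--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -71,6 +71,7 @@ os::cmd::expect_success_and_text 'oadm ipfailover --virtual-ips="1.2.3.4" --dry-
 os::cmd::expect_success_and_text 'oadm ipfailover --virtual-ips="1.2.3.4" --dry-run -o yaml' 'name: ipfailover'
 os::cmd::expect_success_and_text 'oadm ipfailover --virtual-ips="1.2.3.4" --dry-run -o name' 'deploymentconfig/ipfailover'
 os::cmd::expect_success_and_text 'oadm ipfailover --virtual-ips="1.2.3.4" --dry-run -o yaml' '1.2.3.4'
+os::cmd::expect_success_and_text 'oadm ipfailover --virtual-ips="1.2.3.4" --iptables-chain="MY_CHAIN" --dry-run -o yaml' 'value: MY_CHAIN'
 os::cmd::expect_success 'oadm policy remove-scc-from-user privileged -z ipfailover'
 # TODO add tests for normal ipfailover creation
 # os::cmd::expect_success_and_text 'oadm ipfailover' 'deploymentconfig "ipfailover" created'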
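Review bot: The new test only covers an explicit chain name; neither the default (`INPUT`) nor the documented opt-out (`--iptables-chain=""`) is asserted, and those are the two behaviours the commit message promises for new and existing deployments. Add `os::cmd::expect_success_and_text 'oadm ipfailover --virtual-ips="1.2.3.4" --dry-run -o yaml' 'value: INPUT'` and a companion that passes `--iptables-chain=""` and checks the `OPENSHIFT_HA_IPTABLES_CHAIN` entry is rendered with an empty value (confirm the exact YAML form the generator emits for an empty string before pinning it). The `value: MY_CHAIN` match is also loose, since it would pass on any env entry with that value; matching `OPENSHIFT_HA_IPTABLES_CHAIN` nearby would tie it to the field under test.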