GitList

Browse code

keepalived vip (vrrp) requires 224.0.0.18/32

Modified the ipf pod startup to check for iptables rule to allow 224.0.0.18
and if missing add it. By default the rule is added to the head of the
INPUT chain. This can be overridden by OPENSHIFT_HA_CHAIN environment
variable in the ipf dc.

Existing deployments do not have OPENSHIFT_HA_CHAIN and no changes will
be made to the iptables. It is assumed that they are configured
properly. New deployments will have OPENSHIFT_HA_CHAIN and as long as it
is not empty ("") the rule for 224.0.0.18 will be inserted if not
present.

Added --iptables-chain="" option to oadm ipfailover command to pass
the desired iptables chain. Default is INPUT. When string is ""
no changes are made to iptables.

When keepalived traffic over 224.0.0.18 is blocked multiple nodes
will report as master. This change checks for an iptables rule and
adds it if missing.

Documentation changes are in openshift-docs (PR ....)

Resolves: 1381632

Signed-off-by: Phil Cameron <pcameron@redhat.com>

Phil Cameron authored on 2016/10/12 03:07:10
Showing 16 changed files

contrib/completions/bash/oadm index 077ffee..616abdd 100644
contrib/completions/bash/oc index 86de7a4..076de59 100644
contrib/completions/bash/openshift index c6a65de..6c8866f 100644
contrib/completions/zsh/oadm index 1b816a1..caea811 100644
contrib/completions/zsh/oc index 26ca77e..7df2967 100644
contrib/completions/zsh/openshift index f24550a..d8d8df1 100644
docs/man/man1/oadm-ipfailover.1 index 9f2b81c..8e128be 100644
docs/man/man1/oc-adm-ipfailover.1 index c251325..afcf93b 100644
docs/man/man1/openshift-admin-ipfailover.1 index 7114bf8..a7a8c44 100644
docs/man/man1/openshift-cli-adm-ipfailover.1 index 6bd7a64..3c189fd 100644
docs/man/man1/openshift-ex-ipfailover.1 index f2916c8..91a8e49 100644
images/ipfailover/keepalived/lib/failover-functions.sh index 4eea922..216411f 100755
pkg/cmd/experimental/ipfailover/ipfailover.go index 0b93cd7..346475e 100644
pkg/ipfailover/keepalived/generator.go index 715da7d..58573b6 100644
pkg/ipfailover/types.go index 06be9f6..84386dc 100644
test/cmd/router.sh index 5a2dad0..364b5ef 100755

@@ -2289,6 +2289,8 @@ _oadm_ipfailover()
                          flags+=("--interface=")
                          two_word_flags+=("-i")
                          local_nonpersistent_flags+=("--interface=")
                     +    flags+=("--iptables-chain=")
                     +    local_nonpersistent_flags+=("--iptables-chain=")
                          flags+=("--latest-images")
                          local_nonpersistent_flags+=("--latest-images")
                          flags+=("--output=")

@@ -51,6 +51,10 @@ value that matches the number of nodes for the given labeled selector.
                          Network interface bound by VRRP to use for the set of virtual IP ranges/addresses specified.
                      .PP
                     +\fB\-\-iptables\-chain\fP="INPUT"
                     +    Add a rule to this iptables chain to accept 224.0.0.28 multicast packets if no rule exists. When iptables\-chain is empty do not change iptables.
+                    +
                     +.PP
                      \fB\-\-latest\-images\fP=false
                          If true, attempt to use the latest images instead of the current release

@@ -46,6 +46,19 @@ function setup_failover() {
                          echo "ERROR: Module ip_vs is NOT available."
                        fi
                     +  # When the DC supplies an (non null) iptables chain
                     +  # (OPENSHIFT_HA_IPTABLES_CHAIN) make sure the rule to pass keepalived
                     +  # multicast (224.0.0.18) is in the table.
                     +  chain="${OPENSHIFT_HA_IPTABLES_CHAIN:-""}"
                     +  if [[ -n ${chain} ]]; then
                     +    echo "  - check for iptables rule for keepalived multicast (224.0.0.18) ..."
                     +    if ! iptables -S | grep 224.0.0.18 > /dev/null 2>&1 ; then
                     +      # Add the rule to the beginning of the chain.
                     +      echo "  - adding iptables rule to $chain to access 224.0.0.18."
                     +      iptables -I ${chain} 1 -d 224.0.0.18/32 -j ACCEPT
                     +    fi
                     +  fi
+                    +
                        echo "  - Generating and writing config to $KEEPALIVED_CONFIG"
                        generate_failover_config > "$KEEPALIVED_CONFIG"
+                     }

@@ -95,6 +95,7 @@ func NewCmdIPFailoverConfig(f *clientcmd.Factory, parentName, name string, out,
                      	cmd.Flags().BoolVar(&options.Create, "create", options.Create, "Create the configuration if it does not exist.")
                      	cmd.Flags().StringVar(&options.VirtualIPs, "virtual-ips", "", "A set of virtual IP ranges and/or addresses that the routers bind and serve on and provide IP failover capability for.")
                     +	cmd.Flags().StringVar(&options.IptablesChain, "iptables-chain", ipfailover.DefaultIptablesChain, "Add a rule to this iptables chain to accept 224.0.0.28 multicast packets if no rule exists. When iptables-chain is empty do not change iptables.")
                      	cmd.Flags().StringVarP(&options.NetworkInterface, "interface", "i", "", "Network interface bound by VRRP to use for the set of virtual IP ranges/addresses specified.")
                      	cmd.Flags().IntVarP(&options.WatchPort, "watch-port", "w", ipfailover.DefaultWatchPort, "Port to monitor or watch for resource availability.")

@@ -69,6 +69,7 @@ func generateEnvEntries(name string, options *ipfailover.IPFailoverConfigCmdOpti
                      		"OPENSHIFT_HA_VRRP_ID_OFFSET":    VRRPIDOffset,
                      		"OPENSHIFT_HA_REPLICA_COUNT":     replicas,
                      		"OPENSHIFT_HA_USE_UNICAST":       "false",
                     +		"OPENSHIFT_HA_IPTABLES_CHAIN":    options.IptablesChain,
                      		// "OPENSHIFT_HA_UNICAST_PEERS":     "127.0.0.1",
                      	})
                      	return env

@@ -21,6 +21,10 @@ const (
                      	// DefaultSelector is the default resource selector.
                      	DefaultSelector = "ipfailover=<name>"
                     +	// DefaultIptablesChain is the default iptables chain on which to add
                     +	// a rule that accesses 224.0.0.18 (if none exists).
                     +	DefaultIptablesChain = "INPUT"
+                    +
                      	// DefaultInterface is the default network interface.
                      	DefaultInterface = "eth0"
+                     )
@@ -39,6 +43,7 @@ type IPFailoverConfigCmdOptions struct {
                      	//  Failover options.
                      	VirtualIPs       string
                     +	IptablesChain    string
                      	NetworkInterface string
                      	WatchPort        int
                      	VRRPIDOffset     int

@@ -71,6 +71,7 @@ os::cmd::expect_success_and_text 'oadm ipfailover --virtual-ips="1.2.3.4" --dry-
                      os::cmd::expect_success_and_text 'oadm ipfailover --virtual-ips="1.2.3.4" --dry-run -o yaml' 'name: ipfailover'
                      os::cmd::expect_success_and_text 'oadm ipfailover --virtual-ips="1.2.3.4" --dry-run -o name' 'deploymentconfig/ipfailover'
                      os::cmd::expect_success_and_text 'oadm ipfailover --virtual-ips="1.2.3.4" --dry-run -o yaml' '1.2.3.4'
                     +os::cmd::expect_success_and_text 'oadm ipfailover --virtual-ips="1.2.3.4" --iptables-chain="MY_CHAIN" --dry-run -o yaml' 'value: MY_CHAIN'
                      os::cmd::expect_success 'oadm policy remove-scc-from-user privileged -z ipfailover'
                      # TODO add tests for normal ipfailover creation
                      # os::cmd::expect_success_and_text 'oadm ipfailover' 'deploymentconfig "ipfailover" created'