github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-04-29 12:14:48 +00:00
Code Issues Projects Releases Wiki Activity

fix(agent): fix iptables binary path in guest

Browse Source 
Some rootfs put iptables-save and iptables-restore
under /usr/sbin instead of /sbin. This pr checks both
and returns the one exist.

Fixes: #5608
Signed-off-by: Ji-Xinyou <jerryji0414@outlook.com>
This commit is contained in:
Ji-Xinyou 2022-11-08 10:47:00 +08:00
parent f02bb1a9cb
commit 1d93a93468
1 changed files with 47 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
src/agent/src/rpc.rs
View File

@ -84,9 +84,15 @@ use std::path::PathBuf;
const CONTAINER_BASE: &str = "/run/kata-containers"; const CONTAINER_BASE: &str = "/run/kata-containers";
const MODPROBE_PATH: &str = "/sbin/modprobe"; const MODPROBE_PATH: &str = "/sbin/modprobe";
/// the iptables seriers binaries could appear either in /sbin
/// or /usr/sbin, we need to check both of them
const USR_IPTABLES_SAVE: &str = "/usr/sbin/iptables-save";
const IPTABLES_SAVE: &str = "/sbin/iptables-save"; const IPTABLES_SAVE: &str = "/sbin/iptables-save";
const USR_IPTABLES_RESTORE: &str = "/usr/sbin/iptables-store";
const IPTABLES_RESTORE: &str = "/sbin/iptables-restore"; const IPTABLES_RESTORE: &str = "/sbin/iptables-restore";
const USR_IP6TABLES_SAVE: &str = "/usr/sbin/ip6tables-save";
const IP6TABLES_SAVE: &str = "/sbin/ip6tables-save"; const IP6TABLES_SAVE: &str = "/sbin/ip6tables-save";
const USR_IP6TABLES_RESTORE: &str = "/usr/sbin/ip6tables-save";
const IP6TABLES_RESTORE: &str = "/sbin/ip6tables-restore"; const IP6TABLES_RESTORE: &str = "/sbin/ip6tables-restore";
const ERR_CANNOT_GET_WRITER: &str = "Cannot get writer"; const ERR_CANNOT_GET_WRITER: &str = "Cannot get writer";
@ -998,8 +1004,18 @@ impl agent_ttrpc::AgentService for AgentService {
info!(sl!(), "get_ip_tables: request received"); info!(sl!(), "get_ip_tables: request received");
// the binary could exists in either /usr/sbin or /sbin
// here check both of the places and return the one exists
// if none exists, return the /sbin one, and the rpc will
// returns an internal error
let cmd = if req.is_ipv6 { let cmd = if req.is_ipv6 {
if Path::new(USR_IP6TABLES_SAVE).exists() {
USR_IP6TABLES_SAVE
} else {
IP6TABLES_SAVE IP6TABLES_SAVE
}
} else if Path::new(USR_IPTABLES_SAVE).exists() {
USR_IPTABLES_SAVE
} else { } else {
IPTABLES_SAVE IPTABLES_SAVE
} }
@ -1027,8 +1043,18 @@ impl agent_ttrpc::AgentService for AgentService {
info!(sl!(), "set_ip_tables request received"); info!(sl!(), "set_ip_tables request received");
// the binary could exists in both /usr/sbin and /sbin
// here check both of the places and return the one exists
// if none exists, return the /sbin one, and the rpc will
// returns an internal error
let cmd = if req.is_ipv6 { let cmd = if req.is_ipv6 {
if Path::new(USR_IP6TABLES_RESTORE).exists() {
USR_IP6TABLES_RESTORE
} else {
IP6TABLES_RESTORE IP6TABLES_RESTORE
}
} else if Path::new(USR_IPTABLES_RESTORE).exists() {
USR_IPTABLES_RESTORE
} else { } else {
IPTABLES_RESTORE IPTABLES_RESTORE
} }
@ -2756,17 +2782,26 @@ OtherField:other
async fn test_ip_tables() { async fn test_ip_tables() {
skip_if_not_root!(); skip_if_not_root!();
if !check_command(IPTABLES_SAVE) let iptables_cmd_list = [
|| !check_command(IPTABLES_RESTORE) USR_IPTABLES_SAVE,
|| !check_command(IP6TABLES_SAVE) USR_IP6TABLES_SAVE,
|| !check_command(IP6TABLES_RESTORE) USR_IPTABLES_RESTORE,
{ USR_IP6TABLES_RESTORE,
IPTABLES_SAVE,
IP6TABLES_SAVE,
IPTABLES_RESTORE,
IP6TABLES_RESTORE,
];
for cmd in iptables_cmd_list {
if !check_command(cmd) {
warn!( warn!(
sl!(), sl!(),
"one or more commands for ip tables test are missing, skip it" "one or more commands for ip tables test are missing, skip it"
); );
return; return;
} }
}
let logger = slog::Logger::root(slog::Discard, o!()); let logger = slog::Logger::root(slog::Discard, o!());
let sandbox = Sandbox::new(&logger).unwrap(); let sandbox = Sandbox::new(&logger).unwrap();