From 16e01c65c4552879a4635c037dd2eed5ebd163de Mon Sep 17 00:00:00 2001
From: Devan Goodwin
Date: Fri, 25 Nov 2016 14:58:00 -0400
Subject: [PATCH] Warn if firewalld service is enabled.
In future we might try to verify ports are actually exposed in firewalld policy, but this can be quite complex. Instead lets just warn the user if we see firewalld is running.
---
 cmd/kubeadm/app/preflight/checks.go | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/cmd/kubeadm/app/preflight/checks.go b/cmd/kubeadm/app/preflight/checks.go
index 1b0950745ff..3e238eca6f6 100644
--- a/cmd/kubeadm/app/preflight/checks.go
+++ b/cmd/kubeadm/app/preflight/checks.go
@@ -80,6 +80,32 @@ func (sc ServiceCheck) Check() (warnings, errors []error) {
 return warnings, errors
 }
+// FirewalldCheck checks if firewalld is enabled or active, and if so outputs a warning.
+type FirewalldCheck struct {
+ ports []int
+}
+
+func (fc FirewalldCheck) Check() (warnings, errors []error) {
+ initSystem, err := initsystem.GetInitSystem()
+ if err != nil {
+ return []error{err}, nil
+ }
+
+ warnings = []error{}
+
+ if !initSystem.ServiceExists("firewalld") {
+ return nil, nil
+ }
+
+ if initSystem.ServiceIsActive("firewalld") {
+ warnings = append(warnings,
+ fmt.Errorf("firewalld is active, please ensure ports %v are open or your cluster may not function correctly",
+ fc.ports))
+ }
+
+ return warnings, errors
+}
+
 // PortOpenCheck ensures the given port is available for use.
 type PortOpenCheck struct {
 port int
@@ -220,6 +246,7 @@ func RunInitMasterChecks(cfg *kubeadmapi.MasterConfiguration) error {
 HostnameCheck{},
 ServiceCheck{Service: "kubelet"},
 ServiceCheck{Service: "docker"},
+ FirewalldCheck{ports: []int{int(cfg.API.BindPort), int(cfg.Discovery.BindPort), 10250}},
 PortOpenCheck{port: int(cfg.API.BindPort)},
 PortOpenCheck{port: 2379},
 PortOpenCheck{port: 8080},
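Review bot: The doc comment on FirewalldCheck (and the commit subject) says the check fires when firewalld is "enabled or active", but Check() only tests `initSystem.ServiceIsActive("firewalld")`, so a host where firewalld is enabled but currently stopped passes silently and may start filtering the listed ports after the next reboot. If the init-system abstraction exposes an enabled query, the condition could become `if initSystem.ServiceIsEnabled("firewalld") || initSystem.ServiceIsActive("firewalld") {`; otherwise the comment should be narrowed to "checks if firewalld is active". The exported Check method also has no doc comment; `// Check warns when firewalld is running, because it may block the ports listed in fc.ports.` would fit.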
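Review bot: The literal `10250` in the added FirewalldCheck entry is unexplained, while the other two ports are derived from cfg; it is presumably the kubelet port, and a named constant or a short trailing comment saying so would make the list self-describing. Since the warning prints this list and users will likely open exactly these ports in their firewall, it is worth stating next to the entry that the list is meant to contain only ports other hosts must reach. The PortOpenCheck entries just below cover 2379 and 8080, which are absent from the firewalld list, presumably on purpose; a comment recording that would keep a later change from "completing" the list and prompting users to expose them. RunInitMasterChecks continues outside the hunk, and only this check list is touched by the patch, so any node-side check list would not get the warning.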