github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-21 10:51:29 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #37663 from Random-Liu/fix-node-e2e-firewall-configure

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 37094, 37663, 37442, 37808, 37826)

Node E2E: Fix node e2e firewall configure.

Get rid of the misleading error message:
```
W1129 12:57:16.967] E1129 12:57:16.967130   29815 remote.go:204] Failed to configured firewall: command [ssh -i /home/jenkins/.ssh/google_compute_engine -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -o CheckHostIP=no -o StrictHostKeyChecking=no -o ServerAliveInterval=30 -o LogLevel=ERROR 104.154.201.208 -- sudo sh -c 'iptables -L INPUT | grep "Chain INPUT (policy DROP)"&&(iptables -C INPUT -w -p TCP -j ACCEPT || iptables -A INPUT -w -p TCP -j ACCEPT)&&(iptables -C INPUT -w -p UDP -j ACCEPT || iptables -A INPUT -w -p UDP -j ACCEPT)&&(iptables -C INPUT -w -p ICMP -j ACCEPT || iptables -A INPUT -w -p ICMP -j ACCEPT)'] failed with error: exit status 1 output: 
W1129 12:57:17.271] E1129 12:57:17.271169   29815 remote.go:213] Failed to configured firewall: command [ssh -i /home/jenkins/.ssh/google_compute_engine -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -o CheckHostIP=no -o StrictHostKeyChecking=no -o ServerAliveInterval=30 -o LogLevel=ERROR 104.154.201.208 -- sudo sh -c 'iptables -L FORWARD | grep "Chain FORWARD (policy DROP)" > /dev/null&&(iptables -C FORWARD -w -p TCP -j ACCEPT || iptables -A FORWARD -w -p TCP -j ACCEPT)&&(iptables -C FORWARD -w -p UDP -j ACCEPT || iptables -A FORWARD -w -p UDP -j ACCEPT)&&(iptables -C FORWARD -w -p ICMP -j ACCEPT || iptables -A FORWARD -w -p ICMP -j ACCEPT)'] failed with error: exit status 1 output: 
W1129 12:57:17.557] E1129 12:57:17.556683   29815 remote.go:204] Failed to configured firewall: command [ssh -i /home/jenkins/.ssh/google_compute_engine -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -o CheckHostIP=no -o StrictHostKeyChecking=no -o ServerAliveInterval=30 -o LogLevel=ERROR 104.154.128.178 -- sudo sh -c 'iptables -L INPUT | grep "Chain INPUT (policy DROP)"&&(iptables -C INPUT -w -p TCP -j ACCEPT || iptables -A INPUT -w -p TCP -j ACCEPT)&&(iptables -C INPUT -w -p UDP -j ACCEPT || iptables -A INPUT -w -p UDP -j ACCEPT)&&(iptables -C INPUT -w -p ICMP -j ACCEPT || iptables -A INPUT -w -p ICMP -j ACCEPT)'] failed with error: exit status 1 output: 
W1129 12:57:17.771] I1129 12:57:17.771236   29815 remote.go:231] Killing any existing node processes on tmp-node-e2e-a1212c32-gci-dev-56-8977-0-0
W1129 12:57:17.877] E1129 12:57:17.877123   29815 remote.go:213] Failed to configured firewall: command [ssh -i /home/jenkins/.ssh/google_compute_engine -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -o CheckHostIP=no -o StrictHostKeyChecking=no -o ServerAliveInterval=30 -o LogLevel=ERROR 104.154.128.178 -- sudo sh -c 'iptables -L FORWARD | grep "Chain FORWARD (policy DROP)" > /dev/null&&(iptables -C FORWARD -w -p TCP -j ACCEPT || iptables -A FORWARD -w -p TCP -j ACCEPT)&&(iptables -C FORWARD -w -p UDP -j ACCEPT || iptables -A FORWARD -w -p UDP -j ACCEPT)&&(iptables -C FORWARD -w -p ICMP -j ACCEPT || iptables -A FORWARD -w -p ICMP -j ACCEPT)'] failed with error: exit status 1 output: 
W1129 12:57:17.898] I1129 12:57:17.898711   29815 remote.go:239] Extracting tar on tmp-node-e2e-a1212c32-gci-dev-56-8977-0-0
W1129 12:57:17.941] E1129 12:57:17.941566   29815 remote.go:204] Failed to configured firewall: command [ssh -i /home/jenkins/.ssh/google_compute_engine -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -o CheckHostIP=no -o StrictHostKeyChecking=no -o ServerAliveInterval=30 -o LogLevel=ERROR 104.154.154.237 -- sudo sh -c 'iptables -L INPUT | grep "Chain INPUT (policy DROP)"&&(iptables -C INPUT -w -p TCP -j ACCEPT || iptables -A INPUT -w -p TCP -j ACCEPT)&&(iptables -C INPUT -w -p UDP -j ACCEPT || iptables -A INPUT -w -p UDP -j ACCEPT)&&(iptables -C INPUT -w -p ICMP -j ACCEPT || iptables -A INPUT -w -p ICMP -j ACCEPT)'] failed with error: exit status 1 output: 
W1129 12:57:18.020] I1129 12:57:18.019802   29815 remote.go:231] Killing any existing node processes on tmp-node-e2e-a1212c32-coreos-alpha-1122-0-0-v20160727
W1129 12:57:18.024] E1129 12:57:18.024044   29815 remote.go:213] Failed to configured firewall: command [ssh -i /home/jenkins/.ssh/google_compute_engine -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -o CheckHostIP=no -o StrictHostKeyChecking=no -o ServerAliveInterval=30 -o LogLevel=ERROR 104.154.154.237 -- sudo sh -c 'iptables -L FORWARD | grep "Chain FORWARD (policy DROP)" > /dev/null&&(iptables -C FORWARD -w -p TCP -j ACCEPT || iptables -A FORWARD -w -p TCP -j ACCEPT)&&(iptables -C FORWARD -w -p UDP -j ACCEPT || iptables -A FORWARD -w -p UDP -j ACCEPT)&&(iptables -C FORWARD -w -p ICMP -j ACCEPT || iptables -A FORWARD -w -p ICMP -j ACCEPT)'] failed with error: exit status 1 output: 
```

The problem is that the command 'iptables -L FORWARD | grep "Chain FORWARD (policy DROP)" returns an error when the rule is not found, which is not expected behaviour.

@freehan
This commit is contained in:
Kubernetes Submit Queue 2016-12-03 04:27:48 -08:00 committed by GitHub
commit ba62dafe39
1 changed files with 24 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
test/e2e_node/remote/remote.go
View File

@ -194,23 +194,33 @@ func RunRemote(archive string, host string, cleanup bool, junitFilePrefix string
// Configure iptables firewall rules
// TODO: consider calling bootstrap script to configure host based on OS
cmd = getSSHCommand("&&",
`iptables -L INPUT | grep "Chain INPUT (policy DROP)"`,
"(iptables -C INPUT -w -p TCP -j ACCEPT || iptables -A INPUT -w -p TCP -j ACCEPT)",
"(iptables -C INPUT -w -p UDP -j ACCEPT || iptables -A INPUT -w -p UDP -j ACCEPT)",
"(iptables -C INPUT -w -p ICMP -j ACCEPT || iptables -A INPUT -w -p ICMP -j ACCEPT)")
output, err := SSH(host, "sh", "-c", cmd)
output, err := SSH(host, "iptables", "-L", "INPUT")
if err != nil {
glog.Errorf("Failed to configured firewall: %v output: %v", err, output)
return "", false, fmt.Errorf("failed to get iptables INPUT: %v output: %q", err, output)
}
cmd = getSSHCommand("&&",
`iptables -L FORWARD | grep "Chain FORWARD (policy DROP)" > /dev/null`,
"(iptables -C FORWARD -w -p TCP -j ACCEPT || iptables -A FORWARD -w -p TCP -j ACCEPT)",
"(iptables -C FORWARD -w -p UDP -j ACCEPT || iptables -A FORWARD -w -p UDP -j ACCEPT)",
"(iptables -C FORWARD -w -p ICMP -j ACCEPT || iptables -A FORWARD -w -p ICMP -j ACCEPT)")
output, err = SSH(host, "sh", "-c", cmd)
if strings.Contains(output, "Chain INPUT (policy DROP)") {
cmd = getSSHCommand("&&",
"(iptables -C INPUT -w -p TCP -j ACCEPT || iptables -A INPUT -w -p TCP -j ACCEPT)",
"(iptables -C INPUT -w -p UDP -j ACCEPT || iptables -A INPUT -w -p UDP -j ACCEPT)",
"(iptables -C INPUT -w -p ICMP -j ACCEPT || iptables -A INPUT -w -p ICMP -j ACCEPT)")
output, err := SSH(host, "sh", "-c", cmd)
if err != nil {
return "", false, fmt.Errorf("failed to configured firewall: %v output: %v", err, output)
}
}
output, err = SSH(host, "iptables", "-L", "FORWARD")
if err != nil {
glog.Errorf("Failed to configured firewall: %v output: %v", err, output)
return "", false, fmt.Errorf("failed to get iptables FORWARD: %v output: %q", err, output)
}
if strings.Contains(output, "Chain FORWARD (policy DROP)") {
cmd = getSSHCommand("&&",
"(iptables -C FORWARD -w -p TCP -j ACCEPT || iptables -A FORWARD -w -p TCP -j ACCEPT)",
"(iptables -C FORWARD -w -p UDP -j ACCEPT || iptables -A FORWARD -w -p UDP -j ACCEPT)",
"(iptables -C FORWARD -w -p ICMP -j ACCEPT || iptables -A FORWARD -w -p ICMP -j ACCEPT)")
output, err = SSH(host, "sh", "-c", cmd)
if err != nil {
return "", false, fmt.Errorf("failed to configured firewall: %v output: %v", err, output)
}
}
// Copy the archive to the staging directory