From ffe93b3979486feb41a0f85191bdd189cbd56ccc Mon Sep 17 00:00:00 2001
From: Dan Winship
Date: Thu, 7 Nov 2019 15:10:39 -0500
Subject: [PATCH] Update debian-iptables iptables-wrapper script
The debian-iptables v12.0.0 build didn't work because of another previously-undiscovered iptables 1.8.x bug. Work around it for now and bump the version to v12.0.1; we can revert back to the original version of the script once iptables 1.8.4 is available in buster-backports.
---
 build/common.sh | 2 +-
 build/debian-iptables/Makefile | 2 +-
 build/debian-iptables/iptables-wrapper | 16 +++++++++++++---
 build/workspace.bzl | 2 +-
 4 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/build/common.sh b/build/common.sh
index be629257283..58591eafdd0 100755
--- a/build/common.sh
+++ b/build/common.sh
@@ -95,7 +95,7 @@ readonly KUBE_CONTAINER_RSYNC_PORT=8730
 kube::build::get_docker_wrapped_binaries() {
 local arch=$1
 local debian_base_version=v2.0.0
- local debian_iptables_version=v12.0.0
+ local debian_iptables_version=v12.0.1
 ### If you change any of these lists, please also update DOCKERIZED_BINARIES
 ### in build/BUILD. And kube::golang::server_image_targets
 local targets=(
diff --git a/build/debian-iptables/Makefile b/build/debian-iptables/Makefile
index 2f80f566184..ff1d0bd724d 100644
--- a/build/debian-iptables/Makefile
+++ b/build/debian-iptables/Makefile
@@ -16,7 +16,7 @@ REGISTRY?="staging-k8s.gcr.io"
 IMAGE=$(REGISTRY)/debian-iptables
-TAG?=v12.0.0
+TAG?=v12.0.1
 ARCH?=amd64
 ALL_ARCH = amd64 arm arm64 ppc64le s390x
 TEMP_DIR:=$(shell mktemp -d)
diff --git a/build/debian-iptables/iptables-wrapper b/build/debian-iptables/iptables-wrapper
index 0f8e8f2bc35..c114ef0eb4b 100755
--- a/build/debian-iptables/iptables-wrapper
+++ b/build/debian-iptables/iptables-wrapper
@@ -19,12 +19,22 @@ set -e
 # Detect whether the base system is using iptables-legacy or
 # iptables-nft. This assumes that some non-containerized process (eg
 # kubelet) has already created some iptables rules.
+
+# Bugs in iptables-nft 1.8.3 may cause it to get stuck in a loop in
+# some circumstances, so we have to run the nft check in a timeout. To
+# avoid hitting that timeout, we only bother to even check nft if
+# legacy iptables was empty / mostly empty.
+
 num_legacy_lines=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep '^-' | wc -l)
-num_nft_lines=$( (iptables-nft-save || true; ip6tables-nft-save || true) 2>/dev/null | grep '^-' | wc -l)
-if [ "${num_legacy_lines}" -ge "${num_nft_lines}" ]; then
+if [ "${num_legacy_lines}" -ge 10 ]; then
 mode=legacy
 else
- mode=nft
+ num_nft_lines=$( (timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save" || true) 2>/dev/null | grep '^-' | wc -l)
+ if [ "${num_legacy_lines}" -ge "${num_nft_lines}" ]; then
+ mode=legacy
+ else
+ mode=nft
+ fi
 fi
 update-alternatives --set iptables "/usr/sbin/iptables-${mode}" > /dev/null
diff --git a/build/workspace.bzl b/build/workspace.bzl
index 9dd5347d55d..f8796499015 100644
--- a/build/workspace.bzl
+++ b/build/workspace.bzl
@@ -122,7 +122,7 @@ def debian_image_dependencies():
 digest = _digest(_DEBIAN_IPTABLES_DIGEST, arch),
 registry = "k8s.gcr.io",
 repository = "debian-iptables",
- tag = "v12.0.0", # ignored, but kept here for documentation
+ tag = "v12.0.1", # ignored, but kept here for documentation
 )
 container_pull(
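Review bot: When the timeout fires, `timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save"` terminates the inner shell, so any rules ip6tables-nft-save had not yet printed are never counted, `|| true` and `2>/dev/null` swallow the exit status and diagnostics, and the resulting low `num_nft_lines` silently drives the inner comparison to `mode=legacy`; the added comment block explains why the timeout exists but not that a stuck or slow nft backend degrades to a legacy selection with no trace of it. I'd make that fallback explicit next to the assignment: `# If the nft check times out, only the partial output is counted and the legacy backend is selected by default.` The bare `10` in `if [ "${num_legacy_lines}" -ge 10 ]; then` is a heuristic threshold that the comment only describes as "mostly empty"; naming it, e.g. `legacy_threshold=10` above the `if` and `-ge "${legacy_threshold}"` in the test, would tie the comment to the value it tunes. The `if`/`fi` nesting is entirely inside the hunk.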