Port hostport code from iptables to nftables #8684
Conversation
openshift-ci
bot
added
do-not-merge/work-in-progress
|
Hi @danwinship. Thanks for your PR. I'm waiting for a cri-o member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
(meant to imply: I could rewrite it to support both iptables and nftables (though that would obviously be more complicated). It just didn't occur to me until I was filing the PR that we might want that.) |
|
/ok-to-test |
openshift-ci
bot
added
ok-to-test
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #8684 +/- ##
==========================================
+ Coverage 46.96% 47.24% +0.28%
==========================================
Files 154 155 +1
Lines 21978 22232 +254
==========================================
+ Hits 10322 10504 +182
- Misses 10594 10657 +63
- Partials 1062 1071 +9 |
danwinship
force-pushed
the
nftables
branch
5 times, most recently
from
d43803d to
fd31b5e
Compare
|
/test all |
|
@danwinship, we are making an assumption here that all users of CRI-O are going to be using nftables, isn't it? |
|
@kwilczynski it assumes that all users of CRI-O 1.32 will be on distros with new-enough nftables (see the "Special notes for your reviewer" section of the initial comment). It doesn't assume they'll be using nftables for kube-proxy or firewalling or anything else. The hostport rules are independent. (And I can rewrite it to support either iptables or nftables if necessary. It will just be more complicated...) |
|
So there's only one test of HostPorts in the e2e suite ( |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
correct! Can we optimistically use nftables and if that fails fallback to iptables? I'm fine dropping iptables in our docs and recommending nftables but I Think there should be some transition time so we don't pull the rug out from underneath users who use older OSs (I know of some using debian, not sure which version) |
|
@haircommander done, though probably this needs some hand-testing to make sure it really is supporting both modes (and the linter doesn't like what I did with the unit tests...) Does it need to do both-iptables-and-nftables-cleanup on Remove? (eg, does it need to support the possibility of upgrading and restarting cri-o without rebooting). |
Unfortunately, yes |
openshift-merge-robot
added
the
needs-rebase
openshift-merge-robot
removed
the
needs-rebase
|
note: #8757 contains the first half of this (unit test updates) which can be reviewed separately |
danwinship
force-pushed
the
nftables
branch
3 times, most recently
from
eb12f2c to
a6842ee
Compare
It turns out it's more convenient to have an IPv4/IPv6 split for nftables too, plus we will need to work with both iptables and nftables at the same time for backward-compatibility, and the meta manager helps with that too. This reverts commit 0262d19. (but includes the up-to-date fixed dual-stack unit test rather than the original broken original one) Signed-off-by: Dan Winship <danwinship@redhat.com>
hostport.PodPortMapping is only used to aggregate the arguments to HostPortManager.Add() and .Remove(), but they could just as easily be passed separately (which will turn out to be useful later). (Also, the existence of the struct was hiding the fact that the toplevel code was not actually passing the Namespace field. Since this only ended up being used for an iptables comment anyway, I just removed it and simplified the code to work only with the pod name.) Signed-off-by: Dan Winship <danwinship@redhat.com>
Signed-off-by: Dan Winship <danwinship@redhat.com>
Signed-off-by: Dan Winship <danwinship@redhat.com>
Put all of the iptables-specific code from hostport.go and hostport_manager.go into hostport_iptables.go (and all of the iptables-specific tests into hostport_iptables_test.go), leaving just the type definitions in hostport_manager.go and test case data in hostport_manager_test.go. Signed-off-by: Dan Winship <danwinship@redhat.com>
IPTables will not be supported in RHEL 10, and is deprecated / not being improved in general. This adds a new nftables-based HostPortManager (but does not yet make it the default). Signed-off-by: Dan Winship <danwinship@redhat.com>
If either iptables or nftables is not present, just use only the other one. If both are present, use nftables for Add, but both for Remove (so that old iptables rules eventually get cleaned up correctly). Signed-off-by: Dan Winship <danwinship@redhat.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: danwinship The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@danwinship: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
@danwinship do we need this for 1.32 or is it possible to defer to 1.33? |
|
It can be deferred to 1.33 |
|
Moved it to the next milestone, thank you! |
What type of PR is this?
/kind cleanup
/kind other
What this PR does / why we need it:
Ports hostport code from iptables to nftables, which will be needed when RHEL 10 drops support for iptables.
Which issue(s) this PR fixes:
None (but it's part of https://issues.redhat.com/browse/OCPSTRAT-940)
Special notes for your reviewer:
I'm not sure exactly what sort of compatibility constraints cri-o has but note that:
nftreleases before 1.0.1 are problematic (see discussion here) so the knftables package requires that version or newer. This means using a mid-2021-or-later distro, meaning not RHEL 7, Debian buster or bullseye, or Ubuntu 20.04 (which are all allegedly currently supported according toinstall.md).Also, the arm64 integration tests are currently failing because the image used for them doesn't include
nft. I tried updating.github/workflows/integration.ymlto do that, but the PR seems to be ignoring it. Maybe it has to be updated separately? (Or I did something wrong...)Does this PR introduce a user-facing change?