github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
k3s/pkg/util/iptables/iptables_test.go

1154 lines
43 KiB
Go
Raw Normal View History

Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
/*
Remove "All rights reserved" from all the headers.
2016-06-03 00:25:58 +00:00
Copyright 2014 The Kubernetes Authors.
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package iptables
import (
Use iptables --wait flag if available Use iptables --wait (if available) to avoid race conditions with util.iptables failing if it tries to modify the tables at the same time as another process.
2015-08-03 17:39:45 +00:00
"strings"
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
"testing"
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
"time"
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
start the apimachinery repo
2017-01-11 14:09:48 +00:00
"k8s.io/apimachinery/pkg/util/sets"
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
"k8s.io/kubernetes/pkg/util/dbus"
rewrite go imports
2015-08-05 22:03:47 +00:00
"k8s.io/kubernetes/pkg/util/exec"
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
)
Clean up IPTables caps i.e.: sed -i "s/Iptables/IPTables/g"
2016-08-27 03:06:15 +00:00
func getIPTablesCommand(protocol Protocol) string {
Initial ipv6 / iptables work
2014-11-03 16:04:42 +00:00
if protocol == ProtocolIpv4 {
Clean up IPTables caps i.e.: sed -i "s/Iptables/IPTables/g"
2016-08-27 03:06:15 +00:00
return cmdIPTables
Initial ipv6 / iptables work
2014-11-03 16:04:42 +00:00
}
if protocol == ProtocolIpv6 {
Add Save, SaveAll, Restore, RestoreAll to pkg/util/iptables Adds utility wrappers for `iptables-save` and `iptables-restore` to the iptables Interface in pkg/util/iptables. Also const’s command strings.
2015-08-07 20:54:48 +00:00
return cmdIp6tables
Initial ipv6 / iptables work
2014-11-03 16:04:42 +00:00
}
panic("Unknown protocol")
}
func testEnsureChain(t *testing.T, protocol Protocol) {
Add support for git volumes.
2014-10-21 23:23:05 +00:00
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
Check iptables for -C flag at construct time Also, reorganize the code a bit in preparation for checking for another flag as well. And, if semver.NewVersion() returns an error, it means there's a bug in the code somewhere (we should only ever be passing it valid version strings), so just log that error rather than returning it to the caller.
2015-08-26 14:08:37 +00:00
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.9.22"), nil },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func() ([]byte, error) { return []byte("iptables-restore v1.9.22"), nil },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
// Success.
func() ([]byte, error) { return []byte{}, nil },
// Exists.
Correcting all go vet errors
2015-08-08 01:52:23 +00:00
func() ([]byte, error) { return nil, &exec.FakeExitError{Status: 1} },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
// Failure.
Correcting all go vet errors
2015-08-08 01:52:23 +00:00
func() ([]byte, error) { return nil, &exec.FakeExitError{Status: 2} },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
},
}
Add support for git volumes.
2014-10-21 23:23:05 +00:00
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Check iptables for -C flag at construct time Also, reorganize the code a bit in preparation for checking for another flag as well. And, if semver.NewVersion() returns an error, it means there's a bug in the code somewhere (we should only ever be passing it valid version strings), so just log that error rather than returning it to the caller.
2015-08-26 14:08:37 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
},
}
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
runner := New(&fexec, dbus.NewFake(nil, nil), protocol)
defer runner.Destroy()
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
// Success.
exists, err := runner.EnsureChain(TableNAT, Chain("FOOBAR"))
if err != nil {
Clean up error logs. Use %v for errors, tidy some messages, make error messages start lowe-case (as per go guidelines). Just accumulated nits.
2014-11-20 10:00:36 +00:00
t.Errorf("expected success, got %v", err)
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
if exists {
t.Errorf("expected exists = false")
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if fcmd.CombinedOutputCalls != 3 {
t.Errorf("expected 3 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
Clean up IPTables caps i.e.: sed -i "s/Iptables/IPTables/g"
2016-08-27 03:06:15 +00:00
cmd := getIPTablesCommand(protocol)
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if !sets.NewString(fcmd.CombinedOutputLog[2]...).HasAll(cmd, "-t", "nat", "-N", "FOOBAR") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[2])
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
// Exists.
exists, err = runner.EnsureChain(TableNAT, Chain("FOOBAR"))
if err != nil {
Clean up error logs. Use %v for errors, tidy some messages, make error messages start lowe-case (as per go guidelines). Just accumulated nits.
2014-11-20 10:00:36 +00:00
t.Errorf("expected success, got %v", err)
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
if !exists {
t.Errorf("expected exists = true")
}
// Failure.
_, err = runner.EnsureChain(TableNAT, Chain("FOOBAR"))
if err == nil {
t.Errorf("expected failure")
}
}
Initial ipv6 / iptables work
2014-11-03 16:04:42 +00:00
func TestEnsureChainIpv4(t *testing.T) {
testEnsureChain(t, ProtocolIpv4)
}
func TestEnsureChainIpv6(t *testing.T) {
testEnsureChain(t, ProtocolIpv6)
}
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
func TestFlushChain(t *testing.T) {
Add support for git volumes.
2014-10-21 23:23:05 +00:00
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
Check iptables for -C flag at construct time Also, reorganize the code a bit in preparation for checking for another flag as well. And, if semver.NewVersion() returns an error, it means there's a bug in the code somewhere (we should only ever be passing it valid version strings), so just log that error rather than returning it to the caller.
2015-08-26 14:08:37 +00:00
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.9.22"), nil },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func() ([]byte, error) { return []byte("iptables-restore v1.9.22"), nil },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
// Success.
func() ([]byte, error) { return []byte{}, nil },
// Failure.
Correcting all go vet errors
2015-08-08 01:52:23 +00:00
func() ([]byte, error) { return nil, &exec.FakeExitError{Status: 1} },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
},
}
Add support for git volumes.
2014-10-21 23:23:05 +00:00
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Check iptables for -C flag at construct time Also, reorganize the code a bit in preparation for checking for another flag as well. And, if semver.NewVersion() returns an error, it means there's a bug in the code somewhere (we should only ever be passing it valid version strings), so just log that error rather than returning it to the caller.
2015-08-26 14:08:37 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
},
}
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
runner := New(&fexec, dbus.NewFake(nil, nil), ProtocolIpv4)
defer runner.Destroy()
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
// Success.
err := runner.FlushChain(TableNAT, Chain("FOOBAR"))
if err != nil {
Clean up error logs. Use %v for errors, tidy some messages, make error messages start lowe-case (as per go guidelines). Just accumulated nits.
2014-11-20 10:00:36 +00:00
t.Errorf("expected success, got %v", err)
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if fcmd.CombinedOutputCalls != 3 {
t.Errorf("expected 3 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if !sets.NewString(fcmd.CombinedOutputLog[2]...).HasAll("iptables", "-t", "nat", "-F", "FOOBAR") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[2])
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
// Failure.
err = runner.FlushChain(TableNAT, Chain("FOOBAR"))
if err == nil {
t.Errorf("expected failure")
}
}
Split portals into host and container After this DNS is resolvable from the host, if the DNS server is targetted explicitly. This does NOT add the cluster DNS to the host's resolv.conf. That is a larger problem, with distro-specific tie-ins and circular deps.
2014-11-28 07:54:55 +00:00
func TestDeleteChain(t *testing.T) {
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
Check iptables for -C flag at construct time Also, reorganize the code a bit in preparation for checking for another flag as well. And, if semver.NewVersion() returns an error, it means there's a bug in the code somewhere (we should only ever be passing it valid version strings), so just log that error rather than returning it to the caller.
2015-08-26 14:08:37 +00:00
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.9.22"), nil },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func() ([]byte, error) { return []byte("iptables-restore v1.9.22"), nil },
Split portals into host and container After this DNS is resolvable from the host, if the DNS server is targetted explicitly. This does NOT add the cluster DNS to the host's resolv.conf. That is a larger problem, with distro-specific tie-ins and circular deps.
2014-11-28 07:54:55 +00:00
// Success.
func() ([]byte, error) { return []byte{}, nil },
// Failure.
Correcting all go vet errors
2015-08-08 01:52:23 +00:00
func() ([]byte, error) { return nil, &exec.FakeExitError{Status: 1} },
Split portals into host and container After this DNS is resolvable from the host, if the DNS server is targetted explicitly. This does NOT add the cluster DNS to the host's resolv.conf. That is a larger problem, with distro-specific tie-ins and circular deps.
2014-11-28 07:54:55 +00:00
},
}
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Check iptables for -C flag at construct time Also, reorganize the code a bit in preparation for checking for another flag as well. And, if semver.NewVersion() returns an error, it means there's a bug in the code somewhere (we should only ever be passing it valid version strings), so just log that error rather than returning it to the caller.
2015-08-26 14:08:37 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Split portals into host and container After this DNS is resolvable from the host, if the DNS server is targetted explicitly. This does NOT add the cluster DNS to the host's resolv.conf. That is a larger problem, with distro-specific tie-ins and circular deps.
2014-11-28 07:54:55 +00:00
},
}
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
runner := New(&fexec, dbus.NewFake(nil, nil), ProtocolIpv4)
defer runner.Destroy()
Split portals into host and container After this DNS is resolvable from the host, if the DNS server is targetted explicitly. This does NOT add the cluster DNS to the host's resolv.conf. That is a larger problem, with distro-specific tie-ins and circular deps.
2014-11-28 07:54:55 +00:00
// Success.
err := runner.DeleteChain(TableNAT, Chain("FOOBAR"))
if err != nil {
t.Errorf("expected success, got %v", err)
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if fcmd.CombinedOutputCalls != 3 {
t.Errorf("expected 3 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
Split portals into host and container After this DNS is resolvable from the host, if the DNS server is targetted explicitly. This does NOT add the cluster DNS to the host's resolv.conf. That is a larger problem, with distro-specific tie-ins and circular deps.
2014-11-28 07:54:55 +00:00
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if !sets.NewString(fcmd.CombinedOutputLog[2]...).HasAll("iptables", "-t", "nat", "-X", "FOOBAR") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[2])
Split portals into host and container After this DNS is resolvable from the host, if the DNS server is targetted explicitly. This does NOT add the cluster DNS to the host's resolv.conf. That is a larger problem, with distro-specific tie-ins and circular deps.
2014-11-28 07:54:55 +00:00
}
// Failure.
err = runner.DeleteChain(TableNAT, Chain("FOOBAR"))
if err == nil {
t.Errorf("expected failure")
}
}
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
func TestEnsureRuleAlreadyExists(t *testing.T) {
Add support for git volumes.
2014-10-21 23:23:05 +00:00
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.9.22"), nil },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func() ([]byte, error) { return []byte("iptables-restore v1.9.22"), nil },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
// Success.
func() ([]byte, error) { return []byte{}, nil },
},
}
Add support for git volumes.
2014-10-21 23:23:05 +00:00
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// iptables version check
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// The second Command() call is checking the rule. Success of that exec means "done".
Add support for git volumes.
2014-10-21 23:23:05 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
},
}
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
runner := New(&fexec, dbus.NewFake(nil, nil), ProtocolIpv4)
defer runner.Destroy()
Proxy infrastructure for NodePorts A service with a NodePort set will listen on that port, on every node. This is both handy for some load balancers (AWS ELB) and for people that want to expose a service without using a load balancer.
2015-05-22 21:19:45 +00:00
exists, err := runner.EnsureRule(Append, TableNAT, ChainOutput, "abc", "123")
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
if err != nil {
Clean up error logs. Use %v for errors, tidy some messages, make error messages start lowe-case (as per go guidelines). Just accumulated nits.
2014-11-20 10:00:36 +00:00
t.Errorf("expected success, got %v", err)
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
if !exists {
t.Errorf("expected exists = true")
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if fcmd.CombinedOutputCalls != 3 {
t.Errorf("expected 3 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if !sets.NewString(fcmd.CombinedOutputLog[2]...).HasAll("iptables", "-t", "nat", "-C", "OUTPUT", "abc", "123") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[2])
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
}
func TestEnsureRuleNew(t *testing.T) {
Add support for git volumes.
2014-10-21 23:23:05 +00:00
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.9.22"), nil },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func() ([]byte, error) { return []byte("iptables-restore v1.9.22"), nil },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
// Status 1 on the first call.
Correcting all go vet errors
2015-08-08 01:52:23 +00:00
func() ([]byte, error) { return nil, &exec.FakeExitError{Status: 1} },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
// Success on the second call.
func() ([]byte, error) { return []byte{}, nil },
},
}
Add support for git volumes.
2014-10-21 23:23:05 +00:00
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// iptables version check
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// The second Command() call is checking the rule. Failure of that means create it.
Add support for git volumes.
2014-10-21 23:23:05 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
},
}
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
runner := New(&fexec, dbus.NewFake(nil, nil), ProtocolIpv4)
defer runner.Destroy()
Proxy infrastructure for NodePorts A service with a NodePort set will listen on that port, on every node. This is both handy for some load balancers (AWS ELB) and for people that want to expose a service without using a load balancer.
2015-05-22 21:19:45 +00:00
exists, err := runner.EnsureRule(Append, TableNAT, ChainOutput, "abc", "123")
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
if err != nil {
Clean up error logs. Use %v for errors, tidy some messages, make error messages start lowe-case (as per go guidelines). Just accumulated nits.
2014-11-20 10:00:36 +00:00
t.Errorf("expected success, got %v", err)
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
if exists {
t.Errorf("expected exists = false")
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if fcmd.CombinedOutputCalls != 4 {
t.Errorf("expected 4 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if !sets.NewString(fcmd.CombinedOutputLog[3]...).HasAll("iptables", "-t", "nat", "-A", "OUTPUT", "abc", "123") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[3])
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
}
func TestEnsureRuleErrorChecking(t *testing.T) {
Add support for git volumes.
2014-10-21 23:23:05 +00:00
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.9.22"), nil },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func() ([]byte, error) { return []byte("iptables-restore v1.9.22"), nil },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
// Status 2 on the first call.
Correcting all go vet errors
2015-08-08 01:52:23 +00:00
func() ([]byte, error) { return nil, &exec.FakeExitError{Status: 2} },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
},
}
Add support for git volumes.
2014-10-21 23:23:05 +00:00
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// iptables version check
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// The second Command() call is checking the rule. Failure of that means create it.
Add support for git volumes.
2014-10-21 23:23:05 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
},
}
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
runner := New(&fexec, dbus.NewFake(nil, nil), ProtocolIpv4)
defer runner.Destroy()
Proxy infrastructure for NodePorts A service with a NodePort set will listen on that port, on every node. This is both handy for some load balancers (AWS ELB) and for people that want to expose a service without using a load balancer.
2015-05-22 21:19:45 +00:00
_, err := runner.EnsureRule(Append, TableNAT, ChainOutput, "abc", "123")
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
if err == nil {
t.Errorf("expected failure")
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if fcmd.CombinedOutputCalls != 3 {
t.Errorf("expected 3 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
}
func TestEnsureRuleErrorCreating(t *testing.T) {
Add support for git volumes.
2014-10-21 23:23:05 +00:00
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.9.22"), nil },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func() ([]byte, error) { return []byte("iptables-restore v1.9.22"), nil },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
// Status 1 on the first call.
Correcting all go vet errors
2015-08-08 01:52:23 +00:00
func() ([]byte, error) { return nil, &exec.FakeExitError{Status: 1} },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
// Status 1 on the second call.
Correcting all go vet errors
2015-08-08 01:52:23 +00:00
func() ([]byte, error) { return nil, &exec.FakeExitError{Status: 1} },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
},
}
Add support for git volumes.
2014-10-21 23:23:05 +00:00
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// iptables version check
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// The second Command() call is checking the rule. Failure of that means create it.
Add support for git volumes.
2014-10-21 23:23:05 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
},
}
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
runner := New(&fexec, dbus.NewFake(nil, nil), ProtocolIpv4)
defer runner.Destroy()
Proxy infrastructure for NodePorts A service with a NodePort set will listen on that port, on every node. This is both handy for some load balancers (AWS ELB) and for people that want to expose a service without using a load balancer.
2015-05-22 21:19:45 +00:00
_, err := runner.EnsureRule(Append, TableNAT, ChainOutput, "abc", "123")
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
if err == nil {
t.Errorf("expected failure")
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if fcmd.CombinedOutputCalls != 4 {
t.Errorf("expected 4 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
}
func TestDeleteRuleAlreadyExists(t *testing.T) {
Add support for git volumes.
2014-10-21 23:23:05 +00:00
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.9.22"), nil },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func() ([]byte, error) { return []byte("iptables-restore v1.9.22"), nil },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
// Status 1 on the first call.
Correcting all go vet errors
2015-08-08 01:52:23 +00:00
func() ([]byte, error) { return nil, &exec.FakeExitError{Status: 1} },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
},
}
Add support for git volumes.
2014-10-21 23:23:05 +00:00
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// iptables version check
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// The second Command() call is checking the rule. Failure of that exec means "does not exist".
Add support for git volumes.
2014-10-21 23:23:05 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
},
}
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
runner := New(&fexec, dbus.NewFake(nil, nil), ProtocolIpv4)
defer runner.Destroy()
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
err := runner.DeleteRule(TableNAT, ChainOutput, "abc", "123")
if err != nil {
Clean up error logs. Use %v for errors, tidy some messages, make error messages start lowe-case (as per go guidelines). Just accumulated nits.
2014-11-20 10:00:36 +00:00
t.Errorf("expected success, got %v", err)
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if fcmd.CombinedOutputCalls != 3 {
t.Errorf("expected 3 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if !sets.NewString(fcmd.CombinedOutputLog[2]...).HasAll("iptables", "-t", "nat", "-C", "OUTPUT", "abc", "123") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[2])
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
}
func TestDeleteRuleNew(t *testing.T) {
Add support for git volumes.
2014-10-21 23:23:05 +00:00
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.9.22"), nil },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func() ([]byte, error) { return []byte("iptables-restore v1.9.22"), nil },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
// Success on the first call.
func() ([]byte, error) { return []byte{}, nil },
// Success on the second call.
func() ([]byte, error) { return []byte{}, nil },
},
}
Add support for git volumes.
2014-10-21 23:23:05 +00:00
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// iptables version check
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// The second Command() call is checking the rule. Success of that means delete it.
Add support for git volumes.
2014-10-21 23:23:05 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
},
}
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
runner := New(&fexec, dbus.NewFake(nil, nil), ProtocolIpv4)
defer runner.Destroy()
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
err := runner.DeleteRule(TableNAT, ChainOutput, "abc", "123")
if err != nil {
Clean up error logs. Use %v for errors, tidy some messages, make error messages start lowe-case (as per go guidelines). Just accumulated nits.
2014-11-20 10:00:36 +00:00
t.Errorf("expected success, got %v", err)
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if fcmd.CombinedOutputCalls != 4 {
t.Errorf("expected 4 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if !sets.NewString(fcmd.CombinedOutputLog[3]...).HasAll("iptables", "-t", "nat", "-D", "OUTPUT", "abc", "123") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[3])
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
}
func TestDeleteRuleErrorChecking(t *testing.T) {
Add support for git volumes.
2014-10-21 23:23:05 +00:00
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.9.22"), nil },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func() ([]byte, error) { return []byte("iptables-restore v1.9.22"), nil },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
// Status 2 on the first call.
Correcting all go vet errors
2015-08-08 01:52:23 +00:00
func() ([]byte, error) { return nil, &exec.FakeExitError{Status: 2} },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
},
}
Add support for git volumes.
2014-10-21 23:23:05 +00:00
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// iptables version check
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// The second Command() call is checking the rule. Failure of that means create it.
Add support for git volumes.
2014-10-21 23:23:05 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
},
}
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
runner := New(&fexec, dbus.NewFake(nil, nil), ProtocolIpv4)
defer runner.Destroy()
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
err := runner.DeleteRule(TableNAT, ChainOutput, "abc", "123")
if err == nil {
t.Errorf("expected failure")
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if fcmd.CombinedOutputCalls != 3 {
t.Errorf("expected 3 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
}
func TestDeleteRuleErrorCreating(t *testing.T) {
Add support for git volumes.
2014-10-21 23:23:05 +00:00
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.9.22"), nil },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func() ([]byte, error) { return []byte("iptables-restore v1.9.22"), nil },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
// Success on the first call.
func() ([]byte, error) { return []byte{}, nil },
// Status 1 on the second call.
Correcting all go vet errors
2015-08-08 01:52:23 +00:00
func() ([]byte, error) { return nil, &exec.FakeExitError{Status: 1} },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
},
}
Add support for git volumes.
2014-10-21 23:23:05 +00:00
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// iptables version check
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
// The second Command() call is checking the rule. Success of that means delete it.
Add support for git volumes.
2014-10-21 23:23:05 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
},
}
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
runner := New(&fexec, dbus.NewFake(nil, nil), ProtocolIpv4)
defer runner.Destroy()
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
err := runner.DeleteRule(TableNAT, ChainOutput, "abc", "123")
if err == nil {
t.Errorf("expected failure")
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if fcmd.CombinedOutputCalls != 4 {
t.Errorf("expected 4 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
}
}
Clean up IPTables caps i.e.: sed -i "s/Iptables/IPTables/g"
2016-08-27 03:06:15 +00:00
func TestGetIPTablesHasCheckCommand(t *testing.T) {
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
testCases := []struct {
Version string
Err bool
Expected bool
}{
{"iptables v1.4.7", false, false},
{"iptables v1.4.11", false, true},
{"iptables v1.4.19.1", false, true},
{"iptables v2.0.0", false, true},
{"total junk", true, false},
}
for _, testCase := range testCases {
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
func() ([]byte, error) { return []byte(testCase.Version), nil },
},
}
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
},
}
Clean up IPTables caps i.e.: sed -i "s/Iptables/IPTables/g"
2016-08-27 03:06:15 +00:00
version, err := getIPTablesVersionString(&fexec)
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
if (err != nil) != testCase.Err {
t.Errorf("Expected error: %v, Got error: %v", testCase.Err, err)
}
Check iptables for -C flag at construct time Also, reorganize the code a bit in preparation for checking for another flag as well. And, if semver.NewVersion() returns an error, it means there's a bug in the code somewhere (we should only ever be passing it valid version strings), so just log that error rather than returning it to the caller.
2015-08-26 14:08:37 +00:00
if err == nil {
Clean up IPTables caps i.e.: sed -i "s/Iptables/IPTables/g"
2016-08-27 03:06:15 +00:00
check := getIPTablesHasCheckCommand(version)
Check iptables for -C flag at construct time Also, reorganize the code a bit in preparation for checking for another flag as well. And, if semver.NewVersion() returns an error, it means there's a bug in the code somewhere (we should only ever be passing it valid version strings), so just log that error rather than returning it to the caller.
2015-08-26 14:08:37 +00:00
if testCase.Expected != check {
t.Errorf("Expected result: %v, Got result: %v", testCase.Expected, check)
}
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
}
}
}
func TestCheckRuleWithoutCheckPresent(t *testing.T) {
iptables_save_output := `# Generated by iptables-save v1.4.7 on Wed Oct 29 14:56:01 2014
*nat
:PREROUTING ACCEPT [2136997:197881818]
:POSTROUTING ACCEPT [4284525:258542680]
:OUTPUT ACCEPT [5901660:357267963]
Better compat with very old iptables Older iptables expanded things like 0x4000 into 0x00004000, which defeats the fallback "check" logic.
2016-11-29 01:44:06 +00:00
-A PREROUTING -m addrtype --dst-type LOCAL -m mark --mark 0x00004000/0x00004000 -j DOCKER
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
COMMIT
# Completed on Wed Oct 29 14:56:01 2014`
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
// Success.
func() ([]byte, error) { return []byte(iptables_save_output), nil },
},
}
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
// The first Command() call is checking the rule. Success of that exec means "done".
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
},
}
runner := &runner{exec: &fexec}
Better compat with very old iptables Older iptables expanded things like 0x4000 into 0x00004000, which defeats the fallback "check" logic.
2016-11-29 01:44:06 +00:00
exists, err := runner.checkRuleWithoutCheck(
TableNAT, ChainPrerouting,
"-m", "addrtype",
"-m", "mark", "--mark", "0x4000/0x4000",
"-j", "DOCKER",
"--dst-type", "LOCAL")
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
if err != nil {
Clean up error logs. Use %v for errors, tidy some messages, make error messages start lowe-case (as per go guidelines). Just accumulated nits.
2014-11-20 10:00:36 +00:00
t.Errorf("expected success, got %v", err)
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
}
if !exists {
t.Errorf("expected exists = true")
}
if fcmd.CombinedOutputCalls != 1 {
t.Errorf("expected 1 CombinedOutput() call, got %d", fcmd.CombinedOutputCalls)
}
Move util.StringSet into its own package A lot of packages use StringSet, but they don't use anything else from the util package. Moving StringSet into another package will shrink their dependency trees significantly.
2015-09-09 17:45:01 +00:00
if !sets.NewString(fcmd.CombinedOutputLog[0]...).HasAll("iptables-save", "-t", "nat") {
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[0])
}
}
func TestCheckRuleWithoutCheckAbsent(t *testing.T) {
iptables_save_output := `# Generated by iptables-save v1.4.7 on Wed Oct 29 14:56:01 2014
*nat
:PREROUTING ACCEPT [2136997:197881818]
:POSTROUTING ACCEPT [4284525:258542680]
:OUTPUT ACCEPT [5901660:357267963]
Add Save, SaveAll, Restore, RestoreAll to pkg/util/iptables Adds utility wrappers for `iptables-save` and `iptables-restore` to the iptables Interface in pkg/util/iptables. Also const’s command strings.
2015-08-07 20:54:48 +00:00
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
COMMIT
# Completed on Wed Oct 29 14:56:01 2014`
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
// Success.
func() ([]byte, error) { return []byte(iptables_save_output), nil },
},
}
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
// The first Command() call is checking the rule. Success of that exec means "done".
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
},
}
runner := &runner{exec: &fexec}
exists, err := runner.checkRuleWithoutCheck(TableNAT, ChainPrerouting, "-m", "addrtype", "-j", "DOCKER")
if err != nil {
Clean up error logs. Use %v for errors, tidy some messages, make error messages start lowe-case (as per go guidelines). Just accumulated nits.
2014-11-20 10:00:36 +00:00
t.Errorf("expected success, got %v", err)
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
}
if exists {
t.Errorf("expected exists = false")
}
if fcmd.CombinedOutputCalls != 1 {
t.Errorf("expected 1 CombinedOutput() call, got %d", fcmd.CombinedOutputCalls)
}
Move util.StringSet into its own package A lot of packages use StringSet, but they don't use anything else from the util package. Moving StringSet into another package will shrink their dependency trees significantly.
2015-09-09 17:45:01 +00:00
if !sets.NewString(fcmd.CombinedOutputLog[0]...).HasAll("iptables-save", "-t", "nat") {
Allow proxy to run on systems with iptables <1.4.11
2014-11-11 00:53:26 +00:00
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[0])
Add a pkg for iptables support This makes iptables an injectable dependency. The test for this started off simple, but got a bit out of hand. It's starting to become a mocking framework.
2014-09-22 06:58:11 +00:00
}
}
Use iptables --wait flag if available Use iptables --wait (if available) to avoid race conditions with util.iptables failing if it tries to modify the tables at the same time as another process.
2015-08-03 17:39:45 +00:00
Clean up IPTables caps i.e.: sed -i "s/Iptables/IPTables/g"
2016-08-27 03:06:15 +00:00
func TestIPTablesWaitFlag(t *testing.T) {
Use iptables --wait flag if available Use iptables --wait (if available) to avoid race conditions with util.iptables failing if it tries to modify the tables at the same time as another process.
2015-08-03 17:39:45 +00:00
testCases := []struct {
Version string
Result string
}{
{"0.55.55", ""},
{"1.0.55", ""},
{"1.4.19", ""},
{"1.4.20", "-w"},
{"1.4.21", "-w"},
{"1.4.22", "-w2"},
{"1.5.0", "-w2"},
{"2.0.0", "-w2"},
}
for _, testCase := range testCases {
Clean up IPTables caps i.e.: sed -i "s/Iptables/IPTables/g"
2016-08-27 03:06:15 +00:00
result := getIPTablesWaitFlag(testCase.Version)
Use iptables --wait flag if available Use iptables --wait (if available) to avoid race conditions with util.iptables failing if it tries to modify the tables at the same time as another process.
2015-08-03 17:39:45 +00:00
if strings.Join(result, "") != testCase.Result {
t.Errorf("For %s expected %v got %v", testCase.Version, testCase.Result, result)
}
}
}
func TestWaitFlagUnavailable(t *testing.T) {
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.4.19"), nil },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func() ([]byte, error) { return []byte("iptables-restore v1.9.22"), nil },
Use iptables --wait flag if available Use iptables --wait (if available) to avoid race conditions with util.iptables failing if it tries to modify the tables at the same time as another process.
2015-08-03 17:39:45 +00:00
// Success.
func() ([]byte, error) { return []byte{}, nil },
},
}
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables version check
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
// iptables-restore version check
Use iptables --wait flag if available Use iptables --wait (if available) to avoid race conditions with util.iptables failing if it tries to modify the tables at the same time as another process.
2015-08-03 17:39:45 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
},
}
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
runner := New(&fexec, dbus.NewFake(nil, nil), ProtocolIpv4)
defer runner.Destroy()
Use iptables --wait flag if available Use iptables --wait (if available) to avoid race conditions with util.iptables failing if it tries to modify the tables at the same time as another process.
2015-08-03 17:39:45 +00:00
err := runner.DeleteChain(TableNAT, Chain("FOOBAR"))
if err != nil {
t.Errorf("expected success, got %v", err)
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if fcmd.CombinedOutputCalls != 3 {
t.Errorf("expected 3 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
Use iptables --wait flag if available Use iptables --wait (if available) to avoid race conditions with util.iptables failing if it tries to modify the tables at the same time as another process.
2015-08-03 17:39:45 +00:00
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if sets.NewString(fcmd.CombinedOutputLog[2]...).HasAny("-w", "-w2") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[2])
Use iptables --wait flag if available Use iptables --wait (if available) to avoid race conditions with util.iptables failing if it tries to modify the tables at the same time as another process.
2015-08-03 17:39:45 +00:00
}
}
func TestWaitFlagOld(t *testing.T) {
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.4.20"), nil },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func() ([]byte, error) { return []byte("iptables-restore v1.9.22"), nil },
Use iptables --wait flag if available Use iptables --wait (if available) to avoid race conditions with util.iptables failing if it tries to modify the tables at the same time as another process.
2015-08-03 17:39:45 +00:00
// Success.
func() ([]byte, error) { return []byte{}, nil },
},
}
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Use iptables --wait flag if available Use iptables --wait (if available) to avoid race conditions with util.iptables failing if it tries to modify the tables at the same time as another process.
2015-08-03 17:39:45 +00:00
},
}
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
runner := New(&fexec, dbus.NewFake(nil, nil), ProtocolIpv4)
defer runner.Destroy()
Use iptables --wait flag if available Use iptables --wait (if available) to avoid race conditions with util.iptables failing if it tries to modify the tables at the same time as another process.
2015-08-03 17:39:45 +00:00
err := runner.DeleteChain(TableNAT, Chain("FOOBAR"))
if err != nil {
t.Errorf("expected success, got %v", err)
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if fcmd.CombinedOutputCalls != 3 {
t.Errorf("expected 3 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
Use iptables --wait flag if available Use iptables --wait (if available) to avoid race conditions with util.iptables failing if it tries to modify the tables at the same time as another process.
2015-08-03 17:39:45 +00:00
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if !sets.NewString(fcmd.CombinedOutputLog[2]...).HasAll("iptables", "-w") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[2])
Use iptables --wait flag if available Use iptables --wait (if available) to avoid race conditions with util.iptables failing if it tries to modify the tables at the same time as another process.
2015-08-03 17:39:45 +00:00
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if sets.NewString(fcmd.CombinedOutputLog[2]...).HasAny("-w2") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[2])
Use iptables --wait flag if available Use iptables --wait (if available) to avoid race conditions with util.iptables failing if it tries to modify the tables at the same time as another process.
2015-08-03 17:39:45 +00:00
}
}
func TestWaitFlagNew(t *testing.T) {
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.4.22"), nil },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func() ([]byte, error) { return []byte("iptables-restore v1.9.22"), nil },
Use iptables --wait flag if available Use iptables --wait (if available) to avoid race conditions with util.iptables failing if it tries to modify the tables at the same time as another process.
2015-08-03 17:39:45 +00:00
// Success.
func() ([]byte, error) { return []byte{}, nil },
},
}
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Use iptables --wait flag if available Use iptables --wait (if available) to avoid race conditions with util.iptables failing if it tries to modify the tables at the same time as another process.
2015-08-03 17:39:45 +00:00
},
}
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
runner := New(&fexec, dbus.NewFake(nil, nil), ProtocolIpv4)
defer runner.Destroy()
Use iptables --wait flag if available Use iptables --wait (if available) to avoid race conditions with util.iptables failing if it tries to modify the tables at the same time as another process.
2015-08-03 17:39:45 +00:00
err := runner.DeleteChain(TableNAT, Chain("FOOBAR"))
if err != nil {
t.Errorf("expected success, got %v", err)
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if fcmd.CombinedOutputCalls != 3 {
t.Errorf("expected 3 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
Use iptables --wait flag if available Use iptables --wait (if available) to avoid race conditions with util.iptables failing if it tries to modify the tables at the same time as another process.
2015-08-03 17:39:45 +00:00
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if !sets.NewString(fcmd.CombinedOutputLog[2]...).HasAll("iptables", "-w2") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[2])
Use iptables --wait flag if available Use iptables --wait (if available) to avoid race conditions with util.iptables failing if it tries to modify the tables at the same time as another process.
2015-08-03 17:39:45 +00:00
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if sets.NewString(fcmd.CombinedOutputLog[2]...).HasAny("-w") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[2])
Use iptables --wait flag if available Use iptables --wait (if available) to avoid race conditions with util.iptables failing if it tries to modify the tables at the same time as another process.
2015-08-03 17:39:45 +00:00
}
}
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
func TestReload(t *testing.T) {
dbusConn := dbus.NewFakeConnection()
dbusConn.SetBusObject(func(method string, args ...interface{}) ([]interface{}, error) { return nil, nil })
dbusConn.AddObject(firewalldName, firewalldPath, func(method string, args ...interface{}) ([]interface{}, error) { return nil, nil })
fdbus := dbus.NewFake(dbusConn, nil)
reloaded := make(chan bool, 2)
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.4.22"), nil },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func() ([]byte, error) { return []byte("iptables-restore v1.9.22"), nil },
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
// first reload
// EnsureChain
func() ([]byte, error) { return []byte{}, nil },
// EnsureRule abc check
fix a few go-vet errors
2016-02-09 21:20:31 +00:00
func() ([]byte, error) { return []byte{}, &exec.FakeExitError{Status: 1} },
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
// EnsureRule abc
func() ([]byte, error) { return []byte{}, nil },
// second reload
// EnsureChain
func() ([]byte, error) { return []byte{}, nil },
// EnsureRule abc check
fix a few go-vet errors
2016-02-09 21:20:31 +00:00
func() ([]byte, error) { return []byte{}, &exec.FakeExitError{Status: 1} },
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
// EnsureRule abc
func() ([]byte, error) { return []byte{}, nil },
},
}
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
},
}
runner := New(&fexec, fdbus, ProtocolIpv4)
defer runner.Destroy()
runner.AddReloadFunc(func() {
exists, err := runner.EnsureChain(TableNAT, Chain("FOOBAR"))
if err != nil {
t.Errorf("expected success, got %v", err)
}
if exists {
t.Errorf("expected exists = false")
}
reloaded <- true
})
runner.AddReloadFunc(func() {
exists, err := runner.EnsureRule(Append, TableNAT, ChainOutput, "abc", "123")
if err != nil {
t.Errorf("expected success, got %v", err)
}
if exists {
t.Errorf("expected exists = false")
}
reloaded <- true
})
dbusConn.EmitSignal("org.freedesktop.DBus", "/org/freedesktop/DBus", "org.freedesktop.DBus", "NameOwnerChanged", firewalldName, "", ":1.1")
<-reloaded
<-reloaded
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if fcmd.CombinedOutputCalls != 5 {
t.Errorf("expected 5 CombinedOutput() calls total, got %d", fcmd.CombinedOutputCalls)
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if !sets.NewString(fcmd.CombinedOutputLog[2]...).HasAll("iptables", "-t", "nat", "-N", "FOOBAR") {
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[2])
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if !sets.NewString(fcmd.CombinedOutputLog[3]...).HasAll("iptables", "-t", "nat", "-C", "OUTPUT", "abc", "123") {
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[3])
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if !sets.NewString(fcmd.CombinedOutputLog[4]...).HasAll("iptables", "-t", "nat", "-A", "OUTPUT", "abc", "123") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[4])
}
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
go func() { time.Sleep(time.Second / 100); reloaded <- true }()
dbusConn.EmitSignal(firewalldName, firewalldPath, firewalldInterface, "DefaultZoneChanged", "public")
dbusConn.EmitSignal("org.freedesktop.DBus", "/org/freedesktop/DBus", "org.freedesktop.DBus", "NameOwnerChanged", "io.k8s.Something", "", ":1.1")
<-reloaded
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if fcmd.CombinedOutputCalls != 5 {
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
t.Errorf("Incorrect signal caused a reload")
}
dbusConn.EmitSignal(firewalldName, firewalldPath, firewalldInterface, "Reloaded")
<-reloaded
<-reloaded
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if fcmd.CombinedOutputCalls != 8 {
t.Errorf("expected 8 CombinedOutput() calls total, got %d", fcmd.CombinedOutputCalls)
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if !sets.NewString(fcmd.CombinedOutputLog[5]...).HasAll("iptables", "-t", "nat", "-N", "FOOBAR") {
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[5])
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if !sets.NewString(fcmd.CombinedOutputLog[6]...).HasAll("iptables", "-t", "nat", "-C", "OUTPUT", "abc", "123") {
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[6])
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if !sets.NewString(fcmd.CombinedOutputLog[7]...).HasAll("iptables", "-t", "nat", "-A", "OUTPUT", "abc", "123") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[7])
}
Watch for firewalld restart, to allow reloading iptables rules
2015-08-14 16:36:15 +00:00
}
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
func TestSave(t *testing.T) {
output := `# Generated by iptables-save v1.6.0 on Thu Jan 19 11:38:09 2017
*filter
:INPUT ACCEPT [15079:38410730]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11045:521562]
COMMIT
# Completed on Thu Jan 19 11:38:09 2017`
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.9.22"), nil },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func() ([]byte, error) { return []byte("iptables-restore v1.9.22"), nil },
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
func() ([]byte, error) { return []byte(output), nil },
func() ([]byte, error) { return nil, &exec.FakeExitError{Status: 1} },
},
}
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
},
}
runner := New(&fexec, dbus.NewFake(nil, nil), ProtocolIpv4)
defer runner.Destroy()
// Success.
o, err := runner.Save(TableNAT)
if err != nil {
t.Fatalf("expected success, got %v", err)
}
if string(o[:len(output)]) != output {
t.Errorf("expected output to be equal to mocked one, got %v", o)
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if fcmd.CombinedOutputCalls != 3 {
t.Errorf("expected 3 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if !sets.NewString(fcmd.CombinedOutputLog[2]...).HasAll("iptables-save", "-t", "nat") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[2])
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
}
// Failure.
_, err = runner.Save(TableNAT)
if err == nil {
t.Errorf("expected failure")
}
}
func TestSaveAll(t *testing.T) {
output := `# Generated by iptables-save v1.6.0 on Thu Jan 19 11:38:09 2017
*filter
:INPUT ACCEPT [15079:38410730]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11045:521562]
COMMIT
# Completed on Thu Jan 19 11:38:09 2017`
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.9.22"), nil },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func() ([]byte, error) { return []byte("iptables-restore v1.9.22"), nil },
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
func() ([]byte, error) { return []byte(output), nil },
func() ([]byte, error) { return nil, &exec.FakeExitError{Status: 1} },
},
}
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
},
}
runner := New(&fexec, dbus.NewFake(nil, nil), ProtocolIpv4)
defer runner.Destroy()
// Success.
o, err := runner.SaveAll()
if err != nil {
t.Fatalf("expected success, got %v", err)
}
if string(o[:len(output)]) != output {
t.Errorf("expected output to be equal to mocked one, got %v", o)
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if fcmd.CombinedOutputCalls != 3 {
t.Errorf("expected 3 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if !sets.NewString(fcmd.CombinedOutputLog[2]...).HasAll("iptables-save") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[2])
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
}
// Failure.
_, err = runner.SaveAll()
if err == nil {
t.Errorf("expected failure")
}
}
func TestRestore(t *testing.T) {
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.9.22"), nil },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func() ([]byte, error) { return []byte("iptables-restore v1.9.22"), nil },
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
func() ([]byte, error) { return []byte{}, nil },
func() ([]byte, error) { return []byte{}, nil },
func() ([]byte, error) { return []byte{}, nil },
func() ([]byte, error) { return []byte{}, nil },
func() ([]byte, error) { return nil, &exec.FakeExitError{Status: 1} },
},
}
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
},
}
runner := New(&fexec, dbus.NewFake(nil, nil), ProtocolIpv4)
defer runner.Destroy()
// both flags true
err := runner.Restore(TableNAT, []byte{}, FlushTables, RestoreCounters)
if err != nil {
t.Errorf("expected success, got %v", err)
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
commandSet := sets.NewString(fcmd.CombinedOutputLog[2]...)
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
if !commandSet.HasAll("iptables-restore", "-T", string(TableNAT), "--counters") || commandSet.HasAny("--noflush") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[1])
}
// FlushTables, NoRestoreCounters
err = runner.Restore(TableNAT, []byte{}, FlushTables, NoRestoreCounters)
if err != nil {
t.Errorf("expected success, got %v", err)
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
commandSet = sets.NewString(fcmd.CombinedOutputLog[3]...)
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
if !commandSet.HasAll("iptables-restore", "-T", string(TableNAT)) || commandSet.HasAny("--noflush", "--counters") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[2])
}
// NoFlushTables, RestoreCounters
err = runner.Restore(TableNAT, []byte{}, NoFlushTables, RestoreCounters)
if err != nil {
t.Errorf("expected success, got %v", err)
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
commandSet = sets.NewString(fcmd.CombinedOutputLog[4]...)
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
if !commandSet.HasAll("iptables-restore", "-T", string(TableNAT), "--noflush", "--counters") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[3])
}
// NoFlushTables, NoRestoreCounters
err = runner.Restore(TableNAT, []byte{}, NoFlushTables, NoRestoreCounters)
if err != nil {
t.Errorf("expected success, got %v", err)
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
commandSet = sets.NewString(fcmd.CombinedOutputLog[5]...)
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
if !commandSet.HasAll("iptables-restore", "-T", string(TableNAT), "--noflush") || commandSet.HasAny("--counters") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[4])
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
if fcmd.CombinedOutputCalls != 6 {
t.Errorf("expected 6 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
}
// Failure.
err = runner.Restore(TableNAT, []byte{}, FlushTables, RestoreCounters)
if err == nil {
t.Errorf("expected failure")
}
}
// TestRestoreAll tests only the simplest use case, as flag handling code is already tested in TestRestore
func TestRestoreAll(t *testing.T) {
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.9.22"), nil },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// iptables-restore version check
func() ([]byte, error) { return []byte("iptables-restore v1.9.22"), nil },
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
func() ([]byte, error) { return []byte{}, nil },
func() ([]byte, error) { return nil, &exec.FakeExitError{Status: 1} },
},
}
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
},
}
runner := New(&fexec, dbus.NewFake(nil, nil), ProtocolIpv4)
defer runner.Destroy()
err := runner.RestoreAll([]byte{}, NoFlushTables, RestoreCounters)
if err != nil {
t.Errorf("expected success, got %v", err)
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
commandSet := sets.NewString(fcmd.CombinedOutputLog[2]...)
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
if !commandSet.HasAll("iptables-restore", "--counters", "--noflush") {
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[2])
}
if fcmd.CombinedOutputCalls != 3 {
t.Errorf("expected 3 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
}
// Failure.
err = runner.Restore(TableNAT, []byte{}, FlushTables, RestoreCounters)
if err == nil {
t.Errorf("expected failure")
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
}
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
}
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
util/iptables: check for and use new iptables-restore 'wait' argument iptables-restore did not previously perform any locking, meaning that when callers (like kube-proxy) asked iptables-restore to write large numbers of rules, the iptables-restore process might run in parallel with other 'iptables' invocations in kubelet (hostports), docker, and other software. This causes errors like: "CNI request failed with status 400: 'Failed to ensure that nat chain POSTROUTING jumps to MASQUERADE: error checking rule: exit status 4: iptables: Resource temporarily unavailable." or from Docker "Failed to allocate and map port 1095-1095: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1095 -j DNAT --to-destination 10.1.0.2:1095 ! -i lbr0: iptables: Resource temporarily unavailable.\n (exit status 4)" iptables-restore "wait" functionality was added in iptables git commit 999eaa241212d3952ddff39a99d0d55a74e3639e but is NOT YET in a released version of iptables. See also https://bugzilla.redhat.com/show_bug.cgi?id=1417234
2017-03-23 16:54:34 +00:00
// TestRestoreAllWait tests that the "wait" flag is passed to a compatible iptables-restore
func TestRestoreAllWait(t *testing.T) {
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.9.22"), nil },
// iptables-restore version check
func() ([]byte, error) { return []byte("iptables-restore v1.9.22"), nil },
func() ([]byte, error) { return []byte{}, nil },
func() ([]byte, error) { return nil, &exec.FakeExitError{Status: 1} },
},
}
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
},
}
runner := New(&fexec, dbus.NewFake(nil, nil), ProtocolIpv4)
defer runner.Destroy()
err := runner.RestoreAll([]byte{}, NoFlushTables, RestoreCounters)
if err != nil {
t.Errorf("expected success, got %v", err)
}
commandSet := sets.NewString(fcmd.CombinedOutputLog[2]...)
if !commandSet.HasAll("iptables-restore", "--wait=2", "--counters", "--noflush") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[2])
}
if fcmd.CombinedOutputCalls != 3 {
t.Errorf("expected 3 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
}
// Failure.
err = runner.Restore(TableNAT, []byte{}, FlushTables, RestoreCounters)
if err == nil {
t.Errorf("expected failure")
}
}
// TestRestoreAllWaitOldIptablesRestore tests that the "wait" flag is not passed
// to a in-compatible iptables-restore
func TestRestoreAllWaitOldIptablesRestore(t *testing.T) {
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.9.22"), nil },
// iptables-restore version check
func() ([]byte, error) { return []byte("unrecognized option: --version"), nil },
func() ([]byte, error) { return []byte{}, nil },
func() ([]byte, error) { return nil, &exec.FakeExitError{Status: 1} },
},
}
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
},
}
runner := New(&fexec, dbus.NewFake(nil, nil), ProtocolIpv4)
defer runner.Destroy()
err := runner.RestoreAll([]byte{}, NoFlushTables, RestoreCounters)
if err != nil {
t.Errorf("expected success, got %v", err)
}
commandSet := sets.NewString(fcmd.CombinedOutputLog[2]...)
if !commandSet.HasAll("iptables-restore", "--counters", "--noflush") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[2])
}
if commandSet.HasAny("--wait=2") {
t.Errorf("wrong CombinedOutput() log (unexpected --wait=2 option), got %s", fcmd.CombinedOutputLog[2])
}
if fcmd.CombinedOutputCalls != 3 {
t.Errorf("expected 3 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
pkg/util/iptables missing unit tests Added tests for Save, SaveAll, Restore and RestoreAll
2017-01-19 13:25:40 +00:00
}
// Failure.
err = runner.Restore(TableNAT, []byte{}, FlushTables, RestoreCounters)
if err == nil {
t.Errorf("expected failure")
}
}