github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #30727 from asalkeld/iptables-caps 

Automatic merge from submit-queue

Clean up IPTables caps i.e.: sed -i "s/Iptables/IPTables/g"

Fixes #30651
pull/6/head
Kubernetes Submit Queue 2016-09-06 09:01:27 -07:00 committed by GitHub
parent 34f3633b0b f785f3d3ef
commit 2a7d0df30d
13 changed files with 107 additions and 116 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
cmd/kube-proxy/app/server.go
View File

@ -68,14 +68,14 @@ type ProxyServer struct {
const (
proxyModeUserspace = "userspace"
proxyModeIptables = "iptables"
proxyModeIPTables = "iptables"
experimentalProxyModeAnnotation = options.ExperimentalProxyModeAnnotation
betaProxyModeAnnotation = "net.beta.kubernetes.io/proxy-mode"
)
func checkKnownProxyMode(proxyMode string) bool {
switch proxyMode {
case "", proxyModeUserspace, proxyModeIptables:
case "", proxyModeUserspace, proxyModeIPTables:
return true
}
return false
@ -199,18 +199,18 @@ func NewProxyServerDefault(config *options.ProxyServerConfig) (*ProxyServer, err
var endpointsHandler proxyconfig.EndpointsConfigHandler
proxyMode := getProxyMode(string(config.Mode), client.Nodes(), hostname, iptInterface, iptables.LinuxKernelCompatTester{})
if proxyMode == proxyModeIptables {
if proxyMode == proxyModeIPTables {
glog.V(0).Info("Using iptables Proxier.")
if config.IPTablesMasqueradeBit == nil {
// IPTablesMasqueradeBit must be specified or defaulted.
return nil, fmt.Errorf("Unable to read IPTablesMasqueradeBit from config")
}
proxierIptables, err := iptables.NewProxier(iptInterface, utilsysctl.New(), execer, config.IPTablesSyncPeriod.Duration, config.MasqueradeAll, int(*config.IPTablesMasqueradeBit), config.ClusterCIDR, hostname, getNodeIP(client, hostname))
proxierIPTables, err := iptables.NewProxier(iptInterface, utilsysctl.New(), execer, config.IPTablesSyncPeriod.Duration, config.MasqueradeAll, int(*config.IPTablesMasqueradeBit), config.ClusterCIDR, hostname, getNodeIP(client, hostname))
if err != nil {
glog.Fatalf("Unable to create proxier: %v", err)
}
proxier = proxierIptables
endpointsHandler = proxierIptables
proxier = proxierIPTables
endpointsHandler = proxierIPTables
// No turning back. Remove artifacts that might still exist from the userspace Proxier.
glog.V(0).Info("Tearing down userspace rules.")
userspace.CleanupLeftovers(iptInterface)
@ -350,28 +350,28 @@ type nodeGetter interface {
Get(hostname string) (*api.Node, error)
}
func getProxyMode(proxyMode string, client nodeGetter, hostname string, iptver iptables.IptablesVersioner, kcompat iptables.KernelCompatTester) string {
func getProxyMode(proxyMode string, client nodeGetter, hostname string, iptver iptables.IPTablesVersioner, kcompat iptables.KernelCompatTester) string {
if proxyMode == proxyModeUserspace {
return proxyModeUserspace
} else if proxyMode == proxyModeIptables {
return tryIptablesProxy(iptver, kcompat)
} else if proxyMode == proxyModeIPTables {
return tryIPTablesProxy(iptver, kcompat)
} else if proxyMode != "" {
glog.Warningf("Flag proxy-mode=%q unknown, assuming iptables proxy", proxyMode)
return tryIptablesProxy(iptver, kcompat)
return tryIPTablesProxy(iptver, kcompat)
}
// proxyMode == "" - choose the best option.
if client == nil {
glog.Errorf("nodeGetter is nil: assuming iptables proxy")
return tryIptablesProxy(iptver, kcompat)
return tryIPTablesProxy(iptver, kcompat)
}
node, err := client.Get(hostname)
if err != nil {
glog.Errorf("Can't get Node %q, assuming iptables proxy, err: %v", hostname, err)
return tryIptablesProxy(iptver, kcompat)
return tryIPTablesProxy(iptver, kcompat)
}
if node == nil {
glog.Errorf("Got nil Node %q, assuming iptables proxy", hostname)
return tryIptablesProxy(iptver, kcompat)
return tryIPTablesProxy(iptver, kcompat)
}
proxyMode, found := node.Annotations[betaProxyModeAnnotation]
if found {
@ -387,19 +387,19 @@ func getProxyMode(proxyMode string, client nodeGetter, hostname string, iptver i
glog.V(1).Infof("Annotation demands userspace proxy")
return proxyModeUserspace
}
return tryIptablesProxy(iptver, kcompat)
return tryIPTablesProxy(iptver, kcompat)
}
func tryIptablesProxy(iptver iptables.IptablesVersioner, kcompat iptables.KernelCompatTester) string {
func tryIPTablesProxy(iptver iptables.IPTablesVersioner, kcompat iptables.KernelCompatTester) string {
var err error
// guaranteed false on error, error only necessary for debugging
useIptablesProxy, err := iptables.CanUseIptablesProxier(iptver, kcompat)
useIPTablesProxy, err := iptables.CanUseIPTablesProxier(iptver, kcompat)
if err != nil {
glog.Errorf("Can't determine whether to use iptables proxy, using userspace proxier: %v", err)
return proxyModeUserspace
}
if useIptablesProxy {
return proxyModeIptables
if useIPTablesProxy {
return proxyModeIPTables
}
// Fallback.
glog.V(1).Infof("Can't use iptables proxy, using userspace proxier: %v", err)

26
cmd/kube-proxy/app/server_test.go
View File

@ -38,12 +38,12 @@ func (fake *fakeNodeInterface) Get(hostname string) (*api.Node, error) {
return &fake.node, nil
}
type fakeIptablesVersioner struct {
type fakeIPTablesVersioner struct {
version string // what to return
err error // what to return
}
func (fake *fakeIptablesVersioner) GetVersion() (string, error) {
func (fake *fakeIPTablesVersioner) GetVersion() (string, error) {
return fake.version, fake.err
}
@ -95,7 +95,7 @@ func Test_getProxyMode(t *testing.T) {
flag: "iptables",
iptablesVersion: iptables.MinCheckVersion,
kernelCompat: true,
expected: proxyModeIptables,
expected: proxyModeIPTables,
},
{ // detect, error
flag: "",
@ -117,7 +117,7 @@ func Test_getProxyMode(t *testing.T) {
flag: "",
iptablesVersion: iptables.MinCheckVersion,
kernelCompat: true,
expected: proxyModeIptables,
expected: proxyModeIPTables,
},
{ // annotation says userspace
flag: "",
@ -153,7 +153,7 @@ func Test_getProxyMode(t *testing.T) {
annotationVal: "iptables",
iptablesVersion: iptables.MinCheckVersion,
kernelCompat: true,
expected: proxyModeIptables,
expected: proxyModeIPTables,
},
{ // annotation says something else, version ok
flag: "",
@ -161,7 +161,7 @@ func Test_getProxyMode(t *testing.T) {
annotationVal: "other",
iptablesVersion: iptables.MinCheckVersion,
kernelCompat: true,
expected: proxyModeIptables,
expected: proxyModeIPTables,
},
{ // annotation says nothing, version ok
flag: "",
@ -169,7 +169,7 @@ func Test_getProxyMode(t *testing.T) {
annotationVal: "",
iptablesVersion: iptables.MinCheckVersion,
kernelCompat: true,
expected: proxyModeIptables,
expected: proxyModeIPTables,
},
{ // annotation says userspace
flag: "",
@ -205,7 +205,7 @@ func Test_getProxyMode(t *testing.T) {
annotationVal: "iptables",
iptablesVersion: iptables.MinCheckVersion,
kernelCompat: true,
expected: proxyModeIptables,
expected: proxyModeIPTables,
},
{ // annotation says something else, version ok
flag: "",
@ -213,7 +213,7 @@ func Test_getProxyMode(t *testing.T) {
annotationVal: "other",
iptablesVersion: iptables.MinCheckVersion,
kernelCompat: true,
expected: proxyModeIptables,
expected: proxyModeIPTables,
},
{ // annotation says nothing, version ok
flag: "",
@ -221,7 +221,7 @@ func Test_getProxyMode(t *testing.T) {
annotationVal: "",
iptablesVersion: iptables.MinCheckVersion,
kernelCompat: true,
expected: proxyModeIptables,
expected: proxyModeIPTables,
},
{ // flag says userspace, annotation disagrees
flag: "userspace",
@ -236,7 +236,7 @@ func Test_getProxyMode(t *testing.T) {
annotationVal: "userspace",
iptablesVersion: iptables.MinCheckVersion,
kernelCompat: true,
expected: proxyModeIptables,
expected: proxyModeIPTables,
},
{ // flag says userspace, annotation disagrees
flag: "userspace",
@ -251,13 +251,13 @@ func Test_getProxyMode(t *testing.T) {
annotationVal: "userspace",
iptablesVersion: iptables.MinCheckVersion,
kernelCompat: true,
expected: proxyModeIptables,
expected: proxyModeIPTables,
},
}
for i, c := range cases {
getter := &fakeNodeInterface{}
getter.node.Annotations = map[string]string{c.annotationKey: c.annotationVal}
versioner := &fakeIptablesVersioner{c.iptablesVersion, c.iptablesError}
versioner := &fakeIPTablesVersioner{c.iptablesVersion, c.iptablesError}
kcompater := &fakeKernelCompatTester{c.kernelCompat}
r := getProxyMode(c.flag, getter, "host", versioner, kcompater)
if r != c.expected {

11
pkg/kubelet/eviction/eviction_manager.go
View File

@ -98,12 +98,8 @@ func (m *managerImpl) Admit(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAd
return lifecycle.PodAdmitResult{Admit: true}
}
// Check the node conditions to identify the resource under pressure.
// The resource can only be either disk or memory; set the default to disk.
resource := api.ResourceStorage
if hasNodeCondition(m.nodeConditions, api.NodeMemoryPressure) {
resource = api.ResourceMemory
// the node has memory pressure, admit if not best-effort
if hasNodeCondition(m.nodeConditions, api.NodeMemoryPressure) {
notBestEffort := qos.BestEffort != qos.GetPodQOS(attrs.Pod)
if notBestEffort {
return lifecycle.PodAdmitResult{Admit: true}
@ -111,11 +107,11 @@ func (m *managerImpl) Admit(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAd
}
// reject pods when under memory pressure (if pod is best effort), or if under disk pressure.
glog.Warningf("Failed to admit pod %q - node has conditions: %v", format.Pod(attrs.Pod), m.nodeConditions)
glog.Warningf("Failed to admit pod %v - %s", format.Pod(attrs.Pod), "node has conditions: %v", m.nodeConditions)
return lifecycle.PodAdmitResult{
Admit: false,
Reason: reason,
Message: getMessage(resource),
Message: message,
}
}
@ -248,7 +244,6 @@ func (m *managerImpl) synchronize(diskInfoProvider DiskInfoProvider, podFunc Act
glog.Infof("eviction manager: pods ranked for eviction: %s", format.Pods(activePods))
// we kill at most a single pod during each eviction interval
message := getMessage(resourceToReclaim)
for i := range activePods {
pod := activePods[i]
status := api.PodStatus{

8
pkg/kubelet/eviction/helpers.go
View File

@ -37,8 +37,8 @@ const (
unsupportedEvictionSignal = "unsupported eviction signal %v"
// the reason reported back in status.
reason = "Evicted"
// the message format associated with the reason.
messageFmt = "The node was low on %s."
// the message associated with the reason.
message = "The node was low on compute resources."
// disk, in bytes. internal to this module, used to account for local disk usage.
resourceDisk api.ResourceName = "disk"
// inodes, number. internal to this module, used to account for local disk inode consumption.
@ -894,7 +894,3 @@ func deleteImages(imageGC ImageGC, reportBytesFreed bool) nodeReclaimFunc {
return resource.NewQuantity(reclaimed, resource.BinarySI), nil
}
}
func getMessage(resource api.ResourceName) string {
return fmt.Sprintf(messageFmt, resource)
}

42
pkg/kubelet/network/hostport/fake_iptables.go
View File

@ -35,21 +35,21 @@ type fakeTable struct {
chains map[string]*fakeChain
}
type fakeIptables struct {
type fakeIPTables struct {
tables map[string]*fakeTable
}
func NewFakeIptables() *fakeIptables {
return &fakeIptables{
func NewFakeIPTables() *fakeIPTables {
return &fakeIPTables{
tables: make(map[string]*fakeTable, 0),
}
}
func (f *fakeIptables) GetVersion() (string, error) {
func (f *fakeIPTables) GetVersion() (string, error) {
return "1.4.21", nil
}
func (f *fakeIptables) getTable(tableName utiliptables.Table) (*fakeTable, error) {
func (f *fakeIPTables) getTable(tableName utiliptables.Table) (*fakeTable, error) {
table, ok := f.tables[string(tableName)]
if !ok {
return nil, fmt.Errorf("Table %s does not exist", tableName)
@ -57,7 +57,7 @@ func (f *fakeIptables) getTable(tableName utiliptables.Table) (*fakeTable, error
return table, nil
}
func (f *fakeIptables) getChain(tableName utiliptables.Table, chainName utiliptables.Chain) (*fakeTable, *fakeChain, error) {
func (f *fakeIPTables) getChain(tableName utiliptables.Table, chainName utiliptables.Chain) (*fakeTable, *fakeChain, error) {
table, err := f.getTable(tableName)
if err != nil {
return nil, nil, err
@ -71,7 +71,7 @@ func (f *fakeIptables) getChain(tableName utiliptables.Table, chainName utilipta
return table, chain, nil
}
func (f *fakeIptables) ensureChain(tableName utiliptables.Table, chainName utiliptables.Chain) (bool, *fakeChain) {
func (f *fakeIPTables) ensureChain(tableName utiliptables.Table, chainName utiliptables.Chain) (bool, *fakeChain) {
table, chain, err := f.getChain(tableName, chainName)
if err != nil {
// either table or table+chain don't exist yet
@ -92,12 +92,12 @@ func (f *fakeIptables) ensureChain(tableName utiliptables.Table, chainName utili
return true, chain
}
func (f *fakeIptables) EnsureChain(tableName utiliptables.Table, chainName utiliptables.Chain) (bool, error) {
func (f *fakeIPTables) EnsureChain(tableName utiliptables.Table, chainName utiliptables.Chain) (bool, error) {
existed, _ := f.ensureChain(tableName, chainName)
return existed, nil
}
func (f *fakeIptables) FlushChain(tableName utiliptables.Table, chainName utiliptables.Chain) error {
func (f *fakeIPTables) FlushChain(tableName utiliptables.Table, chainName utiliptables.Chain) error {
_, chain, err := f.getChain(tableName, chainName)
if err != nil {
return err
@ -106,7 +106,7 @@ func (f *fakeIptables) FlushChain(tableName utiliptables.Table, chainName utilip
return nil
}
func (f *fakeIptables) DeleteChain(tableName utiliptables.Table, chainName utiliptables.Chain) error {
func (f *fakeIPTables) DeleteChain(tableName utiliptables.Table, chainName utiliptables.Chain) error {
table, _, err := f.getChain(tableName, chainName)
if err != nil {
return err
@ -125,7 +125,7 @@ func findRule(chain *fakeChain, rule string) int {
return -1
}
func (f *fakeIptables) ensureRule(position utiliptables.RulePosition, tableName utiliptables.Table, chainName utiliptables.Chain, rule string) (bool, error) {
func (f *fakeIPTables) ensureRule(position utiliptables.RulePosition, tableName utiliptables.Table, chainName utiliptables.Chain, rule string) (bool, error) {
_, chain, err := f.getChain(tableName, chainName)
if err != nil {
_, chain = f.ensureChain(tableName, chainName)
@ -192,7 +192,7 @@ func normalizeRule(rule string) (string, error) {
return normalized, nil
}
func (f *fakeIptables) EnsureRule(position utiliptables.RulePosition, tableName utiliptables.Table, chainName utiliptables.Chain, args ...string) (bool, error) {
func (f *fakeIPTables) EnsureRule(position utiliptables.RulePosition, tableName utiliptables.Table, chainName utiliptables.Chain, args ...string) (bool, error) {
ruleArgs := make([]string, 0)
for _, arg := range args {
// quote args with internal spaces (like comments)
@ -204,7 +204,7 @@ func (f *fakeIptables) EnsureRule(position utiliptables.RulePosition, tableName
return f.ensureRule(position, tableName, chainName, strings.Join(ruleArgs, " "))
}
func (f *fakeIptables) DeleteRule(tableName utiliptables.Table, chainName utiliptables.Chain, args ...string) error {
func (f *fakeIPTables) DeleteRule(tableName utiliptables.Table, chainName utiliptables.Chain, args ...string) error {
_, chain, err := f.getChain(tableName, chainName)
if err == nil {
rule := strings.Join(args, " ")
@ -217,7 +217,7 @@ func (f *fakeIptables) DeleteRule(tableName utiliptables.Table, chainName utilip
return nil
}
func (f *fakeIptables) IsIpv6() bool {
func (f *fakeIPTables) IsIpv6() bool {
return false
}
@ -227,7 +227,7 @@ func saveChain(chain *fakeChain, data *bytes.Buffer) {
}
}
func (f *fakeIptables) Save(tableName utiliptables.Table) ([]byte, error) {
func (f *fakeIPTables) Save(tableName utiliptables.Table) ([]byte, error) {
table, err := f.getTable(tableName)
if err != nil {
return nil, err
@ -246,7 +246,7 @@ func (f *fakeIptables) Save(tableName utiliptables.Table) ([]byte, error) {
return data.Bytes(), nil
}
func (f *fakeIptables) SaveAll() ([]byte, error) {
func (f *fakeIPTables) SaveAll() ([]byte, error) {
data := bytes.NewBuffer(nil)
for _, table := range f.tables {
tableData, err := f.Save(table.name)
@ -260,7 +260,7 @@ func (f *fakeIptables) SaveAll() ([]byte, error) {
return data.Bytes(), nil
}
func (f *fakeIptables) restore(restoreTableName utiliptables.Table, data []byte, flush utiliptables.FlushFlag) error {
func (f *fakeIPTables) restore(restoreTableName utiliptables.Table, data []byte, flush utiliptables.FlushFlag) error {
buf := bytes.NewBuffer(data)
var tableName utiliptables.Table
for {
@ -320,16 +320,16 @@ func (f *fakeIptables) restore(restoreTableName utiliptables.Table, data []byte,
return nil
}
func (f *fakeIptables) Restore(tableName utiliptables.Table, data []byte, flush utiliptables.FlushFlag, counters utiliptables.RestoreCountersFlag) error {
func (f *fakeIPTables) Restore(tableName utiliptables.Table, data []byte, flush utiliptables.FlushFlag, counters utiliptables.RestoreCountersFlag) error {
return f.restore(tableName, data, flush)
}
func (f *fakeIptables) RestoreAll(data []byte, flush utiliptables.FlushFlag, counters utiliptables.RestoreCountersFlag) error {
func (f *fakeIPTables) RestoreAll(data []byte, flush utiliptables.FlushFlag, counters utiliptables.RestoreCountersFlag) error {
return f.restore("", data, flush)
}
func (f *fakeIptables) AddReloadFunc(reloadFunc func()) {
func (f *fakeIPTables) AddReloadFunc(reloadFunc func()) {
}
func (f *fakeIptables) Destroy() {
func (f *fakeIPTables) Destroy() {
}

4
pkg/kubelet/network/hostport/hostport.go
View File

@ -162,7 +162,7 @@ func writeLine(buf *bytes.Buffer, words ...string) {
//hostportChainName takes containerPort for a pod and returns associated iptables chain.
// This is computed by hashing (sha256)
// then encoding to base32 and truncating with the prefix "KUBE-SVC-". We do
// this because Iptables Chain Names must be <= 28 chars long, and the longer
// this because IPTables Chain Names must be <= 28 chars long, and the longer
// they are the harder they are to read.
func hostportChainName(cp api.ContainerPort, podFullName string) utiliptables.Chain {
hash := sha256.Sum256([]byte(string(cp.HostPort) + string(cp.Protocol) + podFullName))
@ -293,7 +293,7 @@ func (h *handler) SyncHostports(natInterfaceName string, runningPods []*RunningP
writeLine(natRules, args...)
// Create hostport chain to DNAT traffic to final destination
// Iptables will maintained the stats for this chain
// IPTables will maintained the stats for this chain
args = []string{
"-A", string(hostportChain),
"-m", "comment", "--comment", fmt.Sprintf(`"%s hostport %d"`, target.podFullName, containerPort.HostPort),

8
pkg/kubelet/network/hostport/hostport_test.go
View File

@ -52,11 +52,11 @@ type ruleMatch struct {
}
func TestOpenPodHostports(t *testing.T) {
fakeIptables := NewFakeIptables()
fakeIPTables := NewFakeIPTables()
h := &handler{
hostPortMap: make(map[hostport]closeable),
iptables: fakeIptables,
iptables: fakeIPTables,
portOpener: openFakeSocket,
}
@ -198,7 +198,7 @@ func TestOpenPodHostports(t *testing.T) {
}
for _, rule := range genericRules {
_, chain, err := fakeIptables.getChain(utiliptables.TableNAT, utiliptables.Chain(rule.chain))
_, chain, err := fakeIPTables.getChain(utiliptables.TableNAT, utiliptables.Chain(rule.chain))
if err != nil {
t.Fatalf("Expected NAT chain %s did not exist", rule.chain)
}
@ -211,7 +211,7 @@ func TestOpenPodHostports(t *testing.T) {
for _, test := range tests {
for _, match := range test.matches {
// Ensure chain exists
_, chain, err := fakeIptables.getChain(utiliptables.TableNAT, utiliptables.Chain(match.chain))
_, chain, err := fakeIPTables.getChain(utiliptables.TableNAT, utiliptables.Chain(match.chain))
if err != nil {
t.Fatalf("Expected NAT chain %s did not exist", match.chain)
}

6
pkg/kubelet/network/kubenet/kubenet_linux.go
View File

@ -54,7 +54,7 @@ const (
BridgeName = "cbr0"
DefaultCNIDir = "/opt/cni/bin"
sysctlBridgeCallIptables = "net/bridge/bridge-nf-call-iptables"
sysctlBridgeCallIPTables = "net/bridge/bridge-nf-call-iptables"
// fallbackMTU is used if an MTU is not specified, and we cannot determine the MTU
fallbackMTU = 1460
@ -142,9 +142,9 @@ func (plugin *kubenetNetworkPlugin) Init(host network.Host, hairpinMode componen
// was built-in, we simply ignore the error here. A better thing to do is
// to check the kernel version in the future.
plugin.execer.Command("modprobe", "br-netfilter").CombinedOutput()
err := plugin.sysctl.SetSysctl(sysctlBridgeCallIptables, 1)
err := plugin.sysctl.SetSysctl(sysctlBridgeCallIPTables, 1)
if err != nil {
glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIptables, err)
glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIPTables, err)
}
plugin.loConfig, err = libcni.ConfFromBytes([]byte(`{

6
pkg/kubelet/network/plugins.go
View File

@ -154,7 +154,7 @@ func UnescapePluginName(in string) string {
type NoopNetworkPlugin struct {
}
const sysctlBridgeCallIptables = "net/bridge/bridge-nf-call-iptables"
const sysctlBridgeCallIPTables = "net/bridge/bridge-nf-call-iptables"
func (plugin *NoopNetworkPlugin) Init(host Host, hairpinMode componentconfig.HairpinMode, nonMasqueradeCIDR string, mtu int) error {
// Set bridge-nf-call-iptables=1 to maintain compatibility with older
@ -166,8 +166,8 @@ func (plugin *NoopNetworkPlugin) Init(host Host, hairpinMode componentconfig.Hai
// Ensure the netfilter module is loaded on kernel >= 3.18; previously
// it was built-in.
utilexec.New().Command("modprobe", "br-netfilter").CombinedOutput()
if err := utilsysctl.New().SetSysctl(sysctlBridgeCallIptables, 1); err != nil {
glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIptables, err)
if err := utilsysctl.New().SetSysctl(sysctlBridgeCallIPTables, 1); err != nil {
glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIPTables, err)
}
return nil

16
pkg/proxy/iptables/proxier.go
View File

@ -74,8 +74,8 @@ const (
KubeMarkDropChain utiliptables.Chain = "KUBE-MARK-DROP"
)
// IptablesVersioner can query the current iptables version.
type IptablesVersioner interface {
// IPTablesVersioner can query the current iptables version.
type IPTablesVersioner interface {
// returns "X.Y.Z"
GetVersion() (string, error)
}
@ -86,12 +86,12 @@ type KernelCompatTester interface {
IsCompatible() error
}
// CanUseIptablesProxier returns true if we should use the iptables Proxier
// CanUseIPTablesProxier returns true if we should use the iptables Proxier
// instead of the "classic" userspace Proxier. This is determined by checking
// the iptables version and for the existence of kernel features. It may return
// an error if it fails to get the iptables version without error, in which
// case it will also return false.
func CanUseIptablesProxier(iptver IptablesVersioner, kcompat KernelCompatTester) (bool, error) {
func CanUseIPTablesProxier(iptver IPTablesVersioner, kcompat KernelCompatTester) (bool, error) {
minVersion, err := semver.NewVersion(iptablesMinVersion)
if err != nil {
return false, err
@ -127,7 +127,7 @@ func (lkct LinuxKernelCompatTester) IsCompatible() error {
}
const sysctlRouteLocalnet = "net/ipv4/conf/all/route_localnet"
const sysctlBridgeCallIptables = "net/bridge/bridge-nf-call-iptables"
const sysctlBridgeCallIPTables = "net/bridge/bridge-nf-call-iptables"
// internal struct for string service information
type serviceInfo struct {
@ -211,7 +211,7 @@ func NewProxier(ipt utiliptables.Interface, sysctl utilsysctl.Interface, exec ut
// Proxy needs br_netfilter and bridge-nf-call-iptables=1 when containers
// are connected to a Linux bridge (but not SDN bridges). Until most
// plugins handle this, log when config is missing
if val, err := sysctl.GetSysctl(sysctlBridgeCallIptables); err == nil && val != 1 {
if val, err := sysctl.GetSysctl(sysctlBridgeCallIPTables); err == nil && val != 1 {
glog.Infof("missing br-netfilter module or unset sysctl br-nf-call-iptables; proxy may not work as intended")
}
@ -639,7 +639,7 @@ func flattenValidEndpoints(endpoints []hostPortInfo) []string {
// portProtoHash takes the ServicePortName and protocol for a service
// returns the associated 16 character hash. This is computed by hashing (sha256)
// then encoding to base32 and truncating to 16 chars. We do this because Iptables
// then encoding to base32 and truncating to 16 chars. We do this because IPTables
// Chain Names must be <= 28 chars long, and the longer they are the harder they are to read.
func portProtoHash(s proxy.ServicePortName, protocol string) string {
hash := sha256.Sum256([]byte(s.String() + protocol))
@ -664,7 +664,7 @@ func serviceFirewallChainName(s proxy.ServicePortName, protocol string) utilipta
// serviceLBPortChainName takes the ServicePortName for a service and
// returns the associated iptables chain. This is computed by hashing (sha256)
// then encoding to base32 and truncating with the prefix "KUBE-XLB-". We do
// this because Iptables Chain Names must be <= 28 chars long, and the longer
// this because IPTables Chain Names must be <= 28 chars long, and the longer
// they are the harder they are to read.
func serviceLBChainName(s proxy.ServicePortName, protocol string) utiliptables.Chain {
return utiliptables.Chain("KUBE-XLB-" + portProtoHash(s, protocol))

34
pkg/util/iptables/iptables.go
View File

@ -97,9 +97,9 @@ const (
)
const (
cmdIptablesSave string = "iptables-save"
cmdIptablesRestore string = "iptables-restore"
cmdIptables string = "iptables"
cmdIPTablesSave string = "iptables-save"
cmdIPTablesRestore string = "iptables-restore"
cmdIPTables string = "iptables"
cmdIp6tables string = "ip6tables"
)
@ -138,7 +138,7 @@ type runner struct {
// New returns a new Interface which will exec iptables.
func New(exec utilexec.Interface, dbus utildbus.Interface, protocol Protocol) Interface {
vstring, err := getIptablesVersionString(exec)
vstring, err := getIPTablesVersionString(exec)
if err != nil {
glog.Warningf("Error checking iptables version, assuming version at least %s: %v", MinCheckVersion, err)
vstring = MinCheckVersion
@ -147,8 +147,8 @@ func New(exec utilexec.Interface, dbus utildbus.Interface, protocol Protocol) In
exec: exec,
dbus: dbus,
protocol: protocol,
hasCheck: getIptablesHasCheckCommand(vstring),
waitFlag: getIptablesWaitFlag(vstring),
hasCheck: getIPTablesHasCheckCommand(vstring),
waitFlag: getIPTablesWaitFlag(vstring),
}
runner.connectToFirewallD()
return runner
@ -191,7 +191,7 @@ func (runner *runner) connectToFirewallD() {
// GetVersion returns the version string.
func (runner *runner) GetVersion() (string, error) {
return getIptablesVersionString(runner.exec)
return getIPTablesVersionString(runner.exec)
}
// EnsureChain is part of Interface.
@ -296,7 +296,7 @@ func (runner *runner) Save(table Table) ([]byte, error) {
// run and return
args := []string{"-t", string(table)}
glog.V(4).Infof("running iptables-save %v", args)
return runner.exec.Command(cmdIptablesSave, args...).CombinedOutput()
return runner.exec.Command(cmdIPTablesSave, args...).CombinedOutput()
}
// SaveAll is part of Interface.
@ -306,7 +306,7 @@ func (runner *runner) SaveAll() ([]byte, error) {
// run and return
glog.V(4).Infof("running iptables-save")
return runner.exec.Command(cmdIptablesSave, []string{}...).CombinedOutput()
return runner.exec.Command(cmdIPTablesSave, []string{}...).CombinedOutput()
}
// Restore is part of Interface.
@ -337,7 +337,7 @@ func (runner *runner) restoreInternal(args []string, data []byte, flush FlushFla
// run the command and return the output or an error including the output and error
glog.V(4).Infof("running iptables-restore %v", args)
cmd := runner.exec.Command(cmdIptablesRestore, args...)
cmd := runner.exec.Command(cmdIPTablesRestore, args...)
cmd.SetStdin(bytes.NewBuffer(data))
b, err := cmd.CombinedOutput()
if err != nil {
@ -350,7 +350,7 @@ func (runner *runner) iptablesCommand() string {
if runner.IsIpv6() {
return cmdIp6tables
} else {
return cmdIptables
return cmdIPTables
}
}
@ -379,7 +379,7 @@ func (runner *runner) checkRule(table Table, chain Chain, args ...string) (bool,
// of hack and half-measures. We should nix this ASAP.
func (runner *runner) checkRuleWithoutCheck(table Table, chain Chain, args ...string) (bool, error) {
glog.V(1).Infof("running iptables-save -t %s", string(table))
out, err := runner.exec.Command(cmdIptablesSave, "-t", string(table)).CombinedOutput()
out, err := runner.exec.Command(cmdIPTablesSave, "-t", string(table)).CombinedOutput()
if err != nil {
return false, fmt.Errorf("error checking rule: %v", err)
}
@ -453,7 +453,7 @@ func makeFullArgs(table Table, chain Chain, args ...string) []string {
}
// Checks if iptables has the "-C" flag
func getIptablesHasCheckCommand(vstring string) bool {
func getIPTablesHasCheckCommand(vstring string) bool {
minVersion, err := semver.NewVersion(MinCheckVersion)
if err != nil {
glog.Errorf("MinCheckVersion (%s) is not a valid version string: %v", MinCheckVersion, err)
@ -471,7 +471,7 @@ func getIptablesHasCheckCommand(vstring string) bool {
}
// Checks if iptables version has a "wait" flag
func getIptablesWaitFlag(vstring string) []string {
func getIPTablesWaitFlag(vstring string) []string {
version, err := semver.NewVersion(vstring)
if err != nil {
glog.Errorf("vstring (%s) is not a valid version string: %v", vstring, err)
@ -499,11 +499,11 @@ func getIptablesWaitFlag(vstring string) []string {
}
}
// getIptablesVersionString runs "iptables --version" to get the version string
// getIPTablesVersionString runs "iptables --version" to get the version string
// in the form "X.X.X"
func getIptablesVersionString(exec utilexec.Interface) (string, error) {
func getIPTablesVersionString(exec utilexec.Interface) (string, error) {
// this doesn't access mutable state so we don't need to use the interface / runner
bytes, err := exec.Command(cmdIptables, "--version").CombinedOutput()
bytes, err := exec.Command(cmdIPTables, "--version").CombinedOutput()
if err != nil {
return "", err
}

16
pkg/util/iptables/iptables_test.go
View File

@ -26,9 +26,9 @@ import (
"k8s.io/kubernetes/pkg/util/sets"
)
func getIptablesCommand(protocol Protocol) string {
func getIPTablesCommand(protocol Protocol) string {
if protocol == ProtocolIpv4 {
return cmdIptables
return cmdIPTables
}
if protocol == ProtocolIpv6 {
return cmdIp6tables
@ -70,7 +70,7 @@ func testEnsureChain(t *testing.T, protocol Protocol) {
if fcmd.CombinedOutputCalls != 2 {
t.Errorf("expected 2 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
}
cmd := getIptablesCommand(protocol)
cmd := getIPTablesCommand(protocol)
if !sets.NewString(fcmd.CombinedOutputLog[1]...).HasAll(cmd, "-t", "nat", "-N", "FOOBAR") {
t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[1])
}
@ -427,7 +427,7 @@ func TestDeleteRuleErrorCreating(t *testing.T) {
}
}
func TestGetIptablesHasCheckCommand(t *testing.T) {
func TestGetIPTablesHasCheckCommand(t *testing.T) {
testCases := []struct {
Version string
Err bool
@ -451,12 +451,12 @@ func TestGetIptablesHasCheckCommand(t *testing.T) {
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
},
}
version, err := getIptablesVersionString(&fexec)
version, err := getIPTablesVersionString(&fexec)
if (err != nil) != testCase.Err {
t.Errorf("Expected error: %v, Got error: %v", testCase.Err, err)
}
if err == nil {
check := getIptablesHasCheckCommand(version)
check := getIPTablesHasCheckCommand(version)
if testCase.Expected != check {
t.Errorf("Expected result: %v, Got result: %v", testCase.Expected, check)
}
@ -540,7 +540,7 @@ COMMIT
}
}
func TestIptablesWaitFlag(t *testing.T) {
func TestIPTablesWaitFlag(t *testing.T) {
testCases := []struct {
Version string
Result string
@ -556,7 +556,7 @@ func TestIptablesWaitFlag(t *testing.T) {
}
for _, testCase := range testCases {
result := getIptablesWaitFlag(testCase.Version)
result := getIPTablesWaitFlag(testCase.Version)
if strings.Join(result, "") != testCase.Result {
t.Errorf("For %s expected %v got %v", testCase.Version, testCase.Result, result)
}

10
test/e2e_node/environment/conformance.go
View File

@ -195,7 +195,7 @@ const iptablesForwardRegexStr = `Chain FORWARD \(policy DROP\)`
func firewall() error {
out, err := exec.Command("iptables", "-L", "INPUT").CombinedOutput()
if err != nil {
return printSuccess("Firewall Iptables Check %s: Could not run iptables", skipped)
return printSuccess("Firewall IPTables Check %s: Could not run iptables", skipped)
}
inputRegex, err := regexp.Compile(iptablesInputRegexStr)
if err != nil {
@ -203,13 +203,13 @@ func firewall() error {
panic(err)
}
if inputRegex.Match(out) {
return printError("Firewall Iptables Check %s: Found INPUT rule matching %s", failed, iptablesInputRegexStr)
return printError("Firewall IPTables Check %s: Found INPUT rule matching %s", failed, iptablesInputRegexStr)
}
// Check GCE forward rules
out, err = exec.Command("iptables", "-L", "FORWARD").CombinedOutput()
if err != nil {
return printSuccess("Firewall Iptables Check %s: Could not run iptables", skipped)
return printSuccess("Firewall IPTables Check %s: Could not run iptables", skipped)
}
forwardRegex, err := regexp.Compile(iptablesForwardRegexStr)
if err != nil {
@ -217,10 +217,10 @@ func firewall() error {
panic(err)
}
if forwardRegex.Match(out) {
return printError("Firewall Iptables Check %s: Found FORWARD rule matching %s", failed, iptablesInputRegexStr)
return printError("Firewall IPTables Check %s: Found FORWARD rule matching %s", failed, iptablesInputRegexStr)
}
return printSuccess("Firewall Iptables Check %s", success)
return printSuccess("Firewall IPTables Check %s", success)
}
// daemons checks that the required node programs are running: kubelet, kube-proxy, and docker