Merging iptables scripts #3562
Merging iptables scripts #3562
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Assign the PR to them by writing The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
pilot/docker/prepare_proxy.sh
Outdated
| echo ' -i: Comma separated list of IP ranges in CIDR form to redirect to envoy (optional)' | ||
| echo '' | ||
| } | ||
|
|
||
| IP_RANGES_INCLUDE="" | ||
| REDIRECT_INBOUND_TRAFFIC="yes" # Route all inbound traffic to Envoy by default |
There was a problem hiding this comment.
nit: TRAP_INBOUND_TRAFFIC and change the rest to reflect this statement.. In general, we want TRAP_INBOUND, TRAP_OUTBOUND, etc.. If at all possible, use a different flag than -g.
And this does not have much to do with gateway btw, as gateways will not have any IPTables stuff.
pilot/docker/prepare_proxy.sh
Outdated
| @@ -28,6 +30,9 @@ while getopts ":p:u:e:i:h" opt; do | |||
| i) | |||
| IP_RANGES_INCLUDE=${OPTARG} | |||
| ;; | |||
| g) | |||
| REDIRECT_INBOUND_TRAFFIC="no" # For gateways, do not redirect inbound traffic | |||
There was a problem hiding this comment.
Please remove gateway, as it implies that we need IPtables for gateways.. What you need here is a customization for the use case you point to (trap outbound but not inbound). That could apply to any normal pod as well.
pilot/docker/prepare_proxy.sh
Outdated
| iptables -t nat -N ISTIO_REDIRECT -m comment --comment "istio/redirect-common-chain" | ||
| iptables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-port ${ENVOY_PORT} -m comment --comment "istio/redirect-to-envoy-port" | ||
|
|
||
| # Redirect all inbound traffic to Envoy. | ||
| iptables -t nat -A PREROUTING -j ISTIO_REDIRECT -m comment --comment "istio/install-istio-prerouting" | ||
| # Redirect all inbound traffic to Envoy (if not configuring a gateway). |
|
A simpler and less riskier option would be to have the nginx ingress controller generate 127.0.0.1 as the upstream address for each entry.. You could then run both nginx and envoy as two processes without any IPtables interception business (this becomes especially useful when you install firewalls and other such stuff that may in turn have more IPtables stuff). But this is something left to the end user's appetite. |
5f0a5da to
4902439
Compare
91a899b to
06a973b
Compare
|
FYI, I've backed off on the original change to instead focus on making the two scripts within istio identical. Renamed this PR accordingly. |
There was a problem hiding this comment.
If you are going to be touching the core script, we need to test this thoroughly with all e2e tests.
I suggest you tweak the circleci file to add all the jobs to the “all” workflow (bookinfo and mixer). Make sure they all pass. Once they do, undo the change to circleci config, and then merge.
|
In particular, the state on the proxy_init in the circleci test: |
|
/test e2e-suite-rbac-auth |
|
now (beginning of 0.7 cycle) is the perfect time to get this left over from 0.2 cleanup as well as get the feature we do need. but yes it does mean all tests should be good one thing to do is check / compare the output of iptables-save on a pod with this script and on a pod with the last release |
4e900bd to
7e1a809
Compare
23b773a to
344e853
Compare
tools/deb/istio-iptables.sh
Outdated
| @@ -30,19 +28,26 @@ | |||
| # After more testing, the goal is to replace and unify the script in K8S - by generating | |||
| # the sidecar image using the .deb file created by proxy. | |||
|
|
|||
| set -o errexit | |||
There was a problem hiding this comment.
in short, this makes it fail because it's doing -D commands that are expected to fail; those commands should have || true
|
ping |
|
@nmittler can we get this done for 0.8 ? |
7b5964c to
dcef0dc
Compare
dcef0dc to
539aad7
Compare
| fi | ||
|
|
||
| # Remove the old chains, to generate new configs. | ||
| iptables -t nat -D PREROUTING -p tcp -j ISTIO_INBOUND 2>/dev/null |
There was a problem hiding this comment.
This will result in an unexpected message the first time it is run. ( and next lines - the second time it is run ).
I think ignoring the err is useful and avoids confusion
There was a problem hiding this comment.
@costinm that's fine .... doing this seems to negate the set -x at the top of the file, resulting in the echo for each statement also being redirected to /dev/null. Do you happen to know some bash magic that might make it work?
|
/test istio-presubmit |
|
@xiaolanz The race test is also failing for this PR. See the output here: https://circleci.com/gh/istio/istio/62253?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-build-link |
|
/test e2e-suite-rbac-auth |
|
/test istio-pilot-e2e-v1alpha3 |
|
@costinm looks like CI is happy .... can you lgtm? |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ldemailly The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. |
Automatic merge from submit-queue. Merging iptables scripts
Fixes #3514