Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Persist the bridge-nf-call-iptables across rke2 restart #884

Merged
merged 1 commit into from
Dec 16, 2024
Merged

Persist the bridge-nf-call-iptables across rke2 restart #884

merged 1 commit into from
Dec 16, 2024

Conversation

mingshuoqiu
Copy link
Contributor

@mingshuoqiu mingshuoqiu commented Nov 26, 2024
edited
Loading

The bridge-nf-call-iptables should be disabled by network-controller. But rke2 will toggle it back to enable. Need to make sure it stays at disabled.

Problem:
harvester/harvester#7041

Solution:
persist the bridge-nf-call-iptables across rke2 restart

Related Issue:
harvester/harvester#3960

Test plan:

  1. Install Harvester on any Node
  2. Make sure the value is 0 of command sysctl -a | grep net.bridge.bridge-nf-call-iptables
  3. do systemctl restart rke2-server on management node
  4. do systemctl restart rke2-agent on worker node
  5. verify the value of step 2 and make sure it's still zero

@mingshuoqiu @mschiu77
files: persist the bridge-nf-call-iptables across rke2 restart
853e4e3 
The bridge-nf-call-iptables should be disabled by network-controller.
But rke2 will toggle it back to enable. Need to make sure it stays
at disabled.

Signed-off-by: Chris Chiu <[email protected]>
@mingshuoqiu mingshuoqiu mentioned this pull request Nov 27, 2024
Closed
w13915984028
w13915984028 reviewed Nov 27, 2024
View reviewed changes
Copy link
Member

@w13915984028 w13915984028 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about another 2 options? thanks.

sysctl -a | grep bridge
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 0

https://wiki.libvirt.org/Net.bridge.bridge-nf-call_and_sysctl.conf.html

starbops
starbops approved these changes Nov 27, 2024
View reviewed changes
Copy link
Member

@starbops starbops left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this is the only way to cope with the issue right now. The kernel tunable is hardcoded to 1 in k3s: https://github.com/k3s-io/k3s/blob/55cda2200e0f3e670970b044871f9ea09134cff6/pkg/agent/syssetup/setup.go#L48

LGTM, thank you.

@mingshuoqiu
Copy link
Contributor Author

How about another 2 options? thanks.

sysctl -a | grep bridge
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 0

https://wiki.libvirt.org/Net.bridge.bridge-nf-call_and_sysctl.conf.html

The ip6tables doesn't take effect since we support IPv4 only now.
the arptables is for ARP packet which won't affect the HTTP(s) traffic in this case.
I'll leave them as-is.

@mingshuoqiu
Copy link
Contributor Author

How about another 2 options? thanks.

sysctl -a | grep bridge
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 0

https://wiki.libvirt.org/Net.bridge.bridge-nf-call_and_sysctl.conf.html

The ip6tables doesn't take effect since we support IPv4 only now. the arptables is for ARP packet which won't affect the HTTP(s) traffic in this case. I'll leave them as-is.

@w13915984028 gentle ping. What do you think about it? Thanks

w13915984028
w13915984028 approved these changes Dec 16, 2024
View reviewed changes
Copy link
Member

@w13915984028 w13915984028 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks.

@bk201 bk201 merged commit 8ff5515 into harvester:master Dec 16, 2024
7 checks passed
@w13915984028 w13915984028 mentioned this pull request Dec 18, 2024
Open
@WebberHuang1118 WebberHuang1118 mentioned this pull request Dec 18, 2024
Closed
This was referenced Dec 19, 2024
Open
Open
Closed
@bk201
Copy link
Member

bk201 commented Dec 26, 2024

@mingshuoqiu The PR needs to be backported to the v1.4/v1.3 branch before moving the issue to ready for testing.

This was referenced Dec 26, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@w13915984028 w13915984028 w13915984028 approved these changes

@starbops starbops starbops approved these changes

@bk201 bk201 bk201 approved these changes

Assignees
No one assigned
Labels
backport-to/v1.3 backport-to/v1.4
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mingshuoqiu @bk201 @starbops @w13915984028