From 03ade159c397764e77f6069dcda78fd3a8385d03 Mon Sep 17 00:00:00 2001
From: Tim Hockin
Date: Wed, 13 Aug 2014 13:26:03 -0700
Subject: [PATCH] Proper ip-per-pod on GCE.
Back out the second iptables rule, now that we know what the problem was - we need to open a firewal rule on each minion.
---
 cluster/gce/util.sh | 13 +++++++++++
 .../saltbase/salt/_states/container_bridge.py | 22 +++++----------------
 2 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
index 669cf634075..b81bb1325e0 100755
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -171,6 +171,13 @@ function kube-up { grep -v "^#" $(dirname $0)/templates/salt-minion.sh ) > ${KUBE_TEMP}/minion-start-${i}.sh + gcutil addfirewall ${MINION_NAMES[$i]}-all \ --norespect_terminal_width \ --project ${PROJECT} \ --network ${NETWORK} \ --allowed_ip_sources ${MINION_IP_RANGES[$i]} \ --allowed "tcp,udp,icmp,esp,ah,sctp" & + gcutil addinstance ${MINION_NAMES[$i]} \ --norespect_terminal_width \ --project ${PROJECT} \
@@ -277,6 +284,12 @@ function kube-down { --zone ${ZONE} \ ${MASTER_NAME} & + gcutil deletefirewall \ --project ${PROJECT} \ --norespect_terminal_width \ --force \ ${MINION_NAMES[*]/%/-all} & + gcutil deleteinstance \ --project ${PROJECT} \ --norespect_terminal_width \
diff --git a/cluster/saltbase/salt/_states/container_bridge.py b/cluster/saltbase/salt/_states/container_bridge.py
index 8001d2f0897..63158926c25 100644
--- a/cluster/saltbase/salt/_states/container_bridge.py
+++ b/cluster/saltbase/salt/_states/container_bridge.py
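Review bot: The `gcutil addfirewall` call in kube-up carries no `--target_tags`, so it admits every listed protocol on every port from `${MINION_IP_RANGES[$i]}` to every instance in `${NETWORK}`, the master included, rather than only to the minions the commit message says need it. If pod traffic only has to reach other minions, scoping the rule with `--target_tags` (using whatever tag the minions are created with elsewhere in this script) limits what a compromised pod can reach; if pod-to-master reachability is intended, a comment such as `# Pod CIDRs must reach every node, master included, so no target tag` would stop the next reader from tightening it by mistake. The command is also backgrounded with `&` and its exit status is not examined in this hunk, so a rejected rule would surface only as pod networking silently not working on that minion; if a `wait` follows later in kube-up, checking its result would catch this. kube-up starts and ends outside the hunk.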
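Review bot: `gcutil deletefirewall` in kube-down is backgrounded and its status is never examined here, and a GCE firewall rule is a network-level resource that outlives the instances, so a failure leaves a `<minion>-all` rule that keeps admitting the pod range into `${NETWORK}` after the cluster is gone. If gcutil rejects the whole batch when one of the `${MINION_NAMES[*]/%/-all}` names no longer exists (plausible after a partially failed kube-up, though I cannot confirm gcutil's batch behaviour from this file), the rules that do exist would be orphaned too; issuing one delete per minion, mirroring how kube-up creates them, isolates such failures. I cannot see whether a later `wait` collects these jobs; kube-down starts and ends outside the hunk.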
@@ -34,16 +34,11 @@ def ensure(name, cidr, mtu=1460): ''' ret = {'name': name, 'changes': {}, 'result': False, 'comment': ''} - iptables_rule_1 = { + iptables_rule = { 'table': 'nat', 'chain': 'POSTROUTING', 'rule': '-o eth0 -j MASQUERADE \! -d 10.0.0.0/8' } - iptables_rule_2 = { - 'table': 'nat', - 'chain': 'POSTROUTING', - 'rule': '-s %s -j MASQUERADE \! -d %s' % (cidr, cidr) - } def bridge_exists(name): 'Determine if a bridge exists already.'
@@ -95,10 +90,8 @@ def ensure(name, cidr, mtu=1460): ret['details'] = {} # This module function is strange and returns True if the rule exists. # If not, it returns a string with the error from the call to iptables. - ret['iptables_rule_1_exists'] = \ __salt__['iptables.check'](**iptables_rule_1) == True - ret['iptables_rule_2_exists'] = \ __salt__['iptables.check'](**iptables_rule_2) == True + ret['iptables_rule_exists'] = \ __salt__['iptables.check'](**iptables_rule) == True return ret # This is a little hacky. I should probably import a real library for this
@@ -119,8 +112,7 @@ def ensure(name, cidr, mtu=1460): and current_state['details']['mtu'] == mtu and desired_network in current_state['details']['networks'] and current_state['details']['up'] - and current_state['iptables_rule_1_exists'] - and current_state['iptables_rule_2_exists']): + and current_state['iptables_rule_exists']): ret['result'] = True ret['comment'] = 'System already in the correct state' return ret
@@ -155,10 +147,8 @@ def ensure(name, cidr, mtu=1460): __salt__['cmd.run']( 'ip link set dev {0} up'.format(name)) new_state = get_current_state() - if not new_state['iptables_rule_1_exists']: - __salt__['iptables.append'](**iptables_rule_1) - if not new_state['iptables_rule_2_exists']: - __salt__['iptables.append'](**iptables_rule_2) + if not new_state['iptables_rule_exists']: + __salt__['iptables.append'](**iptables_rule) new_state = get_current_state() ret['comment'] = 'The state of "{0}" was changed!'.format(name)
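Review bot: With `iptables_rule_2` removed, the only NAT exemption left on the new side is the hard-coded `! -d 10.0.0.0/8` in the surviving `iptables_rule`, so the `cidr` argument no longer influences masquerading at all: if a minion's pod range is ever allocated outside 10/8, pod-to-pod traffic is masqueraded to the node address and the per-pod addressing this commit is about silently degrades. Unless the cluster range is guaranteed to sit inside 10.0.0.0/8 (I cannot confirm that from this file), a comment on the rule such as `# All pod CIDRs must fall inside 10.0.0.0/8; traffic staying within it is not masqueraded` would document the assumption, and making the exempted range a keyword parameter of ensure() would remove it. Separately, `\!` inside a plain string literal is an invalid escape that newer Pythons warn about; `r'-o eth0 -j MASQUERADE \! -d 10.0.0.0/8'` yields the same bytes without the warning. ensure() starts before this hunk and runs past it.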
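Review bot: `ret['iptables_rule_exists'] = __salt__['iptables.check'](**iptables_rule) == True` discards the error string the comment directly above says iptables.check returns, so a failing iptables invocation (binary missing, no CAP_NET_ADMIN) is indistinguishable from an absent rule and is later answered by an append that will fail the same way, with nothing recorded for the operator. Keeping the raw result makes the state debuggable: `check = __salt__['iptables.check'](**iptables_rule)`, `ret['iptables_rule_exists'] = check is True`, `if check is not True: ret['iptables_check_error'] = check`. Using `is True` also stops any truthy non-bool return from being read as "rule present". The enclosing get_current_state() starts outside the hunk.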
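Review bot: The return value of `__salt__['iptables.append'](**iptables_rule)` is dropped, and the `new_state = get_current_state()` re-read that follows is not consulted before `ret['comment']` announces a change, so a rejected rule is reported as success with no masquerading in place on the minion. Right after the re-read, `if not new_state['iptables_rule_exists']:` followed by `ret['comment'] = 'Failed to add iptables rule'; return ret` would surface the failure while `ret['result']` still holds its initial False — assuming the lines after this hunk do not already check it, which I cannot see; the tail of ensure() is outside the hunk.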