
Fix bootpd check on macOS >= 15 #20400

Merged: 1 commit (branch bootpd-check-macos-15 into kubernetes:master), Feb 11, 2025
Conversation

@nirs (Contributor) commented Feb 10, 2025

On macOS >= 15 bootpd is likely allowed to receive incoming connections as built-in software, and it will not be listed in the allowed applications. In this case we decide that bootpd is blocked and force the user to try to add and unblock it, which will never succeed.

Fixed using the new --getallowedsigned option. If the option is enabled, we know that bootpd is not blocked. If the option is not enabled, or it fails, we fall back to checking the list.

Tested on macOS 15.3.

fixes #20399

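The order of checks the PR describes (trust --getallowedsigned when it runs and reports built-in software as allowed; when the flag is unknown, fails, or reports disabled, fall back to the firewall's application list) as an added Go example. This is illustrative code written for this page, not minikube's own implementation. It assumes the output formats of --getallowedsigned and --listapps shown in the constructed samples (--listapps is a real socketfilterfw flag, but it is not mentioned on this page), and it chooses to treat an unreadable application list as "blocked"; neither of those details comes from the PR.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// Paths as they appear in the PR's terminal output.
const (
	socketFilterFW = "/usr/libexec/ApplicationFirewall/socketfilterfw"
	bootpdPath     = "/usr/libexec/bootpd"
)

// Runner abstracts "run socketfilterfw with these flags" so the logic can run offline.
type Runner func(args ...string) (string, error)

// ExecRunner invokes the real tool (meaningful on macOS only).
func ExecRunner(args ...string) (string, error) {
	out, err := exec.Command(socketFilterFW, args...).CombinedOutput()
	return string(out), err
}

// BuiltinAllowed parses --getallowedsigned output. Assumed format: a line
// naming "built-in software" that ends with "enabled" or "disabled".
func BuiltinAllowed(out string) bool {
	for _, line := range strings.Split(out, "\n") {
		if l := strings.ToLower(line); strings.Contains(l, "built-in software") {
			return strings.Contains(l, "enabled")
		}
	}
	return false
}

// ListedState reports whether bootpd is in --listapps output and whether its entry
// allows incoming connections. Assumed layout: "N :  <path>", then "( Allow|Block incoming connections )".
func ListedState(out string) (listed, allowed bool) {
	lines := strings.Split(out, "\n")
	for i, line := range lines {
		if strings.HasSuffix(strings.TrimSpace(line), bootpdPath) {
			return true, i+1 < len(lines) && strings.Contains(lines[i+1], "Allow incoming connections")
		}
	}
	return false, false
}

// IsBootpdBlocked applies the PR's order of checks: a working --getallowedsigned that
// reports built-in software as allowed settles it; otherwise (unknown flag on older
// macOS, any error, or "disabled") fall back to --listapps. Not listed, listed as
// blocked, or an unreadable list all count as blocked (the last is a choice made here).
func IsBootpdBlocked(run Runner) (blocked bool, reason string) {
	if out, err := run("--getallowedsigned"); err == nil && BuiltinAllowed(out) {
		return false, "built-in software is automatically allowed"
	}
	out, err := run("--listapps")
	if err != nil {
		return true, "cannot read firewall application list: " + err.Error()
	}
	switch listed, allowed := ListedState(out); {
	case !listed:
		return true, "bootpd is not in the firewall application list"
	case !allowed:
		return true, "bootpd is listed but set to block incoming connections"
	default:
		return false, "bootpd is listed and allowed"
	}
}

// FakeRunner returns canned output (or a canned error) per flag.
func FakeRunner(replies map[string]string, errs map[string]error) Runner {
	return func(args ...string) (string, error) {
		key := strings.Join(args, " ")
		if err, ok := errs[key]; ok {
			return "", err
		}
		return replies[key], nil
	}
}

// Constructed samples (not captured from a real machine); ErrNoSuchOption stands in
// for a macOS < 15 socketfilterfw that does not know the flag.
const (
	sampleAllowedSigned = "Automatically allow built-in software to receive incoming connections is enabled.\n" +
		"Automatically allow downloaded signed software to receive incoming connections is enabled.\n"
	sampleListBlocked = "ALF: total number of apps = 1\n\n1 :  /usr/libexec/bootpd\n \t ( Block incoming connections )\n"
	sampleListAllowed = "ALF: total number of apps = 1\n\n1 :  /usr/libexec/bootpd\n \t ( Allow incoming connections )\n"
)

var ErrNoSuchOption = errors.New("unknown option --getallowedsigned")

func main() {
	noFlag := map[string]error{"--getallowedsigned": ErrNoSuchOption}
	for name, run := range map[string]Runner{
		"macOS 15: flag works, built-in allowed": FakeRunner(map[string]string{"--getallowedsigned": sampleAllowedSigned}, nil),
		"older macOS: bootpd listed as blocked":  FakeRunner(map[string]string{"--listapps": sampleListBlocked}, noFlag),
		"older macOS: bootpd listed as allowed":  FakeRunner(map[string]string{"--listapps": sampleListAllowed}, noFlag),
	} {
		blocked, why := IsBootpdBlocked(run)
		fmt.Printf("%-40s blocked=%v (%s)\n", name, blocked, why)
	}
}
```

On a Mac, swapping `ExecRunner` for the fakes in `main` runs the same decision against the real firewall state. The point the PR makes is visible in the first scenario: when the flag reports built-in software as allowed, the application list is never consulted, so the absence of bootpd from that list no longer produces the "blocked" verdict and the unblock prompt that could never succeed.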
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Feb 10, 2025
@k8s-ci-robot (Contributor):

Hi @nirs. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Feb 10, 2025
@minikube-bot (Collaborator):

Can one of the admins verify this patch?

@medyagh (Member) left a comment:

thank you for fixing this, if you have access to macOS 15+ do you mind pasting output of the minikube before and after this PR?

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 11, 2025
@medyagh (Member) commented Feb 11, 2025

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 11, 2025
@minikube-pr-bot:

kvm2 driver with docker runtime

+----------------+----------+---------------------+
|    COMMAND     | MINIKUBE | MINIKUBE (PR 20400) |
+----------------+----------+---------------------+
| minikube start | 50.0s    | 50.8s               |
| enable ingress | 15.2s    | 15.0s               |
+----------------+----------+---------------------+

Times for minikube start: 49.7s 50.7s 49.9s 50.1s 49.5s
Times for minikube (PR 20400) start: 49.2s 49.3s 54.0s 50.4s 51.3s

Times for minikube ingress: 15.6s 15.0s 14.6s 15.0s 16.0s
Times for minikube (PR 20400) ingress: 14.4s 15.9s 15.0s 14.5s 15.0s

docker driver with docker runtime

+----------------+----------+---------------------+
|    COMMAND     | MINIKUBE | MINIKUBE (PR 20400) |
+----------------+----------+---------------------+
| minikube start | 22.4s    | 21.9s               |
| enable ingress | 12.9s    | 12.9s               |
+----------------+----------+---------------------+

Times for minikube ingress: 13.8s 12.3s 12.3s 12.8s 13.3s
Times for minikube (PR 20400) ingress: 12.8s 12.8s 12.8s 13.3s 12.8s

Times for minikube start: 24.0s 21.4s 21.6s 21.0s 24.2s
Times for minikube (PR 20400) start: 20.7s 21.8s 24.1s 21.1s 21.7s

docker driver with containerd runtime

+----------------+----------+---------------------+
|    COMMAND     | MINIKUBE | MINIKUBE (PR 20400) |
+----------------+----------+---------------------+
| minikube start | 22.4s    | 21.6s               |
| enable ingress | 38.8s    | 38.9s               |
+----------------+----------+---------------------+

Times for minikube start: 23.3s 22.9s 20.5s 22.2s 23.2s
Times for minikube (PR 20400) start: 22.8s 23.5s 21.2s 20.8s 19.7s

Times for minikube ingress: 38.8s 38.8s 38.8s 38.8s 38.8s
Times for minikube (PR 20400) ingress: 38.8s 38.8s 38.8s 38.8s 39.3s

@minikube-pr-bot:

Here are the top 10 failed tests in each environment with the lowest flake rate.

+---------------------------+----------------------------------------------------------+------------+
| ENVIRONMENT               | TEST NAME                                                | FLAKE RATE |
+---------------------------+----------------------------------------------------------+------------+
| Docker_Windows (2 failed) | TestErrorSpam/setup(gopogh)                              | Unknown    |
| Docker_Windows (2 failed) | TestStartStop/group/old-k8s-version/serial/Pause(gopogh) | Unknown    |
+---------------------------+----------------------------------------------------------+------------+

Besides the following environments also have failed tests:

To see the flake rates of all tests by environment, click here.

@nirs (Contributor, Author) commented Feb 11, 2025

do you mind pasting output of the minikube before and after this PR?

Sure, I did not include it before because the output before is included in the issue, and the output after is just the normal output, but it is a good idea since you may not be able to test this.

Before

%  minikube start --driver qemu --network socket_vmnet
😄  minikube v1.35.0 on Darwin 15.3 (arm64)
✨  Using the qemu2 driver based on user configuration
🔑  Your firewall is blocking bootpd which is required for this configuration. The following commands will be executed to unblock bootpd:

    $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /usr/libexec/bootpd
    $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblock /usr/libexec/bootpd


Password:

After

% out/minikube start --driver qemu --network socket_vmnet
😄  minikube v1.35.0 on Darwin 15.3 (arm64)
✨  Using the qemu2 driver based on user configuration
💿  Downloading VM boot image ...
    > minikube-v1.35.0-arm64.iso....:  65 B / 65 B [---------] 100.00% ? p/s 0s
    > minikube-v1.35.0-arm64.iso:  393.15 MiB / 393.15 MiB  100.00% 26.76 MiB p
👍  Starting "minikube" primary control-plane node in "minikube" cluster
💾  Downloading Kubernetes v1.32.1 preload ...
    > preloaded-images-k8s-v18-v1...:  314.96 MiB / 314.96 MiB  100.00% 22.64 M
🔥  Creating qemu2 VM (CPUs=2, Memory=6000MB, Disk=20000MB) ...
🐳  Preparing Kubernetes v1.32.1 on Docker 27.4.0 ...
    ▪ Generating certificates and keys ...
    ▪ Booting up control plane ...
    ▪ Configuring RBAC rules ...
🔗  Configuring bridge CNI (Container Networking Interface) ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

Logs:
log.txt

Note that I don't have any machine with macOS 14. We need to find someone with older version to test this.

@medyagh (Member) commented Feb 11, 2025

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 11, 2025
@k8s-ci-robot (Contributor):

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: medyagh, nirs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@medyagh (Member) commented Feb 11, 2025

thank you @nirs

@medyagh medyagh merged commit 8c8c23b into kubernetes:master Feb 11, 2025
14 of 21 checks passed
@nirs nirs deleted the bootpd-check-macos-15 branch February 11, 2025 18:18
Labels: approved, cncf-cla: yes, lgtm, ok-to-test, size/S

Successfully merging this pull request may close these issues:

Wrong check for bootpd firewall configuration on macOS 15.3 (#20399)

5 participants