
feat(images/kuma-init): use iptables-wrapper to use correct iptables …
…version (#9701)

As of iptables 1.8, the iptables command line clients come in two different
versions/modes: "legacy", which uses the kernel iptables API just like
iptables 1.6 and earlier did, and "nft", which translates the iptables
command-line API into the kernel nftables API.

Because they connect to two different subsystems in the kernel, you cannot mix
and match between them; in particular, if you are adding a new rule that needs
to run either before or after some existing rules (such as the system firewall
rules), then you need to create your rule with the same iptables mode as
the other rules were created with, since otherwise the ordering may not be what
you expect. (eg, if you prepend a rule using the nft-based client, it will
still run after all rules that were added with the legacy iptables client.)

Signed-off-by: Bart Smykla <bartek@smykla.com>
bartsmykla authored Mar 26, 2024
1 parent 2754b3f commit a33eec8
Showing 5 changed files with 40 additions and 4 deletions.
6 changes: 6 additions & 0 deletions mk/build.mk
Expand Up @@ -123,6 +123,12 @@ build/artifacts-$(1)-$(2)/envoy:
build/artifacts-$(1)-$(2)/test-server:
$(Build_Go_Application) ./test/server

.PHONY: build/artifacts-$(1)-$(2)/iptables-wrapper
build/artifacts-$(1)-$(2)/iptables-wrapper:
mkdir -p $$(@)
[ -f $$(@)/iptables-wrapper ] && [ -f $$(@)/iptables-wrapper-installer.sh ] || \
curl -s --fail --location https://github.com/kumahq/iptables-wrappers/releases/download/v0.1.0/iptables-wrapper-$(1)-$(2).tar.gz | tar -C $$(@) -xz

endef
$(foreach goos,$(SUPPORTED_GOOSES),$(foreach goarch,$(SUPPORTED_GOARCHES),$(eval $(call BUILD_TARGET,$(goos),$(goarch)))))

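Review bot: The tarball fetched on the `curl … | tar` line is extracted straight into the artifact directory with no integrity check, so whatever the release URL serves becomes the `iptables-wrapper` binary and installer script that the `kuma-init` image later runs as root (via the mk/docker.mk prerequisite and the Dockerfile `RUN` in this commit). Pinning a per-platform SHA-256 in the Makefile and verifying it before extraction turns a swapped or corrupted release asset into a build failure rather than a silently different image; the rewrite below downloads to a file, checks it, then extracts, and switches `-s` to `-sS` so a failed download is reported instead of hidden. The checksum variable in the fence is a constructed placeholder name; the real digests must be taken from the v0.1.0 release assets, and hosts without `sha256sum` can use the equivalent `shasum -a 256 -c`. Because this rule is generated for every `SUPPORTED_GOOSES`/`SUPPORTED_GOARCHES` pair, darwin combinations will request a darwin tarball from the same URL, and whether that asset exists is not visible here. The enclosing `define` (called as `BUILD_TARGET` on the `$(foreach …)` line) starts outside the hunk.
```make
# IPTABLES_WRAPPER_SHA256_<goos>_<goarch> (placeholder names): pinned digests of the v0.1.0 release assets.
.PHONY: build/artifacts-$(1)-$(2)/iptables-wrapper
build/artifacts-$(1)-$(2)/iptables-wrapper:
	mkdir -p $$(@)
	[ -f $$(@)/iptables-wrapper ] && [ -f $$(@)/iptables-wrapper-installer.sh ] || { \
		curl -sS --fail --location -o $$(@)/iptables-wrapper.tar.gz \
			https://github.com/kumahq/iptables-wrappers/releases/download/v0.1.0/iptables-wrapper-$(1)-$(2).tar.gz && \
		echo "$$(IPTABLES_WRAPPER_SHA256_$(1)_$(2))  $$(@)/iptables-wrapper.tar.gz" | sha256sum -c - && \
		tar -C $$(@) -xzf $$(@)/iptables-wrapper.tar.gz && \
		rm -f $$(@)/iptables-wrapper.tar.gz; \
	}
```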
2 changes: 1 addition & 1 deletion mk/check.mk
Expand Up @@ -14,7 +14,7 @@ tidy:

.PHONY: shellcheck
shellcheck:
find . -name "*.sh" -not -path "./.git/*" -exec $(SHELLCHECK) -P SCRIPTDIR -x {} +
find . -name "*.sh" -not -path "./.git/*" -and -not -path "./build/*" -exec $(SHELLCHECK) -P SCRIPTDIR -x {} +

.PHONY: golangci-lint
golangci-lint: ## Dev: Runs golangci-lint linter
2 changes: 1 addition & 1 deletion mk/docker.mk
Expand Up @@ -50,7 +50,7 @@ image/kumactl/$(1): image/base/$(1) build/artifacts-linux-$(1)/kumactl ## Dev: R
docker build -t $$(call build_image,kumactl,$(1)) --build-arg ARCH=$(1) --platform=linux/$(1) -f $(TOOLS_DIR)/releases/dockerfiles/kumactl.Dockerfile .

.PHONY: image/kuma-init/$(1)
image/kuma-init/$(1): build/artifacts-linux-$(1)/kumactl ## Dev: Rebuild `kuma-init` Docker image
image/kuma-init/$(1): build/artifacts-linux-$(1)/kumactl build/artifacts-linux-$(1)/iptables-wrapper ## Dev: Rebuild `kuma-init` Docker image
docker build -t $$(call build_image,kuma-init,$(1)) --build-arg ARCH=$(1) --platform=linux/$(1) -f $(TOOLS_DIR)/releases/dockerfiles/kuma-init.Dockerfile .

.PHONY: image/kuma-cni/$(1)
26 changes: 24 additions & 2 deletions tools/releases/dockerfiles/kuma-init.Dockerfile
Expand Up @@ -15,8 +15,30 @@ COPY /tools/releases/templates/LICENSE \

COPY /tools/releases/templates/NOTICE /kuma/NOTICE

RUN update-alternatives --set iptables /usr/sbin/iptables-legacy && \
adduser --system --disabled-password --group kumactl --uid 5678
RUN adduser --system --disabled-password --group kumactl --uid 5678

# As of iptables 1.8, the iptables command line clients come in two different versions/modes:
# "legacy", which uses the kernel iptables API just like iptables 1.6 and earlier did, and
# "nft", which translates the iptables command-line API into the kernel nftables API.
#
# Because they connect to two different subsystems in the kernel, you cannot mix and match
# between them; in particular, if you are adding a new rule that needs to run either before
# or after some existing rules (such as the system firewall rules), then you need to create
# your rule with the same iptables mode as the other rules were created with, since otherwise
# the ordering may not be what you expect. (eg, if you prepend a rule using the nft-based
# client, it will still run after all rules that were added with the legacy iptables client.)
#
# In particular, this means that if you create a container image that will make changes to
# iptables rules in the host network namespace, and you want that container to be able to work
# on any host, then you need to figure out at run time which mode the host is using, and then
# also use that mode yourself. This wrapper is designed to do that for you.
#
# ref. https://github.com/kubernetes-sigs/iptables-wrappers
COPY /build/artifacts-linux-$ARCH/iptables-wrapper/iptables-wrapper-installer.sh \
/build/artifacts-linux-$ARCH/iptables-wrapper/iptables-wrapper \
/

RUN /iptables-wrapper-installer.sh

ENTRYPOINT ["/usr/bin/kumactl"]
CMD ["install", "transparent-proxy"]
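Review bot: The installer is left in the image root after it runs: the `COPY` places `/iptables-wrapper-installer.sh` and `/iptables-wrapper` at `/`, and `RUN /iptables-wrapper-installer.sh` never removes them, so the final image ships a setup script it no longer needs; `RUN /iptables-wrapper-installer.sh && rm -f /iptables-wrapper-installer.sh` keeps the runtime filesystem to what kumactl needs (whether the installer moves or only copies `/iptables-wrapper` is not visible here, so check before also removing that path). The header comment cites kubernetes-sigs/iptables-wrappers, but the artifacts actually come from the kumahq/iptables-wrappers v0.1.0 release (see mk/build.mk in this commit); naming the fork and tag in the comment, e.g. `# Binaries are built from the kumahq/iptables-wrappers fork, release v0.1.0 (see mk/build.mk).`, tells a reader which code is really being installed. Replacing the previous `update-alternatives --set iptables /usr/sbin/iptables-legacy` with runtime detection presumably requires both `iptables-legacy` and `iptables-nft` to be present in the base image; that base image is outside this hunk, so it is worth confirming.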
8 changes: 8 additions & 0 deletions tools/releases/dockerfiles/kuma-init.Dockerfile.dockerignore
@@ -1,8 +1,16 @@
*
!build/artifacts-linux-amd64/kumactl/kumactl
!build/artifacts-linux-arm64/kumactl/kumactl
!build/artifacts-linux-amd64/iptables-wrapper/iptables-wrapper
!build/artifacts-linux-amd64/iptables-wrapper/iptables-wrapper-installer.sh
!build/artifacts-linux-arm64/iptables-wrapper/iptables-wrapper
!build/artifacts-linux-arm64/iptables-wrapper/iptables-wrapper-installer.sh
!build/artifacts-darwin-amd64/kumactl/kumactl
!build/artifacts-darwin-arm64/kumactl/kumactl
!build/artifacts-darwin-amd64/iptables-wrapper/iptables-wrapper
!build/artifacts-darwin-amd64/iptables-wrapper/iptables-wrapper-installer.sh
!build/artifacts-darwin-arm64/iptables-wrapper/iptables-wrapper
!build/artifacts-darwin-arm64/iptables-wrapper/iptables-wrapper-installer.sh
!tools/releases/templates/LICENSE
!tools/releases/templates/NOTICE
!tools/releases/templates/README
