feat(preflights): add arp filtering related preflights #1454
Conversation
|
@ricardomaraschini we're keeping this on pause while we look into: But yeah, if we end up going with this PR we should use the collector you introduced. |
Oh, nice. In the end we would migrate this (and mine) to use the new collector and analyzer. Thanks. |
|
This PR has been released (on staging) and is available for download with a embedded-cluster-smoke-test-staging-app license ID. Online Installer: Airgap Installer (may take a few minutes before the airgap bundle is built): Happy debugging! |
JGAntunes
force-pushed
the
jgantunes/sc-114999/add-preflights-for-arp-filter-and-arp-ignore
branch
from
25f513b
to
0d909cf
Compare
|
@ajp-io I've updated the spec, feel free to 👀 the preflight text and push any changes that you deem worth. I'll work on updating troubleshoot and test the spec next week. |
pkg/preflights/host-preflight.yaml
Outdated
| - fail: | ||
| when: 'net.ipv4.conf.default.arp_filter > 0' | ||
| message: "ARP filtering is enabled by default for newly created interfaces on the host. Disable it by running 'sysctl net.ipv4.conf.default.arp_filter=0'." | ||
| - fail: | ||
| when: 'net.ipv4.conf.default.arp_ignore > 0' | ||
| message: "ARP ignore is enabled by default for newly created interfaces on the host. Disable it by running 'sysctl net.ipv4.conf.default.arp_ignore=0'." | ||
| - fail: | ||
| when: 'net.ipv4.conf.all.arp_filter > 0' | ||
| message: "ARP filtering is enabled for all interfaces on the host. Disable it by running 'sysctl net.ipv4.conf.all.arp_filter=0'." | ||
| - fail: | ||
| when: 'net.ipv4.conf.all.arp_ignore > 0' | ||
| message: "ARP ignore is enabled for all interfaces on the host. Disable it by running 'sysctl net.ipv4.conf.all.arp_ignore=0'." |
There was a problem hiding this comment.
I think you want a pass condition here too.
As I understand Troubleshoot, you hit a matching when and drop out there. So if someone has filter and ignore set incorrectly, they would only get the message that comes first in this list. Is that correct? If so, can we make this so that all failure conditions would show? Not sure if that needs to be two analyzers or something else.
There was a problem hiding this comment.
You're right, I misunderstood troubleshoot in that aspect. Tested it out locally now and looks 👍
There was a problem hiding this comment.
The separate analyzers looks good. I still think you need a pass for each in addition to the fail. See the other analyzers in there, like here.
There was a problem hiding this comment.
Addressed via - 3735481
pkg/preflights/host-preflight.yaml
Outdated
| outcomes: | ||
| - fail: | ||
| when: 'net.ipv4.conf.default.arp_filter > 0' | ||
| message: "ARP filtering is enabled by default for newly created interfaces on the host. Disable it by running 'sysctl net.ipv4.conf.default.arp_filter=0'." |
There was a problem hiding this comment.
I'm not sure these instructions make the change permanent. I think you might want to edit /etc/sysctl.conf and then use sysctl -p.
There was a problem hiding this comment.
True, changed the instructions in - 6c800ba
JGAntunes
force-pushed
the
jgantunes/sc-114999/add-preflights-for-arp-filter-and-arp-ignore
branch
from
b93b64b
to
3bb1fef
Compare
|
@ajp-io addressed your review and have run this locally: root@node0:/replicatedhq/embedded-cluster# output/bin/embedded-cluster install run-preflights --no-prompt --license local-dev/Joao.yaml
✔ Host files materialized!
✔ Host preflights succeeded!
Host preflights completed successfully
root@node0:/replicatedhq/embedded-cluster# sysctl net.ipv4.conf.default.arp_filter=1
net.ipv4.conf.default.arp_filter = 1
root@node0:/replicatedhq/embedded-cluster# sysctl net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.default.arp_ignore = 1
root@node0:/replicatedhq/embedded-cluster# sysctl net.ipv4.conf.all.arp_filter=1
net.ipv4.conf.all.arp_filter = 1
root@node0:/replicatedhq/embedded-cluster# sysctl net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.all.arp_ignore = 1
root@node0:/replicatedhq/embedded-cluster# output/bin/embedded-cluster install run-preflights --no-prompt --license local-dev/Joao.yaml
✔ Host files materialized!
✗ 4 host preflights failed
• ARP filtering is enabled by default for newly created interfaces on the host. Disable it by editing `/etc/sysctl.conf` and adding the line
`net.ipv4.conf.default.arp_filter=0` followed by running `sudo sysctl -p`.
• ARP ignore is enabled by default for newly created interfaces on the host. Disable it by editing `/etc/sysctl.conf` and adding the line
`net.ipv4.conf.default.arp_ignore=0` followed by running `sudo sysctl -p`.
• ARP filtering is enabled for all interfaces on the host. Disable it by editing `/etc/sysctl.conf` and adding the line
`net.ipv4.conf.all.arp_filter=0` followed by running `sudo sysctl -p`.
• ARP ignore is enabled for all interfaces on the host. Disable it by editing `/etc/sysctl.conf` and adding the line
`net.ipv4.conf.all.arp_ignore=0` followed by running `sudo sysctl -p`.
Please address these issues and try again. |
|
I left a comment on an outdated comment, which means you might not see it. Here it is #1454 (comment) |
|
lgtm, though I don't know if you need an engineer's review too |
JGAntunes
deleted the
jgantunes/sc-114999/add-preflights-for-arp-filter-and-arp-ignore
branch
What this PR does / why we need it:
Keeping the PR in draft mode as we try to createsysctlspecifc preflights instead:sysctlhost collector troubleshoot#1674sysctlhost analyzer troubleshoot#1675Changes have been merged, I'll work on releasing troubleshoot and testing the spec.
Docs for reference - https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html
Which issue(s) this PR fixes:
https://app.shortcut.com/replicated/story/114999/add-preflights-for-arp-filter-and-arp-ignore-kernel-parameters
Does this PR require a test?
Simple spec change, but run a test locally:
Does this PR require a release note?
Does this PR require documentation?
NONE