fix(capture): ignore known copy failure and fix iptables issue #903
Signed-off-by: Qingchuan Hao <[email protected]>
force-pushed from 5834c7f to b95d2e4
We install iptables-legacy on the Mariner image when building the image, but when it runs on an Ubuntu host the command returns an empty result, which works fine in iptables nft mode.
Please add a Testing Done section.
```go
nftIptablesModeAvaiable := true
legacyIptablesModeAvaiable := true
legacySaveOut, err := exec.Command("iptables-legacy-save").CombinedOutput()
if err != nil && strings.Contains(err.Error(), "command not found") {
```
What about errors with running the command? How should we handle them?
I treat all command errors as unavailability of that mode and log the error for us to investigate.
```go
// Since iptables v1.8, nf_tables are introduced as an improvement of legacy iptables, but provides the same user
// interface as legacy iptables through iptables-nft command.
// based on: https://github.com/kubernetes-sigs/iptables-wrappers/blob/97b01f43a8e8db07840fc4b95e833a37c0d36b12/iptables-wrapper-installer.sh
legacySaveOut, _ := exec.Command("iptables-legacy-save").CombinedOutput()

// when both iptables modes available, we choose the one with more rules.
```
What's the thinking behind this? Can you not list all the rules using either one of the modes? Given one is named legacy, shouldn't nft be default?
When both modes are available, we should use the one that lists more rules; the one that lists fewer rules normally just returns empty rules.
I am referring to https://github.com/kubernetes-sigs/iptables-wrappers/blob/97b01f43a8e8db07840fc4b95e833a37c0d36b12/iptables-wrapper-installer.sh, which is also mentioned in L377
```go
nftIptablesMode iptablesMode = "nft"
)

func obtainIptablesMode(l *log.ZapLogger) iptablesMode {
```
I think you should return unhandled errors along with mode.
The idea in my mind is that failed iptables rules do not break the whole capture.
…a into capture/fix-iptables-error
force-pushed from 30b2834 to 8e7d3b2
Signed-off-by: Qingchuan Hao <[email protected]>
force-pushed from 8e7d3b2 to b173ff7
```go
legacySaveOut, err := exec.Command("iptables-legacy-save").CombinedOutput()
if err != nil && strings.Contains(err.Error(), "command not found") {
```
Grepping the error string is an anti-pattern. To accomplish this, you're better off using exec.LookPath("iptables-legacy-save"). This looks up the executable in the same way and expands it to an absolute path. It returns an error if the executable was not found. If you still need to run iptables-legacy-save, you can pass that absolute path to exec.Command and just handle any unexpected errors without trying to interpret them.
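The following is an added example, not code from this PR or the project, that puts the three review points together: exec.LookPath to tell "not installed" apart from "installed but failed" instead of matching error strings, an error returned alongside the mode so the caller decides whether a failed probe aborts the capture, and the rule-count heuristic from the referenced iptables-wrappers script (my reading of it: count the dump lines that start with "-", pick the backend with more, tie goes to nft). The names probe, saveResult, countRules and chooseMode are mine; obtainIptablesMode keeps the page's name but drops the logger parameter and returns an error. The two sample dumps are constructed to mirror the Mariner-on-Ubuntu case from the description, where iptables-legacy-save runs but dumps nothing while the nft backend holds the rules.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"os/exec"
)

type iptablesMode string

const (
	legacyIptablesMode iptablesMode = "legacy"
	nftIptablesMode    iptablesMode = "nft"
)

var errNoIptables = errors.New("neither iptables-legacy-save nor iptables-nft-save is installed")

// saveResult is the outcome of probing one iptables backend.
type saveResult struct {
	available bool   // the *-save binary was found on PATH
	out       []byte // its dump (empty when unavailable)
}

// Constructed sample dumps (not captured from a real host): the legacy backend
// answers with an empty table, the nft backend holds three rules.
var (
	sampleLegacyEmpty = []byte("# Generated by iptables-legacy-save\n*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n")
	sampleNftRules    = []byte("# Generated by iptables-nft-save\n*filter\n:INPUT ACCEPT [0:0]\n-A INPUT -p tcp --dport 22 -j ACCEPT\n-A INPUT -j DROP\n-A OUTPUT -j ACCEPT\nCOMMIT\n")
)

// countRules counts rule lines in iptables-save output: lines beginning with "-"
// (e.g. "-A INPUT ..."). Chain declarations (":INPUT ..."), table headers ("*filter"),
// comments and COMMIT are not rules.
func countRules(saveOut []byte) int {
	n := 0
	sc := bufio.NewScanner(bytes.NewReader(saveOut))
	for sc.Scan() {
		if bytes.HasPrefix(sc.Bytes(), []byte("-")) {
			n++
		}
	}
	return n
}

// chooseMode picks the backend whose dump carries more rules. Ties go to nft,
// the newer backend, which also covers the case where legacy runs but is empty.
func chooseMode(legacy, nft saveResult) (iptablesMode, error) {
	switch {
	case !legacy.available && !nft.available:
		return "", errNoIptables
	case !nft.available:
		return legacyIptablesMode, nil
	case !legacy.available:
		return nftIptablesMode, nil
	case countRules(legacy.out) > countRules(nft.out):
		return legacyIptablesMode, nil
	default:
		return nftIptablesMode, nil
	}
}

// probe resolves the binary with exec.LookPath first, so an absent backend is
// recognised without inspecting error strings; a present binary that fails
// (e.g. run without the needed privileges) is reported to the caller instead.
func probe(binary string) (saveResult, error) {
	path, err := exec.LookPath(binary)
	if err != nil {
		return saveResult{}, nil // not installed: this backend is simply unavailable
	}
	out, err := exec.Command(path).CombinedOutput()
	if err != nil {
		return saveResult{}, fmt.Errorf("%s: %w: %s", binary, err, bytes.TrimSpace(out))
	}
	return saveResult{available: true, out: out}, nil
}

// obtainIptablesMode returns the chosen mode together with any unhandled error,
// leaving the caller to decide whether a failed probe should abort the capture.
func obtainIptablesMode() (iptablesMode, error) {
	legacy, err := probe("iptables-legacy-save")
	if err != nil {
		return "", err
	}
	nft, err := probe("iptables-nft-save")
	if err != nil {
		return "", err
	}
	return chooseMode(legacy, nft)
}

func main() {
	// Offline decision on the constructed dumps, then a live probe of this host.
	mode, _ := chooseMode(saveResult{true, sampleLegacyEmpty}, saveResult{true, sampleNftRules})
	fmt.Println("sample dumps ->", mode)
	if live, err := obtainIptablesMode(); err != nil {
		fmt.Println("live probe error:", err)
	} else {
		fmt.Println("live host ->", live)
	}
}
```

Returning the error rather than swallowing it keeps the author's goal intact: the capture code can still log and carry on when a probe fails, but it now knows that a backend was present and broken rather than merely absent, which is the distinction the error-string check could not make reliably.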