devstack: Set and clean iptables

We were only setting API LB member iptables rules in gates. This patch makes
them available in development devstack scenarios as well and adds cleanup of
the iptables rules that kuryr devstack sets.

Change-Id: I8ebfe20aabd8d94062490063325806cee0d08436
Signed-off-by: Antoni Segura Puimedon <asegurap@redhat.com>
Antoni Segura Puimedon 2018-07-05 00:58:04 +02:00 committed by Antoni Segura Puimedon
parent 889a0d969c
commit 7133a73e24
2 changed files with 25 additions and 3 deletions


@ -80,8 +80,14 @@ function ovs_bind_for_kubelet() {
done
sudo ip route add "$service_subnet_cidr" via "$pod_subnet_gw" dev "$ifname"
if [ -n "$port_number" ]; then
# Ignore the error if openstack-INPUT chain doesn't exist.
sudo iptables -I openstack-INPUT 1 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport $port_number -j ACCEPT || true
# if openstack-INPUT chain doesn't exist we create it in INPUT (for
# local development envs since openstack-INPUT is usually only in gates)
sudo iptables -I openstack-INPUT 1 \
-p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport $port_number -j ACCEPT || \
sudo iptables -I INPUT 1 \
-p tcp -m conntrack --ctstate NEW \
-m tcp --dport "$port_number" \
-m comment --comment "kuryr-devstack: Access to OpenShift API" -j ACCEPT
fi
}
@ -1170,7 +1176,7 @@ except-interface=lo
EOF
#Open port 53 so pods can reach the DNS server
sudo iptables -I INPUT 1 -p udp -m udp --dport 53 -j ACCEPT
sudo iptables -I INPUT 1 -p udp -m udp --dport 53 -m comment --comment "kuryr-devstack: Access to OpenShift API" -j ACCEPT
dnsmasq_binary="$(command -v dnsmasq)"
cmd="${dnsmasq_binary} -k -C ${openshift_dnsmasq_conf_path}"
@ -1220,3 +1226,17 @@ function run_openshift_dns {
run_process openshift-dns "sudo $command"
fi
}
# cleanup_kuryr_devstack_iptables
# Description: Fins all the iptables rules we set and deletes them
function cleanup_kuryr_devstack_iptables {
local chains
chains=( INPUT FORWARD OUTPUT )
for chain in ${chains[@]}; do
sudo iptables -n -L "$chain" -v --line-numbers | \
awk -v chain="$chain" \
'/kuryr-devstack/ {print "sudo iptables -D " chain " " $1}' | \
tac | bash /dev/stdin
done
}
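Review bot: cleanup_kuryr_devstack_iptables only walks INPUT, FORWARD and OUTPUT and only matches rules carrying the `kuryr-devstack` comment, so the rule the first hunk inserts into openstack-INPUT (the gate path, no `-m comment`) survives unstack; tagging that rule with `-m comment --comment "kuryr-devstack: Access to OpenShift API"` and adding `openstack-INPUT` to `chains` (guarding the listing if the chain may be absent) would make the cleanup complete. Executing awk-generated command text through `bash /dev/stdin` is harder to audit than calling iptables directly; a `while read -r` loop over the matched line numbers, still reversed with `tac` so each deletion does not renumber the remaining matches, does the same work, and `${chains[@]}` should be quoted as `"${chains[@]}"`. The comment string on the port 53 rule in the second hunk says "Access to OpenShift API" although that rule is for DNS; `--comment "kuryr-devstack: Access to DNS"` keeps the prefix the cleanup matches on and stops misleading anyone reading `iptables -L`. The header comment above the function has a typo, `Fins` for `Finds`. The ovs_bind_for_kubelet function in the first hunk starts outside the hunk.
```shell
for chain in "${chains[@]}"; do
  sudo iptables -n -L "$chain" -v --line-numbers \
    | awk '/kuryr-devstack/ {print $1}' | tac \
    | while read -r rule_num; do
        sudo iptables -D "$chain" "$rule_num"
      done
done
```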


@ -911,6 +911,8 @@ if [[ "$1" == "unstack" ]]; then
if is_service_enabled legacy_etcd; then
stop_container etcd
fi
cleanup_kuryr_devstack_iptables
fi
if [[ "$1" == "clean" ]]; then