devstack: Set and clean iptables
Until now we only set the API LB member iptables rules in the gates. This patch also sets them in development devstack scenarios and adds cleanup of the iptables rules that kuryr devstack sets. Change-Id: I8ebfe20aabd8d94062490063325806cee0d08436 Signed-off-by: Antoni Segura Puimedon <asegurap@redhat.com>
parent
889a0d969c
commit
7133a73e24
|
@ -80,8 +80,14 @@ function ovs_bind_for_kubelet() {
|
|||
done
|
||||
sudo ip route add "$service_subnet_cidr" via "$pod_subnet_gw" dev "$ifname"
|
||||
if [ -n "$port_number" ]; then
|
||||
# Ignore the error if openstack-INPUT chain doesn't exist.
|
||||
sudo iptables -I openstack-INPUT 1 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport $port_number -j ACCEPT || true
|
||||
# if openstack-INPUT chain doesn't exist we create it in INPUT (for
|
||||
# local development envs since openstack-INPUT is usually only in gates)
|
||||
sudo iptables -I openstack-INPUT 1 \
|
||||
-p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport $port_number -j ACCEPT || \
|
||||
sudo iptables -I INPUT 1 \
|
||||
-p tcp -m conntrack --ctstate NEW \
|
||||
-m tcp --dport "$port_number" \
|
||||
-m comment --comment "kuryr-devstack: Access to OpenShift API" -j ACCEPT
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -1170,7 +1176,7 @@ except-interface=lo
|
|||
EOF
|
||||
|
||||
#Open port 53 so pods can reach the DNS server
|
||||
sudo iptables -I INPUT 1 -p udp -m udp --dport 53 -j ACCEPT
|
||||
sudo iptables -I INPUT 1 -p udp -m udp --dport 53 -m comment --comment "kuryr-devstack: Access to OpenShift API" -j ACCEPT
|
||||
|
||||
dnsmasq_binary="$(command -v dnsmasq)"
|
||||
cmd="${dnsmasq_binary} -k -C ${openshift_dnsmasq_conf_path}"
|
||||
|
@ -1220,3 +1226,17 @@ function run_openshift_dns {
|
|||
run_process openshift-dns "sudo $command"
|
||||
fi
|
||||
}
|
||||
|
||||
# cleanup_kuryr_devstack_iptables
|
||||
# Description: Fins all the iptables rules we set and deletes them
|
||||
function cleanup_kuryr_devstack_iptables {
|
||||
local chains
|
||||
|
||||
chains=( INPUT FORWARD OUTPUT )
|
||||
for chain in ${chains[@]}; do
|
||||
sudo iptables -n -L "$chain" -v --line-numbers | \
|
||||
awk -v chain="$chain" \
|
||||
'/kuryr-devstack/ {print "sudo iptables -D " chain " " $1}' | \
|
||||
tac | bash /dev/stdin
|
||||
done
|
||||
}
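Review bot: cleanup_kuryr_devstack_iptables builds `sudo iptables -D …` command text with awk and pipes it into `bash /dev/stdin`, leaves the loop variable `chain` global, and expands `${chains[@]}` unquoted; reading the rule numbers and calling iptables directly, as sketched below, avoids executing generated text and lets awk accept only numeric first fields. The cleanup also cannot reach the rule the first hunk inserts into `openstack-INPUT`: that rule carries no `kuryr-devstack` comment and the chain is not in `chains`, so on hosts where the chain exists the API port stays open after unstack (its `--dport $port_number` is also unquoted). In the DNS hunk the new port 53 rule is tagged `"kuryr-devstack: Access to OpenShift API"`; a comment such as `"kuryr-devstack: Access to OpenShift DNS"` would keep the `iptables -L` output accurate while still matching the cleanup pattern. Both new ACCEPT rules match any source address, which looks wider than the pod and service subnets need; worth confirming that this is intended outside the gates.

```shell
function cleanup_kuryr_devstack_iptables {
    local chain rule_num

    for chain in INPUT FORWARD OUTPUT; do
        # Highest rule number first, so an earlier deletion does not
        # renumber the rules that are still to be removed.
        while read -r rule_num; do
            sudo iptables -D "$chain" "$rule_num"
        done < <(sudo iptables -n -L "$chain" -v --line-numbers | \
            awk '/kuryr-devstack/ && $1 ~ /^[0-9]+$/ {print $1}' | tac)
    done
}
```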
|
||||
|
|
|
@ -911,6 +911,8 @@ if [[ "$1" == "unstack" ]]; then
|
|||
if is_service_enabled legacy_etcd; then
|
||||
stop_container etcd
|
||||
fi
|
||||
|
||||
cleanup_kuryr_devstack_iptables
|
||||
fi
|
||||
|
||||
if [[ "$1" == "clean" ]]; then
|
||||
|
|