Update debian-iptables iptables-wrapper script

danwinship · danwinship · commit ffe93b397948 · 2019-11-14T09:57:57.000-05:00
The debian-iptables v12.0.0 build didn't work because of another
previously-undiscovered iptables 1.8.x bug. Work around it for now and
bump the version to v12.0.1; we can revert back to the original
version of the script once iptables 1.8.4 is available in
buster-backports.
diff --git a/build/common.sh b/build/common.sh
@@ -95,7 +95,7 @@ readonly KUBE_CONTAINER_RSYNC_PORT=8730
 kube::build::get_docker_wrapped_binaries() {
   local arch=$1
   local debian_base_version=v2.0.0
-  local debian_iptables_version=v12.0.0
+  local debian_iptables_version=v12.0.1
   ### If you change any of these lists, please also update DOCKERIZED_BINARIES
   ### in build/BUILD. And kube::golang::server_image_targets
   local targets=(
diff --git a/build/debian-iptables/Makefile b/build/debian-iptables/Makefile
@@ -16,7 +16,7 @@
 
 REGISTRY?="staging-k8s.gcr.io"
 IMAGE=$(REGISTRY)/debian-iptables
-TAG?=v12.0.0
+TAG?=v12.0.1
 ARCH?=amd64
 ALL_ARCH = amd64 arm arm64 ppc64le s390x
 TEMP_DIR:=$(shell mktemp -d)
diff --git a/build/debian-iptables/iptables-wrapper b/build/debian-iptables/iptables-wrapper
@@ -19,12 +19,22 @@ set -e
 # Detect whether the base system is using iptables-legacy or
 # iptables-nft. This assumes that some non-containerized process (eg
 # kubelet) has already created some iptables rules.
+
+# Bugs in iptables-nft 1.8.3 may cause it to get stuck in a loop in
+# some circumstances, so we have to run the nft check in a timeout. To
+# avoid hitting that timeout, we only bother to even check nft if
+# legacy iptables was empty / mostly empty.
+
 num_legacy_lines=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep '^-' | wc -l)
-num_nft_lines=$( (iptables-nft-save || true; ip6tables-nft-save || true) 2>/dev/null | grep '^-' | wc -l)
-if [ "${num_legacy_lines}" -ge "${num_nft_lines}" ]; then
+if [ "${num_legacy_lines}" -ge 10 ]; then
     mode=legacy
 else
-    mode=nft
+    num_nft_lines=$( (timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save" || true) 2>/dev/null | grep '^-' | wc -l)
+    if [ "${num_legacy_lines}" -ge "${num_nft_lines}" ]; then
+	mode=legacy
+    else
+	mode=nft
+    fi
 fi
 
 update-alternatives --set iptables "/usr/sbin/iptables-${mode}" > /dev/null
diff --git a/build/workspace.bzl b/build/workspace.bzl
@@ -122,7 +122,7 @@ def debian_image_dependencies():
             digest = _digest(_DEBIAN_IPTABLES_DIGEST, arch),
             registry = "k8s.gcr.io",
             repository = "debian-iptables",
-            tag = "v12.0.0",  # ignored, but kept here for documentation
+            tag = "v12.0.1",  # ignored, but kept here for documentation
         )
 
         container_pull(

Original file line number	Diff line number	Diff line change
`@@ -122,7 +122,7 @@ def debian_image_dependencies():`
`122`	`122`	`digest = _digest(_DEBIAN_IPTABLES_DIGEST, arch),`
`123`	`123`	`registry = "k8s.gcr.io",`
`124`	`124`	`repository = "debian-iptables",`
`125`		`- tag = "v12.0.0", # ignored, but kept here for documentation`
	`125`	`+ tag = "v12.0.1", # ignored, but kept here for documentation`
`126`	`126`	`)`
`127`	`127`
`128`	`128`	`container_pull(`