Fix firewalld "inactive (dead)" problems (#1475)
jakolehm committed Sep 3, 2019
1 parent 212a9a3 commit ecc906f
Showing 5 changed files with 45 additions and 27 deletions.
12 changes: 12 additions & 0 deletions lib/pharos/host/debian/scripts/configure-firewalld.sh
Expand Up @@ -2,6 +2,16 @@

set -e

# shellcheck disable=SC1091
. /usr/local/share/pharos/util.sh

mkdir -p /etc/systemd/system/firewalld.service.d
cat <<EOF >/etc/systemd/system/firewalld.service.d/10-pharos.conf
[Service]
Restart=always
Before=kubelet.service
EOF

if ! dpkg -l firewalld > /dev/null; then
export DEBIAN_FRONTEND=noninteractive
apt-get install -y firewalld ipset ebtables
Expand All @@ -10,3 +20,5 @@ if ! dpkg -l firewalld > /dev/null; then
systemctl start firewalld
fi
fi

lineinfile "^CleanupOnExit=" "CleanupOnExit=no" "/etc/firewalld/firewalld.conf"
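Review bot: `Before=kubelet.service` is written under `[Service]`, but `Before=` is a `[Unit]` directive; systemd logs "Unknown key name 'Before' in section 'Service', ignoring" and the ordering against kubelet silently never takes effect, so only `Restart=always` survives from this drop-in. Give it its own section: `[Unit]` / `Before=kubelet.service` followed by a blank line and the existing `[Service]` / `Restart=always` block. Nothing in the hunk runs `systemctl daemon-reload` after writing the drop-in, so on hosts where firewalld is already installed (the `if ! dpkg -l` branch is skipped) the new unit settings presumably stay unapplied until the next reload or reboot; a `systemctl daemon-reload` right after the heredoc would make that explicit. The `lineinfile` helper comes from the sourced util.sh and is not visible here; assuming it appends when no `CleanupOnExit=` line exists, it is worth a comment that `CleanupOnExit=no` also means a deliberate `systemctl stop firewalld` leaves the rule set in place, which operators may not expect.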
12 changes: 12 additions & 0 deletions lib/pharos/host/el7/scripts/configure-firewalld.sh
Expand Up @@ -2,6 +2,16 @@

set -e

# shellcheck disable=SC1091
. /usr/local/share/pharos/util.sh

mkdir -p /etc/systemd/system/firewalld.service.d
cat <<EOF >/etc/systemd/system/firewalld.service.d/10-pharos.conf
[Service]
Restart=always
Before=kubelet.service
EOF

if ! rpm -qi firewalld ; then
yum install -y firewalld

Expand All @@ -10,3 +20,5 @@ if ! rpm -qi firewalld ; then
systemctl start firewalld
fi
fi

lineinfile "^CleanupOnExit=" "CleanupOnExit=no" "/etc/firewalld/firewalld.conf"
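Review bot: The drop-in puts `Before=kubelet.service` in the `[Service]` section, where systemd ignores it with an "Unknown key name" warning, so the kubelet ordering this commit relies on is not actually configured; move it under a `[Unit]` header: `[Unit]` / `Before=kubelet.service` above the `[Service]` / `Restart=always` block. `Restart=always` alone also does not guarantee firewalld comes back: with the default 100 ms `RestartSec` a unit that fails on startup (for example a broken zone file) trips systemd's start-rate limit after five attempts and ends up in exactly the "inactive (dead)"/failed state the commit is fixing. On the systemd 219 that ships with EL7 the relevant keys live in `[Service]` as `StartLimitInterval=`/`StartLimitBurst=` (newer systemd moved them to `[Unit]` as `StartLimitIntervalSec=`), so something like `RestartSec=5` plus `StartLimitInterval=0` would make the restart policy actually unbounded — worth confirming against the target systemd version. `rpm -qi firewalld` also prints the full package info to stdout on the installed path; `rpm -q firewalld >/dev/null` is the quieter equivalent.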
12 changes: 12 additions & 0 deletions lib/pharos/host/ubuntu/scripts/configure-firewalld.sh
Expand Up @@ -2,6 +2,16 @@

set -e

# shellcheck disable=SC1091
. /usr/local/share/pharos/util.sh

mkdir -p /etc/systemd/system/firewalld.service.d
cat <<EOF >/etc/systemd/system/firewalld.service.d/10-pharos.conf
[Service]
Restart=always
Before=kubelet.service
EOF

if ! dpkg -l firewalld > /dev/null; then
export DEBIAN_FRONTEND=noninteractive
systemctl mask ebtables
Expand All @@ -12,3 +22,5 @@ if ! dpkg -l firewalld > /dev/null; then
systemctl start firewalld
fi
fi

lineinfile "^CleanupOnExit=" "CleanupOnExit=no" "/etc/firewalld/firewalld.conf"
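Review bot: `Before=kubelet.service` under `[Service]` is a no-op — `Before=` is a `[Unit]` option and systemd discards it with an "Unknown key name 'Before' in section 'Service'" warning — so firewalld is not ordered ahead of kubelet as intended; write `[Unit]` / `Before=kubelet.service` as a separate section above `[Service]` / `Restart=always`. The heredoc is written unconditionally, but the only `systemctl` calls in the hunk are inside the not-yet-installed branch, so on a host that already has firewalld the new `Restart=always` is presumably not picked up until something runs `systemctl daemon-reload`; adding that call directly after the `cat <<EOF` would remove the dependency on the package postinst doing it. Since the three distro scripts now carry an identical drop-in and `lineinfile` call, a shared helper in the already-sourced util.sh would keep the `[Unit]`/`[Service]` fix from having to be applied three times.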
12 changes: 0 additions & 12 deletions lib/pharos/resources/calico/25-node-daemonset.yml.erb
Expand Up @@ -26,7 +26,6 @@ spec:
# priority scheduling and that its resources are reserved
# if it ever gets evicted.
scheduler.alpha.kubernetes.io/critical-pod: ''
kontena.io/firewalld: "<%= firewalld_enabled %>"
spec:
hostNetwork: true
hostPID: true
Expand All @@ -45,17 +44,6 @@ spec:
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
terminationGracePeriodSeconds: 0
initContainers:
<% if firewalld_enabled && reload_iptables %>
# This container performs firewalld reload
- name: reload-firewalld
image: <%= image_repository %>/alpine:3.9
command: ["/bin/sh", "-c"]
env:
- name: TIMESTAMP
value: "<%= Time.now.to_f %>"
args:
- pkill -HUP firewalld
<% end %>
# This container performs upgrade from host-local IPAM to calico-ipam.
# It can be deleted if this is a fresh installation, or if you have already
# upgraded to use calico-ipam.
24 changes: 9 additions & 15 deletions lib/pharos/resources/weave/daemon-set.yml.erb
Expand Up @@ -12,21 +12,7 @@ spec:
metadata:
labels:
name: weave-net
annotations:
kontena.io/firewalld: "<%= firewalld_enabled %>"
spec:
<% if firewalld_enabled && reload_iptables %>
initContainers:
# This container performs firewalld reload
- name: reload-firewalld
image: <%= image_repository %>/alpine:3.9
command: ["/bin/sh", "-c"]
env:
- name: TIMESTAMP
value: "<%= Time.now.to_f %>"
args:
- pkill -HUP firewalld
<% end %>
containers:
- name: weave
command:
Expand Down Expand Up @@ -61,12 +47,20 @@ spec:
name: weave-passwd
key: weave-passwd
image: '<%= image_repository %>/weave-kube:<%= version %>'
livenessProbe:
readinessProbe:
httpGet:
host: 127.0.0.1
path: /status
port: 6784
initialDelaySeconds: 30
livenessProbe:
exec:
command:
- /bin/sh
- -c
- iptables-save | grep -E -e '^-A WEAVE.+MASQUERADE$'
initialDelaySeconds: 60
periodSeconds: 60
resources:
requests:
cpu: 10m
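Review bot: The new exec livenessProbe runs `iptables-save` with the defaults `timeoutSeconds: 1` and `failureThreshold: 3`; on a node with a large kube-proxy rule set a full `iptables-save` can exceed one second, and three slow probes in a row will restart the weave container — the node's CNI — for no real fault. Set the budget explicitly under the probe, e.g. `timeoutSeconds: 10` and `failureThreshold: 5`, and consider `iptables-save -t nat` so only the table that holds the WEAVE MASQUERADE rule is dumped. The probe also assumes the `iptables-save` inside the image talks to the same backend (legacy vs nft) as the one weave used to install the rule on the host; if they differ the grep never matches and the pod crash-loops permanently, which is worth checking on each supported distro. The container's securityContext is outside this hunk, so I cannot confirm from here that it has the privileges `iptables-save` needs.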
