Question: How to set a persistent iptables rule

[shibumi]

Hello,

I would like to setup a persistent iptables rule on each of my flatcar VMs. How would I do this?
First, I have just set it manually and I thought one of the systemd services would persist it automatically before a controlled reboot/shutdown.

[tormath1]

Hi @shibumi,

You just need two things and they can be done trough ignition:

• add your rule to /var/lib/iptables/rules-save
• enable the systemd service: iptables-restore.service

With this both condition, you should be able to persist your iptables rule across the reboot. Let us know how it goes :)

[shibumi]

Hi @tormath1,

first of all: Wow! That answer was fast. I did not expect that :)

I will check this out. Thanks for the help

[tormath1]

@shibumi : here's a simple example with a basic iptable rule: https://gist.github.com/tormath1/1184ffb73bc393c6413d94bd1317b486

[shibumi]

@tormath1 is the "ct" tool still recommended? Somewhere, I heard that it's deprecated and nobody should use it. If it's not deprecated, can you point me to the github repository? I would like to package it for Arch Linux :)

[tormath1]

@shibumi ct is still maintained by Flatcar - we even released 0.9.1 in June 2021.

We're currently working on adding support for Ignition version 3 specs into Flatcar, ct upgrade will follow to generate Ignition version 3.

I would like to package it for Arch Linux :)

That would be awesome for the community! Do you want add it to the AUR? Don't hesitate to ping in this issue or in the Matrix channel if you need a hand. Thanks a lot!

[shibumi]

ct is still maintained by Flatcar - we even released 0.9.1 in June 2021.

Oh okay. Looks like I visited the wrong repository in the past. I think a few months ago the kinvolk documencation has linked to the containerOS repository instead of the flatcar-linux repo.

That would be awesome for the community! Do you want add it to the AUR? Don't hesitate to ping in this issue or in the Matrix channel if you need a hand. Thanks a lot!

No. I am package maintainer. I would like to push it to the official repositories :) I maintain CNCF-related packages there (kubernetes, istio, helm, etc)..

[shibumi]

@tormath1 https://archlinux.org/packages/community/x86_64/ct/ done

[tormath1]

@shibumi thanks a lot, this is awesome !

Just a nit detail, the version should be passed as a ldflag, so we currently have:

$ ct --version
ct was not built properly

We might need to update the PKGBUILD with something like:

22c22
<   go build -ldflags="-w -s -linkmode=external" -o ct
---
>   go build -ldflags="-w -s -linkmode=external -X github.com/flatcar-linux/container-linux-config-transpiler/internal/version.Raw=${pkgver}" -o ct

To finally have the version:

$ ct --version
ct v0.9.1

[shibumi]

@tormath1 great idea! I will change this ASAP.

[tormath1]

Hi @shibumi , we just released a new version of ct: https://github.com/flatcar-linux/container-linux-config-transpiler/releases/tag/v0.9.2. (I don't know if you susbcribed to the github "release" notification)

[shibumi]

@tormath1 I forgot subscribing. Thanks for the reminder! :)

[tormath1]

Hi @shibumi , I hope you're doing well - we just released a new version of ct: https://github.com/flatcar-linux/container-linux-config-transpiler/releases/tag/v0.9.3 if you want to update it for ArchLinux :)

[shibumi]

Thanks @tormath1 will do it.

[tormath1]

Hi @shibumi,

A new version of ct (0.9.4) is available - it's mainly to follow the recent renaming of flatcar-linux org to flatcar, here's the patch to apply on the PKGBUILD:

--- PKGBUILD	2022-09-14 11:35:38.512089045 +0200
+++ PKGBUILD.new	2022-09-14 11:39:16.874898786 +0200
@@ -4,13 +4,13 @@
 pkgrel=1
 pkgdesc='config transpiler for Flatcar Container Linux'
 arch=('x86_64' 'aarch64')
-url='https://github.com/flatcar-linux/container-linux-config-transpiler'
+url='https://github.com/flatcar/container-linux-config-transpiler'
 license=('Apache')
 depends=('kubectl')
 makedepends=('git' 'go')
-source=("${pkgname}-${pkgver}.tar.gz::https://github.com/flatcar-linux/container-linux-config-transpiler/archive/refs/tags/v${pkgver}.tar.gz")
-sha512sums=('b31000fa24607c9480e6e4df67f779e7052e2da160ce0c08c5a0fbb9666d750003b5b75995af08ccc442abaccb059f0f6e7fe8fdfaadad90c4accdd490082078')
-b2sums=('23c43d103d960deca8075b92545841c34bc553b28212500846c4f2770b31bc9c803d894a2e20f8d67e6a3f4bebfc55aaa1d9a7442008e407af7a6c94353f2e5f')
+source=("${pkgname}-${pkgver}.tar.gz::https://github.com/flatcar/container-linux-config-transpiler/archive/refs/tags/v${pkgver}.tar.gz")
+sha512sums=('a00e3a1ab401630a7c38a18b4f0ffb43d433134353e774ceae633338f32926989db75f18b2d58bcf7ed2103412472da8a8700990136c9197c0211680128edd75')
+b2sums=('90d0c875d523e5223b1015fc2433c389f02437d129ac4cd683699a3d59fe50ec4465e7389cfd7f7636c233bf63b7091a35781fe1a54bbc4ce6fe62e867c00300')
 
 build() {
   cd "container-linux-config-transpiler-${pkgver}/internal"
@@ -19,7 +19,7 @@
   export CGO_CPPFLAGS="$CPPFLAGS"
   export CGO_CXXFLAGS="$CXXFLAGS"
   export GOFLAGS='-buildmode=pie -trimpath -modcacherw -mod=readonly'
-  go build -ldflags="-w -s -linkmode=external -X github.com/flatcar-linux/container-linux-config-transpiler/internal/version.Raw=${pkgver}" -o ct
+  go build -ldflags="-w -s -linkmode=external -X github.com/flatcar/container-linux-config-transpiler/internal/version.Raw=${pkgver}" -o ct
 }
 
 #check() {

I can submit the patch myself if you're busy at the moment. Thanks again for maintaining this on Arch!

[shibumi]

@tormath1 Sorry for the delay :D let me work on it.

[shibumi]

I released 0.9.4. :)

sorry for the delay again, I recently switched the job and the first few weeks were a little bit overwhelming.