From 176c80bc9f7df5b42c32eb53af92d368b6ca3386 Mon Sep 17 00:00:00 2001 From: rambohe Date: Mon, 3 Apr 2023 18:01:12 +0800 Subject: [PATCH] Revert "feat: yurthub automatically recognize nftables or iptables (#1135) (#1327)" This reverts commit 9d0f3165038fb58873d29ecbb4614d48e26256a9. --- hack/dockerfiles/build/Dockerfile.yurthub | 2 - hack/dockerfiles/release/Dockerfile.yurthub | 2 - hack/iptables-wrapper-installer.sh | 208 -------------------- 3 files changed, 212 deletions(-) delete mode 100644 hack/iptables-wrapper-installer.sh diff --git a/hack/dockerfiles/build/Dockerfile.yurthub b/hack/dockerfiles/build/Dockerfile.yurthub index 688b5384518..b233165c2ca 100644 --- a/hack/dockerfiles/build/Dockerfile.yurthub +++ b/hack/dockerfiles/build/Dockerfile.yurthub @@ -5,6 +5,4 @@ ARG TARGETOS TARGETARCH MIRROR_REPO RUN if [ ! -z "${MIRROR_REPO+x}" ]; then sed -i "s/dl-cdn.alpinelinux.org/${MIRROR_REPO}/g" /etc/apk/repositories; fi && \ apk add ca-certificates bash libc6-compat iptables ip6tables && update-ca-certificates && rm /var/cache/apk/* COPY ./_output/local/bin/${TARGETOS}/${TARGETARCH}/yurthub /usr/local/bin/yurthub -COPY hack/iptables-wrapper-installer.sh / -RUN chmod +x /iptables-wrapper-installer.sh && /iptables-wrapper-installer.sh ENTRYPOINT ["/usr/local/bin/yurthub"] \ No newline at end of file diff --git a/hack/dockerfiles/release/Dockerfile.yurthub b/hack/dockerfiles/release/Dockerfile.yurthub index d6f8cfbe9d3..53b83d1e117 100644 --- a/hack/dockerfiles/release/Dockerfile.yurthub +++ b/hack/dockerfiles/release/Dockerfile.yurthub @@ -11,6 +11,4 @@ ARG TARGETOS TARGETARCH MIRROR_REPO RUN if [ ! -z "${MIRROR_REPO+x}" ]; then sed -i "s/dl-cdn.alpinelinux.org/${MIRROR_REPO}/g" /etc/apk/repositories; fi && \ apk add ca-certificates bash libc6-compat iptables ip6tables && update-ca-certificates && rm /var/cache/apk/* COPY --from=builder /build/_output/local/bin/${TARGETOS}/${TARGETARCH}/yurthub /usr/local/bin/yurthub -COPY hack/iptables-wrapper-installer.sh / -RUN chmod +x /iptables-wrapper-installer.sh && /iptables-wrapper-installer.sh ENTRYPOINT ["/usr/local/bin/yurthub"] \ No newline at end of file diff --git a/hack/iptables-wrapper-installer.sh b/hack/iptables-wrapper-installer.sh deleted file mode 100644 index e6eb7d8210d..00000000000 --- a/hack/iptables-wrapper-installer.sh +++ /dev/null @@ -1,208 +0,0 @@ -#!/bin/sh - -# Copyright 2020 The Kubernetes Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Usage: -# -# iptables-wrapper-installer.sh [--no-sanity-check] -# -# Installs a wrapper iptables script in a container that will figure out -# whether iptables-legacy or iptables-nft is in use on the host and then -# replaces itself with the correct underlying iptables version. -# -# Unless "--no-sanity-check" is passed, it will first verify that the -# container already contains a suitable version of iptables. - -# NOTE: This can only use POSIX /bin/sh features; the build container -# might not contain bash. - -set -eu - -# Find iptables binary location -if [ -d /usr/sbin -a -e /usr/sbin/iptables ]; then - sbin="/usr/sbin" -elif [ -d /sbin -a -e /sbin/iptables ]; then - sbin="/sbin" -else - echo "ERROR: iptables is not present in either /usr/sbin or /sbin" 1>&2 - exit 1 -fi - -# Determine how the system selects between iptables-legacy and iptables-nft -if [ -x /usr/sbin/alternatives ]; then - # Fedora/SUSE style alternatives - altstyle="fedora" -elif [ -x /usr/sbin/update-alternatives ]; then - # Debian style alternatives - altstyle="debian" -else - # No alternatives system - altstyle="none" -fi - -if [ "${1:-}" != "--no-sanity-check" ]; then - # Ensure dependencies are installed - if ! version=$("${sbin}/iptables-nft" --version 2> /dev/null); then - echo "ERROR: iptables-nft is not installed" 1>&2 - exit 1 - fi - if ! "${sbin}/iptables-legacy" --version > /dev/null 2>&1; then - echo "ERROR: iptables-legacy is not installed" 1>&2 - exit 1 - fi - - case "${version}" in - *v1.8.[0123]\ *) - echo "ERROR: iptables 1.8.0 - 1.8.3 have compatibility bugs." 1>&2 - echo " Upgrade to 1.8.4 or newer." 1>&2 - exit 1 - ;; - *) - # 1.8.4+ are OK - ;; - esac -fi - -# Start creating the wrapper... -rm -f "${sbin}/iptables-wrapper" -cat > "${sbin}/iptables-wrapper" </dev/null | grep -E '^:(KUBE-IPTABLES-HINT|KUBE-KUBELET-CANARY)' | wc -l) -if [ "\${nft_kubelet_rules}" -ne 0 ]; then - mode=nft -else - # Check for kubernetes 1.17-or-later with iptables-legacy. We - # can't pass "-t mangle" to iptables-legacy-save because it would - # cause the kernel to create that table if it didn't already - # exist, which we don't want. So we have to grab all the rules - legacy_kubelet_rules=\$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep -E '^:(KUBE-IPTABLES-HINT|KUBE-KUBELET-CANARY)' | wc -l) - if [ "\${legacy_kubelet_rules}" -ne 0 ]; then - mode=legacy - else - # With older kubernetes releases there may not be any _specific_ - # rules we can look for, but we assume that some non-containerized process - # (possibly kubelet) will have created _some_ iptables rules. - num_legacy_lines=\$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep '^-' | wc -l) - num_nft_lines=\$( (iptables-nft-save || true; ip6tables-nft-save || true) 2>/dev/null | grep '^-' | wc -l) - if [ "\${num_legacy_lines}" -gt "\${num_nft_lines}" ]; then - mode=legacy - else - mode=nft - fi - fi -fi - -EOF - -# Write out the appropriate alternatives-selection commands -case "${altstyle}" in - fedora) -cat >> "${sbin}/iptables-wrapper" < /dev/null || failed=1 -EOF - ;; - - debian) -cat >> "${sbin}/iptables-wrapper" < /dev/null || failed=1 -update-alternatives --set ip6tables "/usr/sbin/ip6tables-\${mode}" > /dev/null || failed=1 -EOF - ;; - - *) -cat >> "${sbin}/iptables-wrapper" </dev/null || failed=1 -EOF - ;; -esac - -# Write out the post-alternatives-selection error checking and final wrap-up -cat >> "${sbin}/iptables-wrapper" <&2 - # fake it, though this will probably also fail if they aren't root - exec "${sbin}/xtables-\${mode}-multi" "\$0" "\$@" -fi - -# Now re-exec the original command with the newly-selected alternative -exec "\$0" "\$@" -EOF -chmod +x "${sbin}/iptables-wrapper" - -# Now back in the installer script, point the iptables binaries at our -# wrapper -case "${altstyle}" in - fedora) - alternatives \ - --install /usr/sbin/iptables iptables /usr/sbin/iptables-wrapper 100 \ - --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-wrapper \ - --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-wrapper \ - --slave /usr/sbin/ip6tables iptables /usr/sbin/iptables-wrapper \ - --slave /usr/sbin/ip6tables-restore iptables-restore /usr/sbin/iptables-wrapper \ - --slave /usr/sbin/ip6tables-save iptables-save /usr/sbin/iptables-wrapper - ;; - - debian) - update-alternatives \ - --install /usr/sbin/iptables iptables /usr/sbin/iptables-wrapper 100 \ - --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-wrapper \ - --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-wrapper - update-alternatives \ - --install /usr/sbin/ip6tables ip6tables /usr/sbin/iptables-wrapper 100 \ - --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/iptables-wrapper \ - --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/iptables-wrapper - ;; - - *) - for cmd in iptables iptables-save iptables-restore ip6tables ip6tables-save ip6tables-restore; do - rm -f "${sbin}/${cmd}" - ln -s "${sbin}/iptables-wrapper" "${sbin}/${cmd}" - done - ;; -esac - -# Cleanup -rm -f "$0"