[photon-3] iptables rules get over written #632

Closed
kkeshavamurthy opened this issue Jun 16, 2021 · 1 comment · Fixed by #633
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@kkeshavamurthy
Member

What steps did you take and what happened:
[A clear and concise description on how to REPRODUCE the bug.]

  • Configure custom iptables rules in custom_role. Ex:

        -P INPUT DROP
        -A INPUT -p tcp -m multiport --dports 30000:32767 -j ACCEPT

  • Sysprep alters the rules by replacing INPUT DROP with INPUT ACCEPT, which defeats the purpose of configuring the strict rule.

  • I suggest we move these 2 tasks out of sysprep and into setup role maybe? That way custom roles can override them if needed.

What did you expect to happen:
User-configured iptables rules should not be tampered with by image-builder.

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]

Environment:

Project (Image Builder for Cluster API, kube-deploy/imagebuilder, konfigadm):

Additional info for Image Builder for Cluster API related issues:

  • OS (e.g. from /etc/os-release, or cmd /c ver):
  • Packer Version:
  • Packer Provider:
  • Ansible Version:
  • Cluster-api version (if using):
  • Kubernetes version: (use kubectl version):

/kind bug
[One or more /area label. See https://github.com/kubernetes-sigs/cluster-api/labels?q=area for the list of labels]

CC: @codenrhoden

@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Jun 16, 2021
@codenrhoden
Contributor

@kkeshavamurthy Yeah, I see what you are saying. I think relocating those two tasks into setup/tasks/photon.yml is a good solution.
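
A post-build check for the drift reported in this issue, as an added example that is not part of the original thread or of image-builder's code: it compares the rules a custom role intended with `iptables -S` style output taken from the built image and reports a changed chain policy or a missing rule. The function name `check_rules` and both sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example (not image-builder code). Inputs are text in `iptables -S`
# format, one rule per line. Real use (assumption: run inside the built image):
#   check_rules "$(cat expected.rules)" "$(iptables -S)"

# Constructed sample: the rules from the issue's custom role.
EXPECTED_RULES='-P INPUT DROP
-A INPUT -p tcp -m multiport --dports 30000:32767 -j ACCEPT'

# Constructed sample: the same rules after the INPUT policy was reset to ACCEPT.
AFTER_SYSPREP='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 30000:32767 -j ACCEPT'

# Prints one line per expected rule that is absent from the actual rules.
# Returns 0 when every expected rule is present, 1 otherwise.
check_rules() {
    expected=$1
    actual=$2
    drift=0
    while IFS= read -r rule; do
        # Skip blank lines and comments in the expected rule list.
        case $rule in ''|'#'*) continue ;; esac
        # Exact whole-line match; -e is required because rules start with "-".
        if printf '%s\n' "$actual" | grep -Fxq -e "$rule"; then
            continue
        fi
        drift=1
        case $rule in
            '-P '*)
                # Policy line "-P <chain> <target>": report what replaced it.
                set -- $rule
                chain=$2
                found=$(printf '%s\n' "$actual" |
                    awk -v c="$chain" '$1 == "-P" && $2 == c { print $3; exit }')
                echo "POLICY $chain expected=$3 actual=${found:-missing}"
                ;;
            *)
                echo "MISSING $rule"
                ;;
        esac
    done <<EOF
$expected
EOF
    return $drift
}
```

A non-zero return from this check can fail the image build, so a default-deny policy that was reset to ACCEPT is caught before the image ships.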
