From cf5f78e5be5ae5252c065700d581c36760897c3c Mon Sep 17 00:00:00 2001
From: Mohammed Naser <mnaser@vexxhost.com>
Date: Thu, 22 Nov 2018 16:50:21 -0500
Subject: [PATCH] Add iptables -P FORWARD ACCEPT unit

On node reboot, kubelet and kube-proxy set
iptables -P FORWARD DROP which doesn't work with
flannel in the way we use it.
Add a systemd unit to set the rule to ACCEPT after
flannel,docker,kubelet,kube-proxy.

Change-Id: I7f6200a4966fda1cc701749bf1f37ddc492390c5
Co-Authored-By: Spyros Trigazis <spyridon.trigazis@cern.ch>
---
 .../kubernetes/fragments/flannel-service.sh   | 23 +++++++++++++++++++
 .../swarm/fragments/network-service.sh        | 23 +++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/magnum/drivers/common/templates/kubernetes/fragments/flannel-service.sh b/magnum/drivers/common/templates/kubernetes/fragments/flannel-service.sh
index 1fb130e5cf..9a4b1e4508 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/flannel-service.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/flannel-service.sh
@@ -6,8 +6,10 @@ if [ "$NETWORK_DRIVER" != "flannel" ]; then
     exit 0
 fi
 
+SYSTEMD_UNITS_DIR=/etc/systemd/system/
 FLANNEL_DOCKER_BRIDGE_BIN=/usr/local/bin/flannel-docker-bridge
 FLANNEL_DOCKER_BRIDGE_SERVICE=/etc/systemd/system/flannel-docker-bridge.service
+FLANNEL_IPTABLES_FORWARD_ACCEPT_SERVICE=flannel-iptables-forward-accept.service
 DOCKER_FLANNEL_CONF=/etc/systemd/system/docker.service.d/flannel.conf
 FLANNEL_DOCKER_BRIDGE_CONF=/etc/systemd/system/flanneld.service.d/flannel-docker-bridge.conf
 
@@ -77,6 +79,27 @@ EOF
 chown root:root $FLANNEL_DOCKER_BRIDGE_CONF
 chmod 0644 $FLANNEL_DOCKER_BRIDGE_CONF
 
+# Workaround for https://github.com/coreos/flannel/issues/799
+# Not solved upstream properly yet.
+cat >> "${SYSTEMD_UNITS_DIR}${FLANNEL_IPTABLES_FORWARD_ACCEPT_SERVICE}" <<EOF
+[Unit]
+After=flanneld.service docker.service kubelet.service kube-proxy.service
+Requires=flanneld.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/iptables -P FORWARD ACCEPT
+ExecStartPost=/usr/sbin/iptables -S
+
+[Install]
+WantedBy=flanneld.service
+EOF
+
+chown root:root "${SYSTEMD_UNITS_DIR}${FLANNEL_IPTABLES_FORWARD_ACCEPT_SERVICE}"
+chmod 0644 "${SYSTEMD_UNITS_DIR}${FLANNEL_IPTABLES_FORWARD_ACCEPT_SERVICE}"
+systemctl daemon-reload
+systemctl enable "${FLANNEL_IPTABLES_FORWARD_ACCEPT_SERVICE}"
+
 echo "activating service flanneld"
 systemctl enable flanneld
 systemctl start flanneld
diff --git a/magnum/drivers/common/templates/swarm/fragments/network-service.sh b/magnum/drivers/common/templates/swarm/fragments/network-service.sh
index bb779b684b..083071359e 100644
--- a/magnum/drivers/common/templates/swarm/fragments/network-service.sh
+++ b/magnum/drivers/common/templates/swarm/fragments/network-service.sh
@@ -31,9 +31,11 @@ if [ "$NETWORK_DRIVER" != "flannel" ]; then
     exit 0
 fi
 
+SYSTEMD_UNITS_DIR=/etc/systemd/system/
 FLANNELD_CONFIG=/etc/sysconfig/flanneld
 FLANNEL_DOCKER_BRIDGE_BIN=/usr/local/bin/flannel-docker-bridge
 FLANNEL_DOCKER_BRIDGE_SERVICE=/etc/systemd/system/flannel-docker-bridge.service
+FLANNEL_IPTABLES_FORWARD_ACCEPT_SERVICE=flannel-iptables-forward-accept.service
 DOCKER_FLANNEL_CONF=/etc/systemd/system/docker.service.d/flannel.conf
 FLANNEL_DOCKER_BRIDGE_CONF=/etc/systemd/system/flanneld.service.d/flannel-docker-bridge.conf
 
@@ -112,6 +114,27 @@ EOF
 chown root:root $FLANNEL_DOCKER_BRIDGE_CONF
 chmod 0644 $FLANNEL_DOCKER_BRIDGE_CONF
 
+# Workaround for https://github.com/coreos/flannel/issues/799
+# Not solved upstream properly yet.
+cat >> "${SYSTEMD_UNITS_DIR}${FLANNEL_IPTABLES_FORWARD_ACCEPT_SERVICE}" <<EOF
+[Unit]
+After=flanneld.service docker.service kubelet.service kube-proxy.service
+Requires=flanneld.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/iptables -P FORWARD ACCEPT
+ExecStartPost=/usr/sbin/iptables -S
+
+[Install]
+WantedBy=flanneld.service
+EOF
+
+chown root:root "${SYSTEMD_UNITS_DIR}${FLANNEL_IPTABLES_FORWARD_ACCEPT_SERVICE}"
+chmod 0644 "${SYSTEMD_UNITS_DIR}${FLANNEL_IPTABLES_FORWARD_ACCEPT_SERVICE}"
+systemctl daemon-reload
+systemctl enable "${FLANNEL_IPTABLES_FORWARD_ACCEPT_SERVICE}"
+
 echo "activating service flanneld"
 systemctl enable flanneld
 systemctl --no-block start flanneld