sw-patch: remove explicit bind on outgoing socket.

This commit fixes an issue seen during a k8s upgrade from 1.18.1
to 1.19.13.  It was noticed that after upgrading kubelet to 1.19.13,
the sw-patch-controller process would continually restart.

It was found via packet tracing and logging that traffic from the
management interface to the localhost address at port 5489 was being
blocked.  This indicated a likely issue in iptables.

Comparing the iptables rules in 1.18.1 to 1.19.13 shows the reason
why:

Chain KUBE-FIREWALL (2 references)
target prot opt source      destination
DROP   all  --  !loopback/8 loopback/8  \
                                ! ctstate RELATED,ESTABLISHED,DNAT

That is, drop all packets _not_ from the loopback interface _to_
the loopback interface that do not have an existing connection
state.

It was found that this rule was added in the following commit:

https://github.com/kubernetes/kubernetes/pull/91569/files

Which was added to address the security concern identified here:

https://github.com/kubernetes/kubernetes/issues/90259

It appears that the PatchMessageHelloAgent periodically sends
messages to both the patch controller's agent address as well
as to the localhost address.  Since the outgoing socket used
for all messages is explicitly bound to the management
address, the traffic to the localhost address will hit the
drop rule noted above.

The solution in this commit is to not explicitly bind the
outgoing socket to the management address, so as to have the
kernel choose the correct outgoing interface for both
messages.

Story: 2008972
Task: 43244

Testing:

AIO-SX (unicast traffic), AIO-DX, Standard (multicast traffic).
	Ensure sw-patch-controller stays up after k8s upgrade.
	Install a patch on all nodes.

Signed-off-by: Steven Webster <steven.webster@windriver.com>
Change-Id: I93912b934986dc28196c9ba50f2803bf0fe01513
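As an added illustration, not part of this commit or of the sw-patch code, the Python below shows how an explicit bind on the outgoing UDP socket pins the source address the kernel uses for a datagram to localhost, and models the KUBE-FIREWALL rule quoted above for a new flow; the management address 192.0.2.10 is a constructed placeholder, and the kernel probe only binds to loopback so it runs on any host.

```python
import ipaddress
import socket

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def kernel_source_for(dest_ip, local_ip=None, port=5489):
    """Return the source address the kernel selects for a UDP datagram
    to dest_ip:port from a socket that is optionally bound to local_ip.
    connect() on a UDP socket sends nothing; it only performs the route
    lookup that fixes the source address, which getsockname() reveals."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if local_ip is not None:
            s.bind((local_ip, 0))  # the pattern the commit removes
        s.connect((dest_ip, port))
        return s.getsockname()[0]


def kube_firewall_drops(src_ip, dest_ip, established=False):
    """Model of the quoted KUBE-FIREWALL rule: DROP when the destination
    is in loopback/8, the source is not, and the packet does not belong
    to an existing (RELATED/ESTABLISHED/DNAT) connection."""
    src_loop = ipaddress.ip_address(src_ip) in LOOPBACK_NET
    dst_loop = ipaddress.ip_address(dest_ip) in LOOPBACK_NET
    return dst_loop and not src_loop and not established


if __name__ == "__main__":
    mgmt_ip = "192.0.2.10"  # constructed stand-in for the management IP
    localhost = "127.0.0.1"

    # Unbound socket (after the fix): kernel picks a loopback source for
    # a loopback destination, so the rule does not match.
    src = kernel_source_for(localhost)
    print("unbound -> source", src, "dropped:", kube_firewall_drops(src, localhost))

    # Bound to the management address (before the fix): the source stays
    # mgmt_ip even for a loopback destination, which the rule drops.
    print("bound to mgmt -> dropped:", kube_firewall_drops(mgmt_ip, localhost))

    # Same bound socket to the agent address is unaffected by the rule.
    print("bound to mgmt, agent dest -> dropped:",
          kube_firewall_drops(mgmt_ip, "192.0.2.11"))
```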
Steven Webster 2021-09-07 10:21:44 -04:00
parent 688faee942
commit 6adc828b84
1 changed files with 1 additions and 2 deletions


@ -1,5 +1,5 @@
"""
Copyright (c) 2017-2019 Wind River Systems, Inc.
Copyright (c) 2017-2021 Wind River Systems, Inc.
SPDX-License-Identifier: Apache-2.0
@ -61,7 +61,6 @@ class PatchService(object):
self.sock_out.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
self.sock_in.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
self.sock_out.bind((mgmt_ip, 0))
self.sock_in.bind(('', self.port))
if self.mcast_addr:
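Review bot: with `self.sock_out.bind((mgmt_ip, 0))` removed, the multicast branch that begins at `if self.mcast_addr:` must set the outgoing interface itself (IP_MULTICAST_IF) if it does not already, since once the source address is no longer pinned the kernel sends multicast out the default-route interface rather than the management interface; the Testing section reports the Standard (multicast) configuration working, so this is a request to confirm, not a reported failure. Two smaller points: check whether `mgmt_ip` is still referenced in this scope after the removal, and note that `setsockopt(SO_REUSEADDR)` on `sock_out` at the top of the hunk has no effect on a socket that is never explicitly bound and could go as well.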