diff --git a/app/cni/pkg/cni/injector_linux.go b/app/cni/pkg/cni/injector_linux.go index aac4c9767c4b..2a30f62d6218 100644 --- a/app/cni/pkg/cni/injector_linux.go +++ b/app/cni/pkg/cni/injector_linux.go @@ -3,6 +3,7 @@ package cni import ( "bufio" "bytes" + "context" "strconv" "strings" @@ -52,7 +53,7 @@ func Inject(netns string, logger logr.Logger, intermediateConfig *IntermediateCo defer namespace.Close() return namespace.Do(func(_ ns.NetNS) error { - if _, err := transparentproxy.Setup(*cfg); err != nil { + if _, err := transparentproxy.Setup(context.Background(), *cfg); err != nil { return err } diff --git a/app/kumactl/cmd/completion/testdata/bash.golden b/app/kumactl/cmd/completion/testdata/bash.golden index f58567703942..8809d1a65615 100644 --- a/app/kumactl/cmd/completion/testdata/bash.golden +++ b/app/kumactl/cmd/completion/testdata/bash.golden @@ -5454,10 +5454,6 @@ _kumactl_install_transparent-proxy() two_word_flags+=("--redirect-dns-port") local_nonpersistent_flags+=("--redirect-dns-port") local_nonpersistent_flags+=("--redirect-dns-port=") - flags+=("--redirect-dns-upstream-target-chain=") - two_word_flags+=("--redirect-dns-upstream-target-chain") - local_nonpersistent_flags+=("--redirect-dns-upstream-target-chain") - local_nonpersistent_flags+=("--redirect-dns-upstream-target-chain=") flags+=("--redirect-inbound") local_nonpersistent_flags+=("--redirect-inbound") flags+=("--redirect-inbound-port=") diff --git a/app/kumactl/cmd/install/install_transparent_proxy.go b/app/kumactl/cmd/install/install_transparent_proxy.go index 52f723ba3ddb..c83fa2c786c2 100644 --- a/app/kumactl/cmd/install/install_transparent_proxy.go +++ b/app/kumactl/cmd/install/install_transparent_proxy.go 
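Review bot: Passing `context.Background()` from Inject means a hung iptables-restore (the removed comment in builder.go mentions the global xtables lock as a known problem) blocks the CNI ADD indefinitely, because nothing ever cancels the subprocesses that are now started through exec.CommandContext. If Inject cannot take a ctx from its caller, a bounded one such as `ctx, cancel := context.WithTimeout(context.Background(), setupTimeout); defer cancel()` with a plugin-level timeout constant would give the plugin a way out. Inject's body continues outside the hunk.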
@@ -67,7 +67,7 @@ func newInstallTransparentProxy() *cobra.Command { RedirectDNS: false, RedirectAllDNSTraffic: false, AgentDNSListenerPort: "15053", - DNSUpstreamTargetChain: "RETURN", + DNSUpstreamTargetChain: "", StoreFirewalld: false, SkipDNSConntrackZoneSplit: false, EbpfEnabled: false, @@ -221,6 +221,8 @@ runuser -u kuma-dp -- \ cmd.Flags().IntVar(&args.MaxRetries, "max-retries", args.MaxRetries, "flag can be used to specify the maximum number of times to retry an installation before giving up") cmd.Flags().DurationVar(&args.SleepBetweenRetries, "sleep-between-retries", args.SleepBetweenRetries, "flag can be used to specify the amount of time to sleep between retries") + _ = cmd.Flags().MarkDeprecated("redirect-dns-upstream-target-chain", "This flag has no effect anymore. Will be removed in 2.9.x version") + return cmd } @@ -267,7 +269,7 @@ func configureTransparentProxy(cmd *cobra.Command, args *transparentProxyArgs) e RedirectDNS: args.RedirectDNS, RedirectAllDNSTraffic: args.RedirectAllDNSTraffic, AgentDNSListenerPort: args.AgentDNSListenerPort, - DNSUpstreamTargetChain: args.DNSUpstreamTargetChain, + DNSUpstreamTargetChain: "RETURN", SkipDNSConntrackZoneSplit: args.SkipDNSConntrackZoneSplit, EbpfEnabled: args.EbpfEnabled, EbpfInstanceIP: args.EbpfInstanceIP, @@ -285,7 +287,7 @@ func configureTransparentProxy(cmd *cobra.Command, args *transparentProxyArgs) e } tp = transparentproxy.V2() - output, err := tp.Setup(cfg) + output, err := tp.Setup(cmd.Context(), cfg) if err != nil { return errors.Wrap(err, "failed to setup transparent proxy") } diff --git a/app/kumactl/cmd/install/install_transparent_proxy_test.go b/app/kumactl/cmd/install/install_transparent_proxy_test.go index 6576e5e5d52f..a9408b31b0d0 100644 --- a/app/kumactl/cmd/install/install_transparent_proxy_test.go +++ b/app/kumactl/cmd/install/install_transparent_proxy_test.go 
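Review bot: `_ = cmd.Flags().MarkDeprecated(...)` discards the error MarkDeprecated returns when the named flag is not registered, so a typo in `redirect-dns-upstream-target-chain` would leave the flag silently undeprecated; the usual pattern is to fail loudly at command construction, e.g. `if err := cmd.Flags().MarkDeprecated("redirect-dns-upstream-target-chain", "..."); err != nil { panic(err) }`. The hard-coded `DNSUpstreamTargetChain: "RETURN"` in configureTransparentProxy also warrants a one-line why-comment, since a reader will wonder why args.DNSUpstreamTargetChain is ignored, something like `// deprecated flag is ignored; the builder swaps this for DOCKER_OUTPUT when it detects that chain` — assuming the field maps onto cfg.Redirect.DNS.UpstreamTargetChain as the builder change suggests, which should be confirmed.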
@@ -79,7 +79,6 @@ var _ = Describe("kumactl install transparent proxy", func() { "--kuma-dp-uid", "0", "--redirect-all-dns-traffic", "--redirect-dns-port", "12345", - "--redirect-dns-upstream-target-chain", "DOCKER_OUTPUT", }, skip: func(stdout, stderr *bytes.Buffer) bool { return strings.HasPrefix( @@ -95,7 +94,6 @@ var _ = Describe("kumactl install transparent proxy", func() { "--kuma-dp-uid", "0", "--redirect-all-dns-traffic", "--redirect-dns-port", "12345", - "--redirect-dns-upstream-target-chain", "DOCKER_OUTPUT", }, skip: func(stdout, stderr *bytes.Buffer) bool { return !strings.HasPrefix( @@ -110,7 +108,6 @@ var _ = Describe("kumactl install transparent proxy", func() { "--kuma-dp-uid", "0", "--redirect-all-dns-traffic", "--redirect-dns-port", "12345", - "--redirect-dns-upstream-target-chain", "DOCKER_OUTPUT", "--skip-dns-conntrack-zone-split", }, goldenFile: "install-transparent-proxy.dns.no-conntrack.golden.txt", diff --git a/app/kumactl/cmd/install/testdata/install-transparent-proxy.dns.no-conntrack.golden.txt b/app/kumactl/cmd/install/testdata/install-transparent-proxy.dns.no-conntrack.golden.txt index 6f9505649c1c..3707c278c1e5 100644 --- a/app/kumactl/cmd/install/testdata/install-transparent-proxy.dns.no-conntrack.golden.txt +++ b/app/kumactl/cmd/install/testdata/install-transparent-proxy.dns.no-conntrack.golden.txt @@ -4,7 +4,7 @@ -N KUMA_MESH_INBOUND_REDIRECT -N KUMA_MESH_OUTBOUND_REDIRECT -A PREROUTING -p tcp -j KUMA_MESH_INBOUND --I OUTPUT 1 -p udp --dport 53 -m owner --uid-owner 0 -j DOCKER_OUTPUT +-I OUTPUT 1 -p udp --dport 53 -m owner --uid-owner 0 -j RETURN -I OUTPUT 2 -p udp --dport 53 -j REDIRECT --to-ports 12345 -A OUTPUT -p tcp -j KUMA_MESH_OUTBOUND -A KUMA_MESH_INBOUND -p tcp -j KUMA_MESH_INBOUND_REDIRECT diff --git a/pkg/transparentproxy/iptables/builder/builder.go b/pkg/transparentproxy/iptables/builder/builder.go index 4a76cbdea833..fd41b0923151 100644 --- a/pkg/transparentproxy/iptables/builder/builder.go 
+++ b/pkg/transparentproxy/iptables/builder/builder.go @@ -2,12 +2,11 @@ package builder import ( "bufio" + "context" "fmt" "io" "net" "os" - "os/exec" - "regexp" "strings" "time" @@ -19,10 +18,8 @@ import ( ) const ( - iptables = "iptables" - ip6tables = "ip6tables" - iptablesRestore = "iptables-restore" - ip6tablesRestore = "ip6tables-restore" + iptables = "iptables" + ip6tables = "ip6tables" ) type IPTables struct { @@ -121,18 +118,21 @@ func createRulesFile(ipv6 bool) (*os.File, error) { return f, nil } -func runRestoreCmd(cmdName string, params []string) (string, error) { - // #nosec G204 - cmd := exec.Command(cmdName, params...) - output, err := cmd.CombinedOutput() +func restoreIPTables( + ctx context.Context, + cfg config.Config, + dnsServers []string, + ipv6 bool, +) (string, error) { + executables, legacy, err := detectIptablesExecutables(ctx, cfg, ipv6) if err != nil { - return "", fmt.Errorf("executing command failed: %s (with output: %q)", err, output) + return "", fmt.Errorf("unable to detect iptables restore binaries: %s", err) } - return string(output), nil -} + if executables.foundDockerOutputChain { + cfg.Redirect.DNS.UpstreamTargetChain = "DOCKER_OUTPUT" + } -func restoreIPTables(cfg config.Config, dnsServers []string, ipv6 bool) (string, error) { rulesFile, err := createRulesFile(ipv6) if err != nil { return "", err 
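Review bot: The new `unable to detect iptables restore binaries: %s` error in restoreIPTables flattens the detection failure into a string; `%w` keeps the cause unwrappable for errors.Is/As, and since detectIptablesExecutables verifies both the save and restore binaries plus table access, a more accurate line is `return "", fmt.Errorf("detecting iptables executables: %w", err)`. The `cfg.Redirect.DNS.UpstreamTargetChain = "DOCKER_OUTPUT"` override deserves a why-comment because it replaces whatever the caller set without telling them, e.g. `// a DOCKER_OUTPUT chain exists in the nat table, so DNS traffic is sent through it before our redirect` — that rationale is my reading of the detection code and should be confirmed. cfg is a value parameter here, so the override stays local to this call.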
@@ -154,28 +154,40 @@ func restoreIPTables(cfg config.Config, dnsServers []string, ipv6 bool) (string, return "", fmt.Errorf("unable to save iptables restore file: %s", err) } - return restoreIPTablesWithRetry(cfg, rulesFile, ipv6) + return restoreIPTablesWithRetry(ctx, cfg, rulesFile, executables, legacy) } -func restoreIPTablesWithRetry(cfg config.Config, rulesFile *os.File, ipv6 bool) (string, error) { - restoreLegacy, err := checkForIptablesRestoreLegacy(ipv6) - if err != nil { - return "", errors.Wrap(err, "cannot check if version of iptables-restore is legacy") - } - - cmdName, params := buildRestore(cfg, rulesFile, restoreLegacy, ipv6) +func restoreIPTablesWithRetry( + ctx context.Context, + cfg config.Config, + rulesFile *os.File, + e *executables, + legacy bool, +) (string, error) { + params := buildRestoreParameters(cfg, rulesFile, legacy) +<<<<<<< HEAD for i := 0; i <= cfg.Retry.MaxRetries; i++ { output, err := runRestoreCmd(cmdName, params) +======= + maxRetries := pointer.Deref(cfg.Retry.MaxRetries) + for i := 0; i <= maxRetries; i++ { + output, err := e.restore.exec(ctx, params...) +>>>>>>> 8f00873c8 (feat(transparent-proxy): add automatic iptables type detection (#9750)) if err == nil { - return output, nil + return output.String(), nil } _, _ = cfg.RuntimeStderr.Write([]byte(fmt.Sprintf( "# [%d/%d] %s returned error: '%s'", i+1, +<<<<<<< HEAD cfg.Retry.MaxRetries+1, strings.Join(append([]string{cmdName}, params...), " "), +======= + maxRetries+1, + strings.Join(append([]string{e.restore.path}, params...), " "), +>>>>>>> 8f00873c8 (feat(transparent-proxy): add automatic iptables type detection (#9750)) err.Error(), ))) 
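Review bot: The hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 8f00873c8 …`) into restoreIPTablesWithRetry, so builder.go will not compile as submitted. Only the lower side can be kept, because the HEAD side still references `cmdName`, which the new signature no longer provides: the loop should read `maxRetries := pointer.Deref(cfg.Retry.MaxRetries)`, `for i := 0; i <= maxRetries; i++ {` and `output, err := e.restore.exec(ctx, params...)`, with `maxRetries+1` and `e.restore.path` in the stderr message. Whether `cfg.Retry.MaxRetries` is a pointer (needing `pointer.Deref` and an import the import hunk above does not show) or a plain int is not visible here and must be checked against config.Config. The function's trailing lines continue in the next hunk.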
@@ -193,35 +205,10 @@ func restoreIPTablesWithRetry(cfg config.Config, rulesFile *os.File, ipv6 bool) _, _ = cfg.RuntimeStderr.Write([]byte("\n")) - return "", errors.Errorf("%s failed", cmdName) -} - -// checkForIptablesRestoreLegacy checks if the version of ip{6}tables-restore is -// legacy (non-nftables). The --wait and --wait-interval flags are only valid -// with legacy ip{6}tables-restore. These flags are invalid with nftables -// because nftables back end transactions are atomic and there is no need for -// the global xtables lock, which has proven problematic in environments with -// large and/or rapidly changing rulesets. -func checkForIptablesRestoreLegacy(ipv6 bool) (bool, error) { - cmdName := iptablesRestore - if ipv6 { - cmdName = ip6tablesRestore - } - - output, err := exec.Command(cmdName, "--version").Output() - if err != nil { - return false, err - } - - r := regexp.MustCompile(`ip6?tables-restore v.*? \((.*?)\)`) - match := r.FindStringSubmatch(string(output)) - - return len(match) == 2 && match[1] == "legacy", nil + return "", errors.Errorf("%s failed", e.restore.path) } -// RestoreIPTables -// TODO (bartsmykla): add validation if ip{,6}tables are available -func RestoreIPTables(cfg config.Config) (string, error) { +func RestoreIPTables(ctx context.Context, cfg config.Config) (string, error) { cfg = config.MergeConfigWithDefaults(cfg) _, _ = cfg.RuntimeStdout.Write([]byte("# kumactl is about to apply the " + @@ -238,13 +225,13 @@ func RestoreIPTables(cfg config.Config) (string, error) { } } - output, err := restoreIPTables(cfg, dnsIpv4, false) + output, err := restoreIPTables(ctx, cfg, dnsIpv4, false) if err != nil { return "", fmt.Errorf("cannot restore ipv4 iptable rules: %s", err) } if cfg.IPv6 { - ipv6Output, err := restoreIPTables(cfg, dnsIpv6, true) + ipv6Output, err := restoreIPTables(ctx, cfg, dnsIpv6, true) if err != nil { return "", fmt.Errorf("cannot restore ipv6 iptable rules: %s", err) } 
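Review bot: RestoreIPTables is exported but loses its doc comment in this hunk (the old `// RestoreIPTables` / TODO header is removed and nothing replaces it), and the explanation of why `--wait`/`--wait-interval` only apply to legacy ip{6}tables-restore disappears together with checkForIptablesRestoreLegacy. Suggest `// RestoreIPTables merges cfg with the defaults and applies the generated rules through ip{,6}tables-restore, returning the combined command output; ctx bounds the commands it runs.` and carrying the old wait/nftables rationale over to where the legacy flag is now consumed (buildRestoreParameters in builder_restore.go). The two `cannot restore ip{v4,v6} iptable rules: %s` returns in the second hunk still use `%s`; `%w` would let callers unwrap the exec failure.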
diff --git a/pkg/transparentproxy/iptables/builder/builder_restore.go b/pkg/transparentproxy/iptables/builder/builder_restore.go index ecd3ff8b9ddc..b188f1724690 100644 --- a/pkg/transparentproxy/iptables/builder/builder_restore.go +++ b/pkg/transparentproxy/iptables/builder/builder_restore.go 
@@ -1,26 +1,165 @@ package builder import ( + "bytes" + "context" + "fmt" "os" + "os/exec" + "path/filepath" + "regexp" + "strings" + + "github.com/pkg/errors" "github.com/kumahq/kuma/pkg/transparentproxy/config" . "github.com/kumahq/kuma/pkg/transparentproxy/iptables/parameters" ) -func buildRestore( - cfg config.Config, - rulesFile *os.File, - restoreLegacy bool, - ipv6 bool, -) (string, []string) { - cmdName := iptablesRestore +var dockerOutputChainRegex = regexp.MustCompile(`(?m)^:DOCKER_OUTPUT`) + +var fallbackPaths = []string{ + "/usr/sbin", + "/sbin", + "/usr/bin", + "/bin", +} + +func buildRestoreParameters(cfg config.Config, rulesFile *os.File, restoreLegacy bool) []string { + return NewParameters(). + AppendIf(restoreLegacy, Wait(cfg.Wait), WaitInterval(cfg.WaitInterval)). + Append(NoFlush()). + Build(cfg.Verbose, rulesFile.Name()) +} + +func findExecutable(name string) executable { + paths := append( + []string{name}, + fallbackPaths..., + ) + + for _, path := range paths { + foundPath, err := exec.LookPath(path) + if err == nil { + return newExecutable(name, foundPath) + } + + if errors.Is(err, exec.ErrDot) { + if pwd, err := os.Getwd(); err == nil { + return newExecutable(name, filepath.Join(pwd, foundPath)) + } + + return newExecutable(name, foundPath) + } + } + + return executable{name: name} +} + +type executable struct { + name string + path string +} + +func newExecutable(name string, path string) executable { + return executable{ + name: name, + path: path, + } +} + +func (e executable) exec(ctx context.Context, args ...string) (*bytes.Buffer, error) { + var stdout bytes.Buffer + var stderr bytes.Buffer + // #nosec G204 + cmd := exec.CommandContext(ctx, e.path, args...) 
+ cmd.Stdout = &stdout + cmd.Stderr = &stderr + + if err := cmd.Run(); err != nil { + if stderr.Len() > 0 { + return nil, errors.Wrap(err, stderr.String()) + } + + return nil, err + } + + return &stdout, nil +} + +type executables struct { + save executable + restore executable + foundDockerOutputChain bool +} + +func newExecutables(ipv6 bool, mode string) *executables { + prefix := iptables if ipv6 { - cmdName = ip6tablesRestore + prefix = ip6tables } - parameters := NewParameters(). - AppendIf(restoreLegacy, Wait(cfg.Wait), WaitInterval(cfg.WaitInterval)). - Append(NoFlush()) + save := fmt.Sprintf("%s-%s-%s", prefix, mode, "save") + restore := fmt.Sprintf("%s-%s-%s", prefix, mode, "restore") + + return &executables{ + save: findExecutable(save), + restore: findExecutable(restore), + } +} + +func (e *executables) verify(ctx context.Context, cfg config.Config) error { + var missing []string + + if e.save.path == "" { + missing = append(missing, e.save.name) + } + + if e.restore.path == "" { + missing = append(missing, e.restore.name) + } + + if len(missing) > 0 { + return errors.Errorf("couldn't find executables: [%s]", strings.Join(missing, ",")) + } + + // We always need to have access to the "nat" table + if stdout, err := e.save.exec(ctx, "-t", "nat"); err != nil { + return errors.Wrap(err, "couldn't verify if table: 'nat' is available") + } else if cfg.ShouldRedirectDNS() || cfg.ShouldCaptureAllDNS() { + e.foundDockerOutputChain = dockerOutputChainRegex.Match(stdout.Bytes()) + } + + if cfg.ShouldConntrackZoneSplit() { + if _, err := e.save.exec(ctx, "-t", "raw"); err != nil { + return errors.Wrap(err, "couldn't verify if table: 'raw' is available") + } + } + + return nil +} + +func detectIptablesExecutables(ctx context.Context, cfg config.Config, ipv6 bool) (*executables, bool, error) { + nft := newExecutables(ipv6, "nft") + legacy := newExecutables(ipv6, "legacy") + + if err := nft.verify(ctx, cfg); err != nil { + return legacy, true, legacy.verify(ctx, cfg) 
+ } + + // Found DOCKER_OUTPUT chain in iptables-nft + if nft.foundDockerOutputChain { + return nft, false, nil + } + + if err := legacy.verify(ctx, cfg); err != nil { + return nft, false, nil + } + + // Found DOCKER_OUTPUT chain in iptables-legacy + if legacy.foundDockerOutputChain { + return legacy, true, nil + } - return cmdName, parameters.Build(cfg.Verbose, rulesFile.Name()) + return nft, false, nil } diff --git a/pkg/transparentproxy/iptables/setup.go b/pkg/transparentproxy/iptables/setup.go index e74bd5eedb99..d45e521cca89 100644 --- a/pkg/transparentproxy/iptables/setup.go +++ b/pkg/transparentproxy/iptables/setup.go @@ -1,13 +1,14 @@ package iptables import ( + "context" "errors" "github.com/kumahq/kuma/pkg/transparentproxy/config" "github.com/kumahq/kuma/pkg/transparentproxy/iptables/builder" ) -func Setup(cfg config.Config) (string, error) { +func Setup(ctx context.Context, cfg config.Config) (string, error) { if cfg.DryRun { // TODO (bartsmykla): we should generate IPv4 and IPv6 when cfg.IPv6 is // set, but currently in DryRun mode we would just display IPv6 @@ -24,7 +25,7 @@ func Setup(cfg config.Config) (string, error) { return output, nil } - return builder.RestoreIPTables(cfg) + return builder.RestoreIPTables(ctx, cfg) } func Cleanup(cfg config.Config) (string, error) { diff --git a/pkg/transparentproxy/setup.go b/pkg/transparentproxy/setup.go index 4025501d5006..0bb117147479 100644 --- a/pkg/transparentproxy/setup.go +++ b/pkg/transparentproxy/setup.go 
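Review bot: findExecutable never finds anything through fallbackPaths, because it hands the bare directory (`/usr/sbin`, `/sbin`, …) to exec.LookPath instead of `filepath.Join(dir, name)`; LookPath on a path containing a slash stats that path itself, and a directory is not an executable, so every fallback iteration fails. The ErrDot branch deserves a second look as well: it deliberately accepts a match that resolved relative to the working directory, which for a tool run as root to rewrite the host's iptables is a wider trust than the PATH lookup intends — unless that is required, treating ErrDot as not found and relying on the absolute fallback directories is the safer default. Separately, detectIptablesExecutables drops the nft verify error when it falls back to legacy, so when both backends are unusable the caller only sees the legacy reason; combining them, e.g. `return nil, false, errors.Errorf("nft: %v; legacy: %v", err, lerr)`, would keep the diagnosis.
```go
func findExecutable(name string) executable {
	// Try PATH first, then the well-known system directories.
	candidates := []string{name}
	for _, dir := range fallbackPaths {
		candidates = append(candidates, filepath.Join(dir, name))
	}

	for _, candidate := range candidates {
		foundPath, err := exec.LookPath(candidate)
		if err == nil {
			return newExecutable(name, foundPath)
		}
		// exec.ErrDot means the match is relative to the working directory;
		// a privileged tool should not run whatever happens to sit there,
		// so keep going and prefer the absolute fallback directories.
	}

	return executable{name: name}
}
```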
@@ -1,17 +1,19 @@ package transparentproxy import ( + "context" + "github.com/kumahq/kuma/pkg/transparentproxy/config" "github.com/kumahq/kuma/pkg/transparentproxy/ebpf" "github.com/kumahq/kuma/pkg/transparentproxy/iptables" ) -func Setup(cfg config.Config) (string, error) { +func Setup(ctx context.Context, cfg config.Config) (string, error) { if cfg.Ebpf.Enabled { return ebpf.Setup(cfg) } - return iptables.Setup(cfg) + return iptables.Setup(ctx, cfg) } func Cleanup(cfg config.Config) (string, error) { diff --git a/pkg/transparentproxy/transparentproxy.go b/pkg/transparentproxy/transparentproxy.go index 5ba42b388ef5..08e3f3f9d4d2 100644 --- a/pkg/transparentproxy/transparentproxy.go +++ b/pkg/transparentproxy/transparentproxy.go @@ -1,6 +1,8 @@ package transparentproxy import ( + "context" + "github.com/kumahq/kuma/pkg/transparentproxy/config" ) @@ -15,7 +17,7 @@ type IptablesTranslator interface { type TransparentProxy interface { // Setup returns the stdout and stderr as string and an error if such // has occurred - Setup(cfg *config.TransparentProxyConfig) (string, error) + Setup(ctx context.Context, cfg *config.TransparentProxyConfig) (string, error) // Cleanup returns the stdout and stderr as string and an error if such // has occurred diff --git a/pkg/transparentproxy/transparentproxy_v2.go b/pkg/transparentproxy/transparentproxy_v2.go index a1d71f162eac..89746f58ae25 100644 --- a/pkg/transparentproxy/transparentproxy_v2.go +++ b/pkg/transparentproxy/transparentproxy_v2.go @@ -1,6 +1,7 @@ package transparentproxy import ( + "context" "fmt" "net" "os/exec" 
@@ -88,7 +89,10 @@ func splitPorts(ports string) ([]uint16, error) { return result, nil } -func (tp *TransparentProxyV2) Setup(tpConfig *config.TransparentProxyConfig) (string, error) { +func (tp *TransparentProxyV2) Setup( + ctx context.Context, + tpConfig *config.TransparentProxyConfig, +) (string, error) { redirectInboundPort, err := parseUint16(tpConfig.RedirectPortInBound) if err != nil { return "", errors.Wrap(err, "parsing inbound redirect port failed") @@ -191,7 +195,7 @@ func (tp *TransparentProxyV2) Setup(tpConfig *config.TransparentProxyConfig) (st }, } - return Setup(cfg) + return Setup(ctx, cfg) } func ParseExcludePortsForUIDs(excludeOutboundPortsForUIDs []string) ([]config.UIDsToPorts, error) { diff --git a/test/blackbox_network_tests/dns_test.go b/test/blackbox_network_tests/dns_test.go index a589f9d5caa5..26399729210d 100644 --- a/test/blackbox_network_tests/dns_test.go +++ b/test/blackbox_network_tests/dns_test.go @@ -1,6 +1,7 @@ package blackbox_network_tests_test import ( + "context" "fmt" "io" "net" @@ -65,7 +66,7 @@ var _ = Describe("Outbound IPv4 DNS/UDP traffic to port 53", func() { // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // and @@ -147,7 +148,7 @@ var _ = Describe("Outbound IPv4 DNS/UDP traffic to port 53", func() { // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // and 
@@ -238,7 +239,7 @@ var _ = Describe("Outbound IPv6 DNS/UDP traffic to port 53", func() { // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // and @@ -323,7 +324,7 @@ var _ = Describe("Outbound IPv4 DNS/TCP traffic to port 53", func() { // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // and @@ -405,7 +406,7 @@ var _ = Describe("Outbound IPv6 DNS/UDP traffic to port 53", func() { // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // and @@ -484,7 +485,7 @@ var _ = Describe("Outbound IPv6 DNS/TCP traffic to port 53", func() { // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // and @@ -588,7 +589,7 @@ var _ = Describe("Outbound IPv4 DNS/UDP conntrack zone splitting", func() { // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) results := udp.NewResultMap() 
@@ -704,7 +705,7 @@ var _ = Describe("Outbound IPv6 DNS/UDP conntrack zone splitting", func() { // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) results := udp.NewResultMap() @@ -791,7 +792,7 @@ var _ = Describe("Outbound IPv4 DNS/UDP traffic to port 53 only for addresses in // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // and @@ -867,7 +868,7 @@ var _ = Describe("Outbound IPv6 DNS/UDP traffic to port 53 only for addresses in // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // and @@ -966,7 +967,7 @@ var _ = Describe("Outbound IPv4 DNS/UDP conntrack zone splitting with specific I // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) results := udp.NewResultMap() @@ -1081,7 +1082,7 @@ var _ = Describe("Outbound IPv4 DNS/UDP traffic to port 53 from specific input i // when Eventually(ns2.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // and 
@@ -1170,7 +1171,7 @@ var _ = Describe("Outbound IPv6 DNS/UDP traffic to port 53 from specific input i // when Eventually(ns2.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // and diff --git a/test/blackbox_network_tests/inbound_redirect_test.go b/test/blackbox_network_tests/inbound_redirect_test.go index d9422a79d243..eecb27dfad47 100644 --- a/test/blackbox_network_tests/inbound_redirect_test.go +++ b/test/blackbox_network_tests/inbound_redirect_test.go @@ -1,6 +1,7 @@ package blackbox_network_tests_test import ( + "context" "fmt" "io" @@ -61,7 +62,7 @@ var _ = Describe("Inbound IPv4 TCP traffic from any ports", func() { // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // then @@ -140,7 +141,7 @@ var _ = Describe("Inbound IPv6 TCP traffic from any ports", func() { // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // then @@ -224,7 +225,7 @@ var _ = Describe("Inbound IPv4 TCP traffic from any ports except excluded ones", // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // then 
@@ -314,7 +315,7 @@ var _ = Describe("Inbound IPv6 TCP traffic from any ports except excluded ones", // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // then @@ -404,7 +405,7 @@ var _ = Describe("Inbound IPv4 TCP traffic only from included ports", func() { // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // then @@ -496,7 +497,7 @@ var _ = Describe("Inbound IPv6 TCP traffic only from included ports", func() { // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // then @@ -577,7 +578,7 @@ var _ = Describe("Inbound IPv4 TCP traffic from any ports", func() { // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // then @@ -653,7 +654,7 @@ var _ = Describe("Inbound IPv6 TCP traffic from any ports", func() { // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // then diff --git a/test/blackbox_network_tests/outbound_redirect_test.go b/test/blackbox_network_tests/outbound_redirect_test.go index db7ab1ae1b6e..fbdb6bdf6b8f 100644 --- a/test/blackbox_network_tests/outbound_redirect_test.go +++ b/test/blackbox_network_tests/outbound_redirect_test.go 
@@ -1,6 +1,7 @@ package blackbox_network_tests_test import ( + "context" "fmt" "io" "net" @@ -62,7 +63,7 @@ var _ = Describe("Outbound IPv4 TCP traffic to any address:port", func() { // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // then @@ -141,7 +142,7 @@ var _ = Describe("Outbound IPv6 TCP traffic to any address:port", func() { // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // then @@ -244,7 +245,7 @@ var _ = Describe("Outbound IPv4 TCP traffic to any address:port except excluded // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // then @@ -357,7 +358,7 @@ var _ = Describe("Outbound IPv4 TCP traffic to any address:port except ports exc // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // then @@ -467,7 +468,7 @@ var _ = Describe("Outbound IPv6 TCP traffic to any address:port except excluded // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // then 
@@ -564,7 +565,7 @@ var _ = Describe("Outbound IPv4 TCP traffic only to included port", func() { // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // then @@ -661,7 +662,7 @@ var _ = Describe("Outbound IPv6 TCP traffic only to included port", func() { // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // then @@ -747,7 +748,7 @@ var _ = Describe("Outbound IPv4 TCP traffic to any address:port", func() { // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // then @@ -824,7 +825,7 @@ var _ = Describe("Outbound IPv6 TCP traffic to any address:port", func() { // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // then @@ -928,7 +929,7 @@ var _ = Describe("Outbound IPv6 TCP traffic to any address:port except ports exc // when Eventually(ns.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // then @@ -1027,7 +1028,7 @@ var _ = Describe("Outbound IPv4 TCP traffic from specific interface to other ip // when Eventually(ns2.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // then 
@@ -1118,7 +1119,7 @@ var _ = Describe("Outbound IPv6 TCP traffic from specific interface to other ip // when Eventually(ns2.UnsafeExec(func() { - Expect(builder.RestoreIPTables(tproxyConfig)).Error().To(Succeed()) + Expect(builder.RestoreIPTables(context.Background(), tproxyConfig)).Error().To(Succeed()) })).Should(BeClosed()) // then diff --git a/test/framework/universal_app.go b/test/framework/universal_app.go index a9eabdf94659..7ad38ff06e70 100644 --- a/test/framework/universal_app.go +++ b/test/framework/universal_app.go @@ -491,11 +491,6 @@ func (s *UniversalApp) setupTransparent(builtindns bool) { "--redirect-dns", ) } - if builtindns && Config.OS != "darwin" { - args = append(args, - "--redirect-dns-upstream-target-chain", "DOCKER_OUTPUT", - ) - } app := ssh.NewApp(s.containerName, "", s.verbose, s.ports[sshPort], nil, args) err := app.Run() diff --git a/tools/releases/dockerfiles/kuma-init.Dockerfile b/tools/releases/dockerfiles/kuma-init.Dockerfile index 609958b72c97..cf49db0458b2 100644 --- a/tools/releases/dockerfiles/kuma-init.Dockerfile +++ b/tools/releases/dockerfiles/kuma-init.Dockerfile @@ -15,8 +15,7 @@ COPY /tools/releases/templates/LICENSE \ COPY /tools/releases/templates/NOTICE /kuma/NOTICE -RUN update-alternatives --set iptables /usr/sbin/iptables-legacy && \ - adduser --system --disabled-password --group kumactl --uid 5678 +RUN adduser --system --disabled-password --group kumactl --uid 5678 ENTRYPOINT ["/usr/bin/kumactl"] CMD ["install", "transparent-proxy"]