Look for update-alternatives before using it #1640
It is only used with dpkg, not with other systems such as buildroot (that already has iptables legacy as the default)
Hi @afbjorklund. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: afbjorklund The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
busybox is broken with kubernetes last I checked, e.g. It seems like it would also be possible to place a fake / custom I'd prefer not to silently not update the iptables to match, failing to do so is a bug and will cause problems without surfacing them as obviously.
The image was based on the new minikube.iso, if you want to check it out... Basically we are doing the equivalent of update-alternatives at build time.
EDIT: thinko, but minikube does run kubernetes already so that buildroot config should be ok
That would work too, we could also do a different check if better (look for symlink etc)
Hmm, wrote too fast... I think we replaced some of the busybox with other variants, like util-linux and friends. This was indeed intended for the image itself, too many layers to keep them apart :-)
Note that we are still running the docker containers with ubuntu image, just like kind. This was an experiment, to see if we could have the same OS for both VM and KIC
For minikube it would make maintenance easier, by having less default OS variants...
Another approach would be to make an Ubuntu-based VM, but it would increase footprint
this was already considered in the original iptables detection scripts
I suppose a fedora-based image is also a possibility, in the sake of diversity (like podman)
That seems like an enormous waste of resources. The OS of the image is an implementation detail, we're definitely not going to maintain against multiple OS-es for the image contents. As noted in #1640 (comment) this behavior was considered and rejected in the upstream iptables-wrapper, and as mentioned previously failing to set this is a major bug.
In one aspect you are right, both podman and cri-o are an enormous waste of resources... And so far we haven't added any infrastructure for actually testing on CentOS (or Fedora)
There are multiple OS for minikube being used at the moment, but we might change that soon.
But for this issue, I'm just going to add a fake
Right now it only has "legacy", but it turns out that it is simple to implement this "update-alternatives" once both binaries are present. It is just a question of where the Just have to set

```
# Update links to point to the selected binaries
for cmd in iptables iptables-save iptables-restore ip6tables ip6tables-save ip6tables-restore; do
    rm -f "${sbin}/\${cmd}"
    ln -s "${sbin}/xtables-\${mode}-multi" "${sbin}/\${cmd}"
done
```
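One way to combine the two positions in this thread, as an added example that is not code from this PR or from the iptables-wrapper project: use update-alternatives when it exists, fall back to relinking the xtables multi-call binaries when it does not, and return an error instead of silently leaving the mode unchanged. The function name `select_iptables_mode` and the `ALTERNATIVES_CMD` override are hypothetical; the relinking loop is the one quoted above, written with plain variable expansion.

```shell
#!/bin/sh
# Added example: select the iptables backend and fail loudly when that is
# not possible. select_iptables_mode and ALTERNATIVES_CMD are hypothetical.

select_iptables_mode() {
    mode="$1"                 # "legacy" or "nft"
    sbin="${2:-/usr/sbin}"    # directory holding the iptables binaries
    alt="${ALTERNATIVES_CMD:-update-alternatives}"

    case "${mode}" in
        legacy|nft) ;;
        *) echo "unknown iptables mode: ${mode}" >&2; return 2 ;;
    esac

    # dpkg-based images: let the alternatives system switch the links.
    if command -v "${alt}" >/dev/null 2>&1; then
        "${alt}" --set iptables "${sbin}/iptables-${mode}" >/dev/null &&
        "${alt}" --set ip6tables "${sbin}/ip6tables-${mode}" >/dev/null
        return $?
    fi

    # No alternatives system (for example buildroot): relink by hand, but
    # only when the requested backend is actually installed.
    if [ ! -x "${sbin}/xtables-${mode}-multi" ]; then
        echo "cannot select iptables mode ${mode}: no ${alt}," \
             "no ${sbin}/xtables-${mode}-multi" >&2
        return 1
    fi

    # Update links to point to the selected binaries
    for cmd in iptables iptables-save iptables-restore \
               ip6tables ip6tables-save ip6tables-restore; do
        rm -f "${sbin}/${cmd}"
        ln -s "${sbin}/xtables-${mode}-multi" "${sbin}/${cmd}"
    done
}
```

A caller that treats a non-zero return as fatal surfaces a host/container iptables mismatch at startup instead of as missing rules later.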
It is only used with dpkg, not with other systems such as
buildroot (that already has iptables legacy as the default)
I experimented with doing an image based on "buildroot",
which uses busybox rather than ubuntu for the packages.
See kubernetes/minikube#6942
Also had issues with "hostname --ip-address", but it seems gone