Page MenuHomePhabricator
Create Task
Maniphest T276869

Missing docker iptables nat rules for releases hosts
Closed, ResolvedPublic
Actions

Description

The current puppet configuration for releases1002 and release2002 disable docker's built in iptables rules but don't include our profile::docker::builder which provides such rules via ferm. Without proper iptables nat rules, container networking is effectively disabled.

We should either set iptables: true in profile::docker::engine::settings for releases hosts, or include the builder profile.

Details

SubjectRepoBranchLines +/-
releases: include profile::docker::ferm in releases roleoperations/puppetproduction+1 -0
builder/docker: break out docker ferm rules into own profileoperations/puppetproduction+14 -9
Customize query in gerrit

Event Timeline

dduvall created this task.Mar 9 2021, 12:02 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 9 2021, 12:02 AM
dduvall updated the task description. (Show Details)Mar 9 2021, 12:03 AM
Legoktm subscribed.Mar 9 2021, 12:22 AM

Including profile::docker::builder would be wrong since that also pulls in a bunch of other stuff to build the production-images that isn't needed on releases hosts. But moving that ferm rule elsewhere so it can be reused seems reasonable?

gerritbot added a comment.Mar 9 2021, 8:59 PM

Change 670286 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] builder/docker: break out docker ferm rules into own profile

https://gerrit.wikimedia.org/r/670286

gerritbot added a project: Patch-For-Review.Mar 9 2021, 8:59 PM
gerritbot added a comment.Mar 9 2021, 9:07 PM

Change 670289 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] releases: include profile::docker::ferm in releases role

https://gerrit.wikimedia.org/r/670289

gerritbot added a comment.Mar 10 2021, 9:39 PM

Change 670286 merged by Dzahn:
[operations/puppet@production] builder/docker: break out docker ferm rules into own profile

https://gerrit.wikimedia.org/r/670286

gerritbot added a comment.Mar 10 2021, 9:49 PM

Change 670289 merged by Dzahn:
[operations/puppet@production] releases: include profile::docker::ferm in releases role

https://gerrit.wikimedia.org/r/670289

Stashbot added a comment.Mar 10 2021, 9:53 PM

Mentioned in SAL (#wikimedia-operations) [2021-03-10T21:53:29Z] <mutante> ferm/iptables docker NAT rules applied by puppet on releases servers after breaking out fules into their own profile class (T276869)

Dzahn subscribed.Mar 10 2021, 9:54 PM
[releases1002:~] $  sudo iptables -L | grep DOCKER
DOCKER-ISOLATION  all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
Chain DOCKER (1 references)
Chain DOCKER-ISOLATION (1 references)


[releases2002:~] $ sudo iptables -L | grep DOCKER
DOCKER-ISOLATION  all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
Chain DOCKER (1 references)
Chain DOCKER-ISOLATION (1 references)
Dzahn added a comment.Mar 10 2021, 9:55 PM
In T276869#6894650, @Legoktm wrote:

Including profile::docker::builder would be wrong since that also pulls in a bunch of other stuff to build the production-images that isn't needed on releases hosts. But moving that ferm rule elsewhere so it can be reused seems reasonable?

done. the ferm rules have been moved into profile::docker::ferm and that profile is now included in the releases role and the iptables rules exist.

Dzahn added a comment.Mar 10 2021, 9:57 PM

@dduvall Good to resolve?

Dzahn claimed this task.Mar 10 2021, 9:57 PM
Maintenance_bot removed a project: Patch-For-Review.Mar 10 2021, 10:10 PM
dduvall closed this task as Resolved.Mar 10 2021, 10:37 PM

Yes! Thanks so much for the fix.

I've verified that traffic is now being properly routed from the container network through the host on releases1002.

I'm seeing errors during apt-get update now for just http://security.debian.org. However I believe this may be a separate issue and doesn't necessarily block us. I'll look for a relevant task and comment there.

Err:10 http://security.debian.org buster/updates InRelease
  Could not connect to security.debian.org:80 (151.101.130.132), connection timed out
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits