-
Notifications
You must be signed in to change notification settings - Fork 44
/
iptables-22623-22624
executable file
·67 lines (62 loc) · 2.83 KB
/
iptables-22623-22624
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
#!/usr/bin/env bash
# kb: https://access.redhat.com/solutions/5709711
# description: Checks if the nodes iptables rules are blocking 22623/tpc or 22624/tcp
#
# To check if the rule exist, we use iptables -C, it returns 0 if the rule exist
# and if it doesn't exist, it exits 1 with the following message:
# "iptables: Bad rule (does a matching rule exist in that chain?)."
#
# To save cycles, we run every command in the same oc debug session.
# We concatenate all commands with || meaning it will stop if
# some command fails (returns 0, so if the rule exist)
[ -z ${UTILSFILE} ] && source $(echo "$(dirname ${0})/../utils")
tmperrorfile=$(mktemp)
trap "rm ${errorfile}" EXIT
echo 0 >$tmperrorfile
if oc auth can-i debug node >/dev/null 2>&1; then
msg "Checking if ports 22623/tcp and 22624/tcp are blocked (${BLUE}using oc debug, it can take a while${NOCOLOR})"
# shellcheck disable=SC2016
for node in $(oc get nodes -o go-template='{{range .items}}{{$node := .}}{{range .status.conditions}}{{if eq .type "Ready"}}{{if eq .status "True"}}node/{{$node.metadata.name}}{{"\n"}}{{end}}{{end}}{{end}}{{end}}'); do
# See https://medium.com/@robert.i.sandor/getting-started-with-parallelization-in-bash-e114f4353691
((i = i % PARALLELJOBS))
((i++ == 0)) && wait
(
ocdebugorwait # Pause for no OC debug running
# shellcheck disable=2016
OUTPUT=$(oc debug --image="${OCDEBUGIMAGE}" "${node}" -- chroot /host sh -c \
"iptables -C FORWARD -p tcp --dport 22623 -j REJECT --reject-with icmp-port-unreachable &>/dev/null || \
iptables -C FORWARD -p tcp --dport 22624 -j REJECT --reject-with icmp-port-unreachable &>/dev/null || \
iptables -C OUTPUT -p tcp --dport 22623 -j REJECT --reject-with icmp-port-unreachable &>/dev/null || \
iptables -C OUTPUT -p tcp --dport 22624 -j REJECT --reject-with icmp-port-unreachable &>/dev/null || \
echo 'allok'" 2>&1)
# The command stderr and stdout are captured
# If the command output is 'allok' is because every other command
# failed, meaning the iptables rules weren't found
if [[ ${OUTPUT} =~ "allok" ]]; then
# Do nothing
:
elif [[ ${OUTPUT} =~ "Back-off" ]]; then
msg "${ORANGE}Error pulling the oc debug image in ${node}${NOCOLOR}"
elif [[ ${OUTPUT} =~ "unable to create" ]]; then
msg "${ORANGE}Unable to create debug pod in ${node}${NOCOLOR}"
else
msg "${RED}iptables rules for 22623/tcp or 22624/tcp found in ${node}${NOCOLOR}"
echo 1 >$tmperrorfile
fi
) &
done
wait
if [ "$(cat $tmperrorfile)" -eq 1 ]; then
errors=$(("${errors}" + 1))
if [ ! -z "${ERRORFILE}" ]; then
echo $errors >${ERRORFILE}
fi
exit ${OCERROR}
else
exit ${OCOK}
fi
else
msg "Couldn't debug nodes, check permissions"
exit ${OCSKIP}
fi
exit ${OCUNKNOWN}