Switch to iptables-legacy as iptables-nft is not supported yet #143 (!72) · Merge requests · Common Ground / Haven / haven

Bart Jeukendrup requested to merge fix/buster-iptables-legacy into master May 20, 2020

This MR switches new clusters to iptables-legacy.

Updating existing clusters

For updating existing clusters, use the following script:

IGS=$(kops get ig -o json | jq -r '.[] | .metadata.name')
for IG in $IGS; do
    if [[ "bastions" != $IG ]]; then
        kops get ig $IG -o yaml > /tmp/ig.yaml
        sed -i "s/  additionalUserData\:/  additionalUserData\:\n  - name\: busterfix.sh\n    type\: text\/x-shellscript\n    content\: |\n      #\!\/bin\/sh\n      update-alternatives --set iptables \/usr\/sbin\/iptables-legacy\n      update-alternatives --set ip6tables \/usr\/sbin\/ip6tables-legacy\n      update-alternatives --set arptables \/usr\/sbin\/arptables-legacy\n      update-alternatives --set ebtables \/usr\/sbin\/ebtables-legacy/" /tmp/ig.yaml
        echo "---" >> /tmp/igs.yaml
        cat /tmp/ig.yaml >> /tmp/igs.yaml
        rm -f /tmp/ig.yaml
    fi
done

kops replace -f /tmp/igs.yaml

Now run:

kops rolling-update cluster -y

In another terminal:

bin/upgrade-helper

Finally clean up with:

rm /tmp/igs.yaml

Edited May 20, 2020 by Bart Jeukendrup

Switch to iptables-legacy as iptables-nft is not supported yet #143

Updating existing clusters

Merge request reports