mirror of
https://github.com/k3s-io/k3s.git
synced 2024-06-07 19:41:36 +00:00
Merge pull request #1060 from erikwilson/fix-iptables-check-config
Search system path for iptables in check-config
commit
ea69b45477
|
@ -10,7 +10,6 @@ EXITCODE=0
|
||||||
# see also https://github.com/lxc/lxc/blob/lxc-1.0.2/src/lxc/lxc-checkconfig.in
|
# see also https://github.com/lxc/lxc/blob/lxc-1.0.2/src/lxc/lxc-checkconfig.in
|
||||||
|
|
||||||
uname=$(uname -r)
|
uname=$(uname -r)
|
||||||
|
|
||||||
possibleConfigs="
|
possibleConfigs="
|
||||||
/proc/config.gz
|
/proc/config.gz
|
||||||
/boot/config-${uname}
|
/boot/config-${uname}
|
||||||
|
@ -18,6 +17,8 @@ possibleConfigs="
|
||||||
/usr/src/linux-${uname}/.config
|
/usr/src/linux-${uname}/.config
|
||||||
/usr/src/linux/.config
|
/usr/src/linux/.config
|
||||||
"
|
"
|
||||||
|
binDir=$(dirname "$0")
|
||||||
|
configFormat=gz
|
||||||
|
|
||||||
if [ $# -gt 0 ]; then
|
if [ $# -gt 0 ]; then
|
||||||
CONFIG="$1"
|
CONFIG="$1"
|
||||||
|
@ -29,8 +30,6 @@ if ! command -v zgrep >/dev/null 2>&1; then
|
||||||
}
|
}
|
||||||
fi
|
fi
|
||||||
|
|
||||||
configFormat=gz
|
|
||||||
|
|
||||||
dogrep() {
|
dogrep() {
|
||||||
if [ "$configFormat" = "gz" ]; then
|
if [ "$configFormat" = "gz" ]; then
|
||||||
zgrep "$1" "$2"
|
zgrep "$1" "$2"
|
||||||
|
@ -93,7 +92,8 @@ wrap_good() {
|
||||||
echo "$(wrap_color "$1" white): $(wrap_color "$2" green)"
|
echo "$(wrap_color "$1" white): $(wrap_color "$2" green)"
|
||||||
}
|
}
|
||||||
wrap_bad() {
|
wrap_bad() {
|
||||||
echo "$(wrap_color "$1" bold): $(wrap_color "$2" bold red)"
|
echo "$(wrap_color "$1" bold): $(wrap_color "$2 (fail)" bold red)"
|
||||||
|
EXITCODE=$(($EXITCODE+1))
|
||||||
}
|
}
|
||||||
wrap_warn() {
|
wrap_warn() {
|
||||||
echo "$(wrap_color "$1" bold): $(wrap_color "$2" bold yellow)"
|
echo "$(wrap_color "$1" bold): $(wrap_color "$2" bold yellow)"
|
||||||
|
@ -110,7 +110,6 @@ check_flag() {
|
||||||
else
|
else
|
||||||
if [ "$IS_ERROR" = 1 ]; then
|
if [ "$IS_ERROR" = 1 ]; then
|
||||||
wrap_bad "CONFIG_$1" 'missing'
|
wrap_bad "CONFIG_$1" 'missing'
|
||||||
EXITCODE=1
|
|
||||||
else
|
else
|
||||||
wrap_warn "CONFIG_$1" 'missing'
|
wrap_warn "CONFIG_$1" 'missing'
|
||||||
fi
|
fi
|
||||||
|
@ -128,7 +127,6 @@ check_command() {
|
||||||
wrap_good "$1 command" 'available'
|
wrap_good "$1 command" 'available'
|
||||||
else
|
else
|
||||||
wrap_bad "$1 command" 'missing'
|
wrap_bad "$1 command" 'missing'
|
||||||
EXITCODE=1
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -137,7 +135,6 @@ check_device() {
|
||||||
wrap_good "$1" 'present'
|
wrap_good "$1" 'present'
|
||||||
else
|
else
|
||||||
wrap_bad "$1" 'missing'
|
wrap_bad "$1" 'missing'
|
||||||
EXITCODE=1
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -150,7 +147,6 @@ check_distro_userns() {
|
||||||
if ! grep -q "user_namespace.enable=1" /proc/cmdline; then
|
if ! grep -q "user_namespace.enable=1" /proc/cmdline; then
|
||||||
# no user namespace support enabled
|
# no user namespace support enabled
|
||||||
wrap_bad " (RHEL7/CentOS7" "User namespaces disabled; add 'user_namespace.enable=1' to boot command line)"
|
wrap_bad " (RHEL7/CentOS7" "User namespaces disabled; add 'user_namespace.enable=1' to boot command line)"
|
||||||
EXITCODE=1
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
@ -160,9 +156,8 @@ check_distro_userns() {
|
||||||
echo
|
echo
|
||||||
|
|
||||||
{
|
{
|
||||||
BINDIR=$(dirname "$0")
|
cd $binDir
|
||||||
cd $BINDIR
|
echo "Verifying binaries in $binDir:"
|
||||||
echo "Verifying binaries in $BINDIR:"
|
|
||||||
|
|
||||||
if [ -s .sha256sums ]; then
|
if [ -s .sha256sums ]; then
|
||||||
sumsTemp=$(mktemp)
|
sumsTemp=$(mktemp)
|
||||||
|
@ -170,8 +165,7 @@ echo
|
||||||
wrap_good '- sha256sum' 'good'
|
wrap_good '- sha256sum' 'good'
|
||||||
else
|
else
|
||||||
wrap_bad '- sha256sum' 'does not match'
|
wrap_bad '- sha256sum' 'does not match'
|
||||||
cat $sumsTemp | sed -e 's/^/ ... /'
|
cat $sumsTemp | sed 's/^/ ... /'
|
||||||
EXITCODE=1
|
|
||||||
fi
|
fi
|
||||||
rm -f $sumsTemp
|
rm -f $sumsTemp
|
||||||
else
|
else
|
||||||
|
@ -188,8 +182,6 @@ echo
|
||||||
done <.links
|
done <.links
|
||||||
if [ $linkFail -eq 0 ]; then
|
if [ $linkFail -eq 0 ]; then
|
||||||
wrap_good '- links' 'good'
|
wrap_good '- links' 'good'
|
||||||
else
|
|
||||||
EXITCODE=1
|
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
wrap_warn '- links' 'link list unavailable'
|
wrap_warn '- links' 'link list unavailable'
|
||||||
|
@ -204,20 +196,40 @@ echo
|
||||||
version_ge() {
|
version_ge() {
|
||||||
[ "$1" = "$2" ] || [ "$(printf '%s\n' "$@" | sort -V | head -n 1)" != "$1" ]
|
[ "$1" = "$2" ] || [ "$(printf '%s\n' "$@" | sort -V | head -n 1)" != "$1" ]
|
||||||
}
|
}
|
||||||
|
which_iptables() {
|
||||||
|
(
|
||||||
|
localIPtables=$(command -v iptables)
|
||||||
|
PATH=$(printf "%s" "$(echo -n $PATH | tr ":" "\n" | grep -v -E "^$binDir$")" | tr "\n" ":")
|
||||||
|
systemIPtables=$(command -v iptables)
|
||||||
|
if [ -n "$systemIPtables" ]; then
|
||||||
|
echo $systemIPtables
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
echo $localIPtables
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
echo "System:"
|
echo "System:"
|
||||||
iptablesInfo=$(iptables --version)
|
|
||||||
iptablesVersion=$(echo $iptablesInfo | awk '{ print $2 }')
|
iptablesCmd=$(which_iptables)
|
||||||
if version_ge $iptablesVersion v1.8.0; then
|
iptablesVersion=
|
||||||
|
if [ "$iptablesCmd" ]; then
|
||||||
|
iptablesInfo=$($iptablesCmd --version 2>/dev/null) || true
|
||||||
|
iptablesVersion=$(echo $iptablesInfo | awk '{ print $2 }')
|
||||||
|
label="$(dirname $iptablesCmd) $iptablesInfo"
|
||||||
|
fi
|
||||||
|
if echo "$iptablesVersion" | grep -v -q -E '^v[0-9]'; then
|
||||||
|
[ "$iptablesCmd" ] || iptablesCmd="unknown iptables"
|
||||||
|
wrap_warn "- $iptablesCmd" "unknown version: $iptablesInfo"
|
||||||
|
elif version_ge $iptablesVersion v1.8.0; then
|
||||||
iptablesMode=$(echo $iptablesInfo | awk '{ print $3 }')
|
iptablesMode=$(echo $iptablesInfo | awk '{ print $3 }')
|
||||||
if [ "$iptablesMode" != "(legacy)" ]; then
|
if [ "$iptablesMode" != "(legacy)" ]; then
|
||||||
wrap_bad "- $iptablesInfo" 'should be older than v1.8.0 or in legacy mode'
|
wrap_bad "- $label" 'should be older than v1.8.0 or in legacy mode'
|
||||||
EXITCODE=1
|
|
||||||
else
|
else
|
||||||
wrap_good "- $iptablesInfo" 'ok'
|
wrap_good "- $label" 'ok'
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
wrap_good "- $iptablesInfo" 'older than v1.8'
|
wrap_good "- $label" 'older than v1.8'
|
||||||
fi
|
fi
|
||||||
|
|
||||||
totalSwap=$(free | grep -i '^swap:' | awk '{ print $2 }')
|
totalSwap=$(free | grep -i '^swap:' | awk '{ print $2 }')
|
||||||
|
@ -242,7 +254,6 @@ echo
|
||||||
if [ "$(cat "$1")" -le "$2" ]; then
|
if [ "$(cat "$1")" -le "$2" ]; then
|
||||||
wrap_bad "- $1" "$(cat "$1")"
|
wrap_bad "- $1" "$(cat "$1")"
|
||||||
wrap_color " This should be set to at least $2, for example set: sysctl -w kernel/keys/root_maxkeys=1000000" bold black
|
wrap_color " This should be set to at least $2, for example set: sysctl -w kernel/keys/root_maxkeys=1000000" bold black
|
||||||
EXITCODE=1
|
|
||||||
else
|
else
|
||||||
wrap_good "- $1" "$(cat "$1")"
|
wrap_good "- $1" "$(cat "$1")"
|
||||||
fi
|
fi
|
||||||
|
@ -293,14 +304,13 @@ echo -n '- '
|
||||||
cgroupSubsystemDir="$(awk '/[, ](cpu|cpuacct|cpuset|devices|freezer|memory)[, ]/ && $3 == "cgroup" { print $2 }' /proc/mounts | head -n1)"
|
cgroupSubsystemDir="$(awk '/[, ](cpu|cpuacct|cpuset|devices|freezer|memory)[, ]/ && $3 == "cgroup" { print $2 }' /proc/mounts | head -n1)"
|
||||||
cgroupDir="$(dirname "$cgroupSubsystemDir")"
|
cgroupDir="$(dirname "$cgroupSubsystemDir")"
|
||||||
if [ -d "$cgroupDir/cpu" ] || [ -d "$cgroupDir/cpuacct" ] || [ -d "$cgroupDir/cpuset" ] || [ -d "$cgroupDir/devices" ] || [ -d "$cgroupDir/freezer" ] || [ -d "$cgroupDir/memory" ]; then
|
if [ -d "$cgroupDir/cpu" ] || [ -d "$cgroupDir/cpuacct" ] || [ -d "$cgroupDir/cpuset" ] || [ -d "$cgroupDir/devices" ] || [ -d "$cgroupDir/freezer" ] || [ -d "$cgroupDir/memory" ]; then
|
||||||
echo "$(wrap_good 'cgroup hierarchy' 'properly mounted') [$cgroupDir]"
|
wrap_good 'cgroup hierarchy' "properly mounted [$cgroupDir]"
|
||||||
else
|
else
|
||||||
if [ "$cgroupSubsystemDir" ]; then
|
if [ "$cgroupSubsystemDir" ]; then
|
||||||
echo "$(wrap_bad 'cgroup hierarchy' 'single mountpoint!') [$cgroupSubsystemDir]"
|
wrap_bad 'cgroup hierarchy' "single mountpoint! [$cgroupSubsystemDir]"
|
||||||
else
|
else
|
||||||
wrap_bad 'cgroup hierarchy' 'nonexistent??'
|
wrap_bad 'cgroup hierarchy' 'nonexistent??'
|
||||||
fi
|
fi
|
||||||
EXITCODE=1
|
|
||||||
echo " $(wrap_color '(see https://github.com/tianon/cgroupfs-mount)' yellow)"
|
echo " $(wrap_color '(see https://github.com/tianon/cgroupfs-mount)' yellow)"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -318,7 +328,6 @@ if [ "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)" = 'Y' ]; then
|
||||||
else
|
else
|
||||||
wrap_color '(look for an "apparmor" package for your distribution)'
|
wrap_color '(look for an "apparmor" package for your distribution)'
|
||||||
fi
|
fi
|
||||||
EXITCODE=1
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -351,11 +360,9 @@ echo 'Optional Features:'
|
||||||
check_flags CGROUP_PIDS
|
check_flags CGROUP_PIDS
|
||||||
}
|
}
|
||||||
# {
|
# {
|
||||||
# CODE=${EXITCODE}
|
|
||||||
# check_flags MEMCG_SWAP MEMCG_SWAP_ENABLED
|
# check_flags MEMCG_SWAP MEMCG_SWAP_ENABLED
|
||||||
# if [ -e /sys/fs/cgroup/memory/memory.memsw.limit_in_bytes ]; then
|
# if [ -e /sys/fs/cgroup/memory/memory.memsw.limit_in_bytes ]; then
|
||||||
# echo " $(wrap_color '(cgroup swap accounting is currently enabled)' bold black)"
|
# echo " $(wrap_color '(cgroup swap accounting is currently enabled)' bold black)"
|
||||||
# EXITCODE=${CODE}
|
|
||||||
# elif is_set MEMCG_SWAP && ! is_set MEMCG_SWAP_ENABLED; then
|
# elif is_set MEMCG_SWAP && ! is_set MEMCG_SWAP_ENABLED; then
|
||||||
# echo " $(wrap_color '(cgroup swap accounting is currently not enabled, you can enable it by setting boot option "swapaccount=1")' bold black)"
|
# echo " $(wrap_color '(cgroup swap accounting is currently not enabled, you can enable it by setting boot option "swapaccount=1")' bold black)"
|
||||||
# fi
|
# fi
|
||||||
|
@ -438,45 +445,9 @@ check_flags CRYPTO CRYPTO_AEAD CRYPTO_GCM CRYPTO_SEQIV CRYPTO_GHASH \
|
||||||
# echo " - \"$(wrap_color 'ftp,tftp client in container' blue)\":"
|
# echo " - \"$(wrap_color 'ftp,tftp client in container' blue)\":"
|
||||||
# check_flags NF_NAT_FTP NF_CONNTRACK_FTP NF_NAT_TFTP NF_CONNTRACK_TFTP | sed 's/^/ /'
|
# check_flags NF_NAT_FTP NF_CONNTRACK_FTP NF_NAT_TFTP NF_CONNTRACK_TFTP | sed 's/^/ /'
|
||||||
|
|
||||||
# only fail if no storage drivers available
|
|
||||||
CODE=${EXITCODE}
|
|
||||||
EXITCODE=0
|
|
||||||
STORAGE=1
|
|
||||||
|
|
||||||
echo '- Storage Drivers:'
|
echo '- Storage Drivers:'
|
||||||
# echo " - \"$(wrap_color 'aufs' blue)\":"
|
|
||||||
# check_flags AUFS_FS | sed 's/^/ /'
|
|
||||||
# if ! is_set AUFS_FS && grep -q aufs /proc/filesystems; then
|
|
||||||
# echo " $(wrap_color '(note that some kernels include AUFS patches but not the AUFS_FS flag)' bold black)"
|
|
||||||
# fi
|
|
||||||
# [ "$EXITCODE" = 0 ] && STORAGE=0
|
|
||||||
# EXITCODE=0
|
|
||||||
|
|
||||||
# echo " - \"$(wrap_color 'btrfs' blue)\":"
|
|
||||||
# check_flags BTRFS_FS | sed 's/^/ /'
|
|
||||||
# check_flags BTRFS_FS_POSIX_ACL | sed 's/^/ /'
|
|
||||||
# [ "$EXITCODE" = 0 ] && STORAGE=0
|
|
||||||
# EXITCODE=0
|
|
||||||
|
|
||||||
# echo " - \"$(wrap_color 'devicemapper' blue)\":"
|
|
||||||
# check_flags BLK_DEV_DM DM_THIN_PROVISIONING | sed 's/^/ /'
|
|
||||||
# [ "$EXITCODE" = 0 ] && STORAGE=0
|
|
||||||
# EXITCODE=0
|
|
||||||
|
|
||||||
echo " - \"$(wrap_color 'overlay' blue)\":"
|
echo " - \"$(wrap_color 'overlay' blue)\":"
|
||||||
check_flags OVERLAY_FS | sed 's/^/ /'
|
check_flags OVERLAY_FS | sed 's/^/ /'
|
||||||
[ "$EXITCODE" = 0 ] && STORAGE=0
|
|
||||||
EXITCODE=0
|
|
||||||
|
|
||||||
# echo " - \"$(wrap_color 'zfs' blue)\":"
|
|
||||||
# echo -n " - "; check_device /dev/zfs
|
|
||||||
# echo -n " - "; check_command zfs
|
|
||||||
# echo -n " - "; check_command zpool
|
|
||||||
# [ "$EXITCODE" = 0 ] && STORAGE=0
|
|
||||||
# EXITCODE=0
|
|
||||||
|
|
||||||
EXITCODE=$CODE
|
|
||||||
[ "$STORAGE" = 1 ] && EXITCODE=1
|
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
|
|
||||||
|
@ -484,7 +455,7 @@ echo
|
||||||
if [ $EXITCODE -eq 0 ]; then
|
if [ $EXITCODE -eq 0 ]; then
|
||||||
wrap_good 'STATUS' 'pass'
|
wrap_good 'STATUS' 'pass'
|
||||||
else
|
else
|
||||||
wrap_bad 'STATUS' 'fail'
|
wrap_bad 'STATUS' $EXITCODE
|
||||||
fi
|
fi
|
||||||
|
|
||||||
exit $EXITCODE
|
exit $EXITCODE
|
||||||
|
|
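Review bot: The PATH filter in `which_iptables` treats `$binDir` as an extended regex (`grep -v -E "^$binDir$"`), and `binDir` is the raw `dirname "$0"`, so the filter is unreliable. A relative invocation gives `.` or `./bin`, which never equals an absolute PATH entry, while `^.$` matches any one-character entry; the copy next to the script (presumably the bundled one) may then still be reported as the system iptables. Compare literally against a resolved directory: set `binDir=$(cd "$(dirname "$0")" && pwd)`, use `grep -v -F -x -- "$binDir"`, and replace `echo -n $PATH` with `printf '%s' "$PATH"`, keeping the outer `$(...)` so no trailing `:` (an empty entry, i.e. the current directory) is added to PATH. Separately, `cd $binDir` before the `.sha256sums` check is unquoted and unchecked, so if the `cd` fails the checksum verification runs in whatever directory the caller was in; `cd "$binDir" || exit 1` would prevent that.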