Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Inject user provided nft rules #806

Merged
merged 2 commits into from
Nov 20, 2024
Merged

Inject user provided nft rules #806

merged 2 commits into from
Nov 20, 2024

Conversation

bshephar
Copy link
Contributor

@bshephar bshephar commented Nov 11, 2024
edited
Loading

This change ensures that user provided rules are injected into the edpm_nftables_src directory and loaded during rule generation.

The change adds a new variable to facilitate a user interface for rule injection edpm_nftables_user_rules.

Jira: https://issues.redhat.com/browse/OSPRH-11347

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Nov 11, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@bshephar bshephar force-pushed the nftables-user-var branch 5 times, most recently from 015dcb1 to 8d227c7 Compare November 11, 2024 05:50
@fultonj
Copy link
Contributor

fultonj commented Nov 11, 2024

Looks good to me.

slagle
slagle reviewed Nov 11, 2024
View reviewed changes
Copy link
Contributor

@slagle slagle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@bshephar bshephar marked this pull request as ready for review November 11, 2024 21:19
@openshift-ci openshift-ci bot requested review from abays and jpodivin November 11, 2024 21:19
rabi
rabi reviewed Nov 13, 2024
View reviewed changes
roles/edpm_nftables/molecule/action/converge.yml Outdated
- name: "Ensure we drop connections on TCP/1211"
lineinfile:
path: /etc/nftables/edpm-rules.nft
line: 'add rule inet filter EDPM_INPUT tcp dport { 1211 } ct state new counter drop comment "010 testing action"'
register: line_in_file

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is genuine pre-commit job failure with spaces here.

@danpawlik
Copy link

recheck

@openshift-ci openshift-ci bot added the lgtm label Nov 15, 2024
@softwarefactory-project-zuul softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/6e30423b78d74f99a7b589781f8346a0

✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 05m 02s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 19m 11s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 37m 07s
✔️ edpm-ansible-tempest-multinode SUCCESS in 1h 42m 59s
✔️ edpm-ansible-molecule-edpm_bootstrap SUCCESS in 7m 36s
✔️ edpm-ansible-molecule-edpm_podman SUCCESS in 7m 51s
✔️ edpm-ansible-molecule-edpm_module_load SUCCESS in 6m 02s
✔️ edpm-ansible-molecule-edpm_kernel SUCCESS in 11m 28s
✔️ edpm-ansible-molecule-edpm_libvirt SUCCESS in 10m 25s
✔️ edpm-ansible-molecule-edpm_nova SUCCESS in 13m 20s
✔️ edpm-ansible-molecule-edpm_frr SUCCESS in 9m 15s
✔️ edpm-ansible-molecule-edpm_iscsid SUCCESS in 6m 42s
✔️ edpm-ansible-molecule-edpm_ovn_bgp_agent SUCCESS in 9m 41s
✔️ edpm-ansible-molecule-edpm_ovs SUCCESS in 12m 24s
✔️ edpm-ansible-molecule-edpm_tripleo_cleanup SUCCESS in 3m 47s
✔️ edpm-ansible-molecule-edpm_tuned SUCCESS in 7m 16s
✔️ edpm-ansible-molecule-edpm_telemetry_power_monitoring SUCCESS in 7m 45s
adoption-standalone-to-crc-ceph-provider FAILURE in 2h 25m 57s

@openshift-ci openshift-ci bot removed the lgtm label Nov 15, 2024
@softwarefactory-project-zuul softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/9153b95203ec45fd99baede631e95c1a

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 22m 13s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 24m 16s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 30m 33s
✔️ edpm-ansible-tempest-multinode SUCCESS in 1h 41m 37s
✔️ edpm-ansible-molecule-edpm_bootstrap SUCCESS in 5m 37s
✔️ edpm-ansible-molecule-edpm_podman SUCCESS in 4m 19s
✔️ edpm-ansible-molecule-edpm_module_load SUCCESS in 5m 04s
✔️ edpm-ansible-molecule-edpm_kernel SUCCESS in 10m 22s
✔️ edpm-ansible-molecule-edpm_libvirt SUCCESS in 10m 40s
✔️ edpm-ansible-molecule-edpm_nova SUCCESS in 11m 02s
✔️ edpm-ansible-molecule-edpm_frr SUCCESS in 7m 38s
✔️ edpm-ansible-molecule-edpm_iscsid SUCCESS in 4m 47s
✔️ edpm-ansible-molecule-edpm_ovn_bgp_agent SUCCESS in 7m 50s
✔️ edpm-ansible-molecule-edpm_ovs SUCCESS in 12m 28s
✔️ edpm-ansible-molecule-edpm_tripleo_cleanup SUCCESS in 4m 08s
✔️ edpm-ansible-molecule-edpm_tuned SUCCESS in 6m 11s
✔️ edpm-ansible-molecule-edpm_telemetry_power_monitoring SUCCESS in 7m 07s
adoption-standalone-to-crc-ceph-provider FAILURE in 2h 08m 49s

@bshephar
Inject user provided nft rules
fe86852 
This change ensures that user provided rules are injected
into the edpm_nftables_src directory and loaded during rule generation.

The change adds a new variable to facilitate a user interface for rule injection
edpm_nftables_user_rules.

Signed-off-by: Brendan Shephard <[email protected]>
@bshephar
Molecule test for user provided nft rules
08722fa 
Signed-off-by: Brendan Shephard <[email protected]>
@openshift-ci openshift-ci bot added the lgtm label Nov 19, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Nov 19, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bshephar, fao89, slagle

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [bshephar,fao89,slagle]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit b261ece into openstack-k8s-operators:main Nov 20, 2024
35 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rabi rabi rabi left review comments

@fao89 fao89 fao89 approved these changes

@slagle slagle slagle approved these changes

@abays abays Awaiting requested review from abays

@jpodivin jpodivin Awaiting requested review from jpodivin

Assignees

@slagle slagle

@fao89 fao89

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@bshephar @fultonj @danpawlik @rabi @slagle @fao89