feat(preflights): add arp filtering related preflights (#1454)

* feat(preflights): add arp filtering related preflights * chore: change to the soon to be added sysctl collector and analyzer * chore: remove the e2e tests (which are now covered in troubleshoot) * fix: individual arp preflights * chore: bump troubleshoot * Update messages and slightly change order * chore: add pass analyzers to arp preflights --------- Co-authored-by: Alex Parker <[email protected]>
replicatedhq · Nov 13, 2024 · f805a16 · f805a16
1 parent d44af2b
commit f805a16
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 4 deletions.
diff --git a/Makefile b/Makefile
@@ -15,7 +15,7 @@ K0S_GO_VERSION = v1.30.5+k0s.0
 PREVIOUS_K0S_VERSION ?= v1.29.9+k0s.0-ec.0
 PREVIOUS_K0S_GO_VERSION ?= v1.29.9+k0s.0
 K0S_BINARY_SOURCE_OVERRIDE =
-TROUBLESHOOT_VERSION = v0.107.4
+TROUBLESHOOT_VERSION = v0.109.0
 
 KOTS_VERSION = v$(shell awk '/^version/{print $$2}' pkg/addons/adminconsole/static/metadata.yaml | sed -E 's/([0-9]+\.[0-9]+\.[0-9]+).*/\1/')
 # When updating KOTS_BINARY_URL_OVERRIDE, also update the KOTS_VERSION above or

diff --git a/go.mod b/go.mod
@@ -31,7 +31,7 @@ require (
 	github.com/replicatedhq/embedded-cluster/kinds v0.0.0
 	github.com/replicatedhq/embedded-cluster/utils v0.0.0
 	github.com/replicatedhq/kotskinds v0.0.0-20240814191029-3f677ee409a0
-	github.com/replicatedhq/troubleshoot v0.108.1
+	github.com/replicatedhq/troubleshoot v0.109.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/viper v1.19.0

diff --git a/go.sum b/go.sum
@@ -907,8 +907,8 @@ github.com/redis/go-redis/v9 v9.5.2 h1:L0L3fcSNReTRGyZ6AqAEN0K56wYeYAwapBIhkvh0f
 github.com/redis/go-redis/v9 v9.5.2/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
 github.com/replicatedhq/kotskinds v0.0.0-20240814191029-3f677ee409a0 h1:Gi+Fs6583v7GmgQKJyaZuBzcih0z5YXBREDQ8AWY2JM=
 github.com/replicatedhq/kotskinds v0.0.0-20240814191029-3f677ee409a0/go.mod h1:QjhIUu3+OmHZ09u09j3FCoTt8F3BYtQglS+OLmftu9I=
-github.com/replicatedhq/troubleshoot v0.108.1 h1:Yri05zhzIZRrbSYWsvCWjpcp8KzNj2GfrfQRLnZH9UU=
-github.com/replicatedhq/troubleshoot v0.108.1/go.mod h1:mxf8uoKpyFhaYfR3NV1iPwztBf8XWP0B/JpxamZ1UJY=
+github.com/replicatedhq/troubleshoot v0.109.0 h1:lw81hf/lD9/YPj+VOyGdDnw7FSCJkignPQYLVpjnl2k=
+github.com/replicatedhq/troubleshoot v0.109.0/go.mod h1:mxf8uoKpyFhaYfR3NV1iPwztBf8XWP0B/JpxamZ1UJY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=

diff --git a/pkg/preflights/host-preflight.yaml b/pkg/preflights/host-preflight.yaml
@@ -148,6 +148,7 @@ spec:
         exclude: '{{ eq .GlobalCIDR.CIDR "" }}'
         CIDRRangeAlloc: '{{ .GlobalCIDR.CIDR }}'
         desiredCIDR: {{.GlobalCIDR.Size}}
+    - sysctl: {}
   analyzers:
     - cpu:
         checkName: CPU
@@ -834,3 +835,39 @@ spec:
           - pass:
               when: "a-subnet-is-available"
               message: Specified CIDR is available.
+    - sysctl:
+        checkName: "ARP Filter default value for newly created interfaces"
+        outcomes:
+          - fail:
+              when: 'net.ipv4.conf.default.arp_filter > 0'
+              message: "ARP filtering must be disabled by default for newly created interfaces on the host. To disable it, edit /etc/sysctl.conf, add the line 'net.ipv4.conf.default.arp_filter=0', and run 'sudo sysctl -p'."
+          - pass:
+              when: 'net.ipv4.conf.default.arp_filter == 0'
+              message: "ARP filtering is disabled by default for newly created interfaces on the host."
+    - sysctl:
+        checkName: "ARP Filter value for all interfaces"
+        outcomes:
+          - fail:
+              when: 'net.ipv4.conf.all.arp_filter > 0'
+              message: "ARP filtering must be disabled for all interfaces on the host. To disable it, edit /etc/sysctl.conf, add the line 'net.ipv4.conf.all.arp_filter=0', and run 'sudo sysctl -p'."
+          - pass:
+              when: 'net.ipv4.conf.all.arp_filter == 0'
+              message: "ARP filtering is disabled for all interfaces on the host."
+    - sysctl:
+        checkName: "ARP Ignore default value for newly created interfaces"
+        outcomes:
+          - fail:
+              when: 'net.ipv4.conf.default.arp_ignore > 0'
+              message: "ARP ignore must be disabled by default for newly created interfaces on the host. To disable it, edit /etc/sysctl.conf, add the line 'net.ipv4.conf.default.arp_ignore=0', and run 'sudo sysctl -p'."
+          - pass:
+              when: 'net.ipv4.conf.default.arp_ignore == 0'
+              message: "ARP ignore is disabled by default for newly created interfaces on the host."
+    - sysctl:
+        checkName: "ARP Ignore value for all interfaces"
+        outcomes:
+          - fail:
+              when: 'net.ipv4.conf.all.arp_ignore > 0'
+              message: "ARP ignore must be disabled for all interfaces on the host. To disable it, edit /etc/sysctl.conf, add the line 'net.ipv4.conf.all.arp_ignore=0', and run 'sudo sysctl -p'."
+          - pass:
+              when: 'net.ipv4.conf.all.arp_ignore == 0'
+              message: "ARP ignore is disabled for all interfaces on the host."