From f805a169c53ddbef7d4797bbeb0cc155495390cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Antunes?= 
Date: Wed, 13 Nov 2024 17:07:17 +0000
Subject: [PATCH] feat(preflights): add arp filtering related preflights (#1454)

* feat(preflights): add arp filtering related preflights
* chore: change to the soon to be added sysctl collector and analyzer
* chore: remove the e2e tests (which are now covered in troubleshoot)
* fix: individual arp preflights
* chore: bump troubleshoot
* Update messages and slightly change order
* chore: add pass analyzers to arp preflights

---------

Co-authored-by: Alex Parker <7272359+ajp-io@users.noreply.github.com>
---
 Makefile | 2 +-
 go.mod | 2 +-
 go.sum | 4 ++--
 pkg/preflights/host-preflight.yaml | 37 ++++++++++++++++++++++++++++++
 4 files changed, 41 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 32eac0f5b..75305d1fc 100644
--- a/Makefile
+++ b/Makefile
@@ -15,7 +15,7 @@ K0S_GO_VERSION = v1.30.5+k0s.0
 PREVIOUS_K0S_VERSION ?= v1.29.9+k0s.0-ec.0
 PREVIOUS_K0S_GO_VERSION ?= v1.29.9+k0s.0
 K0S_BINARY_SOURCE_OVERRIDE =
-TROUBLESHOOT_VERSION = v0.107.4
+TROUBLESHOOT_VERSION = v0.109.0
 KOTS_VERSION = v$(shell awk '/^version/{print $$2}' pkg/addons/adminconsole/static/metadata.yaml | sed -E 's/([0-9]+\.[0-9]+\.[0-9]+).*/\1/')
 
 # When updating KOTS_BINARY_URL_OVERRIDE, also update the KOTS_VERSION above or
diff --git a/go.mod b/go.mod
index d4ef81dc4..99bd1abd6 100644
--- a/go.mod
+++ b/go.mod
@@ -31,7 +31,7 @@ require (
 github.com/replicatedhq/embedded-cluster/kinds v0.0.0
 github.com/replicatedhq/embedded-cluster/utils v0.0.0
 github.com/replicatedhq/kotskinds v0.0.0-20240814191029-3f677ee409a0
-github.com/replicatedhq/troubleshoot v0.108.1
+github.com/replicatedhq/troubleshoot v0.109.0
 github.com/sirupsen/logrus v1.9.3
 github.com/spf13/cobra v1.8.1
 github.com/spf13/viper v1.19.0
diff --git a/go.sum b/go.sum
index 17ff8e76d..04edf88cf 100644
--- a/go.sum
+++ b/go.sum
@@ -907,8 +907,8 @@ github.com/redis/go-redis/v9 v9.5.2 h1:L0L3fcSNReTRGyZ6AqAEN0K56wYeYAwapBIhkvh0f
 github.com/redis/go-redis/v9 v9.5.2/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
 github.com/replicatedhq/kotskinds v0.0.0-20240814191029-3f677ee409a0 h1:Gi+Fs6583v7GmgQKJyaZuBzcih0z5YXBREDQ8AWY2JM=
 github.com/replicatedhq/kotskinds v0.0.0-20240814191029-3f677ee409a0/go.mod h1:QjhIUu3+OmHZ09u09j3FCoTt8F3BYtQglS+OLmftu9I=
-github.com/replicatedhq/troubleshoot v0.108.1 h1:Yri05zhzIZRrbSYWsvCWjpcp8KzNj2GfrfQRLnZH9UU=
-github.com/replicatedhq/troubleshoot v0.108.1/go.mod h1:mxf8uoKpyFhaYfR3NV1iPwztBf8XWP0B/JpxamZ1UJY=
+github.com/replicatedhq/troubleshoot v0.109.0 h1:lw81hf/lD9/YPj+VOyGdDnw7FSCJkignPQYLVpjnl2k=
+github.com/replicatedhq/troubleshoot v0.109.0/go.mod h1:mxf8uoKpyFhaYfR3NV1iPwztBf8XWP0B/JpxamZ1UJY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
diff --git a/pkg/preflights/host-preflight.yaml b/pkg/preflights/host-preflight.yaml
index 546a45c7b..a3d68d7ff 100644
--- a/pkg/preflights/host-preflight.yaml
+++ b/pkg/preflights/host-preflight.yaml
@@ -148,6 +148,7 @@ spec:
 exclude: '{{ eq .GlobalCIDR.CIDR "" }}'
 CIDRRangeAlloc: '{{ .GlobalCIDR.CIDR }}'
 desiredCIDR: {{.GlobalCIDR.Size}}
+ - sysctl: {}
 analyzers:
 - cpu:
 checkName: CPU
@@ -834,3 +835,39 @@ spec:
 - pass:
 when: "a-subnet-is-available"
 message: Specified CIDR is available.
+ - sysctl:
+ checkName: "ARP Filter default value for newly created interfaces"
+ outcomes:
+ - fail:
+ when: 'net.ipv4.conf.default.arp_filter > 0'
+ message: "ARP filtering must be disabled by default for newly created interfaces on the host. To disable it, edit /etc/sysctl.conf, add the line 'net.ipv4.conf.default.arp_filter=0', and run 'sudo sysctl -p'."
+ - pass:
+ when: 'net.ipv4.conf.default.arp_filter == 0'
+ message: "ARP filtering is disabled by default for newly created interfaces on the host."
+ - sysctl:
+ checkName: "ARP Filter value for all interfaces"
+ outcomes:
+ - fail:
+ when: 'net.ipv4.conf.all.arp_filter > 0'
+ message: "ARP filtering must be disabled for all interfaces on the host. To disable it, edit /etc/sysctl.conf, add the line 'net.ipv4.conf.all.arp_filter=0', and run 'sudo sysctl -p'."
+ - pass:
+ when: 'net.ipv4.conf.all.arp_filter == 0'
+ message: "ARP filtering is disabled for all interfaces on the host."
+ - sysctl:
+ checkName: "ARP Ignore default value for newly created interfaces"
+ outcomes:
+ - fail:
+ when: 'net.ipv4.conf.default.arp_ignore > 0'
+ message: "ARP ignore must be disabled by default for newly created interfaces on the host. To disable it, edit /etc/sysctl.conf, add the line 'net.ipv4.conf.default.arp_ignore=0', and run 'sudo sysctl -p'."
+ - pass:
+ when: 'net.ipv4.conf.default.arp_ignore == 0'
+ message: "ARP ignore is disabled by default for newly created interfaces on the host."
+ - sysctl:
+ checkName: "ARP Ignore value for all interfaces"
+ outcomes:
+ - fail:
+ when: 'net.ipv4.conf.all.arp_ignore > 0'
+ message: "ARP ignore must be disabled for all interfaces on the host. To disable it, edit /etc/sysctl.conf, add the line 'net.ipv4.conf.all.arp_ignore=0', and run 'sudo sysctl -p'."
+ - pass:
+ when: 'net.ipv4.conf.all.arp_ignore == 0'
+ message: "ARP ignore is disabled for all interfaces on the host."
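Review bot: The four new sysctl analyzers read only the `net.ipv4.conf.all.*` and `net.ipv4.conf.default.*` keys, so a nonzero `arp_ignore`/`arp_filter` set directly on an existing interface (e.g. `net.ipv4.conf.eth0.arp_ignore=1`, which per-NIC hardening profiles may apply) still takes effect on that interface — the kernel combines the `all` and per-interface values — yet passes this preflight; either collect and check the per-interface keys as well, or say in the check name that only the `all`/`default` values are verified. Each analyzer also has only a `fail` (`> 0`) and a `pass` (`== 0`) outcome, so a key missing from the collected sysctl output (IPv4 disabled, collector failure) matches neither branch; what the analyzer reports then is not visible here, and a trailing catch-all outcome such as a `warn` with `message: "Could not read net.ipv4.conf.all.arp_filter on the host."` would make it explicit. The fail messages direct the operator to `/etc/sysctl.conf` and `sudo sysctl -p`, but a drop-in under `/etc/sysctl.d/` or a configuration-management run can reapply the nonzero value at the next boot, so the message should add that conflicting drop-ins must be removed too. Since these are hardening knobs the operator is being asked to relax, the message should also state why they must be 0 (presumably the cluster's networking needs the host to answer ARP for addresses on other interfaces — the commit does not say), otherwise a security-conscious operator will push back. The `analyzers` list these entries are appended to begins outside the hunk.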