zhangguanzhang's Blog

统信USO 20 hostPort 无法访问

uos
字数统计: 761阅读时长: 3 min
2020/10/30

由来

这些天陆续发现很多客户是统信的系统,部署我们业务后无法访问

环境信息

我自己环境和客户的环境都遇到了无法访问,我自己测试的机器信息是:

1
2
3
4
5
6
7
8
9
10
11
$ cat /etc/os-release
PRETTY_NAME="Uniontech OS Server 20 Enterprise"
NAME="Uniontech OS Server 20 Enterprise"
VERSION_ID="20"
VERSION="20"
ID=UOS
HOME_URL="https://www.chinauos.com/"
BUG_REPORT_URL="http://bbs.chinauos.com"
VERSION_CODENAME=fou
$ uname -a
Linux xxx-PC 4.19.0-arm64-server #1760 SMP Tue Jun 30 19:51:30 CST 2020 aarch64 GNU/Linux

客户信息是:

1
2
3
4
5
6
7
8
9
10
$ cat /etc/os-release
PRETTY_NAME="uos 20 SP1"
NAME="uos"
VERSION_ID="20 SP1"
VERSION="20 SP1"
ID=uos
HOME_URL="https://www.chinauos.com/"
BUG_REPORT_URL="http://bbs.chinauos.com"
$ uname -a
Linux kunpeng-PC 4.19.0-arm64-server #1707 SMP Thu Mar 26 17:43:52 CST 2020 aarch64 GNU/Linux

k8s 版本信息:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
$ kubectl version -o json
{
  "clientVersion": {
    "major": "1",
    "minor": "15",
    "gitVersion": "v1.15.12",
    "gitCommit": "e2a822d9f3c2fdb5c9bfbe64313cf9f657f0a725",
    "gitTreeState": "clean",
    "buildDate": "2020-05-06T05:17:59Z",
    "goVersion": "go1.12.17",
    "compiler": "gc",
    "platform": "linux/arm64"
  },
  "serverVersion": {
    "major": "1",
    "minor": "15",
    "gitVersion": "v1.15.12",
    "gitCommit": "e2a822d9f3c2fdb5c9bfbe64313cf9f657f0a725",
    "gitTreeState": "clean",
    "buildDate": "2020-05-06T05:09:48Z",
    "goVersion": "go1.12.17",
    "compiler": "gc",
    "platform": "linux/arm64"
  }
}

理论上v1.15以后的大版本号都不会有这种问题

问题现象和解决手段

问题现象

我们业务入口是一个用的 hostPort 的 nginx ,部署好后无法访问,在宿主机上 curl 也会无法访问,同时 iptables 的条目会异常(下面的-m mark各个系统的先后可能顺序不同):

1
2
3
4
5
6
7
8
9
10
$ iptables -S
...
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
.....
$ iptables -S | grep 'KUBE-FIREWALL' | wc -l
11054

实际上这个问题就是因为统信系统基于 ubuntu 改的,很多新发行版系统包括centos8都是开始使用nf_tables 作为 rule 规则管理,默认的 iptablesnf_tables,低版本kube-proxy对它的兼容性不好,需要我们切换下 iptables 到老版本。

防止相关进程更新 iptables,每台机器都得这样操作,先停掉相关进程

1
systemctl stop docker kubelet kube-proxy

清空iptables

1
2
3
4
5
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
kube-proxy --cleanup

切换到老的 iptables,apt 系列的 update-alternatives 是系统自带的软连接管理,下面是把老的 iptables 做成系统PATH的软连

1
2
3
4
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives --set arptables /usr/sbin/arptables-legacy
update-alternatives --set ebtables /usr/sbin/ebtables-legacy

然后启动相关的,恢复正常

1
systemctl start docker kubelet kube-proxy

原文作者:Zhangguanzhang

原文链接:http://zhangguanzhang.github.io/2020/10/30/uos20-nftables/

发表日期:October 30th 2020, 6:31:01 pm

更新日期:October 30th 2020, 6:31:01 pm

版权声明:本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

CATALOG
  1. 1. 由来
    1. 1.1. 环境信息
    2. 1.2. 问题现象和解决手段
      1. 1.2.1. 问题现象
Total : 177
2024
2023
2022
2021
2020
2019
2018
2017
2016
linux 微信 diy 8266 总结 ipmi CLP k8s Mismatch Altium Designer ansible consul docker lnmp 安卓 Linux kernel prometheus exporter boot grub cad tcp golang centos6 chromedp chrony kubernetes cni-plugins mips64le kubeconfig swap dlv adguardhome dns Dockerfile e2fsck fsck keepavlied ecs xmrig etcd fio flannel ftp go mod go gobot esp8266 hello world host-gw mqtt 原创 jira confluence kube-controller-manager java springboot vip keepalived ConfigMap PodAffinity kylin arm64 Kylin audit fs nginx microsoft graph onedrive nodeport usb-net overlay kernal preseed Prometheus openstack cloud-init python containerd keepalive shell bash skopeo ssh kubelet systemd dockerhub gcr.io api ubuntu18 initrd tftp uos x86 openwrt zabbix zombie 正则 awk EmuELEC ingress N1 cobra hang cifs http lvs ipvsadm kube-proxy 63s timeout lamp nfc pm3 coredns openshift ocp squashfs timezone rpm rpmbuild segfault suse wireguard raid kubeadm operator exsi redhat8.4 vxlan veth panic supervisor pyinstaller ttf woff hostname qemu binfmt_misc loongarch64 externalIP cgo nfs ipset proxmox non-root containers vmware hung apparmor serviceAccountToken gpu nvidia cri-dockerd pprof
日志 心得 闲搞 ipmi kubernetes ansible kubelet Linux 心得 prometheus boot Auto cad boot golang kubeconfig grub linux centos6 容器 docker docker 容器 openstack boot vsftp go version panic gobot 闲聊 iptables admission kube-controller-manager keepalived k8s Prometheus Job k8s lua microsoft openwrt preseed Prometheus proxmox 总结 CI Kylin ubuntu18 pxe uos graph 运维 zombie 技巧 travis docker onedrive kickstart consul fstab http vxlan coredns node-cache golang kmem suse wireguard raid kubeadm LVM kickstart prometheus raid