예제 #1
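    def clean_docker_iptables_rules(self, ports):
        """Delete the DNAT rules docker left in the DOCKER nat chain.

        Sometimes when we run docker stop (version dc9c28f/0.10.0) it
        doesn't clean up its iptables rules. As a result, when a new
        container is started on the same port there are two rules for
        that port pointing at different IPs; they have to be removed to
        prevent service unavailability.

        Example of the problem:
          $ iptables -t nat -S
          ...
          -A DOCKER -p tcp -m tcp --dport 443 -j DNAT \
            --to-destination 172.17.0.7:443
          -A DOCKER -p tcp -m tcp --dport 443 -j DNAT \
            --to-destination 172.17.0.3:443

        Every DOCKER DNAT rule for a listed port is deleted, not only the
        stale one.

        :param ports: list of ports to clean up
        """
        # re.escape keeps each port literal inside the pattern, so a value
        # such as '4.3' or '80|443' cannot widen the set of matched rules.
        patterns = [
            re.compile(
                '^-A DOCKER .+ --dport {0} '
                '-j DNAT --to-destination .+'.format(re.escape(str(port))))
            for port in ports
        ]

        # Queue each listed rule at most once, even when `ports` repeats a
        # port; a second -D for a rule that is already gone would fail.
        rules_to_deletion = [
            rule for rule in utils.exec_cmd_iterator('iptables -t nat -S')
            if any(pattern.match(rule) for pattern in patterns)
        ]

        for rule in rules_to_deletion:
            # Remove -A (add) prefix and use -D (delete) instead.
            # NOTE(review): the rule text is taken from iptables output and
            # formatted into a command string. If utils.exec_cmd hands that
            # string to a shell, quoted rule fields are re-interpreted by
            # the shell -- confirm how exec_cmd executes it.
            utils.exec_cmd('iptables -t nat -D {0}'.format(rule[2:]))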
예제 #2
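    def clean_docker_iptables_rules(self, ports):
        """Remove leftover docker DNAT rules for the given ports.

        Sometimes when we run docker stop (version dc9c28f/0.10.0) it
        doesn't clean up its iptables rules. As a result, when a new
        container is started on the same port there are two rules with
        the same port but different IPs; these rules have to be cleaned
        up to prevent service unavailability.

        Example of the problem:
          $ iptables -t nat -S
          ...
          -A DOCKER -p tcp -m tcp --dport 443 -j DNAT \
            --to-destination 172.17.0.7:443
          -A DOCKER -p tcp -m tcp --dport 443 -j DNAT \
            --to-destination 172.17.0.3:443

        All DOCKER DNAT rules for a listed port are removed, whichever
        destination they point at.

        :param ports: list of ports to clean up
        """
        rules_to_deletion = []
        # Escape the port before it goes into the regex so that it can
        # only ever match itself (regex metacharacters stay literal).
        patterns = [
            re.compile('^-A DOCKER .+ --dport {0} '
                       '-j DNAT --to-destination .+'.format(
                           re.escape(str(port))))
            for port in ports
        ]

        for rule in utils.exec_cmd_iterator('iptables -t nat -S'):
            for pattern in patterns:
                if pattern.match(rule):
                    rules_to_deletion.append(rule)
                    # One match is enough: without the break a port that
                    # is listed twice would queue the same rule twice and
                    # the second delete would target a missing rule.
                    break

        for rule in rules_to_deletion:
            # Remove -A (add) prefix and use -D (delete) instead.
            # NOTE(review): rule text from iptables output is placed into
            # the command string unquoted; confirm whether utils.exec_cmd
            # runs it through a shell before relying on this for rules
            # that carry quoted fields.
            utils.exec_cmd('iptables -t nat -D {0}'.format(rule[2:]))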
예제 #3
    def check_if_required(self):
        """Tell whether this step still has to run.

        Returns False as soon as one of the "not required" conditions
        below holds; otherwise the answer depends on the version that
        `docker --version` reports.

        NOTE(review): self._container is formatted into the command
        string. If exec_cmd_iterator runs commands through a shell, the
        value has to come from trusted configuration -- confirm.
        """
        # not required if fuel is already higher than 6.1
        fuel_is_newer = compare_version('6.1', self.config.from_version) > 0
        if fuel_is_newer:
            return False

        # not required if container is in privileged mode already
        inspect_cmd = 'docker inspect {0}'.format(self._container)
        inspect_json = '\n'.join(exec_cmd_iterator(inspect_cmd))
        host_config = json.loads(inspect_json)[0].get('HostConfig', {})
        if host_config.get('Privileged'):
            return False

        # not required if docker is already higher than 0.11
        version_output = '\n'.join(exec_cmd_iterator('docker --version'))
        found = self._docker_version.match(version_output)
        if not found:
            return False
        return compare_version('0.11.0', found.group(1)) < 0
    def check_if_required(self):
        """Return True only when none of the skip conditions applies.

        Three checks run in order: the version being upgraded from, the
        container's Privileged flag from `docker inspect`, and the
        installed docker version.

        NOTE(review): the container name is interpolated into the
        `docker inspect` command line unquoted; verify that it cannot be
        influenced by untrusted input if the command is run via a shell.
        """
        # not required if fuel is already higher than 6.1
        if compare_version('6.1', self.config.from_version) > 0:
            return False

        # not required if container is in privileged mode already
        inspected = json.loads('\n'.join(exec_cmd_iterator(
            'docker inspect {0}'.format(self._container))))
        first_entry = inspected[0]
        privileged = first_entry.get('HostConfig', {}).get('Privileged')
        if privileged:
            return False

        # not required if docker is already higher than 0.11
        reported = '\n'.join(exec_cmd_iterator('docker --version'))
        version_match = self._docker_version.match(reported)
        # No recognisable version in the output means "not required".
        return version_match is not None and (
            compare_version('0.11.0', version_match.group(1)) < 0)
    def test_exec_cmd_iterator_raises_error_in_case_of_non_zero_exit_code(
            self):
        """A non-zero exit code makes exec_cmd_iterator raise.

        The expected message is used as a regular expression by
        assertRaisesRegexp, so it is matched, not compared for equality.
        """
        command = 'some command'
        exit_code = 1
        expected_message = (
            'Shell command executed with "{0}" '
            'exit code: {1} '.format(exit_code, command))

        fake_process = self.make_process_mock(return_code=exit_code)
        with patch.object(subprocess, 'Popen', return_value=fake_process):
            with self.assertRaisesRegexp(
                    errors.ExecutedErrorNonZeroExitCode, expected_message):
                for output_line in exec_cmd_iterator(command):
                    self.assertTrue(output_line.startswith('Stdout line '))
예제 #6
    def test_exec_cmd_iterator_raises_error_in_case_of_non_zero_exit_code(
            self):
        """exec_cmd_iterator must raise when the process exits with 1.

        Popen is replaced by a mock process, so no real command runs.
        """
        shell_command = 'some command'
        failing_code = 1
        mocked_process = self.make_process_mock(return_code=failing_code)

        popen_patch = patch.object(
            subprocess, 'Popen', return_value=mocked_process)
        with popen_patch:
            # The message pattern is built inside the patched context,
            # exactly where the original built it.
            raises_ctx = self.assertRaisesRegexp(
                errors.ExecutedErrorNonZeroExitCode,
                'Shell command executed with "{0}" '
                'exit code: {1} '.format(failing_code, shell_command))
            with raises_ctx:
                for stdout_line in exec_cmd_iterator(shell_command):
                    self.assertTrue(stdout_line.startswith('Stdout line '))
예제 #7
    def test_exec_cmd_iterator_executes_sucessfuly(self):
        """exec_cmd_iterator yields lines and spawns exactly one process.

        The Popen assertion pins shell=True: the command string is handed
        to a shell as-is, so callers of exec_cmd_iterator must not build
        it from untrusted input.
        """
        command = 'some command'
        expected_popen_kwargs = {
            'stdout': subprocess.PIPE,
            'stderr': subprocess.PIPE,
            'shell': True,
        }

        fake_process = self.make_process_mock()
        with patch.object(subprocess, 'Popen',
                          return_value=fake_process) as popen_mock:
            for output_line in exec_cmd_iterator(command):
                self.assertTrue(output_line.startswith('Stdout line '))

        popen_mock.assert_called_once_with(command, **expected_popen_kwargs)
    def test_exec_cmd_iterator_executes_sucessfuly(self):
        """Happy path: every yielded line is checked, Popen is called once.

        Popen is expected to receive the raw command string with
        shell=True and both output streams piped; anything interpolated
        into that string is therefore interpreted by the shell.
        """
        shell_command = 'some command'
        mocked_process = self.make_process_mock()

        popen_patch = patch.object(
            subprocess, 'Popen', return_value=mocked_process)
        with popen_patch as popen_mock:
            for stdout_line in exec_cmd_iterator(shell_command):
                self.assertTrue(stdout_line.startswith('Stdout line '))

        popen_mock.assert_called_once_with(
            shell_command,
            shell=True,
            stderr=subprocess.PIPE,
            stdout=subprocess.PIPE)
예제 #9
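    def clean_docker_iptables_rules(self, ports):
        """Delete leftover docker DNAT rules, then dump the firewall state.

        Sometimes when we run docker stop (version dc9c28f/0.10.0) it
        doesn't clean up its iptables rules. As a result, when a new
        container is started on the same port there are two rules with
        the same port but different IPs; these rules have to be cleaned
        up to prevent service unavailability.

        Example of the problem:
          $ iptables -t nat -S
          ...
          -A DOCKER -p tcp -m tcp --dport 443 -j DNAT \
            --to-destination 172.17.0.7:443
          -A DOCKER -p tcp -m tcp --dport 443 -j DNAT \
            --to-destination 172.17.0.3:443

        Every DOCKER DNAT rule for a listed port is deleted, not only the
        stale one. Afterwards the current rules and the saved iptables
        files are printed through utils.exec_cmd for debugging.

        :param ports: list of ports to clean up
        """
        # Escape the port so it is matched literally; regex metacharacters
        # in a port value must not select rules for other ports.
        patterns = [
            re.compile(
                '^-A DOCKER .+ --dport {0} '
                '-j DNAT --to-destination .+'.format(re.escape(str(port))))
            for port in ports
        ]

        # any() records a rule once per listed line, so a port repeated in
        # `ports` no longer queues the same rule for deletion twice.
        rules_to_deletion = [
            rule for rule in utils.exec_cmd_iterator('iptables -t nat -S')
            if any(pattern.match(rule) for pattern in patterns)
        ]

        for rule in rules_to_deletion:
            # Remove -A (add) prefix and use -D (delete) instead.
            # NOTE(review): the rule text is reused unquoted in a command
            # string; confirm whether utils.exec_cmd passes it to a shell.
            utils.exec_cmd('iptables -t nat -D {0}'.format(rule[2:]))

        # NOTE(eli): Run list of rules again,
        # it's required to debug the problem
        # with inter-container communication
        # https://bugs.launchpad.net/fuel/+bug/1349287
        # NOTE(review): these commands expose the host's complete firewall
        # configuration; if exec_cmd logs command output, the log should
        # be handled as sensitive -- confirm where the output ends up.
        utils.exec_cmd('iptables -t nat -S')
        utils.exec_cmd('iptables -S')
        utils.exec_cmd('cat /etc/sysconfig/iptables')
        utils.exec_cmd('cat /etc/sysconfig/iptables.save')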