Create xtables.lock as a file if it doesn't already exist
Default host path mounts create a directory if the mounted path
doesn't correspond to anything, which ends up breaking iptables. This
fixes that by ensuring that xtables.lock is created as a file if it
doesn't already exist; subsequent invocations of iptables on the host
(if any) will then be able to use the new file for locking.

Signed-off-by: Stephen Kitt <skitt@redhat.com>
skitt committed Oct 13, 2023
1 parent 25d3fd1 commit 05b0ada
Showing 2 changed files with 2 additions and 2 deletions.
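--- a/controllers/submariner/globalnet_resources.go
+++ b/controllers/submariner/globalnet_resources.go
@@ -71,7 +71,7 @@ func newGlobalnetDaemonSet(cr *v1alpha1.Submariner, name string) *appsv1.DaemonS
 Spec: corev1.PodSpec{
 Volumes: []corev1.Volume{
 {Name: "host-run-xtables-lock", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{
-Path: "/run/xtables.lock",
+Path: "/run/xtables.lock", Type: ptr.To(corev1.HostPathFileOrCreate),
 }}},
 },
 Containers: []corev1.Container{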
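Review bot: Nodes where the earlier, untyped mount already left a directory at `/run/xtables.lock` are not handled by this change: with `corev1.HostPathFileOrCreate` the kubelet's hostPath type check fails when the path exists and is not a file, so the globalnet pod (and the route agent pod, which gets the same change in route_agent_resources.go) would likely fail to start on such a node until the directory is removed or the node reboots and /run is recreated. Nothing in the visible hunks cleans that up, so it is worth confirming the upgrade path or calling it out in the release notes. This volume entry also has no comment, unlike the route agent's; I would add `// FileOrCreate: an untyped hostPath mount creates a directory when the path is missing, which breaks iptables locking on the host` above it. newGlobalnetDaemonSet starts and ends outside the hunk.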
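--- a/controllers/submariner/route_agent_resources.go
+++ b/controllers/submariner/route_agent_resources.go
@@ -74,7 +74,7 @@ func newRouteAgentDaemonSet(cr *v1alpha1.Submariner, name string) *appsv1.Daemon
 Volumes: []corev1.Volume{
 // We need to share /run/xtables.lock with the host for iptables
 {Name: "host-run-xtables-lock", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{
-Path: "/run/xtables.lock",
+Path: "/run/xtables.lock", Type: ptr.To(corev1.HostPathFileOrCreate),
 }}},
 // We need to share /run/openvswitch/db.sock with the host for OVS
 {Name: "host-run-openvswitch-db-sock", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{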
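Review bot: The `host-run-xtables-lock` volume literal in this hunk is now an exact copy of the one in globalnet_resources.go, and the two had to be edited in lockstep here; a small package-level helper returning the `corev1.Volume` (for example `xtablesLockVolume()`, name to be chosen) would keep the hostPath type from drifting between the two DaemonSets. The existing comment above the entry could also say why the type is set, e.g. `// We need to share /run/xtables.lock with the host for iptables; FileOrCreate keeps it a file if the host has not created it yet`. newRouteAgentDaemonSet continues outside the hunk.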
