[caclmgrd][chassis]: Fix missing acl rules to allow internal docker traffic from fabric namespaces #13
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
traffic from fabric asic namespaces. Signed-off-by: Suvarna Meenakshi <sumeenak@microsoft.com>
|
Can you rebase your branch ? |
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Signed-off-by: Suvarna Meenakshi <sumeenak@microsoft.com>
7 tasks
SuvarnaMeenakshi
added a commit
to sonic-net/sonic-buildimage
that referenced
this pull request
Nov 1, 2022
…docker traffic from fabric namespaces (#11956) Why I did it Changes from master branch PR sonic-net/sonic-host-services#13 est_cacl_application fails on VoQ chassis Supervisor with the error: Failed: Missing expected iptables rules: set(['-A INPUT -s 240.127.1.1/32 -d 240.127.1.1/32 -j ACCEPT', '-A INPUT -s 240.127.1.3/32 -d 240.127.1.1/32 -j ACCEPT', '-A INPUT -s 240.127.1.2/32 -d 240.127.1.1/32 -j ACCEPT']) This failure is seen because acl rules to allow traffic from fabric namespaces is missing. This PR is to include fabric namespace docker mgmt ips so that acl rules to allow traffic from namespace is added for fabric namespace as well. How I did it Get list of fabric namespaces, use this list to get docker mgmt ip of fabric asic namespace as well. How to verify it Verified on voq chassis. unit-test passes
isabelmsft
pushed a commit
to isabelmsft/sonic-host-services
that referenced
this pull request
Dec 31, 2022
Telemetry support for streaming events
ganglyu
pushed a commit
that referenced
this pull request
Feb 13, 2023
…docker traffic from fabric namespaces (#11956) Why I did it Changes from master branch PR #13 est_cacl_application fails on VoQ chassis Supervisor with the error: Failed: Missing expected iptables rules: set(['-A INPUT -s 240.127.1.1/32 -d 240.127.1.1/32 -j ACCEPT', '-A INPUT -s 240.127.1.3/32 -d 240.127.1.1/32 -j ACCEPT', '-A INPUT -s 240.127.1.2/32 -d 240.127.1.1/32 -j ACCEPT']) This failure is seen because acl rules to allow traffic from fabric namespaces is missing. This PR is to include fabric namespace docker mgmt ips so that acl rules to allow traffic from namespace is added for fabric namespace as well. How I did it Get list of fabric namespaces, use this list to get docker mgmt ip of fabric asic namespace as well. How to verify it Verified on voq chassis. unit-test passes
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Suvarna Meenakshi sumeenak@microsoft.com
Requires sonic-net/sonic-buildimage#11793
test_cacl_application fails on VoQ chassis Supervisor with the error:
Failed: Missing expected iptables rules: set(['-A INPUT -s 240.127.1.1/32 -d 240.127.1.1/32 -j ACCEPT', '-A INPUT -s 240.127.1.3/32 -d 240.127.1.1/32 -j ACCEPT', '-A INPUT -s 240.127.1.2/32 -d 240.127.1.1/32 -j ACCEPT'])
This failure is seen because acl rules to allow traffic from fabric namespaces is missing.
This PR is to include fabric namespace docker mgmt ips so that acl rules to allow traffic from namespace is added for fabric namespace as well.
Initial PR which added support for multi-asic for reference: sonic-net/sonic-buildimage#5022