Merge remote-tracking branch 'origin/main' into k0s-1-29

Author: emosbaugh

.github/workflows/distros.yaml

@@ -41,6 +41,9 @@ jobs:
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
+        with:
+          # see https://github.com/tonistiigi/binfmt/issues/215
+          image: tonistiigi/binfmt:qemu-v7.0.0
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3

Makefile

@@ -15,7 +15,7 @@ K0S_GO_VERSION = v1.29.13+k0s.0
 PREVIOUS_K0S_VERSION ?= v1.28.14+k0s.0-ec.0
 PREVIOUS_K0S_GO_VERSION ?= v1.28.14+k0s.0
 K0S_BINARY_SOURCE_OVERRIDE =
-TROUBLESHOOT_VERSION = v0.116.3
+TROUBLESHOOT_VERSION = v0.116.4
 
 KOTS_VERSION = v$(shell awk '/^version/{print $$2}' pkg/addons/adminconsole/static/metadata.yaml | sed -E 's/([0-9]+\.[0-9]+\.[0-9]+).*/\1/')
 # When updating KOTS_BINARY_URL_OVERRIDE, also update the KOTS_VERSION above or

cmd/installer/cli/firewalld.go

@@ -0,0 +1,178 @@
+package cli
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/replicatedhq/embedded-cluster/pkg/helpers/firewalld"
+	"github.com/sirupsen/logrus"
+	"go.uber.org/multierr"
+)
+
+// configureFirewalld configures firewalld for the cluster. It adds the ec-net zone for pod and
+// service communication with default target ACCEPT, and opens the necessary ports in the default
+// zone for k0s and k8s components on the host network.
+func configureFirewalld(ctx context.Context, podNetwork, serviceNetwork string) error {
+	isActive, err := firewalld.IsFirewalldActive(ctx)
+	if err != nil {
+		return fmt.Errorf("check if firewalld is active: %w", err)
+	}
+	if !isActive {
+		logrus.Debugf("firewalld is not active, skipping configuration")
+		return nil
+	}
+
+	logrus.Debugf("firewalld is active, configuring")
+
+	cmdExists, err := firewalld.FirewallCmdExists(ctx)
+	if err != nil {
+		return fmt.Errorf("check if firewall-cmd exists: %w", err)
+	}
+	if !cmdExists {
+		logrus.Debugf("firewall-cmd not found but firewalld is active, skipping firewalld configuration")
+		return nil
+	}
+
+	err = ensureFirewalldECNetZone(ctx, podNetwork, serviceNetwork)
+	if err != nil {
+		return fmt.Errorf("ensure ec-net zone: %w", err)
+	}
+
+	err = ensureFirewalldDefaultZone(ctx)
+	if err != nil {
+		return fmt.Errorf("ensure default zone: %w", err)
+	}
+
+	err = firewalld.Reload(ctx)
+	if err != nil {
+		return fmt.Errorf("reload firewalld: %w", err)
+	}
+
+	return nil
+}
+
+// resetFirewalld removes all firewalld configuration added by the installer.
+func resetFirewalld(ctx context.Context) (finalErr error) {
+	cmdExists, err := firewalld.FirewallCmdExists(ctx)
+	if err != nil {
+		return fmt.Errorf("check if firewall-cmd exists: %w", err)
+	}
+	if !cmdExists {
+		return nil
+	}
+
+	err = resetFirewalldECNetZone(ctx)
+	if err != nil {
+		finalErr = multierr.Append(finalErr, fmt.Errorf("reset ec-net zone: %w", err))
+	}
+
+	err = resetFirewalldDefaultZone(ctx)
+	if err != nil {
+		finalErr = multierr.Append(finalErr, fmt.Errorf("reset default zone: %w", err))
+	}
+
+	err = firewalld.Reload(ctx)
+	if err != nil {
+		return fmt.Errorf("reload firewalld: %w", err)
+	}
+
+	return
+}
+
+func ensureFirewalldECNetZone(ctx context.Context, podNetwork, serviceNetwork string) error {
+	opts := []firewalld.Option{
+		firewalld.IsPermanent(),
+		firewalld.WithZone("ec-net"),
+	}
+
+	exists, err := firewalld.ZoneExists(ctx, "ec-net")
+	if err != nil {
+		return fmt.Errorf("check if ec-net zone exists: %w", err)
+	} else if !exists {
+		err = firewalld.NewZone(ctx, "ec-net", opts...)
+		if err != nil {
+			return fmt.Errorf("create ec-net zone: %w", err)
+		}
+	}
+
+	// Set the default target to ACCEPT for pod and service networks
+	err = firewalld.SetZoneTarget(ctx, "ACCEPT", opts...)
+	if err != nil {
+		return fmt.Errorf("set target to ACCEPT: %w", err)
+	}
+
+	err = firewalld.AddSourceToZone(ctx, podNetwork, opts...)
+	if err != nil {
+		return fmt.Errorf("add pod network source: %w", err)
+	}
+
+	err = firewalld.AddSourceToZone(ctx, serviceNetwork, opts...)
+	if err != nil {
+		return fmt.Errorf("add service network source: %w", err)
+	}
+
+	// Add the calico interfaces
+	// This is redundant and overlaps with the pod network but we add it anyway
+	calicoIfaces := []string{"cali+", "tunl+", "vxlan-v6.calico", "vxlan.calico", "wg-v6.cali", "wireguard.cali"}
+	for _, iface := range calicoIfaces {
+		err = firewalld.AddInterfaceToZone(ctx, iface, opts...)
+		if err != nil {
+			return fmt.Errorf("add %s interface: %w", iface, err)
+		}
+	}
+
+	return nil
+}
+
+func resetFirewalldECNetZone(ctx context.Context) (finalErr error) {
+	opts := []firewalld.Option{
+		firewalld.IsPermanent(),
+	}
+
+	exists, err := firewalld.ZoneExists(ctx, "ec-net")
+	if err != nil {
+		return fmt.Errorf("check if ec-net zone exists: %w", err)
+	} else if !exists {
+		return nil
+	}
+
+	err = firewalld.DeleteZone(ctx, "ec-net", opts...)
+	if err != nil {
+		return fmt.Errorf("delete ec-net zone: %w", err)
+	}
+
+	return
+}
+
+func ensureFirewalldDefaultZone(ctx context.Context) error {
+	opts := []firewalld.Option{
+		firewalld.IsPermanent(),
+	}
+
+	// Allow other nodes to connect to k0s core components
+	ports := []string{"6443/tcp", "10250/tcp", "9443/tcp", "2380/tcp", "4789/udp"}
+	for _, port := range ports {
+		err := firewalld.AddPortToZone(ctx, port, opts...)
+		if err != nil {
+			return fmt.Errorf("add %s port: %w", port, err)
+		}
+	}
+
+	return nil
+}
+
+func resetFirewalldDefaultZone(ctx context.Context) (finalErr error) {
+	opts := []firewalld.Option{
+		firewalld.IsPermanent(),
+	}
+
+	ports := []string{"6443/tcp", "10250/tcp", "9443/tcp", "2380/tcp", "4789/udp"}
+	for _, port := range ports {
+		err := firewalld.RemovePortFromZone(ctx, port, opts...)
+		if err != nil {
+			finalErr = multierr.Append(finalErr, fmt.Errorf("remove %s port: %w", port, err))
+		}
+	}
+
+	return
+}

cmd/installer/cli/install.go

@@ -10,6 +10,7 @@ import (
 	"runtime"
 	"sort"
 	"strings"
+	"syscall"
 	"time"
 
 	"github.com/gosimple/slug"
@@ -171,6 +172,10 @@ func preRunInstall(cmd *cobra.Command, flags *InstallCmdFlags) error {
 		return fmt.Errorf("install command must be run as root")
 	}
 
+	// set the umask to 022 so that we can create files/directories with 755 permissions
+	// this does not return an error - it returns the previous umask
+	_ = syscall.Umask(0o022)
+
 	p, err := parseProxyFlags(cmd)
 	if err != nil {
 		return err
@@ -265,6 +270,11 @@ func runInstall(ctx context.Context, name string, flags InstallCmdFlags, metrics
 		return fmt.Errorf("unable to configure network manager: %w", err)
 	}
 
+	logrus.Debugf("configuring firewalld")
+	if err := configureFirewalld(ctx, flags.cidrCfg.PodCIDR, flags.cidrCfg.ServiceCIDR); err != nil {
+		logrus.Debugf("unable to configure firewalld: %v", err)
+	}
+
 	logrus.Debugf("running install preflights")
 	if err := runInstallPreflights(ctx, flags, metricsReporter); err != nil {
 		if errors.Is(err, preflights.ErrPreflightsHaveFail) {

cmd/installer/cli/join.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"os"
 	"strings"
+	"syscall"
 
 	ecv1beta1 "github.com/replicatedhq/embedded-cluster/kinds/apis/v1beta1"
 	"github.com/replicatedhq/embedded-cluster/pkg/addons"
@@ -96,6 +97,10 @@ func preRunJoin(flags *JoinCmdFlags) error {
 
 	flags.isAirgap = flags.airgapBundle != ""
 
+	// set the umask to 022 so that we can create files/directories with 755 permissions
+	// this does not return an error - it returns the previous umask
+	_ = syscall.Umask(0o022)
+
 	return nil
 }
 
@@ -153,6 +158,11 @@ func runJoin(ctx context.Context, name string, flags JoinCmdFlags, jcmd *kotsadm
 		return fmt.Errorf("unable to get join CIDR config: %w", err)
 	}
 
+	logrus.Debugf("configuring firewalld")
+	if err := configureFirewalld(ctx, cidrCfg.PodCIDR, cidrCfg.ServiceCIDR); err != nil {
+		logrus.Debugf("unable to configure firewalld: %v", err)
+	}
+
 	logrus.Debugf("running join preflights")
 	if err := runJoinPreflights(ctx, jcmd, flags, cidrCfg, metricsReporter); err != nil {
 		if errors.Is(err, preflights.ErrPreflightsHaveFail) {

cmd/installer/cli/reset.go

@@ -142,6 +142,12 @@ func ResetCmd(ctx context.Context, name string) *cobra.Command {
 				return err
 			}
 
+			logrus.Debugf("Resetting firewalld...")
+			err = resetFirewalld(ctx)
+			if !checkErrPrompt(assumeYes, force, err) {
+				return fmt.Errorf("failed to reset firewalld: %w", err)
+			}
+
 			if err := helpers.RemoveAll(runtimeconfig.PathToK0sConfig()); err != nil {
 				return fmt.Errorf("failed to remove k0s config: %w", err)
 			}
@@ -214,6 +220,8 @@ func ResetCmd(ctx context.Context, name string) *cobra.Command {
 	cmd.Flags().BoolVar(&assumeYes, "yes", false, "Assume yes to all prompts.")
 	cmd.Flags().SetNormalizeFunc(normalizeNoPromptToYes)
 
+	cmd.AddCommand(ResetFirewalldCmd(ctx, name))
+
 	return cmd
 }
 

cmd/installer/cli/reset_firewalld.go

@@ -0,0 +1,44 @@
+package cli
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/replicatedhq/embedded-cluster/pkg/runtimeconfig"
+	rcutil "github.com/replicatedhq/embedded-cluster/pkg/runtimeconfig/util"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+func ResetFirewalldCmd(ctx context.Context, name string) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:    "firewalld",
+		Short:  "Remove %s firewalld configuration from the current node",
+		Hidden: true,
+		PreRunE: func(cmd *cobra.Command, args []string) error {
+			if os.Getuid() != 0 {
+				return fmt.Errorf("reset firewalld command must be run as root")
+			}
+
+			rcutil.InitBestRuntimeConfig(cmd.Context())
+
+			os.Setenv("KUBECONFIG", runtimeconfig.PathToKubeConfig())
+			os.Setenv("TMPDIR", runtimeconfig.EmbeddedClusterTmpSubDir())
+
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			err := resetFirewalld(cmd.Context())
+			if err != nil {
+				return fmt.Errorf("failed to reset firewalld: %w", err)
+			}
+
+			logrus.Infof("Firewalld reset successfully")
+
+			return nil
+		},
+	}
+
+	return cmd
+}

cmd/installer/cli/restore.go

@@ -374,6 +374,11 @@ func runRestoreStepNew(ctx context.Context, name string, flags InstallCmdFlags,
 		return fmt.Errorf("unable to configure network manager: %w", err)
 	}
 
+	logrus.Debugf("configuring firewalld")
+	if err := configureFirewalld(ctx, flags.cidrCfg.PodCIDR, flags.cidrCfg.ServiceCIDR); err != nil {
+		logrus.Debugf("unable to configure firewalld: %v", err)
+	}
+
 	logrus.Debugf("materializing binaries")
 	if err := materializeFiles(flags.airgapBundle); err != nil {
 		return fmt.Errorf("unable to materialize binaries: %w", err)

cmd/installer/cli/root.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"syscall"
 
 	"github.com/replicatedhq/embedded-cluster/pkg/dryrun"
 	"github.com/replicatedhq/embedded-cluster/pkg/metrics"
@@ -68,6 +69,10 @@ func RootCmd(ctx context.Context, name string) *cobra.Command {
 				metrics.DisableMetrics()
 			}
 
+			// set the umask to 022 so that we can create files/directories with 755 permissions
+			// this does not return an error - it returns the previous umask
+			_ = syscall.Umask(0o022)
+
 			return nil
 		},
 		PersistentPostRunE: func(cmd *cobra.Command, args []string) error {

cmd/installer/goods/support/host-support-bundle.tmpl.yaml

@@ -431,6 +431,9 @@ spec:
         - fail:
             when: 'ntp == unsynchronized+active'
             message: NTP is enabled but the system clock is not synchronized. Synchronize the system clock to continue.
+        - pass:
+            when: 'ntp == synchronized+inactive' # don't fail as the system clock might be managed by other protocols (e.g. PTP)
+            message: NTP is inactive but the system clock is synchronized
         - pass:
             when: 'ntp == synchronized+active'
             message: NTP is enabled and the system clock is synchronized

cmd/installer/main.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"os"
 	"path"
+	"syscall"
 
 	"github.com/mattn/go-isatty"
 	"github.com/replicatedhq/embedded-cluster/cmd/installer/cli"
@@ -19,5 +20,10 @@ func main() {
 
 	name := path.Base(os.Args[0])
 
+	// set the umask to 022 so that we can create files/directories with 755 permissions
+	// this does not return an error - it returns the previous umask
+	// we do this before calling cli.InitAndExecute so that it is set before the process forks
+	_ = syscall.Umask(0o022)
+
 	cli.InitAndExecute(ctx, name)
 }

cmd/local-artifact-mirror/main.go

@@ -19,6 +19,11 @@ func main() {
 
 	name := path.Base(os.Args[0])
 
+	// set the umask to 022 so that we can create files/directories with 755 permissions
+	// this does not return an error - it returns the previous umask
+	// we do this before calling cli.InitAndExecute so that it is set before the process forks
+	_ = syscall.Umask(0o022)
+
 	InitAndExecute(ctx, name)
 }