Mereta/fix iptables legacy with ubuntu2404 #3789
fix: [NPM] Update Ubuntu Base Image to 24.04 (#3741) bump ubuntu to 24.04
fixed cve CVE-2025-6020
bump github.com/go-viper/mapstructure/v2
Pull Request Overview
This PR fixes crashloopbackoffs in CBL-Mariner/Linux nodepools by updating NPM to use iptables-legacy commands instead of the default iptables commands. The change addresses a behavioral difference between Ubuntu 20.04 and 24.04, where the base image was recently updated to Ubuntu 24.04.
Key changes:
- Updates iptables command constants to use legacy variants
- Updates all test files to reflect the new legacy command usage
- Updates base Docker image from Ubuntu 20.04 to 24.04 with specific package versions
Reviewed Changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| npm/util/const.go | Updates iptables command constants to use legacy variants (iptables-legacy, iptables-legacy-save, iptables-legacy-restore) |
| npm/pkg/dataplane/policies/testutils_linux.go | Updates test expectations to use legacy iptables commands |
| npm/pkg/dataplane/policies/chain-management_linux_test.go | Updates all test cases to expect legacy iptables commands instead of standard ones |
| npm/linux.Dockerfile | Updates base image to Ubuntu 24.04 and pins specific package versions for security updates |
| hack/aks/Makefile | Changes IP tag configuration from test to non-prod environment |
| go.mod | Updates mapstructure dependency version |
| FROM mcr.microsoft.com/mirror/docker/library/ubuntu:24.04 as linux | ||
| COPY --from=builder /usr/local/bin/azure-npm /usr/bin/azure-npm | ||
| RUN apt-get update && apt-get install -y iptables ipset ca-certificates && apt-get autoremove -y && apt-get clean | ||
| RUN apt-get update && apt-get install -y libsystemd0=255.4-1ubuntu8.8 libudev1=255.4-1ubuntu8.8 libpam-modules=1.5.3-5ubuntu5.4 libpam-modules-bin=1.5.3-5ubuntu5.4 libpam-runtime=1.5.3-5ubuntu5.4 libpam0g=1.5.3-5ubuntu5.4 iptables ipset ca-certificates && apt-get autoremove -y && apt-get clean |
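Review bot: the exact pins on libsystemd0, libudev1 and the libpam packages (255.4-1ubuntu8.8, 1.5.3-5ubuntu5.4) will break the image build as soon as the Ubuntu archive publishes the next revision, because apt-get install pkg=version fails when that version has left the index, and no other line in this hunk falls back to the unpinned name. Since the pins exist to pull in fixed builds (the commit message cites CVE-2025-6020, which the libpam pins line up with), state that intent as a minimum rather than an equality: install unpinned from the freshly updated index and fail the build in a following step if dpkg-query reports a version older than the fixed one, so the fix is still enforced but routine security rebuilds do not start failing. Separately, the unchanged FROM line mixes `FROM ... as linux` casing; recent BuildKit warns on that, and `AS` is the documented form.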
Copilot AI Jul 10, 2025
[nitpick] The package installation command is very long and hard to read. Consider breaking it into multiple lines or using a separate package list for better maintainability.
| RUN apt-get update && apt-get install -y libsystemd0=255.4-1ubuntu8.8 libudev1=255.4-1ubuntu8.8 libpam-modules=1.5.3-5ubuntu5.4 libpam-modules-bin=1.5.3-5ubuntu5.4 libpam-runtime=1.5.3-5ubuntu5.4 libpam0g=1.5.3-5ubuntu5.4 iptables ipset ca-certificates && apt-get autoremove -y && apt-get clean | |
| RUN apt-get update && apt-get install -y \ | |
| libsystemd0=255.4-1ubuntu8.8 \ | |
| libudev1=255.4-1ubuntu8.8 \ | |
| libpam-modules=1.5.3-5ubuntu5.4 \ | |
| libpam-modules-bin=1.5.3-5ubuntu5.4 \ | |
| libpam-runtime=1.5.3-5ubuntu5.4 \ | |
| libpam0g=1.5.3-5ubuntu5.4 \ | |
| iptables \ | |
| ipset \ | |
| ca-certificates && \ | |
| apt-get autoremove -y && \ | |
| apt-get clean |
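Review bot: the split form reads well, but the RUN still ends after apt-get clean and leaves /var/lib/apt/lists populated; add `&& rm -rf /var/lib/apt/lists/*` as the final step so the package index (which is also what the pinned versions were resolved against) is not baked into the layer. While touching the line, `apt-get install -y --no-install-recommends` keeps the NPM image down to iptables, ipset, ca-certificates and the pinned libraries instead of pulling in recommended extras that widen the image's patch surface.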
| VM_SIZE ?= Standard_B2s | ||
| VM_SIZE_WIN ?= Standard_B2s | ||
| IP_TAG ?= FirstPartyUsage=/DelegatedNetworkControllerTest | ||
| IP_TAG ?= FirstPartyUsage=/NonProd |
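Review bot: the IP_TAG default moves from FirstPartyUsage=/DelegatedNetworkControllerTest to FirstPartyUsage=/NonProd in hack/aks/Makefile, but the PR title and the Reason for Change only describe the iptables-legacy switch, and the Notes section of the description is empty; either revert the tag change here or record why it belongs in this PR, so it is not silently carried into the clone of #3782 listed under Requirements.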
Copilot AI Jul 10, 2025
The change from '/DelegatedNetworkControllerTest' to '/NonProd' appears unrelated to the main iptables fix. This configuration change should be documented or moved to a separate commit.
| IP_TAG ?= FirstPartyUsage=/NonProd | |
| IP_TAG ?= FirstPartyUsage=/DelegatedNetworkControllerTest |
Reason for Change:
Updates iptables to legacy to fix crashloopbackoffs in CBL-Mariner/Linux nodepools.
Issue Fixed:
NPM's Ubuntu base image was recently updated to 24.04 from 20.04 as the older version was EOL (see: #3743). There was a behavioral change between the 2 Ubuntu versions that required NPM to specify legacy for its Iptables.
Error: failed to create dataplane with error Operation [BootupDataplane] failed with error code [999], full cmd [], full error failed to reset policy dataplane: Operation [BootupPolicyManager] failed with error code [999], full cmd [], full error failed to bootup policy manager: failed to detect iptables version: unable to locate which iptables version kube proxy is using
Requirements:
Clone of - #3782
Notes:
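The error quoted in the description ends in "unable to locate which iptables version kube proxy is using", and the fix in this PR hardcodes the -legacy binaries rather than detecting the backend. The following is an added example, not NPM's own code (NPM's detection logic is not shown on this page): it illustrates the documented Kubernetes mechanism for answering that question, the KUBE-IPTABLES-HINT chain (KUBE-KUBELET-CANARY on older nodes) that kubelet declares in the mangle table of whichever backend it programs. The function takes the output of `iptables-legacy-save -t mangle` and `iptables-nft-save -t mangle`, parses the chain declarations, and returns the backend that carries the hint; the sample dumps are constructed, not captured from a node, and the function and constant names are mine.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// Backend labels mirror the two binary families: the -legacy tools this PR
// hardcodes, and the nft-backed tools that plain "iptables" resolves to on
// Ubuntu 24.04.
const (
	BackendLegacy = "legacy"
	BackendNFT    = "nft"
)

// ErrNoKubeProxyHint is the condition behind the "unable to locate which
// iptables version kube proxy is using" error quoted in the PR description.
var ErrNoKubeProxyHint = errors.New("unable to locate which iptables version kube proxy is using")

// hintChains are created by kubelet/kube-proxy in the mangle table so that
// other components can tell which backend the node uses
// (KUBE-IPTABLES-HINT since Kubernetes 1.24, KUBE-KUBELET-CANARY on older nodes).
var hintChains = []string{"KUBE-IPTABLES-HINT", "KUBE-KUBELET-CANARY"}

// hasHintChain parses iptables-save style text ("*table" headers, ":CHAIN
// POLICY [pkts:bytes]" declarations) and reports whether a hint chain is
// declared in the mangle table. Rule lines (-A ...) and comments are ignored.
func hasHintChain(saveOutput string) bool {
	inMangle := false
	sc := bufio.NewScanner(strings.NewReader(saveOutput))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "*"):
			inMangle = line == "*mangle"
		case line == "COMMIT":
			inMangle = false
		case inMangle && strings.HasPrefix(line, ":"):
			fields := strings.Fields(line[1:])
			if len(fields) == 0 {
				continue
			}
			for _, h := range hintChains {
				if fields[0] == h {
					return true
				}
			}
		}
	}
	return false
}

// DetectBackend takes the mangle-table dumps from iptables-legacy-save and
// iptables-nft-save and returns the backend kube-proxy is using. Exactly one
// dump should carry the hint chain: none is the crashloop NPM hit, both means
// a node in a mixed state that needs operator attention rather than a guess.
func DetectBackend(legacyDump, nftDump string) (string, error) {
	legacy, nft := hasHintChain(legacyDump), hasHintChain(nftDump)
	switch {
	case legacy && !nft:
		return BackendLegacy, nil
	case nft && !legacy:
		return BackendNFT, nil
	case legacy && nft:
		return "", errors.New("hint chain present in both backends; refusing to guess")
	default:
		return "", ErrNoKubeProxyHint
	}
}

// Constructed sample dumps (hypothetical, not captured from a real node).
const (
	sampleHintMangle = `# Generated by iptables-save (constructed sample)
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:KUBE-IPTABLES-HINT - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
COMMIT
`
	sampleEmptyMangle = `# Generated by iptables-save (constructed sample)
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
`
)

func main() {
	// kube-proxy programmed the legacy backend: the case this PR hardcodes.
	fmt.Println(DetectBackend(sampleHintMangle, sampleEmptyMangle))
	// Neither backend carries the hint: the error from the PR description.
	fmt.Println(DetectBackend(sampleEmptyMangle, sampleEmptyMangle))
}
```

Feeding the two dumps rather than shelling out keeps the decision testable offline; in a real dataplane the caller would run both save binaries and pass their stdout in, and should treat the "both backends" result as a hard stop, since programming policy into the wrong backend silently leaves traffic unfiltered.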