Rework iptables old version checks (#255)

Signed-off-by: Derek Nola <[email protected]>
k3s-io · Nov 16, 2023 · 7fcf82a · 7fcf82a
1 parent 1e633c5
commit 7fcf82a
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 8 deletions.
diff --git a/roles/prereq/tasks/main.yml b/roles/prereq/tasks/main.yml
@@ -148,6 +148,22 @@
     name: apparmor
     state: present
 
+- name: Gather the package facts
+  ansible.builtin.package_facts:
+    manager: auto
+
+# Iptables v1.8.0-1.8.4 have a specific bug with K3s. https://github.com/k3s-io/k3s/issues/3117
+- name: If iptables v1.8.0-1.8.4, warn user  # noqa ignore-errors
+  when:
+    - ansible_facts.packages['iptables'] is defined
+    - ansible_facts.packages['iptables'][0]['version'] is version('1.8.5', '<')
+    - ansible_facts.packages['iptables'][0]['version'] is version('1.7.9', '>')
+  ansible.builtin.fail:
+    msg:
+      - "Warning: Iptables {{ ansible_facts.packages['iptables'][0]['version'] }} found."
+      - "Add '--prefer-bundled-bin' to extra_server_args variable to use the bundled iptables binary."
+  ignore_errors: true
+
 - name: Add /usr/local/bin to sudo secure_path
   ansible.builtin.lineinfile:
     line: 'Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin'

diff --git a/roles/raspberrypi/tasks/prereq/Debian.yml b/roles/raspberrypi/tasks/prereq/Debian.yml
@@ -16,14 +16,12 @@
   ansible.builtin.package_facts:
     manager: auto
 
-# If no iptables is found, K3s will use the iptables it ships with.
-# However, if a iptables is found, K3s will use that instead. Iptables
-# versions 1.8.7 and older have problems with K3s, so we force the use of
+# IPtables versions 1.6.1 and older have problems with K3s, so we force the use of
 # iptables-legacy in that case.
 - name: If old iptables found, change to iptables-legacy
   when:
     - ansible_facts.packages['iptables'] is defined
-    - ansible_facts.packages['iptables'][0]['version'] is version('1.8.8', '<')
+    - ansible_facts.packages['iptables'][0]['version'] is version('1.6.2', '<')
   block:
     - name: Iptables version on node
       ansible.builtin.debug:

diff --git a/roles/raspberrypi/tasks/prereq/Raspbian.yml b/roles/raspberrypi/tasks/prereq/Raspbian.yml
@@ -11,14 +11,12 @@
   ansible.builtin.package_facts:
     manager: auto
 
-# If no iptables is found, K3s will use the iptables it ships with.
-# However, if a iptables is found, K3s will use that instead. Iptables
-# versions 1.8.7 and older have problems with K3s, so we force the use of
+# IPtables versions 1.6.1 and older have problems with K3s, so we force the use of
 # iptables-legacy in that case.
 - name: If old iptables found, change to iptables-legacy
   when:
     - ansible_facts.packages['iptables'] is defined
-    - ansible_facts.packages['iptables'][0]['version'] is version('1.8.8', '<')
+    - ansible_facts.packages['iptables'][0]['version'] is version('1.6.2', '<')
   block:
     - name: Iptables version on node
       ansible.builtin.debug: