I am trying to delete all Calico-related iptables rules using the calico script. After running this script most of the Calico iptables chains are removed, except these:
root@Ubuntu-18-VM:~# iptables -S | grep -oP '(?<!^:)cali-[^ ]+'
cali-FORWARD
cali-INPUT
cali-OUTPUT
cali-cidr-block
cali-from-hep-forward
cali-from-host-endpoint
cali-from-wl-dispatch
cali-from-wl-dispatch-5
cali-fw-cali2847b154969
cali-fw-cali4bb24809f90
cali-fw-cali531f8f2e712
cali-fw-cali5a82b3ff301
cali-pri-_CVSZITRyIpEmH8AB6H
cali-pri-_HayIXLB85hzHkIhWER
cali-pri-_PTRGc0U-L5Kz7V6ERW
cali-pri-_u2Tn2rSoAPffvE7JO6
cali-pri-kns.kube-system
cali-pro-_CVSZITRyIpEmH8AB6H
cali-pro-_HayIXLB85hzHkIhWER
cali-pro-_PTRGc0U-L5Kz7V6ERW
cali-pro-_u2Tn2rSoAPffvE7JO6
cali-pro-kns.kube-system
cali-to-hep-forward
cali-to-host-endpoint
cali-to-wl-dispatch
cali-to-wl-dispatch-5
cali-tw-cali2847b154969
cali-tw-cali4bb24809f90
cali-tw-cali531f8f2e712
cali-tw-cali5a82b3ff301
cali-wl-to-host
In total 31 are still left. I am trying to add one more grep line to the script that should grep the above remaining 31 entries and remove those iptables chains. But when I added the line below just after line 14
iptables -S | grep -oP '(?<!^:)cali-[^ ]+' | while read line; do iptables -t nat -F $line; done
I am getting the error below 31 times:
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
...
How can I fix this script so that it greps and deletes the remaining 31 iptables entries as well?
Update Nov 2022:
The removal script from Calico is now located at
https://github.com/projectcalico/calico/blob/master/calico/hack/remove-calico-policy/remove-calico-policy.sh
Remove your line and try adding the below after line 36:
echo 'Cleaning all calico'
chains=$(iptables -L -n | awk '/^Chain cali/ {print $2}')   # chain header lines only; rule lines that jump to cali-* targets would give "all" as $2
for i in $chains; do iptables -F "$i"; done   # flush every chain first: -X fails while another chain still references it
for i in $chains; do iptables -X "$i"; done
In my case, before this adjustment, the script left me 40 out of 242:
iptables -S | grep -oP '(?<!^:)cali-[^ ]+' | wc -l
40
after: 0
# iptables -S | grep -oP '(?<!^:)cali-[^ ]+' | wc -l
242
# ./calico-removal.sh
Setting default FORWARD action to ACCEPT...
net.ipv4.ip_forward = 1
Starting the flush Calico policy rules...
Make sure calico-node DaemonSet is stopped before this gets executed.
Flushing all the calico iptables chains in the nat table...
Flushing all the calico iptables chains in the raw table...
Flushing all the calico iptables chains in the mangle table...
Flushing all the calico iptables chains in the filter table...
Cleaning up calico rules from the nat table...
Cleaning up calico rules from the raw table...
Cleaning up calico rules from the mangle table...
Cleaning up calico rules from the filter table...
Cleaning all calico
# iptables -S | grep -oP '(?<!^:)cali-[^ ]+' | wc -l
0
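The same cleanup as a script that works from a saved ruleset instead of grepping live iptables -L output. This is an added example, not the question's script, the answer's loop or Calico's own removal script: it reads iptables-save format (one `*table` header, `:chain` declarations, `-A` rules), and for each table first deletes the jumps from built-in chains into cali-* chains, then flushes every cali-* chain, and only then deletes them, which is the order iptables requires. The dump below is constructed, not captured from a host; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the question, the answer or the Calico script): plan the removal of
# cali-* chains from iptables-save output in an order that iptables accepts.
# Constructed sample of iptables-save output (not a real host's ruleset):
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:cali-PREROUTING - [0:0]
:cali-nat-outgoing - [0:0]
-A PREROUTING -j cali-PREROUTING
-A cali-PREROUTING -j cali-nat-outgoing
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:cali-FORWARD - [0:0]
:cali-fw-cali2847b154969 - [0:0]
-A FORWARD -j cali-FORWARD
-A cali-FORWARD -j cali-fw-cali2847b154969
COMMIT'

# list_cali_chains TABLE <dump : the cali-* chain names declared in TABLE
list_cali_chains() {
    awk -v want="$1" '
        /^\*/     { table = substr($0, 2); next }
        /^:cali-/ { if (table == want) { sub(/^:/, "", $1); print $1 } }'
}

# builtin_jumps TABLE <dump : rules in TABLE where a built-in (upper-case) chain jumps to a cali-* chain
builtin_jumps() {
    awk -v want="$1" '
        /^\*/ { table = substr($0, 2); next }
        /^-A [A-Z]+ / && / -j cali-/ { if (table == want) print }'
}

# cleanup_plan <dump : emit iptables commands per table in a safe order:
#   1. drop the jumps from built-in chains, 2. flush every cali-* chain, 3. delete every cali-* chain
cleanup_plan() {
    dump=$(cat)
    for t in raw mangle nat filter; do
        printf '%s\n' "$dump" | builtin_jumps "$t" | sed "s/^-A /iptables -t $t -D /"
        chains=$(printf '%s\n' "$dump" | list_cali_chains "$t")
        for c in $chains; do echo "iptables -t $t -F $c"; done
        for c in $chains; do echo "iptables -t $t -X $c"; done
    done
}

# Live usage: review the plan first, then execute it.
#   iptables-save | cleanup_plan            # prints the commands
#   iptables-save | cleanup_plan | sh       # runs them (as root, after calico-node is stopped)
```

Reviewing the printed plan before piping it to `sh` is the point of separating planning from execution: a chain that is still referenced from a built-in chain shows up as a `-D` line that must succeed before the matching `-X` can.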
I'm installing Docker on some hosts and using an Ansible playbook to do this. However, we have a startup script for Consul that breaks when Docker is installed, as Docker adds a virtual NIC and adds an extra value to the variable.
Original Variables
NODEIP=`hostname -I`
NODE=`hostname -I |sed 's/[.]/-/g'`
I can manually change them to the following and this works.
NODEIP=$(hostname -I | grep -o "[^ ]\\+" | awk /^10\./"{print $1}")
NODE=$(hostname -I | grep -o "[^ ]\+" | awk /^10\./"{print $1}" |sed "s/[.]/-/g")
However, I need to add these to an Ansible playbook. I've modified the variable for NODE and it gets updated in the script, but NODEIP does not. See sample playbook code below.
- name: Fix consul startup script for Docker virtual network interface
  shell: sed -i 's/NODEIP=`hostname -I`/s_.*_NODEIP=$(hostname -I | grep -o \"[^ ]\\+\" | awk /^10\./\"{print \$1}\")' filename
- shell: sed -i '/NODE=`hostname -I |sed/s_.*_NODE=$(echo $NODEIP|sed 's/[.]/-/g')_' filename
I'm going insane trying to get this to work properly. Can anyone help?
Whenever you run an ansible-playbook, it will gather_facts by default. This task will populate your ansible-playbook execution with the variables listed here: Ansible facts
In your case, you are looking for:
NODEIP={{ ansible_default_ipv4.address }}
NODE={{ ansible_hostname }}
The code below should solve your requirement:
- name: Command for NodeIP
  shell: hostname -I | grep -o "[^ ]\\+" | awk /^10\./"{print $1}"
  register: NODEIP
- name: Command for NodeName
  shell: hostname -I | grep -o "[^ ]\+" | awk /^10\./"{print $1}" |sed "s/[.]/-/g"
  register: NODE
The above code stores the command output in the NODEIP and NODE variables respectively.
To learn more about the usage of Ansible return values, refer to https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html
Thanks to all for the input. Here's what I ended up coming up with (had to escape some characters with backslashes). Delighted it works.
- name: replace NODEIP variable in consul startup script
  lineinfile:
    path: filename
    regexp: '^NODEIP='
    line: "NODEIP=$(hostname -I | grep -o \"[^ ]\\+\" | awk /^10\\./\"{print $1}\")"
    backrefs: yes
- name: replace NODE variable in consul startup script
  lineinfile:
    path: filename
    regexp: '^NODE='
    line: "NODE=$(hostname -I | grep -o \"[^ ]\\+\" | awk /^10\\./\"{print $1}\" |sed \"s/[.]/-/g\")"
    backrefs: yes
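The address selection itself, as a pair of shell functions the Consul script could call directly. This is an added example, not code from the question or any answer: the awk program is single-quoted so that `$1` reaches awk rather than being expanded by the shell (in the commands above, `"{print $1}"` inside double quotes becomes `{print }` before awk ever sees it, which only works because each line holds one field), and it fails explicitly when no 10.x address exists instead of silently leaving the variable empty. The address lists are constructed; `node_ip` and `node_name` are my names.

```shell
#!/bin/sh
# Added example (not from the question or answers): pick the 10.x node address out of
# "hostname -I" output, which after a Docker install also lists docker0's 172.17.x address.

# node_ip "ADDR ADDR ..." : prints the first address starting with 10., exit 1 if there is none
node_ip() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        awk '/^10\./ { print; found = 1; exit } END { exit !found }'
}

# node_name ADDR : the address with dots replaced by dashes, as the Consul script expects
node_name() {
    printf '%s\n' "$1" | sed 's/[.]/-/g'
}

# Live usage in the startup script (constructed lists are used in the test instead):
#   NODEIP=$(node_ip "$(hostname -I)") || { echo "no 10.x address found" >&2; exit 1; }
#   NODE=$(node_name "$NODEIP")
```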
I am trying to check how many nodes are Ready (not including nodes tainted NoSchedule) and write the number to the text file output.txt.
Could you give me any advice?
I believe that kubectl get nodes doesn't show taints, so you can't just filter with grep. In that case you can set the output as json and use jq (or yaml and use yq) to process it:
kubectl get nodes -o json | jq -c '.items[].spec.taints' | grep -v NoSchedule | wc -l > output.txt
The -c option in jq outputs each element on a single line instead of pretty-printing it, in case you have multiple taints. The rest has already been explained in Abdennour TOUMI's answer.
This single command will do the job for you:
kubectl get nodes | grep Ready | grep -v NotReady | grep -v NoSchedule \
| wc -l > output.txt
Notes:
While grep includes lines, grep -v excludes lines.
wc -l counts the number of lines.
The number of output lines is the same as the number of nodes matching the criteria you described.
Foolproof query to get the nodes except those that have a taint with effect NoSchedule on them:
kubectl get node -o=jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.taints[*].effect}{"\n"}{end}' | grep -v NoSchedule | wc -l
The following command can be used without jq or where jq is not installed.
kubectl get nodes --selector='!node-role.kubernetes.io/master' --no-headers | grep -v SchedulingDisabled | wc -l > output.txt
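A version that checks both conditions from the question in one pass, as an added example that is not from any of the answers above and goes a little beyond them: kubectl emits one tab-separated line per node (name, status of the Ready condition, taint effects) via a jsonpath template, and awk counts the nodes whose Ready status is True and whose taint list contains no NoSchedule entry. Matching NoSchedule as a whole word matters: a plain `grep -v NoSchedule` would also throw away nodes that only carry PreferNoSchedule. The node lines below are constructed, not captured from a cluster; `count_ready_schedulable` is my name.

```shell
#!/bin/sh
# Added example (not from the answers): count nodes that are Ready and have no NoSchedule taint.
# Template for kubectl (uses its jsonpath filter syntax); each output line is
#   <node name> TAB <Ready condition status> TAB <taint effects separated by spaces>
NODE_TEMPLATE='{range .items[*]}{.metadata.name}{"\t"}{.status.conditions[?(@.type=="Ready")].status}{"\t"}{.spec.taints[*].effect}{"\n"}{end}'

# count_ready_schedulable <lines : number of nodes with Ready == True and no taint effect
# exactly equal to NoSchedule (PreferNoSchedule and NoExecute alone do not exclude a node)
count_ready_schedulable() {
    awk -F '\t' '
        {
            skip = 0
            m = split($3, eff, " ")
            for (i = 1; i <= m; i++) if (eff[i] == "NoSchedule") skip = 1
            if ($2 == "True" && !skip) n++
        }
        END { print n + 0 }'
}

# Constructed sample in the template's output format (not from a real cluster)
SAMPLE_NODES=$(printf 'master-0\tTrue\tNoSchedule\nworker-0\tTrue\t\nworker-1\tFalse\t\nworker-2\tTrue\tPreferNoSchedule\nworker-3\tTrue\tNoExecute NoSchedule\n')

# Live usage (needs a cluster):
#   kubectl get nodes -o jsonpath="$NODE_TEMPLATE" | count_ready_schedulable > output.txt
```

On the constructed sample only worker-0 and worker-2 count: master-0 and worker-3 carry NoSchedule, and worker-1 is not Ready.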
I would like to run a process that will block an IP that is stored in a variable. The syntax that I wrote:
[status4,cmdeks2] = system("sudo tail -1 /var/log/apache2/access.log | cut -d ' ' -f 1");
lm = system(['sudo iptables -A INPUT -s' cmdeks ' -j DROP '])
cmdeks2 itself is an IP:
192.168.88.10
But it returns an error; the MATLAB output is:
/bin/bash : line 1: -j: command not found
How do I put that cmdeks2 in the system syntax?
I guess it is because cmdeks2 contains a line feed character and the iptables command breaks at that line feed.
Extracting only the IP address via sscanf will work.
[status4,cmdeks2] = system("tail -1 ./access.log | cut -d ' ' -f 1");
cmdeks2 = sscanf(cmdeks2, '%s\n'); % cmdeks2 contains only IP address
lm = system(['sudo iptables -A INPUT -s ' cmdeks2 ' -j DROP '])
Also, you might have extra iptables rules from your previous trials, so please delete those rules with the "iptables -D" command.
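The same extraction done in the shell, as an added example that is not from the question or the answer: `$(...)` already strips the trailing newline that broke the MATLAB version, and before the value is spliced into an iptables command line it is checked to be a plain dotted quad, so an odd or truncated log field can never turn into extra arguments. The access-log line is constructed (the IP is the one from the question); `client_ip`, `is_ipv4` and `block_rule` are my names.

```shell
#!/bin/sh
# Added example (not from the question or answer): take the client field from the last
# access-log line and validate it before it becomes part of an iptables command.

# Constructed access-log line (combined format), not from a real server
SAMPLE_LINE='192.168.88.10 - - [03/Nov/2022:10:00:00 +0000] "GET / HTTP/1.1" 200 612'

# client_ip <line : the first whitespace-separated field, without any trailing newline
client_ip() {
    awk '{ print $1; exit }'
}

# is_ipv4 ADDR : exit 0 when ADDR is exactly four decimal octets in 0..255, exit 1 otherwise
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# block_rule ADDR : print the iptables rule for a validated address, fail (and print nothing) otherwise
block_rule() {
    is_ipv4 "$1" || { echo "refusing to build a rule for '$1'" >&2; return 1; }
    printf 'iptables -A INPUT -s %s -j DROP\n' "$1"
}

# Live usage:
#   ip=$(tail -1 /var/log/apache2/access.log | client_ip)
#   rule=$(block_rule "$ip") && sudo $rule
```

Note that the validation rejects the multi-line value from the question (`192.168.88.10` followed by a newline): the empty second line has zero fields, so `is_ipv4` fails instead of letting the shell split the command at the line feed.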
I'm trying to identify what application is running on port 56474 without having root access. I know the application was started by me.
Example:
netstat -tunap
tcp 0 0 0.0.0.0:56474 0.0.0.0:* LISTEN -
I've tried walking /proc/<pid>/fd with scripts, grepping the ls -l results. Here is my attempt. NOTE: Not sure if I was heading in the right direction.
for I in `find /proc/*/fd -exec ls -l {} \; 2>/dev/null | awk -F"->|:" '/socket/ {print $4}' | sort -u | sed -e 's/\[//g' -e 's/\]//g'`; do grep $I /proc/*/net/tcp; done
I had no success. Not sure if there is a way. Thanks.
NOTE: Added another answer as lsof was not satisfactory.
This should work:
#! /bin/bash
port=56474
hex_port=$(printf '%04X' "$port")   # /proc/net/tcp stores ports as zero-padded upper-case hex
# inode (10th field) of the LISTEN socket (state 0A) whose local address (2nd field) ends in :PORT
inode=$(awk -v p=":$hex_port" 'NR > 1 && $4 == "0A" && substr($2, length($2) - 4) == p {print $10}' /proc/net/tcp)
for i in $(ps axo pid); do
    # the owning process has an fd symlink that reads socket:[inode]
    ls -l /proc/$i/fd 2> /dev/null | grep -q ":\[$inode\]" && echo $i
done
Explanation:
Once we have the port number converted to hexadecimal, we can get the inode number from /proc/net/tcp (10th field), then we loop through /proc/<pid>/fd and find a symlink pointing to the inode.
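The two lookups split into functions so that the /proc/net/tcp parsing can be checked against a saved copy of the file. This is an added example, not the answer's script: ports in /proc/net/tcp are zero-padded upper-case hex (56474 is DC9A), state 0A is LISTEN, and only the local-address column is matched, so a connection whose remote end happens to use the same port number is not picked up. The /proc/net/tcp excerpt is constructed; `port_to_inode` and `inode_to_pids` are my names. Without root, the pid step only finds processes you own, which is exactly the situation in the question.

```shell
#!/bin/sh
# Added example (not the answer's script): port -> socket inode -> pid, unprivileged.

# Constructed /proc/net/tcp excerpt (not from a real host). Columns of interest:
#   $2 local_address (hex IP:port), $4 state (0A = LISTEN), $10 inode
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:DC9A 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 123456 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0A000105:A3C2 0A000106:DC9A 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 20 4 30 10 -1'

# port_to_inode PORT <proc_net_tcp : inode(s) of sockets in LISTEN state bound to PORT
port_to_inode() {
    hex=$(printf '%04X' "$1")
    awk -v want=":$hex" 'NR > 1 && $4 == "0A" && substr($2, length($2) - 4) == want { print $10 }'
}

# inode_to_pids INODE : pids whose fd table holds socket:[INODE]; needs a live /proc and
# only sees processes the caller may inspect
inode_to_pids() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] && echo "$fd" | cut -d/ -f3
    done | sort -u
}

# Live usage:
#   port_to_inode 56474 </proc/net/tcp | while read -r ino; do inode_to_pids "$ino"; done
```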
If you're sure the application was started by you then you can use lsof:
/usr/sbin/lsof -nP | grep :56474 | awk '{print $2}'
Another technique to resolve pids and ports of all running apps without root:
1.) Get the pids of the running apps. Either use the ActivityManager or parse ps console output.
2.) Iterate through the /proc/$pid/net/status files and get the matching uid for a pid.
cat /proc/$pid/net/status | grep Uid:
3.) Call and parse the output of the tcp, tcp6, udp and udp6 files to match ports and uids:
cat /proc/net/tcp
...
4.) Match the uids from both steps; this gives a port-to-pid map without su access.
Cheers,
goethe
I have two web servers running behind one load balancer with HAProxy. I need to block IPs that are hitting my load balancer too often. How do I check all the incoming IPs? Is there a log?
If you want to see the established connections on a Linux server, use this command (via SSH):
netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head -n 10
If you want to log more verbose HAProxy activity, use this setting in haproxy.cfg:
log 127.0.0.1 local0 info
You can view the more verbose output in /var/log/haproxy_0.log
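Once HAProxy logs at info level, the per-client count can be taken from the log rather than from netstat, which only shows connections open at that instant. This is an added example, not from the answer: with the default HTTP log format the client appears as IP:PORT right after the `haproxy[pid]:` tag, i.e. field 6 of the syslog line, and awk counts hits per address and prints those above a threshold. The log lines are constructed with RFC 5737 documentation addresses; `top_clients` is my name.

```shell
#!/bin/sh
# Added example (not from the answer): clients above a hit threshold in HAProxy HTTP log lines.

# Constructed log lines (documentation addresses, not real traffic)
SAMPLE_LOG='Nov  3 10:00:01 lb1 haproxy[1234]: 203.0.113.7:51234 [03/Nov/2022:10:00:01.123] http-in web/web1 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Nov  3 10:00:01 lb1 haproxy[1234]: 198.51.100.9:40010 [03/Nov/2022:10:00:01.200] http-in web/web2 0/0/1/2/3 200 512 - - ---- 2/2/1/1/0 0/0 "GET /index.html HTTP/1.1"
Nov  3 10:00:02 lb1 haproxy[1234]: 203.0.113.7:51235 [03/Nov/2022:10:00:02.001] http-in web/web1 0/0/1/2/3 200 128 - - ---- 2/2/1/1/0 0/0 "GET /search HTTP/1.1"
Nov  3 10:00:02 lb1 haproxy[1234]: 203.0.113.7:51236 [03/Nov/2022:10:00:02.050] http-in web/web2 0/0/1/2/3 404 128 - - ---- 2/2/1/1/0 0/0 "GET /login HTTP/1.1"'

# top_clients THRESHOLD <log : "count ip" for every client seen more than THRESHOLD times,
# highest count first; lines that are not haproxy entries are ignored
top_clients() {
    awk -v min="$1" '
        $5 ~ /^haproxy\[/ { split($6, a, ":"); hits[a[1]]++ }
        END { for (ip in hits) if (hits[ip] > min) printf "%d %s\n", hits[ip], ip }' | sort -rn
}

# Live usage:
#   top_clients 100 < /var/log/haproxy_0.log
```

The threshold is the only tunable; what counts as "too often" depends on the site, so start by listing everything with threshold 0 and look at the distribution before deciding which counts warrant a block.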
You should try this:
echo 'Client IP: '.$_SERVER["REMOTE_ADDR"];
echo 'Client IP: '.$_SERVER["HTTP_CLIENT_IP"];
These commands display the load balancer's IP. More at: https://serverfault.com/a/331909