
Commit dea713c

authored
kubectl-ko: collect information about ipsec and xfrm (#5472)
Signed-off-by: zhangzujian <[email protected]>
1 parent 9ae6bb9 commit dea713c

1 file changed

Lines changed: 103 additions & 52 deletions


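--- a/dist/images/kubectl-ko
+++ b/dist/images/kubectl-ko
@@ -657,7 +657,7 @@ diagnose(){
 kubectl get crd iptables-fip-rules.kubeovn.io
 kubectl get crd iptables-snat-rules.kubeovn.io
 kubectl get crd iptables-dnat-rules.kubeovn.io
-
+
 set +eu
 if ! kubectl get svc kube-dns -n kube-system ; then
 echo "Warning: kube-dns doesn't exist, maybe there is coredns service."
@@ -669,7 +669,7 @@ diagnose(){
 type="$1"
 fi
 set -eu
-
+
 kubectl get svc kubernetes -n default
 kubectl get sa -n kube-system ovn
 kubectl get clusterrole system:ovn
@@ -1102,63 +1102,114 @@ log_linux(){
 component_param=$1
 sub_component_param=$2
 echo "Collecting $component_param $sub_component_param files"
-podNames=`kubectl get pod -n kube-system -l app=ovs -o 'jsonpath={.items[*].metadata.name}'`
+podNames=`kubectl get pod -n kube-system -l app=kube-ovn-cni -o 'jsonpath={.items[*].metadata.name}'`
 for pod in $podNames; do
 nodeName=$(kubectl get pod "$pod" -n kube-system -o jsonpath={.spec.nodeName})
 mkdir -p ./kubectl-ko-log/$nodeName/$component_param
-if [[ "$sub_component_param" == "dmesg" ]]; then
-kubectl exec $pod -n kube-system -- dmesg -T > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
-elif [[ "$sub_component_param" == "iptables-legacy" ]]; then
-kubectl exec $pod -n kube-system -- /usr/sbin/iptables-legacy -V > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
-echo "******************legacy filter v4 ************************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
-kubectl exec $pod -n kube-system -- /usr/sbin/iptables-legacy -S >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
-echo "****************** legacy nat v4 ************************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
-kubectl exec $pod -n kube-system -- /usr/sbin/iptables-legacy -S -t nat >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
-echo "******************legacy filter v6 ************************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
-kubectl exec $pod -n kube-system -- /usr/sbin/ip6tables-legacy -S >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
-echo "****************** legacy nat v6 ************************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
-kubectl exec $pod -n kube-system -- /usr/sbin/ip6tables-legacy -S -t nat >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
-elif [[ "$sub_component_param" == "iptables-nft" ]]; then
-kubectl exec $pod -n kube-system -- /usr/sbin/iptables-nft -V > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log 2>/dev/null || :
-echo "*********************nft filter v4 ************************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
-kubectl exec $pod -n kube-system -- /usr/sbin/iptables-nft -S >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log 2>/dev/null || :
-echo "********************* nft nat v4 ************************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
-kubectl exec $pod -n kube-system -- /usr/sbin/iptables-nft -S -t nat >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log 2>/dev/null || :
-echo "*********************nft filter v6 ************************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
-kubectl exec $pod -n kube-system -- /usr/sbin/ip6tables-nft -S >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log 2>/dev/null || :
-echo "********************* nft nat v6 ************************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
-kubectl exec $pod -n kube-system -- /usr/sbin/ip6tables-nft -S -t nat >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log 2>/dev/null || :
-elif [[ "$sub_component_param" == "route" ]]; then
-kubectl exec $pod -n kube-system -- ip route show > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
-kubectl exec $pod -n kube-system -- ip -6 route show >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
-elif [[ "$sub_component_param" == "link" ]]; then
-kubectl exec $pod -n kube-system -- ip -d link show > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
-elif [[ "$sub_component_param" == "neigh" ]]; then
-kubectl exec $pod -n kube-system -- ip n > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
-kubectl exec $pod -n kube-system -- ip -6 n >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
-elif [[ "$sub_component_param" == "memory" ]]; then
-kubectl exec $pod -n kube-system -- free -m > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
-elif [[ "$sub_component_param" == "top" ]]; then
-kubectl exec $pod -n kube-system -- top -b -n 1 > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
-elif [[ "$sub_component_param" == "sysctl" ]]; then
-kubectl exec $pod -n kube-system -- sysctl -a > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
-elif [[ "$sub_component_param" == "netstat" ]]; then
-kubectl exec $pod -n kube-system -- netstat -tunlp > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
-elif [[ "$sub_component_param" == "addr" ]]; then
-kubectl exec $pod -n kube-system -- ip addr show > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
-elif [[ "$sub_component_param" == "ipset" ]]; then
-kubectl exec $pod -n kube-system -- ipset list > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
-elif [[ "$sub_component_param" == "tcp" ]]; then
-kubectl exec $pod -n kube-system -- cat /proc/net/sockstat > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
-fi
+case $sub_component_param in
+dmesg)
+kubectl exec $pod -n kube-system -- dmesg -T > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+;;
+iptables-legacy)
+kubectl exec $pod -n kube-system -- /usr/sbin/iptables-legacy -V > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+echo "****************** legacy filter v4 ******************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+kubectl exec $pod -n kube-system -- /usr/sbin/iptables-legacy -S >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+echo "****************** legacy nat v4 ******************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+kubectl exec $pod -n kube-system -- /usr/sbin/iptables-legacy -S -t nat >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+echo "****************** legacy filter v6 ******************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+kubectl exec $pod -n kube-system -- /usr/sbin/ip6tables-legacy -S >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+echo "****************** legacy nat v6 ******************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+kubectl exec $pod -n kube-system -- /usr/sbin/ip6tables-legacy -S -t nat >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+;;
+iptables-nft)
+kubectl exec $pod -n kube-system -- /usr/sbin/iptables-nft -V > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+echo "****************** nft filter v4 ******************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+kubectl exec $pod -n kube-system -- /usr/sbin/iptables-nft -S >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+echo "****************** nft nat v4 ******************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+kubectl exec $pod -n kube-system -- /usr/sbin/iptables-nft -S -t nat >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+echo "****************** nft filter v6 ******************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+kubectl exec $pod -n kube-system -- /usr/sbin/ip6tables-nft -S >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+echo "****************** nft nat v6 ******************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+kubectl exec $pod -n kube-system -- /usr/sbin/ip6tables-nft -S -t nat >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+;;
+route)
+kubectl exec $pod -n kube-system -- ip -4 route show > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+kubectl exec $pod -n kube-system -- ip -6 route show >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+;;
+link)
+kubectl exec $pod -n kube-system -- ip -d -s link show > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+;;
+neigh)
+kubectl exec $pod -n kube-system -- ip -4 n > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+kubectl exec $pod -n kube-system -- ip -6 n >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+;;
+xfrm)
+echo "****************** policy ******************" > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+kubectl exec $pod -n kube-system -- ip xfrm policy >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+echo "****************** state ******************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+kubectl exec $pod -n kube-system -- ip xfrm state >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+;;
+memory)
+kubectl exec $pod -n kube-system -- free -m > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+;;
+top)
+kubectl exec $pod -n kube-system -- top -b -n 1 > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+;;
+sysctl)
+kubectl exec $pod -n kube-system -- sysctl -a > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+;;
+netstat)
+kubectl exec $pod -n kube-system -- netstat -tunlp > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+;;
+addr)
+kubectl exec $pod -n kube-system -- ip addr show > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+;;
+ipset)
+kubectl exec $pod -n kube-system -- ipset list > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+;;
+tcp)
+kubectl exec $pod -n kube-system -- cat /proc/net/sockstat > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+;;
+ipsec)
+echo "****************** config ******************" > ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+kubectl exec $pod -n kube-system -- cat /etc/ipsec.conf >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+echo "****************** ca certs ******************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+kubectl exec $pod -n kube-system -- ipsec listcacerts >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+echo "****************** certs ******************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+kubectl exec $pod -n kube-system -- ipsec listcerts >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+echo "****************** status ******************" >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log
+kubectl exec $pod -n kube-system -- ipsec statusall >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :
+;;
+esac
 done
 }
 
-
 log(){
 component="$1"
-components=("kube-ovn" "ovs" "ovn" "linux" "all")
-linux_sub_components=("dmesg" "iptables-legacy" "iptables-nft" "route" "link" "neigh" "memory" "top" "sysctl" "netstat" "addr" "ipset" "tcp")
+components=(
+kube-ovn
+ovs
+ovn
+linux
+all
+)
+linux_sub_components=(
+dmesg
+iptables-legacy
+iptables-nft
+route
+link
+neigh
+memory
+top
+sysctl
+netstat
+addr
+ipset
+tcp
+ipsec
+xfrm
+)
 
 if [[ ! " ${components[@]} " =~ " $component " ]]; then
 echo "invalid component $component"
@@ -1594,7 +1645,7 @@ case $subcommand in
 icsbctl)
 getOVNICSBPod
 kubectl exec "$OVN_IC_SB_POD" -n $KUBE_OVN_NS -- ovn-ic-sbctl "$@"
-;;
+;;
 vsctl|ofctl|dpctl|appctl)
 xxctl "$subcommand" "$@"
 ;;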
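Review bot: The `ip xfrm state` output that the new `xfrm)` arm of log_linux appends to `./kubectl-ko-log/$nodeName/$component_param/xfrm.log` normally includes the authentication and encryption keys of every installed security association in clear when the command runs with network-admin privileges, which the kube-ovn-cni pod presumably has. These log bundles are the kind of artefact that gets attached to issues or passed to support, so the keys protecting live node-to-node traffic would travel with them. I would mask the key material before it reaches the file, with something like `kubectl exec $pod -n kube-system -- ip xfrm state | sed -E 's/0x[0-9a-f]{16,}/0x<redacted>/g' >> ./kubectl-ko-log/$nodeName/$component_param/$sub_component_param.log || :` (the 32-bit SPI is shorter and stays readable), and add a comment above the arm saying the dump is redacted on purpose. The `ipsec)` arm's `cat /etc/ipsec.conf` and `ipsec statusall` do not obviously carry secrets, but it is worth confirming that no inline secrets live in that config on the deployed image.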
