Commit 4181940

committed
During installation, check for suitable rp_filter settings and if needed correct them
1 parent 494f0ed commit 4181940

1 file changed

+51
-0
lines changed

1 file changed

+51
-0
lines changed

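--- a/runcvm-scripts/runcvm-install-runtime.sh
+++ b/runcvm-scripts/runcvm-install-runtime.sh
@@ -43,6 +43,55 @@ _EOE_
 exit 1
 }
 
+check_rp_filter() {
+# For RunCVM to work, the following condition on /proc/sys/net/ipv4/conf/ must be met:
+# - the max of all/rp_filter and <bridge>/rp_filter should be 0 or 2
+# (where <bridge> is the bridge underpinning the Docker network to which RunCVM instances will be attached)
+#
+# This means that:
+# - if all/rp_filter is set to 0, then <bridge>/rp_filter must be set to 0 or 2
+# (or, if <bridge> is not yet or might not yet have been created, then default/rp_filter must be set to 0 or 2)
+# - if all/rp_filter is set to 1, then <bridge>/rp_filter must be set to 2
+# (or, if <bridge> is not yet or might not yet have been created, then default/rp_filter must be set to 2)
+# - if all/rp_filter is set to 2, then no further action is needed
+
+local rp_filter_all rp_filter_default
+
+log "- Checking rp_filter ..."
+
+if [ -f "/proc/sys/net/ipv4/conf/all/rp_filter" ]; then
+rp_filter_all=$(cat /proc/sys/net/ipv4/conf/all/rp_filter)
+else
+log " - Warning: could not find /proc/sys/net/ipv4/conf/all/rp_filter"
+fi
+
+if [ -f "/proc/sys/net/ipv4/conf/default/rp_filter" ]; then
+rp_filter_default=$(cat /proc/sys/net/ipv4/conf/default/rp_filter)
+else
+log " - Warning: could not find /proc/sys/net/ipv4/conf/default/rp_filter"
+fi
+
+if [ -z "$rp_filter_all" ] || [ -z "$rp_filter_default" ]; then
+return
+fi
+
+if [ "$rp_filter_all" = "2" ]; then
+log " - sys.net.ipv4.conf.all.rp_filter is set to 2; assuming no further action needed"
+return
+elif [ "$rp_filter_all" = "0" ] && [ "$rp_filter_default" = "0" ]; then
+log " - sys.net.ipv4.conf.all.rp_filter AND sys.net.ipv4.conf.default.rp_filter are set to 0; assuming no further action needed"
+return
+fi
+
+log " - sys.net.ipv4.conf.all.rp_filter is set to $rp_filter_all; fixing ..."
+log " - Setting sys.net.ipv4.conf.all.rp_filter and Setting sys.net.ipv4.conf.default.rp_filter to 2 ..."
+echo 2 >/proc/sys/net/ipv4/conf/all/rp_filter
+echo 2 >/proc/sys/net/ipv4/conf/default/rp_filter
+
+log " - Patching /etc/sysctl.conf, /etc/sysctl.d/* to make these settings persist after reboot ..."
+find /etc/sysctl.conf /etc/sysctl.d -type f -exec sed -r -i 's/^([ ]*net.ipv4.conf.(all|default).rp_filter)=(1)$/# DISABLED BY RUNCVM\n# \1=\3\n# ADDED BY RUNCVM\n\1=2/' {} \;
+}
+
 docker_restart() {
 # docker_restart
 # - With systemd, run: systemctl restart docker
@@ -186,5 +235,7 @@ if [ -n "$(which podman)" ]; then
 _EOE_
 fi
 
+check_rp_filter
+
 log "- RunCVM installation/upgrade complete."
 log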
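Review bot: The `echo 2 >/proc/sys/net/ipv4/conf/all/rp_filter` line near the end of `check_rp_filter` moves every interface on the host from strict to loose reverse-path filtering, since the effective value is the max of `all` and the per-interface setting; that is wider than the function's own header comment requires, which says that with `all` at 1 only the bridge (or `default`) has to be 2. This weakens anti-spoofing on interfaces unrelated to RunCVM, and the installer does it without asking and without logging the previous `default` value. Consider leaving `all` untouched when it is 1 and raising only `default` plus any already-existing bridge, or at least making the change opt-in and logging both prior values before overwriting them. Separately, the `sed` pattern matches only `=1` with no surrounding whitespace and leaves the dots unescaped, so a line such as `net.ipv4.conf.all.rp_filter = 1` is not patched and the runtime change is lost at reboot; using `\.` for the dots and `[[:space:]]*=[[:space:]]*(1)[[:space:]]*$` for the assignment would cover that form.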
