Only use iptables alternative on older iptables versions

Signed-off-by: Derek Nola <[email protected]>
k3s-io · Nov 10, 2023 · bec3490 · bec3490
1 parent 3b99820
commit bec3490
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 39 deletions.
diff --git a/roles/raspberrypi/tasks/main.yml b/roles/raspberrypi/tasks/main.yml
@@ -41,17 +41,9 @@
     - raspberry_pi|default(false)
     - ansible_facts.os_family is match("Archlinux")
 
-- name: Set detected_distribution_major_version
-  ansible.builtin.set_fact:
-    detected_distribution_major_version: "{{ ansible_facts.lsb.major_release }}"
-  when: >
-    ( detected_distribution | default("") == "Raspbian" or
-      detected_distribution | default("") == "Debian" )
-
 - name: Execute OS related tasks on the Raspberry Pi
   ansible.builtin.include_tasks: "{{ item }}"
   with_first_found:
-    - "prereq/{{ detected_distribution }}-{{ detected_distribution_major_version }}.yml"
     - "prereq/{{ detected_distribution }}.yml"
     - "prereq/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
     - "prereq/{{ ansible_distribution }}.yml"

diff --git a/roles/raspberrypi/tasks/prereq/Debian.yml b/roles/raspberrypi/tasks/prereq/Debian.yml
@@ -12,23 +12,36 @@
     backrefs: true
   notify: Reboot Pi
 
-- name: Install iptables
-  ansible.builtin.apt:
-    name: iptables
+- name: Gather the package facts
+  ansible.builtin.package_facts:
+    manager: auto
 
-- name: Flush iptables before changing to iptables-legacy
-  ansible.builtin.iptables:
-    flush: true
-  changed_when: false   # iptables flush always returns changed
+# If no iptables is found, K3s will use the iptables it ships with.
+# However, if a iptables is found, K3s will use that instead. Iptables
+# versions 1.8.7 and older have problems with K3s, so we force the use of
+# iptables-legacy in that case.
+- name: If old iptables found, change to iptables-legacy
+  when:
+    - ansible_facts.packages['iptables'] is defined
+    - ansible_facts.packages['iptables'][0]['version'] is version('1.8.8', '<')
+  block:
+    - name: Iptables version on node
+      ansible.builtin.debug:
+        msg: "iptables version {{ ansible_facts.packages['iptables'][0]['version'] }} found"
 
-- name: Changing to iptables-legacy
-  community.general.alternatives:
-    path: /usr/sbin/iptables-legacy
-    name: iptables
-  register: ip4_legacy
+    - name: Flush iptables before changing to iptables-legacy
+      ansible.builtin.iptables:
+        flush: true
+      changed_when: false   # iptables flush always returns changed
 
-- name: Changing to ip6tables-legacy
-  community.general.alternatives:
-    path: /usr/sbin/ip6tables-legacy
-    name: ip6tables
-  register: ip6_legacy
+    - name: Changing to iptables-legacy
+      community.general.alternatives:
+        path: /usr/sbin/iptables-legacy
+        name: iptables
+      register: ip4_legacy
+
+    - name: Changing to ip6tables-legacy
+      community.general.alternatives:
+        path: /usr/sbin/ip6tables-legacy
+        name: ip6tables
+      register: ip6_legacy
diff --git a/roles/raspberrypi/tasks/prereq/Raspbian.yml b/roles/raspberrypi/tasks/prereq/Raspbian.yml
@@ -7,19 +7,36 @@
     backrefs: true
   notify: Reboot Pi
 
-- name: Flush iptables before changing to iptables-legacy
-  ansible.builtin.iptables:
-    flush: true
-  changed_when: false   # iptables flush always returns changed
+- name: Gather the package facts
+  ansible.builtin.package_facts:
+    manager: auto
 
-- name: Changing to iptables-legacy
-  community.general.alternatives:
-    path: /usr/sbin/iptables-legacy
-    name: iptables
-  register: ip4_legacy
+# If no iptables is found, K3s will use the iptables it ships with.
+# However, if a iptables is found, K3s will use that instead. Iptables
+# versions 1.8.7 and older have problems with K3s, so we force the use of
+# iptables-legacy in that case.
+- name: If old iptables found, change to iptables-legacy
+  when:
+    - ansible_facts.packages['iptables'] is defined
+    - ansible_facts.packages['iptables'][0]['version'] is version('1.8.8', '<')
+  block:
+    - name: Iptables version on node
+      ansible.builtin.debug:
+        msg: "iptables version {{ ansible_facts.packages['iptables'][0]['version'] }} found"
 
-- name: Changing to ip6tables-legacy
-  community.general.alternatives:
-    path: /usr/sbin/ip6tables-legacy
-    name: ip6tables
-  register: ip6_legacy
+    - name: Flush iptables before changing to iptables-legacy
+      ansible.builtin.iptables:
+        flush: true
+      changed_when: false   # iptables flush always returns changed
+
+    - name: Changing to iptables-legacy
+      community.general.alternatives:
+        path: /usr/sbin/iptables-legacy
+        name: iptables
+      register: ip4_legacy
+
+    - name: Changing to ip6tables-legacy
+      community.general.alternatives:
+        path: /usr/sbin/ip6tables-legacy
+        name: ip6tables
+      register: ip6_legacy