基本框架

scripts/diag/entrypath/lib/remote_checks.sh

@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+WORKER_CNI_DNAT_CHAIN=""
+WORKER_CNI_HIT_BEFORE=""
+WORKER_CNI_HIT_AFTER=""
+
+resolve_runtime_modes() {
+  if [[ -n "${DO_REMOTE_ARG}" ]]; then
+    DO_REMOTE="${DO_REMOTE_ARG}"
+  else
+    if [[ "${NON_INTERACTIVE}" == "1" ]]; then
+      DO_REMOTE="N"
+    else
+      read -r -p "是否通过 SSH 拉取 worker 计数（需要可免交互 sudo）? [y/N]: " DO_REMOTE
+      DO_REMOTE="${DO_REMOTE:-N}"
+    fi
+  fi
+
+  if [[ -n "${CAPTURE_MODE_ARG}" ]]; then
+    CAPTURE_MODE="${CAPTURE_MODE_ARG}"
+  fi
+  if [[ -n "${NFT_TRACE_MODE_ARG}" ]]; then
+    NFT_TRACE_MODE="${NFT_TRACE_MODE_ARG}"
+  fi
+  if [[ -n "${RETURN_TRACE_MODE_ARG}" ]]; then
+    RETURN_TRACE_MODE="${RETURN_TRACE_MODE_ARG}"
+  fi
+  if [[ -n "${POD_NETNS_TRACE_MODE_ARG}" ]]; then
+    POD_NETNS_TRACE_MODE="${POD_NETNS_TRACE_MODE_ARG}"
+  fi
+  if [[ -n "${POD_NETNS_TRACE_SECONDS_ARG}" ]]; then
+    POD_NETNS_TRACE_SECONDS="${POD_NETNS_TRACE_SECONDS_ARG}"
+  fi
+}
+
+collect_remote_worker_state() {
+  if [[ ! "$DO_REMOTE" =~ ^[Yy]$ ]] || [[ -z "$WORKER_HOST" ]]; then
+    return 0
+  fi
+
+  say "开始远端检查: ${WORKER_HOST}"
+  run_cmd "Worker 基础网络状态" ssh "${SSH_OPTS[@]}" "$WORKER_HOST" "ip -br a; ip route"
+  run_cmd "Worker k3s-agent 状态" ssh "${SSH_OPTS[@]}" "$WORKER_HOST" "sudo systemctl is-active k3s-agent; sudo journalctl -u k3s-agent -n 40 --no-pager"
+  run_cmd "Worker PREROUTING 关键计数" ssh "${SSH_OPTS[@]}" "$WORKER_HOST" "sudo iptables -t nat -L PREROUTING -n -v --line-numbers | grep -E 'CNI-HOSTPORT-DNAT|KUBE-SERVICES|dpt:80' || true"
+  run_cmd "Worker CNI-HOSTPORT-DNAT" ssh "${SSH_OPTS[@]}" "$WORKER_HOST" "sudo iptables -t nat -L CNI-HOSTPORT-DNAT -n -v --line-numbers || true"
+
+  WORKER_CNI_DNAT_CHAIN="$(ssh "${SSH_OPTS[@]}" "$WORKER_HOST" "sudo iptables -t nat -S CNI-HOSTPORT-DNAT 2>/dev/null | awk '/-j CNI-DN-/{for(i=1;i<=NF;i++) if(\$i==\"-j\"){print \$(i+1); exit}}'")"
+  if [[ -n "${WORKER_CNI_DNAT_CHAIN}" ]]; then
+    run_cmd "Worker 具体 CNI-DNAT 链" ssh "${SSH_OPTS[@]}" "$WORKER_HOST" "sudo iptables -t nat -L ${WORKER_CNI_DNAT_CHAIN} -n -v --line-numbers"
+    WORKER_CNI_HIT_BEFORE="$(ssh "${SSH_OPTS[@]}" "$WORKER_HOST" "sudo iptables -t nat -L ${WORKER_CNI_DNAT_CHAIN} -n -v -x | awk 'BEGIN{v=0} /DNAT/&&/dpt:80/{v=\$1} END{print v}'")"
+  fi
+}
+
+post_remote_worker_state() {
+  if [[ "$DO_REMOTE" =~ ^[Yy]$ ]] && [[ -n "${WORKER_CNI_DNAT_CHAIN}" ]]; then
+    WORKER_CNI_HIT_AFTER="$(ssh "${SSH_OPTS[@]}" "$WORKER_HOST" "sudo iptables -t nat -L ${WORKER_CNI_DNAT_CHAIN} -n -v -x | awk 'BEGIN{v=0} /DNAT/&&/dpt:80/{v=\$1} END{print v}'")"
+    run_cmd "Worker CNI-DNAT 链复测" ssh "${SSH_OPTS[@]}" "$WORKER_HOST" "sudo iptables -t nat -L ${WORKER_CNI_DNAT_CHAIN} -n -v --line-numbers"
+  fi
+}