lxc-net upstart script fails on nonexistent iptables rules

Bug #1429140 reported by Daniel Dehennin
Affects              Status        Importance  Assigned to  Milestone
lxc (Ubuntu)         Fix Released  High        Unassigned
lxc (Ubuntu Trusty)  Fix Released  High        Unassigned

Bug Description

Hello,

On Trusty, stopping lxc-net fails if the iptables rules are not present.

I added “exec >> /tmp/lxc-net.log 2>&1” at the beginning of pre-start and post-stop and got:

    iptables: Bad rule (does a matching rule exist in that chain?).

On Precise, a “|| true” was added to avoid errors.

I attach a patch to disable exit on a failing iptables call.

Regards.

Revision history for this message
Daniel Dehennin (launchpad-baby-gnu) wrote :
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Do not crash when removing iptables rules" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Hi,

which release are you seeing this in?

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Note I tested this on vivid with a /downitpables script containing:

#!/bin/sh
# Remove the lxc-net firewall rules by hand (same rule set as the upstart job).

LXC_BRIDGE=lxcbr0
LXC_NETWORK="10.0.3.0/24"

# Use the xtables lock (-w) only if this iptables build understands it.
use_iptables_lock="-w"
iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT
iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT
iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

I ran /downitpables, then did 'sudo stop lxc-net', which succeeded. Then did 'sudo start lxc-net', which succeeded.

Changed in lxc (Ubuntu):
status: New → Incomplete
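The thread's fix is to append `|| true` to each delete. As an added example (not the lxc-net upstart job, Serge's script above, or the attached patch), the teardown below takes the other route: it probes each rule with `iptables -C` and only deletes what is present, so a missing rule is a no-op under `sh -e` and the rest of the stanza (bridge down, dnsmasq stop) still runs. It assumes the same rule set as Serge's script; `del_rule` and `teardown_rules` are names chosen here.

```shell
#!/bin/sh
# Added example, not the lxc-net upstart script: idempotent teardown of the
# lxc-net rules. upstart runs pre-start/post-stop under sh -e, so one failing
# `iptables -D` of an already-missing rule aborts the whole stanza and leaves
# lxcbr0 up, which is the failure this bug describes.
set -e

LXC_BRIDGE="${LXC_BRIDGE:-lxcbr0}"
LXC_NETWORK="${LXC_NETWORK:-10.0.3.0/24}"

# Use the xtables lock (-w) when this iptables supports it (same probe lxc-net uses).
use_iptables_lock="-w"
iptables -w -L -n >/dev/null 2>&1 || use_iptables_lock=""

# del_rule TABLE CHAIN RULE-SPEC...: delete the rule only if it exists.
# `iptables -C` exits 0 when a matching rule is present and non-zero otherwise
# (printing the "Bad rule" message seen in this bug), so the check is what
# keeps set -e from firing. Always returns 0; counts go to $deleted / $absent.
del_rule() {
    table="$1"; chain="$2"; shift 2
    if iptables $use_iptables_lock -t "$table" -C "$chain" "$@" 2>/dev/null; then
        iptables $use_iptables_lock -t "$table" -D "$chain" "$@"
        echo "deleted: $table $chain $*"
        deleted=$((deleted + 1))
    else
        echo "absent:  $table $chain $*"
        absent=$((absent + 1))
    fi
}

# Remove every rule lxc-net installs; partial state (e.g. after `iptables -F INPUT`)
# is handled because each rule is checked individually.
teardown_rules() {
    deleted=0; absent=0
    del_rule filter INPUT -i "$LXC_BRIDGE" -p udp --dport 67 -j ACCEPT
    del_rule filter INPUT -i "$LXC_BRIDGE" -p tcp --dport 67 -j ACCEPT
    del_rule filter INPUT -i "$LXC_BRIDGE" -p udp --dport 53 -j ACCEPT
    del_rule filter INPUT -i "$LXC_BRIDGE" -p tcp --dport 53 -j ACCEPT
    del_rule filter FORWARD -i "$LXC_BRIDGE" -j ACCEPT
    del_rule filter FORWARD -o "$LXC_BRIDGE" -j ACCEPT
    del_rule nat POSTROUTING -s "$LXC_NETWORK" ! -d "$LXC_NETWORK" -j MASQUERADE
    del_rule mangle POSTROUTING -o "$LXC_BRIDGE" -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
    echo "rules deleted=$deleted absent=$absent"
}

# Only touch the live firewall when invoked as `sh teardown.sh run` (needs root).
if [ "${1:-}" = "run" ]; then
    teardown_rules
fi
```

Run it twice in a row on a Trusty host: the second run reports every rule as absent and still exits 0, which is exactly what the upstart post-stop needs.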
Revision history for this message
Daniel Dehennin (launchpad-baby-gnu) wrote :

Hello,

* Distribution Trusty Tahr
* lxc version 1.0.7-0ubuntu0.1

Steps to reproduce:

1) fresh boot, bridge is up and running
2) sudo iptables -F INPUT
3) sudo stop lxc-net
    stop: Job failed while stopping
4) ip link show lxcbr0
3: lxcbr0: <BROADCAST,MULTICAST> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
    link/ether ca:ca:b6:d1:d4:26 brd ff:ff:ff:ff:ff:ff

So the bridge is not stopped correctly and recovering is difficult.

Regards.

Changed in lxc (Ubuntu):
importance: Undecided → High
status: Incomplete → Triaged
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Thanks - a patch has been sent upstream and should be in 1.0.8 in trusty soon.

Changed in lxc (Ubuntu):
status: Triaged → Fix Committed
Changed in lxc (Ubuntu):
status: Fix Committed → Fix Released
Changed in lxc (Ubuntu Trusty):
status: New → In Progress
Revision history for this message
Chris J Arges (arges) wrote : Please test proposed package

Hello Daniel, or anyone else affected,

Accepted lxc into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lxc/1.0.8-0ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lxc (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed
Mathew Hodson (mhodson)
Changed in lxc (Ubuntu Trusty):
importance: Undecided → High
Revision history for this message
Daniel Dehennin (launchpad-baby-gnu) wrote :

I just tested the proposed package version 1.0.8-0ubuntu0.1 and it fixes my issue.

Thanks a lot

tags: added: verification-done
removed: verification-needed
Revision history for this message
Chris J Arges (arges) wrote :

Hello Daniel, or anyone else affected,

Accepted lxc into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lxc/1.0.8-0ubuntu0.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: removed: verification-done
tags: added: verification-needed
Revision history for this message
Daniel Dehennin (launchpad-baby-gnu) wrote :

I just tested the proposed package version 1.0.8-0ubuntu0.2 and it fixes my issue.

Thanks a lot.

tags: added: verification-done
removed: verification-needed
Revision history for this message
Chris J Arges (arges) wrote :

Hello Daniel, or anyone else affected,

Accepted lxc into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lxc/1.0.8-0ubuntu0.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: removed: verification-done
tags: added: verification-needed
tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 1.0.8-0ubuntu0.3

---------------
lxc (1.0.8-0ubuntu0.3) trusty; urgency=medium

  * Cherry-pick from upstream:
    - Fix preserve_ns to work on < 3.8 kernels. (LP: #1516971)

lxc (1.0.8-0ubuntu0.2) trusty; urgency=medium

  * Cherry-pick from upstream:
    - Fix ubuntu-cloud template to detect compression algorithm instead
      of hardcoding xz. Also update list of supported releases and use trusty
      as the fallback release. (LP: #1515463)
  * Update lxc-tests description to make it clear that this package is
    meant to be used by developers and by automated testing.

lxc (1.0.8-0ubuntu0.1) trusty; urgency=medium

  * New upstream bugfix release. (MRE tracking bug: LP: #1514623)
    (LP: #1429140)
    - Changelog at: https://linuxcontainers.org/lxc/news/
  * Drop proxy detection from the autopkgtest exercise script.
  * Add patch:
    - 0001-Trusty-Swap-out-the-CVE-2015-1335-fix-with-the-trust.patch
      This is a patch by Serge Hallyn to cope with the trusty 3.13 kernel.
      It updates the upstream CVE fix to the version which trusty ended
      up with after the few rounds of fixes.

 -- Stéphane Graber <email address hidden> Wed, 18 Nov 2015 13:42:07 -0500

Changed in lxc (Ubuntu Trusty):
status: Fix Committed → Fix Released
Revision history for this message
Stéphane Graber (stgraber) wrote : Update Released

The verification of the Stable Release Update for lxc has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
