magic-proxy broke with iptables 1.8.7-1ubuntu2
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| launchpad-buildd | Invalid | Undecided | Unassigned | |
| iptables (Ubuntu) | Invalid | Undecided | Unassigned | |
| iptables (Ubuntu Bionic) | Invalid | Undecided | Unassigned | |
| iptables (Ubuntu Focal) | Invalid | Undecided | Unassigned | |
| iptables (Ubuntu Hirsute) | Invalid | Undecided | Unassigned | |
| livecd-rootfs (Ubuntu) | Fix Released | Undecided | Unassigned | |
| livecd-rootfs (Ubuntu Bionic) | Invalid | Undecided | Thomas Bechtold | |
| livecd-rootfs (Ubuntu Focal) | Fix Released | Undecided | Thomas Bechtold | |
| livecd-rootfs (Ubuntu Hirsute) | Fix Released | Undecided | Thomas Bechtold | |
| lxd (Ubuntu) | Invalid | Undecided | Unassigned | |
| lxd (Ubuntu Bionic) | Invalid | Undecided | Unassigned | |
| lxd (Ubuntu Focal) | Invalid | Undecided | Unassigned | |
| lxd (Ubuntu Hirsute) | Invalid | Undecided | Unassigned | |
Bug Description
[Impact]
The fixes for this bug (including the fixes for LP:#1944906) need to be backported to hirsute, focal and bionic to be able to re-enable the "repo-snapshot-
[Test Plan]
- build a livecd-rootfs image with the changes for every series in a PPA
- Build an image with the livecd-rootfs from the PPA and enable the repo-snapshot-stamp feature
- Check that the build did not fail or hang
[Where problems could occur]
The code path that will be changed is only executed in livecd-rootfs if the repo-snapshot-stamp feature is enabled, and that feature is currently broken, so it shouldn't be enabled anywhere.
[Original description]
when iptables got upgraded from 1.8.5-3ubuntu4 to 1.8.7-1ubuntu2 magic proxy stopped working in livecd-rootfs.
It does a very simple thing:
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon -j REDIRECT --to 8080
inside a hirsute lxd container, with quite high privileges, in a bionic VM running a 4.15 kernel.
With 1.8.5 the above worked fine; with 1.8.7 there was somehow no outbound connectivity: the very first HTTP networking command after the above call would just hang indefinitely.
However, if one does this instead:
iptables -vv -t nat -S
iptables-legacy -vv -t nat -S
iptables -vv -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon -j REDIRECT --to 8080
somehow magically everything starts to work fine.
weird.
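An added diagnostic script (not from the bug report, livecd-rootfs or Launchpad) for the situation described above: it reports which iptables backend the `iptables` command uses and in which backend(s) the magic-proxy REDIRECT rule actually landed, since a rule added into one backend while the other one also carries rules is the first thing to check when the rule looks fine but HTTP hangs. It assumes both `iptables-nft` and `iptables-legacy` are installed and, for the live part, root; the nat dump embedded in it is constructed.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the bug report or of livecd-rootfs.
# It tells apart the nf_tables and legacy iptables backends and checks in
# which backend(s) the magic-proxy REDIRECT rule landed. The text helpers
# take dumps as arguments so they can be exercised without root.

# Constructed sample of `iptables -t nat -S` output after adding the rule
# from the report (the save format prints the uid numerically; daemon is uid 1).
SAMPLE_NAT_DUMP='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner 1 -j REDIRECT --to-ports 8080'

# Extract the backend name from `iptables -V`, e.g. "iptables v1.8.7 (nf_tables)".
backend_of() {
    printf '%s\n' "$1" | sed -n 's/.*(\([a-z_]*\)).*/\1/p'
}

# Succeed if a nat dump contains the magic-proxy redirect: OUTPUT chain,
# tcp dport 80, REDIRECT to local port 8080.
has_redirect_rule() {
    printf '%s\n' "$1" | grep -e '^-A OUTPUT ' | grep -e '--dport 80 ' |
        grep -e '-j REDIRECT --to-ports 8080' >/dev/null
}

# Number of rules (-A lines) in a dump; rules present in both backends at
# once is the situation worth noticing.
rule_count() {
    printf '%s\n' "$1" | grep -c -e '^-A ' || true
}

# Live check, only when run as root with `--run`: report the backend, the
# rule count per backend, where the redirect rule lives, and whether an HTTP
# fetch completes instead of hanging (exit 124 from timeout means it hung).
if [ "${1:-}" = "--run" ] && command -v iptables >/dev/null 2>&1; then
    echo "backend: $(backend_of "$(iptables -V)")"
    nft_dump=$(iptables-nft -t nat -S 2>/dev/null || true)
    legacy_dump=$(iptables-legacy -t nat -S 2>/dev/null || true)
    echo "nat rules: nf_tables=$(rule_count "$nft_dump") legacy=$(rule_count "$legacy_dump")"
    has_redirect_rule "$nft_dump" && echo "redirect rule present in nf_tables backend"
    has_redirect_rule "$legacy_dump" && echo "redirect rule present in legacy backend"
    timeout 15 wget -q -O /dev/null http://www.google.com/
    echo "http fetch exit status: $?"
fi
```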
Related branches
- Branch 1: diff 308 lines (+140/-51), 2 files modified: live-build/auto/build (+17/-1), magic-proxy (+123/-50). Review: Ubuntu Core Development Team, pending (requested).
- Branch 2: diff 308 lines (+140/-51), 2 files modified: live-build/auto/build (+17/-1), magic-proxy (+123/-50). Review: Ubuntu Core Development Team, pending (requested).
- Branch 3: diff 301 lines (+134/-51), 2 files modified: live-build/auto/build (+17/-1), magic-proxy (+117/-50). Reviews: Pat Viafore (community): Needs Fixing; Ubuntu Core Development Team, pending (requested).
summary: magic-proxy broke with 1.8.7-1ubuntu2 → magic-proxy broke with iptables 1.8.7-1ubuntu2
tags: added: hirsute
affects: launchpad → launchpad-buildd
Changed in lxd (Ubuntu): status: New → Invalid
Changed in iptables (Ubuntu): status: New → Invalid
Changed in launchpad-buildd: status: New → Invalid
description: updated
description: updated
Changed in iptables (Ubuntu Bionic): status: New → Invalid
Changed in iptables (Ubuntu Focal): status: New → Invalid
Changed in iptables (Ubuntu Hirsute): status: New → Invalid
Changed in lxd (Ubuntu Bionic): status: New → Invalid
Changed in lxd (Ubuntu Focal): status: New → Invalid
Changed in lxd (Ubuntu Hirsute): status: New → Invalid
Changed in livecd-rootfs (Ubuntu Hirsute): assignee: nobody → Thomas Bechtold (toabctl)
Changed in livecd-rootfs (Ubuntu Focal): assignee: nobody → Thomas Bechtold (toabctl)
Changed in livecd-rootfs (Ubuntu Bionic): assignee: nobody → Thomas Bechtold (toabctl)
I tried to reproduce this in an up-to-date bionic VM as follows:
# inside the bionic VM
sudo snap install lxd
sudo lxd init # accept defaults
sudo lxc launch ubuntu-daily:hirsute hirsute
sudo lxc exec hirsute /bin/bash
# then inside the hirsute container install livecd-rootfs
apt update
apt install livecd-rootfs
# http works as expected with no changes
wget -q www.google.com -O/dev/null && echo Working || echo Failed
Working # works as expected with no iptables rule
# add iptables rule manually
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon \
    -j REDIRECT --to 8080
# now we expect it to fail as there is no magic-proxy running yet
wget -q www.google.com -O/dev/null && echo Working || echo Failed
Failed
# start the magic-proxy manually
/usr/share/livecd-rootfs/magic-proxy \
    --address="127.0.0.1" \
    --run-as=daemon \
    --cutoff-time=0 \
    --log-file=livecd.magic-proxy.log \
    --pid-file=magic-proxy.pid \
    --port=8080 \
    --background \
    --setsid
# wget works as expected via the proxy
wget -q www.google.com -O/dev/null && echo Working || echo Failed
Working
# kill the proxy
killall magic-proxy
# fails again
wget -q www.google.com -O/dev/null && echo Working || echo Failed
Failed
# remove iptables rule
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon \
    -j REDIRECT --to 8080
# works as normal
wget -q www.google.com -O/dev/null && echo Working || echo Failed
Working