iptables-persistent fails in containers due to modprobe being unavailable even though module could've been loaded outside of the container

Bug #1820144 reported by WGH
Affects                       Status        Importance  Assigned to   Milestone
iptables-persistent (Ubuntu)  Fix Released  Medium      Unassigned
Bionic                        Fix Released  Medium      Thomas Ward
Cosmic                        Fix Released  Medium      Thomas Ward

Bug Description

[Impact]

The `iptables-persistent` package, when loaded into a container, can fail to install or configure because of a call to modprobe, which containers cannot access or utilize and which therefore returns a failure code. This prevents the scripts from operating as expected. This also appears to be a duplicate of #1002078 which was reintroduced by code changes.

[Test Case]

(Salvaged from bug comments, works with LXD containers)

lxc launch ubuntu:18.04 x
lxc exec x apt update
lxc exec x apt install iptables-persistent
lxc exec x netfilter-persistent save

[Regression Potential]

The regression potential from the proposed changes is extremely small and limited. The changes here were implemented in the version of `iptables-persistent` in Disco and are upstream in origin, though this is a Native format package so it's right in the package where it's been altered.

[Other Information]

This package is a Native format package, therefore changes were made in the debdiff directly to the package, as it is not Quilt-patchable. The changes applied in the debdiffs were adjusted based on the version in Disco, which appends ` || true` to the modprobe line, so even if modprobe fails the script doesn't error out.

[Original Description]

/usr/share/netfilter-persistent/plugins.d/15-ip4tables contains two lines of interest:

set -e
/sbin/modprobe -q iptable_filter

modprobe failure causes entire script to exit with 1 status immediately.

Processes run inside of containers (such as LXC and LXD) can't really load modules, and kernel modules usually aren't even installed anyway:

root@t1:~# /sbin/modprobe iptable_filter
modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/4.15.0-46-generic/modules.dep.bin'
modprobe: FATAL: Module iptable_filter not found in directory /lib/modules/4.15.0-46-generic

However, iptables will generally work inside containers, provided that the required modules were loaded outside the container.

So instead of failing, I think modprobe errors should be just ignored (|| true).

This seems to be the same bug as #1002078, which apparently got reintroduced during code rewrite.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: netfilter-persistent 1.0.4+nmu2
ProcVersionSignature: Ubuntu 4.15.0-46.49-generic 4.15.18
Uname: Linux 4.15.0-46-generic x86_64
NonfreeKernelModules: xt_REDIRECT nf_nat_redirect xt_tcpudp iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack xt_addrtype iptable_filter binfmt_misc veth ebtable_filter ebtables bridge stp llc snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm input_leds joydev serio_raw snd_timer snd soundcore mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd qxl glue_helper ttm cryptd drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops psmouse sym53c8xx scsi_transport_spi drm virtio_blk pata_acpi i2c_piix4 virtio_net floppy
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
Date: Fri Mar 15 00:06:17 2019
PackageArchitecture: all
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=C.UTF-8
 SHELL=/bin/bash
SourcePackage: iptables-persistent
UpgradeStatus: No upgrade log present (probably fresh install)
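The `set -e` / modprobe interaction described above, as an added example that is not the package's own plugin code: a stubbed modprobe that always fails stands in for the container case, the plugin body is reduced to the modprobe line plus a placeholder for the iptables-restore step, and `filter_table_present` / `ensure_filter_table` (names and the `MODPROBE` override are assumptions of this example) show the check a maintainer can rely on instead of modprobe's exit code, namely whether the kernel actually lists the `filter` table in /proc/net/ip_tables_names (a real procfs file, read here from a path parameter so a constructed file can be used).

```shell
#!/bin/sh
# Added example, not code from the iptables-persistent package. Reproduces
# the "set -e aborts on a failed modprobe" behaviour offline and without
# root by stubbing modprobe; 'rules restored' stands in for iptables-restore.

# Run a plugin fragment in a fresh 'sh -e' process, as the real plugin script
# is run. $1 is the modprobe line under test. The stubbed modprobe always
# fails, which is what happens inside an LXC/LXD container.
run_plugin() {
    sh -ec '
        modprobe() {
            echo "modprobe: FATAL: Module $2 not found" >&2
            return 1
        }
        eval "$1"
        echo "rules restored"
    ' plugin "$1" 2>/dev/null
}

# Bionic/Cosmic plugin before the fix: under set -e the failed modprobe
# aborts the script before any rules are restored (exit status 1).
old_plugin() { run_plugin 'modprobe -q iptable_filter'; }

# After the fix: '|| true' makes the modprobe status irrelevant, so the
# restore step runs and the script exits 0.
new_plugin() { run_plugin 'modprobe -q iptable_filter || true'; }

# What the fix relies on: whether iptables works is decided by kernel state
# shared with the host, not by modprobe. The kernel lists registered tables
# in /proc/net/ip_tables_names; $1 overrides the path for testing.
filter_table_present() {
    tables_file="${1:-/proc/net/ip_tables_names}"
    [ -r "$tables_file" ] && grep -qx filter "$tables_file"
}

# Defensive form: attempt modprobe, ignore its status, then report whether
# the filter table is really usable. MODPROBE (assumed name) lets a caller
# substitute a stub; returns 0 when the table is registered, 1 otherwise.
ensure_filter_table() {
    tables_file="${1:-/proc/net/ip_tables_names}"
    "${MODPROBE:-modprobe}" -q iptable_filter 2>/dev/null || true
    if filter_table_present "$tables_file"; then
        return 0
    fi
    echo "filter table unavailable; rules cannot be restored" >&2
    return 1
}

# Stand-alone demonstration: sh plugin-demo.sh demo
if [ "${1:-}" = "demo" ]; then
    if old_plugin; then echo "old plugin: ok"; else echo "old plugin: aborted (status $?)"; fi
    if new_plugin; then echo "new plugin: ok"; else echo "new plugin: aborted (status $?)"; fi
fi
```

Running the script with the `demo` argument shows the old variant aborting with status 1 and printing nothing, while the fixed variant prints `rules restored`; `ensure_filter_table` is the stricter form, failing only when the kernel genuinely has no filter table rather than whenever modprobe cannot run.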

Revision history for this message
WGH (wgh) wrote :

Quick reproduction in LXD:

lxc launch ubuntu:18.04 x
lxc exec x apt update
lxc exec x apt install iptables-persistent
lxc exec x netfilter-persistent save

Revision history for this message
Thomas Ward (teward) wrote :

This only works if the iptables modules aren't loaded in the 'host' system, correct?

Revision history for this message
WGH (wgh) wrote :

> This only works if the iptables modules aren't loaded in the 'host' system, correct?

I don't get your question. iptables-persistent doesn't work in containers in both cases:

- When modules are not loaded. Since containers lack privileges to load them, this is not fixable.
- When modules are loaded, because iptables-persistent calls modprobe, which fails even when the required module is already loaded. This is what this bug report is about. The modprobe error can be ignored, as iptables-save and friends will work fine.

Revision history for this message
Thomas Ward (teward) wrote :

Checked this further in the code; this is what they're doing in the latest upstream in Disco. Marking as "Fix Released" for Disco as this is already solved there, going to check the Cosmic version next.

Can confirm for Bionic though.

Changed in iptables-persistent (Ubuntu):
status: New → Fix Released
Changed in iptables-persistent (Ubuntu Bionic):
status: New → Confirmed
Changed in iptables-persistent (Ubuntu Cosmic):
status: New → Confirmed
Revision history for this message
Thomas Ward (teward) wrote :

Confirmed, same issue affects Cosmic and is not fixed.

Changed in iptables-persistent (Ubuntu Bionic):
assignee: nobody → Thomas Ward (teward)
Changed in iptables-persistent (Ubuntu Cosmic):
assignee: nobody → Thomas Ward (teward)
Revision history for this message
Thomas Ward (teward) wrote :

Hello.

Can you please read through https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template and apply the template for SRU to your bug description? This is necessary before this can even be handled like an SRU.

I also have versions of this package with 'fixes' applied in https://launchpad.net/~teward/+archive/ubuntu/build-tests - if you can please test those versions to make sure they fix the issue, that'd be great. I also have debdiffs I will attach to this bug once you have applied the SRU template.

Revision history for this message
Thomas Ward (teward) wrote :
description: updated
Revision history for this message
Thomas Ward (teward) wrote :

Hello to all affected. I have provided debdiffs attached here, and subscribed the Sponsors team as I do not have direct upload for these packages. Once reviewed we can continue with the SRU process.

Mathew Hodson (mhodson)
Changed in iptables-persistent (Ubuntu):
importance: Undecided → High
Changed in iptables-persistent (Ubuntu Bionic):
importance: Undecided → High
Changed in iptables-persistent (Ubuntu Cosmic):
importance: Undecided → High
Mathew Hodson (mhodson)
Changed in iptables-persistent (Ubuntu):
importance: High → Medium
Changed in iptables-persistent (Ubuntu Bionic):
importance: High → Medium
Changed in iptables-persistent (Ubuntu Cosmic):
importance: High → Medium
Revision history for this message
WGH (wgh) wrote :

> Can you please read through https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template and apply the template for SRU to your bug description, please? This is necessary before this can even be handled like an SRU.

Is this still relevant?

Revision history for this message
Thomas Ward (teward) wrote :

WGH: no, because I applied it. Still have to wait for sponsors then the SRU team though. The process is not super quick unfortunately.

Revision history for this message
Robie Basak (racb) wrote :

I verified that the || true pattern is used in the modprobe call in the two files being patched here in 1.0.11 (via sources.debian.net), so this looks good to me.

Revision history for this message
Robie Basak (racb) wrote :

Uploaded Bionic and Cosmic debdiffs.

Changed in iptables-persistent (Ubuntu Bionic):
status: Confirmed → In Progress
Changed in iptables-persistent (Ubuntu Cosmic):
status: Confirmed → In Progress
Revision history for this message
Robie Basak (racb) wrote :

Thank you for driving these SRUs! A couple of minor comments that I didn't think it was worth blocking on:

I'd prefer ubuntu0.1 over ubuntu1 for SRUs. There isn't a hard policy on this, but it does make it clear that it's an SRU just from the version number, reduces the need to check for collisions (there can be none this time though) to only coincident version numbers across releases, and matches the recommendation linked from the SRU wiki page.

On the changelog entry, for SRUs specifically, I think it would be helpful to illustrate why a user would want to take the update, rather than just what is being changed, because apparently some users do read the changelogs. So I'd have added something about how this fixes the package when used in a container.

I didn't think that was enough reason to block you though, as this has been in the sponsorship queue long enough, so I uploaded.

Now awaiting SRU team review (which I can't do because I sponsored).

Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello WGH, or anyone else affected,

Accepted iptables-persistent into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/iptables-persistent/1.0.4+nmu2ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in iptables-persistent (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello WGH, or anyone else affected,

Accepted iptables-persistent into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/iptables-persistent/1.0.7ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in iptables-persistent (Ubuntu Cosmic):
status: In Progress → Fix Committed
tags: added: verification-needed-cosmic
WGH (wgh)
tags: added: verification-done-bionic
removed: verification-needed-bionic
Revision history for this message
WGH (wgh) wrote :

I've just tested the -proposed package on cosmic and bionic, works fine now.

tags: added: verification-done-cosmic
removed: verification-needed-cosmic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package iptables-persistent - 1.0.4+nmu2ubuntu1

---------------
iptables-persistent (1.0.4+nmu2ubuntu1) bionic; urgency=medium

  * plugins/{15-ip4tables,25-ip6tables}: Adjust plugins code to not hard-fail
    when a modprobe is unsuccessful. Similar behavior was implemented in
    later iptables versions upstream. (LP: #1820144)

 -- Thomas Ward <email address hidden> Thu, 21 Mar 2019 16:21:31 -0400

Changed in iptables-persistent (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for iptables-persistent has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package iptables-persistent - 1.0.7ubuntu1

---------------
iptables-persistent (1.0.7ubuntu1) cosmic; urgency=medium

  * plugins/{15-ip4tables,25-ip6tables}: Adjust plugins code to not hard-fail
    when a modprobe is unsuccessful. Similar behavior was implemented in
    later iptables versions upstream. (LP: #1820144)

 -- Thomas Ward <email address hidden> Thu, 21 Mar 2019 16:22:37 -0400

Changed in iptables-persistent (Ubuntu Cosmic):
status: Fix Committed → Fix Released