Date | Who | What | Old value | New value | Message
2019-03-15 00:38:11 | WGH | bug | | | added bug
2019-03-19 22:50:29 | Thomas Ward | nominated for series | | Ubuntu Bionic |
2019-03-19 22:50:29 | Thomas Ward | bug task added | | iptables-persistent (Ubuntu Bionic) |
2019-03-19 22:51:11 | Thomas Ward | iptables-persistent (Ubuntu): status | New | Fix Released |
2019-03-19 22:51:14 | Thomas Ward | iptables-persistent (Ubuntu Bionic): status | New | Confirmed |
2019-03-19 22:52:12 | Thomas Ward | nominated for series | | Ubuntu Cosmic |
2019-03-19 22:52:12 | Thomas Ward | bug task added | | iptables-persistent (Ubuntu Cosmic) |
2019-03-19 22:52:21 | Thomas Ward | iptables-persistent (Ubuntu Cosmic): status | New | Confirmed |
2019-03-19 22:54:21 | Thomas Ward | iptables-persistent (Ubuntu Bionic): assignee | | Thomas Ward (teward) |
2019-03-19 22:54:22 | Thomas Ward | iptables-persistent (Ubuntu Cosmic): assignee | | Thomas Ward (teward) |
2019-03-26 12:35:44 | Thomas Ward | description |
Old value:
/usr/share/netfilter-persistent/plugins.d/15-ip4tables contains two lines of interest:
    set -e
    /sbin/modprobe -q iptable_filter
A modprobe failure causes the entire script to exit immediately with status 1.
Processes run inside containers (such as LXC and LXD) can't really load modules, and kernel modules usually aren't even installed anyway:
    root@t1:~# /sbin/modprobe iptable_filter
    modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/4.15.0-46-generic/modules.dep.bin'
    modprobe: FATAL: Module iptable_filter not found in directory /lib/modules/4.15.0-46-generic
However, iptables will generally work inside containers, provided that the required modules were loaded outside the container.
So instead of failing, I think modprobe errors should just be ignored (|| true).
This seems to be the same bug as #1002078, which apparently got reintroduced during a code rewrite.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: netfilter-persistent 1.0.4+nmu2
ProcVersionSignature: Ubuntu 4.15.0-46.49-generic 4.15.18
Uname: Linux 4.15.0-46-generic x86_64
NonfreeKernelModules: xt_REDIRECT nf_nat_redirect xt_tcpudp iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack xt_addrtype iptable_filter binfmt_misc veth ebtable_filter ebtables bridge stp llc snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm input_leds joydev serio_raw snd_timer snd soundcore mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd qxl glue_helper ttm cryptd drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops psmouse sym53c8xx scsi_transport_spi drm virtio_blk pata_acpi i2c_piix4 virtio_net floppy
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
Date: Fri Mar 15 00:06:17 2019
PackageArchitecture: all
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=C.UTF-8
SHELL=/bin/bash
SourcePackage: iptables-persistent
UpgradeStatus: No upgrade log present (probably fresh install)

New value:
[Impact]
The `iptables-persistent` package, when loaded into a container, can fail to install or configure due to a call to modprobe, which containers cannot access or utilize and which will result in a failure code. This prevents the scripts from operating as expected. This also appears to be a duplicate of #1002078 but, due to code changes, was reintroduced.
[Test Case]
(Salvaged from bug comments, works with LXD containers)
    lxc launch ubuntu:18.04 x
    lxc exec x apt update
    lxc exec x apt install iptables-persistent
    lxc exec x netfilter-persistent save
[Regression Potential]
The regression potential from the proposed changes is extremely small and limited. The changes here were implemented in the version of `iptables-persistent` in Disco and are upstream in origin, though this is a Native format package, so it's right in the package where it's been altered.
[Other Information]
This package is a Native format package; therefore changes were made in the debdiff directly to the package, as it is not Quilt-patchable. The changes applied in the debdiffs were adjusted based on the version in Disco, which appends ` || true` to the modprobe line, so even if modprobe fails the script doesn't error out.
[Original Description]
/usr/share/netfilter-persistent/plugins.d/15-ip4tables contains two lines of interest:
    set -e
    /sbin/modprobe -q iptable_filter
A modprobe failure causes the entire script to exit immediately with status 1.
Processes run inside containers (such as LXC and LXD) can't really load modules, and kernel modules usually aren't even installed anyway:
    root@t1:~# /sbin/modprobe iptable_filter
    modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/4.15.0-46-generic/modules.dep.bin'
    modprobe: FATAL: Module iptable_filter not found in directory /lib/modules/4.15.0-46-generic
However, iptables will generally work inside containers, provided that the required modules were loaded outside the container.
So instead of failing, I think modprobe errors should just be ignored (|| true).
This seems to be the same bug as #1002078, which apparently got reintroduced during a code rewrite.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: netfilter-persistent 1.0.4+nmu2
ProcVersionSignature: Ubuntu 4.15.0-46.49-generic 4.15.18
Uname: Linux 4.15.0-46-generic x86_64
NonfreeKernelModules: xt_REDIRECT nf_nat_redirect xt_tcpudp iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack xt_addrtype iptable_filter binfmt_misc veth ebtable_filter ebtables bridge stp llc snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm input_leds joydev serio_raw snd_timer snd soundcore mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd qxl glue_helper ttm cryptd drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops psmouse sym53c8xx scsi_transport_spi drm virtio_blk pata_acpi i2c_piix4 virtio_net floppy
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
Date: Fri Mar 15 00:06:17 2019
PackageArchitecture: all
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=C.UTF-8
SHELL=/bin/bash
SourcePackage: iptables-persistent
UpgradeStatus: No upgrade log present (probably fresh install)
2019-03-26 12:36:19 | Thomas Ward | attachment added | | iptables-persistent debdiff for Cosmic for bug 1820144 https://bugs.launchpad.net/ubuntu/+source/iptables-persistent/+bug/1820144/+attachment/5249445/+files/lp1820144_cosmic.debdiff |
2019-03-26 12:36:38 | Thomas Ward | attachment added | | iptables-persistent debdiff for Bionic for bug 1820144 https://bugs.launchpad.net/ubuntu/+source/iptables-persistent/+bug/1820144/+attachment/5249446/+files/lp1820144_bionic.debdiff |
2019-03-26 12:36:48 | Thomas Ward | bug | | | added subscriber Ubuntu Sponsors Team
2019-03-31 21:24:45 | Mathew Hodson | iptables-persistent (Ubuntu): importance | Undecided | High |
2019-03-31 21:24:47 | Mathew Hodson | iptables-persistent (Ubuntu Bionic): importance | Undecided | High |
2019-03-31 21:24:50 | Mathew Hodson | iptables-persistent (Ubuntu Cosmic): importance | Undecided | High |
2019-03-31 21:34:01 | Mathew Hodson | iptables-persistent (Ubuntu): importance | High | Medium |
2019-03-31 21:34:03 | Mathew Hodson | iptables-persistent (Ubuntu Bionic): importance | High | Medium |
2019-03-31 21:34:06 | Mathew Hodson | iptables-persistent (Ubuntu Cosmic): importance | High | Medium |
2019-04-12 11:10:49 | Robie Basak | iptables-persistent (Ubuntu Bionic): status | Confirmed | In Progress |
2019-04-12 11:10:51 | Robie Basak | iptables-persistent (Ubuntu Cosmic): status | Confirmed | In Progress |
2019-04-12 11:10:57 | Robie Basak | removed subscriber Ubuntu Sponsors Team | | |
2019-05-04 04:40:47 | Steve Langasek | iptables-persistent (Ubuntu Bionic): status | In Progress | Fix Committed |
2019-05-04 04:40:50 | Steve Langasek | bug | | | added subscriber Ubuntu Stable Release Updates Team
2019-05-04 04:40:51 | Steve Langasek | bug | | | added subscriber SRU Verification
2019-05-04 04:40:54 | Steve Langasek | tags | amd64 apport-bug bionic uec-images | amd64 apport-bug bionic uec-images verification-needed verification-needed-bionic |
2019-05-28 17:41:06 | Brian Murray | iptables-persistent (Ubuntu Cosmic): status | In Progress | Fix Committed |
2019-05-28 17:41:12 | Brian Murray | tags | amd64 apport-bug bionic uec-images verification-needed verification-needed-bionic | amd64 apport-bug bionic uec-images verification-needed verification-needed-bionic verification-needed-cosmic |
2019-06-03 18:24:50 | WGH | tags | amd64 apport-bug bionic uec-images verification-needed verification-needed-bionic verification-needed-cosmic | amd64 apport-bug bionic uec-images verification-done-bionic verification-needed verification-needed-cosmic |
2019-06-03 18:31:49 | WGH | tags | amd64 apport-bug bionic uec-images verification-done-bionic verification-needed verification-needed-cosmic | amd64 apport-bug bionic uec-images verification-done-bionic verification-done-cosmic verification-needed |
2019-06-05 01:10:38 | Launchpad Janitor | iptables-persistent (Ubuntu Bionic): status | Fix Committed | Fix Released |
2019-06-05 01:10:45 | Chris Halse Rogers | removed subscriber Ubuntu Stable Release Updates Team | | |
2019-06-05 01:11:00 | Launchpad Janitor | iptables-persistent (Ubuntu Cosmic): status | Fix Committed | Fix Released |