netfilter: nf_conntrack: resolve clash for matching conntracks

Bug #1795493 reported by Joshua R. Poulson
Affects: linux-azure (Ubuntu); Importance: Undecided; Assigned to: Unassigned
Affects: Bionic; Importance: Undecided; Assigned to: Unassigned
Affects: Cosmic; Importance: Undecided; Assigned to: Unassigned

Bug Description

Per https://www.weave.works/blog/racy-conntrack-and-dns-lookup-timeouts, Kubernetes users are seeing DNS lookups from Pods taking 5 or more seconds.

Please pick up the following patches to netfilter:
http://patchwork.ozlabs.org/patch/937963/
http://patchwork.ozlabs.org/patch/952939/

Joshua R. Poulson (jrp)
Changed in linux-azure (Ubuntu):
status: New → Confirmed
Marcelo Cerri (mhcerri) wrote :
Changed in linux-azure (Ubuntu Bionic):
status: New → In Progress
status: In Progress → Fix Committed
Changed in linux-azure (Ubuntu Cosmic):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-azure - 4.15.0-1030.31

---------------
linux-azure (4.15.0-1030.31) bionic; urgency=medium

  * linux-azure: 4.15.0-1030.31 -proposed tracker (LP: #1800692)

  * netfilter: nf_conntrack: resolve clash for matching conntracks
    (LP: #1795493)
    - SAUCE: netfilter: nf_conntrack: resolve clash for matching conntracks
    - SAUCE: netfilter: nf_nat: return the same reply tuple for matching CTs

 -- Marcelo Henrique Cerri <email address hidden> Tue, 30 Oct 2018 15:00:38 -0300

Changed in linux-azure (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-azure - 4.18.0-1006.6

---------------
linux-azure (4.18.0-1006.6) cosmic; urgency=medium

  * linux-azure: 4.18.0-1006.6 -proposed tracker (LP: #1805244)

  * Accelerated networking (SR-IOV VF) broken in 18.10 daily (LP: #1794477)
    - [Packaging] Move pci-hyperv and autofs4 back to linux-modules

linux-azure (4.18.0-1005.5) cosmic; urgency=medium

  * linux-azure: 4.18.0-1005.5 -proposed tracker (LP: #1802752)

  * [Hyper-V] Fix IRQ spreading on NVMe devices with lower numbers of channels
    (LP: #1802358)
    - SAUCE: genirq/affinity: Spread IRQs to all available NUMA nodes
    - SAUCE: irq/matrix: Split out the CPU selection code into a helper
    - SAUCE: irq/matrix: Spread managed interrupts on allocation
    - SAUCE: genirq/matrix: Improve target CPU selection for managed interrupts.

  [ Ubuntu: 4.18.0-12.13 ]

  * linux: 4.18.0-12.13 -proposed tracker (LP: #1802743)
  * [FEAT] Guest-dedicated Crypto Adapters (LP: #1787405)
    - s390/zcrypt: Add ZAPQ inline function.
    - s390/zcrypt: Review inline assembler constraints.
    - s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.
    - s390/zcrypt: fix ap_instructions_available() returncodes
    - KVM: s390: vsie: simulate VCPU SIE entry/exit
    - KVM: s390: introduce and use KVM_REQ_VSIE_RESTART
    - KVM: s390: refactor crypto initialization
    - s390: vfio-ap: base implementation of VFIO AP device driver
    - s390: vfio-ap: register matrix device with VFIO mdev framework
    - s390: vfio-ap: sysfs interfaces to configure adapters
    - s390: vfio-ap: sysfs interfaces to configure domains
    - s390: vfio-ap: sysfs interfaces to configure control domains
    - s390: vfio-ap: sysfs interface to view matrix mdev matrix
    - KVM: s390: interface to clear CRYCB masks
    - s390: vfio-ap: implement mediated device open callback
    - s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl
    - s390: vfio-ap: zeroize the AP queues
    - s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl
    - KVM: s390: Clear Crypto Control Block when using vSIE
    - KVM: s390: vsie: Do the CRYCB validation first
    - KVM: s390: vsie: Make use of CRYCB FORMAT2 clear
    - KVM: s390: vsie: Allow CRYCB FORMAT-2
    - KVM: s390: vsie: allow CRYCB FORMAT-1
    - KVM: s390: vsie: allow CRYCB FORMAT-0
    - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1
    - KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2
    - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2
    - KVM: s390: device attrs to enable/disable AP interpretation
    - KVM: s390: CPU model support for AP virtualization
    - s390: doc: detailed specifications for AP virtualization
    - KVM: s390: fix locking for crypto setting error path
    - KVM: s390: Tracing APCB changes
    - s390: vfio-ap: setup APCB mask using KVM dedicated function
    - [Config:] Enable CONFIG_S390_AP_IOMMU and set CONFIG_VFIO_AP to module.
  * Bypass of mount visibility through userns + mount propagation (LP: #1789161)
    - mount: Retest MNT_LOCKED in do_umount
    - mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts
  * CVE-2018-18955: nested user namespaces with more than fiv...

Changed in linux-azure (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Changed in linux-azure (Ubuntu):
status: Fix Committed → Fix Released
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Andy Whitcroft (apw)
tags: added: kernel-fixup-verification-needed-bionic
removed: verification-needed-bionic
Andy Whitcroft (apw) wrote :

This bug was erroneously marked for verification in bionic; verification is not required and verification-needed-bionic is being removed.

tags: added: verification-done-bionic