Andy Kurth created VCL-1056:
-------------------------------
Summary: Add checks/workarounds in iptables.pm if command fails because another process holds an xtables lock
Key: VCL-1056
URL: https://issues.apache.org/jira/browse/VCL-1056
Project: VCL
Issue Type: Improvement
Components: vcld (backend)
Reporter: Andy Kurth
Assignee: Andy Kurth
Fix For: 2.5
The backend iptables.pm module will only attempt a single iptables operation at
a time. However, if some external process is performing an iptables operation
the following problems may occur:
{noformat}
iptables.pm:get_table_info|1602| ---- WARNING ----
iptables.pm:get_table_info|1602| 2017-06-23 14:28:25
iptables.pm:get_table_info|1602| failed to list rules from 'filter' table on vcl-dc2-98-37.cjmattin, exit status: 4, command:
iptables.pm:get_table_info|1602| /sbin/iptables --list-rules --table filter
iptables.pm:get_table_info|1602| output:
iptables.pm:get_table_info|1602| Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
{noformat}
{noformat}
iptables.pm:create_chain|1221| ---- WARNING ----
iptables.pm:create_chain|1221| 2017-06-23 14:28:25
iptables.pm:create_chain|1221| failed to create 'vcl-post_load' chain in 'filter' table on vcl-dc2-98-37.cjmattin, exit status: 4, command:
iptables.pm:create_chain|1221| /sbin/iptables --new-chain vcl-post_load --table filter
iptables.pm:create_chain|1221| output:
iptables.pm:create_chain|1221| Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
{noformat}
{noformat}
iptables.pm:_insert_rule|782| ---- WARNING ----
iptables.pm:_insert_rule|782| 2017-06-23 14:28:25
iptables.pm:_insert_rule|782| failed to add iptables rule to INPUT chain in filter table on vcl-dc2-98-37.cjmattin, exit status: 4, command:
iptables.pm:_insert_rule|782| /sbin/iptables --insert INPUT --table filter --jump vcl-post_load --match comment --comment "VCL: jump to rules added during the post-load stage (2017-06-23 14:28:25)"
iptables.pm:_insert_rule|782| output:
iptables.pm:_insert_rule|782| Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
{noformat}
I have seen this on an image which is using Puppet for additional configuration.
The -w option does this:
{panel}
-w, --wait \[seconds\]
Wait for the xtables lock. To prevent multiple instances of the
program from running concurrently, an attempt will be made to obtain an
exclusive lock at launch. By default, the program will exit if the lock
cannot be obtained. This
option will make the program wait (indefinitely or for optional
seconds) until the exclusive lock can be obtained.
{panel}
We cannot simply add the -w option to every iptables command because earlier
versions of iptables do not support it. A check for _-w option_ in the output
could be added. If it is present, try again with _-w_.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
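The retry logic proposed in the issue (run the command once; only if the output shows that another process holds the xtables lock, run it again with -w), written out as a POSIX shell wrapper. This is an added example, not code from VCL's iptables.pm or from the reporter; the Perl module would do the equivalent around its existing command execution. The IPTABLES and XTABLES_LOCK_WAIT variable names are this example's own. The "-w seconds" form is only understood by iptables builds whose man page shows "-w, --wait [seconds]" as quoted above; older builds that print the lock message accept a bare -w only, so the wait bound is opt-in and a bare -w is used by default.

```shell
#!/bin/sh
# Added example, not VCL code: wrap one iptables invocation so that the
# "Another app is currently holding the xtables lock" failure is retried once
# with -w, while every other failure is passed through unchanged.
#
# Assumptions (not from the issue): IPTABLES can be overridden to point at a
# different binary, and XTABLES_LOCK_WAIT, when non-empty, is the number of
# seconds handed to -w on the retry so a stuck lock holder cannot block the
# caller forever. Leave it empty on iptables builds whose -w takes no argument.
IPTABLES="${IPTABLES:-/sbin/iptables}"
XTABLES_LOCK_WAIT="${XTABLES_LOCK_WAIT:-}"

# xtables_lock_failure OUTPUT
# True when OUTPUT contains the lock message iptables prints (the log in the
# issue shows it together with exit status 4). Matching the message instead of
# adding -w unconditionally keeps iptables builds without -w working.
xtables_lock_failure() {
    printf '%s\n' "$1" | grep -q 'holding the xtables lock'
}

# run_iptables ARGS...
# Runs "$IPTABLES ARGS..." once. On a lock failure, retries once with -w
# (bounded by XTABLES_LOCK_WAIT if set) prepended to the same arguments.
# Prints the final output (stdout and stderr merged) and returns the final
# exit status, so callers still see failures that are not lock contention.
# Written to be safe under "set -e": a failing command substitution is part
# of an || list, so it records the status instead of aborting the shell.
run_iptables() {
    status=0
    out=$("$IPTABLES" "$@" 2>&1) || status=$?
    if [ "$status" -ne 0 ] && xtables_lock_failure "$out"; then
        status=0
        if [ -n "$XTABLES_LOCK_WAIT" ]; then
            out=$("$IPTABLES" -w "$XTABLES_LOCK_WAIT" "$@" 2>&1) || status=$?
        else
            out=$("$IPTABLES" -w "$@" 2>&1) || status=$?
        fi
    fi
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
    fi
    return "$status"
}

# Example call (needs root and a real iptables), mirroring the first command
# in the issue's log:
#   run_iptables --list-rules --table filter
```

Only the lock message triggers the retry; an unrelated error such as a missing chain is returned with its original exit status after a single attempt, so the wrapper never masks a real failure as a transient one.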