** Description changed:
+ SRU Justification
+
+ Impact: iptables-save fails in lxd containers due to the ownership of
+ /proc/net/ip_tables_names. This command is needed to manage firewalls in
+ containers using Puppet.
+
+ Fix: Upstream commit f13f2aeed154da8e48f90b85e720f8ba39b1e881
+ ("netfilter: Set /proc/net entries owner to root in namespace") which
+ sets ownership for /proc/net files to root in the user ns which owns the
+ net ns.
+
+ Test Case: Script attached to this bug report. Before the fix no output
+ will be seen from iptables-save; after the fix it will output the
+ iptables rules.
+
+ ---
+
Request to backport Kernel changes from Kernel 4.5 to lts kernel 4.4 for
xenial and if possible to lts kernel for 14.04
Change upstream:
netfilter: Set /proc/net entries owner to root in namespace
http://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/commit/?id=f13f2aeed154da8e48f90b85e720f8ba39b1e881
This is the Kernel-side part of the fix for "iptables-save does not work
inside lxd containers"
https://github.com/lxc/lxd/issues/1978#issuecomment-220998013
The necessary changes in lxc landed in lxc/lxd
https://github.com/lxc/lxc/pull/1014 and is available in version 2.0.1,
currently in xenial-proposed.
It would be great if this would be backported asap. As it allows to
manage the firewall within lxd instances using Puppet and probably other
configuration management systems. And to use iptables-save manually
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1584953
Title:
backport fix for /proc/net issues with containers
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1584953/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
