** Description changed:

+ [Impact]
+ 
+ The `iptables-persistent` package when loaded into a container can fail
+ to install or configure due to a call to modprobe, which containers
+ cannot access or utilize, which will result in a failure code. This
+ prevents the scripts from operating as expected. This also appears to
+ be a duplicate of #1002078 but due to code changes was reintroduced.
+ 
+ [Test Case]
+ 
+ (Salvaged from bug comments, works with LXD containers)
+ 
+ lxc launch ubuntu:18.04 x
+ lxc exec x apt update
+ lxc exec x apt install iptables-persistent
+ lxc exec x netfilter-persistent save
+ 
+ [Regression Potential]
+ 
+ The regression potential from the proposed changes is extremely small
+ and limited. The changes here were implemented in the version of
+ `iptables-persistent` in Disco and are upstream in origin, though this
+ is a Native format package so it's right in the package where it's been
+ altered.
+ 
+ [Other Information]
+ 
+ This package is a Native format package, therefore changes were made in
+ the debdiff directly to the package, as it is not Quilt-patchable. The
+ changes applied in the debdiffs were adjusted based on the version in
+ Disco, which appends ` || true` to the modprobe line, so even if
+ modprobe fails the script doesn't error out.
+ 
+ [Original Description]
+ 
  /usr/share/netfilter-persistent/plugins.d/15-ip4tables contains two lines of interest:
  
  set -e
  /sbin/modprobe -q iptable_filter
  
  modprobe failure causes entire script to exit with 1 status immediately.
  
  Processes run inside of containers (such as LXC and LXD) can't really load modules, and kernel modules usually aren't even installed anyway:
  
  root@t1:~# /sbin/modprobe iptable_filter
  modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/4.15.0-46-generic/modules.dep.bin'
  modprobe: FATAL: Module iptable_filter not found in directory /lib/modules/4.15.0-46-generic
  
  However, iptables will generally work inside containers, provided that the required modules were loaded outside the container. So instead of failing, I think modprobe errors should be just ignored (|| true).
  
  This seems to be the same bug as #1002078, which apparently got reintroduced during code rewrite.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: netfilter-persistent 1.0.4+nmu2
  ProcVersionSignature: Ubuntu 4.15.0-46.49-generic 4.15.18
  Uname: Linux 4.15.0-46-generic x86_64
  NonfreeKernelModules: xt_REDIRECT nf_nat_redirect xt_tcpudp iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack xt_addrtype iptable_filter binfmt_misc veth ebtable_filter ebtables bridge stp llc snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm input_leds joydev serio_raw snd_timer snd soundcore mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd qxl glue_helper ttm cryptd drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops psmouse sym53c8xx scsi_transport_spi drm virtio_blk pata_acpi i2c_piix4 virtio_net floppy
  ApportVersion: 2.20.9-0ubuntu7.6
  Architecture: amd64
  Date: Fri Mar 15 00:06:17 2019
  PackageArchitecture: all
  ProcEnviron:
-  TERM=xterm-256color
-  PATH=(custom, no user)
-  XDG_RUNTIME_DIR=<set>
-  LANG=C.UTF-8
-  SHELL=/bin/bash
+  TERM=xterm-256color
+  PATH=(custom, no user)
+  XDG_RUNTIME_DIR=<set>
+  LANG=C.UTF-8
+  SHELL=/bin/bash
  SourcePackage: iptables-persistent
  UpgradeStatus: No upgrade log present (probably fresh install)
** Patch added: "iptables-persistent debdiff for Cosmic for bug 1820144"
   https://bugs.launchpad.net/ubuntu/+source/iptables-persistent/+bug/1820144/+attachment/5249445/+files/lp1820144_cosmic.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1820144

Title:
  iptables-persistent fails in containers due to modprobe being
  unavailable even though module could've been loaded outside of the
  container

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iptables-persistent/+bug/1820144/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
