[Bug 1290825] [NEW] Upgrade using do-release-upgrade takes a long time to start because 'iptables -L' runs with DNS lookups enabled

John Edwards 1290825 at bugs.launchpad.net
Tue Mar 11 12:10:32 UTC 2014


Public bug reported:

An upgrade from Ubuntu 12.04 to 14.04 using 'sudo do-release-upgrade -d' takes a long time (over 3 minutes) to start after answering "yes" to the question:
If you continue, an additional SSH daemon will be started at port '1022'.  Do you want to continue? 

Running 'ps afx' at this time shows that 'iptables -L' is being run from
'/usr/bin/python /tmp/update-manager-djUfxZ/trusty --mode=server
--frontend=DistUpgradeViewText'

I think this is because there is an iptables blacklist created by the
shorewall package. So running 'iptables' without the '-n' option to
disable DNS lookups means that a DNS query is launched for every IP
address in the blacklist, some of which do not resolve and so the
upgrade script has to wait for a timeout on each of them.

Example of iptables being run with DNS lookups:
$ sudo time -p iptables -L > /dev/null
real 174.34
user 0.08
sys 0.09

Example of iptables being run without DNS lookups:
$ sudo time -p iptables -nL > /dev/null
real 0.08
user 0.00
sys 0.00

The code that runs the 'iptables -L' command seems to be in the utils.py
in the update-manager temp directory in /tmp/
(/tmp/update-manager-djUfxZ/utils.py in this case) and as far as I can
tell is only run to see if iptables is active or not.

So would it be possible to change the iptables command to be 'iptables
-nL' so that DNS queries are disabled?

I think this bug may also affect other upgrades, for example 10.04 to
12.04.

** Affects: update-manager (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: dist-upgrade

** Tags added: dist-upgrade

** Summary changed:

- Upgrade using takes a long time to start because 'iptables -L' runs with DNS lookups enabled
+ Upgrade using do-release-upgrade takes a long time to start because 'iptables -L' runs with DNS lookups enabled

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1290825
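
An added example, not part of the bug report and not the update-manager code: one way to check whether iptables is active from the numeric listing ('iptables -n -L') the report asks for, with a timeout so the check stays bounded. The function names and the sample listing are constructed for illustration.

```python
import subprocess

# Constructed sample of `iptables -nL` output (documentation addresses).
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.0.2.10           0.0.0.0/0
DROP       all  --  198.51.100.7         0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

def rules_in_listing(listing):
    """Return rule lines, skipping blank lines, chain and column headers."""
    return [l.strip() for l in listing.splitlines()
            if l.strip() and not l.startswith(("Chain ", "target "))]

def restrictive_policies(listing):
    """Return built-in chains whose default policy is not ACCEPT."""
    chains = []
    for line in listing.splitlines():
        if line.startswith("Chain ") and "(policy " in line:
            policy = line.split("(policy ", 1)[1].rstrip(")").split()[0]
            if policy != "ACCEPT":
                chains.append(line.split()[1])
    return chains

def firewall_active(listing):
    """Active means at least one rule or one non-ACCEPT default policy."""
    return bool(rules_in_listing(listing) or restrictive_policies(listing))

def numeric_listing(timeout=10):
    """Run `iptables -n -L` (no DNS lookups); None if it fails or hangs."""
    try:
        proc = subprocess.run(["iptables", "-n", "-L"], stdout=subprocess.PIPE,
                              stderr=subprocess.DEVNULL,
                              universal_newlines=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout if proc.returncode == 0 else None

if __name__ == "__main__":
    listing = numeric_listing()  # needs root; None when iptables is unusable
    print("iptables active:", bool(listing) and firewall_active(listing))
```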