[Bug 1820144] Re: iptables-persistent fails in containers due to modprobe being unavailable even though module could've been loaded outside of the container
Robie Basak
1820144 at bugs.launchpad.net
Fri Apr 12 11:05:43 UTC 2019
I verified that the || true pattern is used in the modprobe call in the
two files being patched here in 1.0.11 (via sources.debian.net), so this
looks good to me.
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1820144
Title:
iptables-persistent fails in containers due to modprobe being
unavailable even though module could've been loaded outside of the
container
Status in iptables-persistent package in Ubuntu:
Fix Released
Status in iptables-persistent source package in Bionic:
In Progress
Status in iptables-persistent source package in Cosmic:
In Progress
Bug description:
[Impact]
The `iptables-persistent` package when loaded into a container can
fail to install or configure due to a call to modprobe, which
containers cannot access or utilize, which will result in a failure
code. This prevents the scripts from operating as expected. This
also appears to be a duplicate of #1002078 but due to code changes was
reintroduced.
[Test Case]
(Salvaged from bug comments, works with LXD containers)
lxc launch ubuntu:18.04 x
lxc exec x apt update
lxc exec x apt install iptables-persistent
lxc exec x netfilter-persistent save
[Regression Potential]
The regression potential from the proposed changes is extremely small
and limited. The changes here were implemented in the version of
`iptables-persistent` in Disco and are upstream in origin, though this
is a Native format package so it's right in the package where it's
been altered.
[Other Information]
This package is a Native format package, therefore changes were made
in the debdiff directly to the package, as it is not Quilt-patchable.
The changes applied in the debdiffs were adjusted based on the version
in Disco, which appends ` || true` to the modprobe line, so even if
modprobe fails the script doesn't error out.
[Original Description]
/usr/share/netfilter-persistent/plugins.d/15-ip4tables contains two
lines of interest:
set -e
/sbin/modprobe -q iptable_filter
A modprobe failure causes the entire script to exit with status 1
immediately.
Processes run inside of containers (such as LXC and LXD) can't really
load modules, and kernel modules usually aren't even installed anyway:
root at t1:~# /sbin/modprobe iptable_filter
modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/4.15.0-46-generic/modules.dep.bin'
modprobe: FATAL: Module iptable_filter not found in directory /lib/modules/4.15.0-46-generic
However, iptables will generally work inside containers, provided that
the required modules were loaded outside the container.
So instead of failing, I think modprobe errors should be just ignored
(|| true).
This seems to be the same bug as #1002078, which apparently got
reintroduced during code rewrite.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: netfilter-persistent 1.0.4+nmu2
ProcVersionSignature: Ubuntu 4.15.0-46.49-generic 4.15.18
Uname: Linux 4.15.0-46-generic x86_64
NonfreeKernelModules: xt_REDIRECT nf_nat_redirect xt_tcpudp iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack xt_addrtype iptable_filter binfmt_misc veth ebtable_filter ebtables bridge stp llc snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm input_leds joydev serio_raw snd_timer snd soundcore mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd qxl glue_helper ttm cryptd drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops psmouse sym53c8xx scsi_transport_spi drm virtio_blk pata_acpi i2c_piix4 virtio_net floppy
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
Date: Fri Mar 15 00:06:17 2019
PackageArchitecture: all
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=C.UTF-8
SHELL=/bin/bash
SourcePackage: iptables-persistent
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iptables-persistent/+bug/1820144/+subscriptions
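The `set -e` plus modprobe failure mode and the `|| true` fix discussed in this bug, as an added example (not code from the iptables-persistent package): a small POSIX sh wrapper that never aborts on a failed modprobe and then verifies that the table is actually registered instead of trusting modprobe's exit status. The modprobe command and the names-file path are parameters (assumed here so the functions can be exercised with a fake modprobe and a constructed file); note that `/proc/net/ip_tables_names` only lists legacy (xtables) tables.

```shell
#!/bin/sh
# Added example, not part of iptables-persistent: mirrors the `|| true` fix
# under `set -e`, then checks whether the netfilter table is really usable.
set -e

# Try to load a module; never abort the calling script if that fails.
# $1 = module name, $2 = modprobe command (defaults to /sbin/modprobe).
try_modprobe() {
    mod="$1"
    modprobe_cmd="${2:-/sbin/modprobe}"
    # Inside LXC/LXD containers modprobe usually fails (no /lib/modules, no
    # permission to load modules); `|| true` keeps `set -e` from exiting.
    "$modprobe_cmd" -q "$mod" 2>/dev/null || true
}

# Report whether a table is registered in this namespace.
# $1 = table name (e.g. filter), $2 = path to the ip_tables_names file
# (defaults to /proc/net/ip_tables_names; tests may pass a constructed file).
table_available() {
    table="$1"
    names_file="${2:-/proc/net/ip_tables_names}"
    [ -r "$names_file" ] && grep -qx "$table" "$names_file"
}

# Load-if-possible, then verify. Returns 0 when the table can be used and 1
# otherwise; in both cases the caller keeps running under `set -e`.
# $1 = module, $2 = table, $3 = modprobe command, $4 = names file (optional).
ensure_table() {
    try_modprobe "$1" "$3"
    if table_available "$2" "$4"; then
        return 0
    fi
    echo "warning: table '$2' unavailable; was module '$1' loaded on the host?" >&2
    return 1
}
```

Run `ensure_table iptable_filter filter` inside a container to get a clear warning rather than a silent plugin exit; when the table is missing, the fix on the host is to load the module outside the container, exactly as the bug describes.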