canonical-ubuntu-qa team mailing list archive
Message #05421
[Merge] ~hyask/autopkgtest-cloud:skia/iptables_for_rust-reqwest into autopkgtest-cloud:master
Skia has proposed merging ~hyask/autopkgtest-cloud:skia/iptables_for_rust-reqwest into autopkgtest-cloud:master.
Requested reviews:
Canonical's Ubuntu QA (canonical-ubuntu-qa)
For more details, see:
https://code.launchpad.net/~hyask/autopkgtest-cloud/+git/autopkgtest-cloud/+merge/473064
Add a special iptables rule to make 'rust-reqwest' pass.
These IP addresses are supposed to be unreachable in most networks. For
some reason they are routed differently on Canonical's infrastructure
and sent to the proxy, which makes some tests fail because they
expect a timeout instead when trying to reach the IPs.
Blocking these addresses might have unintended side effects since
a quick search in Debian Code Search shows that many packages use
10.255.255.1 in their test suite. However, it seems to me that most
packages indeed expect it to be unreachable, so I guess making that a
reality should in fact help more than one package, but it's difficult to
be certain that it won't break one particular package somewhere.
--
Your team Canonical's Ubuntu QA is requested to review the proposed merge of ~hyask/autopkgtest-cloud:skia/iptables_for_rust-reqwest into autopkgtest-cloud:master.
diff --git a/charms/focal/autopkgtest-cloud-worker/autopkgtest-cloud/worker-config-production/setup-canonical.sh b/charms/focal/autopkgtest-cloud-worker/autopkgtest-cloud/worker-config-production/setup-canonical.sh
index e9b3edb..058fdf6 100644
--- a/charms/focal/autopkgtest-cloud-worker/autopkgtest-cloud/worker-config-production/setup-canonical.sh
+++ b/charms/focal/autopkgtest-cloud-worker/autopkgtest-cloud/worker-config-production/setup-canonical.sh
@@ -62,11 +62,17 @@ for p in unattended-upgrades lxd lxd-client snapd; do
[ ! -d /usr/share/doc/$p ] || $(which eatmydata || true) apt-get purge --auto-remove -y $p
done
-# work around broken PTMU; LP: #1572026, RT#90771
if type iptables >/dev/null 2>&1; then
cat <<EOF > /etc/rc.local
#!/bin/sh
+
+# work around broken PTMU; LP: #1572026, RT#90771
iptables -w -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu || true
+
+# These addresses are used at least by rust-reqwest and should not be reachable
+# See https://bugs.launchpad.net/ubuntu/+source/rust-reqwest/+bug/2080346
+iptables -A OUTPUT -d 10.255.255.1/32 -p tcp -j DROP
+iptables -A OUTPUT -d 10.255.255.2/32 -p tcp -j DROP
EOF
chmod 755 /etc/rc.local
# shellcheck disable=SC1091
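Review bot: The two new DROP rules for 10.255.255.1 and 10.255.255.2 omit the `-w` flag and the `|| true` guard that the TCPMSS rule just above them uses. Without `-w` they fail outright if the xtables lock is held when rc.local runs. Because they are the last commands in the generated rc.local, that failure becomes the script's exit status. Suggest `iptables -w -A OUTPUT -d 10.255.255.1/32 -p tcp -j DROP || true`, and the same for 10.255.255.2, to match the existing rule. The rules also match only `-p tcp`, so any test that probes these addresses over another protocol is still routed as before. If the TCP-only scope is intentional, say so in the comment. Given the side-effect concern raised in the description, the comment could also state that the block applies to every package tested on these workers, not only rust-reqwest.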