
kernel-packages team mailing list archive

[Bug 1584953] Re: backport fix for /proc/net issues with containers

 

Attaching script to reproduce based on
https://github.com/lxc/lxd/issues/1978.

Using this script I've confirmed the fix works in all supported kernels
since trusty, so I'll move forward with submitting the fix for SRU.

** Attachment added: "iptables-test.sh"
   https://bugs.launchpad.net/ubuntu/xenial/+source/linux/+bug/1584953/+attachment/4669432/+files/iptables-test.sh

** Also affects: linux (Ubuntu Wily)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Vivid)
   Importance: Undecided
       Status: New

** Also affects: linux-lts-utopic (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: linux-lts-utopic (Ubuntu)
       Status: New => Invalid

** Changed in: linux-lts-utopic (Ubuntu Vivid)
       Status: New => Invalid

** Changed in: linux-lts-utopic (Ubuntu Wily)
       Status: New => Invalid

** Changed in: linux-lts-utopic (Ubuntu Xenial)
       Status: New => Invalid

** Changed in: linux-lts-utopic (Ubuntu Trusty)
   Importance: Undecided => Medium

** Changed in: linux-lts-utopic (Ubuntu Trusty)
       Status: New => In Progress

** Changed in: linux-lts-utopic (Ubuntu Trusty)
     Assignee: (unassigned) => Seth Forshee (sforshee)

** Changed in: linux (Ubuntu Trusty)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Trusty)
       Status: New => In Progress

** Changed in: linux (Ubuntu Trusty)
     Assignee: (unassigned) => Seth Forshee (sforshee)

** Changed in: linux (Ubuntu Vivid)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Vivid)
       Status: New => In Progress

** Changed in: linux (Ubuntu Vivid)
     Assignee: (unassigned) => Seth Forshee (sforshee)

** Changed in: linux (Ubuntu Wily)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Wily)
       Status: New => In Progress

** Changed in: linux (Ubuntu Wily)
     Assignee: (unassigned) => Seth Forshee (sforshee)

** Changed in: linux (Ubuntu Xenial)
       Status: Incomplete => In Progress

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1584953

Title:
  backport fix for /proc/net issues with containers

Status in linux package in Ubuntu:
  Fix Released
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Trusty:
  In Progress
Status in linux-lts-utopic source package in Trusty:
  In Progress
Status in linux source package in Vivid:
  In Progress
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  In Progress
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  In Progress
Status in linux-lts-utopic source package in Xenial:
  Invalid

Bug description:
  SRU Justification

  Impact: iptables-save fails in lxd containers due to the ownership of
  /proc/net/ip_tables_names. This command is needed to manage firewalls
  in containers using Puppet.

  Fix: Upstream commit f13f2aeed154da8e48f90b85e720f8ba39b1e881
  ("netfilter: Set /proc/net entries owner to root in namespace") which
  sets ownership for /proc/net files to root in the user ns which owns
  the net ns.

  Test Case: Script attached to this bug report. Before the fix no
  output will be seen from iptables-save; after the fix it will output
  the iptables rules.

  ---

  Request to backport Kernel changes from Kernel 4.5 to lts kernel 4.4
  for xenial and if possible to lts kernel for 14.04

  Change upstream:
  netfilter: Set /proc/net entries owner to root in namespace
  http://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/commit/?id=f13f2aeed154da8e48f90b85e720f8ba39b1e881

  This is the Kernel-side part of the fix for "iptables-save does not work inside lxd containers"
  https://github.com/lxc/lxd/issues/1978#issuecomment-220998013

  The necessary changes in lxc landed in lxc/lxd
  https://github.com/lxc/lxc/pull/1014 and are available in version
  2.0.1, currently in xenial-proposed.

  It would be great if this could be backported asap, as it allows
  managing the firewall within lxd instances using Puppet and probably
  other configuration management systems, and using iptables-save
  manually.
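Why the ownership change fixes iptables-save, as an added example that is not part of the bug report or the attached script: it models how a host uid is mapped into an unprivileged container's user namespace and whether container root can then read a /proc/net entry, before and after the fix. The uid_map line and the file modes (0440 for ip_tables_names, 0444 for tcp) are constructed assumptions; the same logic also covers a privileged container whose uid_map is the identity.

```python
import stat

# Constructed sample uid_map of an unprivileged lxd container (assumption):
# container uids 0..65535 are host uids 100000..165535.
SAMPLE_UID_MAP = "0 100000 65536\n"

def parse_uid_map(text):
    """Parse /proc/<pid>/uid_map lines: 'inside_start outside_start count'."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            ranges.append(tuple(int(f) for f in fields))
    return ranges

def host_uid_to_container(uid_map, host_uid):
    """Translate a host (init_user_ns) uid into the uid seen inside the
    container, or None if it is unmapped (the kernel then shows the
    overflow uid, 65534 / 'nobody', and ownership confers nothing)."""
    for inside, outside, count in uid_map:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return None

def container_root_can_read(uid_map, owner_host_uid, mode):
    """Can uid 0 inside the user ns read a file owned on the host by
    owner_host_uid with permission bits 'mode'?  Container root's
    CAP_DAC_READ_SEARCH only applies to inodes whose owner is mapped into
    its namespace (group assumed mapped likewise); else only 'other' bits."""
    if host_uid_to_container(uid_map, owner_host_uid) is not None:
        return True
    return bool(mode & stat.S_IROTH)

def explain_entry(uid_map_text, mode):
    """Return (readable_before_fix, readable_after_fix) for container root.
    Before commit f13f2aeed154 the entry is owned by host uid 0; after it,
    by root of the user ns owning the net ns (the host uid mapped to 0)."""
    uid_map = parse_uid_map(uid_map_text)
    before = container_root_can_read(uid_map, 0, mode)
    ns_root = next((out for ins, out, _ in uid_map if ins == 0), None)
    if ns_root is None:
        raise ValueError("uid_map does not map uid 0: no root in this ns")
    after = container_root_can_read(uid_map, ns_root, mode)
    return before, after

if __name__ == "__main__":
    # Modes are assumptions: ip_tables_names is 0440, tcp is 0444.
    for name, mode in (("ip_tables_names", 0o440), ("tcp", 0o444)):
        print("/proc/net/" + name, explain_entry(SAMPLE_UID_MAP, mode))
```

Running it shows ip_tables_names going from unreadable to readable while tcp is readable either way, which is why only some /proc/net entries broke in containers.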

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1584953/+subscriptions
