kernel-packages team mailing list archive
Message #183956
[Bug 1584953] Re: backport fix for /proc/net issues with containers
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-wily' to 'verification-done-wily'.
If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.
See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on
how to enable and use -proposed. Thank you!
** Tags added: verification-needed-xenial
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-lts-utopic in Ubuntu.
https://bugs.launchpad.net/bugs/1584953
Title:
backport fix for /proc/net issues with containers
Status in linux package in Ubuntu:
Fix Released
Status in linux-lts-utopic package in Ubuntu:
Invalid
Status in linux source package in Trusty:
Fix Committed
Status in linux-lts-utopic source package in Trusty:
Fix Committed
Status in linux source package in Vivid:
Fix Committed
Status in linux-lts-utopic source package in Vivid:
Invalid
Status in linux source package in Wily:
Fix Committed
Status in linux-lts-utopic source package in Wily:
Invalid
Status in linux source package in Xenial:
Fix Committed
Status in linux-lts-utopic source package in Xenial:
Invalid
Bug description:
SRU Justification
Impact: iptables-save fails in lxd containers due to the ownership of
/proc/net/ip_tables_names. This command is needed to manage firewalls
in containers using Puppet.
Fix: Upstream commit f13f2aeed154da8e48f90b85e720f8ba39b1e881
("netfilter: Set /proc/net entries owner to root in namespace") which
sets ownership for /proc/net files to root in the user ns which owns
the net ns.
Test Case: Script attached to this bug report. Before the fix no
output will be seen from iptables-save; after the fix it will output
the iptables rules.
---
Request to backport kernel changes from kernel 4.5 to the LTS kernel 4.4
for xenial and, if possible, to the LTS kernel for 14.04.
Change upstream:
netfilter: Set /proc/net entries owner to root in namespace
http://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/commit/?id=f13f2aeed154da8e48f90b85e720f8ba39b1e881
This is the Kernel-side part of the fix for "iptables-save does not work inside lxd containers"
https://github.com/lxc/lxd/issues/1978#issuecomment-220998013
The necessary changes in lxc landed in lxc/lxd
(https://github.com/lxc/lxc/pull/1014) and are available in version
2.0.1, currently in xenial-proposed.
It would be great if this could be backported asap, as it allows
managing the firewall within lxd instances using Puppet and probably
other configuration management systems, and using iptables-save
manually.
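A verification helper added here (it is not the script attached to the bug report) that checks the symptom the SRU justification describes from inside a container: the owner uid of /proc/net/ip_tables_names, which appears as the overflow uid ("nobody") on an unfixed kernel, and whether iptables-save prints any rules. It assumes GNU stat and a default overflowuid of 65534 when /proc/sys/kernel/overflowuid cannot be read; the uid_map values in the comments are constructed.

```shell
#!/bin/sh
# Added verification helper for the /proc/net ownership fix (Launchpad bug 1584953).
# Not the script attached to the bug; it checks the same symptom from inside a container.

# Returns 0 when a uid_map line describes the initial user namespace (identity map).
# An unprivileged container has a narrower map, e.g. "0 100000 65536" (constructed).
in_init_userns() {
    set -- $1   # word-split so the kernel's column padding in uid_map does not matter
    [ "$1" = 0 ] && [ "$2" = 0 ] && [ "$3" = 4294967295 ]
}

# Classifies the owner uid of a /proc/net entry as seen from inside the container.
# $1: owner uid from stat, $2: the kernel overflow uid (65534 by default).
# Before the fix the entry belongs to root of the init user ns, which has no mapping
# in the container, so it shows as the overflow uid ("nobody") and container root
# cannot read it. After the fix it is owned by root of the container's user ns.
classify_owner() {
    if [ "$1" -eq 0 ]; then
        echo fixed
    elif [ "$1" -eq "$2" ]; then
        echo unfixed
    else
        echo unknown
    fi
}

# Live check, run as root inside the container. Returns 0 if the fix is present,
# 1 if the old ownership is seen, 2 if the entry does not exist.
check_proc_net() {
    f=/proc/net/ip_tables_names
    overflow=$(cat /proc/sys/kernel/overflowuid 2>/dev/null || echo 65534)
    if in_init_userns "$(cat /proc/self/uid_map)"; then
        echo "note: this is the init user namespace; the bug only shows inside a user ns"
    fi
    if [ ! -e "$f" ]; then
        echo "$f does not exist (ip_tables module not loaded?)"
        return 2
    fi
    owner=$(stat -c %u "$f")
    verdict=$(classify_owner "$owner" "$overflow")
    echo "$f is owned by uid $owner: $verdict"
    # On the unfixed kernel iptables-save cannot read the file and prints no rules.
    if command -v iptables-save >/dev/null 2>&1; then
        iptables-save | head -n 5
    fi
    [ "$verdict" = fixed ]
}

case "${1:-}" in run) check_proc_net ;; esac
```

Invoke as `sh check.sh run` inside the container; the exit status tells a test harness whether the -proposed kernel fixed the ownership.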
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1584953/+subscriptions