Univention Bugzilla – Bug 55807
docker.io: merge patches to UCS UCS5.1 / 5.2
Last modified: 2024-05-03 10:34:50 CEST
The patches of docker.io have to be cherry-picked and rebased to (UCS 5.1 and) UCS 5.2.
in 30_dont_change_FORWARD_policy.quilt we are removing things in two if-blocks: › › if enableIPTables { › if enableIP6Tables { So this seems nowadays to be configurable. Let's replace the patch with some config-options?!
r19920 | Bug #55807: disable iptables also for IPv6 r19919 | Bug #55807: disable iptables also for IPv6 r19860 | Bug #55807: rebase patches r19844 | Bug #55807: rebase patches
(In reply to Florian Best from comment #1) > in 30_dont_change_FORWARD_policy.quilt we are removing things in two > if-blocks: > › › if enableIPTables { > › if enableIP6Tables { > > So this seems nowadays to be configurable. Let's replace the patch with some > config-options?! This has been done by Marius and is simply: commit bfbe2d61348477b3b027f96a3dcc76630c3de4a2 (origin/preview/5.2-0) Author: Marius Meschter <marius.meschter@univention.de> Date: Mon Dec 18 16:49:34 2023 +0100 fix(docker): Disable ip(6)tables in docker config Bug #55807 diff --git container/univention-docker/conffiles/etc/docker/daemon.json container/univention-docker/conffiles/etc/docker/daemon.json index 0357835a65..bbf7bc7e1a 100644 --- container/univention-docker/conffiles/etc/docker/daemon.json +++ container/univention-docker/conffiles/etc/docker/daemon.json @@ -8,6 +8,8 @@ conf = { "bip": configRegistry["docker/daemon/default/opts/bip"], "log-driver": configRegistry["docker/daemon/default/opts/log-driver"], "live-restore": configRegistry.is_true("docker/daemon/default/parameter/live-restore"), + "iptables": False, + "ip6tables": False } registry_mirrors = configRegistry.get('docker/daemon/default/opts/registry-mirrors') if registry_mirrors: The patch has been dropped: bd4d6ab6d060 | feat(docker.io): replace 30_dont_change_FORWARD_policy with "iptables"
f3c343eac47b | feat(docker.io): replace 20_systemd_restart_firewall with a dedicated systemd service unit. /lib/systemd/system/docker.service.d/20-univention-firewall.conf +[Unit] +After=univention-firewall.service + +[Service] +ExecStartPost=-/usr/sbin/service univention-firewall restart
(In reply to Florian Best from comment #5) > f3c343eac47b | feat(docker.io): replace 20_systemd_restart_firewall with > a dedicated systemd service unit. > > /lib/systemd/system/docker.service.d/20-univention-firewall.conf > +[Unit] > +After=univention-firewall.service > + > +[Service] > +ExecStartPost=-/usr/sbin/service univention-firewall restart NO: You create a potential deadlock! `systemctl ... docker.service` runs a transaction, and by calling "service" in your code you call back to another "systemctl restart univention-firewall.serivce", which creates a nested transaction which sometimes™ blocks. Also look at Bug #53673: Restarting the UCS firewall duplicates docker rules each time.
(In reply to Philipp Hahn from comment #6) > NO: You create a potential deadlock! > `systemctl ... docker.service` runs a transaction, and by calling "service" > in your code you call back to another "systemctl restart > univention-firewall.serivce", which creates a nested transaction which > sometimes™ blocks. YES: I only move the same patch/code from "docker.io" into our UCS code. The potential deadlock must be there for ages and this is not my job to fix all those occurring things in this/these 5.2 bugs.
Due to Bug #56457 we updated `docker.io`, `containerd` and `runc` to newer versions in 5.0-7, so we need to adjust the patches in 5.2 too. Now we have `runc` version 1.1.7 in 5.0-7 (from Ubuntu focal-security) but 5.1-0 has 1.0.0~rc93+ds1-5+deb11u3 and 5.2-0 has 1.1.5+ds1-1+deb12u1 from Debian bookworm During update it would be great if we could make the bookworm version the new standard for UCS 5.2.
(In reply to Arvid Requate from comment #8) > Due to Bug #56457 we updated `docker.io`, `containerd` and `runc` to newer > versions in 5.0-7, > so we need to adjust the patches in 5.2 too. > > Now we have `runc` version 1.1.7 in 5.0-7 (from Ubuntu focal-security) > > but 5.1-0 has 1.0.0~rc93+ds1-5+deb11u3 > and 5.2-0 has 1.1.5+ds1-1+deb12u1 from Debian bookworm > > During update it would be great if we could make the bookworm version the > new standard for UCS 5.2. Create Bug https://forge.univention.org/bugzilla/show_bug.cgi?id=57247 for that, lets focus on the current version/patches here and deal with the update problem on the new bug.
* OK - 012_rules_disable_testsuite.patch.DISABLED * OK (dropped, moved to univention-firewall) - 20_systemd_restart_firewall.quilt * OK (dropped, replaced by config option ip6tables=false) - 30_dont_change_FORWARD_policy.quilt * OK - 31_fix-initd.patch * OK - 31_fix-initd.quilt no bug fixing here, just make sure it works as in UCS 5.0