Univention Bugzilla – Bug 43310
Firewall fails to initialize - loopback/icmp/related missing - race with docker
Last modified: 2017-04-04 18:29:54 CEST
On a newly installed UCS-4.2-0 using the DVD from 2017-01-06 the firewall is missing some required entries, which for example break DNS:

    # iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere

Doing a manual "service univention-firewall restart" fixes it. After a reboot they're gone again.

Adding logging to /etc/init.d/univention-firewall:
> Starting Univention iptables configuration...error: unexpectedly disconnected from boot status daemon
> Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
...

ps axf:
>  809 ?  Ss   0:00 /bin/sh /etc/init.d/univention-firewall start
>  989 ?  S    0:00  \_ run-parts --regex=^[a-zA-Z0-9_-]+([.]sh)?$ /etc/security/packetfilter.d/
>  996 ?  S    0:00      \_ /bin/sh /etc/security/packetfilter.d//10_univention-firewall_start.sh
> 1029 ?  R    0:00          \_ ps axf
...
>  884 ?  Ssl  0:00 /usr/bin/docker -d -H fd:// --bip=172.17.42.1/16 --storage-driver=overlay
> 1005 ?  S    0:00  \_ /sbin/iptables --wait -t nat -C POSTROUTING -s 172.17.42.1/16 -o docker0 -j MASQUERADE

Locking was added to iptables, so "--wait" must be added to all calls.
r75622 | Bug #43310 firewall: Adapt to firewall locking

    find debian/univention-firewall.init conffiles -type f -exec \
        sed -i -re '/^#/T;s,(/sbin/)?(ip6?tables)\>,\2 --wait,' {} +

Package: univention-firewall
Version: 9.0.0-4A~4.2.0.201701061703
Branch: ucs_4.2-0
No-CL: The UCS firewall has been adapted to the newer version of <package>iptables</package> implementing locking (<u:bug>43310</u:bug>)
OK: code change for univention-firewall
OK: functional test

There are other occurrences of iptables in UCS 4.2 that are not altered yet:
univention-samba/conffiles/etc/security/packetfilter.d/90_univention-samba.sh
univention-squid/conffiles/etc/security/packetfilter.d/20squid
univention-virtual-machine-manager-node/debian/univention-virtual-machine-manager-node-kvm.init

I think we should fix these, too. → REOPEN
r77345 | Bug #43310 ucslint: Check for ip[6]tables w/o --wait
r77344 | Bug #43310: Adapt to firewall locking
r77348 | Bug #43310 base: Check for ip[6]tables w/o --wait

FIX
Package: ucslint
Version: 6.0.1-4A~4.2.0.201703031807
Branch: ucs_4.2-0

Package: univention-samba
Version: 11.0.1-4A~4.2.0.201703031809
Branch: ucs_4.2-0

Package: univention-squid
Version: 10.0.0-7A~4.2.0.201703031811
Branch: ucs_4.2-0

Package: univention-virtual-machine-manager-node
Version: 5.0.0-4A~4.2.0.201703031814
Branch: ucs_4.2-0

Package: univention-base-files
Version: 6.0.0-7A~4.2.0.201703031835
Branch: ucs_4.2-0
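As an added example (not code from this bug or from Univention's packages), a check-and-fix pair in POSIX shell in the spirit of the ucslint check and the r75622 sed: it lists ip[6]tables calls in a packetfilter.d-style script that lack --wait and rewrites them; the sample script and all function names are constructed for the example, and GNU or BSD sed with -E is assumed.

```shell
# Added example, not Univention's code: find ip[6]tables calls without
# --wait (the ucslint idea) and rewrite them (the r75622 sed idea).

# Print "LINENO:TEXT" for every ip[6]tables invocation in FILE that lacks
# --wait; comment lines are ignored.
iptables_calls_without_wait() {
    grep -nE '(^|[^A-Za-z0-9_/.-])(/sbin/)?ip6?tables([[:space:]]|$)' "$1" \
        | grep -vE '^[0-9]+:[[:space:]]*#' \
        | grep -v -- '--wait' || true
}

# Number of offending lines (0 when the file is clean).
count_iptables_calls_without_wait() {
    iptables_calls_without_wait "$1" | awk 'END { print NR }'
}

# Emit FILE with "--wait" inserted after each ip[6]tables call. As in r75622
# the /sbin/ prefix is dropped (PATH lookup); unlike that one-shot sed, lines
# already carrying --wait are skipped, so the rewrite is idempotent.
add_wait_to_iptables_calls() {
    sed -E -e '/^[[:space:]]*#/b' -e '/--wait/b' \
        -e 's,(/sbin/)?(ip6?tables)([[:space:]]|$),\2 --wait\3,g' "$1"
}

# Constructed sample: a packetfilter.d-style snippet with mixed calls.
make_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
# iptables -A INPUT -j DROP  (comment, must be ignored)
/sbin/iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/ip6tables --wait -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
EOF
}

# Check, fix, re-check the sample; prints the two counts (3, then 0).
demo() {
    f=$(mktemp)
    make_sample_script "$f"
    before=$(count_iptables_calls_without_wait "$f")
    add_wait_to_iptables_calls "$f" > "$f.fixed"
    after=$(count_iptables_calls_without_wait "$f.fixed")
    echo "ip[6]tables calls without --wait: before=$before after=$after"
    rm -f "$f" "$f.fixed"
}
demo
```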
OK: code change
OK: functional test
UCS 4.2 has been released:
https://docs.software-univention.de/release-notes-4.2-0-en.html
https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".