
Add checks/workarounds in iptables.pm if command fails because another process holds an xtables lock


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.5
    • Component/s: vcld (backend)
    • Labels: None

    Description

      The backend iptables.pm module only attempts a single iptables operation at a time. However, if some external process is performing an iptables operation at the same moment, the following problems may occur:

      iptables.pm:get_table_info|1602| ---- WARNING ----
      iptables.pm:get_table_info|1602| 2017-06-23 14:28:25iptables.pm:get_table_info|1602|failed to list rules from 'filter' table on vcl-dc2-98-37.cjmattin, exit status: 4, command:
      iptables.pm:get_table_info|1602| /sbin/iptables --list-rules --table filter
      iptables.pm:get_table_info|1602| output:
      iptables.pm:get_table_info|1602| Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
      
      iptables.pm:create_chain|1221| ---- WARNING ----
      iptables.pm:create_chain|1221| 2017-06-23 14:28:25iptables.pm:create_chain|1221|failed to create 'vcl-post_load' chain in 'filter' table on vcl-dc2-98-37.cjmattin, exit status: 4, command:
      iptables.pm:create_chain|1221| /sbin/iptables --new-chain vcl-post_load --table filter
      iptables.pm:create_chain|1221| output:
      iptables.pm:create_chain|1221| Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
      
      iptables.pm:_insert_rule|782| ---- WARNING ----
      iptables.pm:_insert_rule|782| 2017-06-23 14:28:25iptables.pm:_insert_rule|782|failed to add iptables rule to INPUT chain in filter table on vcl-dc2-98-37.cjmattin, exit status: 4, command:
      iptables.pm:_insert_rule|782| /sbin/iptables --insert INPUT --table filter --jump vcl-post_load --match comment --comment "VCL: jump to rules added during the post-load stage (2017-06-23 14:28:25)"
      iptables.pm:_insert_rule|782| output:
      iptables.pm:_insert_rule|782| Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
      

      I have seen this on an image which is using Puppet for additional configuration.

      The -w option does this:

      -w, --wait [seconds]
      Wait for the xtables lock. To prevent multiple instances of the program from running concurrently, an attempt will be made to obtain an exclusive lock at launch. By default, the program will exit if the lock cannot be obtained. This option will make the program wait (indefinitely or for optional seconds) until the exclusive lock can be obtained.

      We cannot simply add the -w option to every iptables command because earlier versions of iptables do not support it. A check for the -w hint in the command output could be added instead. If it is present, try again with -w.
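      The retry idea above, worked through as an added shell example (this is not VCL's iptables.pm, which is Perl): a wrapper that runs an iptables command and, only when the failure is the "holding the xtables lock" message, re-runs it with -w. The IPTABLES variable and the make_fake_iptables helper are assumptions of this example; the helper writes a constructed stand-in for iptables that simulates a held lock so the retry path can be exercised offline.

```shell
#!/bin/sh
# Added example, not VCL's own code. run_iptables runs an iptables command and,
# when it fails only because another process holds the xtables lock, retries
# once with -w so iptables waits for the lock instead of exiting with status 4.
# iptables builds that lack -w never print the "-w option" hint, so the retry
# is only attempted where -w exists. IPTABLES (assumed name) is the binary path.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# run_iptables ARGS... : prints the iptables output, returns its exit status
run_iptables() {
    _rc=0
    _out=$("$IPTABLES" "$@" 2>&1) || _rc=$?
    if [ "$_rc" -ne 0 ]; then
        case "$_out" in
            *"holding the xtables lock"*"-w option"*)
                # Lock contention only: retry, blocking until the lock is free.
                _rc=0
                _out=$("$IPTABLES" -w "$@" 2>&1) || _rc=$?
                ;;
        esac
    fi
    printf '%s\n' "$_out"
    return "$_rc"
}

# make_fake_iptables DIR : writes a constructed stand-in for iptables into DIR.
# It reports a held lock unless called with -w, and answers --delete-chain with
# a "No chain" error, so both the retry and the no-retry paths can be tested
# offline (a simulation, not real iptables behaviour).
make_fake_iptables() {
    cat > "$1/iptables" <<'EOF'
#!/bin/sh
[ "$1" = "-w" ] && { echo "-P INPUT ACCEPT"; exit 0; }
case "$*" in *--delete-chain*) echo "iptables: No chain/target/match by that name."; exit 1;; esac
echo "Another app is currently holding the xtables lock. Perhaps you want to use the -w option?"
exit 4
EOF
    chmod +x "$1/iptables"
}
```

      Plain -w waits indefinitely; where the installed iptables accepts the optional seconds argument from the man page excerpt, -w with a timeout bounds how long a daemon such as vcld can be held up by a stuck lock holder.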

          People

            arkurth Andrew Kurth