FS#61452 - [lxc] lxc-net.service has a race with iptables.service

Attached to Project: Community Packages
Opened by Ondřej Svoboda (lenoch) - Friday, 18 January 2019, 09:14 GMT
Last edited by Morten Linderud (Foxboron) - Thursday, 11 May 2023, 21:04 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Sergej Pupykin (sergej)
Morten Linderud (Foxboron)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
When both lxc-net.service and iptables.service are enabled, the latter (iptables-restore) sometimes fails to start, with this message: "Another app is currently holding the xtables lock. Perhaps you want to use the -w option?", because iptables.service does not expect any other party messing with firewall rules at startup.

This results in a dangerous state with a pretty useless firewall, e.g. the INPUT chain has the default ACCEPT policy...

@spupykin: Creating the following service override for lxc-net.service fixes the race for me:
[Unit]
After=iptables.service

Since the service is included in the package, it is a downstream bug to me, firstly.

Additional info:
lxc 1:3.1.0-1, iptables 1:1.8.2-1
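As an added example (not code from the bug report, the lxc package or Arch), a POSIX shell script that installs the drop-in ordering lxc-net.service after iptables.service as the reporter describes, plus a check for the failure mode from the report: it parses `iptables -S` output and flags an INPUT chain left at the ACCEPT policy. The function names and the sample `iptables -S` output are constructed for this example.

```shell
# Added example: systemd drop-in for the lxc-net/iptables ordering race and
# a check for the "useless firewall" state the report describes.

# Write the override to $1/etc/systemd/system/lxc-net.service.d/override.conf.
# $1 defaults to the real root; pass a scratch directory to try it without root.
write_lxc_net_dropin() {
    root="${1:-}"
    dir="$root/etc/systemd/system/lxc-net.service.d"
    mkdir -p "$dir" || return 1
    printf '[Unit]\nAfter=iptables.service\n' > "$dir/override.conf"
    # Drop-ins only take effect after a reload; skipped for a scratch root.
    if [ -z "$root" ]; then systemctl daemon-reload; fi
    echo "$dir/override.conf"
}

# Print the default policy of a chain from `iptables -S` output read on stdin.
# Policy lines look like "-P INPUT DROP"; prints nothing if the chain is absent.
chain_policy() {
    chain="$1"
    awk -v c="$chain" '$1 == "-P" && $2 == c { print $3 }'
}

# Exit 0 when INPUT has a non-ACCEPT policy (rules were restored), 1 when it
# is the open state from the report (iptables-restore lost the xtables lock
# race), 2 when the INPUT chain is not present in the input at all.
input_is_filtered() {
    policy=$(chain_policy INPUT)
    case "$policy" in
        "")     return 2 ;;
        ACCEPT) return 1 ;;
        *)      return 0 ;;
    esac
}

# Constructed sample: `iptables -S` after iptables-restore failed to run.
SAMPLE_UNFILTERED='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample: `iptables -S` after a successful iptables-restore.
SAMPLE_FILTERED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
```

On a live host, `iptables -S | input_is_filtered` run after boot tells you whether the race was lost this time, independent of whether iptables.service reported failure.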

Closed by Morten Linderud (Foxboron)
Thursday, 11 May 2023, 21:04 GMT
Reason for closing: No response
Comment by Toolybird (Toolybird) - Thursday, 20 April 2023, 06:56 GMT
This is pretty old and stale. Is it still an issue with latest pkgs?

PS: the lxc-net.service file comes from upstream.
