[CRIU] [PATCH] net: add wait to iptables command to fix race
Andrew Vagin
avagin at virtuozzo.com
Tue May 31 15:10:16 PDT 2016
On Tue, May 31, 2016 at 03:24:50PM +0300, Pavel Tikhomirov wrote:
> When running several tests simultaneously it seems that some iptables
> commands can intersect, and if we do not wait for the xtables lock criu fails:
>
> (00.009263) Running iptables [iptables -t filter -A INPUT --protocol tcp --source 127.0.0.1 --sport 55074 --destination 127.0.0.1 --dport 8880 -j DROP]
> Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
> (00.014367) Error (util.c:660): exited, status=4
> (00.014416) Error (netfilter.c:88): Iptables configuration failed: Success
> (00.014432) ----------------------------------------
> (00.014461) Error (cr-dump.c:1297): Dump files (pid: 24) failed with -1
>
> https://ci.openvz.org/job/CRIU/job/CRIU-virtuozzo/branch/criu-dev/3/
> https://jira.sw.ru/browse/PSBM-46774
>
Acked-by: Andrew Vagin <avagin at virtuozzo.com>
> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
> ---
> criu/netfilter.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/criu/netfilter.c b/criu/netfilter.c
> index 312b4aa..2c3acd6 100644
> --- a/criu/netfilter.c
> +++ b/criu/netfilter.c
> @@ -20,7 +20,7 @@ static char buf[512];
> * ANy brave soul to write it using xtables-devel?
> */
>
> -static const char *nf_conn_cmd = "%s -t filter %s %s --protocol tcp "
> +static const char *nf_conn_cmd = "%s -w -t filter %s %s --protocol tcp "
> "--source %s --sport %d --destination %s --dport %d -j DROP";
It is better to use --wait instead of -w
>
> static char iptable_cmd_ipv4[] = "iptables";
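Review bot: `-w` in the `nf_conn_cmd` format string is passed on every invocation and with no timeout, so a dump blocks for as long as another process holds the xtables lock, and an iptables binary that does not recognise the option would reject each command instead of only losing the race occasionally. Consider spelling it `--wait` so the intent is readable in the "Running iptables [...]" log line, adding a short comment above the string saying the flag is there to serialise on the xtables lock, and confirming that the oldest iptables CRIU is expected to run with accepts it.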
> --
> 1.8.3.1
>