[CRIU] [PATCH] kdat: if iptables-restore has xtable lock support do wait on lock

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Thu Sep 28 11:24:47 MSK 2017


On VZ7 we have a problem in random tests on iptables restore when
running tests in parallel (one iptables-restore instance tries to lock
the xtables lock and fails while another instance (some iptables* command) is
already holding the lock):

================== Run zdtm/static/socket_udp_shutdown in ns ===================
Start test
./socket_udp_shutdown --pidfile=socket_udp_shutdown.pid --outfile=socket_udp_shutdown.out
Run criu dump
Run criu restore
=[log]=> dump/zdtm/static/socket_udp_shutdown/77/1/restore.log
------------------------ grep Error ------------------------
(00.158864)      1: 	Running ip rule delete table local
(00.167319)      1: 	Running ip rule restore
(00.175647)      1: 	Running iptables-restore for iptables-restore
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
(00.185245)      1: Error (criu/util.c:719): exited, status=4
(00.185289)      1: Error (criu/net.c:1739): iptables-restore failed
(00.185301)      1: Error (criu/net.c:2382): Can't create net_ns
(00.185370)      1: Error (criu/util.c:1412): Can't wait or bad status: errno=0, status=65280(00.187281) Error (criu/mount.c:2944): mnt: Can't remove the directory /tmp/.criu.mntns.Ai5EG9: No such file or directory
(00.187298) uns: calling exit_usernsd (-1, 1)
(00.187344) uns: daemon calls 0x466a40 (93, -1, 1)
(00.187361) uns: `- daemon exits w/ 0
(00.188375) uns: daemon stopped
(00.188390) Error (criu/cr-restore.c:2450): Restoring FAILED.
------------------------ ERROR OVER ------------------------
Test zdtm/static/socket_udp_shutdown FAIL at CRIU restore

https://ci.openvz.org/job/CRIU/job/CRIU-virtuozzo/job/criu-dev/2873

It happens now in every test-suite run on VZ7 host as we had updated to
1.4.21-18 iptables package, which has patches for xlocks support in
iptables-restore ported:

* Mon Apr 24 2017 Thomas Woerner <twoerner at redhat.com> 1.4.21-18 - Add
support for --wait options to restore commands (RHBZ#1438597)

If these patches are ported to other distribution packages, we'll
have this problem in other distributions.

Just add -w to wait for the lock on iptables-restore, as older versions do not
error on an invalid option; just a warning is printed.

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 criu/net.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/criu/net.c b/criu/net.c
index 68296c8a5..1e7c74e1e 100644
--- a/criu/net.c
+++ b/criu/net.c
@@ -1973,7 +1973,7 @@ static inline int restore_iptables(int pid)
 
 	img = open_image(CR_FD_IPTABLES, O_RSTR, pid);
 	if (img) {
-		ret = run_iptables_tool("iptables-restore", img_raw_fd(img), -1);
+		ret = run_iptables_tool("iptables-restore -w", img_raw_fd(img), -1);
 		close_image(img);
 	}
 	if (ret)
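Review bot: in the first run_iptables_tool() call the option is appended inside the string that used to be only the program name ("iptables-restore -w"), so this works only if run_iptables_tool() treats its first argument as a command line rather than as an executable name. That is not visible in this hunk and should be confirmed or stated in the commit message. A short comment above the call saying that -w waits for the xtables lock, and that the change relies on older iptables-restore only warning about it, would save the next reader a trip to the package changelog.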
@@ -1985,7 +1985,7 @@ static inline int restore_iptables(int pid)
 	if (empty_image(img))
 		goto out;
 
-	ret = run_iptables_tool("ip6tables-restore", img_raw_fd(img), -1);
+	ret = run_iptables_tool("ip6tables-restore -w", img_raw_fd(img), -1);
 out:
 	close_image(img);
 
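Review bot: -w is passed to ip6tables-restore with no seconds value, so if the backported --wait behaves like the one in iptables itself, restore will block at this call for as long as another process holds the xtables lock, with nothing in restore.log to say why. Consider a bounded wait, or at least a log line before the call that mentions the lock, so a stalled restore can be told apart from a hung one.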
@@ -2457,8 +2457,8 @@ int netns_keep_nsfd(void)
 static int iptables_restore(bool ipv6, char *buf, int size)
 {
 	int pfd[2], ret = -1;
-	char *cmd4[] = {"iptables-restore",  "--noflush", NULL};
-	char *cmd6[] = {"ip6tables-restore", "--noflush", NULL};
+	char *cmd4[] = {"iptables-restore", "-w", "--noflush", NULL};
+	char *cmd6[] = {"ip6tables-restore", "-w", "--noflush", NULL};
 	char **cmd = ipv6 ? cmd6 : cmd4;;
 
 	if (pipe(pfd) < 0) {
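Review bot: cmd4 and cmd6 now carry "-w" unconditionally, but the subject line says "kdat: if iptables-restore has xtable lock support" and the diffstat touches only criu/net.c, with no kdat probe anywhere in the patch. Either retitle the patch to match what it does, or gate the option on a detected capability so that correctness does not depend on older versions tolerating an unknown flag. While in this function, the stray second semicolon in "char **cmd = ipv6 ? cmd6 : cmd4;;" could be dropped.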
-- 
2.13.5


