[Debian] Re: Bug#638609: linux-image-2.6.32-5-openvz-amd64: [openvz] iptables: "raw" table gets leaked to guests, causing checkpoint/restore errors

Ola Lundqvist opal at debian.org
Mon Sep 12 01:44:59 EDT 2011


forwarded 638609 http://bugzilla.openvz.org/show_bug.cgi?id=1981
thanks

Hi Michael

Thanks for the bug report. I have forwarded this to upstream, as you
can see in http://bugzilla.openvz.org/show_bug.cgi?id=1981

Best regards,

// Ola

On Sat, Aug 20, 2011 at 10:54:46AM +0200, Michael Renner wrote:
> Package: linux-image-2.6.32-5-openvz-amd64
> Version: 2.6.32-35
> Severity: normal
> 
> When using OpenVZ the iptables "raw" table gets leaked to containers.  This is
> problematic when using OpenVZ's checkpointing feature since every restore of a
> container invokes iptables-restore in the container with the set of rules which
> existed during the checkpoint process.
> 
> If a container was checkpointed with the "raw" table visible and the kernel of
> the hardware node/CT0 doesn't have iptable_raw loaded anymore, the
> iptables-restore in the container will fail, causing the restore to abort.
> This will manifest in the dreaded and nondescript error:
> 
> 
> Error: undump failed: Invalid argument
> Restoring failed:
> Error: iptables-restore exited with 2
> Error: Most probably some iptables modules are not loaded
> Error: rst_restore_net: -22
> 
> 
> You can find a demonstration of this behavior at http://nopaste.narf.at/show/778/.
> 
> The "raw" table should be completely hidden in containers to
> prevent such problems, even more so because it's not even allowed
> within containers; OpenVZ only allows the "filter" and "mangle" tables
> to be used within containers.
> 
> 
> 
> -- System Information:
> Debian Release: 6.0.2
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 2.6.32-5-openvz-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
> 
> 
> 

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal at debian.org                     Annebergsslingan 37      \
|  ola at inguza.com                      654 65 KARLSTAD          |
|  http://inguza.com/                  +46 (0)70-332 1551       |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
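
Added example (not part of the original messages or of OpenVZ): a preflight check for the failure the report describes, flagging tables in a container's saved rules that are outside the "filter"/"mangle" set or not loaded on the hardware node. It assumes the rules were captured with iptables-save inside the container before checkpointing; the function names and the files ct.rules and host.tables are hypothetical, and the sample data is constructed.

```sh
#!/bin/sh
# Added example, not part of the bug report. Tables the report says OpenVZ
# permits inside a container:
ALLOWED_TABLES="filter mangle"

# Print the table names declared in iptables-save output ("*<table>" lines).
tables_in_dump() {
    sed -n 's/^\*\([A-Za-z0-9_]*\)[[:space:]]*$/\1/p' "$1" | sort -u
}

# check_dump DUMP HOST_TABLES
# HOST_TABLES uses the /proc/net/ip_tables_names format (one table per line).
# Prints LEAKED for a table outside ALLOWED_TABLES and MISSING for a table the
# host has not loaded; returns 1 if anything was printed.
check_dump() {
    dump=$1; host=$2; rc=0
    for t in $(tables_in_dump "$dump"); do
        case " $ALLOWED_TABLES " in
            *" $t "*) ;;
            *) echo "LEAKED $t"; rc=1 ;;
        esac
        grep -qx "$t" "$host" || { echo "MISSING $t"; rc=1; }
    done
    return $rc
}

# Constructed sample: a container rule dump that picked up "raw", and a host
# whose kernel no longer has iptable_raw loaded.
make_sample() {
    printf '%s\n' '*raw' ':PREROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        'COMMIT' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' 'COMMIT' > "$1/ct.rules"
    printf '%s\n' filter mangle > "$1/host.tables"
}

case "${1:-}" in
    "") ;;                       # no arguments: only define the functions
    --demo) d=$(mktemp -d); make_sample "$d"
            check_dump "$d/ct.rules" "$d/host.tables"; rc=$?
            rm -rf "$d"; exit $rc ;;
    *) check_dump "$1" "${2:-/proc/net/ip_tables_names}" ;;
esac
```

Run with --demo for the constructed case, or pass a saved rules file as the first argument on the hardware node to compare against its loaded tables.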

