
Bug#638609: linux-image-2.6.32-5-openvz-amd64: [openvz] iptables: "raw" table gets leaked to guests, causing checkpoint/restore errors



Package: linux-image-2.6.32-5-openvz-amd64
Version: 2.6.32-35
Severity: normal

When using OpenVZ the iptables "raw" table gets leaked to containers.  This is
problematic when using OpenVZ's checkpointing feature since every restore of a
container invokes iptables-restore in the container with the set of rules which
existed during the checkpoint process.

If a container was checkpointed with the "raw" table visible and the kernel of
the hardware node/CT0 doesn't have iptable_raw loaded anymore, the
iptables-restore in the container will fail, causing the restore to abort.
This will manifest in the dreaded and nondescript error:


Error: undump failed: Invalid argument
Restoring failed:
Error: iptables-restore exited with 2
Error: Most probably some iptables modules are not loaded
Error: rst_restore_net: -22


You can find a demonstration of this behavior at http://nopaste.narf.at/show/778/.

The "raw" table should be completely hidden in containers to
prevent such problems, even more so because it's not even allowed
within containers; OpenVZ only allows the "filter" and "mangle" tables
to be used within containers.
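As an added illustration (not code from this bug report or from OpenVZ), the script below parses a constructed iptables-save dump of the kind a checkpoint carries, reports any table a container is not permitted to use (the "raw" table here, but the same check flags "nat" or any other leaked table), and produces a copy with those table blocks stripped so iptables-restore inside the container has nothing to choke on.

```python
"""Detect and strip iptables tables that a container cannot restore.

Constructed example. Parses the iptables-save/iptables-restore text
format: a table starts at a line beginning with '*' and ends at 'COMMIT'.
"""

# Tables OpenVZ permits inside a container (per the bug report).
CONTAINER_ALLOWED_TABLES = {"filter", "mangle"}

# Constructed dump: what a container may see when the host's
# iptable_raw module leaks its table into the checkpoint.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.8 (constructed sample)
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""


def tables_in_dump(dump):
    """Return the table names, in order, declared in an iptables-save dump."""
    return [line[1:].strip() for line in dump.splitlines() if line.startswith("*")]


def leaked_tables(dump, allowed=CONTAINER_ALLOWED_TABLES):
    """Tables present in the dump that a container is not allowed to use."""
    return [t for t in tables_in_dump(dump) if t not in allowed]


def strip_tables(dump, allowed=CONTAINER_ALLOWED_TABLES):
    """Return the dump with every disallowed table block (through COMMIT) removed."""
    out, keep = [], True
    for line in dump.splitlines():
        if line.startswith("*"):
            keep = line[1:].strip() in allowed
        if keep:
            out.append(line)
        if line.strip() == "COMMIT":
            keep = True  # lines between tables (comments) are kept
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("tables that would break iptables-restore in a CT:", leaked_tables(SAMPLE_DUMP))
    print(strip_tables(SAMPLE_DUMP))
```

Running the stripped dump through iptables-restore inside the container leaves only the tables OpenVZ permits, which is the outcome a hidden "raw" table would give in the first place.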



-- System Information:
Debian Release: 6.0.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-openvz-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash


