networkmanager: Wait for iptables lock in shared dispatcher script #3388

Merged (1 commit) on Mar 18, 2024


mtoman
Contributor

@mtoman mtoman commented Mar 15, 2024

The dispatcher script that moves around FORWARD rules of shared interfaces currently calls iptables assuming it will always work but in practice two iptables commands can not run in parallel and we have occasionally seen the script fail with:

Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

This patch adds the -w option to make the script wait for the lock when necessary.

It also makes the script exit with an error code if anything fails, which will log the output as WARN instead of INFO as the errors are easy to overlook at this moment.


Contributor checklist

Reviewer Guidelines

  • When submitting a review, please pick:
    • 'Approve' if this change would be acceptable in the codebase (even if there are minor or cosmetic tweaks that could be improved).
    • 'Request Changes' if this change would not be acceptable in our codebase (e.g. bugs, changes that will make development harder in future, security/performance issues, etc).
    • 'Comment' if you don't feel you have enough information to decide either way (e.g. if you have major questions, or you don't understand the context of the change sufficiently to fully review yourself, but want to make a comment)

The dispatcher script that moves around FORWARD rules of shared
interfaces currently calls iptables assuming it will always work
but in practice two iptables commands can not run in parallel
and we have occasionally seen the script fail with:

Another app is currently holding the xtables lock.
Perhaps you want to use the -w option?

This patch adds the -w option to make the script wait for the lock
when necessary.

It also makes the script exit with an error code if anything fails,
which will log the output as WARN instead of INFO as the errors
are easy to overlook at this moment.

Change-type: patch
Signed-off-by: Michal Toman <michalt@balena.io>
@mtoman mtoman marked this pull request as ready for review March 18, 2024 09:14
@mtoman mtoman requested review from majorz and alexgg March 18, 2024 09:15
@flowzone-app flowzone-app bot enabled auto-merge March 18, 2024 09:18
@flowzone-app flowzone-app bot merged commit 66948b1 into master Mar 18, 2024
52 checks passed
@flowzone-app flowzone-app bot deleted the mtoman/nm-iptables-w branch March 18, 2024 17:10
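
The failure mode and fix described in this pull request, as an added example that is not the project's dispatcher script: it models the xtables lock with flock(1) on a scratch file so it runs without root, comparing a single non-blocking attempt (iptables without -w) to a waiting one (iptables -w), and propagates failure through the exit status. The lock path and all function names are hypothetical, and flock(1) from util-linux is assumed to be installed.

```shell
#!/bin/sh
# Added example: models xtables lock contention with flock(1) on a scratch
# file so it runs unprivileged. The path and function names are hypothetical.
LOCK="${TMPDIR:-/tmp}/xtables-demo.$$.lock"

# Hold the lock for $1 seconds in the background, standing in for another
# iptables invocation that is mid-update.
hold_lock() {
    flock "$LOCK" sleep "$1" &
    sleep 1    # let the background holder acquire the lock first
}

# Without -w: one non-blocking attempt, fails at once if the lock is held.
rule_change_nowait() { flock -n "$LOCK" true; }

# With -w: block until the holder releases the lock (bounded to 10 s here).
rule_change_wait() { flock -w 10 "$LOCK" true; }

# Run one rule change and propagate failure, so the caller's exit status
# (and therefore the log level) reflects what happened.
dispatch() {
    case "$1" in
        nowait) rule_change_nowait ;;
        wait)   rule_change_wait ;;
        *)      false ;;
    esac || { echo "rule change failed (mode=$1)" >&2; return 1; }
    echo "rule change applied (mode=$1)"
}

# Contend for the lock in both modes; succeeds only if the non-blocking
# attempt failed and the waiting attempt went through.
run_demo() {
    hold_lock 2
    nowait_rc=0; dispatch nowait || nowait_rc=$?
    wait_rc=0;   dispatch wait   || wait_rc=$?
    wait; rm -f "$LOCK"
    [ "$nowait_rc" -ne 0 ] && [ "$wait_rc" -eq 0 ]
}

run_demo
```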