Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package netavark for openSUSE:Factory checked in at 2024-09-15 12:32:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/netavark (Old) and /work/SRC/openSUSE:Factory/.netavark.new.29891 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "netavark" Sun Sep 15 12:32:50 2024 rev:13 rq:1200754 version:1.12.2 Changes: -------- --- /work/SRC/openSUSE:Factory/netavark/netavark.changes 2024-08-13 13:22:10.859588923 +0200 +++ /work/SRC/openSUSE:Factory/.netavark.new.29891/netavark.changes 2024-09-15 12:32:51.483680136 +0200 @@ -1,0 +2,12 @@ +Tue Sep 10 15:51:16 UTC 2024 - danish.prak...@suse.com + +- Update to version 1.12.2: + * Release v1.12.2 + * Release notes for 1.12.2 + * fix new rust 1.80 lint issues + * silence new rust 1.80 warnings + * aardvark: on start failure delete entries again + * iptables: make dns rules cover tcp as well + * nftables: make dns rules cover tcp as well + +------------------------------------------------------------------- Old: ---- netavark-1.12.1.tar.gz New: ---- netavark-1.12.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ netavark.spec ++++++ --- /var/tmp/diff_new_pack.9XV7Ix/_old 2024-09-15 12:33:16.760726308 +0200 +++ /var/tmp/diff_new_pack.9XV7Ix/_new 2024-09-15 12:33:16.764726474 +0200 @@ -19,7 +19,7 @@ %define major_minor %((v=%{version}; echo ${v%.*})) Name: netavark -Version: 1.12.1 +Version: 1.12.2 Release: 0 Summary: Container network stack License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.9XV7Ix/_old 2024-09-15 12:33:16.804728131 +0200 +++ /var/tmp/diff_new_pack.9XV7Ix/_new 2024-09-15 12:33:16.808728296 +0200 
@@ -3,7 +3,7 @@ <param name="url">https://github.com/containers/netavark.git</param> <param name="versionformat">@PARENT_TAG@</param> <param name="scm">git</param> - <param name="revision">v1.12.1</param> + <param name="revision">v1.12.2</param> <param name="match-tag">*</param> <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param> <param name="versionrewrite-replacement">\1</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.9XV7Ix/_old 2024-09-15 12:33:16.836729457 +0200 +++ /var/tmp/diff_new_pack.9XV7Ix/_new 2024-09-15 12:33:16.840729622 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/containers/netavark.git</param> - <param name="changesrevision">a4e1359ee7fa036db2712f495d4afc95c63a32d8</param></service></servicedata> + <param name="changesrevision">a6d67b7f1a4445771e5ceb5e278286dd3a64bc3d</param></service></servicedata> (No newline at EOF) ++++++ netavark-1.12.1.tar.gz -> netavark-1.12.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netavark-1.12.1/Cargo.lock new/netavark-1.12.2/Cargo.lock --- old/netavark-1.12.1/Cargo.lock 2024-08-01 22:45:40.000000000 +0200 +++ new/netavark-1.12.2/Cargo.lock 2024-08-16 17:39:42.000000000 +0200 @@ -1359,7 +1359,7 @@ [[package]] name = "netavark" -version = "1.12.1" +version = "1.12.2" dependencies = [ "anyhow", "chrono", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netavark-1.12.1/Cargo.toml new/netavark-1.12.2/Cargo.toml --- old/netavark-1.12.1/Cargo.toml 2024-08-01 22:45:40.000000000 +0200 +++ new/netavark-1.12.2/Cargo.toml 2024-08-16 17:39:42.000000000 +0200 
@@ -1,6 +1,6 @@ [package] name = "netavark" -version = "1.12.1" +version = "1.12.2" edition = "2021" authors = ["github.com/containers"] license = "Apache-2.0" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netavark-1.12.1/RELEASE_NOTES.md new/netavark-1.12.2/RELEASE_NOTES.md --- old/netavark-1.12.1/RELEASE_NOTES.md 2024-08-01 22:45:40.000000000 +0200 +++ new/netavark-1.12.2/RELEASE_NOTES.md 2024-08-16 17:39:42.000000000 +0200 @@ -1,5 +1,10 @@ # Release Notes +## v1.12.2 + +* Ensure DNS rules cover TCP for iptables and nftables +* On ardvark-dns start, delete entries again on failure + ## v1.12.1 * Fixed problem with categories in Cargo.toml that prevented us from publishing v1.12.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netavark-1.12.1/build.rs new/netavark-1.12.2/build.rs --- old/netavark-1.12.1/build.rs 2024-08-01 22:45:40.000000000 +0200 +++ new/netavark-1.12.2/build.rs 2024-08-16 17:39:42.000000000 +0200 @@ -75,6 +75,7 @@ "none" => "none", inv => panic!("Invalid default firewall driver {}", inv), }; + println!("cargo:rustc-check-cfg=cfg(default_fw, values(\"nftables\", \"iptables\", \"none\"))"); println!("cargo:rustc-cfg=default_fw=\"{}\"", fwdriver); println!("cargo:rustc-env=DEFAULT_FW={fwdriver}"); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netavark-1.12.1/src/commands/teardown.rs new/netavark-1.12.2/src/commands/teardown.rs --- old/netavark-1.12.1/src/commands/teardown.rs 2024-08-01 22:45:40.000000000 +0200 +++ new/netavark-1.12.2/src/commands/teardown.rs 2024-08-16 17:39:42.000000000 +0200 
@@ -67,7 +67,7 @@ let path = Path::new(&config_dir).join("aardvark-dns"); let aardvark_interface = Aardvark::new(path, rootless, aardvark_bin, dns_port); - if let Err(err) = aardvark_interface.delete_from_netavark_entries(aardvark_entries) { + if let Err(err) = aardvark_interface.delete_from_netavark_entries(&aardvark_entries) { error_list.push(NetavarkError::wrap("remove aardvark entries", err)); } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netavark-1.12.1/src/dhcp_proxy/cache.rs new/netavark-1.12.2/src/dhcp_proxy/cache.rs --- old/netavark-1.12.1/src/dhcp_proxy/cache.rs 2024-08-01 22:45:40.000000000 +0200 +++ new/netavark-1.12.2/src/dhcp_proxy/cache.rs 2024-08-16 17:39:42.000000000 +0200 @@ -43,7 +43,7 @@ /// # Arguments /// /// * `writer`: any type that can has the Write and Clear trait implemented. In production this - /// is a file. In development/testing this is a Cursor of bytes + /// is a file. In development/testing this is a Cursor of bytes /// /// returns: Result<LeaseCache<W>, Error> /// diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netavark-1.12.1/src/dhcp_proxy/lib.rs new/netavark-1.12.2/src/dhcp_proxy/lib.rs --- old/netavark-1.12.1/src/dhcp_proxy/lib.rs 2024-08-01 22:45:40.000000000 +0200 +++ new/netavark-1.12.2/src/dhcp_proxy/lib.rs 2024-08-16 17:39:42.000000000 +0200 
@@ -40,10 +40,7 @@ impl From<DhcpV4Lease> for Lease { fn from(l: DhcpV4Lease) -> Lease { // Since these fields are optional as per mozim. Match them first and then set them - let domain_name = match l.domain_name { - None => String::from(""), - Some(l) => l, - }; + let domain_name = l.domain_name.unwrap_or_default(); let mtu = l.mtu.unwrap_or(0) as u32; Lease { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netavark-1.12.1/src/dns/aardvark.rs new/netavark-1.12.2/src/dns/aardvark.rs --- old/netavark-1.12.1/src/dns/aardvark.rs 2024-08-01 22:45:40.000000000 +0200 +++ new/netavark-1.12.2/src/dns/aardvark.rs 2024-08-16 17:39:42.000000000 +0200 @@ -211,7 +211,7 @@ Ok(()) } - pub fn commit_entries(&self, entries: Vec<AardvarkEntry>) -> Result<()> { + pub fn commit_entries(&self, entries: &[AardvarkEntry]) -> Result<()> { // Acquire fs lock to ensure other instance of aardvark cannot commit // or start aardvark instance till already running instance has not // completed its `commit` phase. @@ -240,7 +240,7 @@ )); } - for entry in &entries { + for entry in entries { let mut path = Path::new(&self.config).join(entry.network_name); if entry.is_internal { let new_path = Path::new(&self.config).join(entry.network_name.to_owned() + "%int"); @@ -344,8 +344,18 @@ pub fn commit_netavark_entries(&self, entries: Vec<AardvarkEntry>) -> NetavarkResult<()> { if !entries.is_empty() { - self.commit_entries(entries)?; - self.notify(true, false)?; + self.commit_entries(&entries)?; + match self.notify(true, false) { + Ok(_) => (), + Err(e) => { + if let Err(err) = self.delete_from_netavark_entries(&entries) { + log::warn!( + "Failed to delete aardvark-dns entries after failed start: {err}" + ); + }; + return Err(e); + } + }; } Ok(()) } 
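Review bot: The rollback added to commit_netavark_entries stops at the first entry it cannot remove, because delete_from_netavark_entries propagates every delete_entry error with `?` (see the hunk at line 460 in this diff), so a failed aardvark-dns start with several networks can leave stale config files behind while only a single warning is logged. Since this branch is best-effort cleanup after an error that is returned anyway, iterating over all entries and collecting failures before giving up would be more robust. That same helper ends with `self.notify(false, false)`; notify is outside this diff, so it is worth confirming it does not repeat the start that just failed, which would make the warning fire on every failed start. Minor style: the `match` with an empty `Ok(_) => ()` arm reads more simply as `if let Err(e) = self.notify(true, false) { ... return Err(e); }`, and a one-line doc comment such as `/// Writes the entries and starts/notifies aardvark-dns; on start failure the entries are removed again so no stale config is left.` would record the new contract.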
@@ -450,8 +460,8 @@ Ok(()) } - pub fn delete_from_netavark_entries(&self, entries: Vec<AardvarkEntry>) -> NetavarkResult<()> { - for entry in &entries { + pub fn delete_from_netavark_entries(&self, entries: &[AardvarkEntry]) -> NetavarkResult<()> { + for entry in entries { self.delete_entry(entry.container_id, entry.network_name)?; } self.notify(false, false) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netavark-1.12.1/src/firewall/nft.rs new/netavark-1.12.2/src/firewall/nft.rs --- old/netavark-1.12.1/src/firewall/nft.rs 2024-08-01 22:45:40.000000000 +0200 +++ new/netavark-1.12.2/src/firewall/nft.rs 2024-08-16 17:39:42.000000000 +0200 @@ -380,9 +380,21 @@ vec![ get_subnet_match(&subnet, "saddr", stmt::Operator::EQ), stmt::Statement::Match(stmt::Match { + left: expr::Expression::Named(expr::NamedExpression::Meta( + expr::Meta { + key: expr::MetaKey::L4proto, + }, + )), + right: expr::Expression::Named(expr::NamedExpression::Set(vec![ + expr::SetItem::Element(expr::Expression::String("udp".to_string())), + expr::SetItem::Element(expr::Expression::String("tcp".to_string())), + ])), + op: stmt::Operator::EQ, + }), + stmt::Statement::Match(stmt::Match { left: expr::Expression::Named(expr::NamedExpression::Payload( expr::Payload::PayloadField(expr::PayloadField { - protocol: "udp".to_string(), + protocol: "th".to_string(), field: "dport".to_string(), }), )), 
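Review bot: The new `meta l4proto { udp, tcp }` match is pasted verbatim here and again in the DNAT rule at line 1138, and neither site records why TCP is now included, so a future cleanup could easily drop it or let the two copies drift. The reason worth keeping next to the rule is that resolvers retry over TCP when a UDP answer is truncated (TC bit), so a UDP-only accept/redirect silently breaks large answers. The `th dport` payload match only makes sense for protocols that carry a port at that offset, so the l4proto statement must stay immediately in front of it; a small helper makes both the rationale and that ordering explicit. The enclosing function starts and ends outside this hunk.
```rust
/// nft `meta l4proto { udp, tcp }` statement that must precede the DNS
/// `th dport` match. Resolvers fall back to TCP when a UDP answer is
/// truncated (TC bit), so matching UDP alone breaks large answers.
fn get_dns_l4proto_match() -> stmt::Statement {
    stmt::Statement::Match(stmt::Match {
        left: expr::Expression::Named(expr::NamedExpression::Meta(expr::Meta {
            key: expr::MetaKey::L4proto,
        })),
        right: expr::Expression::Named(expr::NamedExpression::Set(vec![
            expr::SetItem::Element(expr::Expression::String("udp".to_string())),
            expr::SetItem::Element(expr::Expression::String("tcp".to_string())),
        ])),
        op: stmt::Operator::EQ,
    })
}

// … at this call site (and the DNAT rule), replacing the inline Match …
vec![
    get_subnet_match(&subnet, "saddr", stmt::Operator::EQ),
    get_dns_l4proto_match(),
    // … unchanged: `th dport` payload match …
```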
@@ -1126,9 +1138,19 @@ vec![ get_ip_match(dns_ip, "daddr", stmt::Operator::EQ), stmt::Statement::Match(stmt::Match { + left: expr::Expression::Named(expr::NamedExpression::Meta(expr::Meta { + key: expr::MetaKey::L4proto, + })), + right: expr::Expression::Named(expr::NamedExpression::Set(vec![ + expr::SetItem::Element(expr::Expression::String("udp".to_string())), + expr::SetItem::Element(expr::Expression::String("tcp".to_string())), + ])), + op: stmt::Operator::EQ, + }), + stmt::Statement::Match(stmt::Match { left: expr::Expression::Named(expr::NamedExpression::Payload( expr::Payload::PayloadField(expr::PayloadField { - protocol: "udp".to_string(), + protocol: "th".to_string(), field: "dport".to_string(), }), )), diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netavark-1.12.1/src/firewall/varktables/types.rs new/netavark-1.12.2/src/firewall/varktables/types.rs --- old/netavark-1.12.1/src/firewall/varktables/types.rs 2024-08-01 22:45:40.000000000 +0200 +++ new/netavark-1.12.2/src/firewall/varktables/types.rs 2024-08-16 17:39:42.000000000 +0200 @@ -373,13 +373,15 @@ // Always add ACCEPT rules in firewall for dns traffic from containers // to gateway when using bridge network with internal dns. - netavark_input_chain.build_rule(VarkRule::new( - format!( - "-p {} -s {} --dport {} -j {}", - "udp", network, dns_port, ACCEPT - ), - Some(TeardownPolicy::OnComplete), - )); + for proto in ["udp", "tcp"] { + netavark_input_chain.build_rule(VarkRule::new( + format!( + "-p {} -s {} --dport {} -j {}", + proto, network, dns_port, ACCEPT + ), + Some(TeardownPolicy::OnComplete), + )); + } chains.push(netavark_input_chain); // Drop all invalid packages, due a race the container source ip could be leaked on the local 
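Review bot: The comment above the new loop still only says the rules accept "dns traffic from containers to gateway" and gives no reason for the second protocol, so the next reader may collapse it back to UDP; extend it with `// Accept both UDP and TCP: resolvers retry over TCP when a UDP answer is truncated (TC bit).` The same `for proto in ["udp", "tcp"]` literal is repeated for the DNAT rule in the hunk at line 524, so a shared `const DNS_PROTOS: [&str; 2] = ["udp", "tcp"];` would keep the ACCEPT and DNAT rule sets in sync. The surrounding function starts and ends outside this hunk.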
@@ -522,13 +524,15 @@ ip_value = format!("[{ip_value}]") } netavark_hostport_dn_chain.create = true; - netavark_hostport_dn_chain.build_rule(VarkRule::new( - format!( - "-j {} -d {} -p {} --dport {} --to-destination {}:{}", - DNAT, dns_ip, "udp", 53, ip_value, pfwd.dns_port - ), - Some(TeardownPolicy::OnComplete), - )); + for proto in ["udp", "tcp"] { + netavark_hostport_dn_chain.build_rule(VarkRule::new( + format!( + "-j {} -d {} -p {} --dport {} --to-destination {}:{}", + DNAT, dns_ip, proto, 53, ip_value, pfwd.dns_port + ), + Some(TeardownPolicy::OnComplete), + )); + } } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netavark-1.12.1/test/100-bridge-iptables.bats new/netavark-1.12.2/test/100-bridge-iptables.bats --- old/netavark-1.12.1/test/100-bridge-iptables.bats 2024-08-01 22:45:40.000000000 +0200 +++ new/netavark-1.12.2/test/100-bridge-iptables.bats 2024-08-16 17:39:42.000000000 +0200 
@@ -250,12 +250,16 @@ } @test "$fw_driver - bridge driver must generate config for aardvark with custom dns server" { - # get a random port directly to avoid low ports e.g. 53 would not create iptables - dns_port=$((RANDOM+10000)) - - NETAVARK_DNS_PORT="$dns_port" run_netavark --file ${TESTSDIR}/testfiles/dualstack-bridge-custom-dns-server.json \ + run_netavark --file ${TESTSDIR}/testfiles/dualstack-bridge-custom-dns-server.json \ setup $(get_container_netns_path) + run_in_host_netns iptables -S NETAVARK_INPUT + assert "${lines[1]}" == "-A NETAVARK_INPUT -s 10.89.3.0/24 -p udp -m udp --dport 53 -j ACCEPT" "ipv4 dns udp accept rule" + assert "${lines[2]}" == "-A NETAVARK_INPUT -s 10.89.3.0/24 -p tcp -m tcp --dport 53 -j ACCEPT" "ipv4 dns tcp accept rule" + run_in_host_netns ip6tables -S NETAVARK_INPUT + assert "${lines[1]}" == "-A NETAVARK_INPUT -s fd10:88:a::/64 -p udp -m udp --dport 53 -j ACCEPT" "ipv6 dns udp accept rule" + assert "${lines[2]}" == "-A NETAVARK_INPUT -s fd10:88:a::/64 -p tcp -m tcp --dport 53 -j ACCEPT" "ipv6 dns tcp accept rule" + # check aardvark config and running run_helper cat "$NETAVARK_TMPDIR/config/aardvark-dns/podman1" assert "${lines[0]}" =~ "10.89.3.1,fd10:88:a::1" "aardvark set to listen to all IPs" @@ -265,7 +269,7 @@ aardvark_pid=$(cat "$NETAVARK_TMPDIR/config/aardvark-dns/aardvark.pid") assert "$ardvark_pid" =~ "[0-9]*" "aardvark pid not found" run_helper ps "$aardvark_pid" - assert "${lines[1]}" =~ ".*aardvark-dns --config $NETAVARK_TMPDIR/config/aardvark-dns -p $dns_port run" "aardvark not running or bad options" + assert "${lines[1]}" =~ ".*aardvark-dns --config $NETAVARK_TMPDIR/config/aardvark-dns -p 53 run" "aardvark not running or bad options" } @test "$fw_driver - bridge driver must generate config for aardvark with multiple custom dns server" { 
@@ -316,8 +320,10 @@ # check iptables run_in_host_netns iptables -t nat -S NETAVARK-HOSTPORT-DNAT assert "${lines[1]}" == "-A NETAVARK-HOSTPORT-DNAT -d 10.89.3.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.89.3.1:$dns_port" "ipv4 dns forward rule" + assert "${lines[2]}" == "-A NETAVARK-HOSTPORT-DNAT -d 10.89.3.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.89.3.1:$dns_port" "ipv4 dns tcp forward rule" run_in_host_netns ip6tables -t nat -S NETAVARK-HOSTPORT-DNAT assert "${lines[1]}" == "-A NETAVARK-HOSTPORT-DNAT -d fd10:88:a::1/128 -p udp -m udp --dport 53 -j DNAT --to-destination [fd10:88:a::1]:$dns_port" "ipv6 dns forward rule" + assert "${lines[2]}" == "-A NETAVARK-HOSTPORT-DNAT -d fd10:88:a::1/128 -p tcp -m tcp --dport 53 -j DNAT --to-destination [fd10:88:a::1]:$dns_port" "ipv6 dns tcp forward rule" # check aardvark config and running run_helper cat "$NETAVARK_TMPDIR/config/aardvark-dns/podman1" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netavark-1.12.1/test/250-bridge-nftables.bats new/netavark-1.12.2/test/250-bridge-nftables.bats --- old/netavark-1.12.1/test/250-bridge-nftables.bats 2024-08-01 22:45:40.000000000 +0200 +++ new/netavark-1.12.2/test/250-bridge-nftables.bats 2024-08-16 17:39:42.000000000 +0200 
@@ -240,12 +240,13 @@ } @test "$fw_driver - bridge driver must generate config for aardvark with custom dns server" { - # get a random port directly to avoid low ports e.g. 53 would not create nftables rules - dns_port=$((RANDOM+10000)) - - NETAVARK_DNS_PORT="$dns_port" run_netavark --file ${TESTSDIR}/testfiles/dualstack-bridge-custom-dns-server.json \ + run_netavark --file ${TESTSDIR}/testfiles/dualstack-bridge-custom-dns-server.json \ setup $(get_container_netns_path) + # check nftables + run_in_host_netns nft list chain inet netavark INPUT + assert "${lines[3]}" =~ "ip saddr 10.89.3.0/24 meta l4proto \{ tcp, udp \} th dport 53 accept" "DNS accept rule" + # check aardvark config and running run_helper cat "$NETAVARK_TMPDIR/config/aardvark-dns/podman1" assert "${lines[0]}" =~ "10.89.3.1,fd10:88:a::1" "aardvark set to listen to all IPs" @@ -255,7 +256,18 @@ aardvark_pid=$(cat "$NETAVARK_TMPDIR/config/aardvark-dns/aardvark.pid") assert "$ardvark_pid" =~ "[0-9]*" "aardvark pid not found" run_helper ps "$aardvark_pid" - assert "${lines[1]}" =~ ".*aardvark-dns --config $NETAVARK_TMPDIR/config/aardvark-dns -p $dns_port run" "aardvark not running or bad options" + assert "${lines[1]}" =~ ".*aardvark-dns --config $NETAVARK_TMPDIR/config/aardvark-dns -p 53 run" "aardvark not running or bad options" +} + +@test "$fw_driver - aardvark-dns entries after startup failure" { + # force failure with invalid aardvark-dns binary + expected_rc=1 run_netavark --aardvark-binary ${TESTSDIR} --file ${TESTSDIR}/testfiles/dualstack-bridge-custom-dns-server.json \ + setup $(get_container_netns_path) + assert "$output" =~ "aardvark-dns failed to start: Failed to find executable" "netavark error" + + # check aardvark config must not exists after error + run_helper ls "$NETAVARK_TMPDIR/config/aardvark-dns" + assert "$output" == "" "No aardvark entries" } @test "$fw_driver - bridge driver must generate config for aardvark with multiple custom dns server" { 
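Review bot: The new startup-failure test only checks that the aardvark-dns config directory is empty afterwards; it does not assert that the firewall rules created earlier in the same setup call were torn down, which is the part that matters for the host if setup bails out halfway. Whether setup rolls back the INPUT/DNAT rules on a DNS start failure is not visible in this diff, so it is worth either confirming that or adding a `run_in_host_netns nft list table inet netavark` assertion here so the behaviour is pinned. The rollback lives in the DNS code rather than the firewall driver, so one copy of this test is reasonable, but a one-line comment saying so would stop someone from assuming the iptables suite was forgotten.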
@@ -305,7 +317,7 @@ # check nftables run_in_host_netns nft list chain inet netavark NETAVARK-HOSTPORT-DNAT - assert "${lines[2]}" =~ "ip daddr 10.89.3.1 udp dport 53 dnat ip to 10.89.3.1:$dns_port" "DNS forward rule" + assert "${lines[2]}" =~ "ip daddr 10.89.3.1 meta l4proto \{ tcp, udp \} th dport 53 dnat ip to 10.89.3.1:$dns_port" "DNS forward rule" # check aardvark config and running run_helper cat "$NETAVARK_TMPDIR/config/aardvark-dns/podman1" ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/netavark/vendor.tar.gz /work/SRC/openSUSE:Factory/.netavark.new.29891/vendor.tar.gz differ: char 13, line 1