Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package netavark for openSUSE:Factory checked in at 2024-12-11 21:00:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/netavark (Old) and /work/SRC/openSUSE:Factory/.netavark.new.29675 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "netavark" Wed Dec 11 21:00:35 2024 rev:16 rq:1229708 version:1.13.1 Changes: -------- --- /work/SRC/openSUSE:Factory/netavark/netavark.changes 2024-11-29 00:08:52.889429226 +0100 +++ /work/SRC/openSUSE:Factory/.netavark.new.29675/netavark.changes 2024-12-11 21:04:15.888793116 +0100 @@ -1,0 +2,9 @@ +Tue Dec 10 06:53:58 UTC 2024 - madhankumar.chellamu...@suse.com + +- Update to version 1.13.1: + * Release v1.13.1 + * Release notes for v1.13.1 + * setup: on av errors cleanup again + * nftables: add daddr match to port forward jump rule + +------------------------------------------------------------------- Old: ---- netavark-1.13.0.tar.gz New: ---- netavark-1.13.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ netavark.spec ++++++ --- /var/tmp/diff_new_pack.xJx0Ci/_old 2024-12-11 21:04:17.348854050 +0100 +++ /var/tmp/diff_new_pack.xJx0Ci/_new 2024-12-11 21:04:17.348854050 +0100 @@ -19,7 +19,7 @@ %define major_minor %((v=%{version}; echo ${v%.*})) Name: netavark -Version: 1.13.0 +Version: 1.13.1 Release: 0 Summary: Container network stack License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.xJx0Ci/_old 2024-12-11 21:04:17.376855219 +0100 +++ /var/tmp/diff_new_pack.xJx0Ci/_new 2024-12-11 21:04:17.380855386 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/containers/netavark.git</param> <param name="versionformat">@PARENT_TAG@</param> <param name="scm">git</param> - <param name="revision">v1.13.0</param> + <param name="revision">v1.13.1</param> <param name="match-tag">*</param> <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param> <param name="versionrewrite-replacement">\1</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.xJx0Ci/_old 2024-12-11 21:04:17.404856387 +0100 +++ /var/tmp/diff_new_pack.xJx0Ci/_new 2024-12-11 21:04:17.408856554 +0100 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/containers/netavark.git</param> - <param name="changesrevision">00e74728cc65aac7cdc6ba0ac74fc12e947bb04c</param></service></servicedata> + <param name="changesrevision">0935a20455c3e6292a29b2a7b1a4030716b96be5</param></service></servicedata> (No newline at EOF) ++++++ netavark-1.13.0.tar.gz -> netavark-1.13.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netavark-1.13.0/Cargo.lock new/netavark-1.13.1/Cargo.lock --- old/netavark-1.13.0/Cargo.lock 2024-10-29 16:04:38.000000000 +0100 +++ new/netavark-1.13.1/Cargo.lock 2024-12-04 18:59:45.000000000 +0100 @@ -1280,7 +1280,7 @@ [[package]] name = "netavark" -version = "1.13.0" +version = "1.13.1" dependencies = [ "anyhow", "chrono", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netavark-1.13.0/Cargo.toml new/netavark-1.13.1/Cargo.toml --- old/netavark-1.13.0/Cargo.toml 2024-10-29 16:04:38.000000000 +0100 +++ new/netavark-1.13.1/Cargo.toml 2024-12-04 18:59:45.000000000 +0100 @@ -1,6 +1,6 @@ [package] name = "netavark" -version = "1.13.0" +version = "1.13.1" edition = "2021" authors = ["github.com/containers"] license = "Apache-2.0" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netavark-1.13.0/RELEASE_NOTES.md new/netavark-1.13.1/RELEASE_NOTES.md --- old/netavark-1.13.0/RELEASE_NOTES.md 2024-10-29 16:04:38.000000000 +0100 +++ new/netavark-1.13.1/RELEASE_NOTES.md 2024-12-04 18:59:45.000000000 +0100 
@@ -1,5 +1,10 @@
 # Release Notes
+## v1.13.1
+
+* Fixed a bug where port forwarding rules might not be removed correctly on nftables when different host ips are used for the same port. ([#1129](https://github.com/containers/netavark/issues/1129))
+* On aardvark-dns setup errors properly cleanup interfaces and firewall rules again. ([#1121](https://github.com/containers/netavark/issues/1121))
+
 ## v1.13.0
 * Fixed bug where port forwarding rules might not be removed correctly on nftables
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netavark-1.13.0/src/commands/setup.rs new/netavark-1.13.1/src/commands/setup.rs
--- old/netavark-1.13.0/src/commands/setup.rs 2024-10-29 16:04:38.000000000 +0100
+++ new/netavark-1.13.1/src/commands/setup.rs 2024-12-04 18:59:45.000000000 +0100
@@ -3,8 +3,8 @@
 use crate::dns::aardvark::Aardvark;
 use crate::error::{NetavarkError, NetavarkResult};
 use crate::firewall;
-use crate::network::driver::{get_network_driver, DriverInfo};
-use crate::network::netlink::LinkID;
+use crate::network::driver::{get_network_driver, DriverInfo, NetworkDriver};
+use crate::network::netlink::{self, LinkID};
 use crate::network::{self};
 use crate::network::{core_utils, types};
@@ -109,17 +109,11 @@
 Ok((s, a)) => (s, a),
 Err(e) => {
 // now teardown the already setup drivers
- for dri in drivers.iter().take(i) {
- match dri.teardown((&mut hostns.netlink, &mut netns.netlink)) {
- Ok(_) => {}
- Err(e) => {
- error!(
- "failed to cleanup previous networks after setup failed: {}",
- e
- )
- }
- };
- }
+ teardown_drivers(
+ drivers.iter().take(i),
+ &mut hostns.netlink,
+ &mut netns.netlink,
+ );
 return Err(e);
 }
 };
@@ -139,22 +133,19 @@
 // ignore error when path already exists
 Err(ref e) if e.kind() == std::io::ErrorKind::AlreadyExists => {}
 Err(e) => {
- return Err(std::io::Error::new(
- std::io::ErrorKind::Other,
- format!("failed to create aardvark-dns directory: {e}"),
- )
- .into());
+ teardown_drivers(drivers.iter(), &mut hostns.netlink, &mut netns.netlink);
+ return Err(NetavarkError::wrap(
+ format!("failed to create aardvark-dns directory {}", path.display()),
+ NetavarkError::Io(e),
+ ));
 }
 }
 let aardvark_interface = Aardvark::new(path, rootless, aardvark_bin, dns_port);
 if let Err(er) = aardvark_interface.commit_netavark_entries(aardvark_entries) {
- return Err(std::io::Error::new(
- std::io::ErrorKind::Other,
- format!("Error while applying dns entries: {er}"),
- )
- .into());
+ teardown_drivers(drivers.iter(), &mut hostns.netlink, &mut netns.netlink);
+ return Err(NetavarkError::wrap("error while applying dns entries", er));
 }
 } else {
 info!(
@@ -170,3 +161,18 @@
 Ok(())
 }
 }
+
+fn teardown_drivers<'a, I>(drivers: I, host: &mut netlink::Socket, netns: &mut netlink::Socket)
+where
+ I: Iterator<Item = &'a Box<dyn NetworkDriver + 'a>>,
+{
+ for driver in drivers {
+ if let Err(e) = driver.teardown((host, netns)) {
+ error!(
+ "failed to cleanup network {} after setup failed: {}",
+ driver.network_name(),
+ e
+ );
+ };
+ }
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netavark-1.13.0/src/firewall/nft.rs new/netavark-1.13.1/src/firewall/nft.rs
--- old/netavark-1.13.0/src/firewall/nft.rs 2024-10-29 16:04:38.000000000 +0100
+++ new/netavark-1.13.1/src/firewall/nft.rs 2024-12-04 18:59:45.000000000 +0100
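Review bot: `teardown_drivers` has no doc comment saying that it is best-effort — a failed `teardown` is only reported through `error!` and the loop moves on to the next driver, so the caller's original setup error is preserved but the interfaces or firewall rules of a network whose teardown failed may stay behind. Suggest `/// Best-effort teardown of already-configured drivers after a setup failure; per-driver errors are logged and not propagated.` above the `fn`. Two style points in the same hunk: the `};` closing the `if let` block carries a stray semicolon, and `Item = &'a Box<dyn NetworkDriver + 'a>` is the `&Box<T>` shape clippy discourages, though it is defensible here since both call sites hand over `drivers.iter()` (presumably a collection of boxed drivers) unchanged.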
@@ -1011,14 +1011,18 @@
 continue;
 }
 }
- let daddr_cond: Option<stmt::Statement> =
- daddr.map(|i| get_ip_match(&i, "daddr", stmt::Operator::EQ));
- // dnat chain: <protocol> dport <port> jump <container_dnat_chain>
- rules.push(make_rule(
- DNATCHAIN,
- vec![dport_cond.clone(), get_jump_action(&subnet_dnat_chain)],
- ));
+ let mut jump_statements = Vec::with_capacity(3);
+ let daddr_cond: Option<stmt::Statement> = daddr.map(|i| {
+ let daddr = get_ip_match(&i, "daddr", stmt::Operator::EQ);
+ jump_statements.push(daddr.clone());
+ daddr
+ });
+ jump_statements.push(dport_cond.clone());
+ jump_statements.push(get_jump_action(&subnet_dnat_chain));
+
+ // dnat chain: [ip daddr <ip>] <protocol> dport <port> jump <container_dnat_chain>
+ rules.push(make_rule(DNATCHAIN, jump_statements));
 // Container dnat chain: ip saddr <subnet> ip daddr <host IP> <proto> dport <port(s)> jump SETMARKCHAIN
 rules.push(get_subnet_dport_match(
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netavark-1.13.0/test/100-bridge-iptables.bats new/netavark-1.13.1/test/100-bridge-iptables.bats
--- old/netavark-1.13.0/test/100-bridge-iptables.bats 2024-10-29 16:04:38.000000000 +0100
+++ new/netavark-1.13.1/test/100-bridge-iptables.bats 2024-12-04 18:59:45.000000000 +0100
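Review bot: The `daddr.map(...)` closure now pushes into `jump_statements` as a side effect and rebinds `daddr` to a `Statement` while the outer `daddr` is the `Option`, which makes the construction of the jump rule harder to read than the old pure `daddr_cond` line. Keep `let daddr_cond: Option<stmt::Statement> = daddr.map(|i| get_ip_match(&i, "daddr", stmt::Operator::EQ));` as it was and add the optional match with `jump_statements.extend(daddr_cond.iter().cloned());` before the `dport_cond` push; the statement order (daddr, dport, jump) and therefore the generated rule stay the same. Since the added `daddr` match is what lets the rule be removed per host IP (the #1129 fix in the release notes), a short comment noting that this rule must carry the same daddr match as the one teardown deletes would help, if that is indeed how removal finds it. The enclosing function starts and ends outside this hunk.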
@@ -1088,3 +1088,12 @@ assert "${lines[3]}" == "-A NETAVARK_FORWARD -s 10.88.0.0/16 -j ACCEPT" "NETAVARK_FORWARD rule 3" assert "${#lines[@]}" = 4 "too many NETAVARK_FORWARD rules" } + +@test "$fw_driver - aardvark-dns error cleanup" { + expected_rc=1 run_netavark -a /usr/bin/false --file ${TESTSDIR}/testfiles/dualstack-bridge-custom-dns-server.json setup $(get_container_netns_path) + assert_json ".error" "error while applying dns entries: IO error: aardvark-dns exited unexpectedly without error message" "aardvark-dns error" + run_in_host_netns iptables -S + assert "$output" !~ "10.89.3.0/24" "leaked network iptables rules after setup error" + run_in_host_netns iptables -S -t nat + assert "$output" !~ "10.89.3.0/24" "leaked network iptables NAT rules after setup error" +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netavark-1.13.0/test/250-bridge-nftables.bats new/netavark-1.13.1/test/250-bridge-nftables.bats --- old/netavark-1.13.0/test/250-bridge-nftables.bats 2024-10-29 16:04:38.000000000 +0100 +++ new/netavark-1.13.1/test/250-bridge-nftables.bats 2024-12-04 18:59:45.000000000 +0100 @@ -985,7 +985,7 @@ } # regression test for https://github.com/containers/netavark/issues/1068 -@test "$fw_driver - port firewall rule cleanup" { +@test "$fw_driver - port firewall rule cleanup port protocol" { run_netavark --file ${TESTSDIR}/testfiles/bridge-port-tcp-udp.json setup $(get_container_netns_path) local chain="nv_2f259bab_10_88_0_0_nm16_dnat" 
@@ -1003,3 +1003,36 @@ expected_rc=1 run_in_host_netns nft list chain inet netavark $chain } + +# regression test for https://github.com/containers/netavark/issues/1129 +@test "$fw_driver - port firewall rule cleanup host ip" { + run_netavark --file ${TESTSDIR}/testfiles/bridge-port-hostip.json setup $(get_container_netns_path) + + local chain="nv_2f259bab_10_88_0_0_nm16_dnat" + run_in_host_netns nft list chain inet netavark $chain + + run_in_host_netns nft list ruleset + + # extra check so we can be sure that these rules exists before checking later of they are removed + assert "$output" =~ "ip saddr 10.88.0.0/16 ip daddr 192.168.188.25 tcp dport 8080 jump NETAVARK-HOSTPORT-SETMARK" + assert "$output" =~ "ip saddr 127.0.0.1 ip daddr 192.168.188.25 tcp dport 8080 jump NETAVARK-HOSTPORT-SETMARK" + assert "$output" =~ "ip daddr 192.168.188.25 tcp dport 8080 dnat ip to 10.88.0.14:8080" + assert "$output" =~ "ip saddr 10.88.0.0/16 ip daddr 192.168.188.24 tcp dport 8080 jump NETAVARK-HOSTPORT-SETMARK" + assert "$output" =~ "ip saddr 127.0.0.1 ip daddr 192.168.188.24 tcp dport 8080 jump NETAVARK-HOSTPORT-SETMARK" + assert "$output" =~ "ip daddr 192.168.188.24 tcp dport 8080 dnat ip to 10.88.0.14:8080" + + run_netavark --file ${TESTSDIR}/testfiles/bridge-port-hostip.json teardown $(get_container_netns_path) + + expected_rc=1 run_in_host_netns nft list chain inet netavark $chain + run_in_host_netns nft list chain inet netavark NETAVARK-HOSTPORT-DNAT + assert "$output" == $'table inet netavark {\n\tchain NETAVARK-HOSTPORT-DNAT {\n\t}\n}' "NETAVARK-HOSTPORT-DNAT chain must be empty" +} + +@test "$fw_driver - aardvark-dns error cleanup" { + expected_rc=1 run_netavark -a /usr/bin/false --file ${TESTSDIR}/testfiles/dualstack-bridge-custom-dns-server.json setup $(get_container_netns_path) + assert_json ".error" "error while applying dns entries: IO error: aardvark-dns exited unexpectedly without error message" "aardvark-dns error" + + run_in_host_netns nft list table inet 
netavark + assert "$output" !~ "10.89.3.0/24" "leaked network nft rules after setup error" + assert "$output" !~ "fd10:88:a::/64" "leaked network nft rules after setup error" +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netavark-1.13.0/test/testfiles/bridge-port-hostip.json new/netavark-1.13.1/test/testfiles/bridge-port-hostip.json --- old/netavark-1.13.0/test/testfiles/bridge-port-hostip.json 1970-01-01 01:00:00.000000000 +0100 +++ new/netavark-1.13.1/test/testfiles/bridge-port-hostip.json 2024-12-04 18:59:45.000000000 +0100 @@ -0,0 +1,52 @@ +{ + "container_id": "f922ffdda5718b26ea585a500d5ad05191da5461b06d6f62e4d1f66ca901a253", + "container_name": "sharp_gould", + "port_mappings": [ + { + "host_ip": "192.168.188.25", + "container_port": 8080, + "host_port": 8080, + "range": 1, + "protocol": "tcp" + }, + { + "host_ip": "192.168.188.24", + "container_port": 8080, + "host_port": 8080, + "range": 1, + "protocol": "tcp" + } + ], + "networks": { + "podman": { + "static_ips": [ + "10.88.0.14" + ], + "aliases": [ + "f922ffdda571" + ], + "interface_name": "eth0" + } + }, + "network_info": { + "podman": { + "name": "podman", + "id": "2f259bab93aaaaa2542ba43ef33eb990d0999ee1b9924b557b7be53c0b7a1bb9", + "driver": "bridge", + "network_interface": "podman0", + "created": "2024-09-05T15:00:04.45111926+02:00", + "subnets": [ + { + "subnet": "10.88.0.0/16", + "gateway": "10.88.0.1" + } + ], + "ipv6_enabled": false, + "internal": false, + "dns_enabled": false, + "ipam_options": { + "driver": "host-local" + } + } + } +} ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/netavark/vendor.tar.gz /work/SRC/openSUSE:Factory/.netavark.new.29675/vendor.tar.gz differ: char 13, line 1