Your message dated Wed, 10 Jul 2013 20:08:31 +0200
with message-id <[email protected]>
and subject line Closing OpenVZ related bugs
has caused the Debian Bug report #638609,
regarding linux-image-2.6.32-5-openvz-amd64: [openvz] iptables: "raw" table
gets leaked to guests, causing checkpoint/restore errors
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
638609: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638609
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: linux-image-2.6.32-5-openvz-amd64
Version: 2.6.32-35
Severity: normal
When using OpenVZ the iptables "raw" table gets leaked to containers. This is
problematic when using OpenVZ's checkpointing feature since every restore of a
container invokes iptables-restore in the container with the set of rules which
existed during the checkpoint process.
If a container was checkpointed with the "raw" table visible and the kernel of
the hardware node/CT0 doesn't have iptable_raw loaded anymore, the
iptables-restore in the container will fail, causing the restore to abort.
This will manifest in the dreaded and non-descript error:

    Error: undump failed: Invalid argument
    Restoring failed:
    Error: iptables-restore exited with 2
    Error: Most probably some iptables modules are not loaded
    Error: rst_restore_net: -22

You can find a demonstration of this behavior at
http://nopaste.narf.at/show/778/.
The "raw" table should be completely hidden in containers to
prevent such problems, even more so because it's not even allowed
within containers; OpenVZ only allows the "filter" and "mangle" tables
to be used within containers.
-- System Information:
Debian Release: 6.0.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-openvz-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
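
A pre-checkpoint check for the condition the report above describes, added here as an example and not part of the original report or of OpenVZ: it reads iptables-save output and lists every table other than the "filter" and "mangle" tables the report names as permitted. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Tables the bug report names as permitted inside an OpenVZ container.
ALLOWED_TABLES="filter mangle"

# unexpected_tables (hypothetical helper): read iptables-save output on stdin
# and print each table name that is not in ALLOWED_TABLES, one per line.
unexpected_tables() {
    while IFS= read -r line; do
        case "$line" in
            \**)                          # table header such as "*raw"
                table=${line#\*}
                case " $ALLOWED_TABLES " in
                    *" $table "*) ;;      # permitted table
                    *) printf '%s\n' "$table" ;;
                esac
                ;;
        esac
    done
}

# check_dump (hypothetical helper): return 0 when the dump on stdin holds only
# permitted tables, 1 when a restore would depend on some other table.
check_dump() {
    leaked=$(unexpected_tables)
    [ -z "$leaked" ] && return 0
    echo "restore will need extra table(s):" $leaked >&2
    return 1
}

# Constructed sample of a container dump taken while "raw" was visible.
sample_dump() {
    cat <<'EOF'
# constructed iptables-save output
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

sample_dump | unexpected_tables    # prints: raw
```

On a hardware node the input would come from running iptables-save inside the container before checkpointing, for example through `vzctl exec`.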
--- Begin Message ---
Hi,
your bug has been filed against the "linux-2.6" source package and was filed for
a kernel older than the recently released Debian 7.x.
As already announced in the release notes of Debian 6, the kernel from Debian
7.x no longer includes support for openvz (due to the openvz changes not being
part of the upstream kernel).
We're closing this bug now, the Debian wiki contains some information on running
Debian 7.x with openvz: http://wiki.debian.org/OpenVz
Cheers,
Moritz
--- End Message ---