[ https://issues.apache.org/jira/browse/VCL-1056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16082959#comment-16082959 ]
ASF subversion and git services commented on VCL-1056:
------------------------------------------------------
Commit 1801653 from [email protected] in branch 'vcl/trunk'
[ https://svn.apache.org/r1801653 ]
VCL-1056
Added iptables.pm::_execute_iptables subroutine. It simply calls
$self->os->execute() and checks the output for text indicating another process
has an xtables lock.
Changed all existing calls from $self->os->execute() to
$self->_execute_iptables();
> Add checks/workarounds in iptables.pm if command fails because another
> process holds an xtables lock
> ----------------------------------------------------------------------------------------------------
>
> Key: VCL-1056
> URL: https://issues.apache.org/jira/browse/VCL-1056
> Project: VCL
> Issue Type: Improvement
> Components: vcld (backend)
> Reporter: Andy Kurth
> Assignee: Andy Kurth
> Fix For: 2.5
>
>
> The backend iptables.pm module will only attempt a single iptables operation
> at a time. However, if some external process is performing an iptables
> operation the following problems may occur:
> {noformat}
> iptables.pm:get_table_info|1602| ---- WARNING ----
> iptables.pm:get_table_info|1602| 2017-06-23
> 14:28:25iptables.pm:get_table_info|1602|failed to list rules from 'filter'
> table on vcl-dc2-98-37.cjmattin, exit status: 4, command:
> iptables.pm:get_table_info|1602| /sbin/iptables --list-rules --table filter
> iptables.pm:get_table_info|1602| output:
> iptables.pm:get_table_info|1602| Another app is currently holding the xtables
> lock. Perhaps you want to use the -w option?
> {noformat}
> {noformat}
> iptables.pm:create_chain|1221| ---- WARNING ----
> iptables.pm:create_chain|1221| 2017-06-23
> 14:28:25iptables.pm:create_chain|1221|failed to create 'vcl-post_load' chain
> in 'filter' table on vcl-dc2-98-37.cjmattin, exit status: 4, command:
> iptables.pm:create_chain|1221| /sbin/iptables --new-chain vcl-post_load
> --table filter
> iptables.pm:create_chain|1221| output:
> iptables.pm:create_chain|1221| Another app is currently holding the xtables
> lock. Perhaps you want to use the -w option?
> {noformat}
> {noformat}
> iptables.pm:_insert_rule|782| ---- WARNING ----
> iptables.pm:_insert_rule|782| 2017-06-23
> 14:28:25iptables.pm:_insert_rule|782|failed to add iptables rule to INPUT
> chain in filter table on vcl-dc2-98-37.cjmattin, exit status: 4, command:
> iptables.pm:_insert_rule|782| /sbin/iptables --insert INPUT --table filter
> --jump vcl-post_load --match comment --comment "VCL: jump to rules added
> during the post-load stage (2017-06-23 14:28:25)"
> iptables.pm:_insert_rule|782| output:
> iptables.pm:_insert_rule|782| Another app is currently holding the xtables
> lock. Perhaps you want to use the -w option?
> {noformat}
> I have seen this on an image which is using Puppet for additional
> configuration.
> The -w option does this:
> {panel}
> -w, --wait \[seconds\]
> Wait for the xtables lock. To prevent multiple instances of
> the program from running concurrently, an attempt will be made to obtain an
> exclusive lock at launch. By default, the program will exit if the lock
> cannot be obtained. This
> option will make the program wait (indefinitely or for optional
> seconds) until the exclusive lock can be obtained.
> {panel}
> We cannot simply add the -w option to every iptables command because earlier
> versions of iptables do not support it. A check for _-w option_ in the output
> could be added. If it is present, try again with _-w_.
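The retry idea proposed in the issue above, sketched as an added shell example; it is not the VCL project's Perl code. The function names and the IPTABLES, XTABLES_WAIT_SECS and XTABLES_RETRIES variables are hypothetical, and the sketch assumes --wait accepts a seconds value as in the help text quoted in the issue.

```shell
#!/bin/sh
# Added example, not VCL code. IPTABLES, XTABLES_WAIT_SECS and XTABLES_RETRIES
# are hypothetical knobs; the lock message text is taken from the logs above.
IPTABLES="${IPTABLES:-/sbin/iptables}"
XTABLES_WAIT_SECS="${XTABLES_WAIT_SECS:-10}"
XTABLES_RETRIES="${XTABLES_RETRIES:-3}"

# Run one iptables attempt; sets ipt_out and ipt_rc (safe under `set -e`).
_ipt_try() {
    ipt_out=$("$IPTABLES" "$@" 2>&1) && ipt_rc=0 || ipt_rc=$?
}

# True when the last attempt failed because another process held the lock.
_ipt_lock_held() {
    [ "$ipt_rc" -ne 0 ] &&
        printf '%s\n' "$ipt_out" | grep -q 'holding the xtables lock'
}

# Usage: execute_iptables <iptables args...>
# Prints the final output and returns the final exit status, so a rule that
# was never applied is reported to the caller instead of being ignored.
execute_iptables() {
    _ipt_try "$@"
    if _ipt_lock_held && printf '%s\n' "$ipt_out" | grep -q -e '-w option'; then
        # This build advertises -w: let iptables wait for the lock itself.
        # Assumes --wait takes a seconds value, as in the quoted help text.
        _ipt_try --wait "$XTABLES_WAIT_SECS" "$@"
    fi
    _n=0
    # Build without -w, or the bounded wait expired: back off and retry.
    while _ipt_lock_held && [ "$_n" -lt "$XTABLES_RETRIES" ]; do
        _n=$((_n + 1))
        sleep 1
        _ipt_try "$@"
    done
    printf '%s\n' "$ipt_out"
    return "$ipt_rc"
}
```

A caller should treat a non-zero return as "firewall rule not in place" and stop, rather than continuing with a host whose chain or rule is missing.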