[
https://issues.apache.org/jira/browse/VCL-1056?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andy Kurth resolved VCL-1056.
-----------------------------
Resolution: Fixed
> Add checks/workarounds in iptables.pm if command fails because another
> process holds an xtables lock
> ----------------------------------------------------------------------------------------------------
>
> Key: VCL-1056
> URL: https://issues.apache.org/jira/browse/VCL-1056
> Project: VCL
> Issue Type: Improvement
> Components: vcld (backend)
> Reporter: Andy Kurth
> Assignee: Andy Kurth
> Fix For: 2.5
>
>
> The backend iptables.pm module will only attempt a single iptables operation
> at a time. However, if some external process is performing an iptables
> operation the following problems may occur:
> {noformat}
> iptables.pm:get_table_info|1602| ---- WARNING ----
> iptables.pm:get_table_info|1602| 2017-06-23
> 14:28:25iptables.pm:get_table_info|1602|failed to list rules from 'filter'
> table on vcl-dc2-98-37.cjmattin, exit status: 4, command:
> iptables.pm:get_table_info|1602| /sbin/iptables --list-rules --table filter
> iptables.pm:get_table_info|1602| output:
> iptables.pm:get_table_info|1602| Another app is currently holding the xtables
> lock. Perhaps you want to use the -w option?
> {noformat}
> {noformat}
> iptables.pm:create_chain|1221| ---- WARNING ----
> iptables.pm:create_chain|1221| 2017-06-23
> 14:28:25iptables.pm:create_chain|1221|failed to create 'vcl-post_load' chain
> in 'filter' table on vcl-dc2-98-37.cjmattin, exit status: 4, command:
> iptables.pm:create_chain|1221| /sbin/iptables --new-chain vcl-post_load
> --table filter
> iptables.pm:create_chain|1221| output:
> iptables.pm:create_chain|1221| Another app is currently holding the xtables
> lock. Perhaps you want to use the -w option?
> {noformat}
> {noformat}
> iptables.pm:_insert_rule|782| ---- WARNING ----
> iptables.pm:_insert_rule|782| 2017-06-23
> 14:28:25iptables.pm:_insert_rule|782|failed to add iptables rule to INPUT
> chain in filter table on vcl-dc2-98-37.cjmattin, exit status: 4, command:
> iptables.pm:_insert_rule|782| /sbin/iptables --insert INPUT --table filter
> --jump vcl-post_load --match comment --comment "VCL: jump to rules added
> during the post-load stage (2017-06-23 14:28:25)"
> iptables.pm:_insert_rule|782| output:
> iptables.pm:_insert_rule|782| Another app is currently holding the xtables
> lock. Perhaps you want to use the -w option?
> {noformat}
> I have seen this on an image which is using Puppet for additional
> configuration.
> The -w option does this:
> {panel}
> -w, --wait [seconds]
> Wait for the xtables lock. To prevent multiple instances of the program
> from running concurrently, an attempt will be made to obtain an exclusive
> lock at launch. By default, the program will exit if the lock cannot be
> obtained. This option will make the program wait (indefinitely or for
> optional seconds) until the exclusive lock can be obtained.
> {panel}
> We cannot simply add the -w option to every iptables command because earlier
> versions of iptables do not support it. A check for _-w option_ in the output
> could be added. If it is present, try again with _-w_.
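The check proposed in the issue description, sketched as an added shell example; it is not part of the original message or of VCL's iptables.pm. The helper name `run_iptables`, the `IPT_*` variables and the two `fake_iptables_*` stand-ins are hypothetical, and the stand-ins' output is constructed so the example runs without a real firewall.

```shell
#!/bin/sh
# Added example (not VCL code): retry with -w only when iptables itself
# suggests it, so builds that predate the option never receive it.
IPTABLES_BIN="${IPTABLES_BIN:-/sbin/iptables}"  # path as seen in the logs above

# run_iptables ARGS... (hypothetical helper)
# Sets IPT_OUTPUT to the last attempt's output and IPT_RETRIED to 1 if a
# second attempt with -w was made. Returns the last attempt's exit status.
run_iptables() {
    IPT_RETRIED=0
    ipt_status=0
    IPT_OUTPUT=$("$IPTABLES_BIN" "$@" 2>&1) || ipt_status=$?
    if [ "$ipt_status" -eq 0 ]; then
        return 0
    fi
    case "$IPT_OUTPUT" in
        *"-w option"*)
            # The hint is only printed by builds that implement -w. It is
            # appended last and waits without limit, so a caller may want
            # its own overall timeout around this function.
            IPT_RETRIED=1
            ipt_status=0
            IPT_OUTPUT=$("$IPTABLES_BIN" "$@" -w 2>&1) || ipt_status=$?
            ;;
    esac
    # Any remaining failure is returned so the caller can refuse to treat
    # the host as firewalled when a rule was never installed.
    return "$ipt_status"
}

# Constructed stand-ins for iptables so the example runs offline.
fake_iptables_locked() {       # lock is held unless -w is passed
    case " $* " in *" -w "*) return 0 ;; esac
    echo "Another app is currently holding the xtables lock. Perhaps you want to use the -w option?"
    return 4
}
fake_iptables_other_error() {  # unrelated failure, must not be retried
    echo "iptables: Chain already exists."
    return 1
}
```

Setting `IPTABLES_BIN` to one of the stand-ins exercises both paths; left at its default, the function calls the real binary.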