<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_ASSIGNED "
title="ASSIGNED - iptables-save fails silently in unprivileged lxc/lxd container"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1064#c7">Comment # 7</a>
on <a class="bz_bug_link
bz_status_ASSIGNED "
title="ASSIGNED - iptables-save fails silently in unprivileged lxc/lxd container"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1064">bug 1064</a>
from <span class="vcard"><a class="email" href="mailto:phiphi@phiphi.ch" title="Philipp Gassmann <phiphi@phiphi.ch>"> <span class="fn">Philipp Gassmann</span></a>
</span></b>
<pre>Tested it in Virtualbox on Ubuntu 16.04 with Kernel 4.5.2 from
<a href="http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.5.2-wily">http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.5.2-wily</a>
Unfortunately I get the same results: as the strace below shows, the open of
/proc/net/ip_tables_names fails with EACCES, yet iptables-save still exits with
status 0 and prints nothing.
I had to add configuration because of incomplete AppArmor support in the mainline
kernel.
root@lxd1:~# lxc launch ubuntu:xenial iptables-test
ubuntulxd@lxd1:~$ lxc config set iptables-test raw.lxc 'lxc.aa_allow_incomplete
= 1'
ubuntulxd@lxd1:~$ lxc start iptables-test
ubuntulxd@lxd1:~$ lxc list
+---------------+---------+------+------+------------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+---------------+---------+------+------+------------+-----------+
| iptables-test | RUNNING | | | PERSISTENT | 0 |
+---------------+---------+------+------+------------+-----------+
ubuntulxd@lxd1:~$ lxc exec iptables-test -- bash
root@iptables-test:~# iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
root@iptables-test:~# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@iptables-test:~# iptables-save
root@iptables-test:~# strace iptables-save
execve("/sbin/iptables-save", ["iptables-save"], [/* 12 vars */]) = 0
brk(NULL) = 0x1687000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f7d9358d000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=20483, ...}) = 0
mmap(NULL, 20483, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f7d93587000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libip4tc.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\26\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=27424, ...}) = 0
mmap(NULL, 2122496, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x7f7d93163000
mprotect(0x7f7d93169000, 2093056, PROT_NONE) = 0
mmap(0x7f7d93368000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7f7d93368000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libip6tc.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\27\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=27456, ...}) = 0
mmap(NULL, 2122528, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x7f7d92f5c000
mprotect(0x7f7d92f62000, 2093056, PROT_NONE) = 0
mmap(0x7f7d93161000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7f7d93161000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libxtables.so.11", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200/\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=51872, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f7d93586000
mmap(NULL, 2148792, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x7f7d92d4f000
mprotect(0x7f7d92d5a000, 2097152, PROT_NONE) = 0
mmap(0x7f7d92f5a000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x7f7d92f5a000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\t\2\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1864888, ...}) = 0
mmap(NULL, 3967488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x7f7d92986000
mprotect(0x7f7d92b46000, 2093056, PROT_NONE) = 0
mmap(0x7f7d92d45000, 24576, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1bf000) = 0x7f7d92d45000
mmap(0x7f7d92d4b000, 14848, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f7d92d4b000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\r\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=14608, ...}) = 0
mmap(NULL, 2109680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x7f7d92782000
mprotect(0x7f7d92785000, 2093056, PROT_NONE) = 0
mmap(0x7f7d92984000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f7d92984000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f7d93585000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f7d93584000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f7d93583000
arch_prctl(ARCH_SET_FS, 0x7f7d93584700) = 0
mprotect(0x7f7d92d45000, 16384, PROT_READ) = 0
mprotect(0x7f7d92984000, 4096, PROT_READ) = 0
mprotect(0x7f7d92f5a000, 4096, PROT_READ) = 0
mprotect(0x7f7d93161000, 4096, PROT_READ) = 0
mprotect(0x7f7d93368000, 4096, PROT_READ) = 0
mprotect(0x613000, 4096, PROT_READ) = 0
mprotect(0x7f7d9358f000, 4096, PROT_READ) = 0
munmap(0x7f7d93587000, 20483) = 0
brk(NULL) = 0x1687000
brk(0x16a8000) = 0x16a8000
open("/proc/net/ip_tables_names", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission
denied)
exit_group(0) = ?
+++ exited with 0 +++
root@iptables-test:~# uname -a
Linux iptables-test 4.5.2-040502-generic #201604200335 SMP Wed Apr 20 07:37:26
UTC 2016 x86_64 x86_64 x86_64 GNU/Linux</pre>
</div>
</p>
</body>
</html>