<html>

    <head>

      <base href="https://bugzilla.netfilter.org/" />

    </head>

    <body>

      <p>

        <div>

            <b><a class="bz_bug_link 

          bz_status_ASSIGNED "

   title="ASSIGNED - iptables-save fails silently in unprivileged lxc/lxd container"

   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1064#c7">Comment # 7</a>

              on <a class="bz_bug_link 

          bz_status_ASSIGNED "

   title="ASSIGNED - iptables-save fails silently in unprivileged lxc/lxd container"

   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1064">bug 1064</a>

              from <span class="vcard"><a class="email" href="mailto:phiphi@phiphi.ch" title="Philipp Gassmann <phiphi@phiphi.ch>"> <span class="fn">Philipp Gassmann</span></a>

</span></b>

        <pre>Tested it in Virtualbox on Ubuntu 16.04 with Kernel 4.5.2 from

<a href="http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.5.2-wily">http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.5.2-wily</a>

Unfortunately I get the same results.

Had to add configuration because of incomplete apparmor support in the mainline

kernel.

root@lxd1:~# lxc launch ubuntu:xenial iptables-test

ubuntulxd@lxd1:~$ lxc config set iptables-test raw.lxc 'lxc.aa_allow_incomplete

= 1'

ubuntulxd@lxd1:~$ lxc start iptables-test 

ubuntulxd@lxd1:~$ lxc list

+---------------+---------+------+------+------------+-----------+

|     NAME      |  STATE  | IPV4 | IPV6 |    TYPE    | SNAPSHOTS |

+---------------+---------+------+------+------------+-----------+

| iptables-test | RUNNING |      |      | PERSISTENT | 0         |

+---------------+---------+------+------+------------+-----------+

ubuntulxd@lxd1:~$ lxc exec iptables-test -- bash

root@iptables-test:~# iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

root@iptables-test:~# iptables -nL

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination         

root@iptables-test:~# iptables-save

root@iptables-test:~# strace iptables-save

execve("/sbin/iptables-save", ["iptables-save"], [/* 12 vars */]) = 0

brk(NULL)                               = 0x1687000

access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)

mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =

0x7f7d9358d000

access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)

open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3

fstat(3, {st_mode=S_IFREG|0644, st_size=20483, ...}) = 0

mmap(NULL, 20483, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f7d93587000

close(3)                                = 0

access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)

open("/lib/x86_64-linux-gnu/libip4tc.so.0", O_RDONLY|O_CLOEXEC) = 3

read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\26\0\0\0\0\0\0"...,

832) = 832

fstat(3, {st_mode=S_IFREG|0644, st_size=27424, ...}) = 0

mmap(NULL, 2122496, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =

0x7f7d93163000

mprotect(0x7f7d93169000, 2093056, PROT_NONE) = 0

mmap(0x7f7d93368000, 8192, PROT_READ|PROT_WRITE,

MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7f7d93368000

close(3)                                = 0

access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)

open("/lib/x86_64-linux-gnu/libip6tc.so.0", O_RDONLY|O_CLOEXEC) = 3

read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\27\0\0\0\0\0\0"...,

832) = 832

fstat(3, {st_mode=S_IFREG|0644, st_size=27456, ...}) = 0

mmap(NULL, 2122528, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =

0x7f7d92f5c000

mprotect(0x7f7d92f62000, 2093056, PROT_NONE) = 0

mmap(0x7f7d93161000, 8192, PROT_READ|PROT_WRITE,

MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7f7d93161000

close(3)                                = 0

access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)

open("/lib/x86_64-linux-gnu/libxtables.so.11", O_RDONLY|O_CLOEXEC) = 3

read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200/\0\0\0\0\0\0"...,

832) = 832

fstat(3, {st_mode=S_IFREG|0644, st_size=51872, ...}) = 0

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =

0x7f7d93586000

mmap(NULL, 2148792, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =

0x7f7d92d4f000

mprotect(0x7f7d92d5a000, 2097152, PROT_NONE) = 0

mmap(0x7f7d92f5a000, 8192, PROT_READ|PROT_WRITE,

MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x7f7d92f5a000

close(3)                                = 0

access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)

open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3

read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\t\2\0\0\0\0\0"...,

832) = 832

fstat(3, {st_mode=S_IFREG|0755, st_size=1864888, ...}) = 0

mmap(NULL, 3967488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =

0x7f7d92986000

mprotect(0x7f7d92b46000, 2093056, PROT_NONE) = 0

mmap(0x7f7d92d45000, 24576, PROT_READ|PROT_WRITE,

MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1bf000) = 0x7f7d92d45000

mmap(0x7f7d92d4b000, 14848, PROT_READ|PROT_WRITE,

MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f7d92d4b000

close(3)                                = 0

access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)

open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3

read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\r\0\0\0\0\0\0"...,

832) = 832

fstat(3, {st_mode=S_IFREG|0644, st_size=14608, ...}) = 0

mmap(NULL, 2109680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =

0x7f7d92782000

mprotect(0x7f7d92785000, 2093056, PROT_NONE) = 0

mmap(0x7f7d92984000, 8192, PROT_READ|PROT_WRITE,

MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f7d92984000

close(3)                                = 0

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =

0x7f7d93585000

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =

0x7f7d93584000

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =

0x7f7d93583000

arch_prctl(ARCH_SET_FS, 0x7f7d93584700) = 0

mprotect(0x7f7d92d45000, 16384, PROT_READ) = 0

mprotect(0x7f7d92984000, 4096, PROT_READ) = 0

mprotect(0x7f7d92f5a000, 4096, PROT_READ) = 0

mprotect(0x7f7d93161000, 4096, PROT_READ) = 0

mprotect(0x7f7d93368000, 4096, PROT_READ) = 0

mprotect(0x613000, 4096, PROT_READ)     = 0

mprotect(0x7f7d9358f000, 4096, PROT_READ) = 0

munmap(0x7f7d93587000, 20483)           = 0

brk(NULL)                               = 0x1687000

brk(0x16a8000)                          = 0x16a8000

open("/proc/net/ip_tables_names", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission

denied)

exit_group(0)                           = ?

+++ exited with 0 +++

root@iptables-test:~# uname -a

Linux iptables-test 4.5.2-040502-generic #201604200335 SMP Wed Apr 20 07:37:26

UTC 2016 x86_64 x86_64 x86_64 GNU/Linux</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are watching all bug changes.</li>

      </ul>

    </body>

</html>