Package: conntrack-tools
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu artful ubuntu-patch autopkgtest
Version: 1:1.4.4+snapshot20161117-5
Severity: normal
Tags: patch

Dear maintainers,

The conntrack-tools 1.4.4+snapshot20161117 update was blocked from reaching
Ubuntu's 17.04 release, because it regresses its autopkgtests in Ubuntu
compared to 1.4.3-3.

I have so far identified two problems with the tests when running on Ubuntu:

 - the tests modprobe a bunch of nf_conntrack_* modules; if some of these
   modules don't load because they are built into the kernel (as is the case
   for some of them on Ubuntu), these tests fail.
 - several tests are marked 'isolation-container', but provide a
   configuration to conntrackd that requires host-level privileges, so
   conntrackd fails at startup when run in a container.

I have uploaded the attached patch to Ubuntu to address both of these
problems. Please consider applying in Debian as well.

I am still seeing one test failure on the Ubuntu autopkgtest infrastructure
that I haven't yet reproduced locally. I'll send another patch if and when I
manage to address this.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
diff -Nru conntrack-tools-1.4.4+snapshot20161117/debian/patches/series conntrack-tools-1.4.4+snapshot20161117/debian/patches/series --- conntrack-tools-1.4.4+snapshot20161117/debian/patches/series 2016-12-05 03:52:20.000000000 -0800 +++ conntrack-tools-1.4.4+snapshot20161117/debian/patches/series 2017-08-11 14:50:43.000000000 -0700 @@ -1 +1,2 @@ missing-include.patch +skip-already-loaded-modules.patch diff -Nru conntrack-tools-1.4.4+snapshot20161117/debian/patches/skip-already-loaded-modules.patch conntrack-tools-1.4.4+snapshot20161117/debian/patches/skip-already-loaded-modules.patch --- conntrack-tools-1.4.4+snapshot20161117/debian/patches/skip-already-loaded-modules.patch 1969-12-31 16:00:00.000000000 -0800 +++ conntrack-tools-1.4.4+snapshot20161117/debian/patches/skip-already-loaded-modules.patch 2017-08-11 20:53:24.000000000 -0700 
@@ -0,0 +1,56 @@ +Description: Don't fail on modprobe since the driver might be built-in + Any of these nf drivers could be built-ins instead of modules; don't cause + the testsuite to fail on modprobe, instead let it proceed and succeed/fail + later based on actual test results. + . + Ideally we would check up front if the driver is loaded rather than trying + to modprobe and ignoring failures, but there doesn't seem to be a reliable + place to check this in the kernel filesystem +Author: Steve Langasek <steve.langa...@ubuntu.com> + +Index: conntrack-tools-1.4.4+snapshot20161117/tests/conntrack/run-test.sh +=================================================================== +--- conntrack-tools-1.4.4+snapshot20161117.orig/tests/conntrack/run-test.sh ++++ conntrack-tools-1.4.4+snapshot20161117/tests/conntrack/run-test.sh +@@ -10,10 +10,12 @@ + # + # XXX: module auto-load not support by nfnetlink_cttimeout yet :-( + # +-modprobe nf_conntrack_ipv4 +-modprobe nf_conntrack_ipv6 +-modprobe nf_conntrack_proto_udplite +-modprobe nf_conntrack_proto_sctp +-modprobe nf_conntrack_proto_dccp +-modprobe nf_conntrack_proto_gre ++# any or all of these might be built-ins rather than modules, so don't error ++# out on failure from modprobe ++modprobe nf_conntrack_ipv4 || true ++modprobe nf_conntrack_ipv6 || true ++modprobe nf_conntrack_proto_udplite || true ++modprobe nf_conntrack_proto_sctp || true ++modprobe nf_conntrack_proto_dccp || true ++modprobe nf_conntrack_proto_gre || true + ./test testcases +Index: conntrack-tools-1.4.4+snapshot20161117/tests/nfct/run-test.sh +=================================================================== +--- conntrack-tools-1.4.4+snapshot20161117.orig/tests/nfct/run-test.sh ++++ conntrack-tools-1.4.4+snapshot20161117/tests/nfct/run-test.sh +@@ -11,10 +11,12 @@ + # + # XXX: module auto-load not support by nfnetlink_cttimeout yet :-( + # +-modprobe nf_conntrack_ipv4 +-modprobe nf_conntrack_ipv6 +-modprobe nf_conntrack_proto_udplite +-modprobe 
nf_conntrack_proto_sctp +-modprobe nf_conntrack_proto_dccp +-modprobe nf_conntrack_proto_gre ++# any or all of these might be built-ins rather than modules, so don't error ++# out on failure from modprobe ++modprobe nf_conntrack_ipv4 || true ++modprobe nf_conntrack_ipv6 || true ++modprobe nf_conntrack_proto_udplite || true ++modprobe nf_conntrack_proto_sctp || true ++modprobe nf_conntrack_proto_dccp || true ++modprobe nf_conntrack_proto_gre || true + ./test timeout diff -Nru conntrack-tools-1.4.4+snapshot20161117/debian/tests/basic-daemon-test.sh conntrack-tools-1.4.4+snapshot20161117/debian/tests/basic-daemon-test.sh --- conntrack-tools-1.4.4+snapshot20161117/debian/tests/basic-daemon-test.sh 2016-11-17 00:25:52.000000000 -0800 +++ conntrack-tools-1.4.4+snapshot20161117/debian/tests/basic-daemon-test.sh 2017-08-11 16:46:53.000000000 -0700 @@ -42,6 +42,23 @@ rm -f $LOCKFILE fi +if [ $(systemd-detect-virt) == lxc ]; then + scheduling="" + bufsize="" +else + scheduling=<<EOF + Nice -20 + Scheduler { + Type FIFO + Priority 99 + } +EOF + bufsize=<<EOF + SndSocketBuffer 12492800 + RcvSocketBuffer 12492800 +EOF +fi + echo " Sync { Mode NOTRACK { @@ -55,19 +72,14 @@ Port 3780 Interface lo Checksum on - SndSocketBuffer 12492800 - RcvSocketBuffer 12492800 +$bufsize } Options { ExpectationSync On } } General { - Nice -20 - Scheduler { - Type FIFO - Priority 99 - } +$scheduling Syslog on LockFile $LOCKFILE diff -Nru conntrack-tools-1.4.4+snapshot20161117/debian/tests/control conntrack-tools-1.4.4+snapshot20161117/debian/tests/control --- conntrack-tools-1.4.4+snapshot20161117/debian/tests/control 2016-12-07 01:35:34.000000000 -0800 +++ conntrack-tools-1.4.4+snapshot20161117/debian/tests/control 2017-08-11 20:55:01.000000000 -0700 
@@ -24,8 +24,8 @@ Tests: conntrack-internal-testsuite.sh Depends: @, @builddeps@, kmod -Restrictions: needs-root, isolation-machine, build-needed +Restrictions: needs-root, isolation-machine, build-needed, allow-stderr Tests: nfct-internal-testsuite.sh Depends: @, @builddeps@, kmod -Restrictions: needs-root, isolation-machine, build-needed +Restrictions: needs-root, isolation-machine, build-needed, allow-stderr diff -Nru conntrack-tools-1.4.4+snapshot20161117/debian/tests/systemd-service-test.sh conntrack-tools-1.4.4+snapshot20161117/debian/tests/systemd-service-test.sh --- conntrack-tools-1.4.4+snapshot20161117/debian/tests/systemd-service-test.sh 2016-11-17 00:25:52.000000000 -0800 +++ conntrack-tools-1.4.4+snapshot20161117/debian/tests/systemd-service-test.sh 2017-08-11 16:47:25.000000000 -0700 @@ -26,6 +26,35 @@ return 0 } +get_ethernet_device() +{ + for dev in /sys/class/net/*; do + if [ $(cat "$dev/type") = 1 ]; then + echo $(basename "$dev") + break + fi + done +} + +ETHER=$(get_ethernet_device) + +if [ $(systemd-detect-virt) == lxc ]; then + scheduling="" + bufsize="" +else + scheduling=<<EOF + Nice -20 + Scheduler { + Type FIFO + Priority 99 + } +EOF + bufsize=<<EOF + SndSocketBuffer 12492800 + RcvSocketBuffer 12492800 +EOF +fi + echo " Sync { Mode NOTRACK { @@ -37,21 +66,16 @@ IPv4_address 127.0.0.1 IPv4_Destination_Address 127.0.0.1 Port 3780 - Interface eth0 + Interface $ETHER Checksum on - SndSocketBuffer 12492800 - RcvSocketBuffer 12492800 +$bufsize } Options { ExpectationSync On } } General { - Nice -20 - Scheduler { - Type FIFO - Priority 99 - } +$scheduling Syslog on LockFile /var/lock/conntrackd.lock
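Review bot: In the tests/conntrack/run-test.sh and tests/nfct/run-test.sh hunks of skip-already-loaded-modules.patch, `|| true` on every modprobe line also swallows the case where a module is neither built in nor installed, so a later failure in `./test testcases` or `./test timeout` carries no hint that a protocol helper was never available. Keep the non-fatal behaviour but record which module failed, for example with a small wrapper function that runs modprobe and prints the module name when it returns non-zero, so the test log shows what was skipped.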
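Review bot: In the debian/tests/basic-daemon-test.sh hunk at @@ -42,6 +42,23 @@, `scheduling=<<EOF` and `bufsize=<<EOF` do not store the here-document in the variable. The here-document is a redirection attached to an assignment-only command, so both variables end up empty in the else branch as well, and the `$bufsize` and `$scheduling` lines in the following hunk expand to nothing on every platform. That makes the test pass by silently dropping Nice, Scheduler, SndSocketBuffer and RcvSocketBuffer everywhere, not only under lxc. Capture the text with command substitution instead, i.e. `scheduling=$(cat <<EOF` with the closing `)` on the line after `EOF`; the same construct is repeated in debian/tests/systemd-service-test.sh. A smaller point on the condition: `[ $(systemd-detect-virt) == lxc ]` relies on `==`, which a POSIX /bin/sh such as dash does not accept inside `[`, and the unquoted substitution breaks the test if the command prints nothing; `[ "$(systemd-detect-virt)" = lxc ]` avoids both.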
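Review bot: In the debian/tests/control hunk, `allow-stderr` is added to conntrack-internal-testsuite.sh and nfct-internal-testsuite.sh without any stated reason, and the cover mail only discusses modprobe failures and tests marked 'isolation-container', while both of these stanzas are isolation-machine. If the restriction is there to tolerate modprobe's error output after the `|| true` change, say so in the changelog or a comment, and consider redirecting only modprobe's stderr in the run-test.sh scripts instead, since `allow-stderr` stops any unexpected stderr output from these two test suites from failing the test.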
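Review bot: In the debian/tests/systemd-service-test.sh hunk at @@ -26,6 +26,35 @@, `ETHER=$(get_ethernet_device)` is used without checking that a device was found. When no entry under /sys/class/net has type 1, the function prints nothing and the later hunk writes `Interface ` with no name into the conntrackd configuration, which fails at daemon startup with an error unrelated to the real cause. Add a check such as `[ -n "$ETHER" ]` right after the assignment and exit with a clear message when it is empty. In the function itself, `[ $(cat "$dev/type") = 1 ]` should quote the substitution, and `echo $(basename "$dev")` can be plain `basename "$dev"`. Separately, `scheduling=<<EOF` and `bufsize=<<EOF` in this hunk assign an empty string, because the here-document is a redirection and not the assigned value, so the non-lxc branch never emits the scheduler or buffer settings.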