Merge ~hyask/autopkgtest-cloud:skia/iptables_for_rust-reqwest into autopkgtest-cloud:master

Proposed by Skia
Status: Merged
Merged at revision: 74feb79f48de31f60e2c8428562e64121fe1ebc0
Proposed branch: ~hyask/autopkgtest-cloud:skia/iptables_for_rust-reqwest
Merge into: autopkgtest-cloud:master
Diff against target: 23 lines (+7/-1)
1 file modified
charms/focal/autopkgtest-cloud-worker/autopkgtest-cloud/worker-config-production/setup-canonical.sh (+7/-1)
Reviewer: Paride Legovini
Review status: Approve
Review via email: mp+473064@code.launchpad.net

Description of the change

Add a special iptables rule to make 'rust-reqwest' pass.

These IP addresses are supposed to be unreachable in most networks. For
some reason they are routed differently on Canonical's infrastructure
and sent to the proxy, which makes some tests fail because they
expect a timeout instead when trying to reach the IPs.

Blocking these addresses might have unintended side effects since
a quick search in Debian Code Search shows that many packages use
10.255.255.1 in their test suite. However, it seems to me that most
packages indeed expect it to be unreachable, so I guess making that a
reality should in fact help more than one package, but it's difficult to
be certain that it won't break one particular package somewhere.

Paride Legovini (paride) :
review: Approve

Preview Diff

1diff --git a/charms/focal/autopkgtest-cloud-worker/autopkgtest-cloud/worker-config-production/setup-canonical.sh b/charms/focal/autopkgtest-cloud-worker/autopkgtest-cloud/worker-config-production/setup-canonical.sh
2index e9b3edb..058fdf6 100644
3--- a/charms/focal/autopkgtest-cloud-worker/autopkgtest-cloud/worker-config-production/setup-canonical.sh
4+++ b/charms/focal/autopkgtest-cloud-worker/autopkgtest-cloud/worker-config-production/setup-canonical.sh
5@@ -62,11 +62,17 @@ for p in unattended-upgrades lxd lxd-client snapd; do
6 [ ! -d /usr/share/doc/$p ] || $(which eatmydata || true) apt-get purge --auto-remove -y $p
7 done
8
9-# work around broken PTMU; LP: #1572026, RT#90771
10 if type iptables >/dev/null 2>&1; then
11 cat <<EOF > /etc/rc.local
12 #!/bin/sh
13+
14+# work around broken PTMU; LP: #1572026, RT#90771
15 iptables -w -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu || true
16+
17+# These addresses are used at least by rust-reqwest and should not be reachable
18+# See https://bugs.launchpad.net/ubuntu/+source/rust-reqwest/+bug/2080346
19+iptables -A OUTPUT -d 10.255.255.1/32 -p tcp -j DROP
20+iptables -A OUTPUT -d 10.255.255.2/32 -p tcp -j DROP
21 EOF
22 chmod 755 /etc/rc.local
23 # shellcheck disable=SC1091
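Review bot: the two new DROP rules (diff lines 19-20) are written without the `-w` lock wait and the `|| true` guard that the TCPMSS rule just above them carries, so a held xtables lock or a failing iptables call at boot is handled differently for them, and because they are the last commands in the generated /etc/rc.local a failure on the second one becomes the script's exit status. Suggest `iptables -w -A OUTPUT -d 10.255.255.1/32 -p tcp -j DROP || true` and the same for 10.255.255.2/32. The rules also match only `-p tcp` on the OUTPUT chain, so other protocols to these addresses are still routed as before; if that is intended, the comment should say so. The moved comment still reads "PTMU"; worth correcting to "PMTU" while the line is being touched.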
