Merge ~hyask/autopkgtest-cloud:skia/iptables_for_rust-reqwest into autopkgtest-cloud:master

Proposed by Skia
Status: Merged
Merged at revision: 74feb79f48de31f60e2c8428562e64121fe1ebc0
Proposed branch: ~hyask/autopkgtest-cloud:skia/iptables_for_rust-reqwest
Merge into: autopkgtest-cloud:master
Diff against target: 23 lines (+7/-1)
1 file modified
charms/focal/autopkgtest-cloud-worker/autopkgtest-cloud/worker-config-production/setup-canonical.sh (+7/-1)
Reviewer: Paride Legovini, Status: Approve
Review via email: mp+473064@code.launchpad.net

Description of the change

Add a special iptables rule to make 'rust-reqwest' pass.

These IP addresses are supposed to be unreachable in most networks. For
some reason they are routed differently on Canonical's infrastructure
and sent to the proxy, which makes some tests fail because they
expect a timeout instead when trying to reach the IPs.

Blocking these addresses might have unintended side effects since
a quick search in Debian Code Search shows that many packages use
10.255.255.1 in their test suite. However, it seems to me that most
packages indeed expect it to be unreachable, so I guess making that a
reality should in fact help more than one package, but it's difficult to
be certain that it won't break one particular package somewhere.

Paride Legovini (paride) :
review: Approve

Preview Diff

diff --git a/charms/focal/autopkgtest-cloud-worker/autopkgtest-cloud/worker-config-production/setup-canonical.sh b/charms/focal/autopkgtest-cloud-worker/autopkgtest-cloud/worker-config-production/setup-canonical.sh
index e9b3edb..058fdf6 100644
--- a/charms/focal/autopkgtest-cloud-worker/autopkgtest-cloud/worker-config-production/setup-canonical.sh
+++ b/charms/focal/autopkgtest-cloud-worker/autopkgtest-cloud/worker-config-production/setup-canonical.sh
@@ -62,11 +62,17 @@ for p in unattended-upgrades lxd lxd-client snapd; do
62 [ ! -d /usr/share/doc/$p ] || $(which eatmydata || true) apt-get purge --auto-remove -y $p62 [ ! -d /usr/share/doc/$p ] || $(which eatmydata || true) apt-get purge --auto-remove -y $p
63done63done
6464
65# work around broken PTMU; LP: #1572026, RT#90771
66if type iptables >/dev/null 2>&1; then65if type iptables >/dev/null 2>&1; then
67 cat <<EOF > /etc/rc.local66 cat <<EOF > /etc/rc.local
68#!/bin/sh67#!/bin/sh
68
69# work around broken PTMU; LP: #1572026, RT#90771
69iptables -w -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu || true70iptables -w -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu || true
71
72# These addresses are used at least by rust-reqwest and should not be reachable
73# See https://bugs.launchpad.net/ubuntu/+source/rust-reqwest/+bug/2080346
74iptables -A OUTPUT -d 10.255.255.1/32 -p tcp -j DROP
75iptables -A OUTPUT -d 10.255.255.2/32 -p tcp -j DROP
70EOF76EOF
71 chmod 755 /etc/rc.local77 chmod 755 /etc/rc.local
72 # shellcheck disable=SC109178 # shellcheck disable=SC1091
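
Review bot: The two new `iptables -A OUTPUT -d 10.255.255.x/32 -p tcp -j DROP` lines in the generated /etc/rc.local omit the `-w` and `|| true` that the TCPMSS rule directly above them carries. Without `-w`, iptables does not wait for the xtables lock, so if another process holds it at boot the command fails and the DROP rule is silently not installed, leaving the addresses routed to the proxy and the rust-reqwest timeout tests failing intermittently. Suggest `iptables -w -A OUTPUT -d 10.255.255.1/32 -p tcp -j DROP || true` (and the same for 10.255.255.2) to match the existing line. Minor: the moved comment still reads "PTMU" where the rule itself says `--clamp-mss-to-pmtu`; since the line is being touched anyway, it could be corrected to "PMTU".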
