Bug 1720650

Summary: testsuite should also use xtables-multi locking
Product: Red Hat Enterprise Linux 7 Reporter: Tomas Dolezal <todoleza>
Component: firewalldAssignee: Eric Garver <egarver>
Status: CLOSED ERRATA QA Contact: Tomas Dolezal <todoleza>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.7CC: egarver, jmaxwell, rkhan, sbrivio, todoleza
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-31 20:00:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1723958    

Description Tomas Dolezal 2019-06-14 12:57:56 UTC
Description of problem:
Occasionally, there is a race when executing testsuite in parallel '-j4' causing tests failure.

Version-Release number of selected component (if applicable):
firewalld-0.6.3-2.el7.noarch

How reproducible:
race condition, s390x, but also any other

Steps to Reproduce:
TESTSUITEFLAGS='-j4 62' make installcheck

Actual results:
62. icmp_block_in_forward_chain.at:1: testing ICMP block present FORWARD chain ...
./icmp_block_in_forward_chain.at:1: if ! cp /etc/firewalld/firewalld.conf ./firewalld.conf; then exit 77; fi
./icmp_block_in_forward_chain.at:1: sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf
./icmp_block_in_forward_chain.at:1: ip netns add fwd-test-993
not running
2019-06-14 02:56:29 ICMP type 'beyond-scope' is not supported by the kernel for ipv6.
2019-06-14 02:56:29 beyond-scope: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
2019-06-14 02:56:29 ICMP type 'failed-policy' is not supported by the kernel for ipv6.
2019-06-14 02:56:29 failed-policy: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
2019-06-14 02:56:29 ICMP type 'reject-route' is not supported by the kernel for ipv6.
2019-06-14 02:56:29 reject-route: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
running
./icmp_block_in_forward_chain.at:3:     env DBUS_SYSTEM_BUS_ADDRESS="unix:abstract=firewalld-testsuite-dbus-system-socket-15613" ip netns exec fwd-test-993 firewall-cmd -q --zone=public --add-icmp-block=host-prohibited 
./icmp_block_in_forward_chain.at:4:     env DBUS_SYSTEM_BUS_ADDRESS="unix:abstract=firewalld-testsuite-dbus-system-socket-15613" ip netns exec fwd-test-993 iptables -L IN_public_deny | grep "host-prohibited" 
--- /dev/null	2019-06-14 02:32:15.571227632 -0400
+++ /tmp/tmp.wNg2ZPBFMa/rpmbuild/BUILD/firewalld-0.6.3/src/tests/testsuite.dir/at-groups/62/stderr	2019-06-14 02:56:32.205214286 -0400
@@ -0,0 +1 @@
+Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
stdout:
./icmp_block_in_forward_chain.at:4: exit code was 1, expected 0
62. icmp_block_in_forward_chain.at:1: 62. ICMP block present FORWARD chain (icmp_block_in_forward_chain.at:1): FAILED (icmp_block_in_forward_chain.at:4)

Expected results:
all calls to xtables-multi (iptables-restore, etc..) should use locking feature. Firewalld does that, the testsuite does not in this and possibly other cases.

Additional info:
testscript regression/icmp_block_in_forward_chain.at:
      4 m4_if(iptables, FIREWALL_BACKEND, [
      5     NS_CHECK([iptables -L IN_public_deny | grep "host-prohibited"], 0, ignore)
      6     NS_CHECK([iptables -L FWDI_public_deny | grep "host-prohibited"], 0, ignore)

Comment 2 Eric Garver 2019-06-14 15:57:23 UTC
Fixed upstream:

  e527818500be ("fix: tests: always list rules using macros")

Comment 9 errata-xmlrpc 2020-03-31 20:00:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1109