Imported 2.608

No reason for CPC update specified.

debian/changelog

@@ -1,3 +1,15 @@
+livecd-rootfs (2.608) eoan; urgency=medium
+
+  [ Iain Lane ]
+  * snap_preseed: Handle SNAP_NO_VALIDATE_SEED being unset.
+
+  [ Colin Watson ]
+  * Use iptables-legacy rather than iptables when running on older
+    (pre-4.15) kernel versions.  The newer nf_tables-based tools misbehave
+    at least on 4.4.
+
+ -- Colin Watson <cjwatson@ubuntu.com>  Tue, 03 Sep 2019 15:35:17 +0100
+
 livecd-rootfs (2.607) eoan; urgency=medium
 
   * snap seeding: Defer validation for regular image builds. When getting the

live-build/auto/build

@@ -17,6 +17,32 @@ fi
 
 . config/functions
 
+# New nf_tables-based versions of iptables don't work well on old kernels.
+# We aren't sure exactly how old is a problem: 4.15 works, but with 4.4 new
+# rules are added to all chains in the requested table rather than just one,
+# and the new rules seem to have no useful effect.  In such cases,
+# iptables-legacy works better.
+#
+# We can simplify this once livecd-rootfs no longer needs to support running
+# on Ubuntu 16.04 (that is, once Launchpad's build VMs are upgraded to
+# Ubuntu 18.04).
+run_iptables () {
+    local kver kver_major kver_minor
+
+    kver="$(uname -r)"
+    kver="${kver%%-*}"
+    kver_major="${kver%%.*}"
+    kver="${kver#*.}"
+    kver_minor="${kver%%.*}"
+
+    if [ "$kver_major" -lt 4 ] || \
+       ([ "$kver_major" = 4 ] && [ "$kver_minor" -lt 15 ]); then
+        iptables-legacy "$@"
+    else
+        iptables "$@"
+    fi
+}
+
 if [ -n "$REPO_SNAPSHOT_STAMP" ]; then
     if [ "`whoami`" != "root" ]; then
         echo "Magic repo snapshots only work when running as root." >&2
@@ -26,8 +52,8 @@ if [ -n "$REPO_SNAPSHOT_STAMP" ]; then
     apt-get -qyy install iptables
 
     # Redirect all outgoing traffic to port 80 to proxy instead.
-    iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon \
-        -j REDIRECT --to 8080
+    run_iptables -t nat -A OUTPUT -p tcp --dport 80 \
+        -m owner ! --uid-owner daemon -j REDIRECT --to 8080
 
     # Run proxy as "daemon" to avoid infinite loop.
     /usr/share/livecd-rootfs/magic-proxy \
@@ -871,8 +897,8 @@ if [ -f "config/magic-proxy.pid" ]; then
     rm -f config/magic-proxy.pid
 
     # Remove previously-inserted iptables rule.
-    iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon \
-        -j REDIRECT --to 8080
+    run_iptables -t nat -D OUTPUT -p tcp --dport 80 \
+        -m owner ! --uid-owner daemon -j REDIRECT --to 8080
 fi
 
 case $PROJECT in

live-build/functions

@@ -656,7 +656,7 @@ snap_preseed() {
     # i.e. snaps with bases need to add bases first etc
     #
     # Skip validation by setting SNAP_NO_VALIDATE_SEED=1.
-    if [ -z "${SNAP_NO_VALIDATE_SEED}" ]; then
+    if [ -z "${SNAP_NO_VALIDATE_SEED:-}" ]; then
         snap_validate_seed "${CHROOT_ROOT}"
     fi
 }