From 9fbef5dcd7898f133946831f340a6bf2b90b1356 Mon Sep 17 00:00:00 2001 From: CloudBuilder Date: Tue, 3 Sep 2019 19:00:07 +0000 Subject: [PATCH] Imported 2.608 No reason for CPC update specified. --- debian/changelog | 12 ++++++++++++ live-build/auto/build | 34 ++++++++++++++++++++++++++++++---- live-build/functions | 2 +- 3 files changed, 43 insertions(+), 5 deletions(-) diff --git a/debian/changelog b/debian/changelog index 5229ac44..cccd610b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +livecd-rootfs (2.608) eoan; urgency=medium + + [ Iain Lane ] + * snap_preseed: Handle SNAP_NO_VALIDATE_SEED being unset. + + [ Colin Watson ] + * Use iptables-legacy rather than iptables when running on older + (pre-4.15) kernel versions. The newer nf_tables-based tools misbehave + at least on 4.4. + + -- Colin Watson Tue, 03 Sep 2019 15:35:17 +0100 + livecd-rootfs (2.607) eoan; urgency=medium * snap seeding: Defer validation for regular image builds. When getting the diff --git a/live-build/auto/build b/live-build/auto/build index a625c336..5606dfcc 100755 --- a/live-build/auto/build +++ b/live-build/auto/build @@ -17,6 +17,32 @@ fi . config/functions +# New nf_tables-based versions of iptables don't work well on old kernels. +# We aren't sure exactly how old is a problem: 4.15 works, but with 4.4 new +# rules are added to all chains in the requested table rather than just one, +# and the new rules seem to have no useful effect. In such cases, +# iptables-legacy works better. +# +# We can simplify this once livecd-rootfs no longer needs to support running +# on Ubuntu 16.04 (that is, once Launchpad's build VMs are upgraded to +# Ubuntu 18.04). +run_iptables () { + local kver kver_major kver_minor + + kver="$(uname -r)" + kver="${kver%%-*}" + kver_major="${kver%%.*}" + kver="${kver#*.}" + kver_minor="${kver%%.*}" + + if [ "$kver_major" -lt 4 ] || \ + ([ "$kver_major" = 4 ] && [ "$kver_minor" -lt 15 ]); then + iptables-legacy "$@" + else + iptables "$@" + fi +} + if [ -n "$REPO_SNAPSHOT_STAMP" ]; then if [ "`whoami`" != "root" ]; then echo "Magic repo snapshots only work when running as root." >&2 @@ -26,8 +52,8 @@ if [ -n "$REPO_SNAPSHOT_STAMP" ]; then apt-get -qyy install iptables # Redirect all outgoing traffic to port 80 to proxy instead. - iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon \ - -j REDIRECT --to 8080 + run_iptables -t nat -A OUTPUT -p tcp --dport 80 \ + -m owner ! --uid-owner daemon -j REDIRECT --to 8080 # Run proxy as "daemon" to avoid infinite loop. /usr/share/livecd-rootfs/magic-proxy \ @@ -871,8 +897,8 @@ if [ -f "config/magic-proxy.pid" ]; then rm -f config/magic-proxy.pid # Remove previously-inserted iptables rule. - iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon \ - -j REDIRECT --to 8080 + run_iptables -t nat -D OUTPUT -p tcp --dport 80 \ + -m owner ! --uid-owner daemon -j REDIRECT --to 8080 fi case $PROJECT in diff --git a/live-build/functions b/live-build/functions index 9bbab33a..c5a63444 100644 --- a/live-build/functions +++ b/live-build/functions @@ -656,7 +656,7 @@ snap_preseed() { # i.e. snaps with bases need to add bases first etc # # Skip validation by setting SNAP_NO_VALIDATE_SEED=1. - if [ -z "${SNAP_NO_VALIDATE_SEED}" ]; then + if [ -z "${SNAP_NO_VALIDATE_SEED:-}" ]; then snap_validate_seed "${CHROOT_ROOT}" fi }