Upgrade using do-release-upgrade takes a long time to start because 'iptables -L' runs with DNS lookups enabled

Bug #1290825 reported by John Edwards
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
ubuntu-release-upgrader (Ubuntu) | Invalid | Medium | Brian Murray |
update-manager (Ubuntu) | Fix Released | Medium | Brian Murray |

Bug Description

An upgrade from Ubuntu 12.04 to 14.04 using 'sudo do-release-upgrade -d' takes a long time (over 3 minutes) to start after answering "yes" to the question:
If you continue, an additional SSH daemon will be started at port '1022'. Do you want to continue?

Running 'ps afx' at this time shows that 'iptables -L' is being run from '/usr/bin/python /tmp/update-manager-djUfxZ/trusty --mode=server --frontend=DistUpgradeViewText'

I think this is because there is an iptables blacklist created by the shorewall package. So running 'iptables' without the '-n' option to disable DNS lookups means that a DNS query is launched for every IP address in the blacklist, some of which do not resolve and so the upgrade script has to wait for a timeout on each of them.

Example of iptables being run with DNS lookups:
$ sudo time -p iptables -L > /dev/null
real 174.34
user 0.08
sys 0.09

Example of iptables being run without DNS lookups:
$ sudo time -p iptables -nL > /dev/null
real 0.08
user 0.00
sys 0.00

The code that runs the 'iptables -L' command seems to be in the utils.py in the update-manager temp directory in /tmp/ (/tmp/update-manager-djUfxZ/utils.py in this case) and as far as I can tell is only run to see if iptables is active or not.

So would it be possible to change the iptables command to be 'iptables -nL' so that DNS queries are disabled?

I think this bug may also affect other upgrades, for example 10.04 to 12.04.
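
The check described in the report, as an added example that is not part of the original report and is not update-manager's own code: it decides whether a firewall is configured from numeric 'iptables -n -L' output, so no reverse DNS query is made per rule. The function names, the timeout and the sample listings are assumptions made for illustration.

```python
import shutil
import subprocess

# Constructed samples of `iptables -nL` output (not taken from the report).
# 203.0.113.7 is a documentation address standing in for a blacklist entry.
EMPTY = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""
BLACKLISTED = EMPTY.replace(
    "destination\n\nChain FORWARD",
    "destination\nDROP       all  --  203.0.113.7          0.0.0.0/0\n\nChain FORWARD",
    1,
)
DEFAULT_DROP = EMPTY.replace("INPUT (policy ACCEPT)", "INPUT (policy DROP)")

COLUMN_HEADER = ["target", "prot", "opt", "source", "destination"]


def listing_has_rules(listing):
    """True if the listing shows a rule, a user chain or a non-ACCEPT policy."""
    for line in listing.splitlines():
        fields = line.split()
        if not fields or fields == COLUMN_HEADER:
            continue
        if fields[0] == "Chain":
            # Built-in chains end "(policy X)"; user chains "(N references)".
            if fields[2:] != ["(policy", "ACCEPT)"]:
                return True
            continue
        return True  # any other non-blank line is a rule
    return False


def iptables_active(timeout=10):
    """Hypothetical helper: needs root; False when iptables is not installed."""
    path = shutil.which("iptables")
    if path is None:
        return False
    # -n prints numeric addresses, so no reverse DNS query is made per rule.
    # The timeout bounds the call even if the listing is unexpectedly slow.
    result = subprocess.run([path, "-n", "-L"], capture_output=True,
                            text=True, timeout=timeout, check=True)
    return listing_has_rules(result.stdout)
```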

tags: added: dist-upgrade
summary: - Upgrade using takes a long time to start because 'iptables -L' runs with
- DNS lookups enabled
+ Upgrade using do-release-upgrade takes a long time to start because
+ 'iptables -L' runs with DNS lookups enabled
Anders (eddiedog988)
Changed in update-manager (Ubuntu):
status: New → Confirmed
John Edwards (john-cornerstonelinux) wrote :

Suggested patch for a one line change to utils.py in the trusty update-manager code that is unpacked into /tmp/.

John Edwards (john-cornerstonelinux) wrote :

Adding the "ubuntu-release-upgrader" package because I think this is where the code which runs the update is created from.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Patch to add '-n' option to 'iptables -L'" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Brian Murray (brian-murray) wrote :

Thanks for noticing and working on this. You are correct that the release upgrade runs using code created by ubuntu-release-upgrader. I'll get your change uploaded shortly.

Changed in ubuntu-release-upgrader (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Brian Murray (brian-murray)
Changed in update-manager (Ubuntu):
status: Confirmed → Invalid
Brian Murray (brian-murray) wrote :

Actually, utils.py is part of update-manager and included in the release upgrader tarball created by ubuntu-release-upgrader.

Changed in update-manager (Ubuntu):
assignee: nobody → Brian Murray (brian-murray)
importance: Undecided → Medium
status: Invalid → Triaged
Changed in update-manager (Ubuntu):
status: Triaged → In Progress
Changed in ubuntu-release-upgrader (Ubuntu):
status: Triaged → Invalid
John Edwards (john-cornerstonelinux) wrote :

I can confirm that the recent patch to utils.py fixes the problem on Ubuntu 12.04 to 14.04 upgrades.

The utils.py code has been around for a while, so I think this problem may also affect other upgrades (eg 10.04 to 12.04).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package update-manager - 1:0.196.9

---------------
update-manager (1:0.196.9) trusty; urgency=medium

  [ Sebastien Bacher ]
  * UpdateManager/UpdatesAvailable.py:
    - use the correct icon theme (lp: #1283554)

  [ Marc Deslauriers ]
  * UpdateManager/Dialogs.py: close window after requesting reboot.
    (LP: #1297361)

  [ Michael Vogt ]
  * tests/aptroot-update-list-test:
    - fix test failure caused by not-installable depends (lp: #1295392)
 -- Michael Vogt <email address hidden> Wed, 26 Mar 2014 12:52:13 +0100

Changed in update-manager (Ubuntu):
status: In Progress → Fix Released