概述
在项目中执行初始化脚本时遇到重启iptables
服务时卡住,且长时间无响应。以下为状态信息:
[root@localhost ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: activating (start) since 五 2022-03-25 17:24:19 CST; 1min 11s ago
Main PID: 142965 (iptables.init)
Tasks: 2
CGroup: /system.slice/iptables.service
├─142965 /bin/bash /usr/libexec/iptables/iptables.init start
└─142972 iptables-restore --wait 600 /etc/sysconfig/iptables
3月 25 17:24:19 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
3月 25 17:24:28 localhost.localdomain iptables.init[142965]: iptables: Applying firewall rules: Another app is currently holding the xtables lock; still 591s 0us time ahead to have a chance to grab the lock...
3月 25 17:24:38 localhost.localdomain iptables.init[142965]: Another app is currently holding the xtables lock; still 581s 0us time ahead to have a chance to grab the lock...
3月 25 17:24:48 localhost.localdomain iptables.init[142965]: Another app is currently holding the xtables lock; still 571s 0us time ahead to have a chance to grab the lock...
3月 25 17:24:58 localhost.localdomain iptables.init[142965]: Another app is currently holding the xtables lock; still 561s 0us time ahead to have a chance to grab the lock...
3月 25 17:25:08 localhost.localdomain iptables.init[142965]: Another app is currently holding the xtables lock; still 551s 0us time ahead to have a chance to grab the lock...
3月 25 17:25:18 localhost.localdomain iptables.init[142965]: Another app is currently holding the xtables lock; still 541s 0us time ahead to have a chance to grab the lock...
3月 25 17:25:28 localhost.localdomain iptables.init[142965]: Another app is currently holding the xtables lock; still 531s 0us time ahead to have a chance to grab the lock...
[root@localhost ~]# systemctl status ip6tables
● ip6tables.service - IPv6 firewall with ip6tables
Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled; vendor preset: disabled)
Active: activating (start) since 五 2022-03-25 14:50:24 CST; 2h 38min ago
Main PID: 139499 (ip6tables.init)
Tasks: 2
CGroup: /system.slice/ip6tables.service
├─139499 /bin/bash /usr/libexec/iptables/ip6tables.init start
└─139510 ip6tables-restore --wait 600 /etc/sysconfig/ip6tables
3月 25 14:50:24 localhost.localdomain systemd[1]: Starting IPv6 firewall with ip6tables...
3月 25 14:50:25 localhost.localdomain ip6tables.init[139499]: ip6tables: Applying firewall rules: Warning: never matched protocol: 51. use extension match instead.
问题引起疑似因firewalld
服务移除nf_conntrack
模块夯住导致。
模块/proc/net/nf_conntrack
不存在,重启系统后恢复。
解决办法
[root@localhost ~]# lsof -n 2>/dev/null | grep /run/xtables.lock
ip6tables 139510 root 4rW REG 0,20 0 99282 /run/xtables.lock
iptables- 142972 root 4r REG 0,20 0 99282 /run/xtables.lock
[root@localhost ~]# ps aux|grep iptables
root 139499 0.0 0.0 115592 1996 ? Ss 14:50 0:00 /bin/bash /usr/libexec/iptables/ip6tables.init start
root 142965 0.0 0.0 115592 1944 ? Ss 17:24 0:00 /bin/bash /usr/libexec/iptables/iptables.init start
root 142972 0.0 0.0 16264 768 ? S 17:24 0:00 iptables-restore --wait 600 /etc/sysconfig/iptables
root 143074 0.0 0.0 112728 976 pts/3 S+ 17:27 0:00 grep --color=auto iptables
[root@localhost ~]# lsof -n 2>/dev/null | grep /run/xtables.lock
ip6tables 139510 root 4rW REG 0,20 0 99282 /run/xtables.lock
iptables- 142972 root 4r REG 0,20 0 99282 /run/xtables.lock
[root@localhost ~]# kill 142972
[root@localhost ~]# kill 139510
验证
[root@localhost ~]# lsof -n 2>/dev/null | grep /run/xtables.lock
[root@localhost ~]# systemctl start ip6tables
[root@localhost ~]# systemctl status ip6tables
● ip6tables.service - IPv6 firewall with ip6tables
Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled; vendor preset: disabled)
Active: active (exited) since 五 2022-03-25 17:29:23 CST; 3s ago
Process: 143114 ExecStart=/usr/libexec/iptables/ip6tables.init start (code=exited, status=0/SUCCESS)
Main PID: 143114 (code=exited, status=0/SUCCESS)
3月 25 17:29:23 localhost.localdomain systemd[1]: Starting IPv6 firewall with ip6tables...
3月 25 17:29:23 localhost.localdomain ip6tables.init[143114]: ip6tables: Applying firewall rules: Warning: never matched protocol: 51. use extension match instead.
3月 25 17:29:23 localhost.localdomain ip6tables.init[143114]: [ 确定 ]
3月 25 17:29:23 localhost.localdomain systemd[1]: Started IPv6 firewall with ip6tables.
[root@localhost ~]# systemctl start iptables
[root@localhost ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: active (exited) since 五 2022-03-25 17:29:35 CST; 13s ago
Process: 143244 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 143244 (code=exited, status=0/SUCCESS)
3月 25 17:29:35 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
3月 25 17:29:35 localhost.localdomain iptables.init[143244]: iptables: Applying firewall rules: [ 确定 ]
3月 25 17:29:35 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.
参考内容
参考自:https://cdn.f5.com/product/bugtracker/ID885373.html
There are four possible workarounds:
=======
-- [root:Active:Disconnected] config # lsof -n 2>/dev/null | grep /run/xtables.lock
iptables 14009 root 3rW REG 0,20 0 26415 /run/xtables.lock
root 13945 0.5 0.3 163992 29216 ? S 19:58 0:00 | \_ /usr/bin/mgmt_acld -do -m
root 14009 0.0 0.0 24900 1360 ? S 19:58 0:00 | \_ /sbin/iptables -xvL f5acl
^^^ xtables.lock held by iptables which is being run by mgmt_acld
[root:Active:Disconnected] config # bigstart stop mgmt_acld
[root:Active:Disconnected] config # killall iptables
^^^ stop mgmt_acld, and kill iptables
[root:Active:Disconnected] config # lsof -n 2>/dev/null | grep /run/xtables.lock
[root@blpv0678:Active:Disconnected] config #
^^^ verify the lock is gone
perform the merge and the rules are loaded. Make sure to restart mgmt_acld afterwards.
=======
-- Reboot after every management firewall rule that is created.
=======
-- Manually clear the iptables lock then make your changes
1) Run: rm -rf /run/xtables.lock
2) Then make your changes
=======
-- If the changes have already been made, Manually clear the iptables lock, then run load sys config.
1) Run: rm -rf /run/xtables.lock
2) Then Run: tmsh load sys config