update 6.3.3 left apps not responding & firewall inactive after reboot

chymian 0

the latest update to 6.3.3 left nextcloud & wallabag not responding/restarting.
the pbl. was access to the pgsql container, which was fixed by a manual restart of the container...

the necessary system reboot left the firewall down: (due to a race condition?)

Jun 30 08:27:20 my.eb8.org cloudron-firewall.sh[5559]: ==> Setting up firewall
Jun 30 08:27:20 my.eb8.org cloudron-firewall.sh[5613]: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 30 08:27:22 my.eb8.org cloudron-firewall.sh[5828]: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Jun 30 08:27:22 my.eb8.org cloudron-firewall.sh[5833]: iptables: No chain/target/match by that name.
Jun 30 08:27:22 my.eb8.org systemd[1]: cloudron-firewall.service: Main process exited, code=exited, status=1/FAILURE
Jun 30 08:27:22 my.eb8.org systemd[1]: cloudron-firewall.service: Failed with result 'exit-code'.
Jun 30 08:27:22 my.eb8.org systemd[1]: Failed to start Cloudron Firewall.

manual restating the FW brought it back online.

nebulon

@chymian-0 do you have any additional firewall/iptables rules put manually?

girish

I have seen this happens when we try to add a lot of iptable rules quickly. Do you have a lot of IP address in your firewall (i.e added via Cloudron) ? I remember we hit this before and I converted the code to use ipset based on the suggestion in https://serverfault.com/questions/935272/another-app-is-currently-holding-the-xtables-lock but looks like we hit this anyway... Is this easily reproducible?

chymian 0

hey @nebulon,
no, only 2-3 ports tcp/udp (wireguard/snmp/ssh)
and it happened inbetween again, without any reboots/upgrades/etc. I got notfied by network mgmgt system, that my cloudron server is down - luckily it was just the firewall…