Add '-w' argument to iptables

If multiple tests are executed in parallel (e.g. via pytest-xdist) and
more than one test queries the iptables rules on the same host
simultaneously, the following error will occur:

    E       AssertionError: Unexpected exit code 4 for
    CommandResult(command='iptables -t filter -S', exit_status=4,
    stdout='', stderr='Another app is currently holding the xtables
    lock. Perhaps you want to use the -w option?')

Iptables has an internal lock to prevent multiple simultaneous
invocations.  This change implements that suggestion and adds "-w 90" to
the iptables command so that we will wait up to 90 seconds to obtain the
lock.

Unfortunatelly centos 6 is still maintained but doesn't have support for
iptables with "-w" argument. So we have handle this by trying iptables
with "-w 90", if it fail we retry without this option ("w argument
support" is then cached at host level).

Co-Authored-By James E. Blair <[email protected]>

Author: philpep

images/centos_6/Dockerfile

@@ -2,7 +2,7 @@ FROM centos:6
 
 RUN yum clean all && \
     yum -y install \
-      openssh-server && \
+      openssh-server iptables && \
     rm -f /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_rsa_key && \
     ssh-keygen -q -N "" -t dsa -f /etc/ssh/ssh_host_ecdsa_key && \
     ssh-keygen -q -N "" -t rsa -f /etc/ssh/ssh_host_rsa_key && \

test/test_modules.py

@@ -516,6 +516,13 @@ def test_iptables(host):
     assert ssh_rule_str in input_rules
     assert vip_redirect_rule_str in nat_rules
     assert vip_redirect_rule_str in nat_prerouting_rules
+    assert host.iptables._has_w_argument is True
+
+
+@pytest.mark.testinfra_hosts('docker://centos_6')
+def test_iptables_centos6(host):
+    host.iptables.rules()
+    assert host.iptables._has_w_argument is False
 
 
 def test_ip6tables(host):

testinfra/modules/iptables.py

@@ -16,6 +16,39 @@
 class Iptables(InstanceModule):
     """Test iptables rule exists"""
 
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        # support for -w argument (since 1.6.0)
+        # https://git.netfilter.org/iptables/commit/?id=aaa4ace72b
+        # centos 6 has no support
+        # centos 7 has 1.4 patched
+        self._has_w_argument = None
+
+    def _iptables_command(self, version):
+        if version == 4:
+            iptables = "iptables"
+        elif version == 6:
+            iptables = "ip6tables"
+        else:
+            raise RuntimeError("Invalid version: %s" % version)
+        if self._has_w_argument is False:
+            return iptables
+        else:
+            return "{} -w 90".format(iptables)
+
+    def _run_iptables(self, version, cmd, *args):
+        ipt_cmd = "{} {}".format(self._iptables_command(version), cmd)
+        if self._has_w_argument is None:
+            result = self.run_expect([0, 2], ipt_cmd, *args)
+            if result.rc == 2:
+                self._has_w_argument = False
+                return self._run_iptables(version, cmd, *args)
+            else:
+                self._has_w_argument = True
+                return result.stdout.rstrip('\r\n')
+        else:
+            return self.check_output(ipt_cmd, *args)
+
     def rules(self, table='filter', chain=None, version=4):
         """Returns list of iptables rules
 
@@ -39,21 +72,13 @@ def rules(self, table='filter', chain=None, version=4):
         ['-P PREROUTING ACCEPT']
 
         """
-
-        if version == 4:
-            iptables = "iptables"
-        elif version == 6:
-            iptables = "ip6tables"
-        else:
-            raise RuntimeError("Invalid version: %s" % version)
-
-        rules = []
+        cmd, args = "-t %s -S", [table]
         if chain:
-            cmd = "{0} -t {1} -S {2}".format(iptables, table, chain)
-        else:
-            cmd = "{0} -t {1} -S".format(iptables, table)
+            cmd += " %s"
+            args += [chain]
 
-        for line in self.check_output(cmd).splitlines():
+        rules = []
+        for line in self._run_iptables(version, cmd, *args).splitlines():
             line = line.replace("\t", " ")
             rules.append(line)
         return rules