authorƁukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>2018-02-15 14:28:59 +0100
committerusd-importer <ubuntu-server@lists.ubuntu.com>2018-02-15 19:08:29 +0000
commit3afbcfff2f6e3faf50c0dffee55e7c48b50755b5 (patch)
tree44d4a5d80868fe6a8defe57f6cc9c21feae59a03 /azurelinuxagent/common/osutil/default.py
parent6c9cd7e1ac55aae259d8e2f06569375e27a12f20 (diff)
parent7e7d885433a2bac56ce2361126bf7ec3d565fd66 (diff)
Import patches-applied version 2.2.21+really2.2.20-0ubuntu1~16.04.1 to applied/ubuntu/xenial-proposed
Imported using git-ubuntu import. Changelog parent: 6c9cd7e1ac55aae259d8e2f06569375e27a12f20 Unapplied parent: 7e7d885433a2bac56ce2361126bf7ec3d565fd66 New changelog entries: * Backport bionic version to xenial. * Revert to an older upstream release: 2.2.20 (LP: #1749589). - Rename upstream tarball to 2.2.21+really2.2.20 to end up with a temporarily higher version number than what's in the archive. * debian/patches/disable_import_test.patch: refreshed patch.
Diffstat (limited to 'azurelinuxagent/common/osutil/default.py')
-rw-r--r--azurelinuxagent/common/osutil/default.py48
1 files changed, 9 insertions, 39 deletions
diff --git a/azurelinuxagent/common/osutil/default.py b/azurelinuxagent/common/osutil/default.py
index 16b7444..ecade8d 100644
--- a/azurelinuxagent/common/osutil/default.py
+++ b/azurelinuxagent/common/osutil/default.py
@@ -66,10 +66,6 @@ FIREWALL_LIST = "iptables {0} -t security -L -nxv"
FIREWALL_PACKETS = "iptables {0} -t security -L OUTPUT --zero OUTPUT -nxv"
FIREWALL_FLUSH = "iptables {0} -t security --flush"
-# Precisely delete the rules created by the agent.
-FIREWALL_DELETE_CONNTRACK = "iptables {0} -t security -D OUTPUT -d {1} -p tcp -m conntrack --ctstate INVALID,NEW -j ACCEPT"
-FIREWALL_DELETE_OWNER = "iptables {0} -t security -D OUTPUT -d {1} -p tcp -m owner --uid-owner {2} -j ACCEPT"
-
PACKET_PATTERN = "^\s*(\d+)\s+(\d+)\s+DROP\s+.*{0}[^\d]*$"
_enable_firewall = True
@@ -80,8 +76,8 @@ UUID_PATTERN = re.compile(
r'^\s*[A-F0-9]{8}(?:\-[A-F0-9]{4}){3}\-[A-F0-9]{12}\s*$',
re.IGNORECASE)
-
class DefaultOSUtil(object):
+
def __init__(self):
self.agent_conf_file_path = '/etc/waagent.conf'
self.selinux = None
@@ -97,11 +93,6 @@ class DefaultOSUtil(object):
wait = self.get_firewall_will_wait()
rc, output = shellutil.run_get_output(FIREWALL_PACKETS.format(wait))
- if rc == 3:
- # Transient error that we ignore. This code fires every loop
- # of the daemon (60m), so we will get the value eventually.
- return 0
-
if rc != 0:
return -1
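Review bot: After this hunk every non-zero exit from the `FIREWALL_PACKETS` command is collapsed into `return -1` with no log line, so a transient iptables failure (the case the deleted `rc == 3` branch singled out) is indistinguishable from a persistent one and leaves nothing to diagnose. A single `logger.verbose("iptables returned {0} while reading dropped packets".format(rc))` immediately before `return -1` would keep the exit status visible without changing the return contract. Whether the caller treats -1 as an error or merely skips the sample is outside this hunk, as are the enclosing method's signature and its parsing of `output` further down.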
@@ -138,40 +129,24 @@ class DefaultOSUtil(object):
else ""
return wait
- def _delete_rule(self, rule):
- """
- Continually execute the delete operation until the return
- code is non-zero or the limit has been reached.
- """
- for i in range(1, 100):
- rc = shellutil.run(rule, chk_err=False)
- if rc == 1:
- return
- elif rc == 2:
- raise Exception("invalid firewall deletion rule '{0}'".format(rule))
-
- def remove_firewall(self, dst_ip=None, uid=None):
+ def remove_firewall(self):
# If a previous attempt failed, do not retry
global _enable_firewall
if not _enable_firewall:
return False
try:
- if dst_ip is None or uid is None:
- msg = "Missing arguments to enable_firewall"
- logger.warn(msg)
- raise Exception(msg)
-
wait = self.get_firewall_will_wait()
- self._delete_rule(FIREWALL_DELETE_CONNTRACK.format(wait, dst_ip))
- self._delete_rule(FIREWALL_DELETE_OWNER.format(wait, dst_ip, uid))
+ flush_rule = FIREWALL_FLUSH.format(wait)
+ if shellutil.run(flush_rule, chk_err=True) != 0:
+ raise Exception("non-zero return code")
return True
except Exception as e:
_enable_firewall = False
- logger.info("Unable to remove firewall -- "
+ logger.info("Unable to flush firewall -- "
"no further attempts will be made: "
"{0}".format(ustr(e)))
return False
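Review bot: `FIREWALL_FLUSH` is `iptables -t security --flush` with no chain argument, so the rewritten `remove_firewall` clears every chain in the security table rather than only the ACCEPT/DROP rules the agent appends in `enable_firewall`; any rule another component placed in that table is removed too, and nothing in the method says so. Callers are outside this hunk, so whether that is acceptable cannot be judged here, but a comment such as `# Flushes the whole security table, including rules the agent did not add` above `flush_rule = FIREWALL_FLUSH.format(wait)` would make the scope explicit. The `Exception("non-zero return code")` raised on failure also discards both the command and its exit status, so the one "no further attempts will be made" line that is ever logged gives nothing to investigate; capturing `rc = shellutil.run(flush_rule, chk_err=True)` and raising `Exception("'{0}' returned {1}".format(flush_rule, rc))` keeps that information.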
@@ -192,15 +167,10 @@ class DefaultOSUtil(object):
# If the DROP rule exists, make no changes
drop_rule = FIREWALL_DROP.format(wait, "C", dst_ip)
- rc = shellutil.run(drop_rule, chk_err=False)
- if rc == 0:
+
+ if shellutil.run(drop_rule, chk_err=False) == 0:
logger.verbose("Firewall appears established")
return True
- elif rc == 2:
- self.remove_firewall(dst_ip, uid)
- msg = "please upgrade iptables to a version that supports the -C option"
- logger.warn(msg)
- raise Exception(msg)
# Otherwise, append both rules
accept_rule = FIREWALL_ACCEPT.format(wait, "A", dst_ip, uid)
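Review bot: With the `rc == 2` branch removed, an iptables build that does not support `-C` now fails the existence check with a non-zero status and falls straight through to the append path starting at `accept_rule`, so the ACCEPT and DROP rules would be appended again on every call instead of the check failing loudly; nothing on the new side distinguishes "rule absent" from "check unsupported". That case is presumably rare on current distributions, but `iptables -C` conventionally exits 1 when the rule is absent, so keeping `rc = shellutil.run(drop_rule, chk_err=False)` and adding `if rc != 0 and rc != 1: raise Exception("iptables -C failed with rc {0}".format(rc))` before the append would stop the security table from accumulating duplicates. `enable_firewall` begins before this hunk and continues after it.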
@@ -1028,7 +998,7 @@ class DefaultOSUtil(object):
if not os.path.exists(hostname_record):
# this file is created at provisioning time with agents >= 2.2.3
hostname = socket.gethostname()
- logger.info('Hostname record does not exist, '
+ logger.warn('Hostname record does not exist, '
'creating [{0}] with hostname [{1}]',
hostname_record,
hostname)