From 4537b5b9636867e5c66cfffdd2281ddbe1593803 Mon Sep 17 00:00:00 2001
From: Pedro Coutinho
Date: Wed, 17 Jul 2024 17:23:40 -0700
Subject: [PATCH 1/2] [CORE-10546] Change rpm install order to fix 'undefined symbol: xtables_strdup'
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`microdnf install iproute-tc nftables` would install `iptables-libs` 1.8.5-11.el8_9 as a dependency, and it provides `/lib64/libxtables.so.12.3.0`. When using that `.so` file with `LD_PRELOAD`, we can consistently reproduce the issue:

```
LD_PRELOAD=/lib64/libxtables.so.12.3.0 iptables-legacy-save
iptables-legacy-save: symbol lookup error: iptables-legacy-save: undefined symbol: xtables_strdup
```

The problem was, during our build process, we build iptables (and iptables-libs) v1.8.8 and install with `rpm --force`, but that doesn´t remove the outdated v1.8.5. By moving things around in the Dockerfiles and installing iptables-libs 1.8.8 before iproute-tc and nftables, the problematic 1.8.5 package is no longer installed and thus the correct `.so` file should be used (`libxtables.so.12.6.0` at the time of writing this).
---
 node/Dockerfile.amd64 | 21 +++++++++++----------
 node/Dockerfile.arm64 | 22 +++++++++++-----------
 2 files changed, 22 insertions(+), 21 deletions(-)

diff --git a/node/Dockerfile.amd64 b/node/Dockerfile.amd64
index fcd2601aac8..b57843a24dc 100644
--- a/node/Dockerfile.amd64
+++ b/node/Dockerfile.amd64
@@ -119,26 +119,27 @@ RUN microdnf install \
 # Needed for runit startup script
 which \
 # Needed for the cleanup script
- findutils \
- # nftables
- nftables
+ findutils
 # Since the ubi repos do not contain all the packages we need (they're missing conntrack-tools),
 # we're using AlmaLinux repos for missing packages.
 COPY almalinux.repo /etc/yum.repos.d/almalinux.repo
 RUN microdnf --enablerepo=baseos install \
- iproute-tc \
 # Needed for conntrack
 libnetfilter_cthelper libnetfilter_cttimeout libnetfilter_queue \
 conntrack-tools
-# Install iptables via rpms. The libs must be force installed because the iptables source RPM has the release
-# version '1.8.8-6.el8' conflicts with iptables-libs (pulled in by the iputils package) '1.8.5-11.el8_9'.
-RUN rpm --force -i /tmp/rpms/iptables-libs-${IPTABLES_VER}.el8.x86_64.rpm && \
- rpm --force -i /tmp/rpms/iptables-legacy-libs-${IPTABLES_VER}.el8.2.x86_64.rpm && \
- # Install compatible libnftnl version with selected iptables version
- rpm -i /tmp/rpms/iptables-legacy-${IPTABLES_VER}.el8.2.x86_64.rpm && \
+# Install iptables-libs via rpm. The libs must installed before installing iproute-tc and nftables via 'microdnf install'
+# otherwise they will pull an outdated version of iptables-libs (1.8.5-11.el8_9) as a dependency.
+RUN rpm -i /tmp/rpms/iptables-libs-${IPTABLES_VER}.el8.x86_64.rpm && \
+ rpm -i /tmp/rpms/iptables-legacy-libs-${IPTABLES_VER}.el8.2.x86_64.rpm
+
+# iproute-tc and nftables depend on iptables-libs and should be installed after it.
+RUN microdnf --enablerepo=baseos install iproute-tc nftables
+
+# Install iptables via rpm. Install compatible libnftnl version with the selected iptables version
+RUN rpm -i /tmp/rpms/iptables-legacy-${IPTABLES_VER}.el8.2.x86_64.rpm && \
 rpm -i /tmp/rpms/iptables-nft-${IPTABLES_VER}.el8.x86_64.rpm && \
 # Install ipset version
 rpm --force -i /tmp/rpms/ipset-libs-${IPSET_VER}.el8.x86_64.rpm && \
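Review bot: Nothing in the new install sequence checks that only one `iptables-libs` ends up registered in the rpm database, so a regression of the duplicate-package situation this commit fixes would surface only at runtime as the `xtables_strdup` symbol lookup error rather than failing the image build. Directly after the added `RUN microdnf --enablerepo=baseos install iproute-tc nftables` line, a one-line assertion catches microdnf pulling a second version, because `rpm -q` then prints more than one line: `RUN test "$(rpm -q iptables-libs)" = "iptables-libs-${IPTABLES_VER}.el8.x86_64"` (with `.aarch64` in the Dockerfile.arm64 hunk), assuming `${IPTABLES_VER}.el8` is the package's version-release as the rpm filenames suggest. The first added comment line also reads `The libs must installed`; `The libs must be installed` is what is meant, in both Dockerfiles. The `RUN microdnf install` block at the top of the hunk starts before it, and the final `RUN rpm` chain continues past its end.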
diff --git a/node/Dockerfile.arm64 b/node/Dockerfile.arm64
index a41d67cdf30..5cc6736112d 100644
--- a/node/Dockerfile.arm64
+++ b/node/Dockerfile.arm64
@@ -129,27 +129,27 @@ RUN microdnf install \
 # Needed for runit startup script
 which \
 # Needed for the cleanup script
- findutils \
- # nftables
- nftables
-
+ findutils
 # Since the ubi repos do not contain all the packages we need (they're missing conntrack-tools),
 # we're using AlmaLinux repos for missing packages.
 COPY almalinux.repo /etc/yum.repos.d/almalinux.repo
 RUN microdnf --enablerepo=baseos install \
- iproute-tc \
 # Needed for conntrack
 libnetfilter_cthelper libnetfilter_cttimeout libnetfilter_queue \
 conntrack-tools
-# Install iptables via rpms. The libs must be force installed because the iptables source RPM has the release
-# version '1.8.8-6.el8' conflicts with iptables-libs (pulled in by the iputils package) '1.8.5-11.el8_9'.
-RUN rpm --force -i /tmp/rpms/iptables-libs-${IPTABLES_VER}.el8.aarch64.rpm && \
- rpm --force -i /tmp/rpms/iptables-legacy-libs-${IPTABLES_VER}.el8.2.aarch64.rpm && \
- # Install compatible libnftnl version with selected iptables version
- rpm --force -i /tmp/rpms/libnftnl-${LIBNFTNL_VER}.el8.aarch64.rpm && \
+# Install iptables-libs via rpm. The libs must installed before installing iproute-tc and nftables via 'microdnf install'
+# otherwise they will pull an outdated version of iptables-libs (1.8.5-11.el8_9) as a dependency.
+RUN rpm -i /tmp/rpms/iptables-libs-${IPTABLES_VER}.el8.aarch64.rpm && \
+ rpm -i /tmp/rpms/iptables-legacy-libs-${IPTABLES_VER}.el8.2.aarch64.rpm
+
+# iproute-tc and nftables depend on iptables-libs and should be installed after it.
+RUN microdnf --enablerepo=baseos install iproute-tc nftables
+
+# Install iptables via rpm. Install compatible libnftnl version with the selected iptables version
+RUN rpm --force -i /tmp/rpms/libnftnl-${LIBNFTNL_VER}.el8.aarch64.rpm && \
 # Install both and select at runtime.
 rpm -i /tmp/rpms/iptables-legacy-${IPTABLES_VER}.el8.2.aarch64.rpm && \
 rpm -i /tmp/rpms/iptables-nft-${IPTABLES_VER}.el8.aarch64.rpm && \
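Review bot: The arm64 side keeps the install-on-top pattern this commit removes for iptables-libs: the new `RUN microdnf --enablerepo=baseos install iproute-tc nftables` line runs before the new `RUN rpm --force -i /tmp/rpms/libnftnl-${LIBNFTNL_VER}.el8.aarch64.rpm`, so if the repo's nftables pulls in libnftnl as a dependency, the forced rpm install adds the pinned build alongside it rather than replacing it, and which `libnftnl.so` wins is decided by file overwrite order, exactly as the commit message describes for iptables-libs. Installing the libnftnl rpm in the same `RUN rpm -i` step as iptables-libs, ahead of the microdnf line, would let the pinned version satisfy the dependency instead; whether the repo nftables really depends on libnftnl should be confirmed with `rpm -qR nftables` in the build image. The closing `RUN rpm` chain continues past the end of the hunk.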
From 020182d0dfc4eff785e041dddfa43c9d77c827d0 Mon Sep 17 00:00:00 2001
From: Pedro Coutinho
Date: Thu, 18 Jul 2024 14:27:39 -0700
Subject: [PATCH 2/2] Update comment

---
 node/Dockerfile.amd64 | 2 +-
 node/Dockerfile.arm64 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/node/Dockerfile.amd64 b/node/Dockerfile.amd64
index b57843a24dc..b913ac261b7 100644
--- a/node/Dockerfile.amd64
+++ b/node/Dockerfile.amd64
@@ -131,7 +131,7 @@ RUN microdnf --enablerepo=baseos install \
 conntrack-tools
 # Install iptables-libs via rpm. The libs must installed before installing iproute-tc and nftables via 'microdnf install'
-# otherwise they will pull an outdated version of iptables-libs (1.8.5-11.el8_9) as a dependency.
+# otherwise they will pull a different version of iptables-libs as a dependency.
 RUN rpm -i /tmp/rpms/iptables-libs-${IPTABLES_VER}.el8.x86_64.rpm && \
 rpm -i /tmp/rpms/iptables-legacy-libs-${IPTABLES_VER}.el8.2.x86_64.rpm
diff --git a/node/Dockerfile.arm64 b/node/Dockerfile.arm64
index 5cc6736112d..e00e895f370 100644
--- a/node/Dockerfile.arm64
+++ b/node/Dockerfile.arm64
@@ -141,7 +141,7 @@ RUN microdnf --enablerepo=baseos install \
 conntrack-tools
 # Install iptables-libs via rpm. The libs must installed before installing iproute-tc and nftables via 'microdnf install'
-# otherwise they will pull an outdated version of iptables-libs (1.8.5-11.el8_9) as a dependency.
+# otherwise they will pull a different version of iptables-libs as a dependency.
 RUN rpm -i /tmp/rpms/iptables-libs-${IPTABLES_VER}.el8.aarch64.rpm && \
 rpm -i /tmp/rpms/iptables-legacy-libs-${IPTABLES_VER}.el8.2.aarch64.rpm