fix(envd): self-heal MMDS routing on /init lookup failure #2701

Merged: ValentaTomas merged 11 commits into `main` from `fix/envd-mmds-route-pin`, May 19, 2026

@ValentaTomas ValentaTomas commented May 17, 2026

On MMDS lookup failure (no happy-path cost), install a private nat chain (E2B_MMDS) that `RETURN`s for `169.254.169.254:80` and pin its jump at position 1 in PREROUTING and OUTPUT, removing prior copies first. Retry the lookup once.

Idempotent: `-N`/`-D` errors are expected and swallowed.

Follow-ups (separate PRs)

  • Survey envd `/init` failure modes to add similar in-envd recovery for other preconditions / loops.
  • Long-term: dedicated envd netns so user iptables cannot affect us at all.

When a user-installed PREROUTING/OUTPUT NAT rule in the same netns
shadows the MMDS route (e.g. `iptables -t nat -A PREROUTING -d 169.254.169.254 -p tcp --dport 80 -j REDIRECT`),
envd's resume-time token-hash lookup fails and /init returns 401.
The user's app keeps working because their app needs the redirect.

On MMDS lookup failure only (no happy-path cost), install a private nat
chain (E2B_MMDS) with a RETURN for 169.254.169.254:80 and re-pin its
jump at position 1 in PREROUTING and OUTPUT. Retry the MMDS lookup once.

Self-healing rather than always-on: every /init that hits the slow path
puts our jump back at position 1, so subsequent resumes recover even if
the customer template still installs the conflicting rule.
@cla-bot cla-bot Bot added the cla-signed label May 17, 2026

cursor Bot commented May 17, 2026

PR Summary

Medium Risk
Touches /init MMDS token validation and executes iptables during error handling; misbehavior could block init or alter networking in unexpected ways under failure conditions.

Overview
/init now retries MMDS access-token-hash lookup once after attempting to self-heal by pinning an iptables nat RETURN rule for 169.254.169.254:80, and rate-limits pin-failure warnings; if iptables is unavailable/blocked or the rule changes interfere with other nat rules, init may still fail while silently skipping concurrent repairs. PollForMMDSOpts now uses an HTTP client timeout; on slow-but-working MMDS this may cause premature failures. The new shared ratelimit.Limiter uses time.Since and atomic time pointers; clock jumps could cause unexpected gating behavior.

Reviewed by Cursor Bugbot for commit 6589bfb.
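
The control flow discussed in this thread (repair only on lookup failure, skip a repair that is already running, rate-limit the failure warning, retry once), as an added Go example that is not the PR's code. `Healer`, `Limiter` and `simulate` are hypothetical names, the iptables pinning is represented by an injected `Repair` function, and the MMDS is a constructed stand-in.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// Limiter allows one event per interval (hypothetical stand-in for the
// shared rate limiter mentioned in the summary; not the project's code).
type Limiter struct {
	interval time.Duration
	last     atomic.Pointer[time.Time]
}

func NewLimiter(interval time.Duration) *Limiter { return &Limiter{interval: interval} }

// Allow reports whether the caller may emit now. Values from time.Now carry
// a monotonic reading, so time.Since is not moved by wall-clock changes.
func (l *Limiter) Allow() bool {
	prev := l.last.Load()
	if prev != nil && time.Since(*prev) < l.interval {
		return false
	}
	now := time.Now()
	// CompareAndSwap lets exactly one of several racing callers win.
	return l.last.CompareAndSwap(prev, &now)
}

// Healer wraps a lookup with one repair-and-retry on failure.
type Healer struct {
	Lookup    func() (string, error) // stand-in for the MMDS token-hash fetch
	Repair    func() error           // stand-in for re-pinning the nat rule
	Warn      func(msg string)
	warnLimit *Limiter
	repairMu  sync.Mutex
}

func (h *Healer) Get() (string, error) {
	v, err := h.Lookup()
	if err == nil {
		return v, nil // happy path: Repair is never called
	}
	// One repair at a time; a concurrent caller skips straight to the retry.
	if h.repairMu.TryLock() {
		rerr := h.Repair()
		h.repairMu.Unlock()
		if rerr != nil && h.warnLimit.Allow() {
			h.Warn(fmt.Sprintf("repair failed: %v", rerr))
		}
	}
	v, retryErr := h.Lookup() // exactly one retry, whether or not repair ran
	if retryErr != nil {
		return "", fmt.Errorf("lookup failed after repair attempt (first error: %v): %w", err, retryErr)
	}
	return v, nil
}

// simulate calls Get twice against a constructed lookup that fails while
// "shadowed" is true; a working repair clears the flag.
func simulate(shadowed, repairWorks bool) (vals []string, repairs, warnings int) {
	h := &Healer{
		Lookup: func() (string, error) {
			if shadowed {
				return "", errors.New("mmds unreachable")
			}
			return "token-hash", nil
		},
		Repair: func() error {
			repairs++
			if !repairWorks {
				return errors.New("iptables unavailable")
			}
			shadowed = false
			return nil
		},
		Warn:      func(string) { warnings++ },
		warnLimit: NewLimiter(time.Minute),
	}
	for i := 0; i < 2; i++ {
		v, _ := h.Get()
		vals = append(vals, v)
	}
	return vals, repairs, warnings
}

func main() {
	for _, c := range [][2]bool{{false, true}, {true, true}, {true, false}} {
		vals, repairs, warnings := simulate(c[0], c[1])
		fmt.Printf("shadowed=%v repairWorks=%v -> vals=%q repairs=%d warnings=%d\n",
			c[0], c[1], vals, repairs, warnings)
	}
}
```

When the repair cannot succeed, every failing call still pays for a repair attempt and a second lookup; only the warning is rate-limited.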

codecov Bot commented May 17, 2026

❌ 3 Tests Failed:

| Tests completed | Failed | Passed | Skipped |
|---|---|---|---|
| 2645 | 3 | 2642 | 7 |

View the full list of 3 ❄️ flaky test(s)
github.com/e2b-dev/infra/tests/integration/internal/tests/api/sandboxes::TestEgressFirewallAllowAllDuplicate

Flake rate in main: 53.95% (Passed 280 times, Failed 328 times)

Stack Traces | 183s run time
=== RUN   TestEgressFirewallAllowAllDuplicate
=== PAUSE TestEgressFirewallAllowAllDuplicate
=== CONT  TestEgressFirewallAllowAllDuplicate
    sandbox_network_out_test.go:30: Building custom template for network egress tests...
    sandbox_network_out_test.go:32: Build completed successfully
    sandbox_network_out_test.go:49: Network test template built: i71qsp4ldvkqy68bqzot
    sandbox_network_out_test.go:489: Command [curl] output: event:{start:{pid:1324}}
Executing command curl in sandbox i4okbku6flvo9xrhxren7
    sandbox_network_out_test.go:489: Command [curl] output: event:{data:{stdout:"HTTP/2 302 \r\nx-content-type-options: nosniff\r\nlocation: https://dns.google/\r\ndate: Tue, 19 May 2026 07:55:04 GMT\r\ncontent-type: text/html; charset=UTF-8\r\nserver: HTTP server (unknown)\r\ncontent-length: 216\r\nx-xss-protection: 0\r\nx-frame-options: SAMEORIGIN\r\nalt-svc: h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000\r\n\r\n"}}
    sandbox_network_out_test.go:489: Command [curl] output: event:{end:{exited:true status:"exit status 0"}}
    sandbox_network_out_test.go:489: Command [curl] completed successfully in sandbox ifwqsylof97s4c6qo307a
    sandbox_network_out_test.go:490: Command [curl] output: event:{start:{pid:1325}}
    sandbox_network_out_test.go:490: 
        	Error Trace:	.../api/sandboxes/sandbox_network_out_test.go:67
        	            				.../api/sandboxes/sandbox_network_out_test.go:490
        	Error:      	Received unexpected error:
        	            	failed to execute command curl in sandbox ifwqsylof97s4c6qo307a: invalid_argument: protocol error: incomplete envelope: unexpected EOF
        	Test:       	TestEgressFirewallAllowAllDuplicate
        	Messages:   	Expected curl to 1.1.1.1 to succeed with duplicate 0.0.0.0/0 allow
Executing command curl in sandbox imm6fpudk4igxj1bt6fph
--- FAIL: TestEgressFirewallAllowAllDuplicate (182.70s)
github.com/e2b-dev/infra/tests/integration/internal/tests/api/sandboxes::TestUpdateNetworkConfig

Flake rate in main: 76.37% (Passed 289 times, Failed 934 times)

Stack Traces | 90.4s run time
=== RUN   TestUpdateNetworkConfig
=== PAUSE TestUpdateNetworkConfig
=== CONT  TestUpdateNetworkConfig
--- FAIL: TestUpdateNetworkConfig (90.40s)
github.com/e2b-dev/infra/tests/integration/internal/tests/api/sandboxes::TestUpdateNetworkConfig/pause_resume_preserves_allow_internet_access_false

Flake rate in main: 76.83% (Passed 279 times, Failed 925 times)

Stack Traces | 52.4s run time
=== RUN   TestUpdateNetworkConfig/pause_resume_preserves_allow_internet_access_false
Executing command curl in sandbox ivs7wiqvwzs8j83cu8xp4
    sandbox_network_update_test.go:417: 
        	Error Trace:	.../api/sandboxes/sandbox_network_update_test.go:26
        	            				.../api/sandboxes/sandbox_network_update_test.go:417
        	Error:      	Condition never satisfied
        	Test:       	TestUpdateNetworkConfig/pause_resume_preserves_allow_internet_access_false
        	Messages:   	connectivity did not match expected state in time
--- FAIL: TestUpdateNetworkConfig/pause_resume_preserves_allow_internet_access_false (52.35s)

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

Using the RETURN target in the E2B_MMDS chain allows subsequent rules in PREROUTING or OUTPUT to still process the packet; using ACCEPT instead would effectively bypass user-installed NAT rules by terminating chain traversal. The iptables commands should also include the -w flag to prevent failures due to concurrent lock acquisition in the network namespace.

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: RETURN target does not prevent subsequent NAT rule matching
    • Changed iptables target from RETURN to ACCEPT on line 21 to terminate all NAT rule evaluation and prevent subsequent REDIRECT rules from hijacking MMDS traffic.

Preview (33f7a29d4b)
diff --git a/packages/envd/internal/host/mmds_route_linux.go b/packages/envd/internal/host/mmds_route_linux.go
--- a/packages/envd/internal/host/mmds_route_linux.go
+++ b/packages/envd/internal/host/mmds_route_linux.go
@@ -18,7 +18,7 @@
 	commands := [][]string{
 		{"-N", "E2B_MMDS"},
 		{"-F", "E2B_MMDS"},
-		{"-A", "E2B_MMDS", "-d", "169.254.169.254", "-p", "tcp", "--dport", "80", "-j", "RETURN"},
+		{"-A", "E2B_MMDS", "-d", "169.254.169.254", "-p", "tcp", "--dport", "80", "-j", "ACCEPT"},
 		{"-D", "PREROUTING", "-j", "E2B_MMDS"},
 		{"-I", "PREROUTING", "1", "-j", "E2B_MMDS"},
 		{"-D", "OUTPUT", "-j", "E2B_MMDS"},
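
Review bot: the `-j ACCEPT` entry carries the whole fix, but nothing next to the `-A E2B_MMDS` line says why RETURN was not enough. Add a comment there stating that RETURN in a user-defined chain resumes at the caller's next rule, so a later REDIRECT in PREROUTING or OUTPUT would still match, while ACCEPT ends nat evaluation for the packet. Separately, each `-D PREROUTING -j E2B_MMDS` removes at most one matching rule, so two interleaved runs can leave a duplicate jump behind; consider repeating the `-D` until it fails before the `-I PREROUTING 1`.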

Reviewed by Cursor Bugbot for commit 37c4de7.

Switch from a private E2B_MMDS chain (jump + RETURN) to inserting the
RETURN rule directly into nat PREROUTING/OUTPUT at position 1, matching
the rules known to work. The chain approach was not equivalent: RETURN
from a user-defined chain falls through to the next caller rule, so
customer DNAT/REDIRECT rules at PREROUTING[2:] would still match.
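
The traversal difference described in the commit message above, modelled as an added Go example (not code from this PR or from envd). It is a small simulator of nat rule evaluation; the names `walk`, `verdict`, `viaChain` and `direct` and the default-ACCEPT chain policy are assumptions made for the illustration.

```go
package main

import "fmt"

// Constructed model of nat-table rule traversal; not envd code.
type packet struct{ dst, proto, dport string }
type rule struct {
	match  *packet // nil matches every packet
	target string  // ACCEPT, RETURN, REDIRECT, or a user-defined chain name
}
type table map[string][]rule

// walk returns the terminal target that decided the packet, or "" when the
// chain ran out or hit RETURN and control goes back to the caller.
func walk(t table, chain string, p packet) string {
	for _, r := range t[chain] {
		if r.match != nil && *r.match != p {
			continue
		}
		switch r.target {
		case "RETURN":
			return ""
		case "ACCEPT", "REDIRECT":
			return r.target
		}
		// Jump to a user-defined chain; resume at the next rule if undecided.
		if v := walk(t, r.target, p); v != "" {
			return v
		}
	}
	return ""
}

// verdict walks built-in PREROUTING; RETURN or end of chain applies the policy
// (assumed default ACCEPT, so the packet is left un-NATed).
func verdict(t table, p packet) string {
	if v := walk(t, "PREROUTING", p); v != "" {
		return v
	}
	return "POLICY"
}

var mmds = packet{"169.254.169.254", "tcp", "80"}
var userRule = rule{&mmds, "REDIRECT"} // the conflicting customer rule

// viaChain pins a jump to E2B_MMDS at position 1; the exemption lives inside it.
func viaChain(target string) table {
	return table{"PREROUTING": {{nil, "E2B_MMDS"}, userRule}, "E2B_MMDS": {{&mmds, target}}}
}

// direct pins the RETURN exemption itself at position 1 of PREROUTING.
func direct() table { return table{"PREROUTING": {{&mmds, "RETURN"}, userRule}} }

func main() {
	fmt.Println(verdict(viaChain("RETURN"), mmds), verdict(viaChain("ACCEPT"), mmds), verdict(direct(), mmds))
}
```

In the model, the chain-plus-RETURN layout still ends at the customer's REDIRECT, while both the ACCEPT variant and the direct RETURN at position 1 leave the MMDS packet untouched.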

@ValentaTomas ValentaTomas marked this pull request as ready for review May 17, 2026 21:51

Gemini review: a user iptables process can hold the xtables lock when
our self-heal fires; -w 5 makes us wait up to 5s instead of failing
immediately on EAGAIN.

- pkg/version.go: 0.5.23 -> 0.5.24 (new behavioral path on /init).
- init.go: comment referenced the private chain that was removed in
  b425dcf; describe the direct PREROUTING/OUTPUT re-pin instead.

Previously the self-heal swallowed every iptables error, which hid real
breakage (e.g. iptables binary missing, broken iptables module load,
xtables lock contention beyond -w). Now PinMMDSRoute returns the first
-I failure with the iptables stderr attached, and the caller logs at
warn. -D failures stay silent: "rule absent" is the expected first-run
case.

Drop the in-pin cooldown (we want self-heal to fire on every retry in
case user rules keep landing back on top) and instead floor the warn
log to once per 10s with a suppressed-since-last counter, mirroring
internal/logs/exporter/rate_limited_logger.go.

- Extract the gate from internal/logs/exporter/rate_limited_logger.go
  into internal/logs/ratelimit.Limiter (logger-agnostic; returns
  (allowed, suppressedSinceLast)). Exporter wraps it for log.Printf,
  init.go uses it directly with zerolog.
- Add Timeout to PollForMMDSOpts' http.Client (matches the existing
  mmdsAccessTokenClient 10s). Without it a -j DROP on MMDS would hang
  each tick on the TCP handshake until the parent ctx expired.

Coalesce concurrent /init self-heal calls with an atomic.Bool TryLock
so we don't fire iptables mutations in parallel against the same nat
table. Same pattern as isMountingNFS.

@ValentaTomas ValentaTomas requested a review from arkamar May 18, 2026 19:16
@ValentaTomas ValentaTomas enabled auto-merge (squash) May 19, 2026 07:12
@ValentaTomas ValentaTomas merged commit 90944d5 into main May 19, 2026
54 checks passed
@ValentaTomas ValentaTomas deleted the fix/envd-mmds-route-pin branch May 19, 2026 08:35