Bug 1043894

Summary: libvirtd reload and hooks problem routed-net
Product: [Community] Virtualization Tools Reporter: Chris Weltzien <c.weltzien>
Component: libvirtAssignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED DEFERRED QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: crobinso, rbalakri, t.rohde
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-04-10 17:20:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Chris Weltzien 2013-12-17 12:18:17 UTC
Description of problem:
if we do a reload of libvirt, some iptables rules, which are created through /etc/libvirt/hooks/qemu are not working anymore.
every time a other (one or two,thee) vms are affected.

Version-Release number of selected component (if applicable):
libvirt version: 1.2.0


To fix the problem, we have to run the qemu skript for the vm again, which have the problem.


our qemu file:

#!/bin/bash

do_net() {
        local status=$2
        local ip=$3
        local in=$4
        local out=$5

        if [[ ! $status || ! $ip || ! $in || ! $out ]]; then
                echo "Not all parameters were passed!"
                exit 1
        fi

        if [ "$status" = "stopped" -o "$status" = "reconnect" ]; then
                ip route del $ip via 191.255.255.1 dev $out
                ip neigh del proxy $ip dev $in
                iptables -D FORWARD -i $in -o $out -s 0.0.0.0/0 -d $ip/32 -j ACCEPT
                iptables -D FORWARD -i $out -o $in -s $ip/32 -d 0.0.0.0/0 -j ACCEPT
        fi

        if [ "$status" = "start" -o "$status" = "reconnect" ]; then
                ip route add $ip via 191.255.255.1 dev $out
                ip neigh add proxy $ip dev $in
                iptables -I FORWARD 4 -i $in -o $out -s 0.0.0.0/0 -d $ip/32 -j ACCEPT
                iptables -I FORWARD 4 -i $out -o $in -s $ip/32 -d 0.0.0.0/0 -j ACCEPT
                fi
}

CONF=//etc/libvirt/hooks/vms/*
for file in $CONF
do
        guest_ipaddr=""
        guest_name=""
        type=""
        destination="0.0.0.0/0"

  while read line; do
    eval $line
  done < $file
        guest_ipaddrnet=$guest_ipaddr"/32"
      for dest in ${destination}
      do
                if [ "${1}" = "${guest_name}" ]; then
                        echo "SRC-IP="$guest_ipaddr " " $guest_ipaddrnet " VM="$guest_name " Dest="$dest
                        if [ "${2}" = "stopped" ]; then
                                        ip route del $guest_ipaddr via 191.255.255.1 dev virbr1
                                       ip neigh del proxy $guest_ipaddr dev bond0
                               iptables -D FORWARD -i bond0 -o virbr1 -s $dest -d $guest_ipaddrnet -j ACCEPT
                               iptables -D FORWARD -i virbr1 -o bond0 -s $guest_ipaddrnet -d $dest -j ACCEPT
                        fi
                        if [ "${2}" = "start" ]; then
                                 ip route add $guest_ipaddr via 191.255.255.1 dev virbr1
                                 ip neigh add proxy $guest_ipaddr dev bond0
                                 iptables -I FORWARD 4 -i bond0 -o virbr1 -s $dest -d $guest_ipaddrnet -j ACCEPT
                                 iptables -I FORWARD 4 -i virbr1 -o bond0 -s $guest_ipaddrnet -d $dest -j ACCEPT
                        fi
                        if [ "${2}" = "reconnect" ]; then
                                       ip route del $guest_ipaddr via 191.255.255.1 dev virbr1
                                       ip neigh del proxy $guest_ipaddr dev bond0
                               iptables -D FORWARD -i bond0 -o virbr1 -s $dest -d $guest_ipaddrnet -j ACCEPT
                               iptables -D FORWARD -i virbr1 -o bond0 -s $guest_ipaddrnet -d $dest -j ACCEPT
                               sleep 1
                                 ip route add $guest_ipaddr via 191.255.255.1 dev virbr1
                                 ip neigh add proxy $guest_ipaddr dev bond0
                               iptables -I FORWARD 4 -i bond0 -o virbr1 -s $dest -d $guest_ipaddrnet -j ACCEPT
                               iptables -I FORWARD 4 -i virbr1 -o bond0 -s $guest_ipaddrnet -d $dest -j ACCEPT
                        fi
                fi
        done
done

Comment 1 Tim Rohde 2014-02-19 10:30:02 UTC
Hi,

we have a workaround for that. We´ve add sleep ${RANDOM:0:1}.${RANDOM:-1:1} between the IP Tables rules. The Problem is, that IP tables cannot execute twice or more times simultaneously.

Cheers Tim

Comment 2 Cole Robinson 2016-04-10 17:20:11 UTC
Sounds like Comment #1 describes a workaround... I'm not sure if there's a libvirt bug here, please reopen if I've misunderstood