|Summary:||firewalld conflicts with libvirt's default network|
|Product:||[Fedora] Fedora||Reporter:||Dave Allan <dallan>|
|Component:||libvirt||Assignee:||Laine Stump <laine>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||rawhide||CC:||awilliam, berrange, bloch, clalancette, crobinso, dougsland, frankly3d, itamar, jforbes, laine, libvirt-maint, mishu, mwoehlke.floss, robatino, tflink, twoerner, veillard, virt-maint|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2012-09-14 06:29:51 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:|
Description Dave Allan 2012-02-23 00:53:51 UTC
After I installed firewalld, my guests stopped being able to pass traffic on their interfaces connected to the libvirt default network. Stopping firewalld and restarting libvirt resolved the problem.
Comment 1 Adam Williamson 2012-04-10 19:29:27 UTC
I _just_ started seeing this on 17, though i'm sure I had firewalld running and guest networking working for a while. -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers
Comment 2 Cole Robinson 2012-04-18 15:17:14 UTC
(In reply to comment #1) > I _just_ started seeing this on 17, though i'm sure I had firewalld running and > guest networking working for a while. > I think it's racy, not guaranteed to conflict depending on who starts first. Despite that, firewalld is on by default in f17, so that makes this a pretty serious issue. Requesting F17Blocker. I understand twoerner has a patch to have libvirt talk to firewalld rather than raw iptables calls. That might be our best bet for f17, unless someone has an alternative or hack that buys us some time.
Comment 3 Adam Williamson 2012-04-20 20:28:39 UTC
Discussed at 2012-04-20 blocker review meeting: http://meetbot.fedoraproject.org/fedora-bugzappers/2012-04-20/fedora-bugzappers.2012-04-20-17.01.log.txt . As things stand, we agree this constitutes a blocker of the criterion "The release must be able host virtual guest instances of the same release, using Fedora's current preferred virtualization technology" and is accepted as a blocker. There is a chance firewalld-as-default feature will be reverted, this is on the agenda for the next FESCo meeting: if this happens, this bug will stop being a blocker. We will revisit in that case.
Comment 4 Daniel Berrangé 2012-04-24 16:14:38 UTC
FYI upstream patch for libvirt to work with firewalld. There are a number of issues we're hitting with it though, not least x8 performance slowdown compared to existing using of iptables/ebtables commands https://www.redhat.com/archives/libvir-list/2012-April/msg01236.html
Comment 5 Tim Flink 2012-05-01 22:16:42 UTC
Since firewalld is not going to be on by default for F17  this bug is no longer a blocker - moving to rejected.  http://lists.fedoraproject.org/pipermail/devel/2012-April/166254.html
Comment 6 Adam Williamson 2012-05-16 06:17:55 UTC
clean-up. -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers
Comment 7 Matthew Woehlke 2012-08-06 20:23:36 UTC
(In reply to comment #5) > Since firewalld is not going to be on by default for F17  this bug is no > longer a blocker - moving to rejected. Eh? I don't recall asking for firewalld, but I have it. I had to: # firewall-cmd --add --interface=virbr1 ...before my guest could talk to my host. Seems like this bug?
Comment 8 Adam Williamson 2012-08-07 05:56:55 UTC
Matthew: depends when you installed F17, to a degree. It got made the default for a while, between Alpha and Final (I forget exactly when), then we went back to s-c-f as the default close to release. But if you happened to install during the period firewalld was set as default, you'll still have it; we didn't put in any package triggers to 'migrate' such systems back to s-c-f. If you want to go back to s-c-f manually, IIRC, you have to enable the iptables.service and iptables6.service services, run lokkit --enabled, and uninstall firewalld. I _think_ that's it, but that's just from memory.
Comment 9 Matthew Woehlke 2012-08-07 18:28:03 UTC
Ah, yes, that would be what happened... thanks for reminding me :-). (So... "rejected" just means as a blocker, I take it? Bug is still open, anyway, so I guess 'yes'.) Anyway, it's unclear from the report if the problem I am having is identical, but it seems likely. Basically, it seems that libvirt and/or firewalld need to interact better such that when libvirt creates a new virtual device (e.g. vnet*, virbr*) it can be automatically registered with firewalld. From doing the registration manually, I believe that would fix at least the problem I am having. (Note: simply controlling start-up order is insufficient, as virtual devices aren't necessarily created on boot. The user (VM admin) might enable/disable or even create/destroy virtual networks at any time.)
Comment 10 Adam Williamson 2012-08-07 23:56:36 UTC
matthew: yes, any stuff you see in bug reports about the blocker bug process just relates specifically to the blocker bug / release validation process; the bug remains open, it just means we aren't holding releases for the bug.
Comment 11 Adam Williamson 2012-08-07 23:58:22 UTC
But, now you mention it, let's re-propose this for F18, as firewalld is back to being the default. I'll have to check if this is still affecting out-of-the-box images when booted in virt-manager if I can ever build a bloody image that boots...
Comment 12 Adam Williamson 2012-08-16 16:12:03 UTC
Discussed at 2012-08-10 blocker review meeting. Agreed that we needed more time to evaluate this one.
Comment 13 Adam Williamson 2012-08-16 18:54:33 UTC
Discussed at 2012-08-16 blocker review meeting - http://meetbot.fedoraproject.org/fedora-bugzappers/2012-08-16/f18-alpha-blocker-review-3.2012-08-16-16.00.html . Again, we didn't get around to re-checking this yet; just needs someone to enable firewalld on an F18 system and check network status in a KVM guest.
Comment 14 Laine Stump 2012-08-17 02:20:15 UTC
It is still problematic; for example, if firewalld is restarted, it tosses out all of libvirt's iptables rules. twoerner and I are working on patches for libvirt to integrate with firewalld. Hopefully those can be pushed before the next upstream release of libvirt, which will likely be the version in F18.
Comment 15 Adam Williamson 2012-08-20 23:23:20 UTC
Discussed at 2012-08-20 QA meeting, acting as a blocker review meeting: http://meetbot.fedoraproject.org/fedora-meeting/2012-08-20/fedora-qa.2012-08-20-15.00.html . Accepted as a Beta blocker, as the relevant criterion - "The release must be able host virtual guest instances of the same release, using Fedora's current preferred virtualization technology" - is Beta, not Alpha.
Comment 16 Laine Stump 2012-08-22 15:16:39 UTC
Yesterday, I pushed patches (from twoerner and stefanb) to upstream libvirt which are at least a first cut at using firewalld for libvirt's iptables/ebtables needs, rather that going directly. There will be a new upstream libvrit release a week from today, and at that time a build will be made for both F18 and rawhide. This will need some serious testing, but the core code is there now. commit bf156385a031c0cafa8a068f6fbfc41fc9823a99 Author: Thomas Woerner <firstname.lastname@example.org> Date: Tue Aug 14 20:59:52 2012 +0200 network: use firewalld instead of iptables, when available commit 4efde75fab4633d35e70b96cb540e9a903eae1b9 Author: Stefan Berger <email@example.com> Date: Wed Aug 8 12:00:23 2012 -0400 nwfilter: provide basic support for firewalld These patches require a new selinux-policy to permit dbus communications by firewall-cmd when run in libvirt's confined environment. That patch is already in selinux-policy-3.11.1-9.fc18.noarch: Bug 848860
Comment 17 Frank Murphy 2013-03-25 08:18:39 UTC
Thought Closed: Have I got this bug? Thread here: https://lists.fedoraproject.org/pipermail/virt/2013-March/003608.html
Comment 18 Frank Murphy 2013-03-25 08:19:34 UTC
(In reply to comment #17) > Thought Closed: Have I got this bug? > Thread here: > https://lists.fedoraproject.org/pipermail/virt/2013-March/003608.html ~]# firewall-cmd --get-active-zones public: eth0 eth1 virbr0 ~$ rpm -qa | grep firewall firewalld-0.2.12-4.fc18.noarch firewall-applet-0.2.12-4.fc18.noarch firewall-config-0.2.12-4.fc18.noarch