
Bug 1136227

Summary: Unable to start virtual machine due to iptables error
Product: Red Hat Enterprise Linux 7
Reporter: Francesco Romani <fromani>
Component: libvirt
Assignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED DUPLICATE
QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.0
CC: acathrow, gscrivan, mprivozn
Target Milestone: rc
Target Release: ---
Hardware: ppc64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-09-03 13:11:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
Domain XML of the failing VM (flags: none)

Description Francesco Romani 2014-09-02 08:15:59 UTC
Created attachment 933628: snippet of the libvirt logs documenting the failed VM startup

Description of problem:
On PPC64, when trying to start a VM, actually through oVirt/VDSM, libvirt fails to set up the iptables configuration and aborts the operation.

Relevant libvirt logs are attached

Version-Release number of selected component (if applicable):
libvirt-daemon-driver-network-1.1.3-1
iptables-1.4.18-1
ebtables-2.0.10-8

How reproducible:
100%


Steps to Reproduce:
1. boot a VM using the example configuration

Actual results:
VM starts


Expected results:
VM fails to start

Additional info:
qemu command line

LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-system-ppc64 -name awesome -S -machine pseries,accel=kvm,usb=off -m 4096 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 4eea0421-9ff3-4fdc-a87e-2103c2d0ef30 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/awesome.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=2014-09-02T07:57:41,driftfix=slew -no-shutdown -device pci-ohci,id=usb,bus=pci.0,addr=0x3 -device spapr-vscsi,id=scsi0,reg=0x2000 -device virtio-scsi-pci,id=scsi1,bus=pci.0,addr=0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x4 -drive file=/rhev/data-center/mnt/_var_lib_libvirt_images_realiso/740756e9-f45a-4c34-8147-f190937a6277/images/11111111-1111-1111-1111-111111111111/RHEL-7.0-20140507.0-Server-ppc64-boot.iso,if=none,id=drive-scsi0-0-0-0,readonly=on,format=raw,serial= -device scsi-cd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1 -drive file=/rhev/data-center/e61eb449-6f83-4127-8938-9ab620159d9b/d44dacb7-596d-4939-bb7d-2e2c262bb603/images/94d499f5-fdf3-464b-be06-28681003d4b3/d449d7db-6c51-491d-a1e5-f042b1320b4c,if=none,id=drive-virtio-disk0,format=raw,serial=94d499f5-fdf3-464b-be06-28681003d4b3,cache=none,werror=stop,rerror=stop,aio=threads -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=drive-virtio-disk0,id=virtio-disk0 -netdev tap,fd=22,id=hostnet0,vhost=on,vhostfd=23 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:1a:4a:e6:8f:15,bus=pci.0,addr=0x1 -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/channels/4eea0421-9ff3-4fdc-a87e-2103c2d0ef30.com.redhat.rhevm.vdsm,server,nowait -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.rhevm.vdsm -chardev socket,id=charchannel1,path=/var/lib/libvirt/qemu/channels/4eea0421-9ff3-4fdc-a87e-2103c2d0ef30.org.qemu.guest_agent.0,server,nowait -device 
virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel1,id=channel1,name=org.qemu.guest_agent.0 -device usb-tablet,id=input0 -device usb-kbd,id=input1 -device usb-mouse,id=input2 -vnc 0:0,password -k en-us -device VGA,id=video0,bus=pci.0,addr=0x6 -usbdevice keyboard

iptables state after the failed launch:
# iptables -n -L -v
Chain INPUT (policy ACCEPT 7086 packets, 757K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  virbr1 virbr1  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr1  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 5798 packets, 5682K bytes)
 pkts bytes target     prot opt in     out     source               destination

Comment 2 Francesco Romani 2014-09-02 08:32:01 UTC
Created attachment 933652: Domain XML of the failing VM

Comment 3 Giuseppe Scrivano 2014-09-02 10:38:42 UTC
I've tried to quickly reproduce this issue on a machine without oVirt, and I had to replace the "<filterref filter="vdsm-no-mac-spoofing"/>" in the original configuration with "<filterref filter='clean-traffic'/>" (for the sake of a quick test) to let it run.

Could you please try with the same test on your machine and see if it makes any difference and if the filter is causing this problem?
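
The filterref swap described in Comment 3, as an added example that is not part of the bug report or of libvirt/VDSM code: it lists the nwfilters a domain XML references, flags any that are not among the filters defined on the host, and produces the test copy with the filter replaced. The sample XML and the host filter list are constructed; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the domain discussed in the bug; the real
# attachment is not reproduced on the page. Name and MAC are from the qemu line.
SAMPLE_DOMAIN_XML = """\
<domain type='kvm'>
  <name>awesome</name>
  <devices>
    <interface type='bridge'>
      <mac address='00:1a:4a:e6:8f:15'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
    </interface>
  </devices>
</domain>
"""


def list_filterrefs(domain_xml):
    """Return [(mac, filter_name)] for each interface that references an nwfilter."""
    refs = []
    for iface in ET.fromstring(domain_xml).findall("./devices/interface"):
        ref, mac = iface.find("filterref"), iface.find("mac")
        if ref is not None:
            refs.append((mac.get("address") if mac is not None else None,
                         ref.get("filter")))
    return refs


def undefined_filters(domain_xml, defined):
    """Referenced filters that are absent from the host's defined filter names."""
    return sorted({name for _, name in list_filterrefs(domain_xml)} - set(defined))


def swap_filterref(domain_xml, old, new):
    """Return a copy of the domain XML with filterref `old` replaced by `new`."""
    root = ET.fromstring(domain_xml)
    for ref in root.iter("filterref"):
        if ref.get("filter") == old:
            ref.set("filter", new)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Assumed host state: names as `virsh nwfilter-list` would print them.
    host_filters = ["clean-traffic", "no-mac-spoofing"]
    print("referenced:", list_filterrefs(SAMPLE_DOMAIN_XML))
    print("undefined on host:", undefined_filters(SAMPLE_DOMAIN_XML, host_filters))
    print(swap_filterref(SAMPLE_DOMAIN_XML, "vdsm-no-mac-spoofing", "clean-traffic"))
```

Running the same check on the swapped copy shows whether the test domain still depends on any filter the host does not define.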