Bug 1692972 - "firewall direct interface" auth prompt on launch
Summary: "firewall direct interface" auth prompt on launch
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 30
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: openqa
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-03-26 19:19 UTC by Adam Williamson
Modified: 2019-03-29 19:19 UTC (History)
15 users (show)

Fixed In Version: libvirt-5.1.0-3.fc30
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-03-29 19:19:09 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Adam Williamson 2019-03-26 19:19:24 UTC
On launch of Boxes on Fedora 30 and Rawhide, an authentication prompt for "firewall direct interface" appears. This started happening between Fedora-30-20190301.n.0 and Fedora-30-20190312.n.0, it seems. I'm not sure whether it's intended / expected?

Comment 1 Christophe Fergeau 2019-03-27 08:24:43 UTC
This is a libvirt regression, I think you'll get the prompt too if you interact with qemu:///session with virsh. libvirt people are aware of it.

Comment 2 Fedora Update System 2019-03-27 09:12:01 UTC
libvirt-5.1.0-3.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-f3e6d3e0a5

Comment 3 Daniel Berrangé 2019-03-27 09:13:27 UTC
Upstream fix is

commit 3e02ee9b5da7fc7197aaa6d57563349a7670b8a1 (origin/v5.1.0-maint, v5.1.0-maint)
Author: Daniel P. Berrangé <berrange>
Date:   Wed Mar 13 16:21:15 2019 +0000

    network: avoid trying to create global firewall rules if unprivileged
    
    The unprivileged libvirtd does not have permission to create firewall
    rules, or bridge devices, or do anything to the host network in
    general. Historically we still activate the network driver though and
    let the network start API call fail.
    
    The startup code path which reloads firewall rules on active networks
    would thus effectively be a no-op when unprivileged as it is impossible
    for there to be any active networks
    
    With the change to use a global set of firewall chains, however, we now
    have code that is run unconditionally.
    
    Ideally we would not register the network driver at all when
    unprivileged, but the entanglement with the virt drivers currently makes
    that impractical. As a temporary hack, we just make the firewall reload
    into a no-op.
    
    Signed-off-by: Daniel P. Berrangé <berrange>

Comment 4 Fedora Update System 2019-03-29 19:19:09 UTC
libvirt-5.1.0-3.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.