Bug 1699051 - libvirt installs firewalld zonefile that uses rule priorities, which aren't yet supported by F30 firewalld
Summary: libvirt installs firewalld zonefile that uses rule priorities, which aren't y...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 30
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1704438 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-04-11 15:59 UTC by Laine Stump
Modified: 2019-06-06 01:06 UTC (History)
16 users (show)

Fixed In Version: libvirt-5.1.0-8.fc30
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-06 01:06:31 UTC
Type: Bug


Attachments (Terms of Use)

Description Laine Stump 2019-04-11 15:59:36 UTC
When support was added for firewalld using an nftables backend, part of the implementation required adding a new firewalld zonefile called "libvirt" that uses a new firewalld feature - the ability to set a priority for each rich rule in a zone.

Anticipating that some distros would get an updated libvirt package before they got an updated firewalld package, the support for the libvirt zonefile was made contingent on a --with-firewalld-zone configure option. In the libvirt.spec file, we set this flag on if the Fedora version was 30+ (since the F30 release was at that time several months in the future), but the GA of F30 is now imminent, and the F30 firewalld package hasn't yet been updated to support rich rule priorities (most likely because there hasn't been a new upstream release of firewalld since that feature was added.

The presence of the libvirt zonefile in a system that has a firewalld that doesn't support rich rule priorities will result in this error message every time firewalld is started/restarted:

firewalld[13355]: ERROR: Failed to load zone file '/usr/lib/firewalld/zones/libvirt.xml': PARSE_ERROR: rule: Unexpected attribute priority


Since the F30 firewalld has a patch to make iptables the default backend, the libvirt zone isn't needed for proper networking, so there is no *functional* problem, but users may be confused by the above error message and unnecessarily file bug reports. So we could decide to continue installing the libvirt zonefile (in anticipation of the F30 firewalld being updated to support rich rule priorities), or we could decide to patch the libvirt.spec to only install the libvirt zonefile for F31+, and avoid the error logs (if we do this, we should probably do it upstream and backport the patch rather than just making it a downstream patch).

Comment 1 Laine Stump 2019-04-11 18:32:17 UTC
I pushed this upstream:

commit 65b08aff08df4eb9593620274e5a09e1b92f24aa
Author: Laine Stump <laine@laine.org>
Date:   Thu Apr 11 12:53:54 2019 -0400

    build: set --without-firewalld-zone in configure commandline for Fedora 30
    

It's been verified in an IRC discussion that firewalld will be staying with iptables (and won't get rule priorities) on F30, so this same patch should be applied to the libvirt.spec file in Fedora git.

Comment 2 Eric Garver 2019-04-29 18:39:17 UTC
*** Bug 1704438 has been marked as a duplicate of this bug. ***

Comment 3 Fedora Update System 2019-05-29 19:35:57 UTC
FEDORA-2019-6aa8bc010f has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6aa8bc010f

Comment 4 Adam Williamson 2019-05-29 19:38:56 UTC
I just did the same change on the f30 package branch and built it, and submitted an update. It didn't seem worth changing the other branches as the change won't really do anything there...

Comment 5 Fedora Update System 2019-05-30 13:58:16 UTC
libvirt-5.1.0-7.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6aa8bc010f

Comment 6 Fedora Update System 2019-05-31 16:42:09 UTC
FEDORA-2019-6aa8bc010f has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6aa8bc010f

Comment 7 Fedora Update System 2019-06-01 01:34:54 UTC
libvirt-5.1.0-8.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6aa8bc010f

Comment 8 Fedora Update System 2019-06-06 01:06:31 UTC
libvirt-5.1.0-8.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.