Description of problem: iptables has been renamed to iptables-legacy in this case, libvirtd cannot find the iptables binary. libvirtd doesn't start and "virsh net-start default" shows the error *this is an upgraded system, not fresh install. Version-Release number of selected component (if applicable): ~]$ rpm -qa | grep -E "libvirt|iptables|nft" | sort iptables-compat-1.8.7-4.fc34.x86_64 iptables-legacy-1.8.7-4.fc34.x86_64 iptables-legacy-libs-1.8.7-4.fc34.x86_64 iptables-libs-1.8.7-4.fc34.x86_64 iptables-services-1.8.7-4.fc34.x86_64 iptables-utils-1.8.7-4.fc34.x86_64 libnftnl-1.1.9-2.fc34.x86_64 libvirt-7.0.0-4.fc34.x86_64 libvirt-bash-completion-7.0.0-4.fc34.x86_64 libvirt-client-7.0.0-4.fc34.x86_64 libvirt-daemon-7.0.0-4.fc34.x86_64 libvirt-daemon-config-network-7.0.0-4.fc34.x86_64 libvirt-daemon-config-nwfilter-7.0.0-4.fc34.x86_64 libvirt-daemon-driver-interface-7.0.0-4.fc34.x86_64 libvirt-daemon-driver-libxl-7.0.0-4.fc34.x86_64 libvirt-daemon-driver-lxc-7.0.0-4.fc34.x86_64 libvirt-daemon-driver-network-7.0.0-4.fc34.x86_64 libvirt-daemon-driver-nodedev-7.0.0-4.fc34.x86_64 libvirt-daemon-driver-nwfilter-7.0.0-4.fc34.x86_64 libvirt-daemon-driver-qemu-7.0.0-4.fc34.x86_64 libvirt-daemon-driver-secret-7.0.0-4.fc34.x86_64 libvirt-daemon-driver-storage-7.0.0-4.fc34.x86_64 libvirt-daemon-driver-storage-core-7.0.0-4.fc34.x86_64 libvirt-daemon-driver-storage-disk-7.0.0-4.fc34.x86_64 libvirt-daemon-driver-storage-gluster-7.0.0-4.fc34.x86_64 libvirt-daemon-driver-storage-iscsi-7.0.0-4.fc34.x86_64 libvirt-daemon-driver-storage-iscsi-direct-7.0.0-4.fc34.x86_64 libvirt-daemon-driver-storage-logical-7.0.0-4.fc34.x86_64 libvirt-daemon-driver-storage-mpath-7.0.0-4.fc34.x86_64 libvirt-daemon-driver-storage-rbd-7.0.0-4.fc34.x86_64 libvirt-daemon-driver-storage-scsi-7.0.0-4.fc34.x86_64 libvirt-daemon-driver-storage-sheepdog-7.0.0-4.fc34.x86_64 libvirt-daemon-driver-storage-zfs-7.0.0-4.fc34.x86_64 libvirt-daemon-driver-vbox-7.0.0-4.fc34.x86_64 libvirt-daemon-kvm-7.0.0-4.fc34.x86_64 libvirt-daemon-qemu-7.0.0-4.fc34.x86_64 libvirt-gconfig-4.0.0-1.fc34.x86_64 libvirt-glib-4.0.0-1.fc34.x86_64 libvirt-gobject-4.0.0-1.fc34.x86_64 libvirt-libs-7.0.0-4.fc34.x86_64 nftables-0.9.8-2.fc34.x86_64 python3-libvirt-7.0.0-2.fc34.x86_64 python3-nftables-0.9.8-2.fc34.x86_64 How reproducible: with the iptables-legacy packages installed, virsh net-start default or systemctl restart libvirtd Actual results: [root@little lethalwp]# virsh net-start default error: Failed to start network default error: internal error: Failed to initialize a valid firewall backend [root@little lethalwp]# systemctl restart libvirtd [root@little lethalwp]# systemctl status libvirtd ● libvirtd.service - Virtualization daemon Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled) Active: active (running) since Sun 2021-03-21 12:06:11 CET; 3s ago TriggeredBy: ● libvirtd.socket ● libvirtd-admin.socket ● libvirtd-ro.socket Docs: man:libvirtd(8) https://libvirt.org Main PID: 6347 (libvirtd) Tasks: 19 (limit: 32768) Memory: 13.1M CPU: 236ms CGroup: /system.slice/libvirtd.service └─6347 /usr/sbin/libvirtd --timeout 120 mar 21 12:06:11 little.lethalwp systemd[1]: Starting Virtualization daemon... mar 21 12:06:11 little.lethalwp systemd[1]: Started Virtualization daemon. mar 21 12:06:11 little.lethalwp libvirtd[6370]: libcap-ng used by "/usr/sbin/libvirtd" failed due to not having CAP_SETPCAP in capng_apply mar 21 12:06:11 little.lethalwp libvirtd[6372]: libcap-ng used by "/usr/sbin/libvirtd" failed due to not having CAP_SETPCAP in capng_apply mar 21 12:06:11 little.lethalwp libvirtd[6347]: libvirt version: 7.0.0, package: 4.fc34 (Fedora Project, 2021-02-03-20:03:12, ) mar 21 12:06:11 little.lethalwp libvirtd[6347]: hostname: little.lethalwp mar 21 12:06:11 little.lethalwp libvirtd[6347]: /usr/sbin/iptables not available, firewall backend will not function: No such file or directory mar 21 12:06:11 little.lethalwp libvirtd[6347]: internal error: Failed to initialize a valid firewall backend Expected results: libvirt running. missing symlink to iptables-legacy?
workaround: manually install the dependancy: iptables-nft-1.8.7-4.fc34.x86_64 so the dependency must be missing from the libvirtd rpm.
I had thought that the various iptables-* variants were all supposed to provide "iptables", so that a package that required "some implementation of iptables" could just say "Requires: iptables" rather than needing to guess about which variant was in use on which version of which distro (and that doesn't even account for people who purposefully install iptables-legacy rather than iptables-nft". I looked in the fedora-devel archives and there seems to be discussion about this exact issue, but it seems that in the end it wasn't resolved in the way that (for example) psutter envisioned it: https://www.spinics.net/lists/fedora-devel/msg264647.html (I didn't follow that thread through to the end though, so maybe his thinking changed since then) - it's Sunday and there is a construction project awaiting in the back yard!) So what is the new approved method of specifying "We need some implementation of iptables" in a specfile that will work for everyone?
/usr/sbin/iptables and /usr/sbin/ip6tables are missing in iptables-1.8.7-4.fc34.x86_64. I have tested downgrading to iptables-1.8.7-3.fc34 where the binaries are present. After rebooting the zone libvirt was active, so it indeed is the root cause.
(In reply to lethalwp from comment #1) > workaround: > manually install the dependancy: > iptables-nft-1.8.7-4.fc34.x86_64 > > so the dependency must be missing from the libvirtd rpm. I have tested the workaround - it didn't solve the problem in my case ... I suggest to provide the same bins/files in version iptables-1.8.7-4.fc34.x86_64 as in version iptables-1.8.7-3.fc34.x86_64.
*** Bug 1941583 has been marked as a duplicate of this bug. ***
Hi, /usr/sbin/iptables is not directly part of iptables-legacy (or the older iptables) package: It is a symlink managed by alternatives. Looks like I managed to break registration with the latter with the package rename, iptables package assumes it's uninstalled and unregisters itself after iptables-legacy has been installed. I'm still searching for a solution, just wanted to clarify the situation here. Thanks, Phil
@Laine : Hi Laine ! You have changed the title to "iptables-legacy package is missing" which might be a bit misleading ... the iptables-legacy package is installed. Please find some details below : $ sudo alternatives --list | grep tables ebtables auto /usr/sbin/ebtables-legacy $ sudo dnf list installed | grep iptables iptables-compat.x86_64 1.8.7-4.fc34 iptables-legacy.x86_64 1.8.7-4.fc34 iptables-legacy-libs.x86_64 1.8.7-4.fc34 iptables-libs.x86_64 1.8.7-4.fc34 iptables-utils.x86_64 1.8.7-4.fc34 $ sudo locate /usr/sbin/ip /usr/sbin/ip /usr/sbin/ip6tables-apply /usr/sbin/ip6tables-legacy /usr/sbin/ip6tables-legacy-restore /usr/sbin/ip6tables-legacy-save /usr/sbin/ipmaddr /usr/sbin/ipset /usr/sbin/iptables-apply /usr/sbin/iptables-legacy /usr/sbin/iptables-legacy-restore /usr/sbin/iptables-legacy-save /usr/sbin/iptstate /usr/sbin/iptunnel $ sudo systemctl status libvirtd.service ● libvirtd.service - Virtualization daemon Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled) Active: active (running) since Mon 2021-03-22 17:35:40 CET; 2s ago TriggeredBy: ● libvirtd-ro.socket ● libvirtd-admin.socket ● libvirtd.socket Docs: man:libvirtd(8) https://libvirt.org Main PID: 2763 (libvirtd) Tasks: 19 (limit: 32768) Memory: 11.6M CPU: 125ms CGroup: /system.slice/libvirtd.service └─2763 /usr/sbin/libvirtd --timeout 120 Mär 22 17:35:40 ******** systemd[1]: Starting Virtualization daemon... Mär 22 17:35:40 ******** systemd[1]: Started Virtualization daemon. Mär 22 17:35:40 ******** libvirtd[2785]: libcap-ng used by "/usr/sbin/libvirtd" failed due to not having CAP_SETPCAP in capng_apply Mär 22 17:35:40 ******** libvirtd[2787]: libcap-ng used by "/usr/sbin/libvirtd" failed due to not having CAP_SETPCAP in capng_apply Mär 22 17:35:40 ******** libvirtd[2763]: libvirt version: 7.0.0, package: 4.fc34 (Fedora Project, 2021-02-03-20:03:12, ) Mär 22 17:35:40 ******** libvirtd[2763]: hostname: cl-fs-01 Mär 22 17:35:40 ******** libvirtd[2763]: /usr/sbin/iptables not available, firewall backend will not function: No such file or directory Mär 22 17:35:40 ******** libvirtd[2763]: internal error: Failed to initialize a valid firewall backend $ sudo virsh net-info default Name: default UUID: 64ec1649-d783-43f8-8f3d-a3dcd3c2d472 Active: no Persistent: yes Autostart: yes Bridge: virbr0 $ sudo virsh net-list --all Name State Autostart Persistent ---------------------------------------------- default inactive yes yes
(In reply to Phil Sutter from comment #6) > Hi, > > /usr/sbin/iptables is not directly part of iptables-legacy (or the older > iptables) package: It is a symlink managed by alternatives. Looks like I > managed to break registration with the latter with the package rename, > iptables > package assumes it's uninstalled and unregisters itself after iptables-legacy > has been installed. > > I'm still searching for a solution, just wanted to clarify the situation > here. > > Thanks, Phil Hi Phil ! Wouldn't it be the most easy solution to just stick with the "old" bins/files/packages names ?
> Hi Laine ! You have changed the title to "iptables-legacy package is missing" which might be a bit misleading ... the iptables-legacy package is installed. A missing quote in my change caused you to misunderstand the new title. It is not saying that the iptable-legacy package itself is missing, but is instead saying that the iptables-legacy package is missing a "Provides: iptables" in its specfile, which *I thought* was what Phil said during an IRC discussion is what is needed to solve the problem (but from Comment 6 it sounds like I may be assuming too much; if so Phil can of course change the title to be more accurate!)
Same problem here. I use your workaround and solved this problem. Thank you. (In reply to lethalwp from comment #1) > workaround: > manually install the dependancy: > iptables-nft-1.8.7-4.fc34.x86_64 > > so the dependency must be missing from the libvirtd rpm.
(In reply to Laine Stump from comment #9) > > Hi Laine ! You have changed the title to "iptables-legacy package is missing" which might be a bit misleading ... the iptables-legacy package is installed. > > A missing quote in my change caused you to misunderstand the new title. It > is not saying that the iptable-legacy package itself is missing, but is > instead saying that the iptables-legacy package is missing a "Provides: > iptables" in its specfile, which *I thought* was what Phil said during an > IRC discussion is what is needed to solve the problem (but from Comment 6 it > sounds like I may be assuming too much; if so Phil can of course change the > title to be more accurate!) Thanks for clarification, Laine ! Yes, I seem to have misunderstood it.