Bug 978454 - virt-install and virt-manager don't tweak iptables for -w bridge=X option
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: virt-manager
Version: 19
Hardware: Unspecified
OS: Unspecified
Assignee: Cole Robinson
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-06-26 16:22 UTC by Konrad Rzeszutek Wilk
Modified: 2013-08-31 16:24 UTC (History)

Doc Type: Bug Fix
Last Closed: 2013-08-31 16:24:29 UTC
Type: Bug


Attachments:
virt-manager configuration of a switch (51.75 KB, image/png), 2013-06-26 16:22 UTC, Konrad Rzeszutek Wilk
Guest 'journalctl' when it could not get a DHCP address. (55.03 KB, image/png), 2013-06-26 16:22 UTC, Konrad Rzeszutek Wilk

Description Konrad Rzeszutek Wilk 2013-06-26 16:22:02 UTC
Created attachment 765686
virt-manager configuration of a switch

Description of problem:

I tried installing a guest using -w bridge=switch and the guest could not get a DHCP address.

Then I did 'iptables -F' and suddenly the guest could get the DHCP address.

This problem shows up if I use virt-manager (see attached image of configuration) or virt-install:


virt-install -l http://192.168.2.251/tftpboot/lab/tst031/f19-x86_64 --ram 1024 --disk /dev/vg_guests/guest2 --name F19-64 -w bridge=switch


[root@tst031 network-scripts]# cat ifcfg-switch 
DEVICE=switch
TYPE=Bridge
BOOTPROTO=dhcp
ONBOOT=yes
DELAY=0
USERCTL=no
NM_CONTROLLED=no
[root@tst031 network-scripts]# cat ifcfg-em1
# Generated by dracut initrd
DEVICE="em1"
ONBOOT=yes
BOOTPROTO=none
BRIDGE="switch"
UUID="d211e3b6-e501-4126-a1c2-6e838a0e2e5b"
HWADDR="00:22:4d:69:de:00"
TYPE=Ethernet
NAME="em1"

[root@tst031 network-scripts]# brctl show
bridge name     bridge id               STP enabled     interfaces
switch          0080.00224d69de00       no              em1
                                                        vif4.0
virbr0          8000.000000000000       yes

iptables:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
49451  157M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    2   120 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  110 21761 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  110 21761 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    9   720 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
   63 11577 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   44  9077 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   44  9077 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   44  9077 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
   44  9077 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 135 packets, 73970 bytes)
 pkts bytes target     prot opt in     out     source               destination         
58258   65M OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_ZONE_public  all  --  p1p2   *       0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 FWDI_ZONE_public  all  --  p1p1   *       0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 FWDI_ZONE_public  all  --  em1    *       0.0.0.0/0            0.0.0.0/0           [goto] 
   44  9077 FWDI_ZONE_public  all  --  switch *       0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 FWDI_ZONE_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_ZONE_public  all  --  *      p1p2    0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 FWDO_ZONE_public  all  --  *      p1p1    0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 FWDO_ZONE_public  all  --  *      em1     0.0.0.0/0            0.0.0.0/0           [goto] 
   44  9077 FWDO_ZONE_public  all  --  *      switch  0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 FWDO_ZONE_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_ZONE_public (5 references)
 pkts bytes target     prot opt in     out     source               destination         
   44  9077 FWDI_ZONE_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   44  9077 FWDI_ZONE_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   44  9077 FWDI_ZONE_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDI_ZONE_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_ZONE_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_ZONE_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_ZONE_external (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_ZONE_external_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_ZONE_external_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_ZONE_external_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDO_ZONE_external_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDO_ZONE_external_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_ZONE_external_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_ZONE_public (5 references)
 pkts bytes target     prot opt in     out     source               destination         
   44  9077 FWDO_ZONE_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   44  9077 FWDO_ZONE_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   44  9077 FWDO_ZONE_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDO_ZONE_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_ZONE_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_ZONE_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   53  5337 IN_ZONE_public  all  --  p1p2   *       0.0.0.0/0            0.0.0.0/0           [goto] 
   11  3173 IN_ZONE_public  all  --  p1p1   *       0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 IN_ZONE_public  all  --  em1    *       0.0.0.0/0            0.0.0.0/0           [goto] 
   37 11452 IN_ZONE_public  all  --  switch *       0.0.0.0/0            0.0.0.0/0           [goto] 
    9  1799 IN_ZONE_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_ZONE_dmz (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_ZONE_dmz_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_ZONE_dmz_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_ZONE_dmz_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_ZONE_dmz_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Chain IN_ZONE_dmz_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_ZONE_dmz_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_ZONE_external (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_ZONE_external_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_ZONE_external_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_ZONE_external_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_ZONE_external_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Chain IN_ZONE_external_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_ZONE_external_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_ZONE_home (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_ZONE_home_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_ZONE_home_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_ZONE_home_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_ZONE_home_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:631 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138 ctstate NEW

Chain IN_ZONE_home_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_ZONE_home_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_ZONE_internal (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_ZONE_internal_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_ZONE_internal_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_ZONE_internal_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_ZONE_internal_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:631 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138 ctstate NEW

Chain IN_ZONE_internal_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_ZONE_internal_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_ZONE_public (5 references)
 pkts bytes target     prot opt in     out     source               destination         
  110 21761 IN_ZONE_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  110 21761 IN_ZONE_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  110 21761 IN_ZONE_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_ZONE_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
   36  9344 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW

Chain IN_ZONE_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_ZONE_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_ZONE_work (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_ZONE_work_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_ZONE_work_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_ZONE_work_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_ZONE_work_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:631 ctstate NEW

Chain IN_ZONE_work_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_ZONE_work_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Version-Release number of selected component (if applicable):

[root@tst031 network-scripts]# rpm -qa | grep virt
virt-install-0.10.0-0.5.gitde1695b2.fc19.noarch
libvirt-daemon-xen-1.0.5.1-1.fc19.x86_64
libvirt-daemon-driver-nwfilter-1.0.5.1-1.fc19.x86_64
libvirt-daemon-config-network-1.0.5.1-1.fc19.x86_64
libvirt-daemon-driver-secret-1.0.5.1-1.fc19.x86_64
libvirt-client-1.0.5.1-1.fc19.x86_64
libvirt-gobject-0.1.6-1.fc19.x86_64
libvirt-daemon-1.0.5.1-1.fc19.x86_64
virt-viewer-0.5.6-1.fc19.x86_64
libvirt-daemon-driver-nodedev-1.0.5.1-1.fc19.x86_64
libvirt-daemon-kvm-1.0.5.1-1.fc19.x86_64
virt-manager-0.10.0-0.5.gitde1695b2.fc19.noarch
libvirt-daemon-driver-qemu-1.0.5.1-1.fc19.x86_64
virt-manager-common-0.10.0-0.5.gitde1695b2.fc19.noarch
libvirt-daemon-driver-libxl-1.0.5.1-1.fc19.x86_64
libvirt-glib-0.1.6-1.fc19.x86_64
libgovirt-0.0.3-2.fc19.x86_64
libvirt-daemon-driver-storage-1.0.5.1-1.fc19.x86_64
libvirt-daemon-driver-interface-1.0.5.1-1.fc19.x86_64
libvirt-daemon-driver-network-1.0.5.1-1.fc19.x86_64
libvirt-gconfig-0.1.6-1.fc19.x86_64
libvirt-python-1.0.5.1-1.fc19.x86_64
libvirt-daemon-driver-xen-1.0.5.1-1.fc19.x86_64

How reproducible:

100%

Steps to Reproduce:
1. Set up a bridge, say called 'switch'
2. Run virt-install with -w bridge=switch, like so:
 virt-install -l http://192.168.2.251/tftpboot/lab/tst031/f19-x86_64 --ram 1024 --disk /dev/vg_guests/guest2 --name F19-64  -w bridge=switch

3. See the guest not being able to get DHCP addresses.

Actual results:

See attached screenshot of virt-viewer (sorry, can't copy-n-paste it)

Expected results:

A normal installation

Additional info:

If I do 'iptables -F' it works :-)

Comment 1 Konrad Rzeszutek Wilk 2013-06-26 16:22:47 UTC
Created attachment 765687
Guest 'journalctl' when it could not get a DHCP address.

Comment 2 Konrad Rzeszutek Wilk 2013-06-26 16:29:34 UTC
Bug 978443 got me changing my default bridge to use 'xenbr0' and sure enough if I use that it works great!

 virt-install -l http://192.168.2.251/tftpboot/lab/tst031/f19-x86_64 --ram 1024 --disk /dev/vg_guests/guest2 --name F19-64 --force -w bridge=xenbr0

Comment 3 Cole Robinson 2013-08-31 16:24:29 UTC
Yeah, libvirt only touches iptables if you use the virtual network integration. If you tell it to use a raw bridge it won't touch anything. xenbr0 should already be the default for virt-install xen, maybe something broke there.
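
The rule listing in the description can be traced mechanically to see which rule stops guest traffic on the raw bridge. The following is an added example, not code from the report or from libvirt: it parses a constructed excerpt of the reporter's `iptables -L -v -n` rows and returns the first terminating rule that a new packet bridged across `switch` hits in FORWARD. It assumes bridged frames traverse FORWARD (the non-zero counters on the `switch` rows suggest they do), models the DHCP request as a NEW UDP packet, and handles only protocol, interface, address and ctstate matches; `parse`, `walk` and `DHCP` are names chosen here.

```python
import ipaddress
import re

# Constructed excerpt: rows trimmed from the `iptables -L -v -n` listing in the report.
RULES = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
 44 9077 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
 44 9077 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD_IN_ZONES (1 references)
 44 9077 FWDI_ZONE_public all -- switch * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FWDI_ZONE_public (5 references)
 44 9077 FWDI_ZONE_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_ZONE_public_allow (1 references)
"""
KEYS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst")
# Assumed packet: a new DHCP request bridged from one port of `switch` to another.
DHCP = {"in": "switch", "out": "switch", "proto": "udp",
        "src": "0.0.0.0", "dst": "255.255.255.255", "state": "NEW"}

def parse(text):
    """Map chain name -> list of rule dicts (column header rows are skipped)."""
    chains, cur = {}, None
    for f in map(str.split, text.splitlines()):
        if f and f[0] == "Chain":
            cur = chains.setdefault(f[1], [])
        elif f and f[0] != "pkts":
            cur.append(dict(zip(KEYS, f[:9]), extra=" ".join(f[9:])))
    return chains

def iface_ok(pattern, name):
    if pattern.endswith("+"):  # iptables prefix wildcard, e.g. "+" or "vif+"
        return name.startswith(pattern[:-1])
    return pattern in ("*", name)

def matches(rule, pkt):
    """Protocol, interface, address and ctstate matches only (no negation)."""
    state = re.search(r"ctstate (\S+)", rule["extra"])
    return (rule["prot"] in ("all", pkt["proto"])
            and iface_ok(rule["in"], pkt["in"]) and iface_ok(rule["out"], pkt["out"])
            and all(ipaddress.ip_address(pkt[k]) in ipaddress.ip_network(rule[k])
                    for k in ("src", "dst"))
            and (not state or pkt["state"] in state.group(1).split(",")))

def walk(chains, name, pkt):
    """Return (chain, target, options, pkts counter) of the first verdict, else None."""
    for rule in (r for r in chains[name] if matches(r, pkt)):
        if rule["target"] in ("ACCEPT", "REJECT", "DROP"):
            return name, rule["target"], rule["extra"], rule["pkts"]
        if rule["target"] in chains:
            hit = walk(chains, rule["target"], pkt)
            if hit or "[goto]" in rule["extra"]:
                return hit  # after a goto, falling off the end returns to our caller
    return None
```

`walk(parse(RULES), "FORWARD", DHCP)` stops at the final REJECT in FORWARD, whose counter matches the 44 packets that entered the zone chains through `switch`; a packet arriving on `virbr0` from 192.168.122.0/24 stops at the `virbr0` ACCEPT rule instead.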

