Bug 831121 - app-emulation/libvirt: libvirtd should start after any firewall e.g. shorewall
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Matthias Maier
URL: https://github.com/vagrant-libvirt/va...
Reported: 2022-01-13 10:17 UTC by Bjoern Olausson
Modified: 2022-04-03 04:36 UTC

Description Bjoern Olausson 2022-01-13 10:17:30 UTC
Hej,

I just ran into a nasty issue: shorewall clears all iptables chains which have been created by libvirtd.

Libvirtd creates some iptables chains and e.g. vagrant will not play nice if those have been deleted.

If libvirtd is started after shorewall, everything works as expected.

/etc/init.d/libvirtd already contains a list of dependencies:
depend() {
        need virtlogd
        use ceph dbus iscsid virtlockd
        after cgconfig corosync ebtables iptables ip6tables nfs nfsmount ntp-client ntpd portmap rpc.statd sanlock xenconsoled
}

I would suggest adding shorewall to the "after" line
(maybe add other firewalls in the Gentoo tree as well).

Greetings,
Bjoern

Reproducible: Always

Steps to Reproduce:
/etc/init.d/shorewall stop
/etc/init.d/shorewall start
iptables-save | grep "LIBVIRT"
/etc/init.d/libvirtd restart
iptables-save | grep "LIBVIRT"
vagrant up
--> SUCCESS

/etc/init.d/shorewall stop
/etc/init.d/libvirtd restart
iptables-save | grep "LIBVIRT"
/etc/init.d/shorewall start
iptables-save | grep "LIBVIRT"
vagrant up
--> FAILURE

Actual Results:  
Failed to apply firewall rules /sbin/iptables -w --table filter --insert LIBVIRT_INP --in-interface virbr1 --protocol tcp --destination-port 67 --jump ACCEPT: iptables: No chain/target/match by that name.

Expected Results:  
Vagrant should start successfully and all the iptables chains created by libvirtd should be in place.
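
The `iptables-save | grep "LIBVIRT"` check from the reproduction steps, turned into a per-chain report; this is an added example, not part of the original report or of the libvirt package. Only LIBVIRT_INP appears in the report: the other chain names are an assumption about what libvirt's network driver creates, and the function and sample names are hypothetical.

```shell
# Added example: list expected libvirt chains that are absent from
# `iptables-save` output read on stdin. Chain list is an assumption; adjust.
LIBVIRT_CHAINS="filter:LIBVIRT_INP filter:LIBVIRT_OUT filter:LIBVIRT_FWO"
LIBVIRT_CHAINS="$LIBVIRT_CHAINS filter:LIBVIRT_FWI filter:LIBVIRT_FWX"
LIBVIRT_CHAINS="$LIBVIRT_CHAINS nat:LIBVIRT_PRT mangle:LIBVIRT_PRT"

# Prints "table:chain" per missing chain; exit status 1 if any is missing.
missing_libvirt_chains() {
    awk -v list="$LIBVIRT_CHAINS" '
        BEGIN { n = split(list, want, " ") }
        /^\*/ { table = substr($1, 2); next }        # "*filter" opens a table
        /^:/  { seen[table ":" substr($1, 2)] = 1 }  # ":CHAIN POLICY [pkts:bytes]"
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print want[i]; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: libvirtd was (re)started after the firewall.
sample_libvirtd_last() {
    cat <<'EOF'
*mangle
:LIBVIRT_PRT - [0:0]
COMMIT
*nat
:LIBVIRT_PRT - [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
-A INPUT -j LIBVIRT_INP
COMMIT
EOF
}

# Constructed sample: the firewall was (re)started last and flushed the chains.
sample_firewall_last() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
COMMIT
EOF
}
```

On a live host, run `iptables-save | missing_libvirt_chains` as root after any firewall restart; a non-zero exit status means libvirtd has to be restarted before guests can get their rules applied.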
Comment 1 Bjoern Olausson 2022-01-13 10:26:38 UTC
In case someone doesn't want to modify the libvirtd init script, shorewall can be added to the "boot" runlevel and libvirtd to the "default" runlevel (as a quick workaround).
Comment 2 Matthias Maier gentoo-dev 2022-01-13 10:39:26 UTC
It should be sufficient to simply add

  rc_after="shorewall"

to your /etc/conf.d/libvirtd configuration.
Comment 3 Bjoern Olausson 2022-01-13 12:25:54 UTC
Since libvirtd already contains "ebtables iptables ip6tables", it would make sense to add shorewall etc. as well.
Comment 4 Larry the Git Cow gentoo-dev 2022-04-03 04:36:02 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f80abc70fa18166129b827b6ed4c671cb5c656b0

commit f80abc70fa18166129b827b6ed4c671cb5c656b0
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-03 04:04:09 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-03 04:35:37 +0000

    app-emulation/libvirt: add 8.2.0
    
    * Add 8.2.0
    * Tighten up some lower bounds on dependencies
    * Add shorewall to init script 'after'
    
    Bug: https://bugs.gentoo.org/836128
    Closes: https://bugs.gentoo.org/833754
    Closes: https://bugs.gentoo.org/831121
    Signed-off-by: Sam James <sam@gentoo.org>

 app-emulation/libvirt/Manifest                |   2 +
 app-emulation/libvirt/files/libvirtd.init-r19 |   2 +-
 app-emulation/libvirt/libvirt-8.2.0.ebuild    | 336 ++++++++++++++++++++++++++
 app-emulation/libvirt/libvirt-9999.ebuild     |  52 ++--
 app-emulation/libvirt/metadata.xml            |   4 +
 5 files changed, 368 insertions(+), 28 deletions(-)