libvirt-daemon-system and iptables dependency
#1 Post by pled »

Hi,
Sorry if my question is stupid. I am not sure the following is relevant, but I just want to help in case it is.

I am running Debian bookworm, and I faced the issue where, after removing iptables (I wanted to use only nftables), my VMs stopped working, as the virtual network could not start, with the following error:

Code:

$ sudo virsh net-start default
error: Failed to start network default
error: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --list-rules: libvirt:  error : cannot execute binary /usr/sbin/iptables: No such file or directory

Searching for a solution, I found information about libvirt-daemon-system's dependency on iptables. So far so good.

My question is about the dependency and the ability to remove iptables without any warning about libvirt.

If I look at the libvirt-daemon-system dependencies:

Code:

Depends: adduser, gettext-base, iptables | firewalld, libvirt-clients (= 8.5.0-1), libvirt-daemon (= 8.5.0-1), libvirt-daemon-config-network (= 8.5.0-1), libvirt-daemon-config-nwfilter (= 8.5.0-1), libvirt-daemon-system-systemd (= 8.5.0-1) | libvirt-daemon-system-sysv (= 8.5.0-1), logrotate, policykit-1, debconf (>= 0.5) | debconf-2.0

It says "iptables OR firewalld" ...

So I don't know whether it is relevant to file a bug: when removing iptables, a warning should be raised if libvirt-daemon-system is installed on the system. More than this (but it may be related), the dependency displayed should not be "iptables | firewalld", as "iptables" is clearly required to create netfilter rules.

Hope that helps.

#2 Post by Head_on_a_Stick »

The firewalld package lists iptables as a dependency.

EDIT: sorry, that's for the bullseye package. See below.
Last edited by Head_on_a_Stick on 2022-08-18 17:00, edited 1 time in total.

#3 Post by L_V »

Not a dependency -> recommends only.

firewalld

Code:

Depends: dbus gir1.2-glib-2.0 gir1.2-nm-1.0 policykit-1 python3-dbus python3-gi python3-nftables python3-firewall python3:any
Recommends: ipset iptables python3-cap-ng

firewalld uses nftables as default; python3-nftables is a dependency.

python3-nftables

Code:

Depends: libnftables1 python3-jsonschema python3:any

iptables is being replaced by nftables starting with Debian Buster.

#4 Post by CwF »

L_V wrote (2022-08-18 15:55): "iptables is being replaced by nftables starting with Debian Buster"

I've mentioned this a few times. Regardless of packaging discrepancies, iptables is still a dependency. Maybe a debtree map will catch it. Testing is not always fully reconciled!

The same thing happened in Buster, you could remove it, and break it without warning.

#5 Post by L_V »

CwF wrote (2022-08-18 16:51): "iptables is still a dependency."

You need to be more accurate: a dependency of precisely what?
I use nftables, and don't have iptables installed.

Debian recommendation: "users are strongly encouraged to switch to the nftables interface rather than using iptables".
nftables architecture is built right into the kernel.

If I add firewalld, I still don't need iptables.
Installation of firewalld would add this:

Code:

firewalld gir1.2-nm-1.0 libnm0 python3-attr python3-firewall python3-jsonschema python3-nftables python3-pyrsistent
[nftables backend | firewalld]

/etc/firewalld/firewalld.conf

Code:

# FirewallBackend
# Selects the firewall backend implementation.
#	- nftables (default)
#	- iptables (iptables, ip6tables, ebtables and ipset)
# Note: The iptables backend is deprecated. It will be removed in a future release.

FirewallBackend=nftables

The OP is reporting an issue related to libvirt-daemon-system, which should work without iptables on Debian but unfortunately does not start correctly without iptables, very likely due to a wrong default configuration for Debian.
A libvirt patch is probably necessary to really avoid iptables.
nftables + firewalld should be enough.
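The two checks this thread keeps circling around (is firewalld the backend libvirt will talk to, and if not, are the iptables tools libvirt's "direct" backend shells out to actually installed; plus which backend firewalld itself is configured with) can be scripted. The POSIX sh below is an added example written for this page; it is not code from the thread, from Debian or from the libvirt project. Assumptions that are mine rather than stated on the page: libvirt picks the firewalld backend whenever the firewalld service is active and otherwise the direct backend; the direct backend is modelled as needing ip6tables and ebtables in addition to the iptables binary named in the OP's error; the function names libvirt_fw_backend_check and firewalld_backend are invented for the example.

```shell
#!/bin/sh
# Added example, not from the forum thread, Debian or libvirt.
# Models the precondition behind the error quoted in the thread
# ("direct firewall backend requested, but /usr/sbin/iptables is not
# available"): without firewalld, libvirt shells out to the iptables
# family of tools, so the binaries must exist on the host.

# libvirt_fw_backend_check STATE BINDIR
#   STATE  : "active" or "inactive" (firewalld service state)
#   BINDIR : directory searched for the netfilter tools
# Prints the backend libvirt would use ("firewalld" or "direct", with
# any missing tools listed) and returns 0 if usable, 1 otherwise.
# Assumption (mine): direct mode also wants ip6tables and ebtables.
libvirt_fw_backend_check() {
    fwd_state=$1
    bindir=$2
    if [ "$fwd_state" = "active" ]; then
        # firewalld present: libvirt talks to it over D-Bus instead.
        echo firewalld
        return 0
    fi
    missing=""
    for tool in iptables ip6tables ebtables; do
        [ -x "$bindir/$tool" ] || missing="$missing $tool"
    done
    if [ -n "$missing" ]; then
        echo "direct (missing:$missing)"
        return 1
    fi
    echo direct
    return 0
}

# firewalld_backend CONF
#   Reads FirewallBackend= from a firewalld.conf file. Commented lines
#   are ignored; when the key is absent the default is nftables, matching
#   the comment in the Debian config quoted above.
firewalld_backend() {
    conf=$1
    val=$(sed -n 's/^FirewallBackend=//p' "$conf" | tail -n 1)
    echo "${val:-nftables}"
}

# Live use on a libvirt host (hypothetical invocation, not run here):
#   state=$(systemctl is-active firewalld 2>/dev/null)
#   libvirt_fw_backend_check "$state" /usr/sbin
#   firewalld_backend /etc/firewalld/firewalld.conf
```

Run on the OP's host after `apt remove iptables` the first function would print `direct (missing: iptables ...)` and fail, which is the condition `virsh net-start default` reports; installing firewalld (backend nftables, no iptables binary) flips the result to `firewalld`, which is the configuration L_V describes.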

#6 Post by CwF »

L_V wrote (2022-08-18 18:50): "The OP is reporting an issue related to libvirt-daemon-system which should work without iptables for Debian, but unfortunately not correctly starts without iptables, due to very likely wrong default configuration for Debian."

Yes, I was not referring to firewalld, or the 'OR' question.
Last I checked, apparmor may complain and refuse to start some sub-process, I can't recall which.
You can get around it and use VMs with vfio net, as I may recall.

The other OP point is you can remove iptables without any warning of libvirt impairment.
I did so pre-Bullseye and learned what I have stated. My Bookworms still happily use iptables and I haven't seen the need to re-check yet. So far, ain't broke, don't fix it...

There is plenty of time left for a changeover in the upcoming Bookworm. For sure, it didn't make it in Buster.

#7 Post by CwF »

something like

Code:

: 2782: error : virFirewallValidateBackend:187 : direct firewall backend requested, but /usr/sbin/iptables is not available: No such file or directory

#8 Post by L_V »

CwF wrote (2022-08-18 19:22): "There is plenty of time left for a changeover in the upcoming Bookworm."

I am afraid not, especially if this kind of issue is not tracked anywhere.
bookworm_freeze_policy.

#9 Post by CwF »

Well, I'm not sure it is beyond a Debian maintainer issue. I'm not sure I see any evidence that nftables is not simply a big brother to iptables. iptables is maintained and current and there is no conflict. Why not eliminate the possibly erroneous recommendation to migrate to nftables?

Maybe I'm missing something, but I recommend to install iptables, and be done.

#10 Post by L_V »

You cannot reverse a decision already made about 5 years ago because of a well-known libvirt bug, which is really very specific.
All major distributions made the move many years ago.

Quoting https://libvirt.org/firewall.html:
"Finally, in terms of problems we have in deployment. The biggest problem is that if the admin does service iptables restart all our work gets blown away. Instead we document that if you run service iptables restart, you need to send SIGHUP to libvirt to make it recreate its rules."

My understanding is more that the libvirt team needs some help to work on this bug, which needs to be better tracked.

#11 Post by CwF »

L_V wrote (2022-08-19 09:00): "You cannot reverse a decision already made about 5 years ago, because of a well known libvirt bug, which is really very specific. All major distributions have made the move many years ago."

Interesting, I have seen the issue.
In a recent post about a partial power outage where the external DHCP server cycled, there was a mix of results. A member here said a power cycle could not explain it, but it does. The odd part is only bookworm VMs and their host were affected. The host lost its IP until manually refreshed, all such VMs report the old IP, while the DHCP server reported a refreshed IP, as in spoofed!
Older hosts and VMs and dedicated NICs had no issues. Only my bookworm variants are 'fresh', though derived from the old. So thanks for the reminder, Bookworm needs work, I've missed something.

So the test is simple enough, cycle any external dhcp server and see what happens!

Except, this is a tangent to the OP. One excuse could be missing recommends lose features. I'm ignorant of other OS's handling and whether iptables is removed and libvirt differently compiled, but this seems to be strictly a libvirt issue and not iptables at all. Yet the seed of action comes from the 'warning' on the iptables package while nftables coexist fine, and iptables isn't going away as far as I see.

So I circle back where I started! Why is there a 'warning' on the iptables package suggesting iptables should be 'replaced' inferring 'removed'? The language could be simpler - "This is Legacy and not required being redundant to nftables" and then a fix to make iptables a full dependency on libvirt machines and the OP issue is resolved! And it would be more obvious that the fault is libvirts' and not iptables.

#12 Post by L_V »

CwF wrote (2022-08-19 15:58): "and then a fix to make iptables a full dependency on libvirt machines"

I don't call this a fix, but a workaround, some extra glue, until the fix is available, that is, libvirt should directly deal with firewalld/nftables.
Having a clean system totally relying on nftables, and later on being forced to reintroduce old iptables because of a well identified old bug is not a correct solution anymore.
Mixing nftables + iptables cannot be considered as an ideal solution (this part is complex enough).
Since the beginning, some bridges have been made to facilitate the transition from iptables to nftables, and convert iptables to nftables (iptables-translate).

Now if it is demonstrated that it is definitively 'impossible' for libvirt to work without iptables, it would mean that there is something wrong with nftables.
The hot potato owner should be identified.

#13 Post by CwF »

L_V wrote (2022-08-19 16:54): "The hot potato owner should be identified."

https://www.spinics.net/linux/fedora/li ... 12287.html
