On 10/26/20 10:21 AM, Nikolay Shirokovskiy wrote:
Now on every nwfilter config package update we overwrite existing filters entirely. It is desired to bring new version of filters on update but we'd better keep their uuids I guess. Actually patch primarily address noise in logs on update. If both libvirtd and firewalld are running and libvirt is using firewalld backend then on firewalld restart we reload all nwfilters. So if node is updated and we have update for both firewalld and libvirt then in the process of update first new nwfilters of libvirt package are copied to /etc/libvirt/nwfilters then firewalld is restarted and then libvirtd is restarted. In this process firewalld restart cause log messages like [1]. The issue is libvirt brings nwfilters without <uuid> in definition and on handling firewalld restart libvirt generates missing uuid and then fail to update filter definition because it is already present in filters list with different uuid. [1] virNWFilterObjListAssignDef:337 : operation failed: filter 'no-ip-spoofing' already exists with uuid c302edf9-8a48-40d8-a652-f70b2c563ad1 Signed-off-by: Nikolay Shirokovskiy <nshirokovskiy@xxxxxxxxxxxxx> --- libvirt.spec.in | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/libvirt.spec.in b/libvirt.spec.in index 2a4324b..6a31440 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1438,7 +1438,18 @@ fi rm -rf %{_localstatedir}/lib/rpm-state/libvirt || :%post daemon-config-nwfilter-cp %{_datadir}/libvirt/nwfilter/*.xml %{_sysconfdir}/libvirt/nwfilter/ +# keep existing filters uuid on update +for dfile in %{_datadir}/libvirt/nwfilter/*.xml; do + sfile=%{_sysconfdir}/libvirt/nwfilter/`basename $dfile` + if [ -f "$sfile" ]; then + uuidstr=`sed -n '/<uuid>.*<\/uuid>/p' "$sfile"` + if [ ! -z "$uuidstr" ]; then + sed -e "s,<filter .*>,&\n$uuidstr," "$dfile" > "$sfile" + continue + fi + fi + cp "$dfile" "$sfile" +done # libvirt saves these files with mode 600 chmod 600 %{_sysconfdir}/libvirt/nwfilter/*.xml # Make sure libvirt picks up the new nwfilter defininitons
I wonder if we should treat these .xml files as config files. I mean, they can be changed by user and if they have been we should not touch them at update no matter what. But if they haven't, then we should replace them because they may contain new, better rules.
I've read spec file documentation here and it looks like %config(noreplace) is doing just that:
https://rpm-packaging-guide.github.io/#more-on-macros Would that solve the issue? Michal
