Re: [libvirt PATCH 00/28] native support for nftables in virtual network driver

On Wed, Jun 12, 2024 at 01:54:47AM -0700, Andrea Bolognani wrote:
> On Tue, Jun 11, 2024 at 05:27:42PM GMT, Daniel P. Berrangé wrote:
> > On Tue, Jun 11, 2024 at 08:49:42AM -0700, Andrea Bolognani wrote:
> > > One additional issue with this:
> > >
> > >   $ PATH=/usr/bin /usr/sbin/libvirtd
> > >   error : virNetworkLoadDriverConfig:146 : internal error: could not
> > > find a usable firewall backend
> > >   error : virStateInitialize:672 : Initialization of bridge state
> > > driver failed: internal error: could not find a usable firewall
> > > backend
> > >   error : daemonRunStateInit:617 : Driver state initialization failed
> > >
> > > This happens because nft and iptables are both in /usr/sbin, so if
> > > the user's $PATH doesn't include that directory they won't be found
> > > and the driver will fail to initialize.
> > >
> > > Not a big deal on Fedora, where /usr/sbin is part of the default
> > > $PATH for users, but that's not the case on Debian, where
> > > qemu:///session is just completely broken right now.
> > >
> > > I was testing out a patch that addressed the situation by switching
> > > backend detection to virFindFileInPathFull(), but then I realized
> > > that it's fairly pointless to look for nft/iptables when a regular
> > > user can't run them anyway.
> > >
> > > So what I think we need to do is, make the failure to detect a
> > > working backend non-fatal, unless the user has explicitly asked for a
> > > specific backend to be used. That should bring us back to the
> > > previous situation.
> >
> > This is probably another reason to have a "no op" backend that merely
> > raises errors for every operation - see Roman's mail about FreeBSD
> 
> Is there much of a difference between having an explicit noop backend
> that is checked for availability after all other ones, and simply not
> failing to initialize the driver if a backend can't be found?

I actually sent a patch for the latter last night.

> 
> Anyway, I'd be happy with either solution.
> 
> I'm still unclear on how networking on FreeBSD could work at all
> until now. Aren't the iptables rules needed for guest connectivity?
> Or did I misunderstand their purpose?

It wouldn't have worked, but the problem is that we now kill the
entire libvirtd startup, instead of successfully starting a (broken)
network driver.  Both are broken, but now the brokenness has spread
to the bits that do matter.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
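The two options weighed in the thread, auto-detection that degrades to a "no op" backend instead of aborting driver startup, and an explicit backend request that still fails hard when the binary is not in $PATH, can be sketched as a small self-contained program. This is an added illustration written for this page, not libvirt's code: the fw_* names, the FwBackend enum, the ProbeFn injection hook and the fake file list are all assumptions made for the example. The probe callback exists so the PATH-search logic can be run against a constructed "filesystem" (nft and iptables present only in /usr/sbin, as on the Debian setup described above) as well as against the real one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical backend enum for the example (not libvirt's). */
typedef enum {
    FW_BACKEND_NONE = 0,   /* "no op" backend: every rule operation fails */
    FW_BACKEND_NFTABLES,
    FW_BACKEND_IPTABLES
} FwBackend;

/* Probe callback: non-zero if `fullpath` is something we could execute.
 * Injected so the selection logic can be exercised without the real fs. */
typedef int (*ProbeFn)(const char *fullpath, void *opaque);

/* Real probe: access(2) with X_OK, the check a PATH search performs. */
static int fw_probe_access(const char *fullpath, void *opaque)
{
    (void)opaque;
    return access(fullpath, X_OK) == 0;
}

/* Constructed fake filesystem: the tools live in /usr/sbin only. */
static const char *fw_fake_fs[] = { "/usr/sbin/nft", "/usr/sbin/iptables", NULL };

static int fw_probe_fake(const char *fullpath, void *opaque)
{
    for (const char **p = opaque; *p; p++)
        if (strcmp(*p, fullpath) == 0)
            return 1;
    return 0;
}

/* Search a colon-separated `path` for `name`; 1 if the probe accepts it. */
static int fw_find_in_path(const char *path, const char *name,
                           ProbeFn probe, void *opaque)
{
    const char *p = path;
    while (p && *p) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char full[4096];
        if (len > 0 && len + strlen(name) + 2 < sizeof full) {
            snprintf(full, sizeof full, "%.*s/%s", (int)len, p, name);
            if (probe(full, opaque))
                return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Choose a backend. `requested` is NULL for auto-detection or the value of
 * an explicit setting ("nftables" / "iptables").  Auto-detection never
 * fails: with nothing usable it yields FW_BACKEND_NONE so the driver can
 * still start.  An explicit request that cannot be honoured is an error. */
static int fw_backend_detect(const char *requested, const char *path,
                             ProbeFn probe, void *opaque,
                             FwBackend *out, const char **err)
{
    int have_nft = fw_find_in_path(path, "nft", probe, opaque);
    int have_ipt = fw_find_in_path(path, "iptables", probe, opaque);

    *err = NULL;
    if (requested == NULL) {
        *out = have_nft ? FW_BACKEND_NFTABLES
             : have_ipt ? FW_BACKEND_IPTABLES : FW_BACKEND_NONE;
        return 0;
    }
    if (strcmp(requested, "nftables") == 0) {
        if (!have_nft) { *err = "backend 'nftables' requested but nft not in PATH"; return -1; }
        *out = FW_BACKEND_NFTABLES;
        return 0;
    }
    if (strcmp(requested, "iptables") == 0) {
        if (!have_ipt) { *err = "backend 'iptables' requested but iptables not in PATH"; return -1; }
        *out = FW_BACKEND_IPTABLES;
        return 0;
    }
    *err = "unknown firewall backend";
    return -1;
}

/* The no-op backend's only behaviour: refuse every operation with an error.
 * Real backends would spawn nft/iptables here. */
static int fw_add_rule(FwBackend backend, const char *rule, const char **err)
{
    (void)rule;
    if (err) *err = NULL;
    if (backend == FW_BACKEND_NONE) {
        if (err) *err = "no usable firewall backend; cannot add rule";
        return -1;
    }
    return 0;
}

/* Detection against the fake fs: returns the backend as an int, -1 on error. */
static int fw_detect_fake(const char *requested, const char *path)
{
    FwBackend out;
    const char *err;
    if (fw_backend_detect(requested, path, fw_probe_fake, fw_fake_fs, &out, &err) < 0)
        return -1;
    return (int)out;
}

int main(void)
{
    const char *paths[] = { "/usr/bin", "/usr/bin:/usr/sbin" };
    for (size_t i = 0; i < 2; i++) {
        const char *err;
        int b = fw_detect_fake(NULL, paths[i]);
        printf("PATH=%s auto-detect -> backend %d\n", paths[i], b);
        if (fw_add_rule((FwBackend)b, "example rule", &err) < 0)
            printf("  add rule: %s\n", err);
        if (fw_detect_fake("nftables", paths[i]) < 0)
            printf("  explicit nftables: fatal, nft not found\n");
    }
    FwBackend real;
    const char *err;
    fw_backend_detect(NULL, getenv("PATH"), fw_probe_access, NULL, &real, &err);
    printf("real $PATH auto-detect -> backend %d\n", (int)real);
    return 0;
}
```

With PATH=/usr/bin auto-detection returns the no-op backend and the driver would start, but the first rule operation fails with a clear error, which is the FreeBSD-style "broken network driver, working everything else" outcome described in the reply; the explicit "nftables" request under the same PATH is the one case that still fails at initialization.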