UFW blocks libvirtd default network from starting automatically in Saucy

Bug #1245322 reported by Claude Durocher
Affects            Status        Importance  Assigned to  Milestone
libvirt (Ubuntu)   Fix Released  High        Unassigned
Saucy              Fix Released  High        Unassigned

Bug Description

============================================
SRU justification
============================================
1. Impact: libvirt may fail to start
2. Development fix: have libvirt use -w flag to iptables to have it wait rather than fail on lock contention
3. Stable fix: same as dev fix
4. Test case: install ufw and libvirt; reboot a few times.
5. Regression potential: there should be none, this only passes the -w flag to iptables if it is supported.

Running KVM under Ubuntu 13.10 64 bits.
===================================================

When UFW is enabled, the default network won't start automatically when set to do so. Manual startup of the network must be done before starting the first guest.

Error in /var/log/libvirt/libvirtd.log when UFW is enabled:

2013-10-28 02:53:31.732+0000: 1485: error : virCommandWait:2348 : internal error: Child process (/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT) unexpected exit status 4: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
2013-10-28 02:53:31.732+0000: 1485: error : networkAddGeneralFirewallRules:1895 : failed to add iptables rule to allow DHCP requests from 'virbr0'

Disabling UFW and rebooting solves the issue (default network is started automatically).

This behaviour is new in 13.10 (it was working fine in 13.04 and before).

Revision history for this message
Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1245322] [NEW] UFW blocks libvirtd default network from starting automatically in Saucy

I don't believe this is a libvirt bug, but I'm not sure what the
right answer is.

 affects: ufw

Revision history for this message
Claude Durocher (claude-d) wrote :

Have a look at this thread: http://patchwork.ozlabs.org/patch/246619/

Seems like a new 'locking' mechanism has been added to xtable recently preventing concurrent access on iptables.

I ran a debug on libvirtd and it could probably be solved by using the -w option in the $IPT command (wherever this is called):

2013-10-29 01:10:53.805+0000: 1457: error : virCommandWait:2348 : internal error: Child process (/bin/sh -c 'IPT="/sbin/iptables"
cmd='\''$IPT -n -L FORWARD'\''
eval res=\$\("${cmd} 2>&1"\)
if [ $? -ne 0 ]; then echo "Failure to execute command '\''${cmd}'\'' : '\''${res}'\''."; exit 1;fi
') unexpected exit status 1: 2013-10-29 01:10:53.799+0000: 2972: debug : virFileClose:90 : Closed fd 21
2013-10-29 01:10:53.799+0000: 2972: debug : virFileClose:90 : Closed fd 23
2013-10-29 01:10:53.799+0000: 2972: debug : virFileClose:90 : Closed fd 19

2013-10-29 01:10:53.805+0000: 1457: debug : virCommandRun:2111 : Result status 0, stdout: 'Failure to execute command '$IPT -n -L FORWARD' : 'Another app is currently holding the xtables lock. Perhaps you want to use the -w option?'.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1245322] Re: UFW blocks libvirtd default network from starting automatically in Saucy

Quoting ClaudeD (<email address hidden>):
> Have a look at this thread : http://patchwork.ozlabs.org/patch/246619/
>
> Seems like a new 'locking' mechanism has been added to xtable recently
> preventing concurrent access on iptables.
>
> I ran a debug on libvirtd and it could probably be solved by using the
> -w option in the $IPT command (wherever this is called):

Thanks, that's great info

 status: confirmed
 importance: medium

Changed in libvirt (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

I'd recommend that configure.ac do a check for 'sudo iptables -w -L -n'. If it succeeds, then conditionally add to src/util/viriptables.c:iptablesCommandNew() a 'virCommandAddArgList(cmd, "-w", NULL)'.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

On second thought, I'm checking for the support from a daemon-init start time job. Testing patch now. Intend to send it upstream, and put it into trusty once the next release is uploaded (next week). Then it can be SRUd into saucy (cherrypick is completely clean so far).
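As an added example, not code from libvirt, ufw or the Ubuntu package, here is a POSIX shell sketch of the run-time check the two comments above discuss: probe once, at service start, whether the iptables binary accepts -w, and prepend the flag only when the probe succeeds, so a held xtables lock makes the call wait instead of fail. The function names (iptables_supports_wait, iptables_wait_flag, run_iptables) are hypothetical, and the two stub iptables binaries with their messages and exit statuses are constructed for the demo; the "exit status 4" stub imitates the failure quoted from libvirtd.log at the top of this report.

```shell
#!/bin/sh
# Added example, not code from libvirt or the Ubuntu package: probe once at
# service start whether the iptables binary accepts -w (wait for the xtables
# lock instead of failing), and prepend the flag only when the probe passes.
# The stub iptables binaries further down are constructed for this demo.

# Probe: a harmless listing with -w. An iptables without -w rejects the
# unknown option with a non-zero exit; one with -w lists the chain and exits 0.
# Assumption: this runs with the privileges the real service has (root), so a
# non-zero exit reflects the flag, not a permission error.
iptables_supports_wait() {
    "$1" -w -L -n >/dev/null 2>&1
}

# Print the extra argument to pass for the given binary: "-w" or nothing.
iptables_wait_flag() {
    if iptables_supports_wait "$1"; then
        printf '%s' '-w'
    fi
}

# Run an iptables command, inserting -w when the binary supports it.
# $1 is the iptables path; the remaining arguments are passed through.
run_iptables() {
    ipt=$1; shift
    flag=$(iptables_wait_flag "$ipt")
    # $flag is deliberately unquoted so an empty value adds no argument.
    "$ipt" $flag "$@"
}

# --- Constructed stubs that imitate two iptables generations ---------------

# Old iptables: no -w support; any use of it is a usage error (exit status 2).
make_stub_old() {
    cat > "$1" <<'EOF'
#!/bin/sh
for a in "$@"; do
    [ "$a" = "-w" ] && { echo 'iptables: unknown option "-w"' >&2; exit 2; }
done
echo "Chain INPUT (policy ACCEPT)"
EOF
    chmod +x "$1"
}

# New iptables while another process holds the xtables lock: without -w it
# fails with the message and exit status 4 seen in the bug's log; with -w it
# waits for the lock and succeeds.
make_stub_locked() {
    cat > "$1" <<'EOF'
#!/bin/sh
for a in "$@"; do
    [ "$a" = "-w" ] && { echo "Chain INPUT (policy ACCEPT)"; exit 0; }
done
echo "Another app is currently holding the xtables lock. Perhaps you want to use the -w option?" >&2
exit 4
EOF
    chmod +x "$1"
}

STUBDIR=$(mktemp -d)
make_stub_old "$STUBDIR/iptables-old"
make_stub_locked "$STUBDIR/iptables-locked"

# Show which flag each binary gets, then issue the same rule libvirtd failed
# to insert in the report, this time against the "locked" stub with -w added.
demo() {
    printf 'old:    flag=[%s]\n' "$(iptables_wait_flag "$STUBDIR/iptables-old")"
    printf 'locked: flag=[%s]\n' "$(iptables_wait_flag "$STUBDIR/iptables-locked")"
    run_iptables "$STUBDIR/iptables-locked" --table filter --insert INPUT \
        --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT
}
demo
```

Because the probe runs once and its result is reused for every later call, the service pays for a single extra iptables invocation at start-up; a binary without -w keeps its old behaviour unchanged, which is the "no regression potential" argument made in the SRU justification.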

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Patch sent upstream, here is a debdiff which was tested against saucy.

tags: added: patch
Revision history for this message
Claude Durocher (claude-d) wrote :

Is it possible to have binaries to test it here?

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Quoting ClaudeD (<email address hidden>):
> Is it possible to have binaries to test it here?

I'd deleted the ones I built, but just built and posted a new set (for
saucy) here: http://people.canonical.com/~serge/libvirt-xtables2

Revision history for this message
Claude Durocher (claude-d) wrote :

I tested the patch with ufw active: default network now starts automatically after reboot. Thanks!

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Thanks for the confirmation. Note (to self) that the patch has undergone
some fixes in the upstream discussion, so the fix which actually goes
into trusty and saucy needs to include those.

no longer affects: ufw
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.1.4-0ubuntu2

---------------
libvirt (1.1.4-0ubuntu2) trusty; urgency=low

  * debian/patches/9002-better_default_uri_virsh.patch: Update to fix the
    FTBFS.
 -- Chuck Short <email address hidden> Wed, 13 Nov 2013 11:04:29 -0500

Changed in libvirt (Ubuntu):
status: Confirmed → Fix Released
description: updated
Changed in libvirt (Ubuntu Saucy):
status: New → Triaged
importance: Undecided → High
Changed in libvirt (Ubuntu):
importance: Medium → High
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello ClaudeD, or anyone else affected,

Accepted libvirt into saucy-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/libvirt/1.1.1-0ubuntu8.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in libvirt (Ubuntu Saucy):
status: Triaged → Fix Committed
tags: added: verification-needed
Revision history for this message
Claude Durocher (claude-d) wrote :

Just installed the saucy-proposed package 1.1.1-0ubuntu8.2 on my system and it works fine (default network is started after reboot).

tags: added: verification-done
removed: verification-needed
Revision history for this message
Stéphane Graber (stgraber) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.1.1-0ubuntu8.2

---------------
libvirt (1.1.1-0ubuntu8.2) saucy-proposed; urgency=low

  * add d/p/util_use_w_flag_when_calling_iptables.patch (LP: #1245322)
  * debian/apparmor/libvirt-qemu: allow access to usb info (LP: #1245251)
  * debian/apparmor/libvirt-qemu: allow access to hugepages mounts
    (LP: #1250216)
 -- Serge Hallyn <email address hidden> Thu, 14 Nov 2013 10:09:24 -0600

Changed in libvirt (Ubuntu Saucy):
status: Fix Committed → Fix Released