• Bug#1040783: [Pkg-libvirt-maintainers] Bug#1040783: libvirt-daemon: lib

    From Andrea Bolognani@21:1/5 to Gregor Riepl on Sun Apr 13 01:20:01 2025
    On Sat, Apr 12, 2025 at 04:27:34PM +0200, Gregor Riepl wrote:
    > This post suggests that it could be a packaging problem:
    > https://nocthoughts.com/2023/04/26/arch-linux-virt-manager-and-firewalld.html
    >
    > In any case, the libvirt-daemon-driver-network package contains
    > template firewalld zone files in /usr/lib/firewalld/zones/ - it
    > suffices to copy them to /etc/firewalld/zones/ and restart
    > firewalld.

    firewalld should read the files under /usr/lib, not just those under
    /etc. That's how things are packaged both upstream and in Fedora.

    I didn't have firewalld installed on my bookworm system, but I've
    just installed it and:

    $ sudo firewall-cmd --list-all-zones | grep libvirt
    libvirt (active)
    libvirt-routed

    I think what might be happening is that we don't have any code in the
    libvirt package that matches the following snippet from the upstream
    spec file:

    %post daemon-driver-network
    %if %{with_firewalld_zone}
    %firewalld_reload
    %endif

    In other words, things worked for me because I already had the zone
    definitions present when I installed firewalld; if I had done things
    the other way around, installing firewalld first and
    libvirt-daemon-system (or libvirt-daemon-driver-network in trixie)
    after that, they wouldn't have.

    As for the workaround suggested above by Niccolò:

    > I've found the root of the problem: I was connecting to libvirt via ssh
    > using an unprivileged user part of the libvirt group. That works for
    > most of the tasks but not for creating the firewalld libvirt zone.
    > Using root, while being less than ideal, works fine.

    I believe the most likely explanation is that the system was rebooted
    between the failed attempt, as a regular user, and the successful
    one, as root. If that had happened, firewalld would have picked up
    the new zone definitions and virtual network creation would have
    worked.

    It would probably make sense to at least attempt to reload firewalld
    when the network driver is installed, the way upstream and Fedora
    already do.

    --
    Andrea Bolognani <eof@kiyuko.org>
    Resistance is futile, you will be garbage collected.


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Guido Günther@21:1/5 to Andrea Bolognani on Sun Apr 13 09:40:01 2025
    On Sun, Apr 13, 2025 at 01:15:28AM +0200, Andrea Bolognani wrote:
    [..snip..]

    > I think what might be happening is that we don't have any code in the
    > libvirt package that matches the following snippet from the upstream
    > spec file:
    >
    > %post daemon-driver-network
    > %if %{with_firewalld_zone}
    > %firewalld_reload
    > %endif

    Nice find!

    [..snip..]

    > It would probably make sense to at least attempt to reload firewalld
    > when the network driver is installed, the way upstream and Fedora
    > already do.

    Instead of all packages shipping zones doing this firewalld should
    likely better register a trigger, like e.g. glib does for new schemas:

    /usr/share/glib-2.0/schemas libglib2.0-0t64:amd64

    in /var/lib/dpkg/triggers/File

    so probably best to move the issue there?

    Cheers,
    -- Guido


  • From Andrea Bolognani@21:1/5 to All on Sun Apr 13 19:40:01 2025
    Control: reassing -1 firewalld
    Control: retitle -1 firewalld: Please introduce a trigger for zones installed by other packages
    Control: affects -1 libvirt

    On Sun, Apr 13, 2025 at 09:28:58AM +0200, Guido Günther wrote:
    > On Sun, Apr 13, 2025 at 01:15:28AM +0200, Andrea Bolognani wrote:
    > > I think what might be happening is that we don't have any code in the
    > > libvirt package that matches the following snippet from the upstream
    > > spec file:
    > >
    > > %post daemon-driver-network
    > > %if %{with_firewalld_zone}
    > > %firewalld_reload
    > > %endif
    >
    > Nice find!
    >
    > > It would probably make sense to at least attempt to reload firewalld
    > > when the network driver is installed, the way upstream and Fedora
    > > already do.
    >
    > Instead of all packages shipping zones doing this firewalld should
    > likely better register a trigger, like e.g. glib does for new schemas:
    >
    > /usr/share/glib-2.0/schemas libglib2.0-0t64:amd64
    >
    > in /var/lib/dpkg/triggers/File
    >
    > so probably best to move the issue there?

    Agreed, that would probably be the best way to handle things.

    --
    Andrea Bolognani <eof@kiyuko.org>
    Resistance is futile, you will be garbage collected.

  • From Andrea Bolognani@21:1/5 to Andrea Bolognani on Sun Apr 13 19:50:01 2025
    Control: reassign -1 firewalld

    Ugh. Sorry for the noise.

    On Sun, Apr 13, 2025 at 07:35:06PM +0200, Andrea Bolognani wrote:
    > Control: reassing -1 firewalld
    > Control: retitle -1 firewalld: Please introduce a trigger for zones installed by other packages
    > Control: affects -1 libvirt
    >
    > On Sun, Apr 13, 2025 at 09:28:58AM +0200, Guido Günther wrote:
    > > On Sun, Apr 13, 2025 at 01:15:28AM +0200, Andrea Bolognani wrote:
    > > > I think what might be happening is that we don't have any code in the
    > > > libvirt package that matches the following snippet from the upstream
    > > > spec file:
    > > >
    > > > %post daemon-driver-network
    > > > %if %{with_firewalld_zone}
    > > > %firewalld_reload
    > > > %endif
    > >
    > > Nice find!
    > >
    > > > It would probably make sense to at least attempt to reload firewalld
    > > > when the network driver is installed, the way upstream and Fedora
    > > > already do.
    > >
    > > Instead of all packages shipping zones doing this firewalld should
    > > likely better register a trigger, like e.g. glib does for new schemas:
    > >
    > > /usr/share/glib-2.0/schemas libglib2.0-0t64:amd64
    > >
    > > in /var/lib/dpkg/triggers/File
    > >
    > > so probably best to move the issue there?
    >
    > Agreed, that would probably be the best way to handle things.

    --
    Andrea Bolognani <eof@kiyuko.org>
    Resistance is futile, you will be garbage collected.
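
The file trigger proposed in this thread, sketched from the firewalld side as an added example; it is not code from the firewalld or libvirt packaging. The `interest-noawait` line, the function names and the `FIREWALL_CMD` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not taken from the firewalld or libvirt packaging.
# Assumed companion file debian/firewalld.triggers, a single line:
#   interest-noawait /usr/lib/firewalld/zones
# With that registered, dpkg runs firewalld's postinst as
#   postinst triggered "<space-separated trigger names>"
# whenever another package installs or removes files under that directory.

# Overridable so the logic can be exercised without firewalld installed.
: "${FIREWALL_CMD:=firewall-cmd}"

# Reload only a running firewalld; a stopped or missing daemon must not
# fail the dpkg run, since it reads the zone files when it next starts.
reload_zones() {
    if ! command -v "$FIREWALL_CMD" >/dev/null 2>&1; then
        echo skipped-not-installed
    elif ! "$FIREWALL_CMD" --quiet --state; then
        echo skipped-not-running
    elif "$FIREWALL_CMD" --quiet --reload; then
        echo reloaded
    else
        echo reload-failed
    fi
    return 0
}

# Dispatch on the postinst arguments; prints the action taken.
postinst_main() {
    case "${1:-}" in
        triggered)
            for trigger in ${2:-}; do   # unquoted on purpose: dpkg passes a list
                if [ "$trigger" = /usr/lib/firewalld/zones ]; then
                    reload_zones
                    return 0
                fi
            done
            echo ignored ;;
        configure) echo configured ;;
        *) echo ignored ;;
    esac
}

# Run as the maintainer script only when installed under that name.
if [ "${0##*/}" = postinst ]; then postinst_main "$@"; fi
```

`firewall-cmd --reload` reapplies the permanent configuration, so runtime-only rules are lost each time the trigger fires.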
