On Sat, Apr 12, 2025 at 04:27:34PM +0200, Gregor Riepl wrote:
> This post suggests that it could be a packaging problem:
> https://nocthoughts.com/2023/04/26/arch-linux-virt-manager-and-firewalld.html
> 
> In any case, the libvirt-daemon-driver-network package contains
> template firewalld zone files in /usr/lib/firewalld/zones/ - it
> suffices to copy them to /etc/firewalld/zones/ and restart
> firewalld.

firewalld should read the files under /usr/lib, not just those under
/etc. That's how things are packaged both upstream and in Fedora.

I didn't have firewalld installed on my bookworm system, but I've
just installed it and:

  $ sudo firewall-cmd --list-all-zones | grep libvirt
  libvirt (active)
  libvirt-routed

I think what might be happening is that we don't have any code in the
libvirt package that matches the following snippet from the upstream
spec file:

  %post daemon-driver-network
    %if %{with_firewalld_zone}
    %firewalld_reload
    %endif

In other words, things worked for me because I already had the zone
definitions present when I installed firewalld; if I had done things
the other way around, installing firewalld first and
libvirt-daemon-system (or libvirt-daemon-driver-network in trixie)
after that, they wouldn't have.

As for the workaround suggested above by Niccolò:

> I've found the root of the problem: I was connecting to libvirt via ssh
> using an unprivileged user part of the libvirt group. That works for
> most of the tasks but not for creating the firewalld libvirt zone. Using
> root, while being less than ideal, works fine.

I believe the most likely explanation is that the system was rebooted
between the failed attempt, as a regular user, and the successful
one, as root. If that had happened, firewalld would have picked up
the new zone definitions and virtual network creation would have
worked.

It would probably make sense to at least attempt to reload firewalld
when the network driver is installed, the way upstream and Fedora
already do.

-- 
Andrea Bolognani <e...@kiyuko.org>
Resistance is futile, you will be garbage collected.
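As an added illustration of the reload step discussed in the message above (this is example code written for this page, not part of the Debian or upstream libvirt packaging), the script below does two things: it checks the text of `firewall-cmd --list-all-zones` for the two zones libvirt ships in /usr/lib/firewalld/zones/, and it performs the Debian postinst equivalent of the upstream `%firewalld_reload` macro, reloading firewalld only when it is installed and running and never letting a failed reload abort package configuration. The zone listings are constructed sample output; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original thread: a postinst-style helper that
# mirrors the upstream spec's %firewalld_reload step, plus a check reporting
# which libvirt firewalld zones have not been loaded yet.

# Zones shipped by libvirt-daemon-driver-network in /usr/lib/firewalld/zones/
LIBVIRT_ZONES="libvirt libvirt-routed"

# Given the text of `firewall-cmd --list-all-zones`, print the libvirt zones
# that are absent from it, one per line. A zone name starts a line and may
# be followed by " (active)", as in the listing quoted in the mail.
missing_libvirt_zones() {
    zones_output="$1"
    for zone in $LIBVIRT_ZONES; do
        if ! printf '%s\n' "$zones_output" | grep -Eq "^${zone}( \(active\))?\$"; then
            echo "$zone"
        fi
    done
}

# Debian postinst equivalent of %firewalld_reload: reload only when
# firewall-cmd exists and firewalld is actually running, and never fail
# package configuration because the reload itself failed. Prints what it did.
reload_firewalld_if_running() {
    if command -v firewall-cmd >/dev/null 2>&1 &&
       command -v systemctl >/dev/null 2>&1 &&
       systemctl is-active --quiet firewalld 2>/dev/null; then
        firewall-cmd --reload --quiet || true
        echo "reloaded"
    else
        echo "skipped"
    fi
}

# Constructed sample output (not captured from a real host): before a reload
# only the built-in zones are listed, so both libvirt zones are missing.
SAMPLE_BEFORE="public (active)
  target: default
  interfaces: eth0
trusted
  target: ACCEPT"

# Constructed sample output after firewalld has picked up the zone files.
SAMPLE_AFTER="libvirt (active)
  target: ACCEPT
libvirt-routed
  target: ACCEPT
public (active)
  target: default"

main() {
    echo "Missing before reload:"
    missing_libvirt_zones "$SAMPLE_BEFORE"
    echo "Missing after reload:"
    missing_libvirt_zones "$SAMPLE_AFTER"
    echo "Reload: $(reload_firewalld_if_running)"
}

main
```

On a system where the zones were installed before firewalld was started, the "before" check already comes back empty, which is the situation described in the message; the reload helper is what closes the gap for the opposite installation order.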
