Polite ping
On 26.10.2020 12:21, Nikolay Shirokovskiy wrote:
Now on every nwfilter config package update we overwrite existing filters
entirely. It is desired to bring the new version of filters on update but we'd
better keep their uuids I guess.
Actually the patch primarily addresses noise in logs on update. If both libvirtd and
firewalld are running and libvirt is using the firewalld backend then on firewalld
restart we reload all nwfilters. So if a node is updated and we have an update for
both firewalld and libvirt then in the process of the update first the new nwfilters of
the libvirt package are copied to /etc/libvirt/nwfilters, then firewalld is
restarted and then libvirtd is restarted. In this process the firewalld restart
causes log messages like [1]. The issue is that libvirt brings nwfilters without
<uuid> in the definition and on handling the firewalld restart libvirt generates
the missing uuid and then fails to update the filter definition because it is already
present in the filters list with a different uuid.
[1] virNWFilterObjListAssignDef:337 : operation failed: filter 'no-ip-spoofing'
already exists with uuid c302edf9-8a48-40d8-a652-f70b2c563ad1
Signed-off-by: Nikolay Shirokovskiy <nshirokovskiy(a)virtuozzo.com>
---
libvirt.spec.in | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 2a4324b..6a31440 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1438,7 +1438,18 @@ fi
rm -rf %{_localstatedir}/lib/rpm-state/libvirt || :
%post daemon-config-nwfilter
-cp %{_datadir}/libvirt/nwfilter/*.xml %{_sysconfdir}/libvirt/nwfilter/
+# keep existing filters uuid on update
+for dfile in %{_datadir}/libvirt/nwfilter/*.xml; do
+ sfile=%{_sysconfdir}/libvirt/nwfilter/`basename $dfile`
+ if [ -f "$sfile" ]; then
+ uuidstr=`sed -n '/<uuid>.*<\/uuid>/p' "$sfile"`
+ if [ ! -z "$uuidstr" ]; then
+ sed -e "s,<filter .*>,&\n$uuidstr," "$dfile" >
"$sfile"
+ continue
+ fi
+ fi
+ cp "$dfile" "$sfile"
+done
# libvirt saves these files with mode 600
chmod 600 %{_sysconfdir}/libvirt/nwfilter/*.xml
# Make sure libvirt picks up the new nwfilter defininitons
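Review bot: On the added line that redirects sed output to "$sfile", the shell truncates the existing filter before sed runs, and the "continue" right after it skips the cp fallback, so any sed failure leaves an empty file in %{_sysconfdir}/libvirt/nwfilter/. A failure is possible because the extraction sed -n '/<uuid>.*<\/uuid>/p' prints every matching line and the result is pasted unescaped into the replacement: a second matching line puts a literal newline into the s command, and a "," or "&" in the captured line would change its meaning. Suggest stopping at the first match (for example '/<uuid>.*<\/uuid>/{p;q}'), writing to a temporary file that is moved into place only when sed exits successfully, and falling through to cp "$dfile" "$sfile" otherwise. It also deserves a comment that "\n" in the replacement relies on GNU sed, and that nothing is inserted (so the uuid is silently dropped) when the shipped file's <filter ...> start tag does not sit on a single line. Style: [ -n "$uuidstr" ] and $(...) read better than [ ! -z ... ] and backticks.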