9:40 p.m.
https://bugzilla.redhat.com/show_bug.cgi?id=1188088
When the firewalld is running and then start the libvirtd, libvirt
will set the current backend as VIR_FIREWALL_BACKEND_FIREWALLD.
But when firewalld is stop, we still try to use firewalld even it
is stopped, this will make the vm which has nwfilter cannot start
because systemd cannot find a running firewalld service.
We already have a Dbus callback functions before, add a recheck for
the validating backend in firewalld_dbus_filter_bridge and
nwfilterFirewalldDBusFilter callback functions to help us dynamic
change the validating backend.
Signed-off-by: Luyao Huang <lhuang(a)redhat.com>
---
src/libvirt_private.syms | 1 +
src/network/bridge_driver.c | 6 ++++++
src/nwfilter/nwfilter_driver.c | 6 ++++++
src/util/virfirewall.c | 8 ++++++++
src/util/virfirewall.h | 2 ++
5 files changed, 23 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index f7f8ea2..dd953b2 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1386,6 +1386,7 @@ virFirewallAddRuleFull;
virFirewallApply;
virFirewallFree;
virFirewallNew;
+virFirewallRecheckBackend;
virFirewallRemoveRule;
virFirewallRuleAddArg;
virFirewallRuleAddArgFormat;
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index c56e8f2..c0e77e6 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -60,6 +60,7 @@
#include "viruuid.h"
#include "viriptables.h"
#include "virlog.h"
+#include "virfirewall.h"
#include "virdnsmasq.h"
#include "configmake.h"
#include "virnetdev.h"
@@ -448,6 +449,11 @@ firewalld_dbus_filter_bridge(DBusConnection *connection
ATTRIBUTE_UNUSED,
DBusMessage *message, void *user_data ATTRIBUTE_UNUSED)
{
if (dbus_message_is_signal(message, DBUS_INTERFACE_DBUS,
+ "NameOwnerChanged")) {
+ virFirewallRecheckBackend();
+ }
+
+ if (dbus_message_is_signal(message, DBUS_INTERFACE_DBUS,
"NameOwnerChanged") ||
dbus_message_is_signal(message, "org.fedoraproject.FirewallD1",
"Reloaded"))
diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c
index 8e3db43..5f8c48d 100644
--- a/src/nwfilter/nwfilter_driver.c
+++ b/src/nwfilter/nwfilter_driver.c
@@ -29,6 +29,7 @@
#include "virdbus.h"
#include "virlog.h"
+#include "virfirewall.h"
#include "internal.h"
@@ -87,6 +88,11 @@ nwfilterFirewalldDBusFilter(DBusConnection *connection
ATTRIBUTE_UNUSED,
void *user_data ATTRIBUTE_UNUSED)
{
if (dbus_message_is_signal(message, DBUS_INTERFACE_DBUS,
+ "NameOwnerChanged")) {
+ virFirewallRecheckBackend();
+ }
+
+ if (dbus_message_is_signal(message, DBUS_INTERFACE_DBUS,
"NameOwnerChanged") ||
dbus_message_is_signal(message, "org.fedoraproject.FirewallD1",
"Reloaded")) {
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index cd7afa5..ae00816 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -980,3 +980,11 @@ virFirewallApply(virFirewallPtr firewall)
virMutexUnlock(&ruleLock);
return ret;
}
+
+int
+virFirewallRecheckBackend(void)
+{
+ currentBackend = VIR_FIREWALL_BACKEND_AUTOMATIC;
+
+ return virFirewallValidateBackend(currentBackend);
+}
diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h
index dbf3975..fa4bd8b 100644
--- a/src/util/virfirewall.h
+++ b/src/util/virfirewall.h
@@ -108,4 +108,6 @@ int virFirewallApply(virFirewallPtr firewall);
void virFirewallSetLockOverride(bool avoid);
+int virFirewallRecheckBackend(void);
+
#endif /* __VIR_FIREWALL_H__ */
--
1.8.3.1
5:38 a.m.
On Mon, Feb 02, 2015 at 11:40:44AM +0800, Luyao Huang wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=1188088
When the firewalld is running and then start the libvirtd, libvirt
will set the current backend as VIR_FIREWALL_BACKEND_FIREWALLD.
But when firewalld is stop, we still try to use firewalld even it
is stopped, this will make the vm which has nwfilter cannot start
because systemd cannot find a running firewalld service.
We already have a Dbus callback functions before, add a recheck for
the validating backend in firewalld_dbus_filter_bridge and
nwfilterFirewalldDBusFilter callback functions to help us dynamic
change the validating backend.
NACK, this is not desirable IMHO. Just because firewalld is stopped
does not imply that it should not be used by libvirt. It may simply
be in the process of being restarted, either by the admin or due to
an RPM upgrade. Switching a host between firewalld & non-firewalld
managmenet is not something that is typically done - the decision
to use firewalld is something taken at time of initial provisioning.
So I don't think libvirt should optimize for that scenario. We should
optimize for a host always using one or the other exclusively and not
try to dynamically switch.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
5:46 a.m.
On 02/02/2015 07:38 PM, Daniel P. Berrange wrote:
On Mon, Feb 02, 2015 at 11:40:44AM +0800, Luyao Huang wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1188088
>
> When the firewalld is running and then start the libvirtd, libvirt
> will set the current backend as VIR_FIREWALL_BACKEND_FIREWALLD.
> But when firewalld is stop, we still try to use firewalld even it
> is stopped, this will make the vm which has nwfilter cannot start
> because systemd cannot find a running firewalld service.
>
> We already have a Dbus callback functions before, add a recheck for
> the validating backend in firewalld_dbus_filter_bridge and
> nwfilterFirewalldDBusFilter callback functions to help us dynamic
> change the validating backend.
NACK, this is not desirable IMHO. Just because firewalld is stopped
does not imply that it should not be used by libvirt. It may simply
be in the process of being restarted, either by the admin or due to
an RPM upgrade. Switching a host between firewalld & non-firewalld
managmenet is not something that is typically done - the decision
to use firewalld is something taken at time of initial provisioning.
So I don't think libvirt should optimize for that scenario. We should
optimize for a host always using one or the other exclusively and not
try to dynamically switch.
Got it, i hadn't thought about this when i wrote this patch.
And thanks a lot for your clearly explanation.
Regards,
Daniel
Luyao
3581
days inactive
3581
days old
2 comments
2 participants
participants (2)
-
Daniel P. Berrange -
Luyao Huang