FS#59749 - [firewalld] Linux 4.18.3.arch1-1 breaks libvirtd/qemu networking (DHCP)
Attached to Project:
Community Packages
Opened by wzrd tales (wzrdtales) - Wednesday, 22 August 2018, 09:41 GMT
Last edited by freswa (frederik) - Wednesday, 14 October 2020, 20:50 GMT
Details
Description:
Upgrading to Linux 4.18.3.arch1-1 and all packages related to that upgrade breaks libvirtd/qemu networking. When the VM gets started it gets stuck while requesting an IP via DHCP and it is not possible to get any IP anymore.
Additional info:
Package downgrade that fixed the problem:
[2018-08-22 11:31] [ALPM] downgraded linux (4.18.3.arch1-1 -> 4.17.14.arch1-1)
[2018-08-22 11:31] [ALPM] downgraded tp_smapi (0.43-49 -> 0.43-45)
[2018-08-22 11:31] [ALPM] downgraded acpi_call (1.1.0-155 -> 1.1.0-151)
[2018-08-22 11:31] [ALPM] downgraded virtualbox-host-modules-arch (5.2.18-5 -> 5.2.16-11)
Couldn't find any errors in the logs.
Steps to reproduce:
Upgrade to Linux 4.18.3.arch1-1, create a VM with default networking, try to get an IP via DHCP.
dns + dhcp broken => dnsmasq problem?
I haven't tested downgrading yet but I thought I should mention it.
To reproduce, try starting and connecting to a random docker container and doing package upgrades.
Downgrading to kernel version 4.17.14 also solved the issue for me
I noticed that upon disabling firewalld this machine would once again function normally, DHCP would execute successfully and the machine had full networking capabilities. Once I re-enabled firewalld and restarted the machine DHCP would fail again.
I also have a server with several docker containers which also appear to be affected. I was able to temporarily fix the issue on my desktop by downgrading the Linux and Linux Headers packages to 4.17.
It somehow fails to forward packages originating from a virtual Ethernet bridge like "docker0" to their destination.
I went and opened a bug for the firewalld package. This task can be closed IMO.
firewall-cmd --zone=public --change-interface=virbr0 --permanent
Also add the "dns" and "dhcp" services to this zone (I did this through firewall-config).
By changing the backend back to iptables, DHCP works in my libvirt, and I assume will work with docker as well. However, this is still just a workaround. The issue then is that the combination of libvirt/docker and firewalld running on top of nftables doesn't seem to work.
FYI changing the backend to iptables as apophys suggested did the trick for me too.
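One way to inspect and make the backend switch described in the comments above, as an added example that is not part of the original thread. It assumes firewalld reads the FirewallBackend key from /etc/firewalld/firewalld.conf (firewalld 0.6.0 and later); the function names get_backend and set_backend are hypothetical.

```shell
#!/bin/sh
# Added example: read and change firewalld's FirewallBackend setting.
# Both functions take an optional config path (assumed default below),
# so they can be tried on a copy before touching the live file.

# Print the active FirewallBackend value, or "unset" if the key is absent.
# Commented-out lines such as "#FirewallBackend=..." are ignored.
get_backend() {
    conf=${1:-/etc/firewalld/firewalld.conf}
    value=$(sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$conf" | tail -n 1)
    printf '%s\n' "${value:-unset}"
}

# Set FirewallBackend to iptables or nftables, leaving a .bak copy of the
# previous file. Appends the key if the file does not define it yet.
set_backend() {
    backend=$1
    conf=${2:-/etc/firewalld/firewalld.conf}
    case $backend in
        iptables|nftables) ;;
        *) echo "unsupported backend: $backend" >&2; return 2 ;;
    esac
    cp -p "$conf" "$conf.bak" || return 1
    if grep -q '^[[:space:]]*FirewallBackend[[:space:]]*=' "$conf"; then
        sed "s/^[[:space:]]*FirewallBackend[[:space:]]*=.*/FirewallBackend=$backend/" \
            "$conf.bak" > "$conf"
    else
        printf 'FirewallBackend=%s\n' "$backend" >> "$conf"
    fi
}

# Usage: sh backend.sh show
#        sh backend.sh set iptables   (as root)
case ${1:-} in
    show) get_backend ;;
    set)  set_backend "$2" && echo "now run: systemctl restart firewalld" ;;
esac
```

The change only takes effect after firewalld is restarted; the rules for virbr0 or docker0 are then rebuilt under the selected backend.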