Bug 1509894 - guest network is disconnected after firewalld is started
Summary: guest network is disconnected after firewalld is started
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.5
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Laine Stump
QA Contact: yalzhang@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-06 09:46 UTC by Dan Zheng
Modified: 2017-11-30 20:01 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-30 20:01:29 UTC



Description Dan Zheng 2017-11-06 09:46:11 UTC
Description of problem:
Guest lost connection after firewalld is started.

Version-Release number of selected component (if applicable):
libvirt-3.9.0-1.el7.x86_64
qemu-kvm-rhev-2.10.0-4.el7.x86_64
kernel-3.10.0-771.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1.
# virsh net-list --all
 Name                 State      Autostart     Persistent
----------------------------------------------------------
 default              active     yes           yes

# systemctl status libvirtd
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2017-11-06 02:40:27 EST; 1h 4min ago
     Docs: man:libvirtd(8)
 Main PID: 20612 (libvirtd)
    Tasks: 20 (limit: 32768)
   CGroup: /system.slice/libvirtd.service
           ├─19852 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
           ├─19853 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
           └─20612 /usr/sbin/libvirtd

# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

...


2. Start the guest; the guest works fine.
In guest:
# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.122.181  netmask 255.255.255.0  broadcast 192.168.122.255
        inet6 fe80::5054:ff:fe3f:6094  prefixlen 64  scopeid 0x20<link>

# ping www.baidu.com
PING www.wshifen.com (104.193.88.123) 56(84) bytes of data.
64 bytes from 104.193.88.123 (104.193.88.123): icmp_seq=1 ttl=42 time=117 ms
64 bytes from 104.193.88.123 (104.193.88.123): icmp_seq=2 ttl=42 time=117 ms
64 bytes from 104.193.88.123 (104.193.88.123): icmp_seq=3 ttl=42 time=117 ms


3. Start the firewalld service, check the iptables rules, and find that 2 rules of libvirt are changed to those between the star lines.
# systemctl start firewalld
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
INPUT_direct  all  --  anywhere             anywhere            
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
INPUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination      
**********************************************************   
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere         
**********************************************************   
FORWARD_direct  all  --  anywhere             anywhere            
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_IN_ZONES  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

4.
In guest:
# ping www.baidu.com
ping: www.baidu.com: Name or service not known


5. Destroy the guest, change the MAC, and restart the guest; then the guest cannot get an IP.
In guest:
# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::5054:ff:fe3f:6095  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:3f:60:95  txqueuelen 1000  (Ethernet)
        RX packets 52  bytes 2898 (2.8 KiB)
        RX errors 0  dropped 6  overruns 0  frame 0

# dhclient -v
Internet Systems Consortium DHCP Client 4.2.5
Copyright 2004-2013 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/eth0/52:54:00:3f:60:95
Sending on   LPF/eth0/52:54:00:3f:60:95
Sending on   Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 7 (xid=0x636dfacb)
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 8 (xid=0x636dfacb)
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 14 (xid=0x636dfacb)
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 9 (xid=0x636dfacb)
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 9 (xid=0x636dfacb)
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 9 (xid=0x636dfacb)
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 5 (xid=0x636dfacb)
No DHCPOFFERS received.
No working leases in persistent database - sleeping.

Actual results:
Guest loses network connection

Expected results:
Guest should be able to connect to the network.

Additional info:

Comment 2 Jaroslav Suchanek 2017-11-24 16:37:41 UTC
I assume that having firewalld enabled/disabled during libvirtd life is not
the best approach. Already commented here:
https://bugzilla.redhat.com/show_bug.cgi?id=1188088#c1

Laine, please confirm. Thanks.

Comment 3 Laine Stump 2017-11-30 20:01:29 UTC
If firewalld is enabled when you start libvirtd, then you need to keep it enabled or there will be problems with networking (it should continue working properly if you restart firewalld, you just can't leave it disabled).

Likewise, if firewalld is *disabled* when you start libvirtd (as is the case here) then you need to keep it disabled, since libvirtd will have set a bunch of iptables rules that firewalld won't know about (because they were added prior to firewalld being restarted), and firewalld will add its own rules in the wrong place relative to libvirtd's rules, and could even delete rules that had been added by libvirtd.
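
The ordering problem described above (libvirt's FORWARD rules must stay ahead of firewalld's zone dispatch, and a firewalld start after libvirtd can remove them outright) can be checked from the "iptables -L" output shown in the reproduction steps. The script below is an added example, not code from this bug report, from libvirt or from firewalld. It parses the listing format seen in steps 1 and 3 and reports, for the subnet of libvirt's default network (192.168.122.0/24, taken from the report), whether its FORWARD rules are missing, are placed after firewalld's FORWARD_* jumps, or are in the expected order. The three listings embedded in it are constructed: the first two are copied from the before/after output in the report, and the third is a hypothetical ordering written only to exercise the "shadowed" case.

```python
"""Check the position of libvirt's per-network FORWARD rules relative to
firewalld's chain jumps in `iptables -L` output (added example)."""

# Subnet of libvirt's default network, as shown in the bug report.
LIBVIRT_SUBNET = "192.168.122.0/24"

# Constructed from step 1 of the report (firewalld stopped, rules intact).
BEFORE_FIREWALLD = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
"""

# Constructed from step 3 of the report (firewalld started after libvirtd).
AFTER_FIREWALLD = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
FORWARD_direct  all  --  anywhere             anywhere
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_IN_ZONES  all  --  anywhere             anywhere
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_OUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
"""

# Hypothetical ordering (not from the report): libvirt's rules survive but sit
# behind firewalld's zone jumps, so firewalld's zone logic sees the traffic first.
SHADOWED_ORDER = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
FORWARD_direct  all  --  anywhere             anywhere
FORWARD_IN_ZONES  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
"""


def parse_chain(listing, chain):
    """Return the rules of one chain from `iptables -L` text as dicts, in order."""
    rules = []
    in_chain = False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        stripped = line.strip()
        # Skip blank lines, the column header, and decorative marker lines.
        if not in_chain or not stripped or stripped.startswith(("target", "*")):
            continue
        # Columns: target prot opt source destination [match / option text]
        fields = stripped.split(None, 4)
        if len(fields) < 5:
            continue
        target, prot, _opt, src, rest = fields
        dst, _, extra = rest.strip().partition(" ")
        rules.append({"target": target, "prot": prot, "source": src,
                      "destination": dst, "extra": extra.strip()})
    return rules


def assess_forward_chain(listing, subnet=LIBVIRT_SUBNET):
    """Classify the FORWARD chain as 'ok', 'missing' or 'shadowed'.

    'missing'  - no rule mentions the libvirt subnet (the step-3 situation).
    'shadowed' - a firewalld FORWARD_* jump precedes a libvirt subnet rule.
    'ok'       - libvirt's subnet rules come before any firewalld jump.
    """
    rules = parse_chain(listing, "FORWARD")
    libvirt_pos = [i for i, r in enumerate(rules)
                   if subnet in (r["source"], r["destination"])]
    firewalld_pos = [i for i, r in enumerate(rules)
                     if r["target"].startswith("FORWARD_")]
    if not libvirt_pos:
        return "missing"
    if firewalld_pos and min(firewalld_pos) < max(libvirt_pos):
        return "shadowed"
    return "ok"


if __name__ == "__main__":
    for name, listing in [("before firewalld start", BEFORE_FIREWALLD),
                          ("after firewalld start", AFTER_FIREWALLD),
                          ("firewalld jumps first", SHADOWED_ORDER)]:
        print(f"{name}: {assess_forward_chain(listing)}")
```

On a live host the same check runs over the real listing (for example by reading the output of "iptables -L FORWARD -n" into assess_forward_chain); a "missing" or "shadowed" result after a firewalld start is the condition this report describes, and the remedy Laine gives is to keep firewalld in whichever state it had when libvirtd started, or restart libvirtd so it re-adds its rules.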

