[libvirt] [PATCH] network: only reload firewall after firewalld is finished restarting

Laine Stump laine at laine.org
Fri Apr 12 16:09:09 UTC 2019


On 4/12/19 11:57 AM, Daniel P. Berrangé wrote:
> On Fri, Apr 12, 2019 at 11:35:13AM -0400, Laine Stump wrote:
>> The network driver used to reload the firewall rules whenever a dbus
>> NameOwnerChanged message for org.fedoraproject.FirewallD1 was
>> received. Presumably at some point in the past this was successful at
>> reloading our rules after a firewalld restart. Recently though I
>> noticed that once firewalld was restarted, libvirt's logs would get this
>> message:
>>
>>    The name org.fedoraproject.FirewallD1 was not provided by any .service files
>>
>> After this point, no networks could be started until libvirtd itself
>> was restarted.
>>
>> The problem is that the NameOwnerChanged message is sent twice during
>> a firewalld restart - once when the old firewalld is stopped, and
>> again when the new firewalld is started. If we try to reload at the
>> point the old firewalld is stopped, none of the firewalld dbus calls
>> will succeed.
>>
>> The solution is to check the new_owner field of the message - we
>> should reload our firewall rules only if new_owner is non-empty (it is
>> set to "" when firewalld is stopped, and some sort of epoch number
>> when it is again started).
>>
>> Signed-off-by: Laine Stump <laine at laine.org>
>> ---
>>   src/network/bridge_driver.c | 19 +++++++++++++++++--
>>   1 file changed, 17 insertions(+), 2 deletions(-)
>>
>> diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
>> index 4d4ab0f375..167c142ae2 100644
>> --- a/src/network/bridge_driver.c
>> +++ b/src/network/bridge_driver.c
>> @@ -549,8 +549,23 @@ firewalld_dbus_filter_bridge(DBusConnection *connection ATTRIBUTE_UNUSED,
>>           dbus_message_is_signal(message, "org.fedoraproject.FirewallD1",
>>                                  "Reloaded"))
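Review bot: the condition ending at the top of this hunk (`dbus_message_is_signal(message, "org.fedoraproject.FirewallD1", "Reloaded")`) makes one branch handle both the org.freedesktop.DBus NameOwnerChanged signal and firewalld's own Reloaded signal, so any decoding of the (name, old_owner, new_owner) arguments added below it has to be restricted to the NameOwnerChanged case; the Reloaded signal does not carry that argument triple. Suggest splitting the `if` into two branches: the new_owner check (reload only when non-empty) under NameOwnerChanged, and an unconditional reload under Reloaded.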
> This code path can be run for 2 different signals. You must only do the
> Decode step for the NameOwnerChanged signal, not the Reloaded signal.


Ah, right. Okay, time for V2.
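The decision the thread converges on (reload only when NameOwnerChanged reports a non-empty new_owner, decode the owner arguments only for that signal, and still reload on firewalld's Reloaded signal) is shown below as an added example. It is not libvirt's code: it models the filter without libdbus so it runs stand-alone, and the `fake_signal` struct, the helper names and the ":1.42"/":1.57" style owner values are constructed for the example.

```c
/* Added example, not libvirt's firewalld_dbus_filter_bridge(). It models the
 * reload decision for the two D-Bus signals the network driver listens for,
 * with a constructed message struct instead of a real DBusMessage. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIREWALLD_BUS_NAME "org.fedoraproject.FirewallD1"
#define DBUS_IFACE "org.freedesktop.DBus"

/* Stand-in for a D-Bus signal: interface, member and its string arguments.
 * (Assumed layout for the example; libdbus would give a DBusMessage.) */
typedef struct {
    const char *interface;
    const char *member;
    const char **args;
    size_t nargs;
} fake_signal;

/* Returns true when the network driver should reload its firewall rules.
 * NameOwnerChanged for firewalld triggers a reload only when new_owner is
 * non-empty: "" means the old firewalld just stopped and its D-Bus API is
 * gone, so calling it now would fail. The owner arguments are decoded only
 * in the NameOwnerChanged branch; Reloaded has no such arguments and simply
 * means firewalld re-applied its rules, so ours must be re-added too. */
bool firewall_should_reload(const fake_signal *msg)
{
    if (strcmp(msg->interface, DBUS_IFACE) == 0 &&
        strcmp(msg->member, "NameOwnerChanged") == 0) {
        /* Argument triple is (name, old_owner, new_owner). */
        if (msg->nargs != 3) {
            fprintf(stderr, "malformed NameOwnerChanged: %zu args\n",
                    msg->nargs);
            return false;
        }
        if (strcmp(msg->args[0], FIREWALLD_BUS_NAME) != 0)
            return false;               /* some other bus name changed */
        return msg->args[2][0] != '\0'; /* "" => firewalld stopped */
    }
    if (strcmp(msg->interface, FIREWALLD_BUS_NAME) == 0 &&
        strcmp(msg->member, "Reloaded") == 0)
        return true;
    return false;
}

/* Simulates a firewalld restart as the two NameOwnerChanged signals the
 * commit message describes (constructed values) and counts the reloads. */
int reloads_during_restart(void)
{
    const char *stopped[] = { FIREWALLD_BUS_NAME, ":1.42", "" };
    const char *started[] = { FIREWALLD_BUS_NAME, "", ":1.57" };
    const fake_signal seq[] = {
        { DBUS_IFACE, "NameOwnerChanged", stopped, 3 },
        { DBUS_IFACE, "NameOwnerChanged", started, 3 },
    };
    int n = 0;
    for (size_t i = 0; i < sizeof(seq) / sizeof(seq[0]); i++)
        if (firewall_should_reload(&seq[i]))
            n++;
    return n;
}

int main(void)
{
    printf("reloads during a firewalld restart: %d (expected 1)\n",
           reloads_during_restart());
    return 0;
}
```

Without the new_owner check the first signal of the pair would trigger a reload against a firewalld that is no longer on the bus, which is the "was not provided by any .service files" failure the patch description reports.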
