Bug#938929: Dependency problem with iptables and libvirt-daemon-system

Julian Hyordey

Aug 30, 2019, 6:50:03 AM
Package: libvirt-daemon-system
Version: 5.0.0-4
Severity: grave
File: /usr/sbin/libvirtd

apt show libvirt-daemon-system
Package: libvirt-daemon-system
Version: 5.0.0-4
Priority: optional
Section: admin
Source: libvirt
Maintainer: Debian Libvirt Maintainers <pkg-libvirt...@lists.alioth.debian.org>
Installed-Size: 466 kB
Depends: debconf (>= 0.5) | debconf-2.0, libacl1 (>= 2.2.23), libapparmor1 (>= 2.6~devel), libaudit1 (>= 1:2.2.1), libblkid1 (>= 2.16), libc6 (>= 2.14), libcap-ng0 (>= 0.7.9), libdbus-1-3 (>= 1.9.14), libdevmapper1.02.1 (>= 2:1.02.20), libgnutls30 (>= 3.6.5), libnl-3-200 (>= 3.2.7), libnl-route-3-200 (>= 3.2.7), libnuma1 (>= 2.0.11), libselinux1 (>= 2.0.82), libvirt0 (>= 5.0.0), libxml2 (>= 2.7.4), libyajl2 (>= 2.0.4), adduser, gettext-base, lsb-base, libvirt-clients (= 5.0.0-4), libvirt-daemon (= 5.0.0-4), iptables (>= 1.8.1-1) | firewalld, logrotate, policykit-1
[...]
 .
So if I want to migrate from iptables to nftables on my KVM hypervisor, I can't remove iptables without removing libvirt-daemon-system. A bit annoying for a hypervisor.

Maybe linked to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935313 ?  Not sure, so I submit.

Regards,

Ivo De Decker

Mar 22, 2020, 2:50:03 PM
Control: severity -1 normal
Control: tags -1 moreinfo

Hi,

On Fri, Aug 30, 2019 at 12:45:16PM +0200, Julian Hyordey wrote:
> apt show libvirt-daemon-system
> Package: libvirt-daemon-system
> Version: 5.0.0-4
> Priority: optional
> Section: admin
> Source: libvirt
> Maintainer: Debian Libvirt Maintainers <
> pkg-libvirt...@lists.alioth.debian.org>
> Installed-Size: 466 kB
> Depends: debconf (>= 0.5) | debconf-2.0, libacl1 (>= 2.2.23), libapparmor1 (>=
> 2.6~devel), libaudit1 (>= 1:2.2.1), libblkid1 (>= 2.16), libc6 (>= 2.14),
> libcap-ng0 (>= 0.7.9), libdbus-1-3 (>= 1.9.14), libdevmapper1.02.1 (>=
> 2:1.02.20), libgnutls30 (>= 3.6.5), libnl-3-200 (>= 3.2.7), libnl-route-3-200
> (>= 3.2.7), libnuma1 (>= 2.0.11), libselinux1 (>= 2.0.82), libvirt0 (>= 5.0.0),
> libxml2 (>= 2.7.4), libyajl2 (>= 2.0.4), adduser, gettext-base, lsb-base,
> libvirt-clients (= 5.0.0-4), libvirt-daemon (= 5.0.0-4), iptables (>= 1.8.1-1)
> | firewalld, logrotate, policykit-1
> [...]
>  .
> So if I want to migrate from iptables to nftables on my KVM hypervisor, I can't
> remove iptables without removing libvirt-daemon-system. A bit annoying for a
> hypervisor.

Can't you just install nftables, use it, and leave iptables installed?

Ivo

Willem van den Akker

Mar 31, 2020, 2:30:02 AM
Same here.

Removing IPtables also removes libvirt-daemon-system. If you want a
hardened system all packages which are not used must be removed.
So leaving IPtables installed is not an option.

The following packages will be REMOVED:
iptables* libvirt-daemon-system*
0 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
After this operation, 3,063 kB disk space will be freed.

I am using:
ii libvirt-daemon-system 6.0.0-4
ii libvirt-daemon-system-systemd 6.0.0-4

/W

Marcio Demetrio Bacci

Aug 27, 2020, 11:00:04 PM
Dear Maintainer

Today I updated my Debian to version 10.5 that replaced iptables with nftables. When removing iptables the libvirt package was also removed and I can no longer reinstall it due to dependence on iptables.

I have installed ebtables, but it doesn't solve this problem.

My System is: SMP Debian 5.6.14-2~bpo10+1 (2020-06-09) x86_64 GNU/Linux


Regards,

Márcio Bacci

Daniel

Dec 18, 2021, 10:50:04 AM
Dear maintainer,

this problem still exists with Debian 11.2 and is really annoying.
VMs are not started because network is not up. While starting the
network we get

virsh# net-start route

erreur :Impossible de démarrer le réseau route
erreur :internal error: Failed to apply firewall rules
/usr/sbin/iptables -w --table filter --list-rules: # Warning:
iptables-legacy tables present, use iptables-legacy to see them
iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.

Same info for ip6tables.

We are using nftables and loading rules on boot with
nft flush ruleset && nft -f rules.file
If we remove iptables, libvirt-daemon-system is removed too!

To get everything working well again after a reboot:

virsh# exit
sudo systemctl stop libvirtd
sudo nft flush ruleset
sudo apt reinstall libvirt-daemon-system (which will reinstall iptables too)
sudo systemctl start libvirtd
sudo virsh
virsh# net-start route

and now we can start all our VMs manually. Not quite what we expected
when switching to nftables :(

Thanks for your feedback
--
Daniel

Maximilian Wilhelm

Oct 9, 2022, 2:00:03 PM
Hey folks,

just set up a new KVM host on Bullseye and ran into the same problems.
Our automation purges iptables after setting up nftables to have a clean
slate, which also would remove libvirt-daemon-system here.

As I don't use any networking related features offered by libvirt I
would consider it great if there wouldn't be a hard dependency on any
related packages. Maybe the dependency on iptables could become a
recommends?

Thanks and best regards,
Max

Patrick Schleizer

Jul 26, 2023, 8:40:04 AM
libvirt upstream has not depended on iptables for years.

source:
https://gitlab.com/libvirt/libvirt/-/issues/406#note_1176654618

Should be trivial and safe to switch to nftables?

Diederik de Haas

Dec 7, 2023, 1:50:05 PM
Next to the Build-Depends on iptables, there's also an explicit Depends added
to the libvirt-daemon-system binary package.

I think it would be good to switch both to nftables, especially now that we're
(still) in the middle of the Trixie development cycle. Or at least add
nftables as (preferred) optional dependency to iptables.
*If* any issues pop up, there's plenty of time to fix it.

Now almost 5 years ago, the iptables package added the following to its
Description: "The iptables/xtables framework has been replaced by nftables.
You should consider migrating now."
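
Added example, not part of the original thread or of the Debian packaging: a small parser for the Depends line quoted in the first message, showing why purging iptables takes libvirt-daemon-system with it. The only clause that mentions iptables is the alternative group `iptables (>= 1.8.1-1) | firewalld`, and nftables is not one of its alternatives. The installed-package sets are constructed sample data, the Depends string is shortened to the relevant entries, and version constraints are parsed but not evaluated.

```python
import re

# Depends line as quoted in the report, shortened to the entries relevant here.
DEPENDS = ("adduser, gettext-base, lsb-base, libvirt-clients (= 5.0.0-4), "
           "libvirt-daemon (= 5.0.0-4), iptables (>= 1.8.1-1) | firewalld, "
           "logrotate, policykit-1")

# One alternative: package name, optional ":arch", optional "(op version)".
ALT_RE = re.compile(
    r"\s*([a-z0-9][a-z0-9+.\-]+)(?::\w+)?\s*"
    r"(?:\(\s*(<<|<=|=|>=|>>)\s*([^)\s]+)\s*\))?\s*")

def parse_depends(field):
    """Split a Depends field into AND-groups of OR-alternatives.

    Returns a list of groups; each group is a list of (name, op, version)
    tuples, with op and version set to None when there is no constraint.
    """
    groups = []
    for clause in field.split(","):
        alts = []
        for alt in clause.split("|"):
            m = ALT_RE.fullmatch(alt)
            if not m:
                raise ValueError(f"unparseable dependency: {alt!r}")
            alts.append(m.groups())
        groups.append(alts)
    return groups

def broken_groups(field, installed):
    """Return the alternative groups that no installed package satisfies.

    Only package presence is checked; version constraints are ignored.
    """
    return [[name for name, _, _ in group]
            for group in parse_depends(field)
            if not any(name in installed for name, _, _ in group)]

# Constructed sample: a host with every dependency present via iptables.
INSTALLED = {"adduser", "gettext-base", "lsb-base", "libvirt-clients",
             "libvirt-daemon", "iptables", "logrotate", "policykit-1"}

if __name__ == "__main__":
    print(broken_groups(DEPENDS, INSTALLED))                  # nothing broken
    print(broken_groups(DEPENDS, INSTALLED - {"iptables"}))   # iptables purged
    print(broken_groups(DEPENDS, (INSTALLED - {"iptables"}) | {"nftables"}))
```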