libvirt: don't use iptables-nftables #109722
I have found out what caused the problem. See #109332 (comment)
@pmeiyu Thanks for digging into the problem more. Based on that, I think this PR (reverting back from iptables-nftables to iptables-legacy for now) seems right. You should be able to test it locally on NixOS with something like:

    nixpkgs.overlays = [
      (super: self: { libvirt = (import (builtins.fetchTarball "https://github.com/NixOS/nixpkgs/archive/066676b839a217f6b1b5d8ab05842604d33b7258.tar.gz") {}).libvirt; })
    ];

in
I have tested this code snippet and can confirm libvirt's firewall is back to normal. Thank you. @euank
This is a semi-automatic executed nixpkgs-review which is checked by a human on a best effort basis and does not build all packages (e.g. lumo, tensorflow or pytorch). Result of 1 package built:
The following issues got detected with the above build packages. libvirt: Please consider this feature to be alpha. A substituteInPlace with an unused --replace got detected:
Please check the offending substituteInPlace for typos or changes in source.
066676b to 690de2e
Thanks for running that / catching that issue, @SuperSandro2000; I updated the replace to match upstream quoting changes.
I have hoped to catch such issues with that feature and the time I invested was already worth it!
This is a semi-automatic executed nixpkgs-review which is checked by a human on a best effort basis and does not build all packages (e.g. lumo, tensorflow or pytorch). Result of 1 package failed to build and already failed to build on hydra master:
30 packages built:
Tested and works. sudo systemctl restart libvirtd if you want to skip a full reboot.
@Mic92 Can you please take another look at this?
Looks fine, and my VM has internet again.
In case you still want the extra data points: I had the same problem and this fixes it for me too.
690de2e to 67d7400
Rebased due to a merge conflict; the rebase was trivial, but I didn't rebuild the package yet since master right now has changes that basically require rebuilding the whole world, so I'll wait on hydra.
@euank The changes got reverted I think.
Per a comment on the PR that made this change, it turns out to cause issues in some cases: NixOS#109332 (comment) For now, let's revert back. Presumably the issues derive from the system iptables not matching libvirt's iptables. In the future, NixOS#81172 should move us back into the future, and I'm perfectly fine waiting for that PR to handle this separately.
67d7400 to f0b1cdb
Ah, yup, thanks for the heads up @mohe2015!
Motivation for this change
Per a comment on the PR that made this change, it turns out to cause
issues in some cases: #109332 (comment)
For now, let's revert back. Presumably the issues derive from the system
iptables not matching libvirt's iptables.
In the future, #81172 should move us back into the future, and I'm
perfectly fine waiting for that PR to handle this separately.
I'm marking this as a draft until I confirm this fixes the reporter's issue.