libvirt: 6.6.0 -> 6.8.0 #109332
The previous commit updates to a newer libvirt with a newer build setup. This commit carries forward that work into a mergeable state. Based on the suggestion in NixOS#103309 (comment), I did a fwupd-like patch for the various meson.build files.
@GrahamcOfBorg test podman
diff LGTM, assuming tests pass
I think the patch should be upstreamed, seems to just be restoring functionality which was available in their autotools toolchain.
failures are broken on master
I think the libvirtd firewall rules are broken after this change. My VMs cannot access Internet.
Hi @euank, Look at the comment in nftables ruleset:
I override nftables package's withXtables to true. Now the output of And I find out VM's internet connection problem is caused by conflicts between iptables and nftables. iptables DROPs forwarded packets and it can override nftables rules. When I tell iptables to allow forwarded packets, the VMs can access Internet.
My iptables' forward policy is DROP. It conflicts with nftables, so nftables is not working well. According to 1, mixing iptables and nftables is problematic. The default firewall in NixOS is still iptables, so I think other people will also be affected by the problem. We should either warn people about the problem or revert back to iptables for now.
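An added check, not from this PR or from nixpkgs, for the mixed-backend conflict the comments above describe: it parses captured `iptables -S FORWARD` and `nft list ruleset` output (constructed samples; the nft table and chain names are assumed) and flags an iptables FORWARD policy of DROP sitting alongside nftables forward rules that accept guest-bridge traffic.

```python
import re
from typing import List, Optional

# Constructed sample of `iptables -S FORWARD` on a host whose system firewall
# (the default NixOS one is iptables-based) sets the FORWARD policy to DROP.
IPTABLES_FORWARD = "-P FORWARD DROP\n-A FORWARD -i lo -j ACCEPT\n"

# Constructed sample of `nft list ruleset`; table/chain names are assumed.
NFT_RULESET = """\
table ip guest_fwd {
    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "virbr0" accept
    }
}
"""

def iptables_forward_policy(iptables_s: str) -> Optional[str]:
    """FORWARD chain policy (ACCEPT/DROP) from `iptables -S FORWARD` output."""
    for line in iptables_s.splitlines():
        m = re.match(r"-P FORWARD (\S+)", line.strip())
        if m:
            return m.group(1)
    return None

def nft_forward_accept_ifaces(nft_ruleset: str) -> List[str]:
    """Interfaces accepted by rules inside nftables forward-hook chains only."""
    ifaces: List[str] = []
    in_forward_chain = False
    for raw in nft_ruleset.splitlines():
        line = raw.strip()
        if line.startswith("chain "):
            in_forward_chain = False      # new chain: wait for its hook line
        elif line.startswith("type filter hook forward"):
            in_forward_chain = True
        elif in_forward_chain and line.endswith(" accept"):
            m = re.match(r'[io]ifname "([^"]+)"', line)
            if m and m.group(1) not in ifaces:
                ifaces.append(m.group(1))
    return ifaces

def find_conflict(iptables_s: str, nft_ruleset: str) -> Optional[str]:
    """Both rulesets are evaluated on the forward path; a DROP in either wins,
    so nft accept rules cannot override an iptables FORWARD policy of DROP."""
    policy = iptables_forward_policy(iptables_s)
    ifaces = nft_forward_accept_ifaces(nft_ruleset)
    if policy == "DROP" and ifaces:
        return "iptables FORWARD policy DROP overrides nft accept for " + ", ".join(ifaces)
    return None
```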
Per a comment on the PR that made this change, it turns out to cause issues in some cases: NixOS#109332 (comment) For now, let's revert back. Presumably the issues derive from the system iptables not matching libvirt's iptables. In the future, NixOS#81172 should move us back into the future, and I'm perfectly fine waiting for that PR to handle this separately.
Motivation for this change
This PR carries forward #103309 with the same motivation (fixes a bug in libvirt that causes it to fail to start on non-btrfs setups).
Extra notes
There are a few odd things about this package still. The meson build patch is pretty intrusive, but I'm overall okay with that one I think.
The fact that it uses /var/lib instead of /etc for sysconfdir is also a little abnormal. The reason I'm leaving it like that is because the nixos module expects it, and I think it may be better to update the module separately from this meson-build-system change.
I've only done minimal testing of this, specifically the following:
Of course, that's still better than 6.6.0 for me since 6.6.0 couldn't even get to the point of creating a disk image due to a bug, let alone booting something.
Things done
- Tested using sandboxing (sandbox in nix.conf on non-NixOS linux)
- Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
- Tested execution of all binary files (usually in ./result/bin/)
- Determined the impact on package closure size (by running nix path-info -S before and after)