You are not logged in.
- Topics: Active | Unanswered
#1 2018-09-29 10:42:53
- ebal
- Member
- From: Athens, Greece
- Registered: 2009-05-26
- Posts: 224
- Website
libvirt - Failed to initialize a valid firewall backend
Hi all,
I am not quite sure if this is a bug, a config change or a package dependency related story.
Nevertheless, I will post my findings and hopefully through a discussion we can find the truth behind this.
Today 2018/09/29 I updated my desktop pc and it is up2date at current moment.
Libvirt 4.7.0-1 couldnt create bridge interfaces and add the appropriate firewall rules.
Further investigation into the matter showed me a peculiar error virNetDevSendEthtoolIoctl : ethtool ioctl error: No such device
but the virt-manager was complained for Failed to initialize a valid firewall backend so I guessed that these are probably two separated problems.
Below you can find my full investigation. My conclusions are that the latest version of libvirtd needs both ebtables & firewalld although I would love not to use firewalld.
Kernel , libvirt & Qemu/kvm Version
~$ uname -a
Linux myhomepc 4.14.72-1-lts #1 SMP Wed Sep 26 12:31:03 CEST 2018 x86_64 GNU/Linux
~$ pacman -Qi libvirt | egrep ^Version
Version : 4.7.0-1
~$ pacman -Qi qemu | egrep ^Version
Version : 3.0.0-2No Firewalld or ebtables
~$ pacman -Q | egrep -i 'firewalld|ebtables'No Bridges
~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 192.168.0.3/24 brd 192.168.1.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::96de:80ff:fexx:xxxx/64 scope link
valid_lft forever preferred_lft forever
~$ sudo brctl showNo firewall
~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
~$ systemctl status iptables
● iptables.service - Packet Filtering Framework
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: inactive (dead) since Sat 2018-09-29 12:08:44 EEST; 1h 4min ago
Main PID: 495 (code=exited, status=0/SUCCESS)
Sep 29 12:08:44 myhomepc systemd[1]: Stopping Packet Filtering Framework...
Sep 29 12:08:44 myhomepc iptables-flush[1479]: /usr/bin/iptables
Sep 29 12:08:44 myhomepc systemd[1]: Stopped Packet Filtering Framework.No running services:
~$ ps -e fuwww | egrep -i 'dnsmasq|qemu|virt'
ebal 8839 0.0 0.0 8188 2408 pts/1 S+ 13:14 0:00 | | \_ grep -E -i dnsmasq|qemu|virt
~$ systemctl status libvirtd
● libvirtd.service - Virtualization daemon
Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; disabled; vendor preset: disabled)
Active: inactive (dead) since Sat 2018-09-29 13:07:06 EEST; 1min 37s ago
Docs: man:libvirtd(8)
https://libvirt.org
Process: 8434 ExecStart=/usr/bin/libvirtd $LIBVIRTD_ARGS (code=exited, status=0/SUCCESS)
Main PID: 8434 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 32768)
Memory: 5.5M
CGroup: /system.slice/libvirtd.service
Sep 29 13:07:06 myhomepc systemd[1]: Stopping Virtualization daemon...
Sep 29 13:07:06 myhomepc systemd[1]: Stopped Virtualization daemon.
~$ systemctl status virtlockd.socket
● virtlockd.socket - Virtual machine lock manager socket
Loaded: loaded (/usr/lib/systemd/system/virtlockd.socket; disabled; vendor preset: disabled)
Active: active (listening) since Sat 2018-09-29 12:05:22 EEST; 1h 3min ago
Listen: /var/run/libvirt/virtlockd-sock (Stream)
CGroup: /system.slice/virtlockd.socket
Sep 29 13:09:22 myhomepc systemd[1]: Closed Virtual machine lock manager socket.So basically a very clean archlinux box
Starting services
~$ sudo systemctl restart iptables
~$ sudo systemctl restart virtlogd.socket
~$ sudo systemctl restart libvirtdNo virtual bridge !
~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 192.168.0.3/24 brd 192.168.1.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::96de:80ff:fexx:xxxx/64 scope link
valid_lft forever preferred_lft forever
~$ sudo brctl showerrors on Journaclt
~$ sudo journalctl -u libvirtd | tail
Sep 29 13:16:29 myhomepc libvirtd[8890]: 2018-09-29 10:16:29.535+0000: 8912: error : virNetDevSendEthtoolIoctl:3077 : ethtool ioctl error: No such device
Sep 29 13:16:29 myhomepc libvirtd[8890]: 2018-09-29 10:16:29.777+0000: 8907: error : virFirewallApply:902 : internal error: Failed to initialize a valid firewall backend
Sep 29 13:16:29 myhomepc libvirtd[8890]: 2018-09-29 10:16:29.826+0000: 8912: error : virNetDevSendEthtoolIoctl:3077 : ethtool ioctl error: No such device
Sep 29 13:16:29 myhomepc libvirtd[8890]: 2018-09-29 10:16:29.827+0000: 8912: error : virNetDevSendEthtoolIoctl:3077 : ethtool ioctl error: No such device
Sep 29 13:16:29 myhomepc libvirtd[8890]: 2018-09-29 10:16:29.829+0000: 8912: error : virNetDevSendEthtoolIoctl:3077 : ethtool ioctl error: No such device
Sep 29 13:16:29 myhomepc libvirtd[8890]: 2018-09-29 10:16:29.830+0000: 8912: error : virNetDevSendEthtoolIoctl:3077 : ethtool ioctl error: No such device
Sep 29 13:16:29 myhomepc libvirtd[8890]: 2018-09-29 10:16:29.831+0000: 8912: error : virNetDevSendEthtoolIoctl:3077 : ethtool ioctl error: No such device
Sep 29 13:16:29 myhomepc libvirtd[8890]: 2018-09-29 10:16:29.832+0000: 8912: error : virNetDevSendEthtoolIoctl:3077 : ethtool ioctl error: No such device
Sep 29 13:16:29 myhomepc libvirtd[8890]: 2018-09-29 10:16:29.833+0000: 8912: error : virNetDevSendEthtoolIoctl:3077 : ethtool ioctl error: No such device
Sep 29 13:16:29 myhomepc libvirtd[8890]: 2018-09-29 10:16:29.835+0000: 8912: error : virNetDevSendEthtoolIoctl:3077 : ethtool ioctl error: No such deviceInstall ebtables & firewalld
~$ sudo pacman -S ebtables firewalld
resolving dependencies...
looking for conflicting packages...
Package (6) New Version Net Change
extra/python-dbus 1.2.8-2 0.53 MiB
extra/python-dbus-common 1.2.8-2 8.18 MiB
community/python-decorator 4.3.0-2 0.04 MiB
community/python-slip 0.6.5-2 0.12 MiB
extra/ebtables 2.0.10_4-6 0.23 MiB
community/firewalld 0.6.2-1 4.68 MiB
Total Installed Size: 13.78 MiB
:: Proceed with installation? [Y/n] y
(6/6) checking keys in keyring [----------------------------------------------------------------] 100%
(6/6) checking package integrity [----------------------------------------------------------------] 100%
(6/6) loading package files [----------------------------------------------------------------] 100%
(6/6) checking for file conflicts [----------------------------------------------------------------] 100%
(6/6) checking available disk space [----------------------------------------------------------------] 100%
:: Processing package changes...
(1/6) installing ebtables [----------------------------------------------------------------] 100%
(2/6) installing python-decorator [----------------------------------------------------------------] 100%
(3/6) installing python-dbus-common [----------------------------------------------------------------] 100%
(4/6) installing python-dbus [----------------------------------------------------------------] 100%
(5/6) installing python-slip [----------------------------------------------------------------] 100%
(6/6) installing firewalld [----------------------------------------------------------------] 100%
Optional dependencies for firewalld
bash-completion: bash completion [installed]
ebtables: old backend [installed]
gtk3: firewall-config [installed]
ipset: old backend
iptables: old backend [installed]
libnm-glib: firewall-config and firewall-applet
libnotify: firewall-applet [installed]
python-pyqt5: firewall-applet
:: Running post-transaction hooks...
(1/5) Compiling GSettings XML schema files...
(2/5) Updating icon theme caches...
(3/5) Reloading system manager configuration...
(4/5) Arming ConditionNeedsUpdate...and restart libvirtd !
~$ sudo systemctl restart libvirtdvoila !!!
~$ ip a | egrep vir
95: virbr1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
inet 192.168.42.1/24 brd 192.168.42.255 scope global virbr1
96: virbr1-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr1 state DOWN group default qlen 1000
97: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
98: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000firewall rules in place
~$ sudo iptables -nvL | egrep virbr
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT udp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT udp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- virbr1 virbr1 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr1 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr1 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- virbr1 virbr1 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr1 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr1 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT udp -- * virbr1 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT udp -- * virbr1 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68https://balaskas.gr
Linux System Engineer - Registered Linux User #420129
Offline
#2 2018-09-29 17:28:32
- chr0mag
- Member
- From: Vancouver, Canada
- Registered: 2017-02-02
- Posts: 94
Re: libvirt - Failed to initialize a valid firewall backend
It looks like you're running into this bug: https://bugs.archlinux.org/task/60062 .
Offline
#3 2018-10-01 16:59:30
- weenieHut
- Member
- Registered: 2016-10-27
- Posts: 1
Re: libvirt - Failed to initialize a valid firewall backend
Also having this problem. I can get libvirt and virtual networks to start now, but my instantiated VMs no longer have internet access when using firewalld, even after changing backend in /etc/firewalld/firewalld.conf to iptables.
Last edited by weenieHut (2018-10-01 16:59:58)
Offline