mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-29 00:55:22 +00:00
0756415f14
When a system has enabled the iptables/ip6tables services rather than firewalld, there is no explicit ordering of the start of those services vs. libvirtd. This creates a problem when libvirtd.service is started before ip[6]tables, as the latter, when it finally is started, will remove all of the iptables rules that had previously been added by libvirt, including the custom chains where libvirt's rules are kept. This results in an error message similar to the following when a user subsequently tries to start a new libvirt network: "Error while activating network: Call to virNetworkCreate failed: internal error: Failed to apply firewall rules /usr/sbin/ip6tables -w --table filter --insert LIBVIRT_FWO \ --in-interface virbr2 --jump REJECT: ip6tables: No chain/target/match by that name." (Prior to logging this error, it also would have caused failure to forward (or block) traffic in some cases, e.g. for guests on a NATed network, since libvirt's rules to forward/block had all been deleted and libvirt didn't know about it, so it couldn't fix the problem) When this happens, the problem can be remedied by simply restarting libvirtd.service (which has the side-effect of reloading all libvirt-generated firewall rules) Instead, we can just explicitly stating in the libvirtd.service file that libvirtd.service should start after ip6tables.service and ip6tables.service, eliminating the race condition that leads to the error. There is also nothing (that I can see) in the systemd .service files to guarantee that firewalld.service will be started (if enabled) prior to libvirtd.service. The same error scenario given above would occur if libvirtd.service started before firewalld.service. Even before that, though libvirtd would have detected that firewalld.service was disabled, and then turn off all firewalld support. So, for example, firewalld's libvirt zone wouldn't be used, and most likely traffic from guests would therefore be blocked (all with no external indication of the source of the problem other than a debug-level log when libvirtd was started saying that firewalld wasn't in use); also libvirtd wouldn't notice when firewalld reloaded its rules (which also simultaneously deletes all of libvirt's rules). I'm not aware of any reports that have been traced back to libvirtd.service starting before firewalld.service, but have seen that error reported multiple times, and also don't see an existing dependency that would guarantee firewalld.service starts before libvirtd.service, so it's possible it's been happening and we just haven't gotten to the bottom of it. This patch adds an After= line to the libvirtd.service file for each of iptables.service, ip6tables.service, and firewalld.servicee, which should guarantee that libvirtd.service isn't started until systemd has started whichever of the others is enabled. This race was diagnosed, and patch proposed, by Jason Montleon in https://bugzilla.redhat.com/1723698 . At the time (April 2019) danpb agreed with him that this change to libvirtd.service was a reasonable thing to do, but I guess everyone thought someone else was going to post a patch, so in the end nobody did. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
59 lines
1.9 KiB
SYSTEMD
59 lines
1.9 KiB
SYSTEMD
[Unit]
|
|
Description=Virtualization daemon
|
|
Requires=virtlogd.socket
|
|
Requires=virtlockd.socket
|
|
# Use Wants instead of Requires so that users
|
|
# can disable these three .socket units to revert
|
|
# to a traditional non-activation deployment setup
|
|
Wants=libvirtd.socket
|
|
Wants=libvirtd-ro.socket
|
|
Wants=libvirtd-admin.socket
|
|
Wants=systemd-machined.service
|
|
Before=libvirt-guests.service
|
|
After=network.target
|
|
After=firewalld.service
|
|
After=iptables.service
|
|
After=ip6tables.service
|
|
After=dbus.service
|
|
After=iscsid.service
|
|
After=apparmor.service
|
|
After=local-fs.target
|
|
After=remote-fs.target
|
|
After=systemd-logind.service
|
|
After=systemd-machined.service
|
|
After=xencommons.service
|
|
Conflicts=xendomains.service
|
|
Documentation=man:libvirtd(8)
|
|
Documentation=https://libvirt.org
|
|
|
|
[Service]
|
|
Type=notify
|
|
EnvironmentFile=-@sysconfdir@/sysconfig/libvirtd
|
|
ExecStart=@sbindir@/libvirtd $LIBVIRTD_ARGS
|
|
ExecReload=/bin/kill -HUP $MAINPID
|
|
KillMode=process
|
|
Restart=on-failure
|
|
# At least 1 FD per guest, often 2 (eg qemu monitor + qemu agent).
|
|
# eg if we want to support 4096 guests, we'll typically need 8192 FDs
|
|
# If changing this, also consider virtlogd.service & virtlockd.service
|
|
# limits which are also related to number of guests
|
|
LimitNOFILE=8192
|
|
# The cgroups pids controller can limit the number of tasks started by
|
|
# the daemon, which can limit the number of domains for some hypervisors.
|
|
# A conservative default of 8 tasks per guest results in a TasksMax of
|
|
# 32k to support 4096 guests.
|
|
TasksMax=32768
|
|
# With cgroups v2 there is no devices controller anymore, we have to use
|
|
# eBPF to control access to devices. In order to do that we create a eBPF
|
|
# hash MAP which locks memory. The default map size for 64 devices together
|
|
# with program takes 12k per guest. After rounding up we will get 64M to
|
|
# support 4096 guests.
|
|
LimitMEMLOCK=64M
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
Also=virtlockd.socket
|
|
Also=virtlogd.socket
|
|
Also=libvirtd.socket
|
|
Also=libvirtd-ro.socket
|