Bug#1040783: libvirt-daemon: libvirt firewalld zone is missing

[Niccolò Belli]

Il 2023-07-13 08:05 Nick Hastings ha scritto:
I'm facing the same problem. I'm running virt-manager on the localhost 
as
a user who is a member of the libvirt group. What did you actually run 
as

root to have the libvirt zone created?


Nothing, I've just connected to virt-manager using the ssh root account 
instead and virt-manager automatically took care of everything during 
the routed virtual network creation.

Bug#1040783: libvirt-daemon: libvirt firewalld zone is missing

[Nick Hastings]

Hi,

On Tue, 11 Jul 2023 04:41:07 +0200 =?UTF-8?Q?Niccol=C3=B2_Belli?= 
 wrote:
> I've found the root of the problem: I was connecting to libvirt via ssh 
> using an unprivileged user part of the libvirt group. That works for 
> most of the tasks but not for creating the firewalld libvirt zone. Using 
> root, while being less than ideal, works fine.

I'm facing the same problem. I'm running virt-manager on the localhost as
a user who is a member of the libvirt group. What did you actually run as
root to have the libvirt zone created?

Thanks,

Nick.

Bug#1040783: libvirt-daemon: libvirt firewalld zone is missing

[Niccolò Belli]

I've found the root of the problem: I was connecting to libvirt via ssh 
using an unprivileged user part of the libvirt group. That works for 
most of the tasks but not for creating the firewalld libvirt zone. Using 
root, while being less than ideal, works fine.

Bug#1040783: libvirt-daemon: libvirt firewalld zone is missing

[Niccolò Belli]

Package: libvirt-daemon
Version: 9.0.0-4
Severity: normal
X-Debbugs-Cc: darkba...@linuxsystems.it

Hi,
I've installed firewalld (with the default nftables backend) and libvirt-daemon 
(kvm backend) in Debian 12 Bookworm.
I've connected remotely via virt-manager (through ssh) and tried to create a 
routed network, but I get the following error:

Error creating virtual network: internal error: firewalld is set to use the 
nftables backend, but the required firewalld 'libvirt' zone is missing. Either 
set the firewalld backend to 'iptables', or ensure that firewalld has a 
'libvirt' zone by upgrading firewalld to a version supporting rule priorities 
(0.7.0+) and/or rebuilding libvirt with --with-firewalld-zone

which is weird considering libvirt seems to be built with -Dfirewalld=enabled.

What's missing? Why doesn't firewalld create the libvirt zone?
I want to use the nftables backend.

Niccolo'

-- System Information:
Debian Release: 12.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-10-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvirt-daemon depends on:
ii  libacl1 2.3.1-3
ii  libblkid1   2.38.1-5+b1
ii  libc6   2.36-9
ii  libdevmapper1.02.1  2:1.02.185-2
ii  libgcc-s1   12.2.0-14
ii  libglib2.0-02.74.6-2
ii  libparted2  3.5-3
ii  libpcap0.8  1.10.3-1
ii  libpciaccess0   0.17-2
ii  libselinux1 3.4-1+b6
ii  libtirpc3   1.3.3+ds-1
ii  libudev1252.6-1
ii  libvirt-daemon-driver-qemu  9.0.0-4
ii  libvirt09.0.0-4
ii  libxml2 2.9.14+dfsg-1.2

Versions of packages libvirt-daemon recommends:
pn  libvirt-daemon-driver-lxc   
pn  libvirt-daemon-driver-vbox  
pn  libvirt-daemon-driver-xen   
ii  libxml2-utils   2.9.14+dfsg-1.2
ii  lvm22.03.16-2
ii  mount   2.38.1-5+b1
pn  netcat-openbsd  
ii  qemu-system 1:7.2+dfsg-7
ii  qemu-system-x86 [qemu-kvm]  1:7.2+dfsg-7

Versions of packages libvirt-daemon suggests:
pn  libvirt-daemon-driver-storage-gluster   
pn  libvirt-daemon-driver-storage-iscsi-direct  
pn  libvirt-daemon-driver-storage-rbd   
pn  libvirt-daemon-driver-storage-zfs   
ii  libvirt-daemon-system   9.0.0-4
ii  numad   0.5+20150602-8+b1

-- no debconf information