After many and many weeks, I finally got libvirt working on this Gentoo machine. Before revealing how I’ve fixed this problem, let’s go through what the issues were.
On this Gentoo I run Firewalld with nftables as backend. An alternative to nftables is iptables, but since nftables is newer and is becoming the default backend for more and more distribution including Fedora, I think it’s a good thing to adobt it early.
Here is the status output of firewalld.
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2020-10-16 19:00:19 AEDT; 6s ago
Docs: man:firewalld(1)
Main PID: 179954 (firewalld)
Tasks: 2 (limit: 18753)
Memory: 23.2M
CPU: 744ms
CGroup: /system.slice/firewalld.service
└─179954 /usr/bin/python3.7 /usr/sbin/firewalld --nofork --nopid
Oct 16 19:00:18 mbook systemd[1]: firewalld.service: Succeeded.
Oct 16 19:00:18 mbook systemd[1]: Stopped firewalld - dynamic firewall daemon.
Oct 16 19:00:18 mbook systemd[1]: Starting firewalld - dynamic firewall daemon...
Oct 16 19:00:19 mbook systemd[1]: Started firewalld - dynamic firewall daemon.
Oct 16 19:00:19 mbook firewalld[179954]: WARNING: ipset not usable, disabling ipset usage in firewall.
Oct 16 19:00:19 mbook firewalld[179954]: WARNING: iptables-restore and iptables are missing, disabling IPv4 firewall.
Oct 16 19:00:19 mbook firewalld[179954]: WARNING: ip6tables-restore and ip6tables are missing, disabling IPv6 firewall.
Oct 16 19:00:19 mbook firewalld[179954]: WARNING: ebtables-restore and ebtables are missing, disabling bridge firewall.
Oct 16 19:00:19 mbook firewalld[179954]: WARNING: COMMAND_FAILED: INVALID_IPV: 'ipv4' is not a valid backend or is unavailable
Oct 16 19:00:19 mbook firewalld[179954]: WARNING: COMMAND_FAILED: INVALID_IPV: 'ipv6' is not a valid backend or is unavailable
Despite there was a warning about ipset not found, net-firewall/ipset was installed. Likewise, the package net-firewall/iptables was already installed, and it provides iptables-restore, ip6tables-restore,…etc.
So I thought maybe I was missing kernel modules which need to be enabled when building the kernel.
# zgrep -i ip_set /proc/config.gz
CONFIG_IP_SET=y
CONFIG_IP_SET_MAX=256
# CONFIG_IP_SET_BITMAP_IP is not set
# CONFIG_IP_SET_BITMAP_IPMAC is not set
# CONFIG_IP_SET_BITMAP_PORT is not set
# CONFIG_IP_SET_HASH_IP is not set
# CONFIG_IP_SET_HASH_IPMARK is not set
# CONFIG_IP_SET_HASH_IPPORT is not set
# CONFIG_IP_SET_HASH_IPPORTIP is not set
# CONFIG_IP_SET_HASH_IPPORTNET is not set
# CONFIG_IP_SET_HASH_IPMAC is not set
# CONFIG_IP_SET_HASH_MAC is not set
# CONFIG_IP_SET_HASH_NETPORTNET is not set
# CONFIG_IP_SET_HASH_NET is not set
# CONFIG_IP_SET_HASH_NETNET is not set
# CONFIG_IP_SET_HASH_NETPORT is not set
# CONFIG_IP_SET_HASH_NETIFACE is not set
# CONFIG_IP_SET_LIST_SET is not set
I went back to enable all those options, and recompiled the kernel.
# zgrep -i ip_set /proc/config.gz
CONFIG_IP_SET=y
CONFIG_IP_SET_MAX=256
CONFIG_IP_SET_BITMAP_IP=m
CONFIG_IP_SET_BITMAP_IPMAC=m
CONFIG_IP_SET_BITMAP_PORT=m
CONFIG_IP_SET_HASH_IP=m
CONFIG_IP_SET_HASH_IPMARK=m
CONFIG_IP_SET_HASH_IPPORT=m
CONFIG_IP_SET_HASH_IPPORTIP=m
CONFIG_IP_SET_HASH_IPPORTNET=m
CONFIG_IP_SET_HASH_IPMAC=m
CONFIG_IP_SET_HASH_MAC=m
CONFIG_IP_SET_HASH_NETPORTNET=m
CONFIG_IP_SET_HASH_NET=m
CONFIG_IP_SET_HASH_NETNET=m
CONFIG_IP_SET_HASH_NETPORT=m
CONFIG_IP_SET_HASH_NETIFACE=m
CONFIG_IP_SET_LIST_SET=m
Saddly, the firewalld status still produce the same output. I should note that with these warnings, the firewalld is running as expected.
The main problem is that libvirtd can be started but it will not create a virtual network bridge. Here is the output of libvrtd status.
# systemctl start libvirtd
...omitted..
Oct 10 18:51:00 mbook systemd[1]: Starting Virtualization daemon...
Oct 10 18:51:00 mbook systemd[1]: Started Virtualization daemon.
Oct 10 18:51:00 mbook libvirtd[2506]: libvirt version: 6.7.0
Oct 10 18:51:00 mbook libvirtd[2506]: hostname: mbook
Oct 10 18:51:00 mbook libvirtd[2506]: COMMAND_FAILED: INVALID_IPV: 'ipv4' is not a valid backend or is unavailable
Oct 10 18:51:00 mbook libvirtd[2506]: COMMAND_FAILED: INVALID_IPV: 'ipv6' is not a valid backend or is unavailable
Oct 10 18:51:01 mbook libvirtd[2506]: COMMAND_FAILED: INVALID_IPV: 'ipv4' is not a valid backend or is unavailable
I’ve been spending every Friday’s evening looking into this. I tried so many things from enabling kernel options (or flags?), rebuild kernels, re-install various packages with different flags. It was sad to say that I couldn’t fix it… until the evening of Friday 16. I re-installed net-firewall/firewalld to include iptables flag, and it worked!
# eix firewalld
[I] net-firewall/firewalld
Available versions: 0.7.1-r3^t (~)0.7.3-r1^t {gui +iptables +nftables KERNEL="linux" PYTHON_SINGLE_TARGET="python3_6 python3_7"}
Installed versions: 0.7.3-r1^t(08:21:27 PM 10/16/2020)(iptables nftables -gui KERNEL="linux" PYTHON_SINGLE_TARGET="python3_6 -python3_7")
Homepage: http://www.firewalld.org/
Description: A firewall daemon with D-BUS interface providing a dynamic firewall
As mentioned, I tried so many things that I couldn’t rule out that a combination of something I’m not aware of and this iptables flag turned on for net-firewall/firewalld fixed this problem.
Anyway, I’m quite happy that this main last issue has finally been fixed, as I’m relying so much on KVM/libvirt for work and personal uses.
I’m including a lot of links to references I’ve use to try to solve my problem with firewall, nftables, and libvirt. There was no single reference which pointed me to the actual fix, but they’re good reads and it could help you with your issues.
References:
- “ipset not usable” warning, but IP_SET kernel modules available #591
- Firewall and network filtering in libvirt
- Creating Virtual Networks With KVM on Gentoo
- firewalld fails to start: FATAL ERROR: No IPv4 and IPv6 firewall: looks for binaries in wrong paths
- KVM: lost cabaility to assign a network
- QEMU/Linux guest
- Firewalld kernel requirements