| Summary: | Network drops out in virtual machines when settings are changed via alterator-net-iptables | ||
|---|---|---|---|
| Product: | Branch p10 | Reporter: | igor <igor.bz> |
| Component: | alterator-net-iptables | Assignee: | Mikhail Efremov <sem> |
| Status: | NEW --- | QA Contact: | qa-p10 <qa-p10> |
| Severity: | normal | ||
| Priority: | P5 | CC: | alimektor |
| Version: | unspecified | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
Package:
- alterator-net-iptables-4.19.10-alt1
Test bench:
- ALT Workstation 10.1 updated to the current P10
Steps:
1. Perform the initial setup:
# apt-get install -y alterator-net-iptables virt-manager qemu libvirt libvirt-daemon-driver-storage-disk
# systemctl enable --now libvirtd && sleep 5; systemctl status libvirtd --no-pager -l
# gpasswd -a test vmusers
2. Download any image (in my case ALT Workstation 10.1).
3. Enable the network: Virtual Networks tab -> select default -> click the
triangle (start) -> tick the Autostart: On Boot checkbox
-> Apply
4. Create a virtual machine.
5. Check the network in the virtual machine (ping ya.ru, a page in the
browser) and with the command:
# virsh net-list --all
Имя Состояние Автозапуск Постоянный
------------------------------------------------
default активен yes yes
6. Start the System Management Center → enable expert mode →
Firewall → Port forwarding
7. Add a rule:
- Protocol: TCP
- IP address: port: 777
- forward to IP address: <current_ip> port: 80
click Add
8. Tick the Enable port forwarding checkbox
9. Check the network with the command:
# virsh net-list --all
Имя Состояние Автозапуск Постоянный
------------------------------------------------
default активен yes yes
10. Check the network in the virtual machine:
$ ping -c 3 ya.ru
$ xbrowser google.com
Expected result: the network connection is present.
Actual result: there is no network connection.
Additional note 1: running # systemctl restart libvirtd
does indeed resolve the network connectivity problem.
Additional note 2: if a ping (ping ya.ru) is started first and the
Enable port forwarding checkbox is then ticked, that ping keeps running, but
a repeated ping no longer works.
Not tested in Sisyphus.
|
When changed values are applied via the firewall (alterator-net-iptables), networking drops out in qemu-kvm virtual machines that use libvirtd. Networking in the virtual machines starts working again only after the libvirtd service is restarted. Networking on the host works normally.

Distribution:
NAME="starter kit"
VERSION="10"
ID=altlinux
VERSION_ID=10
PRETTY_NAME="ALT Starterkit 10 (Hypericum)"
---
rpm -q libvirt-daemon
libvirt-daemon-9.3.0-alt1.x86_64
---
rpm -q alterator-net-iptables
alterator-net-iptables-4.19.10-alt1.x86_64
---
Journal output while the firewall settings are being applied:

systemd[1]: Stopping Network Connectivity...
network[1725202]: Computing interface groups: . 1 interfaces found
network[1725202]: Processing /etc/net/vlantab: empty.
network[1725202]: Stopping group 0/virtual (1 interfaces)
avahi-daemon[1617793]: Withdrawing address record for 127.0.0.1 on lo.
avahi-daemon[1617793]: Leaving mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
avahi-daemon[1617793]: Interface lo.IPv4 no longer relevant for mDNS.
avahi-daemon[1617793]: Interface lo.IPv6 no longer relevant for mDNS.
avahi-daemon[1617793]: Leaving mDNS multicast group on interface lo.IPv6 with address ::1.
avahi-daemon[1617793]: Withdrawing address record for ::1 on lo.
network[1725202]: Stopping lo:
network[1725232]: ..
network[1725202]: OK
network[1725286]: Stopping iptables for default
network[1725286]: Flushing the "OUTPUT" chain in the "filter" table
network[1725286]: Flushing the "FORWARD" chain in the "filter" table
network[1725286]: Flushing the "INPUT" chain in the "filter" table
network[1725286]: Flushing the "POSTROUTING" chain in the "nat" table
network[1725286]: Flushing the "OUTPUT" chain in the "nat" table
network[1725286]: Flushing the "PREROUTING" chain in the "nat" table
network[1725286]: Flushing the "POSTROUTING" chain in the "mangle" table
network[1725286]: Flushing the "OUTPUT" chain in the "mangle" table
network[1725286]: Flushing the "FORWARD" chain in the "mangle" table
network[1725286]: Flushing the "INPUT" chain in the "mangle" table
network[1725286]: Flushing the "PREROUTING" chain in the "mangle" table
network[1725286]: Unloading module ip_conntrack_ftp
network[1725286]: Setting ACCEPT policy for the "INPUT" chain in the "filter" table
network[1725286]: Setting ACCEPT policy for the "FORWARD" chain in the "filter" table
network[1725286]: Setting ACCEPT policy for the "OUTPUT" chain in the "filter" table
network[1725286]: Stopping ip6tables for default
network[1725286]: Flushing the "OUTPUT" chain in the "filter" table
network[1725286]: Flushing the "FORWARD" chain in the "filter" table
network[1725286]: Flushing the "INPUT" chain in the "filter" table
network[1725286]: Flushing the "POSTROUTING" chain in the "mangle" table
network[1725286]: Flushing the "OUTPUT" chain in the "mangle" table
network[1725286]: Flushing the "FORWARD" chain in the "mangle" table
network[1725286]: Flushing the "INPUT" chain in the "mangle" table
network[1725286]: Flushing the "PREROUTING" chain in the "mangle" table
network[1725286]: Unloading module ip_conntrack_ftp
network[1725286]: Setting ACCEPT policy for the "INPUT" chain in the "filter" table
network[1725286]: Setting ACCEPT policy for the "FORWARD" chain in the "filter" table
network[1725286]: Setting ACCEPT policy for the "OUTPUT" chain in the "filter" table
systemd[1]: network.service: Deactivated successfully.
systemd[1]: Stopped Network Connectivity.
systemd[1]: Starting Network Connectivity...
network[1725451]: Starting ip6tables for default
network[1725451]: Setting ACCEPT policy for the "INPUT" chain in the "filter" table
network[1725451]: Setting ACCEPT policy for the "FORWARD" chain in the "filter" table
network[1725451]: Setting ACCEPT policy for the "OUTPUT" chain in the "filter" table
network[1725451]: Loading module ip_conntrack_ftp
network[1725451]: Loading rules for the "PREROUTING" chain in the "mangle" table
network[1725451]: Loading rules for the "INPUT" chain in the "mangle" table
network[1725451]: Loading rules for the "FORWARD" chain in the "mangle" table
network[1725451]: Loading rules for the "OUTPUT" chain in the "mangle" table
network[1725451]: Loading rules for the "POSTROUTING" chain in the "mangle" table
network[1725451]: Loading rules for the "INPUT" chain in the "filter" table....
network[1725451]: Loading rules for the "FORWARD" chain in the "filter" table......
network[1725451]: Loading rules for the "OUTPUT" chain in the "filter" table..
network[1725451]: Starting iptables for default
network[1725451]: Setting ACCEPT policy for the "INPUT" chain in the "filter" table
network[1725451]: Setting ACCEPT policy for the "FORWARD" chain in the "filter" table
network[1725451]: Setting ACCEPT policy for the "OUTPUT" chain in the "filter" table
network[1725451]: Loading module ip_conntrack_ftp
network[1725451]: Loading rules for the "PREROUTING" chain in the "mangle" table
network[1725451]: Loading rules for the "INPUT" chain in the "mangle" table
network[1725451]: Loading rules for the "FORWARD" chain in the "mangle" table
network[1725451]: Loading rules for the "OUTPUT" chain in the "mangle" table
network[1725451]: Loading rules for the "POSTROUTING" chain in the "mangle" table
network[1725451]: Loading rules for the "PREROUTING" chain in the "nat" table
network[1725451]: Loading rules for the "OUTPUT" chain in the "nat" table
network[1725451]: Loading rules for the "POSTROUTING" chain in the "nat" table
network[1725451]: Loading rules for the "INPUT" chain in the "filter" table.......
network[1725451]: Loading rules for the "FORWARD" chain in the "filter" table.......
network[1725451]: Loading rules for the "OUTPUT" chain in the "filter" table...
network[1725434]: Computing interface groups: . 1 interfaces found
network[1725434]: Starting group 0/virtual (1 interfaces)
network[1725434]: Starting lo:
avahi-daemon[1617793]: Joining mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
network[1725919]: .
avahi-daemon[1617793]: New relevant interface lo.IPv4 for mDNS.
avahi-daemon[1617793]: Registering new address record for 127.0.0.1 on lo.IPv4.
avahi-daemon[1617793]: Joining mDNS multicast group on interface lo.IPv6 with address ::1.
avahi-daemon[1617793]: New relevant interface lo.IPv6 for mDNS.
avahi-daemon[1617793]: Registering new address record for ::1 on lo.*.
NetworkManager[3012]: <info> [1687458444.8239] device (lo): carrier: link connected
avahi-daemon[1617793]: Withdrawing address record for 127.0.0.1 on lo.
avahi-daemon[1617793]: Leaving mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
avahi-daemon[1617793]: Interface lo.IPv4 no longer relevant for mDNS.
network[1725931]: .
avahi-daemon[1617793]: Joining mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
network[1725934]: .
avahi-daemon[1617793]: New relevant interface lo.IPv4 for mDNS.
avahi-daemon[1617793]: Registering new address record for 127.0.0.1 on lo.IPv4.
network[1725942]: .
network[1725434]: OK
network[1725434]: Processing /etc/net/vlantab: empty.
systemd[1]: Started Network Connectivity
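
Added example, not part of the original report or of alterator-net-iptables: a shell check that reads journal text in the format quoted above, one entry per line, and reports whether the network service flushed the IPv4 chains that carry guest traffic. The function names and the sample lines are constructed, and the choice of chains rests on the assumption that libvirt's NAT network keeps its rules in filter/FORWARD and nat/POSTROUTING.

```shell
#!/bin/sh
# Added example: lists chains flushed by the network service, one
# "family table chain" triple per line, from journal text on stdin.
flushed_chains() {
    awk '
        /Stopping iptables for/   { fam = "ipv4" }
        /Stopping ip6tables for/  { fam = "ipv6" }
        /Starting ip6?tables for/ { fam = "" }
        fam != "" && /Flushing the "/ {
            split($0, q, "\"")    # q[2] = chain name, q[4] = table name
            print fam, q[4], q[2]
        }
    '
}

# Exit status 0 when the flush hit the IPv4 chains that forwarded and
# NATed guest traffic passes through (assumption: this is where libvirt
# keeps the rules for its NAT network "default").
guest_rules_flushed() {
    flushed_chains | grep -E '^ipv4 (filter FORWARD|nat POSTROUTING)$' >/dev/null
}

# Constructed sample in the format of the journal excerpt in the report.
sample_log() {
    cat <<'EOF'
systemd[1]: Stopping Network Connectivity...
network[1001]: Stopping iptables for default
network[1001]: Flushing the "FORWARD" chain in the "filter" table
network[1001]: Flushing the "POSTROUTING" chain in the "nat" table
network[1001]: Stopping ip6tables for default
network[1001]: Flushing the "FORWARD" chain in the "filter" table
systemd[1]: Starting Network Connectivity...
network[1002]: Starting iptables for default
network[1002]: Loading rules for the "FORWARD" chain in the "filter" table
EOF
}

if sample_log | guest_rules_flushed; then
    echo "guest-facing chains were flushed; libvirt's rules need to be re-created"
    echo "(the report's workaround: systemctl restart libvirtd)"
fi
```

On a live host the same functions can be fed from `journalctl -u network.service -o cat`.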