From f5089257fd5853910b31fd0526167c59ea7ec5b6 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Fri, 22 Nov 2024 19:01:31 -0800
Subject: [PATCH] koji_builder: use iptables backend for libvirt
In f41+ libvirt defaults to using nftables if both it and iptables are installed, but it doesn't seem to work with imagefactory/oz virt instances and our iptables setup. So, lets revert back to iptables for now. We can switch back if we can fix the incompatiblity, switch builders to nftables, or stop using oz/IF
Signed-off-by: Kevin Fenzi
---
 roles/koji_builder/files/network.conf | 29 +++++++++++++++++++++++++++
 roles/koji_builder/tasks/main.yml | 17 ++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 roles/koji_builder/files/network.conf
diff --git a/roles/koji_builder/files/network.conf b/roles/koji_builder/files/network.conf
new file mode 100644
index 0000000000..1998199594
--- /dev/null
+++ b/roles/koji_builder/files/network.conf
@@ -0,0 +1,29 @@
+# Master configuration file for the network driver.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+
+# firewall_backend:
+#
+# determines which subsystem to use to setup firewall packet
+# filtering rules for virtual networks.
+#
+# Supported settings:
+#
+# iptables - use iptables commands to construct the firewall
+# nftables - use nft commands to construct the firewall
+#
+# If firewall_backend isn't configured, libvirt will choose the
+# first available backend from the following list:
+#
+# [nftables, iptables]
+#
+# If no backend is available on the host, then the network driver
+# will fail to start, and an error will be logged.
+#
+# (NB: switching from one backend to another while there are active
+# virtual networks *is* supported. The change will take place the
+# next time that libvirtd/virtnetworkd is restarted - all existing
+# virtual networks will have their old firewalls removed, and then
+# reloaded using the new backend.)
+#
+firewall_backend = "iptables"
diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml
index 97f3ac6147..9a4a4492f9 100644
--- a/roles/koji_builder/tasks/main.yml
+++ b/roles/koji_builder/tasks/main.yml
@@ -236,6 +236,23 @@
 - koji_builder
 when: env != "staging"
+# install libvirt/network.conf
+#
+# The default in f41+ is to use nftables, but it's not compatible with the
+# iptables setup we are using on the builders for some reason.
+# So, switch back to iptables until we switch to nftables, or move everying
+# away from oz/Imagefactory so we don't need virt instances for image builds
+# anymore.
+
+- name: install libvirt/network.conf
+ copy: src=network.conf dest=/etc/libvirt/network.conf
+ notify:
+ - restart virtnetworkd
+ - restart libvirtd
+ tags:
+ - koji_builder
+ when: env != "staging"
+
 #
 # On primary we want to make a /mnt/koji link to /mnt/fedora_koji/koji
 #
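Review bot: The new task `copy: src=network.conf dest=/etc/libvirt/network.conf` pins neither `owner`/`group` nor `mode` for /etc/libvirt/network.conf, so the permissions of a file libvirt reads as root are left to the module defaults and the remote umask instead of being declared, and the `key=value` argument form is the one ansible-lint flags in favour of block-style args. The file holds only the backend selection, not a secret, but the distro-shipped copy is presumably root-owned 0644, so declare that explicitly (rewrite below). Per the comment block in the shipped network.conf, the switch is applied on the next virtnetworkd/libvirtd restart by removing and re-creating the firewall rules of every active virtual network, so the notified restarts briefly drop those rules on a live builder; a one-line comment next to `notify:` such as `# restart tears down and rebuilds all virtual-network firewall rules (see network.conf)` would make that visible to whoever runs this during builds. The `restart virtnetworkd` and `restart libvirtd` handlers live outside this hunk; on f41 hosts that run only the modular daemons the libvirtd unit may be absent, so confirm the handler tolerates that rather than failing the play.
```yaml
- name: install libvirt/network.conf
  copy:
    src: network.conf
    dest: /etc/libvirt/network.conf
    owner: root
    group: root
    mode: "0644"
  # … unchanged: notify, tags, when …
```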