virsh error

Started by orinoco, 2024/12/16, 12:06:45


orinoco

Hello,

I can't start my qemu/kvm guests since last d-u. I remember that there was something about firewall in the last changes. As I'm using firewalling with my vm's I didn't care about it. Today I'm getting this:

$ LANG=C sudo virsh -d1 start Win10_test
start: domain(optdata): Win10_test
start: found option <domain>: Win10_test
error: Failed to start domain 'Win10_test'
error: Angeforderte Operation ist nicht gültig: network 'default' is not active


and

$ LANG=C sudo virsh -d1 net-start default
net-start: network(optdata): default
net-start: found option <network>: default
error: Failed to start network default
error: Interner Fehler: Failed to apply firewall command 'tc filter add dev virbr0 prio 2 protocol ip parent 1: u32 match ip dport 68 ffff action csum ip and udp': Error: Failed to load TC action module.
We have an error talking to the kernel


with

$ uname -a
Linux jake 6.12.4-1-siduction-amd64 #1 SMP PREEMPT_DYNAMIC siduction 6.12-4 (2024-12-09) x86_64 GNU/Linux


I have no clue what's going on here and need some advice.

micspabo

Seems I have the same problem.


  # virsh net-start default
    error: Failed to start network default
    error: internal error: Failed to apply firewall command 'tc filter add dev virbr0 prio 2 protocol ip parent 1: u32 match ip dport 68 ffff action csum ip and udp': Error: Failed to load TC action module.
    We have an error talking to the kernel

  # journalctl -b -u libvirtd.service
    Dez 16 22:06:03 Siduction systemd[1]: Starting libvirtd.service - libvirt legacy monolithic daemon...
    Dez 16 22:06:03 Siduction systemd[1]: Started libvirtd.service - libvirt legacy monolithic daemon.
    Dez 16 22:06:03 Siduction libvirtd[1108]: libvirt version: 10.10.0, package: 10.10.0-3 (Debian)
    Dez 16 22:06:03 Siduction libvirtd[1108]: hostname: Siduction
    Dez 16 22:06:03 Siduction libvirtd[1108]: internal error: Failed to apply firewall command 'tc filter add dev virbr0 prio 2 protocol ip parent 1: u32 match ip dport 68 ffff action csum ip and udp': Error: Failed to load TC action module.
                                              We have an error talking to the kernel
    Dez 16 22:06:03 Siduction libvirtd[1108]: Cannot get interface flags on 'virbr0': No such device
    Dez 16 22:06:03 Siduction libvirtd[1108]: error destroying network device virbr0: No such device
    Dez 16 22:08:03 Siduction systemd[1]: libvirtd.service: Deactivated successfully.
    Dez 16 22:08:03 Siduction systemd[1]: libvirtd.service: Consumed 978ms CPU time, 145.7M memory peak.

  # journalctl -b -g virbr0
    Dez 16 22:06:03 Siduction NetworkManager[943]: <info>  [1734383163.1115] manager: (virbr0): new Bridge device (/org/freedesktop/NetworkManager/Devices/5)
    Dez 16 22:06:03 Siduction iwd[850]: udev interface=virbr0 ifindex=5
    Dez 16 22:06:03 Siduction libvirtd[1108]: internal error: Failed to apply firewall command 'tc filter add dev virbr0 prio 2 protocol ip parent 1: u32 match ip dport 68 ffff action csum ip and udp': Error: Failed to load TC action module.
                                              We have an error talking to the kernel
    Dez 16 22:06:03 Siduction libvirtd[1108]: Cannot get interface flags on 'virbr0': No such device
    Dez 16 22:06:03 Siduction libvirtd[1108]: error destroying network device virbr0: No such device

  # uname -r
    6.12.5-1-siduction-amd64

  $ ip a s virbr0
    Device "virbr0" does not exist.


Same when I boot kernel 6.12.4-1. I probably removed older kernels too early.
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁   Debian's Social Contract
⢿⡄⠘⠷⠚⠋⠀     <https://www.debian.org/social_contract.de.html>
⠈⠳⣄⠀         Thanks for that!

orinoco

I don't think it's the kernel. I've checked my computer and I still have version 6.12.3-1, 6.12.4-1 and I've just updated to 6.12.5-1. All three versions are giving this error.

Some updates for libvirt and qemu came through over the weekend. There was also an apt-listchange message for one of the packages, but I forgot what it was about. I just remember that it was about filewalling. I didn't think it was relevant to me, so I didn't make a note of it.

On Saturday morning it worked with kernel 6.12.4-1. Then I used qemu/kvm with all the updates again yesterday and the problems started.

micspabo

On Sunday I only saw


libvirt (10.10.0-2) experimental; urgency=medium

  nftables is now used by default in the network driver.

  This makes it finally possible to use libvirt without having
  iptables installed on the system, but there are still a couple
  of caveats:

    * the nwfilter driver hasn't been converted to nftables yet,
      so if that's installed iptables will be dragged in;

    * the libvirt-daemon-system package, now a convenient way to
      quickly bring up a reasonably featured QEMU-based hypervisor,
      depends on both the network and nwfilter drivers, which means
      that going that route will cause iptables to be installed and
      used for both.

  If not having iptables present on the system is a hard
  requirement, individual libvirt components (obviously excluding
  the nwfilter driver) will have to be selected and installed
  manually.

-- Andrea Bolognani <eof@kiyuko.org>  Thu, 05 Dec 2024 23:38:13 +0100


I thought I was already using nftables. But...


# systemctl is-enabled nftables.service
  disabled

# systemctl is-enabled iptables.service
  not-found

# dpkg -l | grep ii | grep iptables
  ii  iptables   1.8.11-2   amd64   administration tools for packet filtering and NAT


it looks like I'm not. :-( It's probably been a year since I changed the filtering.

scholle1

@micspabo
What happens when
systemctl enable --now nftables.service
?
"Pax in terris" - That is my great, my one and only heartfelt wish for this world.
"Peace on Earth", and everything else seems simple.

whistler_mb

After changing firewall_backend to iptables, kvm works again.

orinoco

I can confirm the effect of the configuration adjustment. I have adjusted the last line of the file /etc/libvirt/network.conf accordingly.

How should this adjustment be interpreted? Is this a temporary workaround?

Is there a reference where I can read why this setting has to be made?

micspabo

I tried @scholle1's idea


  # systemctl enable --now nftables.service
    Created symlink '/etc/systemd/system/sysinit.target.wants/nftables.service' → '/usr/lib/systemd/system/nftables.service'.

  # systemctl is-enabled nftables.service
    enabled

  # systemctl reboot


But no change so far; virbr0 isn't visible yet.


  # virsh net-start default
    error: Failed to start network default
    error: internal error: Failed to apply firewall command 'tc filter add dev virbr0 prio 2 protocol ip parent 1: u32 match ip dport 68 ffff action csum ip and udp': Error: Failed to load TC action module.
    We have an error talking to the kernel

orinoco

Change /etc/libvirt/network.conf like this:

$ tail /etc/libvirt/network.conf
#
#   (NB: switching from one backend to another while there are active
#   virtual networks *is* supported. The change will take place the
#   next time that libvirtd/virtnetworkd is restarted - all existing
#   virtual networks will have their old firewalls removed, and then
#   reloaded using the new backend.)
#
#firewall_backend = "nftables"
firewall_backend = "iptables"