Fedora 19. Making libvirt and firewalld play nice

I’ve been running Fedora for quite some type and it’s hands down my favorite bleeding-edge distro. Since I’ve been at Red Hat though, I’ve been using RHEL on my work laptops, and I’ve really enjoyed the experience and stability. So the past three years it’s been Fedora at home and RHEL at work, and that’s worked out perfectly. …..until now. There are a lot of changes happening upstream that I’ve found myself starting to fall behind. Things like systemd, firewalld, gnome3, are a few of the bigger changes that come to mind. RHEL 7 is looking like it’s largely going to be based on F19, but it wouldn’t surprise me if a couple things from F20 make it as well. Anyway, it’s time I get up to speed with what’s coming in RHEL7 and the best way to do that is to run Fedora on *everything*. So far I’ve got F19 running on 4x boxes and I still have 3 more to upgrade. Here’s a quick thing I ran into this afternoon:

libvirt & firewalld: I was really surprised that the default libvirt network was not already running on my system. I was able to easily create it via virt-manager. I stuck to the same 192.168.122.0/24 network, but it wouldn’t accept the name “default” so I used “local”. Next, I had to get PXE working so I added the tftp & bootp lines with `virsh net-edit local`.

<network>
<name>local</name>
<uuid>bcf7e69f-838a-488e-b1ec-6d01566d3a05</uuid>
<forward mode='nat'/>
<bridge name='virbr0' stp='on' delay='0' />
<mac address='52:54:00:49:92:da'/>
<domain name='local'/>
<ip address='192.168.122.1' netmask='255.255.255.0'>
<tftp root='/var/lib/tftpboot' />
<dhcp>
<range start='192.168.122.128' end='192.168.122.254' />
<bootp file='pxelinux.0' />
</dhcp>
</ip>
</network>

Everything seemed good at this point until I noticed that none of my guests could communicate w/ the host. This turned out to be a firewalld issue. First the interface needs to be added to firewalld: `sudo firewall-cmd --permanent --zone=trusted --add-interface=virbr0` This makes firewalld aware of the interface and places it in the trusted zone so that all traffic is passed. The permanent argument does not effect the running config. For the changes to take effect run `sudo firewall-cmd --reload.` At first I found this really annoying to have to deal with, but now that I dug into it a little bit it’s actually a really nice setup.

Of course you can disable firewalld and do everything with static iptables rules (lokkit), but I think there’s a lot of good functionality here, and I’m excited to learn more. Here’s a link to the wiki.

5 Replies to “Fedora 19. Making libvirt and firewalld play nice”

  1. hrmmm. That’s interesting ….and depressing.

    In hind sight, installing the libvirt-daemon-config-network package would have taken care of this. :)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.