Additional kernel config options needed for libvirt / openstack support

Hi,

Some of those options are already enabled in linux-linaro, and some don't exist anymore in latests kernels (like CONFIG_IP_NF_NAT=m). Andrey added MASQUERADE target yesterday, so the remaining config options from your list would be:

CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_TARGET_NETMAP=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_SIP=m

- which of these are still useful for libvirt testing? also, is there some document / source code / test results that show what netfilter options are needed by libvirt and openstack?

Riku

No, there is no real document that I have found -- the primary reason is probably the options are just normally on in a major disco.

Some have been enabled in the past based on docs that I found or by manual testing.

MASQUERADE is the most important one that I have recently found that was missing. But, I can't confirm that there are not others in this list that also might be needed now or at some point very soon.

What is the down side to turning them all on now? They are loadable modules.

Which build should I expect to work? I tried

http://snapshots.linaro.org/ubuntu/hwpacks/arndale/586

with

http://snapshots.linaro.org/ubuntu/images/server/615

and got the following:

2000-01-01 00:33:35.636+0000: 4191: info : libvirt version: 1.1.4
2000-01-01 00:33:35.636+0000: 4191: error : virCommandWait:2376 : internal error: Child process (/sbin/iptables -w --table filter --insert FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT) unexpected exit status 1: iptables: No chain/target/match by that name.

2000-01-01 00:33:35.636+0000: 4191: error : networkAddMasqueradingFirewallRules:166 : failed to add iptables rule to allow forwarding to 'virbr0'
2000-01-01 00:40:21.605+0000: 4182: error : virCommandWait:2376 : internal error: Child process (/sbin/iptables -w --table filter --insert FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT) unexpected exit status 1: iptables: No chain/target/match by that name.

2000-01-01 00:40:21.605+0000: 4182: error : networkAddMasqueradingFirewallRules:166 : failed to add iptables rule to allow forwarding to 'virbr0'
-ctstate ESTABLISHED,RELATED --jump ACCEPTt-interface virbr0 --match conntrack -
iptables: No chain/target/match by that name.

I'm able to reproduce, following these steps:
# apt-get install libvirt-bin
# virsh net-start default

It seems we don't have the virtual network interface (virbr0). Even with ifconfig -a, we don't have it.

However, I can get it with:
# brctl addbr virbr0
# brctl addif virbr0 eth0

_before_ the iptables commands failures, we can see:

udevEventHandleCallback:1523 : udev action: 'add'
udevGetDeviceProperty:121 : udev reports device 'virbr0' does not have property 'DRIVER'
udevGetDeviceType:1217 : Could not determine device type for device with sysfs name 'virbr0'
udevAddOneDevice:1392 : Discarding device -1 0x77606010 /sys/devices/virtual/net/virbr0

udevEventHandleCallback:1523 : udev action: 'add'
udevGetDeviceProperty:121 : udev reports device 'rx-0' does not have property 'DRIVER'
udevGetDeviceProperty:139 : Found property key 'SUBSYSTEM' value 'queues' for device with sysname 'rx-0'
udevGetDeviceType:1217 : Could not determine device type for device with sysfs name 'rx-0'
udevAddOneDevice:1392 : Discarding device -1 0x77607ae8 /sys/devices/virtual/net/virbr0/queues/rx-0

udevEventHandleCallback:1523 : udev action: 'add'
udevGetDeviceProperty:121 : udev reports device 'tx-0' does not have property 'DRIVER'
udevGetDeviceProperty:139 : Found property key 'SUBSYSTEM' value 'queues' for device with sysname 'tx-0'
udevGetDeviceType:1217 : Could not determine device type for device with sysfs name 'tx-0'
udevAddOneDevice:1392 : Discarding device -1 0x77606d60 /sys/devices/virtual/net/virbr0/queues/tx-0

I have gone through the exercise again with the 3.13 kernel and found the minimal set of options that are required to get libvirt to work correctly:

CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m

This one, I am not entirely sure about, but since we already have the rest of the NAT configs turned on, we might as well do this one too -- it was in my config file fragment, and I haven't tested with it removed:

CONFIG_NF_NAT=m

only CONFIG_NETFILTER_XT_MATCH_CONNTRACK was missing. Thanks Clark. It's commited.