#12531 Move copr_hypervisor group from iptables to nftables
Opened 18 days ago by praiskup. Modified 17 days ago

This has been done before, but Copr hypervisors stopped allocating VMs, and we observed several problems:
- inability to boot VMs (ppc64le p08 boxes)
- inability to ssh-connect to newly started VMs over ipv6
- no ipv4 internet on allocated VMs (through libvirt's NAT), even though ipv6 worked

Reverting to iptables && libvirtd restart helped the situation:
https://pagure.io/fedora-infra/ansible/c/43b8ee52d8b05acb22a8128d4b9fe207707bea82..43b8ee52d8b05acb22a8128d4b9fe207707bea82

Good for now, but we should align with the rest of the Fedora hypervisors and move to nftables.


Do we know where the extra iptables rules are coming from?

I don't see anything firewall related in: roles/copr/hypervisor/*

Metadata Update from @james:
- Issue assigned to james

18 days ago

I don't think we add anything ourselves? Libvirt though modifies iptables on VM boot/termination. Is libvirt known to work with nftables correctly?
We need to make VMs globally accessible over ipv6, and ipv4 over libvirt NAT.
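
A small diagnostic I would run on a hypervisor to check the state described above (an added example, not code from this ticket or from the Fedora ansible repository). It assumes libvirt's own `LIBVIRT_PRT` POSTROUTING chain naming, and its helpers take captured command output so they can be exercised offline with constructed samples:

```shell
#!/bin/sh
# Added diagnostic (not from the ticket or the Fedora ansible repo): report the
# host's iptables backend and the pieces libvirt's IPv4 NAT depends on.
# LIBVIRT_PRT is libvirt's own POSTROUTING chain; all sample inputs are constructed.

# Classify `iptables -V` output: "iptables v1.8.4 (nf_tables)" vs "... (legacy)".
# A host whose iptables binary is nf_tables-backed while something else manages
# nftables directly is the usual source of "rules exist but do nothing" surprises.
classify_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Takes `iptables -t nat -S` output; succeeds if libvirt's MASQUERADE rule is present.
has_libvirt_nat() {
    printf '%s\n' "$1" | grep -q -- '^-A LIBVIRT_PRT .*-j MASQUERADE'
}

# Takes the two forwarding sysctl values (0/1); prints which families can forward.
forwarding_status() {
    v4="$1"; v6="$2"; out=""
    [ "$v4" = 1 ] && out="ipv4"
    [ "$v6" = 1 ] && out="${out:+$out,}ipv6"
    echo "${out:-none}"
}

# Live report on a hypervisor (needs root); pass --live to run it.
check_live() {
    echo "iptables backend : $(classify_backend "$(iptables -V 2>/dev/null)")"
    echo "forwarding       : $(forwarding_status "$(sysctl -n net.ipv4.ip_forward)" \
                                                 "$(sysctl -n net.ipv6.conf.all.forwarding)")"
    if has_libvirt_nat "$(iptables -t nat -S 2>/dev/null)"; then
        echo "libvirt NAT      : MASQUERADE rule present in LIBVIRT_PRT"
    else
        echo "libvirt NAT      : missing (VMs will have no IPv4 internet)"
    fi
}

if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it with `--live` on the hypervisor; without the flag it only defines the helpers.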

It definitely does in rhel9... but I am reminded that those machines are rhel8 still. Perhaps that's the issue?

Metadata Update from @phsmoura:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: medium-gain, medium-trouble, ops

18 days ago

Could be?

This comment won't make the decision easier, but sooner or later we should have some firewall managed "centrally" for all our VMs on hypervisors, and I've seen even the RHEL9 libvirt (and not yet fixed for C10S) having trouble with modern firewalls.
