Re: [netcf-devel] ncftool 'Failed to initialize netcf' missing a dep?

2009-12-17 Thread Daniel P. Berrange
On Thu, Dec 17, 2009 at 11:36:29AM -0500, Laine Stump wrote:
> On 12/07/2009 01:43 PM, David Lutterkort wrote:
> > Hi Dale,
> >
> > On Sat, 2009-12-05 at 11:33 -0800, Dale Bewley wrote:
> >
> >> [r...@localhost ~]# NETCF_DEBUG=1 ncftool
> >> warning: augeas initialization had errors
> >> please file a bug with the following lines in the bug report:
> >> /augeas/files/etc/sysconfig/iptables/error = "parse_failed"
> >> /augeas/files/etc/sysconfig/iptables/error/pos = "0"
> >> /augeas/files/etc/sysconfig/iptables/error/line = "1"
> >> /augeas/files/etc/sysconfig/iptables/error/char = "0"
> >> /augeas/files/etc/sysconfig/iptables/error/lens = 
> >> "/usr/share/augeas/lenses/dist/iptables.aug:59.10-.32"
> >> /augeas/files/etc/sysconfig/iptables/error/message = "Iterated lens 
> >> matched less than it should"
> >> Failed to initialize netcf
> >> error: unspecified error
> >> error: errors in loading some config files
> >>  
> > The mystery to me is why netcf even looks at your iptables config -
> > since you have the bridge module loaded, the
> > file /proc/sys/net/bridge/bridge-nf-call-iptables should exist, and per
> > the F12 defaults, should have a 0 in it. That tells netcf not to bother
> > with iptables.
> >
> 
> I have the same behavior captured on my F12 box. 
> /proc/sys/net/bridge/bridge-nf-call-iptables does contain a 1, even 
> though the bridge module is loaded. I just checked on my F11 machine, 
> and it also has bridge-nf-call-iptables set to 1, even though the bridge 
> module is loaded (in the case of F11, initialization is successful, though).
> 
> So it looks like we can't assume bridge-nf-call-iptables will be set to 
> 0 if the bridge module is loaded. Do we need to find another way to test 
> for this?

The default setting is specified in a config file

  /etc/sysctl.conf

This file is loaded at system bootup by the initscript. The trouble is,
if the bridge module is not loaded at boot, then ...

  # sysctl -w net.bridge.bridge-nf-call-iptables=0
  error: "net.bridge.bridge-nf-call-iptables" is an unknown key

...when you then load bridge module later during boot this setting is
never loaded.

The only way around this I see is either

 - Change the default in the kernel module itself
 - Add a post load rule to /etc/modprobe.conf to set the sysctls

Regards,
Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
___
netcf-devel mailing list
netcf-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/netcf-devel
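The boot-ordering problem Daniel describes (sysctl.conf is applied before the bridge module exists, so the key is "unknown" and the later module load gets the kernel default) can be checked on a host before ncftool is run. The Python below is an added example written for this page, not code from netcf or libvirt. It reads the key from a configurable proc-sys root so it can be exercised against a constructed tree, parses lsmod-style output, classifies what netcf would see, and emits the kind of modprobe `install` rule Daniel suggests. The `install ... --ignore-install` form, the `/sbin/sysctl -q -w` invocation and the location of the modprobe configuration are assumptions about the local modprobe and procps versions, not something the thread confirms.

```python
"""Check whether net.bridge.bridge-nf-call-iptables is really in effect.

Added example for this thread, not code from netcf. The proc-sys root and
the lsmod text are parameters so the checks can run against a constructed
tree; on a live host call runtime_status("/proc/sys", ...) as root.
"""
import os
import tempfile

KEY = "net.bridge.bridge-nf-call-iptables"

# Constructed lsmod output, shaped like the listing earlier in the thread.
LSMOD_SAMPLE = """\
Module                  Size  Used by
bridge                 54112  0
stp                     2724  1 bridge
llc                     6400  2 bridge,stp
"""


def parse_lsmod(text):
    """Return the set of module names from `lsmod` output (header skipped)."""
    lines = text.splitlines()[1:]
    return {line.split()[0] for line in lines if line.strip()}


def sysctl_conf_value(conf_text, key=KEY):
    """Value that /etc/sysctl.conf assigns to key, or None if it is absent.

    Mirrors `sysctl -p` loosely: comments stripped, last assignment wins.
    This is only what the file *asks* for; whether the kernel accepted it
    depends on the bridge module having been loaded at the time.
    """
    value = None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        k, _, v = line.partition("=")
        if k.strip() == key:
            value = v.strip()
    return value


def key_path(proc_sys_root, key=KEY):
    """/proc/sys path for a dotted sysctl key under the given root."""
    return os.path.join(proc_sys_root, *key.split("."))


def runtime_status(proc_sys_root, loaded_modules, key=KEY):
    """Classify what netcf would observe.

    'module-not-loaded': bridge module absent, so the key cannot exist yet
    'sysctl-missing':    module loaded but key not present under the root
    'bypass':            key reads 0; bridged traffic skips iptables
    'inspect':           key reads non-zero; bridged traffic hits iptables
    """
    if "bridge" not in loaded_modules:
        return "module-not-loaded"
    path = key_path(proc_sys_root, key)
    if not os.path.exists(path):
        return "sysctl-missing"
    with open(path) as f:
        return "bypass" if f.read().strip() == "0" else "inspect"


def modprobe_install_rule(key=KEY, value="0", module="bridge"):
    """A modprobe.d 'install' line that re-applies the sysctl after load.

    Assumed form (not from the thread): --ignore-install loads the real
    module, then sysctl -w sets the key that only exists once it is loaded.
    """
    return (f"install {module} /sbin/modprobe --ignore-install {module} && "
            f"/sbin/sysctl -q -w {key}={value}")


def write_fake_key(proc_sys_root, value, key=KEY):
    """Create a constructed /proc/sys-style tree holding `value` for key."""
    path = key_path(proc_sys_root, key)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(value + "\n")


def demo():
    """Run the classifier over constructed trees; returns name -> status."""
    mods = parse_lsmod(LSMOD_SAMPLE)
    results = {}
    for name, value in (("f12-box", "1"), ("bypass", "0"), ("no-key", None)):
        with tempfile.TemporaryDirectory() as root:
            if value is not None:
                write_fake_key(root, value)
            results[name] = runtime_status(root, mods)
    results["module-missing"] = runtime_status("/nonexistent", mods - {"bridge"})
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:16} {status}")
    print(modprobe_install_rule())
```

The "f12-box" scenario is the state Laine reports: module loaded, key present, value 1, so bridged frames are handed to iptables and netcf has a reason to parse the iptables file. Whichever of Daniel's two fixes is chosen, the check to re-run after a reboot is `runtime_status("/proc/sys", ...)` returning "bypass".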


Re: [netcf-devel] ncftool 'Failed to initialize netcf' missing a dep?

2009-12-17 Thread Laine Stump
On 12/07/2009 01:43 PM, David Lutterkort wrote:
> Hi Dale,
>
> On Sat, 2009-12-05 at 11:33 -0800, Dale Bewley wrote:
>
>> [r...@localhost ~]# NETCF_DEBUG=1 ncftool
>> warning: augeas initialization had errors
>> please file a bug with the following lines in the bug report:
>> /augeas/files/etc/sysconfig/iptables/error = "parse_failed"
>> /augeas/files/etc/sysconfig/iptables/error/pos = "0"
>> /augeas/files/etc/sysconfig/iptables/error/line = "1"
>> /augeas/files/etc/sysconfig/iptables/error/char = "0"
>> /augeas/files/etc/sysconfig/iptables/error/lens = 
>> "/usr/share/augeas/lenses/dist/iptables.aug:59.10-.32"
>> /augeas/files/etc/sysconfig/iptables/error/message = "Iterated lens matched 
>> less than it should"
>> Failed to initialize netcf
>> error: unspecified error
>> error: errors in loading some config files
>>  
> The mystery to me is why netcf even looks at your iptables config -
> since you have the bridge module loaded, the
> file /proc/sys/net/bridge/bridge-nf-call-iptables should exist, and per
> the F12 defaults, should have a 0 in it. That tells netcf not to bother
> with iptables.
>

I have the same behavior captured on my F12 box. 
/proc/sys/net/bridge/bridge-nf-call-iptables does contain a 1, even 
though the bridge module is loaded. I just checked on my F11 machine, 
and it also has bridge-nf-call-iptables set to 1, even though the bridge 
module is loaded (in the case of F11, initialization is successful, though).

So it looks like we can't assume bridge-nf-call-iptables will be set to 
0 if the bridge module is loaded. Do we need to find another way to test 
for this?




Re: [netcf-devel] ncftool 'Failed to initialize netcf' missing a dep?

2009-12-07 Thread David Lutterkort
Hi Dale,

On Sat, 2009-12-05 at 11:33 -0800, Dale Bewley wrote:
> [r...@localhost ~]# NETCF_DEBUG=1 ncftool
> warning: augeas initialization had errors
> please file a bug with the following lines in the bug report:
> /augeas/files/etc/sysconfig/iptables/error = "parse_failed"
> /augeas/files/etc/sysconfig/iptables/error/pos = "0"
> /augeas/files/etc/sysconfig/iptables/error/line = "1"
> /augeas/files/etc/sysconfig/iptables/error/char = "0"
> /augeas/files/etc/sysconfig/iptables/error/lens = 
> "/usr/share/augeas/lenses/dist/iptables.aug:59.10-.32"
> /augeas/files/etc/sysconfig/iptables/error/message = "Iterated lens matched 
> less than it should"
> Failed to initialize netcf
> error: unspecified error
> error: errors in loading some config files

The mystery to me is why netcf even looks at your iptables config -
since you have the bridge module loaded, the
file /proc/sys/net/bridge/bridge-nf-call-iptables should exist, and per
the F12 defaults, should have a 0 in it. That tells netcf not to bother
with iptables.

> I also discovered that after no changes to any configurations, 
> a restart of the network makes ncftool/augeas happy.

That could either be something changing bridge-nf-call-iptables or
something fiddling with iptables config.

> I found that if I remove '-m comment --comment "Forwarding for VM
> bridges"' then ncftool is happy, even after a fresh reboot. So,
> perhaps it's an augeas bug with the comment module in iptables?

That's part of it - the lens is just good enough for the common
directives that system-config-firewall and its ilk use. I'll try and add
some smarts about the comment module.

David


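To find out ahead of time which rules a lens that only knows "the common directives" is likely to reject, the Python below is an added example for this page, not code from netcf or Augeas. It parses iptables-save format with shlex so that a quoted `--comment` value stays one token, records the match modules each rule loads with `-m`, and lists every rule that uses a given module. The sample file is constructed from the /etc/sysconfig/iptables shown in the thread. The parser understands only the directives present in that file (`*table`, `:CHAIN POLICY [p:b]`, `-A`, `COMMIT`); anything else raises rather than being silently dropped, which is the property you want from anything that sits in front of a tool that rewrites the file.

```python
"""Parse iptables-save format, keeping quoted --comment values intact.

Added example for this thread, not code from netcf or Augeas. Understands
only the directives present in the file shown above; unknown ones raise.
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, built from the /etc/sysconfig/iptables in the thread.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT -m comment --comment "Forwarding for VM bridges"
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


@dataclass
class Rule:
    table: str
    chain: str
    matches: List[str] = field(default_factory=list)   # modules given to -m
    target: Optional[str] = None                       # -j argument
    comment: Optional[str] = None                      # --comment value
    raw: str = ""


def parse_rule(table, line, lineno):
    """Tokenise one -A line; shlex keeps "quoted comment text" as one token."""
    try:
        toks = shlex.split(line)
    except ValueError as e:                # e.g. an unterminated quote
        raise ValueError(f"line {lineno}: {e}") from None
    if len(toks) < 2 or toks[0] != "-A":
        raise ValueError(f"line {lineno}: expected '-A CHAIN ...': {line}")
    rule = Rule(table=table, chain=toks[1], raw=line)
    i = 2
    while i < len(toks):
        tok = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-m" and nxt is not None:
            rule.matches.append(nxt)
            i += 2
        elif tok == "-j" and nxt is not None:
            rule.target = nxt
            i += 2
        elif tok == "--comment" and nxt is not None:
            rule.comment = nxt
            i += 2
        else:
            i += 1                        # other options survive only in raw
    return rule


def parse_iptables_save(text):
    """Return the list of Rule objects for every -A line, in file order."""
    table = None
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # '#' lines are comments, not kept
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":") or line == "COMMIT":
            continue
        elif line.startswith("-A "):
            if table is None:
                raise ValueError(f"line {lineno}: rule before any *table")
            rules.append(parse_rule(table, line, lineno))
        else:
            raise ValueError(f"line {lineno}: unsupported directive: {line}")
    return rules


def rules_using(rules, module):
    """Rules whose -m list contains `module` (e.g. 'comment', 'physdev')."""
    return [r for r in rules if module in r.matches]


if __name__ == "__main__":
    for r in rules_using(parse_iptables_save(SAMPLE), "comment"):
        print(f"{r.table}/{r.chain}: {r.comment!r}  <- {r.raw}")
```

Running it against the sample prints the single FORWARD rule that uses the comment module, which is exactly the rule Dale found he had to strip. Note that, like iptables-restore, this parser treats a line beginning with `#` as a comment and does not carry it through, so commenting a rule out is not a way to hide it from a tool that writes the file back.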


Re: [netcf-devel] ncftool 'Failed to initialize netcf' missing a dep?

2009-12-05 Thread Dale Bewley
- "David Lutterkort"  wrote:
> Can you try this again with 'NETCF_DEBUG=1 ncftool', i.e. set
> NETCF_DEBUG in the environment ? That should spew out some more
> details.
> 
> David

Thanks for the tip.

[r...@localhost ~]# NETCF_DEBUG=1 ncftool
warning: augeas initialization had errors
please file a bug with the following lines in the bug report:
/augeas/files/etc/sysconfig/iptables/error = "parse_failed"
/augeas/files/etc/sysconfig/iptables/error/pos = "0"
/augeas/files/etc/sysconfig/iptables/error/line = "1"
/augeas/files/etc/sysconfig/iptables/error/char = "0"
/augeas/files/etc/sysconfig/iptables/error/lens = 
"/usr/share/augeas/lenses/dist/iptables.aug:59.10-.32"
/augeas/files/etc/sysconfig/iptables/error/message = "Iterated lens matched 
less than it should"
Failed to initialize netcf
error: unspecified error
error: errors in loading some config files

[r...@localhost sysconfig]# cat iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m limit --limit-burst 10 --limit 6/minute -j LOG --log-level 6
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT -m comment --comment "Forwarding for VM bridges"
-A FORWARD -m limit --limit-burst 10 --limit 6/minute -j LOG --log-level 6
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

I also discovered that after no changes to any configurations, 
a restart of the network makes ncftool/augeas happy.

[r...@localhost sysconfig]# service network restart
Shutting down interface eth0:  [  OK  ]
Shutting down loopback interface:  [  OK  ]
Disabling IPv4 packet forwarding:  net.ipv4.ip_forward = 0
   [  OK  ]
Bringing up loopback interface:[  OK  ]
Bringing up interface eth0:  
Determining IP information for eth0... done.
   [  OK  ]
[r...@localhost ~]# iptables -L -n|grep PHYS
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged /* Forwarding for VM bridges */
[r...@localhost sysconfig]# NETCF_DEBUG=1 ncftool
ncftool> 

If I reboot, ncftool is broken again, with the same error, until a network 
restart.

Note the following line in iptables:
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT -m comment --comment "Forwarding for VM bridges"

If I comment out that entire line with a #, I'm somewhat surprised when I run 
ncftool, to see iptables restart and this line is deleted.

[r...@localhost sysconfig]# NETCF_DEBUG=1 ncftool
iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter  [  OK  ]
iptables: Unloading modules:   [  OK  ]
iptables: Applying firewall rules: [  OK  ]
ncftool> quit

I found that if I remove '-m comment --comment "Forwarding for VM bridges"' 
then ncftool is happy, even after a fresh reboot. So, perhaps it's an augeas 
bug with the comment module in iptables? It does seem odd that even with this 
line present, ncftool does work if I restart the network service.


Re: [netcf-devel] ncftool 'Failed to initialize netcf' missing a dep?

2009-12-04 Thread David Lutterkort
On Wed, 2009-12-02 at 18:32 -0800, Dale Bewley wrote:
> - "David Lutterkort"  wrote:
> > On Tue, 2009-12-01 at 13:49 -0800, Dale Bewley wrote:
> > > Out of the box F12 64bit fairly slim install with 497 packages,
> > > NetworkManager is not running. It's been chkconfig'd off in the
> > > kickstart %post.
> > > 
> > > There is an eth0 and an eth1 interface. Eth1 is inactive and eth0
> > is
> > > configured by anaconda to use dhcp. Netcf 0.1.4 fails run:
> > 
> > This seems like another manifestation of the bug you found with not
> > having the bridge module loaded - the fix for that is only in
> > netcf-0.1.5, not in 0.1.4. Can you retry with 0.1.5 ? (It's in
> > updates-testing)
> 
> Almost, but it's different because the bridge module actually is present.
> I neglected to mention that.
> 
> I just tested again on a fresh F12 install:
> 
> [r...@localhost ~]# lsmod |grep bridge
> bridge 54112  0
> stp 2724  1 bridge
> llc 6400  2 bridge,stp
> 
> [r...@localhost ~]# ncftool
> Failed to initialize netcf
> error: unspecified error
> error: errors in loading some config files

Can you try this again with 'NETCF_DEBUG=1 ncftool', i.e. set
NETCF_DEBUG in the environment ? That should spew out some more details.

David




Re: [netcf-devel] ncftool 'Failed to initialize netcf' missing a dep?

2009-12-02 Thread Dale Bewley
- "David Lutterkort"  wrote:
> On Tue, 2009-12-01 at 13:49 -0800, Dale Bewley wrote:
> > Out of the box F12 64bit fairly slim install with 497 packages,
> > NetworkManager is not running. It's been chkconfig'd off in the
> > kickstart %post.
> > 
> > There is an eth0 and an eth1 interface. Eth1 is inactive and eth0
> is
> > configured by anaconda to use dhcp. Netcf 0.1.4 fails run:
> 
> This seems like another manifestation of the bug you found with not
> having the bridge module loaded - the fix for that is only in
> netcf-0.1.5, not in 0.1.4. Can you retry with 0.1.5 ? (It's in
> updates-testing)

Almost, but it's different because the bridge module actually is present.
I neglected to mention that.

I just tested again on a fresh F12 install:

[r...@localhost ~]# lsmod |grep bridge
bridge 54112  0
stp 2724  1 bridge
llc 6400  2 bridge,stp

[r...@localhost ~]# ncftool
Failed to initialize netcf
error: unspecified error
error: errors in loading some config files

[r...@localhost ~]# ifconfig
eth0  Link encap:Ethernet  HWaddr 00:22:19:65:F4:E2
  inet addr:10.1.200.134  Bcast:10.1.200.255  Mask:255.255.255.0
  inet6 addr: fe80::222:19ff:fe65:f4e2/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:259 errors:0 dropped:0 overruns:0 frame:0
  TX packets:153 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:29218 (28.5 KiB)  TX bytes:20886 (20.3 KiB)
  Interrupt:37 Memory:ec00-ec012800

loLink encap:Local Loopback
  inet addr:127.0.0.1  Mask:255.0.0.0
  inet6 addr: ::1/128 Scope:Host
  UP LOOPBACK RUNNING  MTU:16436  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

virbr0Link encap:Ethernet  HWaddr F2:B5:3A:82:90:D9
  inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

# upgrading to netcf 0.1.5 did not help

[r...@localhost ~]# yum --enablerepo=updates-testing update netcf
...
Updated:
  netcf.x86_64 0:0.1.5-1.fc12
Dependency Updated:
  netcf-libs.x86_64 0:0.1.5-1.fc12
...
[r...@localhost ~]# ncftool
Failed to initialize netcf
error: unspecified error
error: errors in loading some config files
[r...@localhost ~]# virsh iface-list
error: Failed to list active interfaces
error: this function is not supported by the hypervisor: 
virConnectNumOfInterfaces

# creating my own bridge does make it work

[r...@localhost ~]# cd /etc/sysconfig/network-scripts
[r...@localhost network-scripts]# ls ifcfg*
ifcfg-eth0  ifcfg-eth1  ifcfg-lo
[r...@localhost network-scripts]# cat <<EOF > ifcfg-eth0
> DEVICE=eth0
> HWADDR=
> ONBOOT=yes
> BRIDGE=br0
> EOF
[r...@localhost network-scripts]# cat <<EOF > ifcfg-br0
> DEVICE=br0
> ONBOOT=yes
> TYPE=Bridge
> BOOTPROTO=dhcp
> EOF
[r...@localhost network-scripts]# service network restart
Shutting down interface br0:  [  OK  ]
Shutting down interface eth0:  bridge br0 does not exist!
[  OK  ]
Shutting down loopback interface:  [  OK  ]
Disabling IPv4 packet forwarding:  net.ipv4.ip_forward = 0
[  OK  ]
Bringing up loopback interface:  [  OK  ]
Bringing up interface eth0:  [  OK  ]
Bringing up interface br0:
Determining IP information for br0... done.
[  OK  ]

[r...@localhost network-scripts]# ncftool
ncftool> list
br0
lo
ncftool> quit

[r...@localhost network-scripts]# virsh iface-list --all
Name State  MAC Address

br0  active 00:22:19:65:f4:e2
lo   active 00:00:00:00:00:00
eth1 inactive   00:22:19:65:f4:e4

[r...@localhost network-scripts]# ifconfig
br0   Link encap:Ethernet  HWaddr 00:22:19:65:F4:E2  
  inet addr:10.1.200.134  Bcast:10.1.200.255  Mask:255.255.255.0
  inet6 addr: fe80::222:19ff:fe65:f4e2/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:1157 errors:0 dropped:0 overruns:0 frame:0
  TX packets:536 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0 
  RX bytes:93393 (91.2 KiB)  TX bytes:118448 (115.6 KiB)

eth0  Link encap:Ethernet  HWaddr 00:22:19:65:F4:E2  
  inet6 addr: fe80::222:19ff:fe65:f4e2/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:1147 errors:0 dropped:0 overruns:0 frame:0
  TX packets:525 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000 
  RX bytes:113163 (110.5 KiB

Re: [netcf-devel] ncftool 'Failed to initialize netcf' missing a dep?

2009-12-02 Thread David Lutterkort
On Tue, 2009-12-01 at 13:49 -0800, Dale Bewley wrote:
> Out of the box F12 64bit fairly slim install with 497 packages,
> NetworkManager is not running. It's been chkconfig'd off in the
> kickstart %post.
> 
> There is an eth0 and an eth1 interface. Eth1 is inactive and eth0 is
> configured by anaconda to use dhcp. Netcf 0.1.4 fails run:

This seems like another manifestation of the bug you found with not
having the bridge module loaded - the fix for that is only in
netcf-0.1.5, not in 0.1.4. Can you retry with 0.1.5 ? (It's in
updates-testing)

David

