66 Comments

@zbyszek Sorry, my bad ... you are right ! I downloaded version 1.0.1-3 and rebooted - now it works. Thank you :)

@zbyszek Yes, I am sure - I installed version 1.0.1-3.fc35 by running sudo dnf upgrade --enablerepo=updates-testing

No swap after upgrading to version 1.0.1-3.fc35 ... downgrading to version 0.3.2-5.fc35 brings swap back.

$ journalctl | grep zram
Okt 27 10:19:46 cl-fs-01 kernel: zram: Added device: zram0
Okt 27 10:19:46 cl-fs-01 systemd[1]: Created slice Slice /system/systemd-zram-setup.
Okt 27 10:19:47 cl-fs-01 systemd[1]: Found device /dev/zram0.
Okt 27 10:19:47 cl-fs-01 systemd[1]: Starting Create swap on /dev/zram0...
Okt 27 10:19:47 cl-fs-01 zram-generator[826]: Error: /systemd-makefs call failed for /dev/zram0
Okt 27 10:19:47 cl-fs-01 zram-generator[826]: Caused by:
Okt 27 10:19:47 cl-fs-01 zram-generator[826]:     No such file or directory (os error 2)
Okt 27 10:19:47 cl-fs-01 kernel: zram0: detected capacity change from 0 to 16777216
Okt 27 10:19:47 cl-fs-01 systemd[1]: systemd-zram-setup@zram0.service: Main process exited, code=exited, status=1/FAILURE
Okt 27 10:19:47 cl-fs-01 systemd[1]: systemd-zram-setup@zram0.service: Failed with result 'exit-code'.
Okt 27 10:19:47 cl-fs-01 systemd[1]: Failed to start Create swap on /dev/zram0.
Okt 27 10:19:47 cl-fs-01 systemd[1]: Dependency failed for Compressed Swap on /dev/zram0.
Okt 27 10:19:47 cl-fs-01 systemd[1]: dev-zram0.swap: Job dev-zram0.swap/start failed with result 'dependency'.  

@zpytela : Thank you for the information, Zdenek !

After applying selinux-policy-34.9-1.fc34, I always receive this sealert when running the command sudo updatedb :

setroubleshoot[7078]: SELinux is preventing updatedb from search access on the directory dma_heap.
If you believe that updatedb should be allowed search access on the dma_heap directory by default.
# ausearch -c 'updatedb' --raw | audit2allow -M my-updatedb
# semodule -X 300 -i my-updatedb.pp

By the way, I'm receiving this sealert message after every system boot since I have installed Fedora 34 Workstation :

setroubleshoot[2132]: SELinux is preventing gnome-session-c from write access on the sock_file dbus-AG0rCzsVkf.
If you believe that gnome-session-c should be allowed write access on the dbus-AG0rCzsVkf sock_file by default.
# ausearch -c 'gnome-session-c' --raw | audit2allow -M my-gnomesessionc
# semodule -X 300 -i my-gnomesessionc.pp

You're welcome @benzea and @ipedrosa ! :)

Update @ipedrosa - I restored the image again and this time I updated all other packages before upgrading pam :
sudo dnf upgrade --enablerepo=updates-testing --exclude=pam
sudo dnf upgrade --enablerepo=updates-testing pam
Now it worked as expected, no system freeze. So it must have been an interference with another package update.

$ cat /etc/os-release
NAME=Fedora
VERSION="34 (Workstation Edition)"
ID=fedora
VERSION_ID=34
VERSION_CODENAME=""
PLATFORM_ID="platform:f34"
PRETTY_NAME="Fedora 34 (Workstation Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:34"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/34/system-administrators-guide/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=34
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=34
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Workstation Edition"
VARIANT_ID=workstation

$ ls -l /etc/pam.d/fingerprint-auth
lrwxrwxrwx. 1 root root 32 8. Apr 11:03 /etc/pam.d/fingerprint-auth -> /etc/authselect/fingerprint-auth

Freezes the system once the scriptlet starts. To make sure it wasn't an accident, I restored a clonezilla image.
Same results ... system freezes.

@psutter I'm not sure if it's only an issue on my side ... I tested the upgrade on a physical and on a virtual system.
In both cases only the workaround (uninstalling and reinstalling stuff) worked - a simple dnf upgrade didn't work.
I assume the package itself is generally functional now, and should work without issues on a fresh install at least.

@psutter And here are the requested facts from the current (successful) installation of iptables-1.8.7-6.fc34 :

$ sudo dnf list installed | grep iptables
iptables-compat.x86_64 1.8.7-6.fc34
iptables-legacy.x86_64 1.8.7-6.fc34
iptables-legacy-libs.x86_64 1.8.7-6.fc34
iptables-libs.x86_64 1.8.7-6.fc34
iptables-utils.x86_64 1.8.7-6.fc34

$ ls -l /etc/alternatives | grep iptables
lrwxrwxrwx. 1 root root 25 24. Mär 16:45 iptables -> /usr/sbin/iptables-legacy
lrwxrwxrwx. 1 root root 33 24. Mär 16:45 iptables-restore -> /usr/sbin/iptables-legacy-restore
lrwxrwxrwx. 1 root root 30 24. Mär 16:45 iptables-save -> /usr/sbin/iptables-legacy-save

$ ls -l /usr/sbin | grep iptables
lrwxrwxrwx. 1 root root 14 23. Mär 21:35 ip6tables-apply -> iptables-apply
lrwxrwxrwx. 1 root root 26 24. Mär 16:45 iptables -> /etc/alternatives/iptables
-rwxr-xr-x. 1 root root 7061 15. Jan 23:03 iptables-apply
lrwxrwxrwx. 1 root root 20 23. Mär 21:35 iptables-legacy -> xtables-legacy-multi
lrwxrwxrwx. 1 root root 20 23. Mär 21:35 iptables-legacy-restore -> xtables-legacy-multi
lrwxrwxrwx. 1 root root 20 23. Mär 21:35 iptables-legacy-save -> xtables-legacy-multi
lrwxrwxrwx. 1 root root 34 24. Mär 16:45 iptables-restore -> /etc/alternatives/iptables-restore
lrwxrwxrwx. 1 root root 31 24. Mär 16:45 iptables-save -> /etc/alternatives/iptables-save

$ cat /var/lib/alternatives/iptables
auto
/usr/sbin/iptables
ip6tables
/usr/sbin/ip6tables
iptables-restore
/usr/sbin/iptables-restore
iptables-save
/usr/sbin/iptables-save
ip6tables-restore
/usr/sbin/ip6tables-restore
ip6tables-save
/usr/sbin/ip6tables-save

/usr/sbin/iptables-legacy
10
/usr/sbin/ip6tables-legacy
/usr/sbin/iptables-legacy-restore
/usr/sbin/iptables-legacy-save
/usr/sbin/ip6tables-legacy-restore
/usr/sbin/ip6tables-legacy-save

$ sudo virsh net-list --all
Name      State    Autostart   Persistent
default   active   yes         yes

@psutter Okay Phil, I could not downgrade and I could not remove iptables completely because dnf complained that
removing iptables-legacy-libs would remove systemd. After several attempts of uninstalling and reinstalling firewalld
I finally found a workaround (operations have to be performed in exactly this order) that led to the expected results :

sudo dnf remove firewalld iptables libvirt

sudo dnf install iptables
sudo dnf install firewalld
sudo dnf install libvirt

sudo dnf install cockpit-machines cockpit-podman gnome-boxes podman

sudo systemctl enable libvirtd
sudo systemctl start libvirtd

sudo reboot

Note : I tried to install firewalld first, but dnf wanted to install iptables-nft as a dependency automatically.
Now the zone libvirt is available and the default zone is active - KVM and libvirt are "ready to Rock'n'Roll".
What an adventure ... let's hope that this is not the procedure the "Standard Joe user" will have to follow.

@psutter /usr/sbin/iptables is present on iptables-1.8.7-3 ... on 1.8.7-4 / 1.8.7-5 / 1.8.7-6 NOT.
When I install iptables-nft additionally /usr/sbin/iptables appears, but has no effect on libvirt.

No @psutter ... that's what I'm reporting all the time ... no /usr/sbin/iptables since version 1.8.7-3.
I have upgraded from 1.8.7-3 to 1.8.7-4 to 1.8.7-5 to 1.8.7-6 ... in 1.8.7-3 /usr/sbin/iptables existed.

@psutter Sorry Phil, I've pasted a wrong output for $ ls -l /etc/alternatives | grep iptables ... before and after the
update there was no entry for iptables at all - only for ebtables ... after installing iptables-nft the entry was there.
This thing starts to drive me nuts ...

@psutter I always run sudo updatedb before I run sudo locate ... but I had checked it with ls before as well.

Before and after the update :

$ ls -l /etc/alternatives | grep iptables
lrwxrwxrwx. 1 root root 33 24. Mär 10:40 iptables-restore -> /usr/sbin/iptables-legacy-restore
lrwxrwxrwx. 1 root root 30 24. Mär 10:40 iptables-save -> /usr/sbin/iptables-legacy-save

$ ls -l /usr/sbin | grep iptables
lrwxrwxrwx. 1 root root 14 23. Mär 21:35 ip6tables-apply -> iptables-apply
-rwxr-xr-x. 1 root root 7061 15. Jan 23:03 iptables-apply
lrwxrwxrwx. 1 root root 20 23. Mär 21:35 iptables-legacy -> xtables-legacy-multi
lrwxrwxrwx. 1 root root 20 23. Mär 21:35 iptables-legacy-restore -> xtables-legacy-multi
lrwxrwxrwx. 1 root root 20 23. Mär 21:35 iptables-legacy-save -> xtables-legacy-multi
lrwxrwxrwx. 1 root root 34 24. Mär 09:55 iptables-restore -> /etc/alternatives/iptables-restore
lrwxrwxrwx. 1 root root 31 24. Mär 09:55 iptables-save -> /etc/alternatives/iptables-save

After installing iptables-nft :

$ ls -l /etc/alternatives | grep iptables
lrwxrwxrwx. 1 root root 25 24. Mär 10:45 iptables -> /usr/sbin/iptables-legacy
lrwxrwxrwx. 1 root root 33 24. Mär 10:45 iptables-restore -> /usr/sbin/iptables-legacy-restore
lrwxrwxrwx. 1 root root 30 24. Mär 10:45 iptables-save -> /usr/sbin/iptables-legacy-save

$ ls -l /usr/sbin | grep iptables
lrwxrwxrwx. 1 root root 14 23. Mär 21:35 ip6tables-apply -> iptables-apply
lrwxrwxrwx. 1 root root 26 24. Mär 09:55 iptables -> /etc/alternatives/iptables
-rwxr-xr-x. 1 root root 7061 15. Jan 23:03 iptables-apply
lrwxrwxrwx. 1 root root 20 23. Mär 21:35 iptables-legacy -> xtables-legacy-multi
lrwxrwxrwx. 1 root root 20 23. Mär 21:35 iptables-legacy-restore -> xtables-legacy-multi
lrwxrwxrwx. 1 root root 20 23. Mär 21:35 iptables-legacy-save -> xtables-legacy-multi
lrwxrwxrwx. 1 root root 17 23. Mär 21:35 iptables-nft -> xtables-nft-multi
lrwxrwxrwx. 1 root root 17 23. Mär 21:35 iptables-nft-restore -> xtables-nft-multi
lrwxrwxrwx. 1 root root 17 23. Mär 21:35 iptables-nft-save -> xtables-nft-multi
lrwxrwxrwx. 1 root root 34 24. Mär 09:55 iptables-restore -> /etc/alternatives/iptables-restore
lrwxrwxrwx. 1 root root 17 23. Mär 21:35 iptables-restore-translate -> xtables-nft-multi
lrwxrwxrwx. 1 root root 31 24. Mär 09:55 iptables-save -> /etc/alternatives/iptables-save
lrwxrwxrwx. 1 root root 17 23. Mär 21:35 iptables-translate -> xtables-nft-multi

$ cat /var/lib/alternatives/iptables
manual
/usr/sbin/iptables
ip6tables
/usr/sbin/ip6tables
ip6tables-restore
/usr/sbin/ip6tables-restore
ip6tables-save
/usr/sbin/ip6tables-save
iptables-restore
/usr/sbin/iptables-restore
iptables-save
/usr/sbin/iptables-save

/usr/sbin/iptables-legacy
10
/usr/sbin/ip6tables-legacy
/usr/sbin/ip6tables-legacy-restore
/usr/sbin/ip6tables-legacy-save
/usr/sbin/iptables-legacy-restore
/usr/sbin/iptables-legacy-save
/usr/sbin/iptables-nft
10
/usr/sbin/ip6tables-nft
/usr/sbin/ip6tables-nft-restore
/usr/sbin/ip6tables-nft-save
/usr/sbin/iptables-nft-restore
/usr/sbin/iptables-nft-save

Update : After having additionally installed the package iptables-nft the symlinked files are present.
But it still doesn't work ... the zone libvirt doesn't get created and virsh net-list says default inactive.
Seems that alternatives doesn't link iptables-legacy to /usr/sbin/iptables, where iptables-nft does ...

@adamwill @psutter : Unfortunately no progress ... /usr/sbin/ip6tables and /usr/sbin/iptables are still missing.
Without them being present KVM/libvirt and GNOME Boxes (which runs libvirt under the hood) are not usable.

@psutter Although alternatives now show iptables, the ip6tables/iptables symlinks don't exist - it still doesn't work.

$ sudo alternatives --list | grep tables
ebtables auto /usr/sbin/ebtables-legacy
iptables manual /usr/sbin/iptables-legacy

$ sudo dnf list installed | grep iptables
iptables-compat.x86_64 1.8.7-5.fc34
iptables-legacy.x86_64 1.8.7-5.fc34
iptables-legacy-libs.x86_64 1.8.7-5.fc34
iptables-libs.x86_64 1.8.7-5.fc34
iptables-utils.x86_64 1.8.7-5.fc34

$ sudo locate /usr/sbin/ip6tables
/usr/sbin/ip6tables-apply
/usr/sbin/ip6tables-legacy
/usr/sbin/ip6tables-legacy-restore
/usr/sbin/ip6tables-legacy-save

$ sudo locate /usr/sbin/iptables
/usr/sbin/iptables-apply
/usr/sbin/iptables-legacy
/usr/sbin/iptables-legacy-restore
/usr/sbin/iptables-legacy-save

$ sudo virsh net-list --all
Name      State      Autostart   Persistent
default   inactive   yes         yes

@adamwill As libvirt uses iptables instead of nftables it depends on /usr/sbin/iptables which creates the zone libvirt.
/usr/sbin/iptables is not directly part of the iptables-legacy or the older iptables package. It is a symlink managed by
alternatives as @psutter explained in https://bugzilla.redhat.com/show_bug.cgi?id=1941288. As you see it's missing.

$ sudo alternatives --list | grep tables
ebtables auto /usr/sbin/ebtables-legacy

$ sudo dnf list installed | grep iptables
iptables-compat.x86_64 1.8.7-4.fc34
iptables-legacy.x86_64 1.8.7-4.fc34
iptables-legacy-libs.x86_64 1.8.7-4.fc34
iptables-libs.x86_64 1.8.7-4.fc34
iptables-utils.x86_64 1.8.7-4.fc34

$ sudo locate /usr/sbin/iptables
/usr/sbin/iptables-apply
/usr/sbin/iptables-legacy
/usr/sbin/iptables-legacy-restore
/usr/sbin/iptables-legacy-save
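
The two-hop symlink chain these comments describe (/usr/sbin/iptables -> /etc/alternatives/iptables -> /usr/sbin/iptables-legacy) can be checked hop by hop, so a missing firewall front end is caught before libvirt fails to bring up its network. This is an added example, not part of the original comments; `check_alt_chain`, `report`, `make_sample_tree` and the ROOT prefix argument are hypothetical names, and the sample tree is constructed from the "before the update" listings above.

```shell
#!/bin/sh
# Added example. ROOT is a hypothetical prefix for testing; pass "" on a live system.

# Print "ok:<target>" when /usr/sbin/NAME -> /etc/alternatives/NAME -> <target>
# resolves, otherwise the name of the first broken hop (and return 1).
check_alt_chain() {
    root=$1 name=$2
    link="$root/usr/sbin/$name"
    alt="$root/etc/alternatives/$name"

    # Hop 1: the generic name must be a symlink handed over to alternatives.
    if [ ! -L "$link" ]; then echo "missing-link"; return 1; fi
    if [ "$(readlink "$link")" != "/etc/alternatives/$name" ]; then
        echo "not-managed"; return 1
    fi
    # Hop 2: alternatives must point at a backend binary that exists.
    if [ ! -L "$alt" ]; then echo "missing-alternative"; return 1; fi
    target=$(readlink "$alt")
    if [ ! -e "$root$target" ]; then echo "dangling:$target"; return 1; fi
    echo "ok:$target"
}

# Check several names; returns non-zero if any chain is broken.
report() {
    root=$1; shift; rc=0
    for n in "$@"; do
        res=$(check_alt_chain "$root" "$n") || rc=1
        printf '%-18s %s\n' "$n" "$res"
    done
    return $rc
}

# Constructed sample: the "before" state, where only -restore and -save are linked.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/usr/sbin" "$t/etc/alternatives"
    : > "$t/usr/sbin/xtables-legacy-multi"
    for s in "" -restore -save; do
        ln -s xtables-legacy-multi "$t/usr/sbin/iptables-legacy$s"
    done
    for s in -restore -save; do
        ln -s "/usr/sbin/iptables-legacy$s" "$t/etc/alternatives/iptables$s"
        ln -s "/etc/alternatives/iptables$s" "$t/usr/sbin/iptables$s"
    done
    echo "$t"
}
```

On a live system the same check is `report "" iptables ip6tables iptables-restore iptables-save`.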