Restore alternatives configuration after upgrade
Fix upgrade path with package rename
Fix for missing man pages with iptables-nft only
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2021-377c35aa46Please login to add feedback.
This update has been submitted for testing by psutter.
This update's test gating status has been changed to 'ignored'.
This update's test gating status has been changed to 'waiting'.
This update has obsoleted iptables-1.8.7-5.fc34, and has inherited its bugs and notes.
This update's test gating status has been changed to 'ignored'.
Note, the openQA test failures here are failing because dnf isn't happy with things when upgrading from F33 and winds up installing the -3 builds from stable, not the -6 builds from the update.
If I tweak the test to exclude the -3 builds from the calculation, though, the tests pass. So I think if we actually push this update stable, and the -3 build goes away entirely (as it would), there wouldn't be a problem.
This update has been pushed to testing.
@adamwill @psutter : Unfortunately no progress ... /usr/sbin/ip6tables and /usr/sbin/iptables are still missing.
Without them being present KVM/libvirt and GNOME Boxes (which runs libvirt under the hood) are not usable.
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
Update : After having additionally installed the package iptables-nft the symlinked files are present.
But it still doesn't work ... the zone libvirt doesn't get created and virsh net-list says default inactive.
Seems that alternatives doesn't link iptables-legacy to /usr/sbin/iptables, where iptables-nft does ...
@clnetbox I tested the update with and without iptables-nft and alternatives in auto as well as manual mode. This should not fail for you, so could you please check in detail what's happening? Please dump: - /var/lib/alternatives - the output of 'ls -l /etc/alternatives/' - the otuput of 'ls -l /usr/sbin/iptables' before and after the update.
BTW: I noticed you used 'locate' to check for file existence. This might be a red herring as the output comes from a database and not the actual filesystem state.
@psutter I always run sudo updatedb before I run sudo locate ... but I had checked it with ls before as well.
Before and after the update :
$ ls -l /etc/alternatives | grep iptables
lrwxrwxrwx. 1 root root 33 24. Mär 10:40 iptables-restore -> /usr/sbin/iptables-legacy-restore
lrwxrwxrwx. 1 root root 30 24. Mär 10:40 iptables-save -> /usr/sbin/iptables-legacy-save
$ ls -l /usr/sbin | grep iptables
lrwxrwxrwx. 1 root root 14 23. Mär 21:35 ip6tables-apply -> iptables-apply
-rwxr-xr-x. 1 root root 7061 15. Jan 23:03 iptables-apply
lrwxrwxrwx. 1 root root 20 23. Mär 21:35 iptables-legacy -> xtables-legacy-multi
lrwxrwxrwx. 1 root root 20 23. Mär 21:35 iptables-legacy-restore -> xtables-legacy-multi
lrwxrwxrwx. 1 root root 20 23. Mär 21:35 iptables-legacy-save -> xtables-legacy-multi
lrwxrwxrwx. 1 root root 34 24. Mär 09:55 iptables-restore -> /etc/alternatives/iptables-restore
lrwxrwxrwx. 1 root root 31 24. Mär 09:55 iptables-save -> /etc/alternatives/iptables-save
After installing iptables-nft :
$ ls -l /etc/alternatives | grep iptables
lrwxrwxrwx. 1 root root 25 24. Mär 10:45 iptables -> /usr/sbin/iptables-legacy
lrwxrwxrwx. 1 root root 33 24. Mär 10:45 iptables-restore -> /usr/sbin/iptables-legacy-restore
lrwxrwxrwx. 1 root root 30 24. Mär 10:45 iptables-save -> /usr/sbin/iptables-legacy-save
$ ls -l /usr/sbin | grep iptables
lrwxrwxrwx. 1 root root 14 23. Mär 21:35 ip6tables-apply -> iptables-apply
lrwxrwxrwx. 1 root root 26 24. Mär 09:55 iptables -> /etc/alternatives/iptables
-rwxr-xr-x. 1 root root 7061 15. Jan 23:03 iptables-apply
lrwxrwxrwx. 1 root root 20 23. Mär 21:35 iptables-legacy -> xtables-legacy-multi
lrwxrwxrwx. 1 root root 20 23. Mär 21:35 iptables-legacy-restore -> xtables-legacy-multi
lrwxrwxrwx. 1 root root 20 23. Mär 21:35 iptables-legacy-save -> xtables-legacy-multi
lrwxrwxrwx. 1 root root 17 23. Mär 21:35 iptables-nft -> xtables-nft-multi
lrwxrwxrwx. 1 root root 17 23. Mär 21:35 iptables-nft-restore -> xtables-nft-multi
lrwxrwxrwx. 1 root root 17 23. Mär 21:35 iptables-nft-save -> xtables-nft-multi
lrwxrwxrwx. 1 root root 34 24. Mär 09:55 iptables-restore -> /etc/alternatives/iptables-restore
lrwxrwxrwx. 1 root root 17 23. Mär 21:35 iptables-restore-translate -> xtables-nft-multi
lrwxrwxrwx. 1 root root 31 24. Mär 09:55 iptables-save -> /etc/alternatives/iptables-save
lrwxrwxrwx. 1 root root 17 23. Mär 21:35 iptables-translate -> xtables-nft-multi
$ cat /var/lib/alternatives/iptables
manual
/usr/sbin/iptables
ip6tables
/usr/sbin/ip6tables
ip6tables-restore
/usr/sbin/ip6tables-restore
ip6tables-save
/usr/sbin/ip6tables-save
iptables-restore
/usr/sbin/iptables-restore
iptables-save
/usr/sbin/iptables-save
/usr/sbin/iptables-legacy
10
/usr/sbin/ip6tables-legacy
/usr/sbin/ip6tables-legacy-restore
/usr/sbin/ip6tables-legacy-save
/usr/sbin/iptables-legacy-restore
/usr/sbin/iptables-legacy-save
/usr/sbin/iptables-nft
10 /usr/sbin/ip6tables-nft
/usr/sbin/ip6tables-nft-restore
/usr/sbin/ip6tables-nft-save
/usr/sbin/iptables-nft-restore
/usr/sbin/iptables-nft-save
@psutter Sorry Phil, I've pasted a wrong output for $ ls -l /etc/alternatives | grep iptables ... before and after the
update there was no entry for iptables at all - only for ebtables ... after installing iptables-nft the entry was there.
This thing starts to drivings me nuts ...
@clnetbox So you didn't have /usr/sbin/iptables even before the update? What version of iptables are you updating from?
No @psutter ... that's what I'm reporting all the time ... no /usr/sbin/iptables since version 1.8.7-3.
I have upgraded from 1.8.7-3 to 1.8.7-4 to 1.8.7-5 to 1.8.7-6 ... in 1.8.7-3 /usr/sbin/iptables existed.
@clnetbox Sorry, but that's not what your dumps indicate: You wrote "Before and after the update : " and "ls -l /usr/sbin | grep iptables" doesn't contain /usr/sbin/iptables. So is /usr/sbin/iptables present with iptables-1.8.7-3 or not? If it is, could you please provide proper output instead of "all at once"?
@psutter /usr/sbin/iptables is present on iptables-1.8.7-3 ... on 1.8.7-4 / 1.8.7-5 / 1.8.7-6 NOT.
When I install iptables-nft additionally /usr/sbin/iptables appears, but has no effect on libvirt.
@clnetbox Please do not install iptables-nft. Just perform the update, but prior to that fetch the data I asked you to.
@psutter Okay Phil, I could not downgrade and I could not remove iptables completely because dnf complained that
removing iptables-legacy-libs would remove systemd. After several attempts of uninstalling and reinstalling firewalld
I finally found a workaround (operations have to be performed in exactly this order) that led to the expected results :
sudo dnf remove firewalld iptables libvirt
sudo dnf install iptables
suso dnf install firewalld
sudo dnf install libvirt
sudo dnf install cockpit-machines cockpit-podman gnome-boxes podman
sudo systemctl enable libvirtd
sudo systemctl start libvirtd
sudo reboot
Note : I tried to install firewalld first, but dnf wanted to install iptables-nft as a dependency automatically.
Now the zone libvirt is available and the default zone is active - KVM and libvirt are "ready to Rock'n'Roll".
What an adventure ... let's hope that this is not the procedure the "Standard Joe user" will have to follow.
@psutter And here are the requested facts from the current (successful) installation of iptables-1.8.7-6.fc34 :
$ sudo dnf list installed | grep iptables
iptables-compat.x86_64 1.8.7-6.fc34
iptables-legacy.x86_64 1.8.7-6.fc34
iptables-legacy-libs.x86_64 1.8.7-6.fc34
iptables-libs.x86_64 1.8.7-6.fc34
iptables-utils.x86_64 1.8.7-6.fc34
$ ls -l /etc/alternatives | grep iptables
lrwxrwxrwx. 1 root root 25 24. Mär 16:45 iptables -> /usr/sbin/iptables-legacy
lrwxrwxrwx. 1 root root 33 24. Mär 16:45 iptables-restore -> /usr/sbin/iptables-legacy-restore
lrwxrwxrwx. 1 root root 30 24. Mär 16:45 iptables-save -> /usr/sbin/iptables-legacy-save
$ ls -l /usr/sbin | grep iptables
lrwxrwxrwx. 1 root root 14 23. Mär 21:35 ip6tables-apply -> iptables-apply
lrwxrwxrwx. 1 root root 26 24. Mär 16:45 iptables -> /etc/alternatives/iptables
-rwxr-xr-x. 1 root root 7061 15. Jan 23:03 iptables-apply
lrwxrwxrwx. 1 root root 20 23. Mär 21:35 iptables-legacy -> xtables-legacy-multi
lrwxrwxrwx. 1 root root 20 23. Mär 21:35 iptables-legacy-restore -> xtables-legacy-multi
lrwxrwxrwx. 1 root root 20 23. Mär 21:35 iptables-legacy-save -> xtables-legacy-multi
lrwxrwxrwx. 1 root root 34 24. Mär 16:45 iptables-restore -> /etc/alternatives/iptables-restore
lrwxrwxrwx. 1 root root 31 24. Mär 16:45 iptables-save -> /etc/alternatives/iptables-save
$ cat /var/lib/alternatives/iptables
auto
/usr/sbin/iptables
ip6tables
/usr/sbin/ip6tables
iptables-restore
/usr/sbin/iptables-restore
iptables-save
/usr/sbin/iptables-save
ip6tables-restore
/usr/sbin/ip6tables-restore
ip6tables-save
/usr/sbin/ip6tables-save
/usr/sbin/iptables-legacy
10
/usr/sbin/ip6tables-legacy
/usr/sbin/iptables-legacy-restore
/usr/sbin/iptables-legacy-save
/usr/sbin/ip6tables-legacy-restore
/usr/sbin/ip6tables-legacy-save
$ sudo virsh net-list --all
Name State Autostart Persistent
default active yes yes
@clnetbox Yes, sadly it seems impossible to steer 'dnf distrosync' to also install a required package (like iptables-libs in this case) while downgrading things. At least I haven't been able to. So I can assume this was a local issue on your side and the current release is fine?
@psutter I'm not sure if it's only an issue on my side ... I tested the upgrade on a physical and on a virtual system.
In both cases only the workaround (uninstalling and reinstalling stuff) worked - a simple dnf upgrade didn't work.
I assume the package itself is generally functional now, and should work without issues on a fresh install at least.
This update can be pushed to stable now if the maintainer wishes
Works
works for me
This update has been submitted for stable by psutter.
No problems found.
This update has been pushed to stable.