aleph-im / aleph-vm

Aleph.im VM execution engine
MIT License
41 stars 17 forks

NFTables conflict when Libvirt is running #626

Open hoh opened 1 month ago

hoh commented 1 month ago
May 30 15:02:36 aleph-server-8 python3[853913]: Original exception was:
May 30 15:02:36 aleph-server-8 python3[853913]: Traceback (most recent call last):
May 30 15:02:36 aleph-server-8 python3[853913]:   File "<frozen runpy>", line 198, in _run_module_as_main
May 30 15:02:36 aleph-server-8 python3[853913]:   File "<frozen runpy>", line 88, in _run_code
May 30 15:02:36 aleph-server-8 python3[853913]:   File "/opt/aleph-vm/aleph/vm/orchestrator/__main__.py", line 4, in <module>
May 30 15:02:36 aleph-server-8 python3[853913]:     main()
May 30 15:02:36 aleph-server-8 python3[853913]:   File "/opt/aleph-vm/aleph/vm/orchestrator/cli.py", line 368, in main
May 30 15:02:36 aleph-server-8 python3[853913]:     supervisor.run()
May 30 15:02:36 aleph-server-8 python3[853913]:   File "/opt/aleph-vm/aleph/vm/orchestrator/supervisor.py", line 150, in run
May 30 15:02:36 aleph-server-8 python3[853913]:     pool.setup()
May 30 15:02:36 aleph-server-8 python3[853913]:   File "/opt/aleph-vm/aleph/vm/pool.py", line 79, in setup
May 30 15:02:36 aleph-server-8 python3[853913]:     self.network.setup()
May 30 15:02:36 aleph-server-8 python3[853913]:   File "/opt/aleph-vm/aleph/vm/network/hostnetwork.py", line 161, in setup
May 30 15:02:36 aleph-server-8 python3[853913]:     initialize_nftables()
May 30 15:02:36 aleph-server-8 python3[853913]:   File "/opt/aleph-vm/aleph/vm/network/firewall.py", line 130, in initialize_nftables
May 30 15:02:36 aleph-server-8 python3[853913]:     raise NotImplementedError(msg)
May 30 15:02:36 aleph-server-8 python3[853913]: NotImplementedError: Multiple base chains for an nftables basechain are not supported: postrouting
hoh commented 1 month ago

Apparently a postrouting chain would already have been configured by Libvirt:

table ip6 nat {
        chain LIBVIRT_PRT {
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                counter packets 0 bytes 0 jump LIBVIRT_PRT
        }
}
table ip6 mangle {
        chain LIBVIRT_PRT {
        }

        chain POSTROUTING {
                type filter hook postrouting priority mangle; policy accept;
                counter packets 69910139 bytes 27400537652 jump LIBVIRT_PRT
        }
}
hoh commented 3 weeks ago

This is apparently due to Libvirt being installed on the machine, conflicting with the NFTables rules.
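The check that a practitioner would want before starting the orchestrator on a host that also runs libvirt is an inventory of which base chains are already attached to each netfilter hook, per address family. The script below is an added example and not aleph-vm's or libvirt's code; the page does not show what `initialize_nftables` in `firewall.py` actually does, so the "reuse the existing base chain" policy in `plan_nat_postrouting` is a hypothetical alternative, not the project's behaviour. The ruleset JSON is constructed by hand in the `nft -j list ruleset` schema to mirror the two libvirt `POSTROUTING` chains quoted above; on a real host it would come from `subprocess.run(["nft", "-j", "list", "ruleset"], capture_output=True, text=True).stdout`.

```python
"""Inventory nftables base chains per (family, hook) from `nft -j list ruleset` JSON.

Added example, not aleph-vm or libvirt code. SAMPLE_RULESET is constructed to
reproduce the libvirt ip6 nat / ip6 mangle POSTROUTING chains from the issue.
"""
import json
from collections import defaultdict

# Constructed sample in the libnftables JSON schema: only chains that carry
# "type", "hook" and "prio" are base chains; LIBVIRT_PRT is a regular chain
# reached by jump and never hooks the packet path itself.
SAMPLE_RULESET = json.dumps({
    "nftables": [
        {"metainfo": {"version": "1.0.6", "release_name": "Lester Gooch #5",
                      "json_schema_version": 1}},
        {"table": {"family": "ip6", "name": "nat", "handle": 1}},
        {"chain": {"family": "ip6", "table": "nat", "name": "LIBVIRT_PRT", "handle": 2}},
        {"chain": {"family": "ip6", "table": "nat", "name": "POSTROUTING", "handle": 3,
                   "type": "nat", "hook": "postrouting", "prio": 100, "policy": "accept"}},
        {"rule": {"family": "ip6", "table": "nat", "chain": "POSTROUTING", "handle": 4,
                  "expr": [{"counter": {"packets": 0, "bytes": 0}},
                           {"jump": {"target": "LIBVIRT_PRT"}}]}},
        {"table": {"family": "ip6", "name": "mangle", "handle": 5}},
        {"chain": {"family": "ip6", "table": "mangle", "name": "LIBVIRT_PRT", "handle": 6}},
        {"chain": {"family": "ip6", "table": "mangle", "name": "POSTROUTING", "handle": 7,
                   "type": "filter", "hook": "postrouting", "prio": -150, "policy": "accept"}},
        {"rule": {"family": "ip6", "table": "mangle", "chain": "POSTROUTING", "handle": 8,
                  "expr": [{"counter": {"packets": 69910139, "bytes": 27400537652}},
                           {"jump": {"target": "LIBVIRT_PRT"}}]}},
    ]
})


def base_chains(ruleset_json: str) -> dict:
    """Map (family, hook) -> base chains on that hook, ordered by priority (lowest runs first)."""
    hooks = defaultdict(list)
    for obj in json.loads(ruleset_json)["nftables"]:
        chain = obj.get("chain")
        if chain and "hook" in chain:  # base chains only
            hooks[(chain["family"], chain["hook"])].append({
                "table": chain["table"],
                "name": chain["name"],
                "type": chain["type"],
                "prio": chain["prio"],
            })
    for entries in hooks.values():
        entries.sort(key=lambda c: c["prio"])
    return dict(hooks)


def existing_base_chains(ruleset_json: str, family: str, hook: str, chain_type: str = None) -> list:
    """Base chains already registered on (family, hook), optionally restricted to one type.

    A non-empty result for ("ip6", "postrouting") is exactly the situation in
    which the orchestrator above raised NotImplementedError.
    """
    found = base_chains(ruleset_json).get((family, hook), [])
    if chain_type:
        found = [c for c in found if c["type"] == chain_type]
    return found


def plan_nat_postrouting(ruleset_json: str, family: str, table: str, chain: str) -> list:
    """Hypothetical policy (not aleph-vm's): never add a second NAT base chain on postrouting.

    If none exists, create our own table and base chain. If one exists, add a
    regular chain in the owner's table and jump to it, because nftables jump
    targets must live in the same table as the calling chain.
    """
    existing = existing_base_chains(ruleset_json, family, "postrouting", "nat")
    if not existing:
        return [
            f"add table {family} {table}",
            f"add chain {family} {table} {chain} "
            "{ type nat hook postrouting priority srcnat; policy accept; }",
        ]
    owner = existing[0]
    return [
        f"add chain {family} {owner['table']} {chain}",
        f"add rule {family} {owner['table']} {owner['name']} jump {chain}",
    ]


if __name__ == "__main__":
    for (family, hook), chains in sorted(base_chains(SAMPLE_RULESET).items()):
        print(family, hook, [f"{c['table']}/{c['name']}({c['type']},{c['prio']})" for c in chains])
    for family in ("ip", "ip6"):
        print("\n".join(plan_nat_postrouting(SAMPLE_RULESET, family, "aleph", "aleph_postrouting")))
```

Two caveats on the reuse path: nftables itself permits several base chains on one hook (they run in priority order), so the restriction is the orchestrator's, not the kernel's; and a chain placed inside libvirt's `ip6 nat` table is deleted together with that table if libvirt ever removes it, so a daemon that takes this route must re-check the ruleset on every start rather than assume its chain persists.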