crc-org / crc

CRC is a tool to help you run containers. It manages a local OpenShift 4.x cluster, Microshift or a Podman VM optimized for testing and development purposes
https://crc.dev
Apache License 2.0

[BUG] Add nftables support instead of requiring iptables #3158

Closed cipherboy closed 2 years ago

cipherboy commented 2 years ago

General information

CRC version

$ ./crc version
CRC version: 2.2.2+f1e1d3e
OpenShift version: 4.10.9
Podman version: 3.4.4

CRC status

$ ./crc status --log-level debug
DEBU CRC version: 2.2.2+f1e1d3e                   
DEBU OpenShift version: 4.10.9                    
DEBU Podman version: 3.4.4                        
DEBU Running 'crc status'                         
DEBU Checking file: /home/cipherboy/.crc/machines/crc/.crc-exist 
Machine does not exist. Use 'crc start' to create it

CRC config

$ ./crc config view
- consent-telemetry                     : no

Host Operating System

$ cat /etc/os-release
NAME="Fedora Linux"
VERSION="35 (Workstation Edition)"
ID=fedora
VERSION_ID=35
VERSION_CODENAME=""
PLATFORM_ID="platform:f35"
PRETTY_NAME="Fedora Linux 35 (Workstation Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:35"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f35/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=35
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=35
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Workstation Edition"
VARIANT_ID=workstation

Steps to reproduce

  1. Start from Fedora 35 host. Note that nftables is preferred over iptables.
  2. Run crc setup.
  3. Watch it fail

Expected

Expected crc to be Fedora 35 aware considering Fedora 36 is almost out the door. :-)

Actual

[cipherboy@xps15 crc-linux-2.2.2-amd64]$ ./crc setup
CRC is constantly improving and we would like to know more about usage (more details at https://developers.redhat.com/article/tool-data-collection)
Your preference can be changed manually if desired using 'crc config set consent-telemetry <yes/no>'
Would you like to contribute anonymous usage statistics? [y/N]: N
No worry, you can still enable telemetry manually with the command 'crc config set consent-telemetry yes'.
INFO Using bundle path /home/cipherboy/.crc/cache/crc_libvirt_4.10.9_amd64.crcbundle 
INFO Checking if running as non-root              
INFO Checking if running inside WSL2              
INFO Checking if crc-admin-helper executable is cached 
INFO Caching crc-admin-helper executable          
INFO Using root access: Changing ownership of /home/cipherboy/.crc/bin/crc-admin-helper-linux 
[sudo] password for cipherboy: 
Sorry, try again.
[sudo] password for cipherboy: 
INFO Using root access: Setting suid for /home/cipherboy/.crc/bin/crc-admin-helper-linux 
INFO Checking for obsolete admin-helper executable 
INFO Checking if running on a supported CPU architecture 
INFO Checking minimum RAM requirements            
INFO Checking if crc executable symlink exists    
INFO Creating symlink for crc executable          
INFO Checking if Virtualization is enabled        
INFO Checking if KVM is enabled                   
INFO Checking if libvirt is installed             
INFO Checking if user is part of libvirt group    
INFO Checking if active user/process is currently part of the libvirt group 
INFO Checking if libvirt daemon is running        
INFO Checking if a supported libvirt version is installed 
INFO Checking if crc-driver-libvirt is installed  
INFO Installing crc-driver-libvirt                
INFO Checking crc daemon systemd service          
INFO Setting up crc daemon systemd service        
INFO Checking crc daemon systemd socket units     
INFO Setting up crc daemon systemd socket units   
INFO Checking if systemd-networkd is running      
INFO Checking if NetworkManager is installed      
INFO Checking if NetworkManager service is running 
INFO Checking if dnsmasq configurations file exist for NetworkManager 
INFO Checking if the systemd-resolved service is running 
INFO Checking if /etc/NetworkManager/dispatcher.d/99-crc.sh exists 
INFO Writing NetworkManager dispatcher file for crc 
INFO Using root access: Writing NetworkManager configuration to /etc/NetworkManager/dispatcher.d/99-crc.sh 
INFO Using root access: Changing permissions for /etc/NetworkManager/dispatcher.d/99-crc.sh to 755  
INFO Using root access: Executing systemctl daemon-reload command 
INFO Using root access: Executing systemctl reload NetworkManager 
INFO Checking if libvirt 'crc' network is available 
INFO Setting up libvirt 'crc' network             
INFO Checking if libvirt 'crc' network is active  
INFO Starting libvirt 'crc' network               
Failed to start libvirt 'crc' network 
 exit status 1: error: Failed to start network crc
error: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --insert LIBVIRT_INP --in-interface crc --protocol tcp --destination-port 67 --jump ACCEPT: iptables: No chain/target/match by that name.

Logs

Before gathering the logs, try the following to see if it fixes your issue:

$ crc delete -f
$ crc cleanup
$ crc setup
$ crc start --log-level debug

Same error during setup ^

Please consider posting the output of crc start --log-level debug on http://gist.github.com/ and post the link in the issue.

^ fails due to CRC not being set up.

It seems this is a rough duplicate of earlier issues (#1812 and #494), except those systems were slated to use iptables and we should now be preferring nftables on newer Fedora systems.

$ sudo nft list tables
table inet firewalld
$ sudo nft list table inet firewalld
... lots of output ...

cfergeau commented 2 years ago

crc creates a libvirt network using virsh net-define, which is what is failing here

    NetworkTemplate = `<network>
    <name>{{ .NetworkName }}</name>
    <uuid>49eee855-d342-46c3-9ed3-b8d1758814cd</uuid>
    <forward mode='nat'>
      <nat>
        <port start='1024' end='65535'/>
      </nat>
    </forward>
    <bridge name='crc' stp='on' delay='0'/>
    <mac address='52:54:00:fd:be:d0'/>
    <ip family='ipv4' address='192.168.130.1' prefix='24'>
      <dhcp>
        <host mac='{{ .MAC }}' ip='{{ .IP }}'/>
      </dhcp>
    </ip>
  </network>`

(the {{ }} variables are substituted with actual values). I don't know what triggers the use of iptables instead of nftables in this definition, but this is not directly triggered by crc, but looks more like a libvirt issue.

gbraad commented 2 years ago

What does Fedora in general do when it comes to nftables? Perhaps file an issue and link here to track.

cipherboy commented 2 years ago

That was linked above: https://fedoraproject.org/wiki/Changes/firewalld_default_to_nftables#Dependencies and previously (in F32) https://fedoraproject.org/wiki/Changes/iptables-nft-default

Notably, it says it deps on libvirt >= 5.1.0 and I'm at libvirt-7.6.0-5.fc35.x86_64 so that shouldn't be the issue.

I had other VMs running at the time of trying to run crc setup and they were working fine; I wonder if perhaps there's a change elsewhere? It seems unrelated to this BZ as I don't have a ZONE_CONFLICT line in my journalctl entries. The older libvirt BZ mentioning LIBVIRT_INP also doesn't seem to apply as it's before the iptables->nft switch of F32 and later firewalld update in F35.

Happy to provide any other debugging info. I have both Docker (from Moby, not the Fedora repos version) and Podman present, I wonder if there's a conflict with one of those? I've not used anything but the default networks with them, though.

cfergeau commented 2 years ago

One thing you could try is to copy this in a net.xml file:

<network>
  <name>crc-test</name>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='crc-test' stp='on' delay='0'/>
  <ip family='ipv4' address='192.168.131.1' prefix='24'>
    <dhcp>
      <host mac='52:fd:fc:07:21:83' ip='192.168.131.11'/>
    </dhcp>
  </ip>
</network>

and then sudo virsh net-define ./net.xml and sudo virsh net-start crc-test to see if this reproduces this issue. Also make sure you don't have a second libvirt install in your path which would be used instead of the system one.

cfergeau commented 2 years ago

I tried crc setup on a fresh fedora 35 install, and it is working fine. Both iptables -L and nft list chains show a LIBVIRT_INP chain. Not sure what's going on with your system.

cipherboy commented 2 years ago

Hmm, interesting. Yeah, I just retried this again after a fresh boot and I had iptables -S output from libvirt and the XML snippet applied fine.

JournalCTL Logs

Nothing really stands out there to me. The internal error: is duplicated from the first message, but otherwise nothing else really seems interesting.

I've been able to get down to an empty iptables -S after reloading firewalld but that doesn't appear to persist long (libvirtd will usually detect it and re-apply the chains quickly).

Must've been a glitch in the matrix, I'll go ahead and close then. Sorry for the noise!
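
The checks used in this thread (which chain libvirt's error names, whether `iptables -S` still lists the libvirt chains, and which backend the `iptables` binary drives) can be scripted. The following is an added example, not code from crc or libvirt; the function names, the `iptables -S` listings and the version string are constructed, and the four chain names besides LIBVIRT_INP are libvirt's other filter-table chains rather than names taken from the thread.

```shell
#!/bin/sh
# Triage for libvirt's "No chain/target/match by that name" failure.

# Filter-table chains libvirt manages. Only LIBVIRT_INP is named in the
# thread; the other four are added here.
LIBVIRT_FILTER_CHAINS="LIBVIRT_INP LIBVIRT_OUT LIBVIRT_FWO LIBVIRT_FWI LIBVIRT_FWX"

# Error text quoted from the failing `crc setup` run in this thread.
THREAD_ERR="error: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --insert LIBVIRT_INP --in-interface crc --protocol tcp --destination-port 67 --jump ACCEPT: iptables: No chain/target/match by that name."

# Constructed `iptables -S` listing: chains gone (e.g. after a firewalld reload).
RULES_EMPTY='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed `iptables -S` listing: libvirtd has re-applied its chains.
RULES_OK='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N LIBVIRT_FWI
-N LIBVIRT_FWO
-N LIBVIRT_FWX
-N LIBVIRT_INP
-N LIBVIRT_OUT
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT'

# Print the chain libvirt tried to insert into, but only for the
# "No chain/target/match" failure; print nothing for any other error.
failed_chain() {
    case "$1" in
        *"No chain/target/match by that name"*) ;;
        *) return 0 ;;
    esac
    printf '%s\n' "$1" | sed -n 's/.*--insert \([A-Za-z0-9_]*\) .*/\1/p'
}

# Classify `iptables --version` output: nf_tables, legacy or unknown.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Read `iptables -S` output on stdin and print the libvirt chains that are
# not declared (-N) in it, space separated. Empty output: all present.
missing_libvirt_chains() {
    rules=$(cat)
    absent=""
    for c in $LIBVIRT_FILTER_CHAINS; do
        if ! printf '%s\n' "$rules" | grep -qx -- "-N $c"; then
            absent="${absent:+$absent }$c"
        fi
    done
    printf '%s\n' "$absent"
}

# $1 = libvirt error text, $2 = `iptables --version` output,
# stdin = `iptables -S` output. Prints a one-line verdict.
triage() {
    bad=$(failed_chain "$1")
    backend=$(iptables_backend "$2")
    missing=$(missing_libvirt_chains)
    if [ -z "$bad" ]; then
        echo "not a missing-chain error"
    elif [ -z "$missing" ]; then
        echo "chains present in $backend backend"
    else
        echo "missing in $backend backend: $missing"
    fi
}

# Demo on the constructed listings (version string is constructed too).
printf '%s\n' "$RULES_EMPTY" | triage "$THREAD_ERR" "iptables v1.8.7 (nf_tables)"
printf '%s\n' "$RULES_OK"    | triage "$THREAD_ERR" "iptables v1.8.7 (nf_tables)"
```

On a live host, pipe `sudo iptables -S` into `triage`, passing the libvirtd error text and the output of `iptables --version` as its two arguments.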