sys-firewall broken, does not function as ProxyVM in R3.2 / xendriverdomain systemd service not enabled in Fedora #2141

adrelanos · Jul 1, 2016

Qubes OS version (e.g., `R3.1`):

R3.2 (testing repository)

Affected TemplateVMs (e.g., `fedora-23`, if applicable):

Probably any.

Expected behavior:

An arbitrary proxy VM with NetVM set to sys-firewall should just work. (ping, nslookup, wget, etc.)

Actual behavior:

An arbitrary proxy VM with NetVM set to sys-firewall does not work (ping, nslookup, wget, etc.).

Steps to reproduce the behavior:

Unclear, since it seems to be happening only to me.

General notes:

An arbitrary proxy VM (debian based) does not work behind sys-firewall. It however works behind sys-net.

Although this breaks Whonix by default, this bug report has been produced independent from Whonix. (sys-whonix does not work with its NetVM set to sys-firewall but it does work fine when set to sys-net.)

I have collected a ton of debug output.

Related issues:

Perhaps #1067.

Can't reproduce...
Are you sure that proxyVM is really connected to sys-firewall? It's IP address (10.137.1.8) suggests rather being connected to sys-net. But I can't see route to in in your sys-net routing table.

Does it happen only after dynamically switching netvm? Or also after fresh startup of said proxyvm?

marmarek · Jul 1, 2016

Can't reproduce...
Are you sure that proxyVM is really connected to sys-firewall? It's IP address (10.137.1.8) suggests rather being connected to sys-net. But I can't see route to in in your sys-net routing table.

Does it happen only after dynamically switching netvm? Or also after fresh startup of said proxyvm?

Are you sure that proxyVM is really connected to sys-firewall?

I am sure, but I will also test again.

Does it happen only after dynamically switching netvm? Or also after fresh startup of said proxyvm?

No dynamic netvm setting switching. Only manual fresh startup.

adrelanos · Jul 1, 2016

Are you sure that proxyVM is really connected to sys-firewall?

I am sure, but I will also test again.

Does it happen only after dynamically switching netvm? Or also after fresh startup of said proxyvm?

No dynamic netvm setting switching. Only manual fresh startup.

Yes, proxyvmtest and sys-whonix were rightly connected to sys-firewall. Just now verified that.

I noticed something that may or may not be related. Boot takes a long time. (Booting from an external USB 2.0 80 GB HDD. So not the fastest.) During the bootscreen I could see that sys-net start took ~ 1:40 min.

I shut down all VMs and manually run qvm-start proxyvmtest which resulted in sys-net, sys-firewall followed up by proxyvmtest to start just right in order. After doing that, both proxyvmtest and sys-whonix had functional networking. So they did after another reboot.

adrelanos · Jul 1, 2016

Yes, proxyvmtest and sys-whonix were rightly connected to sys-firewall. Just now verified that.

I noticed something that may or may not be related. Boot takes a long time. (Booting from an external USB 2.0 80 GB HDD. So not the fastest.) During the bootscreen I could see that sys-net start took ~ 1:40 min.

I shut down all VMs and manually run qvm-start proxyvmtest which resulted in sys-net, sys-firewall followed up by proxyvmtest to start just right in order. After doing that, both proxyvmtest and sys-whonix had functional networking. So they did after another reboot.

This may be #1990.

marmarek · Jul 1, 2016

This may be #1990.

@adrelanos Setting sys-firewall or vpn as my sys-whonix netvm does work. Also if I do sys-whonix-> vpn-> sys-firewall-> sys-net. Do your vms stay green when you boot up and reproduce this?

tasket · Jul 1, 2016

@adrelanos Setting sys-firewall or vpn as my sys-whonix netvm does work. Also if I do sys-whonix-> vpn-> sys-firewall-> sys-net. Do your vms stay green when you boot up and reproduce this?

I think they were all green.

(If they were not, I was discarding it as a minor unrelated bug #2128.)

adrelanos · Jul 2, 2016

I think they were all green.

(If they were not, I was discarding it as a minor unrelated bug #2128.)

@marmarek:

This may be #1990.

Do you mean the former, this whole ticket could be another manifestation of #1990 or did you mean the latter, the slow sys-net bootup could be #1990?

I booted that system again and after boot networking was broken again in proxyvmtest and sys-whonix.
All VMs had the green status in QVMM.
The proxyvmtest was surely connected to sys-firewall, I double checked this using qvm-prefs -l proxyvmtest. Also double checked, that sys-firewall is connected to sys-net using the same method.
Browser AppVM was connected to sys-firewall and fully functional.
sys-firewall test wget google.com, nslookup google.com, ping 8.8.8.8 (destination host unreachable) all failed.
After shutting down all VMs and restarting sys-whonix (thereby automatically sys-net and sys-firewall starting) made connectivity work for sys-whonix and proxyvmtest.
After yet another reboot, exactly the same as above happened.

Therefore there is a good chance I will be able to reproduce this again. In such a situation, would you desire any debug output or so?

adrelanos · Jul 2, 2016

@marmarek:

This may be #1990.

Do you mean the former, this whole ticket could be another manifestation of #1990 or did you mean the latter, the slow sys-net bootup could be #1990?

I booted that system again and after boot networking was broken again in proxyvmtest and sys-whonix.
All VMs had the green status in QVMM.
The proxyvmtest was surely connected to sys-firewall, I double checked this using qvm-prefs -l proxyvmtest. Also double checked, that sys-firewall is connected to sys-net using the same method.
Browser AppVM was connected to sys-firewall and fully functional.
sys-firewall test wget google.com, nslookup google.com, ping 8.8.8.8 (destination host unreachable) all failed.
After shutting down all VMs and restarting sys-whonix (thereby automatically sys-net and sys-firewall starting) made connectivity work for sys-whonix and proxyvmtest.
After yet another reboot, exactly the same as above happened.

Therefore there is a good chance I will be able to reproduce this again. In such a situation, would you desire any debug output or so?

Do you mean the former, this whole ticket could be another manifestation of #1990

Yes.

Therefore there is a good chance I will be able to reproduce this again. In such a situation, would you desire any debug output or so?

Check status of all the network interfaces on the way (ifconfig -a or ip link). If any of them (including vif*) is not in UP state, this is #1990.
In such a case, you can additionally confirm this by following this:

Take vif interface name, I'll use vif3.0 as an example.
Get those two numbers from it (3, 0)
Combine into xenstore path: backend/3/0/state
Check its content (in the VM where that interface live): xenstore-read backend/3/0/state - it's probably 3 or 2
Write the same value again: xenstore-write backend/3/0/state 2
Now the network should be fixed.

marmarek · Jul 3, 2016

Do you mean the former, this whole ticket could be another manifestation of #1990

Yes.

Therefore there is a good chance I will be able to reproduce this again. In such a situation, would you desire any debug output or so?

Check status of all the network interfaces on the way (ifconfig -a or ip link). If any of them (including vif*) is not in UP state, this is #1990.
In such a case, you can additionally confirm this by following this:

Take vif interface name, I'll use vif3.0 as an example.
Get those two numbers from it (3, 0)
Combine into xenstore path: backend/3/0/state
Check its content (in the VM where that interface live): xenstore-read backend/3/0/state - it's probably 3 or 2
Write the same value again: xenstore-write backend/3/0/state 2
Now the network should be fixed.

I was hoping the updates from #1990 would fix this. But they did not.

I verified that I have the version numbers advertised in #1990 in dom0, fedora, debian and Whonix templates.

xenstore-read backend/3/0/state did not work. Cannot read xenstore path. (xenstore-write did also not write.) Interface was 3, 0. And that interface was not up.

adrelanos · Jul 14, 2016

I was hoping the updates from #1990 would fix this. But they did not.

I verified that I have the version numbers advertised in #1990 in dom0, fedora, debian and Whonix templates.

xenstore-read backend/3/0/state did not work. Cannot read xenstore path. (xenstore-write did also not write.) Interface was 3, 0. And that interface was not up.

xenstore-read backend/3/0/state did not work.

My bad - there should be backend/vif/3/0/state.

marmarek · Jul 14, 2016

xenstore-read backend/3/0/state did not work.

My bad - there should be backend/vif/3/0/state.

xenstore-read/write works now. But the interface stays down so network cannot be restored that way. Updates from #1990 worsened the situation. Now also after shutting down all VMs and restarting them, connectivity cannot be restored and the vif interfaces stay downed.

Also since the #1990 updates, the VMs stay sometimes yellow in QVMM. Has this been reported somewhere already? May or may not be related.

adrelanos · Jul 14, 2016

xenstore-read/write works now. But the interface stays down so network cannot be restored that way. Updates from #1990 worsened the situation. Now also after shutting down all VMs and restarting them, connectivity cannot be restored and the vif interfaces stay downed.

Also since the #1990 updates, the VMs stay sometimes yellow in QVMM. Has this been reported somewhere already? May or may not be related.

What exactly version of qubes-core-agent do you have? 3.2.7 or 3.2.6?

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

marmarek · Jul 14, 2016

What exactly version of qubes-core-agent do you have? 3.2.7 or 3.2.6?

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

sys-whonix qubes-core-agent 3.1.17-1
Debain qubes-core-agent 3.2.6-1
Fedora qubes-core-vm 3.2.7-1
dom0 qubes-core-dom0 3.2.5-1

At the moment even browser AppVM connected directly to NetVM has no more internet access.

adrelanos · Jul 14, 2016

sys-whonix qubes-core-agent 3.1.17-1
Debain qubes-core-agent 3.2.6-1
Fedora qubes-core-vm 3.2.7-1
dom0 qubes-core-dom0 3.2.5-1

At the moment even browser AppVM connected directly to NetVM has no more internet access.

There was a bug in upgrade path in 3.2.6 fixed in 3.2.7. In short: you need to enable xendriverdomain service.

marmarek · Jul 14, 2016

There was a bug in upgrade path in 3.2.6 fixed in 3.2.7. In short: you need to enable xendriverdomain service.

(3.2.7 for Debian will be in a 15min)

marmarek · Jul 14, 2016

(3.2.7 for Debian will be in a 15min)

Hmm, but for Debian it isn't fixed there. Do you have sys-net/sys-firewall based on Debian? What is the status of xendriverdomain service there?

marmarek · Jul 14, 2016

Hmm, but for Debian it isn't fixed there. Do you have sys-net/sys-firewall based on Debian? What is the status of xendriverdomain service there?

Marek Marczykowski-Górecki:

Do you have sys-net/sys-firewall based on Debian?

No.

adrelanos · Jul 14, 2016

Marek Marczykowski-Górecki:

Do you have sys-net/sys-firewall based on Debian?

No.

What is the status of xendriverdomain service there?

marmarek · Jul 14, 2016

What is the status of xendriverdomain service there?

xendriverdomain was enabled (exit success) in Debian VMs. After upgrading to 3.2.7-1 this stayed the same. Exit success.

xendrivberdomain was previoulsy disabled indeed in Fedora template and enabling it fixed the networking issues.

Both, Fedora and Debian based browser VMs stay yellow in QVMM. Running konsole from QVMM keeps failing (tried 3 times each). QVMM reported qrexec not connected. Strangely however first try qvm-run browser konsole worked.

(Btw I didn't overlook your question. I wanted to answer an easy question (got Debian based sys-net|firewall?) first before I rebooted that broken system, gathered more debug output to answer the other question about xendriverdomain. Not sure that was useful or creating more confusion.)

adrelanos · Jul 15, 2016

xendriverdomain was enabled (exit success) in Debian VMs. After upgrading to 3.2.7-1 this stayed the same. Exit success.

xendrivberdomain was previoulsy disabled indeed in Fedora template and enabling it fixed the networking issues.

Both, Fedora and Debian based browser VMs stay yellow in QVMM. Running konsole from QVMM keeps failing (tried 3 times each). QVMM reported qrexec not connected. Strangely however first try qvm-run browser konsole worked.

(Btw I didn't overlook your question. I wanted to answer an easy question (got Debian based sys-net|firewall?) first before I rebooted that broken system, gathered more debug output to answer the other question about xendriverdomain. Not sure that was useful or creating more confusion.)

xendrivberdomain was previoulsy disabled indeed in Fedora template and enabling it fixed the networking issues.

So apparently 3.2.7 didn't fix this either... It is strange because on my system it was properly enabled. Can you check updates installation order (qubes-core-vm-3.2.[567] and xen-4.6.1-18)? It should be in /var/log/dnf.rpm.log.

marmarek · Jul 15, 2016

xendrivberdomain was previoulsy disabled indeed in Fedora template and enabling it fixed the networking issues.

So apparently 3.2.7 didn't fix this either... It is strange because on my system it was properly enabled. Can you check updates installation order (qubes-core-vm-3.2.[567] and xen-4.6.1-18)? It should be in /var/log/dnf.rpm.log.

Jul 14 22:21:28 INFO Upgraded: qubes-core-vm-3.2.7-1.fc23.x86_64
Jul 14 22:21:48 INFO Upgraded: xen-qubes-vm-2001:4.6.1-18.fc23.x86_64

adrelanos · Jul 15, 2016

Jul 14 22:21:28 INFO Upgraded: qubes-core-vm-3.2.7-1.fc23.x86_64
Jul 14 22:21:48 INFO Upgraded: xen-qubes-vm-2001:4.6.1-18.fc23.x86_64

Automated announcement from builder-github

The package xen-4.6.1-19.fc23 has been pushed to the r3.2 testing repository for the Fedora fc23 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r3.2-current-testing

QubesOS/qubes-issues

Join GitHub today

sys-firewall broken, does not function as ProxyVM in R3.2 / xendriverdomain systemd service not enabled in Fedora #2141

Comments

adrelanos commented Jul 1, 2016

Qubes OS version (e.g., R3.1):

Affected TemplateVMs (e.g., fedora-23, if applicable):

Expected behavior:

Actual behavior:

Steps to reproduce the behavior:

General notes:

Related issues:

This comment has been minimized.

marmarek commented Jul 1, 2016

This comment has been minimized.

adrelanos commented Jul 1, 2016

This comment has been minimized.

adrelanos commented Jul 1, 2016

This comment has been minimized.

marmarek commented Jul 1, 2016

This comment has been minimized.

tasket commented Jul 1, 2016

andrewdavidwong added this to the Release 3.2 milestone Jul 2, 2016

andrewdavidwong added bug C: core labels Jul 2, 2016

This comment has been minimized.

adrelanos commented Jul 2, 2016

This comment has been minimized.

adrelanos commented Jul 2, 2016

This comment has been minimized.

marmarek commented Jul 3, 2016

This comment has been minimized.

adrelanos commented Jul 14, 2016

This comment has been minimized.

marmarek commented Jul 14, 2016

This comment has been minimized.

adrelanos commented Jul 14, 2016

This comment has been minimized.

marmarek commented Jul 14, 2016

This comment has been minimized.

adrelanos commented Jul 14, 2016

This comment has been minimized.

marmarek commented Jul 14, 2016

This comment has been minimized.

marmarek commented Jul 14, 2016

This comment has been minimized.

marmarek commented Jul 14, 2016

This comment has been minimized.

adrelanos commented Jul 14, 2016

This comment has been minimized.

marmarek commented Jul 14, 2016

This comment has been minimized.

adrelanos commented Jul 15, 2016 • edited Edited 1 time adrelanos edited Feb 6, 2017 (most recent)

This comment has been minimized.

marmarek commented Jul 15, 2016

This comment has been minimized.

adrelanos commented Jul 15, 2016

marmarek closed this in marmarek/old-qubes-vmm-xen@ac8e04b Jul 15, 2016

adrelanos changed the title from sys-firewall broken, does not function as ProxyVM in R3.2 to sys-firewall broken, does not function as ProxyVM in R3.2 / xendriverdomain systemd service not enabled in Fedora Jul 16, 2016

adrelanos referenced this issue Jul 16, 2016

marmarek added a commit to marmarek/old-qubes-vmm-xen that referenced this issue Jul 17, 2016

marmarek added a commit to marmarek/old-qubes-core-agent-linux that referenced this issue Jul 17, 2016

This comment has been minimized.

marmarek commented Jul 17, 2016

marmarek added the r3.2-fc23-cur-test label Jul 17, 2016

This comment has been minimized.

marmarek commented Jul 17, 2016

marmarek added the r3.2-fc24-cur-test label Jul 17, 2016

This comment has been minimized.

marmarek commented Jul 17, 2016

marmarek added the r3.2-dom0-cur-test label Jul 17, 2016

This comment has been minimized.

marmarek commented Jul 17, 2016

marmarek added the r3.1-fc21-cur-test label Jul 17, 2016

This comment has been minimized.

marmarek commented Jul 17, 2016

marmarek added the r3.1-fc22-cur-test label Jul 17, 2016

This comment has been minimized.

marmarek commented Jul 17, 2016

marmarek added the r3.2-stretch-cur-test label Jul 17, 2016

This comment has been minimized.

Qubes OS version (e.g., `R3.1`):

Affected TemplateVMs (e.g., `fedora-23`, if applicable):

adrelanos commented Jul 15, 2016 •

edited

Edited 1 time

adrelanos edited Feb 6, 2017 (most recent)

marmarek closed this in `marmarek/old-qubes-vmm-xen@ac8e04b` Jul 15, 2016