Comment # 9 on bug 1214160 from Robert Munteanu
(In reply to James Fehlig from comment #7)
> I forgot to set needinfo to Robert for my question in #6...
> 
> (In reply to Mohd Saquib from comment #4)
> > Hi,
> > firewalld maintainer here!
> 
> Thanks for taking a look!
> 
> > Yes there was a firewalld update recently but I highly doubt that this error
> > is due to that. Anyway I'll double check.
> 
> Robert already verified the issue was not caused by the firewalld update.
> Still, any help understanding the cause of "INVALID_ZONE: 'libvirt-routed'
> not among existing zones" error would be much appreciated.

I can share more information about my setup, if helpful. I am not sure I can
create an actual reproducer, since I don't have another bare metal machine
around. The setup (loosely) is the following:

- NFS server running on the host
- libvirt managing 3 VMs defined via
https://github.com/dmacvicar/terraform-provider-libvirt
- a kubernetes cluster provisioned using k3s is running on those machines
- a systemd unit opens up additional ports for the relevant firewalld zones

[Unit]
Description=Opens ports for libvirtd
Requires=libvirtd.service
After=libvirtd.service

[Service]
ExecStart=/usr/local/bin/libvirtd-open-ports.sh

[Install]
WantedBy=multi-user.target

The script currently casts a very wide net because of my troubleshooting

#!/bin/bash -eu

zones="libvirt libvirt-routed"
services="rpc-bind mountd nfs http mysql"
ports="7090/tcp 9115/tcp 9427/tcp" # Motion webcam, blackbox_exporter, ping exporter

for zone in ${zones}; do
    for svc in ${services}; do
        firewall-cmd --zone="${zone}" --add-service="${svc}"
    done

    for port in ${ports}; do
        firewall-cmd --zone="${zone}" --add-port="${port}"
    done
done


I am using a script instead of passing '--permanent' to firewall-cmd
invocations because it's easier for me to manage it with SaltStack.

I'm clearing needinfo in hope that it helps, feel free to request again.
