Closed
Description
Is there an existing issue for this?
- There is no existing issue for this bug
Is this happening on an up to date version of Incus?
- This is happening on a supported version of Incus
Incus system details
incus 6.12
I can grab the full info if needed.
Instance details
No response
Instance log
No response
Current behavior
Crashes on application of preseed.
```
vm-test-run-incus-aarch64-linux> machine # [ 21.501427] systemd[1]: Starting Incus Container and Virtual Machine Management Daemon...
vm-test-run-incus-aarch64-linux> machine # [ 22.497308] incusd[982]: time="2025-04-25T19:48:02Z" level=warning msg="AppArmor support has been disabled because of lack of kernel support"
vm-test-run-incus-aarch64-linux> machine # [ 22.522181] incusd[982]: time="2025-04-25T19:48:02Z" level=warning msg=" - AppArmor support has been disabled, Disabled because of lack of kernel support"
vm-test-run-incus-aarch64-linux> machine # [ 22.546524] incusd[982]: time="2025-04-25T19:48:02Z" level=warning msg="Instance type not operational" driver=qemu err="KVM support is missing (no /dev/kvm)" type=virtual-machine
vm-test-run-incus-aarch64-linux> machine # [ 24.772647] incusd[982]: time="2025-04-25T19:48:04Z" level=warning msg="Failed to update instance types: Get \"https://images.linuxcontainers.org/meta/instance-types/.yaml\": lookup images.linuxcontainers.org: no such host"
vm-test-run-incus-aarch64-linux> machine # [ 24.773055] incusd[982]: time="2025-04-25T19:48:04Z" level=error msg="Failed updating instance types" err="Get \"https://images.linuxcontainers.org/meta/instance-types/.yaml\": lookup images.linuxcontainers.org: no such host"
vm-test-run-incus-aarch64-linux> machine # [ 24.972693] ovsdb-server[775]: ovs|00002|memory|INFO|5344 kB peak resident set size after 10.1 seconds
vm-test-run-incus-aarch64-linux> machine # [ 24.986484] ovsdb-server[775]: ovs|00003|memory|INFO|atoms:37 cells:39 json-caches:1 monitors:2 n-weak-refs:0 sessions:1
vm-test-run-incus-aarch64-linux> machine # [ 25.020856] systemd[1]: Started Incus Container and Virtual Machine Management Daemon.
vm-test-run-incus-aarch64-linux> machine # [ 25.034132] systemd[1]: Starting Incus initialization with preseed file...
vm-test-run-incus-aarch64-linux> machine # [ 25.045769] systemd[1]: Starting Incus Instances Startup/Shutdown...
vm-test-run-incus-aarch64-linux> machine # [ 25.154555] systemd[1]: Finished Incus Instances Startup/Shutdown.
vm-test-run-incus-aarch64-linux> machine # [ 25.165301] systemd[1]: Reached target Multi-User System.
vm-test-run-incus-aarch64-linux> (finished: waiting for unit incus.service, in 29.90 seconds)
vm-test-run-incus-aarch64-linux> machine: waiting for unit incus-preseed.service
vm-test-run-incus-aarch64-linux> machine # [ 26.706290] ovs-vswitchd[799]: ovs|00006|memory|INFO|4128 kB peak resident set size after 11.5 seconds
vm-test-run-incus-aarch64-linux> machine # [ 26.706520] ovs-vswitchd[799]: ovs|00007|memory|INFO|idl-cells-Open_vSwitch:17
vm-test-run-incus-aarch64-linux> machine # [ 26.707476] (udev-worker)[1050]: Network interface NamePolicy= disabled on kernel command line.
vm-test-run-incus-aarch64-linux> machine # [ 27.023505] incus-preseed-start[1035]: Error: Failed to create local member network "incusbr0" in project "default": Failed clearing firewall: Error in deletion of address sets: Failed to parse nft command output: json: cannot unmarshal array into Go struct field NftSet.nftables.set.type of type string
vm-test-run-incus-aarch64-linux> machine # [ 27.065589] systemd[1]: incus-preseed.service: Main process exited, code=exited, status=1/FAILURE
vm-test-run-incus-aarch64-linux> machine # [ 27.079232] systemd[1]: incus-preseed.service: Failed with result 'exit-code'.
vm-test-run-incus-aarch64-linux> machine # [ 27.091099] systemd[1]: Failed to start Incus initialization with preseed file.
vm-test-run-incus-aarch64-linux> machine # [ 27.102395] systemd[1]: Startup finished in 6.779s (kernel) + 20.299s (userspace) = 27.078s.
```
preseed
```yaml
networks:
  - config:
      ipv4.address: 10.0.10.1/24
      ipv4.nat: 'true'
    name: incusbr0
    type: bridge
  - config:
      bridge.driver: openvswitch
      ipv4.address: 10.0.20.1/24
      ipv4.nat: 'true'
    name: ovsbr0
    type: bridge
profiles:
  - devices:
      eth0:
        name: eth0
        network: incusbr0
        type: nic
      root:
        path: /
        pool: default
        size: 35GiB
        type: disk
    name: default
storage_pools:
  - driver: dir
    name: default
```
nft config
This is the nft we apply on boot, which is in place before incus starts.
```
#! /nix/store/b7qj7kq752c3gcmq7my7idy95x75n8fd-nftables-1.1.1/bin/nft -f
# previous deletions, if any
include "/var/lib/nftables/deletions.nft"
# current deletions
include "/nix/store/a1v8lzag6ba8x1fq5qlgfn53icasazcv-nftables-deletions"
table inet nixos-fw {
  set temp-ports {
    comment "Temporarily opened ports"
    type inet_proto . inet_service
    flags interval
    auto-merge
  }
  chain rpfilter {
    type filter hook prerouting priority mangle + 10; policy drop;
    meta nfproto ipv4 udp sport . udp dport { 67 . 68, 68 . 67 } accept comment "DHCPv4 client/server"
    fib saddr . mark . iif oif exists accept
    jump rpfilter-allow
  }
  chain rpfilter-allow {
  }
  chain input {
    type filter hook input priority filter; policy drop;
    iifname { "incusbr0", "lo" } accept comment "trusted interfaces"
    # Some ICMPv6 types like NDP is untracked
    ct state vmap {
      invalid : drop,
      established : accept,
      related : accept,
      new : jump input-allow,
      untracked: jump input-allow,
    }
    tcp flags syn / fin,syn,rst,ack log level info prefix "refused connection: "
  }
  chain input-allow {
    meta l4proto . th dport @temp-ports accept
    icmp type echo-request accept comment "allow ping"
    icmpv6 type != { nd-redirect, 139 } accept comment "Accept all ICMPv6 messages except redirects and node information queries (type 139). See RFC 4890, section 4.4."
    ip6 daddr fe80::/64 udp dport 546 accept comment "DHCPv6 client"
  }
}
```
Expected behavior
This is our typical test-case preseed, so I'd expect it to continue to apply cleanly.
Steps to reproduce
Not sure?
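An added example, not part of the original report and not Incus's own code: the `temp-ports` set above has a concatenated type (`inet_proto . inet_service`), and libnftables' JSON output renders a concatenated set type as an array rather than a string, which matches the `cannot unmarshal array ... set.type of type string` error in the log. The sketch below decodes both shapes; `setType`, `set`, `output`, `strictErr`, `parseSets` and the sample JSON are hypothetical names and constructed data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// setType accepts a set "type" given as one string or as an array of strings.
type setType []string
func (t *setType) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*t = setType{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(t)) // errors if it is neither shape
}

// set and output are hypothetical stand-ins; T is the Go type used for "type".
type set[T any] struct {
	Table, Name string
	Type        T
}
type output[T any] struct{ Nftables []struct{ Set *set[T] } }

// Constructed sample shaped like `nft -j list sets` output (not captured data).
const sample = `{"nftables":[{"metainfo":{"json_schema_version":1}},
 {"set":{"family":"inet","table":"nixos-fw","name":"temp-ports","type":["inet_proto","inet_service"]}},
 {"set":{"family":"inet","table":"example","name":"hosts","type":"ipv4_addr"}}]}`
// strictErr decodes "type" as a plain string and fails on the concatenated set.
func strictErr(raw string) error { return json.Unmarshal([]byte(raw), new(output[string])) }
// parseSets decodes both shapes and returns "table/name" -> type in nft syntax.
func parseSets(raw string) (map[string]string, error) {
	var out output[setType]
	if err := json.Unmarshal([]byte(raw), &out); err != nil {
		return nil, err
	}
	sets := map[string]string{}
	for _, e := range out.Nftables {
		if e.Set != nil { // skip metainfo and other non-set entries
			sets[e.Set.Table+"/"+e.Set.Name] = strings.Join(e.Set.Type, " . ")
		}
	}
	return sets, nil
}
func main() {
	fmt.Println(strictErr(sample))
	fmt.Println(parseSets(sample))
}
```

Any consumer of `nft -j` output that only manages its own tables still has to parse, or explicitly skip, sets created by other firewall tooling on the host.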