[Pkg-libvirt-maintainers] Bug#854241: libvirt-daemon-system: bridge networking fails with "Operation not permitted"
Michal Herko
misko.herko at gmail.com
Sun Feb 5 11:19:42 UTC 2017
Package: libvirt-daemon-system
Version: 3.0.0-2
Severity: normal

Dear Maintainer,

How to reproduce:

install gnome-boxes, libvirt-daemon-system, libvirt-clients

add bridge network with:

# virsh net-start default
# virsh net-autostart default
# echo "allow virbr0" > /etc/qemu/bridge.conf
# adduser heroin kvm
# adduser heroin qemu

try to start a virtual machine:

$ virsh start boxes-unknown

Expected:

virtual machine would start

Actual:

error: Failed to start domain boxes-unknown
error: internal error:
/usr/lib/qemu/qemu-bridge-helper --br=virbr0 --fd=25: failed to communicate with bridge helper: Transport endpoint is not connected
stderr=failed to create tun device: Operation not permitted

Workaround:

toggle the setuid bit on qemu-bridge-helper

# chmod +s /usr/lib/qemu/qemu-bridge-helper

virtual machine configuration http://pastebin.com/EBqKL455

-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libvirt-daemon-system depends on:
ii adduser 3.115
ii debconf [debconf-2.0] 1.5.60
ii gettext-base 0.19.8.1-2
ii init-system-helpers 1.47
ii iptables 1.6.0+snapshot20161117-5
ii libapparmor1 2.11.0-2
ii libaudit1 1:2.6.7-1
ii libblkid1 2.29.1-1
ii libc6 2.24-9
ii libcap-ng0 0.7.7-3
ii libdbus-1-3 1.10.14-1
ii libdevmapper1.02.1 2:1.02.137-1
ii libnl-3-200 3.2.27-1
ii libnl-route-3-200 3.2.27-1
ii libnuma1 2.0.11-2.1
ii librados2 10.2.5-6
ii librbd1 10.2.5-6
ii libselinux1 2.6-3
ii libvirt-clients 3.0.0-2
ii libvirt-daemon 3.0.0-2
ii libvirt0 3.0.0-2
ii libxml2 2.9.4+dfsg1-2.2
ii libyajl2 2.1.0-2
ii logrotate 3.11.0-0.1
ii lsb-base 9.20161125
ii policykit-1 0.105-17
Versions of packages libvirt-daemon-system recommends:
ii bridge-utils 1.5-11
ii dmidecode 3.0-4
ii dnsmasq-base 2.76-5
ii ebtables 2.0.10.4-3.5
ii iproute2 4.9.0-1
ii parted 3.2-17
Versions of packages libvirt-daemon-system suggests:
pn apparmor <none>
pn auditd <none>
pn nfs-common <none>
pn pm-utils <none>
pn radvd <none>
ii systemd 232-15
pn systemtap <none>
pn zfsutils <none>
-- Configuration Files:
/etc/libvirt/nwfilter/allow-arp.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit allow-arp
or other application using the libvirt API.
-->
<filter name='allow-arp' chain='arp' priority='-500'>
<uuid>08c762c7-8705-4fe0-b02f-406a715135ad</uuid>
<rule action='accept' direction='inout' priority='500'/>
</filter>
/etc/libvirt/nwfilter/allow-dhcp-server.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit allow-dhcp-server
or other application using the libvirt API.
-->
<filter name='allow-dhcp-server' chain='ipv4' priority='-700'>
<uuid>aef72e28-a8f4-4b87-a1c3-2c0743eb431a</uuid>
<rule action='accept' direction='out' priority='100'>
<ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/>
</rule>
<rule action='accept' direction='in' priority='100'>
<ip srcipaddr='$DHCPSERVER' protocol='udp' srcportstart='67' dstportstart='68'/>
</rule>
</filter>
/etc/libvirt/nwfilter/allow-dhcp.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit allow-dhcp
or other application using the libvirt API.
-->
<filter name='allow-dhcp' chain='ipv4' priority='-700'>
<uuid>e47023fd-bf93-4b81-b9ce-2231334b6245</uuid>
<rule action='accept' direction='out' priority='100'>
<ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/>
</rule>
<rule action='accept' direction='in' priority='100'>
<ip protocol='udp' srcportstart='67' dstportstart='68'/>
</rule>
</filter>
/etc/libvirt/nwfilter/allow-incoming-ipv4.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit allow-incoming-ipv4
or other application using the libvirt API.
-->
<filter name='allow-incoming-ipv4' chain='ipv4' priority='-700'>
<uuid>c408da24-bae8-434a-93a6-008262c4426e</uuid>
<rule action='accept' direction='in' priority='500'/>
</filter>
/etc/libvirt/nwfilter/allow-ipv4.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit allow-ipv4
or other application using the libvirt API.
-->
<filter name='allow-ipv4' chain='ipv4' priority='-700'>
<uuid>e320b4f2-f7b3-4d96-a0b4-eca6ae827cc6</uuid>
<rule action='accept' direction='inout' priority='500'/>
</filter>
/etc/libvirt/nwfilter/clean-traffic.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit clean-traffic
or other application using the libvirt API.
-->
<filter name='clean-traffic' chain='root'>
<uuid>e76af31c-d2f3-473d-8221-51e686164c5c</uuid>
<filterref filter='no-mac-spoofing'/>
<filterref filter='no-ip-spoofing'/>
<rule action='accept' direction='out' priority='-650'>
<mac protocolid='ipv4'/>
</rule>
<filterref filter='allow-incoming-ipv4'/>
<filterref filter='no-arp-spoofing'/>
<rule action='accept' direction='inout' priority='-500'>
<mac protocolid='arp'/>
</rule>
<filterref filter='no-other-l2-traffic'/>
<filterref filter='qemu-announce-self'/>
</filter>
/etc/libvirt/nwfilter/no-arp-ip-spoofing.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit no-arp-ip-spoofing
or other application using the libvirt API.
-->
<filter name='no-arp-ip-spoofing' chain='arp-ip' priority='-510'>
<uuid>1da0bf37-17ba-4ee2-8eaf-4e63f9d3acf9</uuid>
<rule action='return' direction='out' priority='400'>
<arp arpsrcipaddr='$IP'/>
</rule>
<rule action='drop' direction='out' priority='1000'/>
</filter>
/etc/libvirt/nwfilter/no-arp-mac-spoofing.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit no-arp-mac-spoofing
or other application using the libvirt API.
-->
<filter name='no-arp-mac-spoofing' chain='arp-mac' priority='-520'>
<uuid>e86e2a76-2f5d-42f7-a33a-e9b4ab37e443</uuid>
<rule action='return' direction='out' priority='350'>
<arp arpsrcmacaddr='$MAC'/>
</rule>
<rule action='drop' direction='out' priority='1000'/>
</filter>
/etc/libvirt/nwfilter/no-arp-spoofing.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit no-arp-spoofing
or other application using the libvirt API.
-->
<filter name='no-arp-spoofing' chain='root'>
<uuid>7b721ece-b57c-4188-ae8d-8bfc839803a7</uuid>
<filterref filter='no-arp-mac-spoofing'/>
<filterref filter='no-arp-ip-spoofing'/>
</filter>
/etc/libvirt/nwfilter/no-ip-multicast.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit no-ip-multicast
or other application using the libvirt API.
-->
<filter name='no-ip-multicast' chain='ipv4' priority='-700'>
<uuid>e59feaf2-38fa-44be-8808-05358a85860e</uuid>
<rule action='drop' direction='out' priority='500'>
<ip dstipaddr='224.0.0.0' dstipmask='4'/>
</rule>
</filter>
/etc/libvirt/nwfilter/no-ip-spoofing.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit no-ip-spoofing
or other application using the libvirt API.
-->
<filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'>
<uuid>9006ff51-a0f7-4283-9a86-4330631f00da</uuid>
<rule action='return' direction='out' priority='100'>
<ip srcipaddr='0.0.0.0' protocol='udp'/>
</rule>
<rule action='return' direction='out' priority='500'>
<ip srcipaddr='$IP'/>
</rule>
<rule action='drop' direction='out' priority='1000'/>
</filter>
/etc/libvirt/nwfilter/no-mac-broadcast.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit no-mac-broadcast
or other application using the libvirt API.
-->
<filter name='no-mac-broadcast' chain='ipv4' priority='-700'>
<uuid>82d46f6f-5f2d-48c6-98bd-14fcf9aaa434</uuid>
<rule action='drop' direction='out' priority='500'>
<mac dstmacaddr='ff:ff:ff:ff:ff:ff'/>
</rule>
</filter>
/etc/libvirt/nwfilter/no-mac-spoofing.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit no-mac-spoofing
or other application using the libvirt API.
-->
<filter name='no-mac-spoofing' chain='mac' priority='-800'>
<uuid>aea6f7d6-2252-4249-b779-a1d1a9e44d91</uuid>
<rule action='return' direction='out' priority='500'>
<mac srcmacaddr='$MAC'/>
</rule>
<rule action='drop' direction='out' priority='500'>
<mac/>
</rule>
</filter>
/etc/libvirt/nwfilter/no-other-l2-traffic.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit no-other-l2-traffic
or other application using the libvirt API.
-->
<filter name='no-other-l2-traffic' chain='root'>
<uuid>ebb75292-bff7-43e4-a7d9-6a944e1e9d4c</uuid>
<rule action='drop' direction='inout' priority='1000'/>
</filter>
/etc/libvirt/nwfilter/no-other-rarp-traffic.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit no-other-rarp-traffic
or other application using the libvirt API.
-->
<filter name='no-other-rarp-traffic' chain='rarp' priority='-400'>
<uuid>847204b6-bae9-461b-bcfd-1ab67aea755e</uuid>
<rule action='drop' direction='inout' priority='1000'/>
</filter>
/etc/libvirt/nwfilter/qemu-announce-self-rarp.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit qemu-announce-self-rarp
or other application using the libvirt API.
-->
<filter name='qemu-announce-self-rarp' chain='rarp' priority='-400'>
<uuid>6d350476-684f-4f14-bf1f-623b9791e112</uuid>
<rule action='accept' direction='out' priority='500'>
<rarp srcmacaddr='$MAC' dstmacaddr='ff:ff:ff:ff:ff:ff' opcode='Request_Reverse' arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC' arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
</rule>
<rule action='accept' direction='in' priority='500'>
<rarp dstmacaddr='ff:ff:ff:ff:ff:ff' opcode='Request_Reverse' arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC' arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
</rule>
</filter>
/etc/libvirt/nwfilter/qemu-announce-self.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit qemu-announce-self
or other application using the libvirt API.
-->
<filter name='qemu-announce-self' chain='root'>
<uuid>85f7db95-97a2-41e3-94bd-6927f13d6355</uuid>
<rule action='accept' direction='out' priority='500'>
<mac protocolid='0x835'/>
</rule>
<filterref filter='qemu-announce-self-rarp'/>
<filterref filter='no-other-rarp-traffic'/>
</filter>
/etc/libvirt/qemu/networks/default.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh net-edit default
or other application using the libvirt API.
-->
<network>
<name>default</name>
<uuid>7b311b6e-7055-4469-9187-1f14be446c73</uuid>
<forward mode='nat'/>
<bridge name='virbr0' stp='on' delay='0'/>
<mac address='52:54:00:12:01:7a'/>
<ip address='192.168.122.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.122.2' end='192.168.122.254'/>
</dhcp>
</ip>
</network>
-- debconf information:
libvirt-daemon-system/id_warning: true
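
Added example, not part of the original report: a shell sketch that checks the two things the workaround above depends on once the helper runs setuid, namely the mode bits on qemu-bridge-helper and what /etc/qemu/bridge.conf grants. The function names are hypothetical; the default paths are the ones quoted in the report, and allow, deny and include are the directives of the helper's ACL file.

```shell
#!/bin/sh
# Added example, not part of the bug report. Default paths are the ones
# quoted in the report; the function names are made up for this sketch.

# True if the file is writable by its group or by others.
is_loosely_writable() {
    [ -n "$(find "$1" \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]
}

# Report the special mode bits on the helper binary.
audit_helper() {
    helper=${1:-/usr/lib/qemu/qemu-bridge-helper}
    [ -e "$helper" ] || { echo "helper: missing"; return 0; }
    if [ -u "$helper" ]; then echo "helper: setuid"; else echo "helper: no-setuid"; fi
    # "chmod +s" sets setgid as well as setuid; "chmod u+s" sets setuid only.
    if [ -g "$helper" ]; then echo "helper: setgid"; fi
    if is_loosely_writable "$helper"; then echo "helper: writable-by-group-or-other"; fi
    return 0
}

# List what the ACL file grants; a setuid helper acts on these lines,
# so anyone who can edit the file decides which bridges users may join.
audit_acl() {
    acl=${1:-/etc/qemu/bridge.conf}
    [ -r "$acl" ] || { echo "acl: unreadable"; return 0; }
    if is_loosely_writable "$acl"; then echo "acl: writable-by-group-or-other"; fi
    # The "|| [ -n ... ]" keeps a last line that lacks a trailing newline.
    while read -r verb arg rest || [ -n "$verb" ]; do
        case "$verb" in
            ''|'#'*) ;;  # blank line or comment
            allow)
                if [ "$arg" = all ]; then echo "acl: allow-all"
                else echo "acl: allow $arg"; fi ;;
            deny|include) echo "acl: $verb $arg" ;;
            *) echo "acl: unknown-directive $verb" ;;
        esac
    done < "$acl"
    return 0
}

# Optional arguments: helper path, ACL path.
audit_helper "$1"
audit_acl "$2"
```

On the system described in the report after the workaround, the lines to look at are "helper: setgid" (a side effect of using +s rather than u+s) and any "acl:" line other than "acl: allow virbr0".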