[Pkg-libvirt-maintainers] Bug#932456: libvirt-daemon-system: blockcommit => permission denied
Benoit Panizzon
panizzon at woody.ch
Fri Jul 19 16:40:18 BST 2019
Package: libvirt-daemon-system
Version: 5.0.0-4
Severity: important
Dear Maintainer,
After upgrading my virtual 'hosting' machine to Buster, I snapshotted a first guest.
Now I am not able to blockcommit the snapshot back to the backing image
to be able to grow the FS.
Also the snapshot is quickly growing.
I am pretty much at a loss about the cause. Google found a couple of hints
that apparmor is the culprit. So I did try to run everything under
aa-complain with no success.
I did try to disable apparmor or the libvirtd profile on apparmor as well, no joy!
I did a chmod 777 on the directory with the images and a chmod 666
on the images themselves. So I'm pretty sure it's not a file
permission issue.
# virsh blockcommit hathi vda --active --verbose --pivot
error: internal error: unable to execute QEMU command 'block-commit': Could not reopen file: Permission denied
Jul 19 17:33:08 pulsar kernel: [ 1904.061499] audit: type=1400 audit(1563550388.502:120): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="libvirt-402562bd-e0cd-9bcd-7455-4c3833e60907" pid=5933 comm="apparmor_parser"
Jul 19 17:33:08 pulsar libvirtd[3145]: internal error: unable to execute QEMU command 'block-commit': Could not reopen file: Permission denied
Jul 19 17:33:08 pulsar kernel: [ 1904.202315] audit: type=1400 audit(1563550388.642:121): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="libvirt-402562bd-e0cd-9bcd-7455-4c3833e60907" pid=5937 comm="apparmor_parser"
Any hints on how to solve the issue are greatly appreciated.
-Benoit-
-- System Information:
Debian Release: 10.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8), LANGUAGE=de_CH:de (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libvirt-daemon-system depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.71
ii gettext-base 0.19.8.1-9
ii iptables 1.8.2-4
ii libacl1 2.2.53-4
ii libapparmor1 2.13.2-10
ii libaudit1 1:2.8.4-3
ii libblkid1 2.33.1-0.1
ii libc6 2.28-10
ii libcap-ng0 0.7.9-2
ii libdbus-1-3 1.12.16-1
ii libdevmapper1.02.1 2:1.02.155-3
ii libgnutls30 3.6.7-4
ii libnl-3-200 3.4.0-1
ii libnl-route-3-200 3.4.0-1
ii libnuma1 2.0.12-1
ii libselinux1 2.8-1+b1
ii libvirt-clients 5.0.0-4
ii libvirt-daemon 5.0.0-4
ii libvirt0 5.0.0-4
ii libxml2 2.9.4+dfsg1-7+b3
ii libyajl2 2.1.0-3
ii logrotate 3.14.0-4
ii lsb-base 10.2019051400
ii policykit-1 0.105-25
Versions of packages libvirt-daemon-system recommends:
ii dmidecode 3.2-1
ii dnsmasq-base [dnsmasq-base] 2.80-1
ii iproute2 4.20.0-2
ii parted 3.2-25
Versions of packages libvirt-daemon-system suggests:
ii apparmor 2.13.2-10
pn auditd <none>
ii nfs-common 1:1.3.4-2.5
pn open-iscsi <none>
pn pm-utils <none>
pn radvd <none>
ii systemd 241-5
pn systemtap <none>
pn zfsutils <none>
-- Configuration Files:
/etc/apparmor.d/usr.sbin.libvirtd changed:
@{LIBVIRT}="libvirt"
/usr/sbin/libvirtd flags=(attach_disconnected, complain) {
#include <abstractions/base>
#include <abstractions/dbus>
capability kill,
capability net_admin,
capability net_raw,
capability setgid,
capability sys_admin,
capability sys_module,
capability sys_ptrace,
capability sys_pacct,
capability sys_nice,
capability sys_chroot,
capability setuid,
capability dac_override,
capability dac_read_search,
capability fowner,
capability chown,
capability setpcap,
capability mknod,
capability fsetid,
capability audit_write,
capability ipc_lock,
# Needed for vfio
capability sys_resource,
mount options=(rw,rslave) -> /,
mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
# libvirt provides any mounts under /dev to qemu namespaces
mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/,
mount options=(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/},
mount options=(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/,
mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**,
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,
network netlink raw,
network packet dgram,
network packet raw,
# for --p2p migrations
unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
ptrace (read,trace) peer=unconfined,
ptrace (read,trace) peer=/usr/sbin/libvirtd,
ptrace (read,trace) peer=/usr/sbin/dnsmasq,
ptrace (read,trace) peer=libvirt-*,
signal (send) peer=/usr/sbin/dnsmasq,
signal (read, send) peer=libvirt-*,
signal (send) set=("kill", "term") peer=unconfined,
# For communication/control to qemu-bridge-helper
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
signal (send) set=("term") peer=/usr/sbin/libvirtd//qemu_bridge_helper,
# allow connect with openGraphicsFD, direction reversed in newer versions
unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
# unconfined also required if guests run without security module
unix (send, receive) type=stream addr=none peer=(label=unconfined),
# required if guests run unconfined seclabel type='none' but libvirtd is confined
signal (read, send) peer=unconfined,
# Very lenient profile for libvirtd since we want to first focus on confining
# the guests. Guests will have a very restricted profile.
/ r,
/** rwmkl,
/bin/* PUx,
/sbin/* PUx,
/usr/bin/* PUx,
/usr/sbin/virtlogd pix,
/usr/sbin/* PUx,
/{usr/,}lib/udev/scsi_id PUx,
/usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
/usr/{lib,lib64}/xen/bin/* Ux,
/usr/lib/xen-*/bin/libxl-save-helper PUx,
# Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
# read and run an ebtables script.
/var/lib/libvirt/virtd* ixr,
# force the use of virt-aa-helper
audit deny /{usr/,}sbin/apparmor_parser rwxl,
audit deny /etc/apparmor.d/libvirt/** wxl,
audit deny /sys/kernel/security/apparmor/features rwxl,
audit deny /sys/kernel/security/apparmor/matching rwxl,
audit deny /sys/kernel/security/apparmor/.* rwxl,
/sys/kernel/security/apparmor/profiles r,
/usr/{lib,lib64}/libvirt/* PUxr,
/usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
/usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
/etc/libvirt/hooks/** rmix,
/etc/xen/scripts/** rmix,
# allow changing to our UUID-based named profiles
change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
# child profile for bridge helper process
profile qemu_bridge_helper {
#include <abstractions/base>
capability setuid,
capability setgid,
capability setpcap,
capability net_admin,
network inet stream,
# For communication/control from libvirtd
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
signal (receive) set=("term") peer=/usr/sbin/libvirtd,
/dev/net/tun rw,
/etc/qemu/** r,
owner @{PROC}/*/status r,
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
}
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.libvirtd>
}
/etc/default/libvirt-guests changed:
ON_BOOT=start
START_DELAY=10
ON_SHUTDOWN=susped
PARALLEL_SHUTDOWN=3
/etc/default/libvirtd changed:
start_libvirtd="yes"
libvirtd_opts="-l"
/etc/init.d/libvirtd changed:
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
export PATH
DAEMON=/usr/sbin/libvirtd
NAME=libvirtd
DESC="libvirt management daemon"
cgroups="cpuset cpu cpuacct devices freezer net_cls blkio perf_event"
! grep -qs cgroup_enable=memory /proc/cmdline || cgroups="$cgroups memory"
test -x $DAEMON || exit 0
echo TEST2
. /lib/lsb/init-functions
echo TEST
PIDFILE=/var/run/$NAME.pid
DODTIME=1 # Time to wait for the server to die, in seconds
if [ -f /etc/default/libvirtd ] ; then
. /etc/default/libvirtd
fi
check_start_libvirtd_option() {
if [ ! "$start_libvirtd" = "yes" ]; then
log_warning_msg "Not starting libvirt management daemon libvirtd, disabled via /etc/default/libvirtd"
return 1
else
return 0
fi
}
running_pid()
{
# Check if a given process pid's cmdline matches a given name
pid=$1
name=$2
[ -z "$pid" ] && return 1
[ ! -d /proc/$pid ] && return 1
cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1`
# Is this the expected child?
[ "$cmd" != "$name" ] && return 1
return 0
}
running()
{
# No pidfile, probably no daemon present
[ ! -f "$PIDFILE" ] && return 1
# Obtain the pid and check it against the binary name
pid=`cat $PIDFILE`
running_pid $pid $DAEMON || return 1
return 0
}
systemd_running()
{
if [ -d /run/systemd/system ] ; then
return 0
fi
return 1
}
mount_cgroups()
{
if ! systemd_running
then
mount -t tmpfs cgroup_root /sys/fs/cgroup || return 1
for M in $cgroups; do
mkdir /sys/fs/cgroup/$M || return 1
mount -t cgroup -o rw,nosuid,nodev,noexec,relatime,$M "cgroup_${M}" "/sys/fs/cgroup/${M}" || return 1
done
else
log_warning_msg "Systemd running, skipping cgroup mount."
fi
}
umount_cgroups()
{
if ! systemd_running
then
for M in $cgroups; do
umount "cgroup_${M}"
rmdir /sys/fs/cgroup/$M
done
umount cgroup_root
else
log_warning_msg "Systemd running, skipping cgroup mount."
fi
}
check_mount_cgroup_options() {
if [ ! "$mount_cgroups" = "yes" ]; then
return 1
else
return 0
fi
}
force_stop() {
[ ! -f "$PIDFILE" ] && return
if running ; then
kill -15 $pid
# Is it really dead?
[ -n "$DODTIME" ] && sleep "$DODTIME"s
if running ; then
kill -9 $pid
[ -n "$DODTIME" ] && sleep "$DODTIME"s
if running ; then
echo "Cannot kill $LABEL (pid=$pid)!"
exit 1
fi
fi
fi
rm -f $PIDFILE
return 0
}
case "$1" in
start)
if check_start_libvirtd_option; then
log_daemon_msg "Starting $DESC" "$NAME"
if running ; then
log_progress_msg "already running"
log_end_msg 0
exit 0
fi
rm -f /var/run/libvirtd.pid
if check_mount_cgroup_options; then
if ! mount_cgroups;then
log_warning_msg "Can not mount cgroups layout"
exit 1
fi
fi
start-stop-daemon --start --quiet --pidfile $PIDFILE \
--exec $DAEMON -- -d $libvirtd_opts
if running; then
log_end_msg 0
else
log_end_msg 1
fi
fi
;;
stop)
log_daemon_msg "Stopping $DESC" "$NAME"
if ! running ; then
log_progress_msg "not running"
log_end_msg 0
exit 0
fi
if check_mount_cgroup_options; then
umount_cgroups
fi
start-stop-daemon --stop --quiet --pidfile $PIDFILE \
--exec $DAEMON
log_end_msg 0
;;
force-stop)
log_daemon_msg "Forcefully stopping $DESC" "$NAME"
force_stop
if ! running; then
log_end_msg 0
else
log_end_msg 1
fi
;;
restart)
if check_start_libvirtd_option; then
log_daemon_msg "Restarting $DESC" "$DAEMON"
start-stop-daemon --oknodo --stop --quiet --pidfile \
/var/run/$NAME.pid --exec $DAEMON
[ -n "$DODTIME" ] && sleep $DODTIME
start-stop-daemon --start --quiet --pidfile \
/var/run/$NAME.pid --exec $DAEMON -- -d $libvirtd_opts
if running; then
log_end_msg 0
else
log_end_msg 1
fi
fi
;;
reload|force-reload)
if running; then
log_daemon_msg "Reloading configuration of $DESC" "$NAME"
start-stop-daemon --stop --signal 1 --quiet --pidfile \
/var/run/$NAME.pid --exec $DAEMON
log_end_msg 0
else
log_warning_msg "libvirtd not running, doing nothing."
fi
;;
status)
log_daemon_msg "Checking status of $DESC" "$NAME"
if running ; then
log_progress_msg "running"
log_end_msg 0
else
log_progress_msg "not running"
log_end_msg 1
if [ -f "$PIDFILE" ] ; then
exit 1
else
exit 3
fi
fi
;;
*)
N=/etc/init.d/libvirtd
echo "Usage: $N {start|stop|restart|reload|force-reload|status|force-stop}" >&2
exit 1
;;
esac
exit 0
/etc/libvirt/libvirtd.conf changed:
listen_tls = 0
listen_tcp = 1
unix_sock_group = "libvirt"
unix_sock_ro_perms = "0777"
unix_sock_rw_perms = "0770"
unix_sock_dir = "/var/run/libvirt"
auth_unix_ro = "none"
auth_unix_rw = "none"
auth_tcp = "sasl"
/etc/libvirt/nwfilter/allow-arp.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit allow-arp
or other application using the libvirt API.
-->
<filter name='allow-arp' chain='arp' priority='-500'>
<uuid>d0abceab-e2b4-4cc3-93d6-dc3ea426edf3</uuid>
<rule action='accept' direction='inout' priority='500'/>
</filter>
/etc/libvirt/nwfilter/allow-dhcp-server.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit allow-dhcp-server
or other application using the libvirt API.
-->
<filter name='allow-dhcp-server' chain='ipv4' priority='-700'>
<uuid>6fccac6f-0f2e-4e6a-93c7-a9d523bc4dab</uuid>
<rule action='accept' direction='out' priority='100'>
<ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/>
</rule>
<rule action='accept' direction='in' priority='100'>
<ip srcipaddr='$DHCPSERVER' protocol='udp' srcportstart='67' dstportstart='68'/>
</rule>
</filter>
/etc/libvirt/nwfilter/allow-dhcp.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit allow-dhcp
or other application using the libvirt API.
-->
<filter name='allow-dhcp' chain='ipv4' priority='-700'>
<uuid>5a543ad3-1b04-498f-a52e-23a538040e58</uuid>
<rule action='accept' direction='out' priority='100'>
<ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/>
</rule>
<rule action='accept' direction='in' priority='100'>
<ip protocol='udp' srcportstart='67' dstportstart='68'/>
</rule>
</filter>
/etc/libvirt/nwfilter/allow-incoming-ipv4.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit allow-incoming-ipv4
or other application using the libvirt API.
-->
<filter name='allow-incoming-ipv4' chain='ipv4' priority='-700'>
<uuid>1950e05d-12e5-4f06-a3ef-23f9dae8141a</uuid>
<rule action='accept' direction='in' priority='500'/>
</filter>
/etc/libvirt/nwfilter/allow-ipv4.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit allow-ipv4
or other application using the libvirt API.
-->
<filter name='allow-ipv4' chain='ipv4' priority='-700'>
<uuid>ff143dbd-a11b-4dbc-81fd-397c87ce1a94</uuid>
<rule action='accept' direction='inout' priority='500'/>
</filter>
/etc/libvirt/nwfilter/clean-traffic-gateway.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit clean-traffic-gateway
or other application using the libvirt API.
-->
<filter name='clean-traffic-gateway' chain='root'>
<uuid>9b94ec17-4ae0-4222-8783-77f1aefe66c2</uuid>
<filterref filter='no-mac-spoofing'/>
<filterref filter='no-ip-spoofing'/>
<filterref filter='no-arp-spoofing'/>
<rule action='accept' direction='inout' priority='-500'>
<mac protocolid='arp'/>
</rule>
<rule action='accept' direction='in' priority='500'>
<mac srcmacaddr='$GATEWAY_MAC'/>
</rule>
<rule action='accept' direction='out' priority='500'>
<mac dstmacaddr='$GATEWAY_MAC'/>
</rule>
<filterref filter='no-other-l2-traffic'/>
<filterref filter='qemu-announce-self'/>
</filter>
/etc/libvirt/nwfilter/clean-traffic.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit clean-traffic
or other application using the libvirt API.
-->
<filter name='clean-traffic' chain='root'>
<uuid>b28d72d9-1c54-463d-bb09-ae2fb40554ec</uuid>
<filterref filter='no-mac-spoofing'/>
<filterref filter='no-ip-spoofing'/>
<rule action='accept' direction='out' priority='-650'>
<mac protocolid='ipv4'/>
</rule>
<filterref filter='allow-incoming-ipv4'/>
<filterref filter='no-arp-spoofing'/>
<rule action='accept' direction='inout' priority='-500'>
<mac protocolid='arp'/>
</rule>
<filterref filter='no-other-l2-traffic'/>
<filterref filter='qemu-announce-self'/>
</filter>
/etc/libvirt/nwfilter/no-arp-ip-spoofing.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit no-arp-ip-spoofing
or other application using the libvirt API.
-->
<filter name='no-arp-ip-spoofing' chain='arp-ip' priority='-510'>
<uuid>53a5762e-5ef0-4830-8032-2290974116c5</uuid>
<rule action='return' direction='out' priority='400'>
<arp arpsrcipaddr='$IP'/>
</rule>
<rule action='drop' direction='out' priority='1000'/>
</filter>
/etc/libvirt/nwfilter/no-arp-mac-spoofing.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit no-arp-mac-spoofing
or other application using the libvirt API.
-->
<filter name='no-arp-mac-spoofing' chain='arp-mac' priority='-520'>
<uuid>183a713b-d051-4613-9d33-ecc67f5b22c9</uuid>
<rule action='return' direction='out' priority='350'>
<arp arpsrcmacaddr='$MAC'/>
</rule>
<rule action='drop' direction='out' priority='1000'/>
</filter>
/etc/libvirt/nwfilter/no-arp-spoofing.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit no-arp-spoofing
or other application using the libvirt API.
-->
<filter name='no-arp-spoofing' chain='root'>
<uuid>d0c1b728-0074-4b70-9fb9-c149736ce06e</uuid>
<filterref filter='no-arp-mac-spoofing'/>
<filterref filter='no-arp-ip-spoofing'/>
</filter>
/etc/libvirt/nwfilter/no-ip-multicast.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit no-ip-multicast
or other application using the libvirt API.
-->
<filter name='no-ip-multicast' chain='ipv4' priority='-700'>
<uuid>9f588e1a-3f48-49ab-b928-c89701ac6373</uuid>
<rule action='drop' direction='out' priority='500'>
<ip dstipaddr='224.0.0.0' dstipmask='4'/>
</rule>
</filter>
/etc/libvirt/nwfilter/no-ip-spoofing.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit no-ip-spoofing
or other application using the libvirt API.
-->
<filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'>
<uuid>b9a96e04-51c9-49ab-8ea8-2bfbff0d8a28</uuid>
<rule action='return' direction='out' priority='100'>
<ip srcipaddr='0.0.0.0' protocol='udp'/>
</rule>
<rule action='return' direction='out' priority='500'>
<ip srcipaddr='$IP'/>
</rule>
<rule action='drop' direction='out' priority='1000'/>
</filter>
/etc/libvirt/nwfilter/no-mac-broadcast.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit no-mac-broadcast
or other application using the libvirt API.
-->
<filter name='no-mac-broadcast' chain='ipv4' priority='-700'>
<uuid>c619f93f-868c-4fb5-9482-d9ea3d294929</uuid>
<rule action='drop' direction='out' priority='500'>
<mac dstmacaddr='ff:ff:ff:ff:ff:ff'/>
</rule>
</filter>
/etc/libvirt/nwfilter/no-mac-spoofing.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit no-mac-spoofing
or other application using the libvirt API.
-->
<filter name='no-mac-spoofing' chain='mac' priority='-800'>
<uuid>b89e855e-ed41-4276-917d-72462a07002e</uuid>
<rule action='return' direction='out' priority='500'>
<mac srcmacaddr='$MAC'/>
</rule>
<rule action='drop' direction='out' priority='500'>
<mac/>
</rule>
</filter>
/etc/libvirt/nwfilter/no-other-l2-traffic.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit no-other-l2-traffic
or other application using the libvirt API.
-->
<filter name='no-other-l2-traffic' chain='root'>
<uuid>69a49398-75d7-4f3c-8484-45bed1c723a5</uuid>
<rule action='drop' direction='inout' priority='1000'/>
</filter>
/etc/libvirt/nwfilter/no-other-rarp-traffic.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit no-other-rarp-traffic
or other application using the libvirt API.
-->
<filter name='no-other-rarp-traffic' chain='rarp' priority='-400'>
<uuid>9798add2-28b8-45e2-bb52-8a9e213201b3</uuid>
<rule action='drop' direction='inout' priority='1000'/>
</filter>
/etc/libvirt/nwfilter/qemu-announce-self-rarp.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit qemu-announce-self-rarp
or other application using the libvirt API.
-->
<filter name='qemu-announce-self-rarp' chain='rarp' priority='-400'>
<uuid>fe544f26-bd73-44f8-8255-cec766f24322</uuid>
<rule action='accept' direction='out' priority='500'>
<rarp srcmacaddr='$MAC' dstmacaddr='ff:ff:ff:ff:ff:ff' opcode='Request_Reverse' arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC' arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
</rule>
<rule action='accept' direction='in' priority='500'>
<rarp dstmacaddr='ff:ff:ff:ff:ff:ff' opcode='Request_Reverse' arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC' arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
</rule>
</filter>
/etc/libvirt/nwfilter/qemu-announce-self.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh nwfilter-edit qemu-announce-self
or other application using the libvirt API.
-->
<filter name='qemu-announce-self' chain='root'>
<uuid>6a702d98-c092-4172-a16f-cf27fd1fae7e</uuid>
<rule action='accept' direction='out' priority='500'>
<mac protocolid='0x835'/>
</rule>
<filterref filter='qemu-announce-self-rarp'/>
<filterref filter='no-other-rarp-traffic'/>
</filter>
/etc/libvirt/qemu/networks/default.xml changed:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh net-edit default
or other application using the libvirt API.
-->
<network>
<name>default</name>
<uuid>966b4956-62e6-49ea-9883-57caa0107927</uuid>
<forward mode='nat'/>
<bridge name='virbr0' stp='on' delay='0'/>
<mac address='52:54:00:29:52:56'/>
<ip address='192.168.122.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.122.2' end='192.168.122.254'/>
</dhcp>
</ip>
</network>
-- debconf information:
libvirt-daemon-system/id_warning: true
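
Added example (not part of the original report, and not libvirt or Debian code): a small triage script for the kind of kernel audit lines quoted above. It separates AppArmor STATUS records, which is what both kernel lines in the report are, from DENIED and ALLOWED access decisions. The DENIED and ALLOWED records, the placeholder UUID and the /srv/images paths are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import Counter

# key="quoted value" or key=bare, as printed in kernel AppArmor audit records
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Per-guest profiles are named libvirt-<domain UUID>
GUEST = re.compile(r"^libvirt-([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$")

# Common tail of the two kernel lines quoted in the report
STATUS_TAIL = ('apparmor="STATUS" operation="profile_replace" '
               'info="same as current profile, skipping" profile="unconfined" '
               'name="libvirt-402562bd-e0cd-9bcd-7455-4c3833e60907" ')
# Constructed (not from the report): placeholder guest profile
FAKE = 'profile="libvirt-00000000-0000-0000-0000-000000000000" '

SAMPLE = [
    'Jul 19 17:33:08 pulsar kernel: [ 1904.061499] audit: type=1400 '
    'audit(1563550388.502:120): ' + STATUS_TAIL + 'pid=5933 comm="apparmor_parser"',
    "Jul 19 17:33:08 pulsar libvirtd[3145]: internal error: unable to execute "
    "QEMU command 'block-commit': Could not reopen file: Permission denied",
    'Jul 19 17:33:08 pulsar kernel: [ 1904.202315] audit: type=1400 '
    'audit(1563550388.642:121): ' + STATUS_TAIL + 'pid=5937 comm="apparmor_parser"',
    # Constructed: what an enforce-mode denial looks like
    'kernel: audit: type=1400 audit(0.000:1): apparmor="DENIED" operation="open" '
    + FAKE + 'name="/srv/images/example-base.qcow2" pid=6000 '
    'comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
    # Constructed: the same kind of event logged in complain mode
    'kernel: audit: type=1400 audit(0.000:2): apparmor="ALLOWED" operation="open" '
    + FAKE + 'name="/srv/images/example-snap.qcow2" pid=6000 '
    'comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]


def parse_apparmor(line):
    """Return the key/value fields of an AppArmor audit record, or None."""
    start = line.find('apparmor="')
    if start < 0:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line, start)}


def triage(lines):
    """Split records into access decisions and a count of STATUS events."""
    decisions, status = [], Counter()
    for line in lines:
        rec = parse_apparmor(line)
        if rec is None:
            continue
        kind = rec.get("apparmor")
        if kind in ("DENIED", "ALLOWED"):
            # Here profile= is the confined process, name= the object accessed
            guest = GUEST.match(rec.get("profile", ""))
            decisions.append({
                "mode": kind,
                "guest_uuid": guest.group(1) if guest else None,
                "operation": rec.get("operation"),
                "path": rec.get("name"),
                "denied_mask": rec.get("denied_mask"),
                "comm": rec.get("comm"),
            })
        elif kind == "STATUS":
            # Here name= is the profile being loaded, profile= the loader's label
            status[(rec.get("operation"), rec.get("name"))] += 1
    return decisions, status


if __name__ == "__main__":
    found, loads = triage(SAMPLE)
    for d in found:
        print(d["mode"], d["guest_uuid"], d["operation"], d["denied_mask"], d["path"])
    for (op, name), n in loads.items():
        print("STATUS", op, name, "x%d" % n)
```

On a live host the same functions can be fed the output of journalctl -k or the contents of /var/log/kern.log, one line per list element.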