[Pkg-libvirt-maintainers] Bug#1082530: libvirt-daemon: libvirtd does not look up qemu-bridge-helper below /usr/libexec/qemu

Farblos farblos at vodafonemail.de
Sat Sep 21 16:41:01 BST 2024 

Package: libvirt-daemon
Version: 10.7.0-3
Severity: normal
X-Debbugs-Cc: farblos at vodafonemail.de

Dear Maintainer,

   * What led up to the situation?

Recent upgrade of packages libvirt-daemon (10.7.0-3) and/or qemu-system-common
(1:9.0.2+ds-2+b1).

   * What exactly did you do (or not do) that was effective (or
     ineffective)?
   
Tried to start a ***user-level*** QEMU VM through libvirt/virsh.

   * What was the outcome of this action?

The VM failed to start with error message:

  [~]$ virsh start ol
  error: Failed to start domain 'ol'
  error: /usr/lib/qemu/qemu-bridge-helper --use-vnet --br=virbr0 --fd=32: failed to communicate with bridge helper: : Transport endpoint is not connected

The journal contains the following log entries:

  Sep 21 17:33:08 host01 libvirtd[5562]: /usr/lib/qemu/qemu-bridge-helper --use-vnet --br=virbr0 --fd=32: failed to communicate with bridge helper: : Transport endpoint is not connected
  Sep 21 17:33:08 host01 kernel: audit: type=1400 audit(1726932788.816:33): apparmor="DENIED" operation="file_mmap" class="file" profile="libvirtd//qemu_bridge_helper" name="/usr/bin/dash" pid=5614 comm="qemu-bridge-hel" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

   * What outcome did you expect instead?

The VM starting as usual.

   * Educated Guess

- Package qemu-system-common has moved the QEMU bridge helper to
  directory /usr/libexec/qemu/qemu-bridge-helper, replacing the
  original /usr/lib/qemu/qemu-bridge-helper with a Bourne shell
  wrapper script that passes control to the real executable.

- However, function virDomainCreateInBridgePortWithHelper in file
  src/hypervisor/domain_interface.c of libvirt still looks for
  the bridge helper only in the previous locations, which is
  $PATH plus the entries in local variable bridgeHelperDirs.
  Directory /usr/libexec/qemu is not among these.

- As a result, libvirtd tries to start the bridge helper through
  the Bourne shell wrapper script, which conflicts with the
  AppArmor rules for libvirtd.

   * Workaround

As a work-around, one can configure variable bridge_helper to the
absolute path "/usr/libexec/qemu/qemu-bridge-helper" in file
~/.config/libvirt/qemu.conf.

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.10.9-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvirt-daemon depends on:
ii  libc6                  2.40-2
ii  libgcc-s1              14.2.0-3
ii  libglib2.0-0t64        2.82.0-1
ii  libtirpc3t64           1.3.4+ds-1.3
ii  libvirt-common         10.7.0-3
ii  libvirt-daemon-common  10.7.0-3
ii  libvirt0               10.7.0-3
ii  libxml2                2.9.14+dfsg-1.3+b3
ii  logrotate              3.22.0-1

Versions of packages libvirt-daemon recommends:
pn  libvirt-daemon-driver-interface        <none>
pn  libvirt-daemon-driver-lxc              <none>
ii  libvirt-daemon-driver-network          10.7.0-3
ii  libvirt-daemon-driver-nodedev          10.7.0-3
ii  libvirt-daemon-driver-nwfilter         10.7.0-3
ii  libvirt-daemon-driver-qemu             10.7.0-3
ii  libvirt-daemon-driver-secret           10.7.0-3
ii  libvirt-daemon-driver-storage          10.7.0-3
pn  libvirt-daemon-driver-storage-disk     <none>
pn  libvirt-daemon-driver-storage-iscsi    <none>
pn  libvirt-daemon-driver-storage-logical  <none>
pn  libvirt-daemon-driver-storage-mpath    <none>
pn  libvirt-daemon-driver-storage-scsi     <none>
pn  libvirt-daemon-driver-vbox             <none>
pn  libvirt-daemon-driver-xen              <none>
pn  libvirt-daemon-lock                    <none>
ii  libvirt-daemon-log                     10.7.0-3
pn  libvirt-daemon-plugin-lockd            <none>
pn  libvirt-daemon-plugin-sanlock          <none>

Versions of packages libvirt-daemon suggests:
pn  libvirt-daemon-driver-storage-gluster       <none>
pn  libvirt-daemon-driver-storage-iscsi-direct  <none>
pn  libvirt-daemon-driver-storage-rbd           <none>
pn  libvirt-daemon-driver-storage-zfs           <none>
ii  libvirt-daemon-system                       10.7.0-3

-- no debconf information

More information about the Pkg-libvirt-maintainers mailing list