Package: libvirt-daemon
Version: 1.2.9-9+deb8u1
Severity: normal
Hi Guido,
$ strings /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so | grep
bridge-helper
/usr/libexec/qemu-bridge-helper
# dpkg -S bridge-helper
qemu-system-common: /usr/lib/qemu/qemu-bridge-helper
As <https://lists.gnu.org/archive/html/qemu-devel/2013-11/msg01534.html>
seems to never got applied, the helper is also missing the required
capability CAP_NET_ADMIN, which must be added by running
setcap cap_net_admin+ep /usr/lib/qemu/qemu-bridge-helper
I choose to put that information in the README.Debian.
Greeting
Philipp
PS: I hope I didn't break some test-suite - at least building the new
version in my pbuilder environment worked okay.
-- System Information:
Debian Release: 8.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (90, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libvirt-daemon depends on:
ii libapparmor1 2.9.0-3
ii libaudit1 1:2.4-1+b1
ii libavahi-client3 0.6.31-5
ii libavahi-common3 0.6.31-5
ii libblkid1 2.25.2-6
ii libc6 2.19-18+deb8u3
ii libcap-ng0 0.7.4-2
ii libdbus-1-3 1.8.20-0+deb8u1
ii libdevmapper1.02.1 2:1.02.90-2.2
ii libfuse2 2.9.3-15+deb8u2
ii libgnutls-deb0-28 3.3.8-6+deb8u3
ii libnetcf1 1:0.2.3-4.1
ii libnl-3-200 3.2.24-2
ii libnl-route-3-200 3.2.24-2
ii libnuma1 2.0.10-1
ii libparted2 3.2-7
ii libpcap0.8 1.6.2-2
ii libpciaccess0 0.13.2-3+b1
ii librados2 0.80.7-2+deb8u1
ii librbd1 0.80.7-2+deb8u1
ii libsasl2-2 2.1.26.dfsg1-13+deb8u1
ii libselinux1 2.3-2
ii libssh2-1 1.4.3-4.1+deb8u1
ii libsystemd0 215-17+deb8u3
ii libudev1 215-17+deb8u3
ii libvirt0 1.2.9-9+deb8u1
ii libxen-4.4 4.4.1-9+deb8u3
ii libxenstore3.0 4.4.1-9+deb8u3
ii libxml2 2.9.1+dfsg1-5+deb8u1
ii libyajl2 2.1.0-2
Versions of packages libvirt-daemon recommends:
ii libxml2-utils 2.9.1+dfsg1-5+deb8u1
ii netcat-openbsd 1.105-7
ii qemu-kvm 1:2.1+dfsg-12+deb8u5a
Versions of packages libvirt-daemon suggests:
ii libvirt-daemon-system 1.2.9-9+deb8u1
-- no debconf information
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -357,7 +357,7 @@
# is used to create <source type='bridge'> interfaces when libvirtd is
# running unprivileged. libvirt invokes the helper directly, instead
# of using "-netdev bridge", for security reasons.
-#bridge_helper = "/usr/libexec/qemu-bridge-helper"
+#bridge_helper = "/usr/lib/qemu/qemu-bridge-helper"
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -244,7 +244,7 @@ virQEMUDriverConfigPtr virQEMUDriverConf
goto error;
}
- if (VIR_STRDUP(cfg->bridgeHelperName, "/usr/libexec/qemu-bridge-helper") < 0)
+ if (VIR_STRDUP(cfg->bridgeHelperName, "/usr/lib/qemu/qemu-bridge-helper") < 0)
goto error;
cfg->clearEmulatorCapabilities = true;
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -56,7 +56,7 @@ module Test_libvirtd_qemu =
{ "auto_dump_bypass_cache" = "0" }
{ "auto_start_bypass_cache" = "0" }
{ "hugetlbfs_mount" = "/dev/hugepages" }
-{ "bridge_helper" = "/usr/libexec/qemu-bridge-helper" }
+{ "bridge_helper" = "/usr/lib/qemu/qemu-bridge-helper" }
{ "clear_emulator_capabilities" = "1" }
{ "set_process_name" = "1" }
{ "max_processes" = "0" }
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -51,6 +51,18 @@ EOF
This makes dnsmasq only bind to the loopback interface by default so libvirtd
can handle the virtual bridges.
+Bridged network
+===============
+libvirt can use the qemu-bridge-helper to create bridged network interfaces for
+session domains. For this to work the helper must have the capability to create
+TUN/TAP devices or must have the SUID permission set.
+This can be done by running the following command as the user root:
+
+ setcap cap_net_admin+ep /usr/lib/qemu/qemu-bridge-helper
+
+The allowed bridges must be configured in the file '/etc/qemu/bridge.conf'. For
+each bridge add a line like 'allow br0'.
+
Access Control
==============
Access to the libvirt managing tasks is controlled by PolicyKit. To ease
