Package: libvirt-daemon-system Version: 3.0.0-2 Severity: normal Dear Maintainer, How to reproduce: install gnome-boxes, libvirt-daemon-system, libvirt-clients add bridge network with: # virsh net-start default # virsh net-autostart default # echo "allow virbr0" > /etc/qemu/bridge.conf # adduser heroin kvm # adduser heroin qemu try to start a virtual machine: $ virsh start boxes-unknown Expected: virtual machine would start Actual: error: Failed to start domain boxes-unknown error: internal error: /usr/lib/qemu/qemu-bridge-helper --br=virbr0 --fd=25: failed to communicate with bridge helper: Transport endpoint is not connected stderr=failed to create tun device: Operation not permitted Workaround: toggle the setuid bit on qemu-bridge-helper # chmod +s /usr/lib/qemu/qemu-bridge-helper
virtual machine configuration http://pastebin.com/EBqKL455 -- System Information: Debian Release: 9.0 APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-1-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages libvirt-daemon-system depends on: ii adduser 3.115 ii debconf [debconf-2.0] 1.5.60 ii gettext-base 0.19.8.1-2 ii init-system-helpers 1.47 ii iptables 1.6.0+snapshot20161117-5 ii libapparmor1 2.11.0-2 ii libaudit1 1:2.6.7-1 ii libblkid1 2.29.1-1 ii libc6 2.24-9 ii libcap-ng0 0.7.7-3 ii libdbus-1-3 1.10.14-1 ii libdevmapper1.02.1 2:1.02.137-1 ii libnl-3-200 3.2.27-1 ii libnl-route-3-200 3.2.27-1 ii libnuma1 2.0.11-2.1 ii librados2 10.2.5-6 ii librbd1 10.2.5-6 ii libselinux1 2.6-3 ii libvirt-clients 3.0.0-2 ii libvirt-daemon 3.0.0-2 ii libvirt0 3.0.0-2 ii libxml2 2.9.4+dfsg1-2.2 ii libyajl2 2.1.0-2 ii logrotate 3.11.0-0.1 ii lsb-base 9.20161125 ii policykit-1 0.105-17 Versions of packages libvirt-daemon-system recommends: ii bridge-utils 1.5-11 ii dmidecode 3.0-4 ii dnsmasq-base 2.76-5 ii ebtables 2.0.10.4-3.5 ii iproute2 4.9.0-1 ii parted 3.2-17 Versions of packages libvirt-daemon-system suggests: pn apparmor <none> pn auditd <none> pn nfs-common <none> pn pm-utils <none> pn radvd <none> ii systemd 232-15 pn systemtap <none> pn zfsutils <none> -- Configuration Files: /etc/libvirt/nwfilter/allow-arp.xml changed: <!-- WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE OVERWRITTEN AND LOST. Changes to this xml configuration should be made using: virsh nwfilter-edit allow-arp or other application using the libvirt API. --> <filter name='allow-arp' chain='arp' priority='-500'> <uuid>08c762c7-8705-4fe0-b02f-406a715135ad</uuid> <rule action='accept' direction='inout' priority='500'/> </filter> /etc/libvirt/nwfilter/allow-dhcp-server.xml changed: <!-- WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE OVERWRITTEN AND LOST. Changes to this xml configuration should be made using: virsh nwfilter-edit allow-dhcp-server or other application using the libvirt API. --> <filter name='allow-dhcp-server' chain='ipv4' priority='-700'> <uuid>aef72e28-a8f4-4b87-a1c3-2c0743eb431a</uuid> <rule action='accept' direction='out' priority='100'> <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/> </rule> <rule action='accept' direction='in' priority='100'> <ip srcipaddr='$DHCPSERVER' protocol='udp' srcportstart='67' dstportstart='68'/> </rule> </filter> /etc/libvirt/nwfilter/allow-dhcp.xml changed: <!-- WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE OVERWRITTEN AND LOST. Changes to this xml configuration should be made using: virsh nwfilter-edit allow-dhcp or other application using the libvirt API. --> <filter name='allow-dhcp' chain='ipv4' priority='-700'> <uuid>e47023fd-bf93-4b81-b9ce-2231334b6245</uuid> <rule action='accept' direction='out' priority='100'> <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/> </rule> <rule action='accept' direction='in' priority='100'> <ip protocol='udp' srcportstart='67' dstportstart='68'/> </rule> </filter> /etc/libvirt/nwfilter/allow-incoming-ipv4.xml changed: <!-- WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE OVERWRITTEN AND LOST. Changes to this xml configuration should be made using: virsh nwfilter-edit allow-incoming-ipv4 or other application using the libvirt API. --> <filter name='allow-incoming-ipv4' chain='ipv4' priority='-700'> <uuid>c408da24-bae8-434a-93a6-008262c4426e</uuid> <rule action='accept' direction='in' priority='500'/> </filter> /etc/libvirt/nwfilter/allow-ipv4.xml changed: <!-- WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE OVERWRITTEN AND LOST. Changes to this xml configuration should be made using: virsh nwfilter-edit allow-ipv4 or other application using the libvirt API. --> <filter name='allow-ipv4' chain='ipv4' priority='-700'> <uuid>e320b4f2-f7b3-4d96-a0b4-eca6ae827cc6</uuid> <rule action='accept' direction='inout' priority='500'/> </filter> /etc/libvirt/nwfilter/clean-traffic.xml changed: <!-- WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE OVERWRITTEN AND LOST. Changes to this xml configuration should be made using: virsh nwfilter-edit clean-traffic or other application using the libvirt API. --> <filter name='clean-traffic' chain='root'> <uuid>e76af31c-d2f3-473d-8221-51e686164c5c</uuid> <filterref filter='no-mac-spoofing'/> <filterref filter='no-ip-spoofing'/> <rule action='accept' direction='out' priority='-650'> <mac protocolid='ipv4'/> </rule> <filterref filter='allow-incoming-ipv4'/> <filterref filter='no-arp-spoofing'/> <rule action='accept' direction='inout' priority='-500'> <mac protocolid='arp'/> </rule> <filterref filter='no-other-l2-traffic'/> <filterref filter='qemu-announce-self'/> </filter> /etc/libvirt/nwfilter/no-arp-ip-spoofing.xml changed: <!-- WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE OVERWRITTEN AND LOST. Changes to this xml configuration should be made using: virsh nwfilter-edit no-arp-ip-spoofing or other application using the libvirt API. --> <filter name='no-arp-ip-spoofing' chain='arp-ip' priority='-510'> <uuid>1da0bf37-17ba-4ee2-8eaf-4e63f9d3acf9</uuid> <rule action='return' direction='out' priority='400'> <arp arpsrcipaddr='$IP'/> </rule> <rule action='drop' direction='out' priority='1000'/> </filter> /etc/libvirt/nwfilter/no-arp-mac-spoofing.xml changed: <!-- WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE OVERWRITTEN AND LOST. Changes to this xml configuration should be made using: virsh nwfilter-edit no-arp-mac-spoofing or other application using the libvirt API. --> <filter name='no-arp-mac-spoofing' chain='arp-mac' priority='-520'> <uuid>e86e2a76-2f5d-42f7-a33a-e9b4ab37e443</uuid> <rule action='return' direction='out' priority='350'> <arp arpsrcmacaddr='$MAC'/> </rule> <rule action='drop' direction='out' priority='1000'/> </filter> /etc/libvirt/nwfilter/no-arp-spoofing.xml changed: <!-- WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE OVERWRITTEN AND LOST. Changes to this xml configuration should be made using: virsh nwfilter-edit no-arp-spoofing or other application using the libvirt API. --> <filter name='no-arp-spoofing' chain='root'> <uuid>7b721ece-b57c-4188-ae8d-8bfc839803a7</uuid> <filterref filter='no-arp-mac-spoofing'/> <filterref filter='no-arp-ip-spoofing'/> </filter> /etc/libvirt/nwfilter/no-ip-multicast.xml changed: <!-- WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE OVERWRITTEN AND LOST. Changes to this xml configuration should be made using: virsh nwfilter-edit no-ip-multicast or other application using the libvirt API. --> <filter name='no-ip-multicast' chain='ipv4' priority='-700'> <uuid>e59feaf2-38fa-44be-8808-05358a85860e</uuid> <rule action='drop' direction='out' priority='500'> <ip dstipaddr='224.0.0.0' dstipmask='4'/> </rule> </filter> /etc/libvirt/nwfilter/no-ip-spoofing.xml changed: <!-- WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE OVERWRITTEN AND LOST. Changes to this xml configuration should be made using: virsh nwfilter-edit no-ip-spoofing or other application using the libvirt API. --> <filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'> <uuid>9006ff51-a0f7-4283-9a86-4330631f00da</uuid> <rule action='return' direction='out' priority='100'> <ip srcipaddr='0.0.0.0' protocol='udp'/> </rule> <rule action='return' direction='out' priority='500'> <ip srcipaddr='$IP'/> </rule> <rule action='drop' direction='out' priority='1000'/> </filter> /etc/libvirt/nwfilter/no-mac-broadcast.xml changed: <!-- WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE OVERWRITTEN AND LOST. Changes to this xml configuration should be made using: virsh nwfilter-edit no-mac-broadcast or other application using the libvirt API. --> <filter name='no-mac-broadcast' chain='ipv4' priority='-700'> <uuid>82d46f6f-5f2d-48c6-98bd-14fcf9aaa434</uuid> <rule action='drop' direction='out' priority='500'> <mac dstmacaddr='ff:ff:ff:ff:ff:ff'/> </rule> </filter> /etc/libvirt/nwfilter/no-mac-spoofing.xml changed: <!-- WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE OVERWRITTEN AND LOST. Changes to this xml configuration should be made using: virsh nwfilter-edit no-mac-spoofing or other application using the libvirt API. --> <filter name='no-mac-spoofing' chain='mac' priority='-800'> <uuid>aea6f7d6-2252-4249-b779-a1d1a9e44d91</uuid> <rule action='return' direction='out' priority='500'> <mac srcmacaddr='$MAC'/> </rule> <rule action='drop' direction='out' priority='500'> <mac/> </rule> </filter> /etc/libvirt/nwfilter/no-other-l2-traffic.xml changed: <!-- WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE OVERWRITTEN AND LOST. Changes to this xml configuration should be made using: virsh nwfilter-edit no-other-l2-traffic or other application using the libvirt API. --> <filter name='no-other-l2-traffic' chain='root'> <uuid>ebb75292-bff7-43e4-a7d9-6a944e1e9d4c</uuid> <rule action='drop' direction='inout' priority='1000'/> </filter> /etc/libvirt/nwfilter/no-other-rarp-traffic.xml changed: <!-- WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE OVERWRITTEN AND LOST. Changes to this xml configuration should be made using: virsh nwfilter-edit no-other-rarp-traffic or other application using the libvirt API. --> <filter name='no-other-rarp-traffic' chain='rarp' priority='-400'> <uuid>847204b6-bae9-461b-bcfd-1ab67aea755e</uuid> <rule action='drop' direction='inout' priority='1000'/> </filter> /etc/libvirt/nwfilter/qemu-announce-self-rarp.xml changed: <!-- WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE OVERWRITTEN AND LOST. Changes to this xml configuration should be made using: virsh nwfilter-edit qemu-announce-self-rarp or other application using the libvirt API. --> <filter name='qemu-announce-self-rarp' chain='rarp' priority='-400'> <uuid>6d350476-684f-4f14-bf1f-623b9791e112</uuid> <rule action='accept' direction='out' priority='500'> <rarp srcmacaddr='$MAC' dstmacaddr='ff:ff:ff:ff:ff:ff' opcode='Request_Reverse' arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC' arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/> </rule> <rule action='accept' direction='in' priority='500'> <rarp dstmacaddr='ff:ff:ff:ff:ff:ff' opcode='Request_Reverse' arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC' arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/> </rule> </filter> /etc/libvirt/nwfilter/qemu-announce-self.xml changed: <!-- WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE OVERWRITTEN AND LOST. Changes to this xml configuration should be made using: virsh nwfilter-edit qemu-announce-self or other application using the libvirt API. --> <filter name='qemu-announce-self' chain='root'> <uuid>85f7db95-97a2-41e3-94bd-6927f13d6355</uuid> <rule action='accept' direction='out' priority='500'> <mac protocolid='0x835'/> </rule> <filterref filter='qemu-announce-self-rarp'/> <filterref filter='no-other-rarp-traffic'/> </filter> /etc/libvirt/qemu/networks/default.xml changed: <!-- WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE OVERWRITTEN AND LOST. Changes to this xml configuration should be made using: virsh net-edit default or other application using the libvirt API. --> <network> <name>default</name> <uuid>7b311b6e-7055-4469-9187-1f14be446c73</uuid> <forward mode='nat'/> <bridge name='virbr0' stp='on' delay='0'/> <mac address='52:54:00:12:01:7a'/> <ip address='192.168.122.1' netmask='255.255.255.0'> <dhcp> <range start='192.168.122.2' end='192.168.122.254'/> </dhcp> </ip> </network> -- debconf information: libvirt-daemon-system/id_warning: true
