Hi,
On Sun, Feb 05, 2017 at 12:19:42PM +0100, Michal Herko wrote:
> Package: libvirt-daemon-system
> Version: 3.0.0-2
> Severity: normal
>
> Dear Maintainer,
> How to reproduce:
> install gnome-boxes, libvirt-daemon-system, libvirt-clients
> add bridge network with:
> # virsh net-start default
> # virsh net-autostart default
> # echo "allow virbr0" > /etc/qemu/bridge.conf
> # adduser heroin kvm
> # adduser heroin qemu
> try to start a virtual machine:
> $ virsh start boxes-unknown
> Expected:
> virtual machine would start
> Actual:
> error: Failed to start domain boxes-unknown
> error: internal error:
> /usr/lib/qemu/qemu-bridge-helper --br=virbr0 --fd=25: failed to communicate
> with bridge helper: Transport endpoint is not connected
> stderr=failed to create tun device: Operation not permitted
> Workaround:
> toggle the setuid bit on qemu-bridge-helper
> # chmod +s /usr/lib/qemu/qemu-bridge-helper

That would be qemu's job since we can't interfere with other packages'
setuid bits. Check /usr/share/doc/libvirt-daemon/README.Debian.gz
for how to use cap_sys_admin instead of setuid root.
 -- Guido

>
> virtual machine configuration http://pastebin.com/EBqKL455
>
> -- System Information:
> Debian Release: 9.0
> APT prefers testing
> APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.9.0-1-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages libvirt-daemon-system depends on:
> ii adduser 3.115
> ii debconf [debconf-2.0] 1.5.60
> ii gettext-base 0.19.8.1-2
> ii init-system-helpers 1.47
> ii iptables 1.6.0+snapshot20161117-5
> ii libapparmor1 2.11.0-2
> ii libaudit1 1:2.6.7-1
> ii libblkid1 2.29.1-1
> ii libc6 2.24-9
> ii libcap-ng0 0.7.7-3
> ii libdbus-1-3 1.10.14-1
> ii libdevmapper1.02.1 2:1.02.137-1
> ii libnl-3-200 3.2.27-1
> ii libnl-route-3-200 3.2.27-1
> ii libnuma1 2.0.11-2.1
> ii librados2 10.2.5-6
> ii librbd1 10.2.5-6
> ii libselinux1 2.6-3
> ii libvirt-clients 3.0.0-2
> ii libvirt-daemon 3.0.0-2
> ii libvirt0 3.0.0-2
> ii libxml2 2.9.4+dfsg1-2.2
> ii libyajl2 2.1.0-2
> ii logrotate 3.11.0-0.1
> ii lsb-base 9.20161125
> ii policykit-1 0.105-17
>
> Versions of packages libvirt-daemon-system recommends:
> ii bridge-utils 1.5-11
> ii dmidecode 3.0-4
> ii dnsmasq-base 2.76-5
> ii ebtables 2.0.10.4-3.5
> ii iproute2 4.9.0-1
> ii parted 3.2-17
>
> Versions of packages libvirt-daemon-system suggests:
> pn apparmor <none>
> pn auditd <none>
> pn nfs-common <none>
> pn pm-utils <none>
> pn radvd <none>
> ii systemd 232-15
> pn systemtap <none>
> pn zfsutils <none>
>
> -- debconf information:
> libvirt-daemon-system/id_warning: true
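
A read-only check for the setuid-versus-capabilities question raised in this thread, as an added example that is not part of the original mail or of the Debian packages: it reports whether a helper such as `/usr/lib/qemu/qemu-bridge-helper` is privileged through mode bits or through file capabilities, and warns about the extra setgid bit that `chmod +s` sets. The function names are hypothetical, and the capability check assumes `getcap` is installed.

```shell
#!/bin/sh
# Added example: audit how a helper binary obtains its privilege.
# Usage: sh audit-helper.sh /usr/lib/qemu/qemu-bridge-helper
# Function names are hypothetical; nothing here modifies the file.

# Print one of: missing, setuid+setgid, setuid, setgid, filecap, none.
helper_privilege_mode() {
    f=$1
    [ -e "$f" ] || { echo missing; return 1; }
    if [ -u "$f" ] && [ -g "$f" ]; then echo "setuid+setgid"
    elif [ -u "$f" ]; then echo setuid
    elif [ -g "$f" ]; then echo setgid
    # getcap is optional; without it file capabilities go undetected.
    elif command -v getcap >/dev/null 2>&1 &&
         [ -n "$(getcap "$f" 2>/dev/null)" ]; then echo filecap
    else echo none
    fi
}

# Print findings; return the number of WARN lines, or 3 if the file is missing.
audit_helper() {
    f=$1
    warns=0
    mode=$(helper_privilege_mode "$f") || { echo "FAIL: $f does not exist"; return 3; }
    echo "INFO: $f privilege mode: $mode"
    case $mode in
        *setgid)
            # 'chmod +s' with no 'who' sets both the setuid and the setgid bit.
            echo "WARN: setgid bit is set; 'chmod +s' sets it together with setuid"
            warns=$((warns + 1)) ;;
    esac
    # A privileged binary that group or others can write to can be tampered with.
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "WARN: $f is writable by group or others"
        warns=$((warns + 1))
    fi
    return "$warns"
}

# Run only when a path is given, so sourcing the file has no side effects.
if [ $# -gt 0 ]; then
    audit_helper "$1" || true
fi
```
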