Date: Wed, 29 Jan 2025 10:41:12 +0100
From: Stefano Brivio
To: Prafulla Giri
Cc: passt-dev@passt.top, Andrea Bolognani
Subject: Re: Apparmor (and other) Issues
Message-ID: <20250129104112.0756df5c@elisabeth>
Organization: Red Hat
List-Id: Development discussion and patches for passt

Hi,

On Wed, 29 Jan 2025 09:14:12 +0000
Prafulla Giri wrote:

> Esteemed maintainer,
>
> First and foremost, thank you very much for your hard work: passt is awesome and allows one to run more useful user-space VMs.
>
> I have encountered 2 particular issues with the usage of passt with Debian, and wanted to bring them to your attention as I think you are probably the best person to deal with this. I do plan on sending a report to the Debian team afterwards.
>
> For reference, I tested these on Debian Testing Daily Image dated 28 January 2025, with updates, and the version of passt available with it is passt 0.0~git20250121.4f2c8e7-1
>
> - Passt's default AppArmor config needs to allow writes to $XDG_RUNTIME_DIR (which is at /run/user/$UID). Currently it doesn't. Virt-manager, at least, tries to create the necessary sockets in the directory but AppArmor prevents that from happening (and the error message Virt-Manager gives isn't helpful either: the first time around I falsely believed it was a segfault or similar issue). I managed to get passt working past this flaw (pun intended) by manually disabling AppArmor for the binary. Passt works just fine in Fedora 41 as it doesn't use AppArmor but uses SELinux, and thus the configs don't affect it.

Thanks for reporting this! I'm the maintainer of the Debian package, by the way. Cc'ing Andrea, who is a maintainer of the libvirt package for Debian and surely more knowledgeable about this.

Note that virt-manager uses passt through libvirt (I think that's the only possibility) and this should actually be allowed in libvirt's AppArmor policy, in the sub-profile for passt:

https://gitlab.com/libvirt/libvirt/-/blob/0264a7704ada52f686cafe8f6402d5b60f9f0fc4/src/security/apparmor/libvirt-qemu.in#L204

The rationale is that passt itself doesn't know which directory libvirt will pick for its socket and PID files, so libvirt's policy has to specify that.

So I think you should file an issue for the libvirt package in this case, unless Andrea has some pointers.

> - This second issue is perhaps a bit more Debian-specific, but I am going to mention it so that you might drop some hints for the Debian maintainers to debug this: once AppArmor is disabled and a VM is configured to work with passt, DNS resolution doesn't work in the VM (IP addresses work just fine), i.e. `ping fsf.org` doesn't work but `ping 209.51.188.174` does. The hypervisor details follow:
>
> $ virsh version # on Debian Testing a.k.a. 'Trixie'
> Compiled against library: libvirt 11.0.0
> Using library: libvirt 11.0.0
> Using API: QEMU 11.0.0
> Running hypervisor: QEMU 9.2.0
>
> This, again, isn't an issue with Fedora 41, where everything just works. The hypervisor details for Fedora 41 are:
>
> $ virsh version # on Fedora 41
> Compiled against library: libvirt 10.6.0
> Using library: libvirt 10.6.0
> Using API: QEMU 10.6.0
> Running hypervisor: QEMU 9.1.2

Oops. Can you share the command line of passt as run by libvirt (say, 'ps aux|grep passt') for this case?

passt has some basic DNS forwarding capabilities, which are configured depending on the host's resolver configuration.

> Again, I will be making a report to the Debian maintainers, should they wish to chime in regarding AppArmor configs or the DNS resolution issue.

Please file a separate issue, in case. This one would be for passt.

> Thank you once again for this awesome tool.

And thanks again for trying it out and reporting issues!

-- 
Stefano
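An added triage helper for the first issue in the thread (this is example code written for this page, not passt's, libvirt's or the Debian package's code). When a libvirt-launched passt fails to create its socket or PID file under $XDG_RUNTIME_DIR, the kernel audit log carries AppArmor "type=1400" denial records; parsing them and grouping by (profile, directory) shows which sub-profile is blocking and which permissions it lacks, which is exactly what is needed to decide whether the fix belongs in libvirt's sub-profile for passt or elsewhere. The audit lines, profile name, paths and PIDs below are constructed samples, not taken from any real host.

```python
import re

# Constructed sample of kernel audit lines in the AppArmor "type=1400" format.
# Profile names, paths and PIDs are illustrative, not taken from the thread.
SAMPLE_LOG = """\
audit: type=1400 audit(1738143676.247:512): apparmor="DENIED" operation="mknod" class="file" profile="libvirt-2f0c4a5e-example//passt" name="/run/user/1000/libvirt/qemu/run/passt/1-debian-net0.socket" pid=4242 comm="passt" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1738143676.301:513): apparmor="DENIED" operation="open" class="file" profile="libvirt-2f0c4a5e-example//passt" name="/run/user/1000/libvirt/qemu/run/passt/1-debian-net0.pid" pid=4242 comm="passt" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1738143677.010:514): apparmor="ALLOWED" operation="open" class="file" profile="libvirt-2f0c4a5e-example//passt" name="/etc/resolv.conf" pid=4242 comm="passt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1738143677.020:515): apparmor="DENIED" operation="open" class="file" profile="some-other-profile" name="/run/user/1000/other.sock" pid=777 comm="otherd" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
"""

# key=value pairs; the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key/value fields of one AppArmor audit line, or None if it is not one."""
    if "apparmor=" not in line:
        return None
    return {key: quoted if quoted else bare for key, quoted, bare in KV_RE.findall(line)}


def denials_for(log, comm="passt", prefix="/run/user/"):
    """DENIED events whose process name is `comm` and whose path lies under `prefix`.

    Filtering on `comm` and the runtime-dir prefix separates the failure the
    report describes (passt cannot create its socket/PID file under
    $XDG_RUNTIME_DIR) from unrelated denials on the same host.
    """
    hits = []
    for line in log.splitlines():
        ev = parse_apparmor_line(line)
        if ev is None or ev.get("apparmor") != "DENIED":
            continue
        if ev.get("comm") != comm or not ev.get("name", "").startswith(prefix):
            continue
        hits.append(ev)
    return hits


def summarize(log, **kw):
    """Group denials by (profile, directory) and union their denied masks.

    One entry per directory tells you which (sub-)profile is blocking and which
    AppArmor permission letters (e.g. c=create, w=write) it lacks. The directory
    rather than the file is what matters, because libvirt chooses the socket and
    PID file names per domain, so any rule has to cover the directory.
    """
    out = {}
    for ev in denials_for(log, **kw):
        directory = ev["name"].rsplit("/", 1)[0]
        out.setdefault((ev["profile"], directory), set()).update(ev.get("denied_mask", ""))
    return {key: "".join(sorted(mask)) for key, mask in out.items()}


if __name__ == "__main__":
    # On a real host, feed the output of `journalctl -k` (or /var/log/audit/audit.log)
    # instead of SAMPLE_LOG.
    for (profile, directory), mask in summarize(SAMPLE_LOG).items():
        print(f"{profile}: missing '{mask}' on {directory}/")
```

The "//passt" suffix in the profile name is how AppArmor reports a child sub-profile, so a hit there points at libvirt's policy for passt rather than at a profile shipped with passt itself; a hit under a different profile, or with a different `comm`, is a separate problem and should not be folded into the same report.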