public inbox for passt-dev@passt.top
From: Stefano Brivio <sbrivio@redhat.com>
To: Prafulla Giri <prafulla.giri@protonmail.com>
Cc: Andrea Bolognani <abologna@redhat.com>,
	"passt-dev@passt.top" <passt-dev@passt.top>
Subject: Re: Apparmor (and other) Issues
Date: Wed, 19 Feb 2025 11:47:41 +0100
Message-ID: <20250219114741.2d128d57@elisabeth>
In-Reply-To: <qIxgv09q-IkQS32-MDqNap8e-mTFn0Jo14ftldWYhcTe8Lw8_CmRR9olLcjnZqty_NJQrmVsT-ouh9rTJN3cNqrV5DQo9PQGPt-tFMoim0o=@protonmail.com>

On Wed, 19 Feb 2025 06:31:49 +0000
Prafulla Giri <prafulla.giri@protonmail.com> wrote:

> On Monday, February 17th, 2025 at 1:22 PM, Stefano Brivio <sbrivio@redhat.com> wrote:
> 
> > You mean 'passt', and:
> >   
> Strangely enough, I did mean pasta: that's the one that gives a shell. passt only creates namespace thingy. I thought pasta used passt underneath and that is why changes to passt were visible by testing pasta. Am I doing something wrong?

They are the same binary. Simplistically: one (pasta) gives you a shell
but you can also use it with Podman (or Docker), the other one (passt)
gives you a UNIX domain socket and you can use it with QEMU (or
libkrun/muvm).

They just need to be invoked as different commands, so a symlink would
normally be enough, except that AppArmor profiles can't be (separately)
associated to symlinks, so the Debian and openSUSE packages install a
hard link (and Fedora packages a copy).

> > https://salsa.debian.org/sbrivio/passt/-/commit/5bb812e79143670a57440cd8aa7f2979583c5a0a
> > 
> > might explain it. You need to create hard links ('make install' doesn't
> > do that) to associate different AppArmor profiles.
> > 
> > In any case, I'm releasing (and packaging) a new version with the
> > AppArmor workaround today.
> >   
> I just checked on Debian Sid and I can confirm that everything is working as expected. Thank you very much for your hard work. As I understand it, a better Apparmor fix is being discussed with other maintainers in the meantime. But as things stand right now, Debian users ought to be able to use passt with libvirt, as expected.
> 
> In the meantime, I have noticed another error and want to ask where I ought to report it: If a VM isn't able to run, passt configs aren't cleared. I just had a VM not start because of permission errors (I resolved it), but trying to restart the VM threw a passt error saying the port being forwarded was already in use (a remnant of a previous run that failed). I'll have to come up with a way to make this reproducible, of course. But it seems that on unclean exits, passt isn't being allowed to clean things up (destroy the created namespace, stop the port-forwards, etc.). Perhaps I ought to report this on libvirt side? I encountered this error through virt-manager. Perhaps I should test with virsh as well.

There's no persistent configuration stuff left around: if you run
stand-alone pasta, the detached namespace will go away on its own.

The sockets passt(1) creates remain until libvirt cleans them up (passt
can't do that because it remounts its root filesystem to an empty
filesystem as it starts).

Bound ports, you might need to wait up to two minutes after sockets are
closed, because they will be in TIME_WAIT state for that time. That
comes from the definition of MSL (Maximum Segment Lifetime, RFC 9293
section 4.). The kernel wants to make sure that in-flight TCP segments
don't reach another process by mistake.

-- 
Stefano
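
Added example, not part of the original message and not passt or libvirt code: a small diagnostic for the "port already in use" case discussed above, telling a leftover listener (waiting won't help) apart from TIME_WAIT remnants (they expire on their own). The function names and the embedded /proc/net/tcp excerpt are constructed for illustration; only IPv4 entries are covered (/proc/net/tcp6 has the same layout).

```python
#!/usr/bin/env python3
"""Classify why a local TCP port looks busy, from /proc/net/tcp-style text."""
import os
import sys

# TCP state codes as they appear (hex) in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
    "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
    "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
    "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample (not captured from a real host): port 2222 (0x08AE) still
# has a listener, port 8080 (0x1F90) only has one TIME_WAIT entry left over.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 0100007F:D2F0 06 00000000:00000000 03:00000B5A 00000000     0        0 0 3 0000000000000000
"""

def states_for_port(proc_text, port):
    """Return the TCP state names of all sockets whose local port is `port`."""
    found = []
    for line in proc_text.splitlines()[1:]:       # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        # local_address is HEXIP:HEXPORT; the port is plain big-endian hex.
        local_port = int(fields[1].rsplit(":", 1)[1], 16)
        if local_port == port:
            found.append(TCP_STATES.get(fields[3].upper(), "UNKNOWN"))
    return found

def classify(proc_text, port):
    """'free', 'listener', 'time_wait' (remnants only) or 'in_use'."""
    states = states_for_port(proc_text, port)
    if not states:
        return "free"
    if "LISTEN" in states:
        return "listener"       # some process still holds the port
    if all(s == "TIME_WAIT" for s in states):
        return "time_wait"      # nothing owns it; entries will expire
    return "in_use"

if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080
    path = "/proc/net/tcp"
    text = open(path).read() if os.path.exists(path) else SAMPLE
    print(port, classify(text, port), states_for_port(text, port))
```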

