Date: Wed, 19 Feb 2025 11:47:41 +0100
From: Stefano Brivio
To: Prafulla Giri
Subject: Re: Apparmor (and other) Issues
Message-ID: <20250219114741.2d128d57@elisabeth>
In-Reply-To:
References: <20250205111651.59551470@elisabeth> <20250207101631.0875e141@elisabeth> <20250209100848.4e5c39de@elisabeth> <20250217083741.41343ded@elisabeth>
Organization: Red Hat
CC: Andrea Bolognani, passt-dev@passt.top
List-Id: Development discussion and patches for passt

On Wed, 19 Feb 2025 06:31:49 +0000
Prafulla Giri wrote:

> On Monday, February 17th, 2025 at 1:22 PM, Stefano Brivio wrote:
>
> > You mean 'passt', and:
>
> Strangely enough, I did mean pasta: that's the one that gives a shell.
> passt only creates namespace thingy. I thought pasta used passt
> underneath and that is why changes to passt were visible by testing
> pasta. Am I doing something wrong?

They are the same binary.
Simplistically: one (pasta) gives you a shell but you can also use it
with Podman (or Docker), the other one (passt) gives you a UNIX domain
socket and you can use it with QEMU (or libkrun/muvm).

They just need to be invoked as different commands, so a symlink would
normally be enough, except that AppArmor profiles can't be (separately)
associated to symlinks, so the Debian and openSUSE packages install a
hard link (and Fedora packages a copy).

> > https://salsa.debian.org/sbrivio/passt/-/commit/5bb812e79143670a57440cd8aa7f2979583c5a0a
> >
> > might explain it. You need to create hard links ('make install' doesn't
> > do that) to associate different AppArmor profiles.
> >
> > In any case, I'm releasing (and packaging) a new version with the
> > AppArmor workaround today.
>
> I just checked on Debian Sid and I can confirm that everything is
> working as expected. Thank you very much for your hard work. As I
> understand it, a better Apparmor fix is being discussed with other
> maintainers in the meantime. But as things stand right now, Debian
> users ought to be able to use passt with libvirt, as expected.
>
> In the meantime, I have noticed another error and want to ask where I
> ought to report it: If a VM isn't able to run, passt configs aren't
> cleared. I just had a VM not start because of permission errors (I
> resolved it), but trying to restart the VM threw a passt error saying
> the port being forwarded was already in use (a remnant of a previous
> run that failed). I'll have to come up with a way to make this
> reproducible, of course. But it seems that on unclean exits, passt
> isn't being allowed to clean things up (destroy the created namespace,
> stop the port-forwards, etc.) Perhaps I ought to report this on the
> libvirt side? I encountered this error through virt-manager. Perhaps I
> should test with virsh as well.

There's no persistent configuration stuff left around: if you run
stand-alone pasta, the detached namespace will go away on its own.
The sockets passt(1) creates remain until libvirt cleans them up (passt
can't do that because it remounts its root filesystem to an empty
filesystem as it starts).

Bound ports, you might need to wait up to two minutes after sockets are
closed, because they will be in TIME_WAIT state for that time. That
comes from the definition of MSL (Maximum Segment Lifetime, RFC 9293
section 4). The kernel wants to make sure that in-flight TCP segments
don't reach another process by mistake.

-- 
Stefano
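A check for the packaging detail discussed above, added here and not taken from the mail or from passt's own tooling: it classifies how pasta is installed next to passt, since AppArmor attaches a profile by executable path and a symlink resolves to its target, so only a hard link or a copy can carry a profile of its own. The install paths and the temporary demo files are assumptions.

```shell
#!/bin/sh
# Added example (not from the mail or from passt): classify how pasta is
# installed next to passt. A symlink cannot get its own AppArmor profile;
# a hard link (Debian, openSUSE) or a copy (Fedora) can.
set -u

# Prints one of: missing, symlink, hardlink, copy.
install_kind() {
    passt_path=$1
    pasta_path=$2
    if [ ! -e "$passt_path" ]; then echo missing; return 0; fi
    # Test -L before -e: -e follows the link and would also succeed.
    if [ -L "$pasta_path" ]; then echo symlink; return 0; fi
    if [ ! -e "$pasta_path" ]; then echo missing; return 0; fi
    # -ef is true when both names share device and inode (a hard link).
    if [ "$passt_path" -ef "$pasta_path" ]; then echo hardlink; return 0; fi
    echo copy
}

# Demo on constructed files in a temporary directory; no real passt needed.
demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho fake passt\n' > "$dir/passt"
    ln "$dir/passt" "$dir/pasta"         # what the Debian/openSUSE packages do
    ln -s passt "$dir/pasta-symlink"     # what a plain symlink install would do
    cp "$dir/passt" "$dir/pasta-copy"    # what the Fedora packages do
    for p in pasta pasta-symlink pasta-copy pasta-absent; do
        printf '%s: %s\n' "$p" "$(install_kind "$dir/passt" "$dir/$p")"
    done
    rm -rf "$dir"
    # Assumed system paths; prints "missing" where passt is not installed.
    printf 'system pasta: %s\n' "$(install_kind /usr/bin/passt /usr/bin/pasta)"
}

demo
```

If the system check prints "symlink", the AppArmor profile meant for pasta will not attach to it.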