Date: Thu, 30 Jan 2025 10:05:14 +0000
To: Stefano Brivio <sbrivio@redhat.com>
From: Prafulla Giri <prafulla.giri@protonmail.com>
Subject: Re: Apparmor (and other) Issues
Message-ID: <3mWvqHbG0sGUhoq9ersir5eXDcFpZkAm8BGfuhs3YOBV36rlbJ82aj27diLMkSjg8YQnrQajsHKkcVh3kXG9gc-o2HZF2rQXo9DnqkqbwNQ=@protonmail.com>
In-Reply-To: <20250129194854.6b67fbfe@elisabeth>
References: <gfnJ5_aKhxXif2AlacEZIAO3UgiyKhgfDhlg7-FWBbkXttL891Y9k0zClSeYZiLN8JkMF9Z_pprz9f3w88cjZTkHL42cjar9boCCIuS6B08=@protonmail.com> <20250129104112.0756df5c@elisabeth> <S3b4qUhq7b72aZqUNyWdynRNtOJEnKslfqR0i4vnaUIBu3EnkzjxTC22qzD2ZsbQgiIWtyuKQfO6fBNYSaSNYgzDqXSft95vpyuFjI_T_74=@protonmail.com> <20250129194854.6b67fbfe@elisabeth>
CC: "passt-dev@passt.top" <passt-dev@passt.top>, Andrea Bolognani <abologna@redhat.com>
List-Id: Development discussion and patches for passt <passt-dev.passt.top>


On Thursday, January 30th, 2025 at 12:33 AM, Stefano Brivio <sbrivio@redhat.com> wrote:

> On Wed, 29 Jan 2025 18:10:36 +0000
> Prafulla Giri prafulla.giri@protonmail.com wrote:
>
> > Hello,
> >
> > On Wednesday, January 29th, 2025 at 3:26 PM, Stefano Brivio sbrivio@redhat.com wrote:
> >
> > > Hi,
> > >
> > > On Wed, 29 Jan 2025 09:14:12 +0000
> > > Prafulla Giri prafulla.giri@protonmail.com wrote:
> > >
> > > > Esteemed maintainer,
> > > >
> > > > First and foremost, thank you very much for your hard work: passt is awesome and allows one to run more useful user-space VMs.
> > > >
> > > > I have encountered 2 particular issues with the usage of passt with Debian, and wanted to bring them to your attention as I think you are probably the best person to deal with this. I do plan on sending a report to the Debian team afterwards.
> > > >
> > > > For reference, I tested these on Debian Testing Daily Image dated 28 January 2025, with updates, and the version of passt available with it is passt 0.0~git20250121.4f2c8e7-1
> > > >
> > > > - Passt's default Apparmor config needs to allow writes to $XDG_RUNTIME_DIR (which is at /run/user/$UID). Currently it doesn't. Virt-manager, at least, tries to create the necessary sockets in the directory but apparmor prevents that from happening (and the error message Virt-Manager gives isn't helpful either: the first time around I falsely believed it was a segfault or similar issue). I managed to get passt working past this flaw (pun intended) by manually disabling apparmor for the binary. Passt works just fine in Fedora 41 as it doesn't use Apparmor but uses SELinux, and thus the configs don't affect it.
> > >
> > > Thanks for reporting this! I'm the maintainer of the Debian package, by
> > > the way. Cc'ing Andrea, who is a maintainer of the libvirt package for
> > > Debian and surely more knowledgeable about this.
> >
> > I'm glad to have bumped into you. Because of the email domain, I thought you weren't the Debian maintainer. Silly me.
>
>
> :)
>
> > > Note that virt-manager uses passt through libvirt (I think that's the only
> > > possibility) and this should actually be allowed in libvirt's AppArmor
> > > policy, in the sub-profile for passt:
> > >
> > > https://gitlab.com/libvirt/libvirt/-/blob/0264a7704ada52f686cafe8f6402d5b60f9f0fc4/src/security/apparmor/libvirt-qemu.in#L204
> > >
> > > the rationale is that passt itself doesn't know which directory libvirt
> > > will pick for its socket and PID files, so libvirt's policy has to
> > > specify that.
> > >
> > > So I think you should file an issue for the libvirt package in this
> > > case, unless Andrea has some pointers.
> >
> > I will wait for the maintainers' input on this one.
>
>
> One thing that might help meanwhile is if you have a look at
> /var/log/audit/audit.log after the failure occurs. Look for 'passt'
> there. There should be a message logging a denied access to some
> file: what does it say?
>
I didn't have auditd installed on Debian and installed it, and running everything with the default auditd config (with my Apparmor disabled for passt, as mentioned previously) does not result in anything. Do I have to configure auditd manually? Any pointers on that, please?

On Fedora 41, which seems to have auditd preconfigured, there aren't any significant reports about passt.

> > > > - This second issue is perhaps a bit more Debian-specific, but I am going to mention it so that you might drop some hints for the Debian maintainers to debug this: Once Apparmor is disabled and a VM is configured to work with passt, DNS resolution doesn't work in the VM (IP Addresses work just fine) i.e. `ping fsf.org` doesn't work but `ping 209.51.188.174` does. The hypervisor details follow:
> > > > $ virsh version # on Debian Testing a.k.a. 'Trixie'
> > > > Compiled against library: libvirt 11.0.0
> > > > Using library: libvirt 11.0.0
> > > > Using API: QEMU 11.0.0
> > > > Running hypervisor: QEMU 9.2.0
> > > > This, again, isn't an issue with Fedora 41, where everything just works. The hypervisor details for Fedora 41 are:
> > > > $ virsh version # on Fedora 41
> > > > Compiled against library: libvirt 10.6.0
> > > > Using library: libvirt 10.6.0
> > > > Using API: QEMU 10.6.0
> > > > Running hypervisor: QEMU 9.1.2
> > >
> > > Oops. Can you share the command line of passt as run by libvirt
> > > (say, 'ps aux|grep passt') for this case? passt has some basic
> > > DNS forwarding capabilities, which are configured depending on
> > > the host's resolver configuration.
> >
> > Certainly! I'm sorry I didn't do this earlier. I'd checked on this: there is no difference between the command that runs passt on Fedora 41 or Debian Trixie.
> >
> > This is the command on Fedora 41:
> > passt --one-off --socket /run/user/1000/libvirt/qemu/run/passt/4-dragora-net0.socket --pid /run/user/1000/libvirt/qemu/run/passt/4-dragora-net0-passt.pid
> >
> > and this is the command on Debian Trixie:
> > passt --one-off --socket /run/user/1000/libvirt/qemu/run/passt/1-vm1-net0.socket --pid /run/user/1000/libvirt/qemu/run/passt/1-vm1-net0-passt.pid
>
>
> Okay, nothing unexpected so far. Could you also please compare the
> output of 'passt -f -d' between the two cases? Just terminate it with
> ^C once you have the output.
Here are the outputs:
$ passt -f -d # on Debian Testing/Trixie
0.0016: No interfaces with usable IPv6 routes
0.0017: Failed to detect external interface for IPv6
0.0028: UNIX domain socket bound at /tmp/passt_1.socket
0.0029: Template interface: enp1s0 (IPv4)
0.0029: MAC:
0.0029:     host: 9a:55:9a:55:9a:55
0.0029:     NAT to host 127.0.0.1: 192.168.100.1
0.0029: DHCP:
0.0029:     assign: 192.168.100.157
0.0029:     mask: 255.255.255.0
0.0029:     router: 192.168.100.1
0.0029: DNS:
0.0029:     192.168.100.1
0.0029: DNS search list:
0.0029:     .
0.0056:
You can now start qemu (>= 7.2, with commit 13c6be96618c):
0.0056:     kvm ... -device virtio-net-pci,netdev=s -netdev stream,id=s,server=off,addr.type=unix,addr.path=/tmp/passt_1.socket
0.0057: or qrap, for earlier qemu versions:
0.0057:     ./qrap 5 kvm ... -net socket,fd=5 -net nic,model=virtio
0.0067: SO_PEEK_OFF supported
0.0067: TCP_INFO tcpi_snd_wnd field  supported
0.0067: TCP_INFO tcpi_bytes_acked field  supported
0.0067: TCP_INFO tcpi_min_rtt field  supported

$ passt -f -d
0.0022: UNIX domain socket bound at /tmp/passt_1.socket
0.0022: Template interface: wlp0s20f3 (IPv4)
0.0022: MAC:
0.0022:     host: 9a:55:9a:55:9a:55
0.0022:     NAT to host 127.0.0.1: 192.168.100.1
0.0023: DHCP:
0.0023:     assign: 192.168.100.157
0.0023:     mask: 255.255.255.0
0.0023:     router: 192.168.100.1
0.0023: DNS:
0.0023:     192.168.100.1
0.0023: DNS search list:
0.0023:     .
0.0047:
You can now start qemu (>= 7.2, with commit 13c6be96618c):
0.0047:     kvm ... -device virtio-net-pci,netdev=s -netdev stream,id=s,server=off,addr.type=unix,addr.path=/tmp/passt_1.socket
0.0047: or qrap, for earlier qemu versions:
0.0047:     ./qrap 5 kvm ... -net socket,fd=5 -net nic,model=virtio
0.0055: SO_PEEK_OFF supported
0.0055: TCP_INFO tcpi_snd_wnd field  supported
0.0055: TCP_INFO tcpi_bytes_acked field  supported
0.0055: TCP_INFO tcpi_min_rtt field  supported

>
> How are resolvers configured on the two hosts? What does
> /etc/resolv.conf say?
$ cat /etc/resolv.conf # On Fedora 41
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
[...]
nameserver 127.0.0.53
options edns0 trust-ad
search .
$ cat /etc/resolv.conf # On Debian Trixie
# This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).
[...]
nameserver 192.168.100.1
search .
$ cat /etc/resolv.conf # On a Debian 11 OS
# Generated by NetworkManager
nameserver 192.168.100.1

Also the output of `resolvectl status` for good measure:
# On Fedora 41
Global
         Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (wlp0s20f3)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.100.1
       DNS Servers: 192.168.100.1

# On Debian Trixie
Global
         Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: uplink

Link 2 (enp1s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 192.168.100.1
     Default Route: yes

>
> If nothing is visible from there, next check: 'virsh edit vm1' on
> Debian and add a log file in the XML, that is, replace this line:
>
> <backend type='passt'/>
>
>
> with:
>
> <backend type='passt' logFile='/tmp/passt.log'/>
>
>
> and then share the log.
>
The log from Debian Trixie host for VM1:
passt 0.0~git20250121.4f2c8e7-1: /usr/bin/passt.avx2 (6428)
0.0017: info:    No interfaces with usable IPv6 routes
0.0029: info:    UNIX domain socket bound at /run/user/1000/libvirt/qemu/run/passt/2-vm1-net0.socket
0.0030: info:    Template interface: enp1s0 (IPv4)
0.0030: info:    MAC:
0.0030: info:        host: 9a:55:9a:55:9a:55
0.0030: info:        NAT to host 127.0.0.1: 192.168.100.1
0.0030: info:    DHCP:
0.0031: info:        assign: 192.168.100.157
0.0031: info:        mask: 255.255.255.0
0.0031: info:        router: 192.168.100.1
0.0031: info:    DNS:
0.0031: info:        192.168.100.1
0.0031: info:    DNS search list:
0.0031: info:        .
0.0066: info:
You can now start qemu (>= 7.2, with commit 13c6be96618c):
0.0066: info:        kvm ... -device virtio-net-pci,netdev=s -netdev stream,id=s,server=off,addr.type=unix,addr.path=/run/user/1000/libvirt/qemu/run/passt/2-vm1-net0.socket
0.0066: info:    or qrap, for earlier qemu versions:
0.0066: info:        ./qrap 5 kvm ... -net socket,fd=5 -net nic,model=virtio
0.0617: info:    accepted connection from PID 0
38.6257: info:    DHCP: offer to discover
38.6257: info:        from 52:54:00:a0:e1:7c
38.6471: info:    DHCP: ack to request
38.6471: info:        from 52:54:00:a0:e1:7c
451.4989: info:    Client connection closed, exiting

The log from Fedora 41:
passt 0^20250121.g4f2c8e7-2.fc41.x86_64: /usr/bin/passt.avx2 (3138)
0.0017: info:    UNIX domain socket bound at /run/user/1000/libvirt/qemu/run/passt/3-debian-trixie-net0.socket
0.0018: info:    Template interface: wlp0s20f3 (IPv4)
0.0018: info:    MAC:
0.0018: info:        host: 9a:55:9a:55:9a:55
0.0018: info:        NAT to host 127.0.0.1: 192.168.100.1
0.0018: info:    DHCP:
0.0018: info:        assign: 192.168.100.157
0.0018: info:        mask: 255.255.255.0
0.0018: info:        router: 192.168.100.1
0.0018: info:    DNS:
0.0018: info:        192.168.100.1
0.0018: info:    DNS search list:
0.0018: info:        .
0.0043: info:
You can now start qemu (>= 7.2, with commit 13c6be96618c):
0.0043: info:        kvm ... -device virtio-net-pci,netdev=s -netdev stream,id=s,server=off,addr.type=unix,addr.path=/run/user/1000/libvirt/qemu/run/passt/3-debian-trixie-net0.socket
0.0043: info:    or qrap, for earlier qemu versions:
0.0043: info:        ./qrap 5 kvm ... -net socket,fd=5 -net nic,model=virtio
0.0591: info:    accepted connection from PID 0
10.7894: info:    DHCP: ack to discover (Rapid Commit)
10.7894: info:        from 52:54:00:8f:e7:c3
99.6704: info:    Client connection closed, exiting


> --
> Stefano
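Stefano suggests grepping /var/log/audit/audit.log for a denied access by passt. The following Python script is added here as an example and is not part of either participant's message: it parses AppArmor audit records into fields, keeps only DENIED entries attributable to passt (by comm, or by a passt sub-profile name such as the one libvirt uses), reports the denied paths with their permission bits, and flags those under /run/user/$UID. It also accepts the kernel-log form (journalctl -k, dmesg) that AppArmor denials take when auditd is not running, which is the place to look on a host where auditd shows nothing. The sample log lines are constructed; the operation names, pids, serial numbers, profile names and the qemu record are assumptions.

```python
import re
# Constructed sample, not from the thread. Record 2 is in the kernel-log form (journalctl -k,
# dmesg) that AppArmor denials take when auditd is not running; the rest use the
# /var/log/audit/audit.log form. Paths follow the socket/PID layout quoted above; the
# operations, pids, serials, profile names and the qemu record are assumptions for illustration.
SAMPLE_LOG = """\
type=AVC msg=audit(1738231530.101:412): apparmor="DENIED" operation="mknod" profile="/usr/bin/passt" name="/run/user/1000/libvirt/qemu/run/passt/1-vm1-net0.socket" pid=6428 comm="passt" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[ 1234.567890] audit: type=1400 audit(1738231530.102:413): apparmor="DENIED" operation="open" profile="/usr/bin/passt" name="/run/user/1000/libvirt/qemu/run/passt/1-vm1-net0-passt.pid" pid=6428 comm="passt" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=AVC msg=audit(1738231530.200:414): apparmor="ALLOWED" operation="open" profile="/usr/bin/passt" name="/etc/resolv.conf" pid=6428 comm="passt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1738231530.300:415): apparmor="DENIED" operation="open" profile="libvirt-d7a1b2c3" name="/tmp/unrelated" pid=6501 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')  # key="quoted" or key=bare

def parse_record(line):
    """Return the fields of one AppArmor audit record as a dict, or None for any other line."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1) or m.group(3)] = m.group(2) if m.group(2) is not None else m.group(4)
    return fields

def passt_denials(log_text):
    """Yield DENIED records where passt is the process (comm) or is named in the profile;
    the profile check matters because libvirt confines passt in a sub-profile of its own."""
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get('apparmor') != 'DENIED' or 'name' not in rec:
            continue
        if rec.get('comm') == 'passt' or 'passt' in rec.get('profile', ''):
            yield rec

def summarize(log_text):
    """Map each path passt was denied on to the union of its denied permission bits."""
    denied = {}
    for rec in passt_denials(log_text):
        bits = set(denied.get(rec['name'], '')) | set(rec.get('denied_mask', ''))
        denied[rec['name']] = ''.join(sorted(bits))
    return denied

def under_runtime_dir(summary, uid=1000):
    """Denied paths inside $XDG_RUNTIME_DIR (/run/user/$UID), the gap reported in the thread."""
    return sorted(p for p in summary if p.startswith(f'/run/user/{uid}/'))

if __name__ == '__main__':
    report = summarize(SAMPLE_LOG)
    print(report, '\nneeds a $XDG_RUNTIME_DIR rule:', bool(under_runtime_dir(report)))
```

To run it on a real host, replace SAMPLE_LOG with the contents of audit.log or the output of `journalctl -k`.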