Date: Thu, 30 Jan 2025 10:05:14 +0000
From: Prafulla Giri <prafulla.giri@protonmail.com>
To: Stefano Brivio <sbrivio@redhat.com>
Cc: passt-dev@passt.top, Andrea Bolognani <abologna@redhat.com>
Subject: Re: Apparmor (and other) Issues

On Thursday, January 30th, 2025 at 12:33 AM, Stefano Brivio <sbrivio@redhat.com> wrote:

> On Wed, 29 Jan 2025 18:10:36 +0000
> Prafulla Giri <prafulla.giri@protonmail.com> wrote:
>
> > Hello,
> >
> > On Wednesday, January 29th, 2025 at 3:26 PM, Stefano Brivio <sbrivio@redhat.com> wrote:
> >
> > > Hi,
> > >
> > > On Wed, 29 Jan 2025 09:14:12 +0000
> > > Prafulla Giri <prafulla.giri@protonmail.com> wrote:
> > >
> > > > Esteemed maintainer,
> > > >
> > > > First and foremost, thank you very much for your hard work: passt is awesome and allows one to run more useful user-space VM-s.
> > > >
> > > > I have encountered 2 particular issues with the usage of passt with Debian, and wanted to bring them to your attention as I think you are probably the best person to deal with this. I do plan on sending a report to the Debian team afterwards.
> > > >
> > > > For reference, I tested these on Debian Testing Daily Image dated 28 January 2025, with updates, and the version of passt available with it is passt 0.0~git20250121.4f2c8e7-1
> > > >
> > > > - Passt's default Apparmor config needs to allow writes to $XDG_RUNTIME_DIR (which is at /run/user/$UID). Currently it doesn't. Virt-manager, at least, tries to create the necessary sockets in the directory but apparmor prevents that from happening (and the error message Virt-Manager gives isn't helpful either: the first time around I falsely believed it was a segfault or similar issue). I managed to get passt working past this flaw (pun intended) by manually disabling apparmor for the binary. Passt works just fine in Fedora 41 as it doesn't use Apparmor but uses SELinux, and thus the configs don't affect it.
> > >
> > > Thanks for reporting this! I'm the maintainer of the Debian package, by
> > > the way. Cc'ing Andrea, who is a maintainer of the libvirt package for
> > > Debian and surely more knowledgeable about this.
> >
> > I'm glad to have bumped into you. Because of the email domain, I thought you weren't the Debian maintainer. Silly me.
>
> :)
>
> > > Note that virt-manager uses passt through libvirt (I think that's only
> > > possibility) and this should actually be allowed in libvirt's AppArmor
> > > policy, in the sub-profile for passt:
> > >
> > > https://gitlab.com/libvirt/libvirt/-/blob/0264a7704ada52f686cafe8f6402d5b60f9f0fc4/src/security/apparmor/libvirt-qemu.in#L204
> > >
> > > the rationale is that passt itself doesn't know which directory libvirt
> > > will pick for its socket and PID files, so libvirt's policy has to
> > > specify that.
> > >
> > > So I think you should file an issue for the libvirt package in this
> > > case, unless Andrea has some pointers.
> >
> > I will wait for the maintainers' input on this one.
>
> One thing that might help meanwhile is if you have a look at
> /var/log/audit/audit.log after the failure occurs. Look for 'passt'
> there. There should be a message logging a denied access to some
> file: what does it say?
>

I didn't have auditd installed on Debian and installed it, and running everything with the default auditd config (with my Apparmor disabled for passt, as mentioned previously) does not result in anything. Do I have to configure auditd manually? Any pointers on that, please?

On Fedora 41, which seems to have auditd preconfigured, there aren't any significant reports about passt.

> > > > - This second issue is perhaps a bit more Debian-specific, but I am going to mention it so that you might drop some hints for the Debian maintainers to debug this: Once Apparmor is disabled and a VM is configured to work with passt, DNS resolution doesn't work in the VM (IP addresses work just fine), i.e. `ping fsf.org` doesn't work but `ping 209.51.188.174` does. The hypervisor details follow:
> > > >
> > > > $ virsh version # on Debian Testing a.k.a. 'Trixie'
> > > > Compiled against library: libvirt 11.0.0
> > > > Using library: libvirt 11.0.0
> > > > Using API: QEMU 11.0.0
> > > > Running hypervisor: QEMU 9.2.0
> > > >
> > > > This, again, isn't an issue with Fedora 41, where everything just works. The hypervisor details for Fedora 41 are:
> > > >
> > > > $ virsh version # on Fedora 41
> > > > Compiled against library: libvirt 10.6.0
> > > > Using library: libvirt 10.6.0
> > > > Using API: QEMU 10.6.0
> > > > Running hypervisor: QEMU 9.1.2
> > >
> > > Oops. Can you share the command line of passt as run by libvirt
> > > (say, 'ps aux|grep passt') for this case? passt has some basic
> > > DNS forwarding capabilities, which are configured depending on
> > > the host's resolver configuration.
> >
> > Certainly! I'm sorry I didn't do this earlier. I'd checked on this: there is no difference between the command that runs passt on Fedora 41 or Debian Trixie.
> >
> > This is the command on Fedora 41:
> > passt --one-off --socket /run/user/1000/libvirt/qemu/run/passt/4-dragora-net0.socket --pid /run/user/1000/libvirt/qemu/run/passt/4-dragora-net0-passt.pid
> >
> > and this is the command on Debian Trixie:
> > passt --one-off --socket /run/user/1000/libvirt/qemu/run/passt/1-vm1-net0.socket --pid /run/user/1000/libvirt/qemu/run/passt/1-vm1-net0-passt.pid
>
> Okay, nothing unexpected so far. Could you also please compare the
> output of 'passt -f -d' between the two cases? Just terminate it with
> ^C once you have the output.

Here are the outputs:

$ passt -f -d # on Debian Testing/Trixie
0.0016: No interfaces with usable IPv6 routes
0.0017: Failed to detect external interface for IPv6
0.0028: UNIX domain socket bound at /tmp/passt_1.socket
0.0029: Template interface: enp1s0 (IPv4)
0.0029:     MAC:
0.0029:         host: 9a:55:9a:55:9a:55
0.0029:     NAT to host 127.0.0.1: 192.168.100.1
0.0029:     DHCP:
0.0029:         assign: 192.168.100.157
0.0029:         mask: 255.255.255.0
0.0029:         router: 192.168.100.1
0.0029:     DNS:
0.0029:         192.168.100.1
0.0029:     DNS search list:
0.0029:         .
0.0056:
You can now start qemu (>= 7.2, with commit 13c6be96618c):
0.0056:     kvm ... -device virtio-net-pci,netdev=s -netdev stream,id=s,server=off,addr.type=unix,addr.path=/tmp/passt_1.socket
0.0057: or qrap, for earlier qemu versions:
0.0057:     ./qrap 5 kvm ... -net socket,fd=5 -net nic,model=virtio
0.0067: SO_PEEK_OFF supported
0.0067: TCP_INFO tcpi_snd_wnd field supported
0.0067: TCP_INFO tcpi_bytes_acked field supported
0.0067: TCP_INFO tcpi_min_rtt field supported

$ passt -f -d
0.0022: UNIX domain socket bound at /tmp/passt_1.socket
0.0022: Template interface: wlp0s20f3 (IPv4)
0.0022:     MAC:
0.0022:         host: 9a:55:9a:55:9a:55
0.0022:     NAT to host 127.0.0.1: 192.168.100.1
0.0023:     DHCP:
0.0023:         assign: 192.168.100.157
0.0023:         mask: 255.255.255.0
0.0023:         router: 192.168.100.1
0.0023:     DNS:
0.0023:         192.168.100.1
0.0023:     DNS search list:
0.0023:         .
0.0047:
You can now start qemu (>= 7.2, with commit 13c6be96618c):
0.0047:     kvm ... -device virtio-net-pci,netdev=s -netdev stream,id=s,server=off,addr.type=unix,addr.path=/tmp/passt_1.socket
0.0047: or qrap, for earlier qemu versions:
0.0047:     ./qrap 5 kvm ... -net socket,fd=5 -net nic,model=virtio
0.0055: SO_PEEK_OFF supported
0.0055: TCP_INFO tcpi_snd_wnd field supported
0.0055: TCP_INFO tcpi_bytes_acked field supported
0.0055: TCP_INFO tcpi_min_rtt field supported

>
> How are resolvers configured on the two hosts? What does
> /etc/resolv.conf say?

$ cat /etc/resolv.conf # On Fedora 41
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
[...]
nameserver 127.0.0.53
options edns0 trust-ad
search .

$ cat /etc/resolv.conf # On Debian Trixie
# This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).
[...]
nameserver 192.168.100.1
search .

$ cat /etc/resolv.conf # On a Debian 11 OS
# Generated by NetworkManager
nameserver 192.168.100.1

Also the output of `resolvectl status` for good measure:

# On Fedora 41
Global
         Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (wlp0s20f3)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.100.1
       DNS Servers: 192.168.100.1

# On Debian Trixie
Global
         Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: uplink

Link 2 (enp1s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 192.168.100.1
     Default Route: yes

>
> If nothing is visible from there, next check: 'virsh edit vm1' on
> Debian and add a log file in the XML, that is, replace this line:
>
> <backend type='passt'/>
>
> with:
>
> <backend type='passt' logFile='/tmp/passt.log'/>
>
> and then share the log.
>

The log from the Debian Trixie host for VM1:

passt 0.0~git20250121.4f2c8e7-1: /usr/bin/passt.avx2 (6428)
0.0017: info: No interfaces with usable IPv6 routes
0.0029: info: UNIX domain socket bound at /run/user/1000/libvirt/qemu/run/passt/2-vm1-net0.socket
0.0030: info: Template interface: enp1s0 (IPv4)
0.0030: info:     MAC:
0.0030: info:         host: 9a:55:9a:55:9a:55
0.0030: info:     NAT to host 127.0.0.1: 192.168.100.1
0.0030: info:     DHCP:
0.0031: info:         assign: 192.168.100.157
0.0031: info:         mask: 255.255.255.0
0.0031: info:         router: 192.168.100.1
0.0031: info:     DNS:
0.0031: info:         192.168.100.1
0.0031: info:     DNS search list:
0.0031: info:         .
0.0066: info:
You can now start qemu (>= 7.2, with commit 13c6be96618c):
0.0066: info:     kvm ... -device virtio-net-pci,netdev=s -netdev stream,id=s,server=off,addr.type=unix,addr.path=/run/user/1000/libvirt/qemu/run/passt/2-vm1-net0.socket
0.0066: info: or qrap, for earlier qemu versions:
0.0066: info:     ./qrap 5 kvm ... -net socket,fd=5 -net nic,model=virtio
0.0617: info: accepted connection from PID 0
38.6257: info: DHCP: offer to discover
38.6257: info:     from 52:54:00:a0:e1:7c
38.6471: info: DHCP: ack to request
38.6471: info:     from 52:54:00:a0:e1:7c
451.4989: info: Client connection closed, exiting

The log from Fedora 41:

passt 0^20250121.g4f2c8e7-2.fc41.x86_64: /usr/bin/passt.avx2 (3138)
0.0017: info: UNIX domain socket bound at /run/user/1000/libvirt/qemu/run/passt/3-debian-trixie-net0.socket
0.0018: info: Template interface: wlp0s20f3 (IPv4)
0.0018: info:     MAC:
0.0018: info:         host: 9a:55:9a:55:9a:55
0.0018: info:     NAT to host 127.0.0.1: 192.168.100.1
0.0018: info:     DHCP:
0.0018: info:         assign: 192.168.100.157
0.0018: info:         mask: 255.255.255.0
0.0018: info:         router: 192.168.100.1
0.0018: info:     DNS:
0.0018: info:         192.168.100.1
0.0018: info:     DNS search list:
0.0018: info:         .
0.0043: info:
You can now start qemu (>= 7.2, with commit 13c6be96618c):
0.0043: info:     kvm ... -device virtio-net-pci,netdev=s -netdev stream,id=s,server=off,addr.type=unix,addr.path=/run/user/1000/libvirt/qemu/run/passt/3-debian-trixie-net0.socket
0.0043: info: or qrap, for earlier qemu versions:
0.0043: info:     ./qrap 5 kvm ... -net socket,fd=5 -net nic,model=virtio
0.0591: info: accepted connection from PID 0
10.7894: info: DHCP: ack to discover (Rapid Commit)
10.7894: info:     from 52:54:00:8f:e7:c3
99.6704: info: Client connection closed, exiting

> --
> Stefano
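The thread compares two things between the hosts: the startup section of passt's log (template interface, the "NAT to host" mapping, the DHCP/DNS values handed to the guest) and the host's /etc/resolv.conf, which Stefano notes is what passt's DNS forwarding is configured from. The script below is an added example, not part of the thread and not passt's or libvirt's own tooling: it parses both inputs so the comparison can be made mechanically, and reports whether a DNS address given to the guest coincides with an address passt rewrites to the host, and whether the host's own resolver is a loopback address. The sample log and resolv.conf strings are constructed to match the shape of the outputs quoted above (timestamps and indentation are made up; the addresses are the ones in the thread). The report is a comparison aid only; it does not by itself establish why resolution fails on one host.

```python
"""Parse the startup section of a passt log and compare the DNS servers
handed to the guest with the address passt maps to the host's loopback,
alongside the host's own /etc/resolv.conf nameservers."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, shaped like the Debian log quoted in the thread
# (timestamps and indentation made up; addresses as in the thread).
DEBIAN_LOG = """\
0.0017: info: No interfaces with usable IPv6 routes
0.0029: info: UNIX domain socket bound at /run/user/1000/libvirt/qemu/run/passt/2-vm1-net0.socket
0.0030: info: Template interface: enp1s0 (IPv4)
0.0030: info:     MAC:
0.0030: info:         host: 9a:55:9a:55:9a:55
0.0030: info:     NAT to host 127.0.0.1: 192.168.100.1
0.0030: info:     DHCP:
0.0031: info:         assign: 192.168.100.157
0.0031: info:         mask: 255.255.255.0
0.0031: info:         router: 192.168.100.1
0.0031: info:     DNS:
0.0031: info:         192.168.100.1
0.0031: info:     DNS search list:
0.0031: info:         .
0.0066: info:
You can now start qemu (>= 7.2, with commit 13c6be96618c):
0.0066: info:     kvm ... -device virtio-net-pci,netdev=s -netdev stream,id=s
0.0617: info: accepted connection from PID 0
38.6257: info: DHCP: offer to discover
"""

# Constructed resolv.conf samples mirroring the two hosts in the thread.
DEBIAN_RESOLV = ("# This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).\n"
                 "nameserver 192.168.100.1\nsearch .\n")
FEDORA_RESOLV = ("# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).\n"
                 "nameserver 127.0.0.53\noptions edns0 trust-ad\nsearch .\n")

# Leading "<seconds>: " and the optional "info: " level tag of passt's log lines.
PREFIX = re.compile(r"^\s*\d+\.\d+:\s*(?:info:\s*)?")


@dataclass
class PasstConfig:
    interface: Optional[str] = None
    nat_to_host: Dict[str, str] = field(default_factory=dict)  # host addr -> guest-visible addr
    dhcp: Dict[str, str] = field(default_factory=dict)
    dns: List[str] = field(default_factory=list)
    search: List[str] = field(default_factory=list)


def parse_passt_log(text: str) -> PasstConfig:
    """Extract the startup summary; works for 'passt -f -d' output (no level tag) too."""
    cfg = PasstConfig()
    section = None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:
            continue
        m = re.match(r"Template interface: (\S+)", line)
        if m:
            cfg.interface, section = m.group(1), None
            continue
        m = re.match(r"NAT to host (\S+): (\S+)", line)
        if m:
            cfg.nat_to_host[m.group(1)], section = m.group(2), None
            continue
        if line.endswith(":"):            # "MAC:", "DHCP:", "DNS:", "DNS search list:" ...
            section = line[:-1]
            continue
        if section == "DHCP" and ": " in line:
            key, value = line.split(": ", 1)
            cfg.dhcp[key] = value
        elif section == "DNS":
            cfg.dns.append(line)
        elif section == "DNS search list":
            cfg.search.append(line)
    return cfg


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses, ignoring comments and other directives."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr == "::1"


def dns_overlapping_host_nat(cfg: PasstConfig) -> List[str]:
    """Guest DNS servers that are also an address passt rewrites to a host address."""
    return [d for d in cfg.dns if d in cfg.nat_to_host.values()]


def compare(log_text: str, resolv_text: str) -> Dict[str, object]:
    cfg = parse_passt_log(log_text)
    host_ns = parse_resolv_conf(resolv_text)
    return {
        "interface": cfg.interface,
        "guest_dns": cfg.dns,
        "host_nameservers": host_ns,
        "host_resolver_is_loopback": bool(host_ns) and all(is_loopback(a) for a in host_ns),
        "guest_dns_overlapping_host_nat": dns_overlapping_host_nat(cfg),
    }


if __name__ == "__main__":
    for name, resolv in (("debian", DEBIAN_RESOLV), ("fedora", FEDORA_RESOLV)):
        print(name, compare(DEBIAN_LOG, resolv))
```

Feed it a real log file written via the libvirt `logFile` attribute or the captured `passt -f -d` output, plus the host's /etc/resolv.conf, and diff the two dictionaries between hosts; the fields that differ are the ones worth raising on the list.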