From: Prafulla Giri <prafulla.giri@protonmail.com>
To: Stefano Brivio
Cc: passt-dev@passt.top, Andrea Bolognani
Date: Wed, 29 Jan 2025 18:10:36 +0000
Subject: Re: Apparmor (and other) Issues
In-Reply-To: <20250129104112.0756df5c@elisabeth>
References: <20250129104112.0756df5c@elisabeth>
List-Id: Development discussion and patches for passt

Hello,

On Wednesday, January 29th, 2025 at 3:26 PM, Stefano Brivio wrote:

> Hi,
>
> On Wed, 29 Jan 2025 09:14:12 +0000
> Prafulla Giri <prafulla.giri@protonmail.com> wrote:
>
> > Esteemed maintainer,
> >
> > First and foremost, thank you very much for your hard work: passt is awesome and allows one to run more useful user-space VMs.
> >
> > I have encountered 2 particular issues with the usage of passt with Debian, and wanted to bring them to your attention as I think you are probably the best person to deal with this. I do plan on sending a report to the Debian team afterwards.
> >
> > For reference, I tested these on Debian Testing Daily Image dated 28 January 2025, with updates, and the version of passt available with it is passt 0.0~git20250121.4f2c8e7-1
> >
> > - Passt's default Apparmor config needs to allow writes to $XDG_RUNTIME_DIR (which is at /run/user/$UID). Currently it doesn't. Virt-manager, at least, tries to create the necessary sockets in the directory but apparmor prevents that from happening (and the error message Virt-Manager gives isn't helpful either: the first time around I falsely believed it was a segfault or similar issue). I managed to get passt working past this flaw (pun intended) by manually disabling apparmor for the binary. Passt works just fine in Fedora 41 as it doesn't use Apparmor but uses SELinux, and thus the configs don't affect it.
>
> Thanks for reporting this! I'm the maintainer of the Debian package, by
> the way. Cc'ing Andrea, who is a maintainer of the libvirt package for
> Debian and surely more knowledgeable about this.

I'm glad to have bumped into you. Because of the email domain, I thought you weren't the Debian maintainer. Silly me.

> Note that virt-manager uses passt through libvirt (I think that's the only
> possibility) and this should actually be allowed in libvirt's AppArmor
> policy, in the sub-profile for passt:
>
> https://gitlab.com/libvirt/libvirt/-/blob/0264a7704ada52f686cafe8f6402d5b60f9f0fc4/src/security/apparmor/libvirt-qemu.in#L204
>
> the rationale is that passt itself doesn't know which directory libvirt
> will pick for its socket and PID files, so libvirt's policy has to
> specify that.
>
> So I think you should file an issue for the libvirt package in this
> case, unless Andrea has some pointers.

I will wait for the maintainers' input on this one.

> > - This second issue is perhaps a bit more Debian-specific, but I am going to mention it so that you might drop some hints for the Debian maintainers to debug this: Once Apparmor is disabled and a VM is configured to work with passt, DNS resolution doesn't work in the VM (IP addresses work just fine), i.e. `ping fsf.org` doesn't work but `ping 209.51.188.174` does. The hypervisor details follow:
> >
> > $ virsh version # on Debian Testing a.k.a. 'Trixie'
> > Compiled against library: libvirt 11.0.0
> > Using library: libvirt 11.0.0
> > Using API: QEMU 11.0.0
> > Running hypervisor: QEMU 9.2.0
> >
> > This, again, isn't an issue with Fedora 41, where everything just works. The hypervisor details for Fedora 41 are:
> >
> > $ virsh version # on Fedora 41
> > Compiled against library: libvirt 10.6.0
> > Using library: libvirt 10.6.0
> > Using API: QEMU 10.6.0
> > Running hypervisor: QEMU 9.1.2
>
> Oops. Can you share the command line of passt as run by libvirt
> (say, 'ps aux|grep passt') for this case? passt has some basic
> DNS forwarding capabilities, which are configured depending on
> the host's resolver configuration.

Certainly! I'm sorry I didn't do this earlier.
I'd checked on this: there is no difference between the command that runs passt on Fedora 41 or Debian Trixie.

This is the command on Fedora 41:

passt --one-off --socket /run/user/1000/libvirt/qemu/run/passt/4-dragora-net0.socket --pid /run/user/1000/libvirt/qemu/run/passt/4-dragora-net0-passt.pid

and this is the command on Debian Trixie:

passt --one-off --socket /run/user/1000/libvirt/qemu/run/passt/1-vm1-net0.socket --pid /run/user/1000/libvirt/qemu/run/passt/1-vm1-net0-passt.pid

Just for the record, I'm also putting in the QEMU commands for Fedora 41 and Debian Trixie, as well:

Fedora 41:

/usr/bin/qemu-system-x86_64 -name guest=debian-trixie,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"raw","file":"/home/larryboy/.config/libvirt/qemu/lib/domain-5-debian-trixie/master-key.aes"} -machine pc-q35-9.1,usb=off,vmport=off,dump-guest-core=off,memory-backend=pc.ram,hpet=off,acpi=on -accel kvm -cpu host,migratable=on -m size=8388608k -object {"qom-type":"memory-backend-ram","id":"pc.ram","size":8589934592} -overcommit mem-lock=off -smp 4,sockets=4,cores=1,threads=1 -uuid d00ad47e-3cfe-4a1a-af01-b23417aad670 -no-user-config -nodefaults -chardev socket,id=charmonitor,fd=31,server=on,wait=off -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=delay -no-shutdown -global ICH9-LPC.disable_s3=1 -global ICH9-LPC.disable_s4=1 -boot strict=on -device {"driver":"pcie-root-port","port":16,"chassis":1,"id":"pci.1","bus":"pcie.0","multifunction":true,"addr":"0x2"} -device {"driver":"pcie-root-port","port":17,"chassis":2,"id":"pci.2","bus":"pcie.0","addr":"0x2.0x1"} -device {"driver":"pcie-root-port","port":18,"chassis":3,"id":"pci.3","bus":"pcie.0","addr":"0x2.0x2"} -device {"driver":"pcie-root-port","port":19,"chassis":4,"id":"pci.4","bus":"pcie.0","addr":"0x2.0x3"} -device {"driver":"pcie-root-port","port":20,"chassis":5,"id":"pci.5","bus":"pcie.0","addr":"0x2.0x4"} -device {"driver":"pcie-root-port","port":21,"chassis":6,"id":"pci.6","bus":"pcie.0","addr":"0x2.0x5"} -device {"driver":"pcie-root-port","port":22,"chassis":7,"id":"pci.7","bus":"pcie.0","addr":"0x2.0x6"} -device {"driver":"pcie-root-port","port":23,"chassis":8,"id":"pci.8","bus":"pcie.0","addr":"0x2.0x7"} -device {"driver":"pcie-root-port","port":24,"chassis":9,"id":"pci.9","bus":"pcie.0","multifunction":true,"addr":"0x3"} -device {"driver":"pcie-root-port","port":25,"chassis":10,"id":"pci.10","bus":"pcie.0","addr":"0x3.0x1"} -device {"driver":"pcie-root-port","port":26,"chassis":11,"id":"pci.11","bus":"pcie.0","addr":"0x3.0x2"} -device {"driver":"pcie-root-port","port":27,"chassis":12,"id":"pci.12","bus":"pcie.0","addr":"0x3.0x3"} -device {"driver":"pcie-root-port","port":28,"chassis":13,"id":"pci.13","bus":"pcie.0","addr":"0x3.0x4"} -device {"driver":"pcie-root-port","port":29,"chassis":14,"id":"pci.14","bus":"pcie.0","addr":"0x3.0x5"} -device {"driver":"qemu-xhci","p2":15,"p3":15,"id":"usb","bus":"pci.2","addr":"0x0"} -device {"driver":"virtio-serial-pci","id":"virtio-serial0","bus":"pci.3","addr":"0x0"} -blockdev {"driver":"file","filename":"/home/larryboy/.local/share/libvirt/images/debian-13-nocloud-amd64-daily.qcow2","node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"} -blockdev {"node-name":"libvirt-2-format","read-only":true,"discard":"unmap","driver":"qcow2","file":"libvirt-2-storage","backing":null} -blockdev {"driver":"file","filename":"/home/larryboy/.local/share/libvirt/images/debian-trixie.qcow2","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"} -blockdev {"node-name":"libvirt-1-format","read-only":false,"discard":"unmap","driver":"qcow2","file":"libvirt-1-storage","backing":"libvirt-2-format"} -device {"driver":"virtio-blk-pci","bus":"pci.4","addr":"0x0","drive":"libvirt-1-format","id":"virtio-disk0","bootindex":1} -netdev {"type":"stream","addr":{"type":"unix","path":"/run/user/1000/libvirt/qemu/run/passt/5-debian-trixie-net0.socket"},"server":false,"reconnect":5,"id":"hostnet0"} -device {"driver":"virtio-net-pci","netdev":"hostnet0","id":"net0","mac":"52:54:00:8f:e7:c3","bus":"pci.1","addr":"0x0"} -chardev pty,id=charserial0 -device {"driver":"isa-serial","chardev":"charserial0","id":"serial0","index":0} -chardev socket,id=charchannel0,fd=30,server=on,wait=off -device {"driver":"virtserialport","bus":"virtio-serial0.0","nr":1,"chardev":"charchannel0","id":"channel0","name":"org.qemu.guest_agent.0"} -chardev spicevmc,id=charchannel1,name=vdagent -device {"driver":"virtserialport","bus":"virtio-serial0.0","nr":2,"chardev":"charchannel1","id":"channel1","name":"com.redhat.spice.0"} -device {"driver":"usb-tablet","id":"input0","bus":"usb.0","port":"1"} -audiodev {"id":"audio1","driver":"spice"} -spice port=5901,addr=127.0.0.1,disable-ticketing=on,image-compression=off,seamless-migration=on -display egl-headless,rendernode=/dev/dri/renderD128 -device {"driver":"virtio-vga-gl","id":"video0","max_outputs":1,"bus":"pcie.0","addr":"0x1"} -device {"driver":"ich9-intel-hda","id":"sound0","bus":"pcie.0","addr":"0x1b"} -device {"driver":"hda-duplex","id":"sound0-codec0","bus":"sound0.0","cad":0,"audiodev":"audio1"} -global ICH9-LPC.noreboot=off -watchdog-action reset -chardev spicevmc,id=charredir0,name=usbredir -device {"driver":"usb-redir","chardev":"charredir0","id":"redir0","bus":"usb.0","port":"2"} -chardev spicevmc,id=charredir1,name=usbredir -device {"driver":"usb-redir","chardev":"charredir1","id":"redir1","bus":"usb.0","port":"3"} -device {"driver":"virtio-balloon-pci","id":"balloon0","bus":"pci.5","addr":"0x0"} -object {"qom-type":"rng-random","id":"objrng0","filename":"/dev/urandom"} -device {"driver":"virtio-rng-pci","rng":"objrng0","id":"rng0","bus":"pci.6","addr":"0x0"} -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny -msg timestamp=on

Debian Trixie:

/usr/bin/qemu-system-x86_64 -name guest=vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"raw","file":"/home/larryboy/.config/libvirt/qemu/lib/domain-1-vm1/master-key.aes"} -machine pc-i440fx-9.2,usb=off,vmport=off,dump-guest-core=off,memory-backend=pc.ram,hpet=off,acpi=on -accel kvm -cpu Denverton,vmx=on,fma=on,pdcm=on,pcid=on,avx=on,f16c=on,hypervisor=on,ss=on,tsc-adjust=on,bmi1=on,avx2=on,bmi2=on,invpcid=on,avx512f=on,avx512dq=on,adx=on,avx512ifma=on,clwb=on,avx512cd=on,avx512bw=on,avx512vl=on,avx512vbmi=on,umip=on,pku=on,avx512vbmi2=on,gfni=on,vaes=on,vpclmulqdq=on,avx512vnni=on,avx512bitalg=on,avx512-vpopcntdq=on,rdpid=on,movdiri=on,movdir64b=on,fsrm=on,avx512-vp2intersect=on,md-clear=on,stibp=on,flush-l1d=on,xsaves=on,abm=on,ibpb=on,ibrs=on,amd-stibp=on,amd-ssbd=on,ibrs-all=on,mds-no=on,pschange-mc-no=on,fbsdp-no=on,gds-no=on,rfds-no=on,vmx-activity-wait-sipi=on,vmx-xsaves=on,vmx-tsc-scaling=on,vmx-invvpid=on,mpx=off -m size=1048576k -object {"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824} -overcommit mem-lock=off -smp 1,sockets=1,cores=1,threads=1 -uuid aa332a62-1b7f-4a3c-b2c5-908e5e339b72 -no-user-config -nodefaults -chardev socket,id=charmonitor,fd=27,server=on,wait=off -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=delay -no-shutdown -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot menu=on,strict=on -device {"driver":"ich9-usb-ehci1","id":"usb","bus":"pci.0","addr":"0x5.0x7"} -device {"driver":"ich9-usb-uhci1","masterbus":"usb.0","firstport":0,"bus":"pci.0","multifunction":true,"addr":"0x5"} -device {"driver":"ich9-usb-uhci2","masterbus":"usb.0","firstport":2,"bus":"pci.0","addr":"0x5.0x1"} -device {"driver":"ich9-usb-uhci3","masterbus":"usb.0","firstport":4,"bus":"pci.0","addr":"0x5.0x2"} -device {"driver":"virtio-serial-pci","id":"virtio-serial0","bus":"pci.0","addr":"0x6"} -blockdev {"driver":"file","filename":"/home/larryboy/.local/share/libvirt/images/vm1.qcow2","node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"} -blockdev {"node-name":"libvirt-2-format","read-only":false,"driver":"qcow2","file":"libvirt-2-storage","backing":null} -device {"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-2-format","id":"ide0-0-0","bootindex":2} -blockdev {"driver":"file","filename":"/home/larryboy/.local/share/libvirt/images/dsl-2024.rc7.iso","node-name":"libvirt-1-storage","read-only":true} -device {"driver":"ide-cd","bus":"ide.0","unit":1,"drive":"libvirt-1-storage","id":"ide0-0-1","bootindex":1} -netdev {"type":"stream","addr":{"type":"unix","path":"/run/user/1000/libvirt/qemu/run/passt/1-vm1-net0.socket"},"server":false,"reconnect-ms":5000,"id":"hostnet0"} -device {"driver":"rtl8139","netdev":"hostnet0","id":"net0","mac":"52:54:00:a0:e1:7c","bus":"pci.0","addr":"0x3"} -chardev pty,id=charserial0 -device {"driver":"isa-serial","chardev":"charserial0","id":"serial0","index":0} -chardev spicevmc,id=charchannel0,name=vdagent -device {"driver":"virtserialport","bus":"virtio-serial0.0","nr":1,"chardev":"charchannel0","id":"channel0","name":"com.redhat.spice.0"} -device {"driver":"usb-tablet","id":"input0","bus":"usb.0","port":"1"} -audiodev {"id":"audio1","driver":"spice"} -spice port=5900,addr=127.0.0.1,disable-ticketing=on,seamless-migration=on -display egl-headless,rendernode=/dev/dri/renderD128 -device {"driver":"virtio-vga-gl","id":"video0","max_outputs":1,"bus":"pci.0","addr":"0x2"} -device {"driver":"AC97","id":"sound0","audiodev":"audio1","bus":"pci.0","addr":"0x4"} -chardev spicevmc,id=charredir0,name=usbredir -device {"driver":"usb-redir","chardev":"charredir0","id":"redir0","bus":"usb.0","port":"2"} -chardev spicevmc,id=charredir1,name=usbredir -device {"driver":"usb-redir","chardev":"charredir1","id":"redir1","bus":"usb.0","port":"3"} -device {"driver":"virtio-balloon-pci","id":"balloon0","bus":"pci.0","addr":"0x7"} -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny -msg timestamp=on

> > Again, I will be making a report to the Debian maintainers, should they wish to chime in regarding Apparmor configs or the DNS resolution issue.
>
> Please file a separate issue, in case. This one would be for
> passt.

I think I no longer have to, since I have the Debian maintainer right here. (:

> > Thank you once again for this awesome tool.
>
> And thanks again for trying it out and reporting issues!

I'm happy to be of some assistance (:

> --
> Stefano
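Added example, not code from the original report, from passt or from libvirt: the thread turns on an AppArmor policy that does not cover the socket and PID file libvirt asks passt to create under /run/user/$UID, and the practical way to confirm that (rather than disabling the profile for the binary) is to read the kernel's AppArmor "DENIED" audit lines and derive the rule the confining profile lacks. The script below parses such lines and groups them into candidate `owner <dir>/* <perms>,` rules. The audit lines are constructed for this example (pids and timestamps are made up; the socket and PID paths are the ones libvirt passed to passt in the report); the mapping of the log's "c"/"d" masks onto "w", the `owner` qualifier and the per-directory glob are this example's choices, and whether the rule belongs in passt's own profile or in libvirt's passt sub-profile is the question the thread leaves to the libvirt maintainers.

```python
"""Turn AppArmor "DENIED" audit lines into candidate profile rules.

Added example, not code from passt or libvirt. The log lines are
constructed to mirror the report: passt, confined by an AppArmor
profile, being refused its socket and PID file under /run/user/$UID.
"""
import os
import re
from collections import defaultdict

# Constructed sample of what `journalctl -k` or `dmesg` shows for AppArmor
# denials (audit type 1400). Paths are the ones libvirt passed to passt in
# the report; pids and timestamps are made up. The third line is an
# ALLOWED event and must be ignored.
SAMPLE_LOG = """\
audit: type=1400 audit(1738174242.123:45): apparmor="DENIED" operation="mknod" class="file" profile="passt" name="/run/user/1000/libvirt/qemu/run/passt/1-vm1-net0.socket" pid=4242 comm="passt" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1738174242.456:46): apparmor="DENIED" operation="open" class="file" profile="passt" name="/run/user/1000/libvirt/qemu/run/passt/1-vm1-net0-passt.pid" pid=4242 comm="passt" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1738174242.789:47): apparmor="ALLOWED" operation="open" class="file" profile="passt" name="/etc/resolv.conf" pid=4242 comm="passt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# Audit fields are key="quoted value" or key=bare_value.
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of one audit line, quotes stripped."""
    fields = {}
    for key, raw, quoted in _FIELD.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def parse_denials(text):
    """Keep only DENIED events that name a filesystem object."""
    denials = []
    for line in text.splitlines():
        fields = parse_audit_line(line)
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            denials.append({
                "profile": fields.get("profile", ""),
                "operation": fields.get("operation", ""),
                "name": fields["name"],
                "denied_mask": fields.get("denied_mask", ""),
            })
    return denials


# In the log, "c" is create and "d" is delete; a file rule grants both
# through "w" (this example's mapping, kept deliberately small).
_MASK_TO_PERM = {"c": "w", "d": "w"}
_PERM_ORDER = "rwakl"


def rule_perms(masks):
    """Merge several denied_mask strings into one rule permission string."""
    perms = {_MASK_TO_PERM.get(ch, ch) for mask in masks for ch in mask}
    ordered = "".join(ch for ch in _PERM_ORDER if ch in perms)
    return ordered + "".join(sorted(perms - set(_PERM_ORDER)))


def suggest_rules(denials):
    """One 'owner <dir>/* <perms>,' rule per (profile, directory).

    'owner' limits the rule to files owned by the confined process's uid,
    which is the right scope for a per-user runtime directory such as
    /run/user/$UID. Returns {profile: [rule, ...]}.
    """
    masks_by_dir = defaultdict(set)
    for d in denials:
        key = (d["profile"], os.path.dirname(d["name"]))
        masks_by_dir[key].add(d["denied_mask"])
    rules = defaultdict(list)
    for (profile, directory), masks in sorted(masks_by_dir.items()):
        rules[profile].append(f"owner {directory}/* {rule_perms(masks)},")
    return dict(rules)


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for d in found:
        print(f'{d["profile"]}: {d["operation"]} {d["name"]} (denied {d["denied_mask"]})')
    for profile, rules in suggest_rules(found).items():
        print(f"\n# candidate rules for profile {profile}")
        for rule in rules:
            print("  " + rule)
```

On a real host, feed it `journalctl -k -o cat` (or `dmesg`) output instead of SAMPLE_LOG; a candidate rule is a starting point for the profile owner to review, not something to paste into a profile unread, since the glob widens the grant to everything in that directory.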