-
Bug
-
Resolution: Unresolved
-
Major
-
rhel-10.0
-
None
-
passt-0^20240523.g765eb0b-2.el10
-
None
-
None
-
CustomerScenariosInitiative
-
sst_virtualization_networking
-
ssg_virtualization
-
3
-
False
-
-
None
-
Red Hat Enterprise Linux
-
None
-
Pass
-
Automated
-
-
x86_64
-
None
libguestfs + RHEL 10 + passt + root + direct mode fails with a permission denied error.
The easiest way to see this is with either RHEL 10 or recent Fedora. Run this command as root:
# LIBGUESTFS_BACKEND=direct guestfish --network -a /dev/null run libguestfs: error: passt exited with status 1
To get more details, add the -vx options:
# LIBGUESTFS_BACKEND=direct guestfish --network -a /dev/null run -vx
libguestfs: trace: set_pgroup true
libguestfs: trace: set_pgroup = 0
libguestfs: trace: add_drive "/dev/null"
libguestfs: trace: get_tmpdir
libguestfs: trace: get_tmpdir = "/tmp"
libguestfs: trace: disk_create "/tmp/libguestfsCADtp5/devnull1.img" "raw" 4096
libguestfs: trace: disk_create = 0
libguestfs: trace: add_drive = 0
libguestfs: trace: launch
libguestfs: trace: max_disks
libguestfs: trace: max_disks = 255
libguestfs: trace: version
libguestfs: trace: version = <struct guestfs_version = major: 1, minor: 53, release: 2, extra: fedora=41,release=1.fc41,libvirt, >
libguestfs: trace: get_backend
libguestfs: trace: get_backend = "direct"
libguestfs: launch: program=guestfish
libguestfs: launch: version=1.53.2fedora=41,release=1.fc41,libvirt
libguestfs: launch: backend registered: direct
libguestfs: launch: backend registered: libvirt
libguestfs: launch: backend=direct
libguestfs: launch: tmpdir=/tmp/libguestfsCADtp5
libguestfs: launch: umask=0022
libguestfs: launch: euid=0
libguestfs: trace: get_cachedir
libguestfs: trace: get_cachedir = "/var/tmp"
libguestfs: begin building supermin appliance
libguestfs: run supermin
libguestfs: command: run: /usr/bin/supermin
libguestfs: command: run: \ --build
libguestfs: command: run: \ --verbose
libguestfs: command: run: \ --if-newer
libguestfs: command: run: \ --lock /var/tmp/.guestfs-0/lock
libguestfs: command: run: \ --copy-kernel
libguestfs: command: run: \ -f ext2
libguestfs: command: run: \ --host-cpu x86_64
libguestfs: command: run: \ /usr/lib64/guestfs/supermin.d
libguestfs: command: run: \ -o /var/tmp/.guestfs-0/appliance.d
supermin: version: 5.3.4
supermin: rpm: detected RPM version 4.19
supermin: rpm: detected RPM architecture x86_64
supermin: package handler: fedora/rpm
supermin: acquiring lock on /var/tmp/.guestfs-0/lock
supermin: if-newer: output does not need rebuilding
libguestfs: finished building supermin appliance
libguestfs: begin testing qemu features
libguestfs: trace: get_cachedir
libguestfs: trace: get_cachedir = "/var/tmp"
libguestfs: checking for previously cached test results of /usr/bin/qemu-kvm, in /var/tmp/.guestfs-0
libguestfs: loading previously cached test results
libguestfs: qemu version: 8.2
libguestfs: qemu mandatory locking: yes
libguestfs: qemu KVM: enabled
libguestfs: trace: get_backend_setting "force_tcg"
libguestfs: trace: get_backend_setting = NULL (error)
libguestfs: trace: get_backend_setting "force_kvm"
libguestfs: trace: get_backend_setting = NULL (error)
libguestfs: trace: get_sockdir
libguestfs: trace: get_sockdir = "/tmp"
libguestfs: finished testing qemu features
libguestfs: trace: get_backend_setting "gdb"
libguestfs: trace: get_backend_setting = NULL (error)
libguestfs: command: run: passt --help
Usage: passt [OPTION]...
-d, --debug\t\tBe verbose
--trace\t\tBe extra verbose, implies --debug
-q, --quiet\t\tDon't print informational messages
-f, --foreground\tDon't run in background
default: run in background if started from a TTY
-e, --stderr\t\tLog to stderr too
default: log to system logger only if started from a TTY
-l, --log-file PATH\tLog (only) to given file
--log-size BYTES\tMaximum size of log file
default: 1 MiB
--runas UID|UID:GID \tRun as given UID, GID, which can be
numeric, or login and group names
default: drop to user "nobody"
-h, --help\t\tDisplay this help message and exit
--version\t\tShow version and exit
-s, --socket PATH\tUNIX domain socket path
default: probe free path starting from /tmp/passt_1.socket
-F, --fd FD\t\tUse FD as pre-opened connected socket
-p, --pcap FILE\tLog tap-facing traffic to pcap file
-P, --pid FILE\tWrite own PID to the given file
-m, --mtu MTU\tAssign MTU via DHCP/NDP
a zero value disables assignment
default: 65520: maximum 802.3 MTU minus 802.3 header
length, rounded to 32 bits (IPv4 words)
-a, --address ADDR\tAssign IPv4 or IPv6 address ADDR
can be specified zero to two times (for IPv4 and IPv6)
default: use addresses from interface with default route
-n, --netmask MASK\tAssign IPv4 MASK, dot-decimal or bits
default: netmask from matching address on the host
-M, --mac-addr ADDR\tUse source MAC address ADDR
default: MAC address from interface with default route
-g, --gateway ADDR\tPass IPv4 or IPv6 address as gateway
default: gateway from interface with default route
-i, --interface NAME\tInterface for addresses and routes
default: from --outbound-if4 and --outbound-if6, if any
otherwise interface with first default route
-o, --outbound ADDR\tBind to address as outbound source
can be specified zero to two times (for IPv4 and IPv6)
default: use source address from routing tables
--outbound-if4 NAME\tBind to outbound interface for IPv4
default: use interface from default route
--outbound-if6 NAME\tBind to outbound interface for IPv6
default: use interface from default route
-D, --dns ADDR\tUse IPv4 or IPv6 address as DNS
can be specified multiple times
a single, empty option disables DNS information
default: use addresses from /etc/resolv.conf
-S, --search LIST\tSpace-separated list, search domains
a single, empty option disables the DNS search list
default: use search list from /etc/resolv.conf
--no-dhcp-dns\tNo DNS list in DHCP/DHCPv6/NDP
--no-dhcp-search\tNo list in DHCP/DHCPv6/NDP
--dns-forward ADDR\tForward DNS queries sent to ADDR
can be specified zero to two times (for IPv4 and IPv6)
default: don't forward DNS queries
--no-tcp\t\tDisable TCP protocol handler
--no-udp\t\tDisable UDP protocol handler
--no-icmp\t\tDisable ICMP/ICMPv6 protocol handler
--no-dhcp\t\tDisable DHCP server
--no-ndp\t\tDisable NDP responses
--no-dhcpv6\t\tDisable DHCPv6 server
--no-ra\t\tDisable router advertisements
--no-map-gw\t\tDon't map gateway address to host
-4, --ipv4-only\tEnable IPv4 operation only
-6, --ipv6-only\tEnable IPv6 operation only
-1, --one-off\tQuit after handling one single client
-t, --tcp-ports SPEC\tTCP port forwarding to guest
can be specified multiple times
SPEC can be:
'none': don't forward any ports
'all': forward all unbound, non-ephemeral ports
a comma-separated list, optionally ranged with '-'
and optional target ports after ':', with optional
address specification suffixed by '/' and optional
interface prefixed by '%'. Ranges can be reduced by
excluding ports or ranges prefixed by '~'
Examples:
-t 22\t\tForward local port 22 to 22 on guest
-t 22:23\tForward local port 22 to 23 on guest
-t 22,25\tForward ports 22, 25 to ports 22, 25
-t 22-80 \tForward ports 22 to 80
-t 22-80:32-90\tForward ports 22 to 80 to
\t\t\tcorresponding port numbers plus 10
-t 192.0.2.1/5\tBind port 5 of 192.0.2.1 to guest
-t 5-25,~10-20\tForward ports 5 to 9, and 21 to 25
-t ~25\t\tForward all ports except for 25
default: none
-u, --udp-ports SPEC\tUDP port forwarding to guest
SPEC is as described for TCP above
default: none
libguestfs: command: run: passt
libguestfs: command: run: \ --one-off
libguestfs: command: run: \ --socket /tmp/libguestfsAweAxE/passt.sock
libguestfs: command: run: \ --pid /tmp/libguestfsAweAxE/passt2.pid
libguestfs: command: run: \ --address 169.254.2.15
libguestfs: command: run: \ --netmask 16
libguestfs: command: run: \ --mac-addr 52:56:00:00:00:02
libguestfs: command: run: \ --gateway 169.254.2.2
Don't run as root. Changing to nobody...
No IPv6 nameserver available for NDP/DHCPv6
Template interface: eno1 (IPv4), eno1 (IPv6)
MAC:
host: 52:56:00:00:00:02
DHCP:
assign: 169.254.2.15
mask: 255.255.0.0
router: 169.254.2.2
DNS:
169.254.2.2
DNS search list:
home.annexia.org
NDP/DHCPv6:
assign: 2001:8b0:9ad:8729:ca7f:54ff:fe54:2f54
router: fe80::feaa:14ff:fea2:4b62
our link-local: fe80::ca7f:54ff:fe54:2f54
DNS search list:
home.annexia.org
UNIX domain socket bound at /tmp/libguestfsAweAxE/passt.sock
You can now start qemu (>= 7.2, with commit 13c6be96618c):
kvm ... -device virtio-net-pci,netdev=s -netdev stream,id=s,server=off,addr.type=unix,addr.path=/tmp/libguestfsAweAxE/passt.sock
or qrap, for earlier qemu versions:
./qrap 5 kvm ... -net socket,fd=5 -net nic,model=virtio
PID file open: Permission denied
libguestfs: error: passt exited with status 1
libguestfs: trace: launch = -1 (error)
libguestfs: trace: close
libguestfs: closing guestfs handle 0x55ca0e83c7f0 (state 0)
libguestfs: command: run: rm
libguestfs: command: run: \ -rf /tmp/libguestfsCADtp5
libguestfs: command: run: rm
libguestfs: command: run: \ -rf /tmp/libguestfsAweAxE
Using strace appears to show this failing system call in passt:
2806123 openat(AT_FDCWD, "/tmp/libguestfs0QgcOb/passt2.pid", O_WRONLY|O_CREAT|O_ TRUNC|O_CLOEXEC, 0600) = -1 EACCES (Permission denied) 2806123 write(2, "PID file open: Permission denied\n", 33) = 33
The directory /tmp/libguestfs0QgcOb is created earlier by libguestfs (running as root) with permissions 0700. If passt changed to nobody.nobody by this point, it would explain why this fails.
There are no SELinux denials (except maybe "dontaudit" ones, which I didn't check for).
I tested with:
libguestfs-1.53.2-1.fc41.x86_64 passt-0^20240326.g4988e2b-1.fc40.x86_64
but we think it also happens on RHEL 10.
- links to
-
RHBA-2024:134580
passt update
- mentioned on
