LINUX.ORG.RU
ФорумAdmin

Как запустить kvm виртуальную машину с сетью в openvswitch от непривелигированного пользователя?

 , , , ,


0

1

Добрый день. Создал сеть:

<network>
  <name>hole</name>
  <uuid>chn54mcb-3b52-75b3-a654-f48bbe3726c3</uuid>
  <forward mode='bridge'/>
  <bridge name='switch1'/>
  <vlan>
    <tag id='2000'/>
  </vlan>
  <virtualport type='openvswitch'/>
</network>

virsh net-define /home/abracadabra/.config/libvirt/qemu/networks/hole.xml
virsh net-start hole
virsh net-autostart hole
virsh net-list
 Name                                    State    Autostart   Persistent
--------------------------------------------------------------------------
hole                   active   yes         yes

Пытаюсь создать виртуальную машину:

virt-install -n bagel --ram=2048 --vcpus=2 --os-type=linux --os-variant=debian9 --disk /home/abracadabra/bagelDisk.raw,device=disk,format=raw,bus=virtio --cdrom=/home/abracadabra/debian-10.11.0-amd64-DVD-1.iso --boot cdrom,hd,menu=on --graphics spice,port=-1,listen=192.168.1.2 --network=network:hole,model=rtl8139
И получаю слудующее:
Starting install...
ERROR    internal error: /usr/lib/qemu/qemu-bridge-helper --br=switch1 --fd=26: failed to communicate with bridge helper: Transport endpoint is not connected
stderr=failed to add interface `tap0' to bridge `switch1': Operation not supported

Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
  virsh --connect qemu:///session start bagel
otherwise, please restart your installation.

Есть только предположение что причина в этом:

ovs-vsctl add-br test
ovs-vsctl: unix:/var/run/openvswitch/db.sock: database connection failed (Permission denied)
Можно это как-то обойти не давая пользователю прав администратора?

Это пробовал.

chown root:kvm /usr/lib/qemu/qemu-bridge-helper && chmod 4750 /usr/lib/qemu/qemu-bridge-helper

И при этом с сетевым мостом виртуалка без проблем стартует от непривелигированного пользователя.

 --network bridge:br_for_bagel,model=rtl8139
От root сеть работает в любой конфигурации.

Включить пользователя в группу libvirt, qemu, kvm или как-то так, надо гуглить для конкретного дистрибутива

Jurik_Phys ★★★★★ ()
Ответ на: комментарий от Jurik_Phys

Спасибо за ответ, забыл упомянуть, пользователь включен в группу libvit и kvm. Группы qemu нет.

JoIIyRoger ()
Ответ на: комментарий от JoIIyRoger

Ну очевидно никто кроме рута это не сможет

chown :libvirt /var/run/openvswitch/db.sock

возможно оно использует polkit. Я бы включил дебаг и посмотрел, есть ли запросы на операции.

AVL2 ★★★★★ ()
Ответ на: комментарий от AVL2

[code=bash] chown :libvirt /var/run/openvswitch/db.sock [/code] Без изменений: [code=bash] ls -al /var/run/openvswitch/db.sock srwxr-x— 1 root libvirt 0 Apr 16 23:57 /var/run/openvswitch/db.sock

ovs-vsctl –verbose=dbg add-br br1 2022-04-17T11:01:02Z|00001|vsctl|INFO|Called as ovs-vsctl –verbose=dbg add-br br1 2022-04-17T11:01:02Z|00002|reconnect|DBG|unix:/var/run/openvswitch/db.sock: entering BACKOFF 2022-04-17T11:01:02Z|00003|stream_unix|DBG|/var/run/openvswitch/db.sock: connection failed (Permission denied) 2022-04-17T11:01:02Z|00004|reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting… 2022-04-17T11:01:02Z|00005|reconnect|DBG|unix:/var/run/openvswitch/db.sock: entering CONNECTING 2022-04-17T11:01:02Z|00006|reconnect|INFO|unix:/var/run/openvswitch/db.sock: connection attempt failed (Permission denied) 2022-04-17T11:01:02Z|00007|reconnect|DBG|unix:/var/run/openvswitch/db.sock: entering BACKOFF ovs-vsctl: unix:/var/run/openvswitch/db.sock: database connection failed (Permission denied)

[/code]

JoIIyRoger ()
Ответ на: комментарий от AVL2

Дебаг создания ВМ.

[Sun, 17 Apr 2022 06:03:38 virt-install 13117] ERROR (cli:254) internal error: /usr/lib/qemu/qemu-bridge-helper --br=switch1 --fd=26: failed to communicate with bridge helper: Transport endpoint is not connected
stderr=failed to add interface `tap0' to bridge `switch1': Operation not supported

[Sun, 17 Apr 2022 06:03:38 virt-install 13117] DEBUG (cli:256) 
Traceback (most recent call last):
  File "/usr/share/virt-manager/virt-install", line 598, in start_install
    transient=options.transient)
  File "/usr/share/virt-manager/virtinst/installer.py", line 419, in start_install
    doboot, transient)
  File "/usr/share/virt-manager/virtinst/installer.py", line 362, in _create_guest
    domain = self.conn.createXML(install_xml or final_xml, 0)
  File "/usr/lib/python3/dist-packages/libvirt.py", line 3732, in createXML
    if ret is None:raise libvirtError('virDomainCreateXML() failed', conn=self)
libvirt.libvirtError: internal error: /usr/lib/qemu/qemu-bridge-helper --br=switch1 --fd=26: failed to communicate with bridge helper: Transport endpoint is not connected
stderr=failed to add interface `tap0' to bridge `switch1': Operation not supported

[Sun, 17 Apr 2022 06:03:38 virt-install 13117] DEBUG (cli:267) Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
  virsh --connect qemu:///session start bagel
otherwise, please restart your installation.
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
  virsh --connect qemu:///session start bagel
otherwise, please restart your installation.

Если честно смущает уведомление: Operation not supported Может оно и не должно работать?

JoIIyRoger ()
Ответ на: комментарий от AVL2

В syslog:

Apr 17 06:27:55 pc libvirtd[14203]: Failed to open file '/sys/kernel/security/apparmor/profiles': Permission denied
Apr 17 06:27:55 pc libvirtd[14203]: Failed to read AppArmor profiles list '/sys/kernel/security/apparmor/profiles': Permission denied
Apr 17 06:27:55 pc libvirtd[14203]: internal error: Unable to get DBus session bus connection: Unable to autolaunch a dbus-daemon without a $DISPLAY for X11
Apr 17 06:27:56 pc systemd-udevd[14238]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Apr 17 06:27:56 pc systemd-udevd[14238]: link_config: could not get ethtool features for tap0
Apr 17 06:27:56 pc systemd-udevd[14238]: Could not set offload features of tap0: No such device
Apr 17 06:27:56 pc libvirtd[14203]: internal error: /usr/lib/qemu/qemu-bridge-helper --br=switch1 --fd=26: failed to communicate with bridge helper: Transport endpoint is not connected#012stderr=failed to add interface `tap0' to bridge `switch1': Operation not supported
Apr 17 06:27:56 pc ovs-vsctl: ovs|00001|db_ctl_base|ERR|'del-port' command requires at least 1 arguments
Apr 17 06:27:56 pc libvirtd[14203]: internal error: Child process (ovs-vsctl --timeout=5 -- --if-exists del-port) unexpected exit status 1: ovs-vsctl: 'del-port' command requires at least 1 arguments
Apr 17 06:27:56 pc libvirtd[14203]: internal error: Unable to delete port (null) from OVS
Apr 17 06:27:56 pc libvirtd[14203]: Failed to open file '/sys/class/net/tap0/operstate': No such file or directory
Apr 17 06:27:56 pc libvirtd[14203]: unable to read: /sys/class/net/tap0/operstate: No such file or directory
Apr 17 06:27:56 pc libvirtd[8136]: Failed to open file '/sys/class/net/tap0/operstate': No such file or directory
Apr 17 06:27:56 pc libvirtd[8136]: unable to read: /sys/class/net/tap0/operstate: No such file or directory
polkit:
systemctl status polkit
● polkit.service - Authorization Manager
   Loaded: loaded (/lib/systemd/system/polkit.service; static; vendor preset: enabled)
   Active: active (running) since Sun 2022-04-17 06:19:44 CDT; 11min ago
     Docs: man:polkit(8)
 Main PID: 13764 (polkitd)
    Tasks: 3 (limit: 4915)
   Memory: 4.2M
   CGroup: /system.slice/polkit.service
           └─13764 /usr/lib/policykit-1/polkitd

Apr 17 06:19:44 pc systemd[1]: Starting Authorization Manager...
Apr 17 06:19:44 pc polkitd[13764]: Entering main event loop
Apr 17 06:19:44 pc polkitd[13764]: Connected to the system bus
Apr 17 06:19:44 pc polkitd[13764]: Registering null backend at priority -10
Apr 17 06:19:44 pc polkitd[13764]: started daemon version 0.105 using authority implementation `local' version `0.105'
Apr 17 06:19:44 pc polkitd[13764]: Error getting login monitor: -2Using authority class PolkitBackendLocalAuthority
Apr 17 06:19:44 pc systemd[1]: Started Authorization Manager.
Apr 17 06:19:44 pc polkitd[13764]: Acquired the name org.freedesktop.PolicyKit1
systemctl status polkit
● polkit.service - Authorization Manager
   Loaded: loaded (/lib/systemd/system/polkit.service; static; vendor preset: enabled)
   Active: active (running) since Sun 2022-04-17 06:19:44 CDT; 11min ago
     Docs: man:polkit(8)
 Main PID: 13764 (polkitd)
    Tasks: 3 (limit: 4915)
   Memory: 4.2M
   CGroup: /system.slice/polkit.service
           └─13764 /usr/lib/policykit-1/polkitd

Apr 17 06:19:44 pc systemd[1]: Starting Authorization Manager...
Apr 17 06:19:44 pc polkitd[13764]: Entering main event loop
Apr 17 06:19:44 pc polkitd[13764]: Connected to the system bus
Apr 17 06:19:44 pc polkitd[13764]: Registering null backend at priority -10
Apr 17 06:19:44 pc polkitd[13764]: started daemon version 0.105 using authority implementation `local' version `0.105'
Apr 17 06:19:44 pc polkitd[13764]: Error getting login monitor: -2Using authority class PolkitBackendLocalAuthority
Apr 17 06:19:44 pc systemd[1]: Started Authorization Manager.
Apr 17 06:19:44 pc polkitd[13764]: Acquired the name org.freedesktop.PolicyKit1

JoIIyRoger ()
Ответ на: комментарий от AVL2

От root как и предполагалось.

pr 17 19:10:22 pc kernel: [69225.163594] audit: type=1400 audit(1650240622.392:171): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-b1f75342-3a7c-40d3-91fe-4cc6ab56d534" pid=24688 comm="apparmor_parser"
Apr 17 19:10:22 pc kernel: [69225.331894] audit: type=1400 audit(1650240622.560:172): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-b1f75342-3a7c-40d3-91fe-4cc6ab56d534" pid=24692 comm="apparmor_parser"
Apr 17 19:10:22 pc kernel: [69225.489350] audit: type=1400 audit(1650240622.720:173): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-b1f75342-3a7c-40d3-91fe-4cc6ab56d534" pid=24695 comm="apparmor_parser"
Apr 17 19:10:22 pc kernel: [69225.649835] audit: type=1400 audit(1650240622.880:174): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="libvirt-b1f75342-3a7c-40d3-91fe-4cc6ab56d534" pid=24698 comm="apparmor_parser"
Apr 17 19:10:22 pc systemd-udevd[24699]: Using default interface naming scheme 'v240'.
Apr 17 19:10:22 pc systemd-udevd[24699]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Apr 17 19:10:22 pc ovs-vsctl: ovs|00001|vsctl|INFO|Called as ovs-vsctl --timeout=5 -- --if-exists del-port vnet3 -- add-port core vnet3 tag=2000 -- set Interface vnet3 "external-ids:attached-mac=\"0a:29:56:df:dc:eb\"" -- set Interface vnet3 "external-ids:iface-id=\"51a65cc2-e7a9-4c21-80cc-beeca7f26b79\"" -- set Interface vnet3 "external-ids:vm-id=\"b1f75342-3a7c-40d3-91fe-4cc6ab56d534\"" -- set Interface vnet3 external-ids:iface-status=active
Apr 17 19:10:22 pc kernel: [69225.679788] device vnet3 entered promiscuous mode
Apr 17 19:10:23 pc kernel: [69225.835924] audit: type=1400 audit(1650240623.064:175): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-b1f75342-3a7c-40d3-91fe-4cc6ab56d534" pid=24709 comm="apparmor_parser"

JoIIyRoger ()
Ответ на: комментарий от AVL2

Если сделать через sudo -u root то virt-install создаст конфиг виртуалки в /etc/libvirt/qemu и сеть будет искать в /etc/libvirt/qemu/networks в то время как она была создана в /home/abracadabra/.config/libvirt/qemu/networks/

И даже если создать вм от root, затем перенести конфиги в директорию пользователя, от root сделать undefine вм и сети, затем от пользователя сделать define и start получим туже ошибку:

error: Failed to start domain bagel
error: internal error: /usr/lib/qemu/qemu-bridge-helper --br=switch1 --fd=26: failed to communicate with bridge helper: Transport endpoint is not connected
stderr=failed to add interface `tap0' to bridge `switch1': Operation not supported

JoIIyRoger ()
Ответ на: комментарий от JoIIyRoger

Как и предпологалось:

Если честно смущает уведомление: Operation not supported Может оно и не должно работать?

https://listman.redhat.com/archives/libvirt-users/2016-March/msg00117.html

Правда это сообщение за 2016 год и есть намек что вроде как можно добавить поддержку. Может что поменялось за 6 лет?

JoIIyRoger ()
Ответ на: комментарий от JoIIyRoger

Хотя в следующем сообщении говорится, что был модуль совместимости который убрали т.к. libvirt умеет из коробки OVS. https://listman.redhat.com/archives/libvirt-users/2016-March/008938.html

>What you're trying to do isn't supported and won't work. the 
>qemu:///session libvirtd runs as a normal user, and doesn't have the 
>necessary permissions to create tap devices or connect them to either 
>Linux host bridges or OVS bridges. qemu added the "qemu-bridge-helper" 
>which is a suid binary that will create a tap device and connect it to 
>the named Linux host bridge, and the person who wrote that helper also 
>made a patch to libvirt to automatically call the qemu-bridge-helper 
>when a request is made in a qemu:///session guest to connect to a 
>bridge. Unfortunately, qemu-bridge-helper only knows how to connect to 
>standard Linux host bridges, it knows nothing about OVS.

Thank you, that answers my questions pretty thoroughly :)

>I believe there is an OVS compatibility module that makes the ioctl used 
>to connect a tap device to a host bridge also work for OVS bridges. You 
>may want to look into that.
<snip>

Br-compat module was removed from OVS few releases ago, IIRC, since 
libvirt and KVM/QEMU can use Openvswitch bridges natively now.
And it works just fine, just not for my use case :)

Thanks again for the information on inner workings of user session, now I know what I have to do.
Luckily, I don't have that much domains to migrate.

Pedja

JoIIyRoger ()
Для того чтобы оставить комментарий войдите или зарегистрируйтесь.