[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Bridge-less VM

(look towards the bottom of the message for the "hidden lead" :-)

On 1/16/20 1:16 PM, Rob Roschewsk wrote:
I'm trying to create a free standing VM that doesn't connect to a bridge.

This is supposedly do able according to the WIKI:

But with a config similar to:

   <interface type='ethernet'>
     <target dev='mytap1' managed='no'/>
     <model type='virtio'/>

When starting the domain I get the error:
error: internal error: process exited while connecting to monitor: 2020-01-16T18:08:04.788860Z qemu-system-x86_64: -netdev tap,id=hostnet0,vhost=on,vhostfd=26: could not open /dev/net/tun: Operation not permitted

Checked permissions on /dev/net/tunand it's 666

If I just configure it as a "bridge" connection the domain starts. Then I can use brctl to remove it from the bridge to get what I want. That just proves it possible but with extra steps (Shout out to Rick and Morty)

Running Ubuntu 16.04.1 Kernel 4.15.0-74
libvirt 1.3.1-1ubuntu10.27

Oh, I see - you're running a version of libvirt that was released exactly 4 years ago today! You should notice in the web page you referenced above that <target dev='blah' managed='no'/> has only been supported since libvirt 5.7.0, which was released just last September. What you're running is incredibly ancient, and there is *a lot* of stuff documented on libvirt.org that it doesn't support (although we do try to note the minimum version required for any new feature).

Aside from missing the very recent "managed='no'" feature (which I think you probably don't need or even care about - you'd rather just let libvirt create the tap device for you, right?), the version of libvirt you're running doesn't even contain the very *old* commit 9c17d665fd (from March of 2016) which removed the necessity to run qemu as root when using <interface type='ethernet'>.

So you have two choices:

1) upgrade to a newer libvirt (something in the 5.x.0 or even 6.0.0 if possible). In this case you'll also probably want to remove the <target dev='blah' managed='no'/> line (unless you really do want give the device a specific name (controlled by "dev='blah'") and/or precreate the tap device yourself (controlled by "managed='no'").

2) change /etc/libvirt/qemu.conf to tell libvirt it should run qemu as user root and not clear the capabilities privileges for the qemu process (done by uncommenting 'user = "root"' and 'clear_emulator_capabilities = 0'). This is a *VERY* bad idea, since 1) it allows the qemu process to run as root, meaning that if a virtual machine finds an exploit in your (*also* very old) qemu binary and "breaks out", it will have full root access to your host. Also in this case you will need to manually create the tap device beforehand (before commit 9c17d665fd libvirt would not auto-create a tap device for <interface type='ethernet'>).

I hope I've convinced you to take choice (1)!

qemu 1:2.5+dfsg-5ubuntu10.41

--> Rob

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]