On 6/24/2025 3:04 PM, Stefano Brivio wrote:
On Tue, 24 Jun 2025 09:12:33 +0100
"Richard W.M. Jones" <rjones@redhat.com> wrote:

On Tue, Jun 24, 2025 at 01:25:47PM +0530, Aithal, Srikanth wrote:
libguestfs: command: run: \ --pid /tmp/libguestfsJamIlZ/passt1.pid  
...
Don't run as root. Changing to nobody...  
...
PID file open: Permission denied
I think that might be due to an issue in the AppArmor policy from the
version shipped with Ubuntu 24.04 (that's a rather old version), but
I'm not entirely sure what it might be.

Aithal, could you have a look at /var/log/audit/audit.log (say,
"tail -f /var/log/audit/audit.log") while you're running this?

AppArmor access denials are logged there, as well as in the system log.


I updated my Ubuntu 24.04 system to the latest version using apt upgrade. Following the update, I can now run virt-customize as a non-root user with passt, resolving the previous permission issue.

However, I am still encountering the original issue I faced with libslirp and now with passt: the network interfaces inside the libguestfs appliance are not being assigned IP addresses.

I have attached the new logs for your review. Thank you for your time and assistance.


# dpkg -l | grep passt
ii  passt                                               0.0~git20240220.1e6f92b-1                  amd64        user-mode networking daemons for virtual machines and namespaces


# sudo -u amd virt-customize -v -x -a /home/amd/noble-server-cloudimg-amd64.qcow2 --install isc-dhcp-client

..

libguestfs: command: run: passt --help
Usage: passt [OPTION]...

  -d, --debug         Be verbose
      --trace         Be extra verbose, implies --debug
..

..

libguestfs: command: run: passt
libguestfs: command: run: \ --one-off
libguestfs: command: run: \ --socket /tmp/libguestfsTs3w5r/passt.sock
libguestfs: command: run: \ --pid /tmp/libguestfsTs3w5r/passt1.pid
libguestfs: command: run: \ --address 169.254.2.15
libguestfs: command: run: \ --netmask 16
libguestfs: command: run: \ --mac-addr 52:56:00:00:00:02
libguestfs: command: run: \ --gateway 169.254.2.2
No routable interface for IPv6: IPv6 is disabled
Template interface: enp97s0 (IPv4)
MAC:
    host: 52:56:00:00:00:02
DHCP:
    assign: 169.254.2.15
    mask: 255.255.0.0
    router: 169.254.2.2
DNS:
    169.254.2.2
DNS search list:
    amd.com
UNIX domain socket bound at /tmp/libguestfsTs3w5r/passt.sock

You can now start qemu (>= 7.2, with commit 13c6be96618c):
    kvm ... -device virtio-net-pci,netdev=s -netdev stream,id=s,server=off,addr.type=unix,addr.path=/tmp/libguestfsTs3w5r/passt.sock
or qrap, for earlier qemu versions:
    ./qrap 5 kvm ... -net socket,fd=5 -net nic,model=virtio
/usr/bin/qemu-system-x86_64 \
    -global virtio-blk-pci.scsi=off \
    -no-user-config \
    -nodefaults \

..

    -netdev stream,id=usernet,addr.type=unix,addr.path=/tmp/libguestfsTs3w5r/passt.sock \
    -device virtio-net-pci,netdev=usernet \

..

..

+ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5054:ff:fe12:3456/64 scope link tentative
       valid_lft forever preferred_lft forever
3: sit0@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
    inet6 ::127.0.0.1/96 scope host
       valid_lft forever preferred_lft forever

..


Reading package lists...
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/noble/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/noble-updates/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/noble-backports/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/noble-security/InRelease  Temporary failure resolving 'security.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists...
Building dependency tree...
Reading state information...
E: Unable to locate package isc-dhcp-client

..

libguestfs: trace: launch = -1 (error)  
In libguestfs we already work around qemu changing its user when we
are running as root:

https://github.com/libguestfs/libguestfs/blob/0991b4dc2124a8d6c3d232663ea3473a0c78f81f/lib/tmpdirs.c#L202

However I think because passt is creating the file, it cannot write
into the 0755 directory.
This is something we fixed:

  https://passt.top/passt/commit/?id=c9b24134656925e53fea3cde0b33ab143dcd84af

the fix is not available in 0.0~git20240220.1e6f92b-1, and I'm generally
having little luck with requesting backports, e.g.:

  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2077158

but in any case that's not the issue Aithal is hitting here, because things
don't work as non-root anyway.

Honestly (just as with libvirt / qemu) unilaterally changing the user
ID when running as root is not helping anyone nor adding any security.
I'd say that, minus that kind of issue which is obviously detrimental to
security, not being able to issue a number of system calls as root once
a guest connects is still decreasing the surface for possible attacks.
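The PID-file failure discussed above (a daemon that switches to nobody and only then tries to create its PID file inside a 0755 directory it no longer owns) is easy to reproduce, and the safe ordering is easy to show next to it. What follows is an added illustration, not code from passt or libguestfs, and it makes no claim about what the passt commit linked above does. It assumes the conventional nobody uid/gid 65534; when run as root it really switches the child to nobody, and when run as a regular user (which cannot change uid) it stands in for "an unrelated user in a root-owned 0755 directory" by clearing the caller's own write bit on a scratch directory.

```python
import os
import shutil
import tempfile

# Conventional uid/gid of "nobody" on Debian/Ubuntu (an assumption of this demo).
NOBODY_UID = 65534
NOBODY_GID = 65534

PID_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_EXCL


def _become_unprivileged(workdir):
    """Drop privileges; meant to run inside a forked child.

    As root this really switches to nobody, like the "Changing to nobody..."
    step in the log. As a regular user we cannot change uid, so we simulate
    being an unrelated user in a root-owned 0755 directory by clearing our
    own write bit on workdir.
    """
    if os.geteuid() == 0:
        os.setgroups([])
        os.setgid(NOBODY_GID)
        os.setuid(NOBODY_UID)
    else:
        os.chmod(workdir, 0o555)


def _run_in_child(fn):
    """Run fn() in a forked child so the parent keeps its own privileges.
    Returns True only if fn() returned True without raising."""
    pid = os.fork()
    if pid == 0:
        try:
            code = 0 if fn() else 1
        except Exception:
            code = 2
        os._exit(code)
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


def _scratch_dir():
    # Same mode as the libguestfs tmpdir discussed in the thread.
    d = tempfile.mkdtemp(prefix="pidfile-demo-")
    os.chmod(d, 0o755)
    return d


def _cleanup(d):
    os.chmod(d, 0o755)          # undo the non-root simulation, if any
    shutil.rmtree(d, ignore_errors=True)


def pidfile_after_drop():
    """Wrong order: drop privileges first, then create the PID file.
    Returns True if the PID file could be created (it cannot)."""
    d = _scratch_dir()
    path = os.path.join(d, "passt1.pid")

    def attempt():
        _become_unprivileged(d)
        try:
            fd = os.open(path, PID_FLAGS, 0o644)
        except PermissionError:     # "PID file open: Permission denied"
            return False
        os.write(fd, b"%d\n" % os.getpid())
        os.close(fd)
        return True

    try:
        return _run_in_child(attempt)
    finally:
        _cleanup(d)


def pidfile_before_drop():
    """Right order: open the PID file while still privileged, drop, then write
    through the already-open descriptor. Returns True if a pid was recorded."""
    d = _scratch_dir()
    path = os.path.join(d, "passt1.pid")
    fd = os.open(path, PID_FLAGS, 0o644)

    def attempt():
        _become_unprivileged(d)
        # Directory permissions no longer matter: the descriptor is already open.
        os.write(fd, b"%d\n" % os.getpid())
        return True

    try:
        ok = _run_in_child(attempt)
        with open(path) as f:
            return ok and f.read().strip().isdigit()
    finally:
        os.close(fd)
        _cleanup(d)


if __name__ == "__main__":
    print("create after drop:", pidfile_after_drop())   # False
    print("open before drop: ", pidfile_before_drop())  # True
```

The point of the second function is that a file descriptor obtained while privileged stays usable after the uid change, so a daemon that wants to drop root early only has to acquire its PID file (and anything else living in a root-owned directory) before the switch; the permission check happens at open time, not at write time.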
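The other symptom in the logs above is that passt announces a DHCP lease for the appliance, yet `ip a` inside the appliance shows eth0 with only a tentative link-local IPv6 address, after which apt cannot resolve any host. A small triage helper that cross-checks the two outputs is added here as an example; it is not part of the thread or of either project. The two inputs are the passt announcement and the `ip a` listing quoted in the mail, embedded as constructed samples; the helper reports any guest NIC that never received the announced IPv4 address.

```python
import re

# Constructed sample: passt's startup announcement as quoted in the thread.
PASST_LOG = """\
Template interface: enp97s0 (IPv4)
MAC:
    host: 52:56:00:00:00:02
DHCP:
    assign: 169.254.2.15
    mask: 255.255.0.0
    router: 169.254.2.2
DNS:
    169.254.2.2
"""

# Constructed sample: `ip a` as run inside the appliance, as quoted in the thread.
IP_A = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5054:ff:fe12:3456/64 scope link tentative
       valid_lft forever preferred_lft forever
3: sit0@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
"""


def parse_passt_dhcp(text):
    """Return the IPv4 lease passt announced as {'assign', 'mask', 'router'}."""
    lease, in_dhcp = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):          # section header such as "DHCP:"
            in_dhcp = line.strip() == "DHCP:"
            continue
        if in_dhcp:
            key, _, val = line.strip().partition(":")
            lease[key] = val.strip()
    return lease


def parse_ip_a(text):
    """Map interface name -> {'mac', 'inet', 'inet6', 'flags'} from `ip a` output."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^\d+: ([^:@]+)[^:]*: <([^>]*)>", line)
        if m:
            cur = m.group(1)
            ifaces[cur] = {"mac": None, "inet": [], "inet6": [],
                           "flags": m.group(2).split(",")}
            continue
        parts = line.split()
        if not cur or not parts:
            continue
        if parts[0] == "link/ether":
            ifaces[cur]["mac"] = parts[1]
        elif parts[0] in ("inet", "inet6"):
            ifaces[cur][parts[0]].append(parts[1])
    return ifaces


def check_lease_applied(passt_text, ip_a_text):
    """Return findings (strings); an empty list means the announced lease landed on a NIC."""
    lease = parse_passt_dhcp(passt_text)
    nics = {n: i for n, i in parse_ip_a(ip_a_text).items() if i["mac"] is not None}
    findings = []
    want = lease.get("assign")
    if not want:
        return ["passt announced no DHCP assignment"]
    for i in nics.values():
        if any(addr.split("/")[0] == want for addr in i["inet"]):
            return findings                   # lease is present: nothing to report
    for name, i in nics.items():
        if not i["inet"]:
            v6 = ", ".join(i["inet6"]) or "none"
            findings.append(f"{name}: no IPv4 address (expected {want} via DHCP); inet6: {v6}")
    return findings


if __name__ == "__main__":
    for finding in check_lease_applied(PASST_LOG, IP_A):
        print(finding)
```

Only interfaces with a `link/ether` line are considered guest NICs, so `lo` and the `sit0` tunnel are ignored; the lease is matched on the address alone because the MAC passt prints under `host:` is its own, not the guest's.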