6:42 a.m.
Hello all,
I am encountering an issue with virt-customize when the host kernel, on
which virt-customize runs, has CONFIG_IPV6_SIT built-in. Below is the
error output from the command:
|virt-customize -a noble-server-cloudimg-amd64.qcow2 --install
isc-dhcp-client [ 0.0] Examining the guest ... [ 2.9] Setting a random
seed virt-customize: warning: random seed could not be setforthis typeof
guest [ 2.9] Installing packages: isc-dhcp-client Reading package
lists... W: Failed to fetch
http://archive.ubuntu.com/ubuntu/dists/noble/InRelease Temporary failure
resolving 'archive.ubuntu.com'W: Failed to fetch
http://archive.ubuntu.com/ubuntu/dists/noble-updates/InRelease Temporary
failure resolving 'archive.ubuntu.com'W: Failed to fetch
http://archive.ubuntu.com/ubuntu/dists/noble-backports/InRelease
Temporary failure resolving 'archive.ubuntu.com'W: Failed to fetch
http://security.ubuntu.com/ubuntu/dists/noble-security/InRelease
Temporary failure resolving 'security.ubuntu.com'W: Some index files
failed to download. They have been ignored, or old ones used instead.
Reading package lists... Building dependency tree... Reading state
information... Package grub2 is not available, but is referred to by
another package. This may mean that the package is missing, has been
obsoleted, or is only available from another sourceHowever the following
packages replace it: grub-efi-amd64 grub-pc-bin grub-pc
grub-ieee1275-bin grub-ieee1275 grub-efi-ia32-bin grub-efi-ia32
grub-efi-amd64-bin E: Unable to locate package isc-dhcp-client E: Unable
to locate package isc-dhcp-client-ddns E: Package 'grub2'has no
installation candidate ... If reporting bugs, run virt-customize with
debugging enabled and include the complete output: virt-customize -v -x
[...]|
Using the -v verbose option, I discovered that the IP address assigned
in the QEMU command line was not reflected inside the guest. Here is the
relevant ip a output from the log:
+ ip a 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen
1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet
127.0.0.1/8 brd 127.255.255.255 scope host lo valid_lft forever
preferred_lft forever inet6 ::1/128 scope host valid_lft forever
preferred_lft forever 2: eth0: mtu 1500 qdisc pfifo_fast state UP group
default qlen 1000 link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
inet6 fe80::5054:ff:fe12:3456/64 scope link tentative valid_lft forever
preferred_lft forever *3: sit0@NONE: mtu 1480 qdisc noqueue state
UNKNOWN group default qlen 1000* link/sit 0.0.0.0 brd 0.0.0.0 inet6
::127.0.0.1/96 scope host valid_lft forever preferred_lft forever
Further debugging revealed that when the host kernel has SIT-related
configurations enabled (i.e., CONFIG_IPV6_SIT), the supermin appliance,
which libguestfs uses, inherits the same kernel and initrd.
Consequently, the guest environment booted by virt-customize includes
the sit0 device.
When the sit0 device is present, the primary NIC (eth0) does not receive
the static IP address assigned by libguestfs in the QEMU command line:
/usr/bin/qemu-system-x86_64 \ -global virtio-blk-pci.scsi=off \ ...
-netdev user,id=usernet,net=169.254.2.15/16 \ -device
virtio-net-pci,netdev=usernet \ ..
I verified this issue on another machine where the host kernel had no
SIT-related configurations enabled. On that machine, the same
virt-customize command with the same Noble image worked correctly. I
have attached verbose logs for both working and non-working
configurations. A diff of these logs shows that the sit0 device causes
the IP assignment issue with the eth0 interface.
I have the following queries and would appreciate any responses:
1. Why does the user network IP not get applied when the sit0 device is
present in the appliance?
2. Is there a way to append parameters to the libguestfs QEMU command
line to blacklist the sit module in such cases?
3. Can we override the kernel and initrd used by libguestfs via the
virt-customize command line?
Thank you,
Srikanth Aithal
Srikanth.Aithal(a)amd.com
AMD Linux group
8:26 a.m.
On Fri, Jun 20, 2025 at 05:12:27PM +0530, Aithal, Srikanth wrote:
Hello all,
I am encountering an issue with virt-customize when the host kernel, on which
virt-customize runs, has CONFIG_IPV6_SIT built-in. Below is the error output
from the command:
virt-customize -a noble-server-cloudimg-amd64.qcow2 --install isc-dhcp-client [
...
Using the -v verbose option, I discovered that the IP address
assigned in the
QEMU command line was not reflected inside the guest. Here is the relevant ip a
output from the log:
You would not expect the IP inside the appliance to be the same as
outside. We're using two tools called libslirp & passt to create a
user-level network.
+ ip a 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default
qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 brd
127.255.255.255 scope host lo valid_lft forever preferred_lft forever inet6 ::1
/128 scope host valid_lft forever preferred_lft forever 2: eth0: mtu 1500 qdisc
pfifo_fast state UP group default qlen 1000 link/ether 52:54:00:12:34:56 brd
ff:ff:ff:ff:ff:ff inet6 fe80::5054:ff:fe12:3456/64 scope link tentative
valid_lft forever preferred_lft forever 3: sit0@NONE: mtu 1480 qdisc noqueue
state UNKNOWN group default qlen 1000 link/sit 0.0.0.0 brd 0.0.0.0 inet6
::127.0.0.1/96 scope host valid_lft forever preferred_lft forever
Further debugging revealed that when the host kernel has SIT-related
configurations enabled (i.e., CONFIG_IPV6_SIT), the supermin appliance, which
libguestfs uses, inherits the same kernel and initrd. Consequently, the guest
environment booted by virt-customize includes the sit0 device.
When the sit0 device is present, the primary NIC (eth0) does not receive the
static IP address assigned by libguestfs in the QEMU command line:
/usr/bin/qemu-system-x86_64 \ -global virtio-blk-pci.scsi=off \ ... -netdev
user,id=usernet,net=169.254.2.15/16 \ -device virtio-net-pci,netdev=usernet \
..
In this case it would use libslirp. I'm pretty sure slirp doesn't
support IPv6 at all which is the problem here. But also ...
I verified this issue on another machine where the host kernel had
no
SIT-related configurations enabled. On that machine, the same virt-customize
command with the same Noble image worked correctly. I have attached verbose
logs for both working and non-working configurations. A diff of these logs
shows that the sit0 device causes the IP assignment issue with the eth0
interface.
I have the following queries and would appreciate any responses:
1. Why does the user network IP not get applied when the sit0 device is
present in the appliance?
2. Is there a way to append parameters to the libguestfs QEMU command line to
blacklist the sit module in such cases?
3. Can we override the kernel and initrd used by libguestfs via the
virt-customize command line?
libguestfs: command: run: passt --help
sh: 1: passt: not found
If you use passt (which supports IPv6) it might work better, or at
least differently ...
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
11:24 a.m.
On Fri, 20 Jun 2025 14:26:11 +0100
"Richard W.M. Jones" <rjones(a)redhat.com> wrote:
On Fri, Jun 20, 2025 at 05:12:27PM +0530, Aithal, Srikanth wrote:
> Hello all,
>
> I am encountering an issue with virt-customize when the host kernel, on which
> virt-customize runs, has CONFIG_IPV6_SIT built-in. Below is the error output
> from the command:
>
> virt-customize -a noble-server-cloudimg-amd64.qcow2 --install isc-dhcp-client [
...
> Using the -v verbose option, I discovered that the IP address assigned in the
> QEMU command line was not reflected inside the guest. Here is the relevant ip a
> output from the log:
You would not expect the IP inside the appliance to be the same as
outside. We're using two tools called libslirp & passt to create a
user-level network.
By the way, just to avoid confusion: passt's default behaviour
(stand-alone, not started by libguestfs) is to advertise to the guest
(DHCP / NDP / DHCPv6) addresses and routes copied from the host
interface with the (first) default route.
But with libguestfs, for compatibility with libslirp, passt is also
configured with a fixed address, which won't be the same as the host.
You would see that in passt's own command-line (it's a separate tool,
so you won't see that in QEMU's command line).
> + ip a 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 brd
> 127.255.255.255 scope host lo valid_lft forever preferred_lft forever inet6 ::1
> /128 scope host valid_lft forever preferred_lft forever 2: eth0: mtu 1500 qdisc
> pfifo_fast state UP group default qlen 1000 link/ether 52:54:00:12:34:56 brd
> ff:ff:ff:ff:ff:ff inet6 fe80::5054:ff:fe12:3456/64 scope link tentative
> valid_lft forever preferred_lft forever 3: sit0@NONE: mtu 1480 qdisc noqueue
> state UNKNOWN group default qlen 1000 link/sit 0.0.0.0 brd 0.0.0.0 inet6
> ::127.0.0.1/96 scope host valid_lft forever preferred_lft forever
>
> Further debugging revealed that when the host kernel has SIT-related
> configurations enabled (i.e., CONFIG_IPV6_SIT), the supermin appliance, which
> libguestfs uses, inherits the same kernel and initrd. Consequently, the guest
> environment booted by virt-customize includes the sit0 device.
>
> When the sit0 device is present, the primary NIC (eth0) does not receive the
> static IP address assigned by libguestfs in the QEMU command line:
>
> /usr/bin/qemu-system-x86_64 \ -global virtio-blk-pci.scsi=off \ ... -netdev
> user,id=usernet,net=169.254.2.15/16 \ -device virtio-net-pci,netdev=usernet \
In this case it would use libslirp. I'm pretty sure slirp doesn't
support IPv6 at all which is the problem here. But also ...
It kind of does, but it's not enabled by default, and it doesn't
support SLAAC plus a number of mandatory functionalities, at least not
ouf of the box, so, yes, see below...
> I verified this issue on another machine where the host kernel
had no
> SIT-related configurations enabled. On that machine, the same virt-customize
> command with the same Noble image worked correctly. I have attached verbose
> logs for both working and non-working configurations. A diff of these logs
> shows that the sit0 device causes the IP assignment issue with the eth0
> interface.
>
> I have the following queries and would appreciate any responses:
>
> 1. Why does the user network IP not get applied when the sit0 device is
> present in the appliance?
I think the DHCP client tries to configure sit0 as it's the first
interface reported by the kernel and can't do it with the information
provided by libslirp's DHCP server.
No idea about 2. and 3.
> 2. Is there a way to append parameters to the libguestfs QEMU
command line to
> blacklist the sit module in such cases?
> 3. Can we override the kernel and initrd used by libguestfs via the
> virt-customize command line?
> libguestfs: command: run: passt --help
> sh: 1: passt: not found
If you use passt (which supports IPv6) it might work better, or at
least differently ...
...that would be my suggestion as well (apt install passt). It's not
exactly up to date on Ubuntu 24.04, and doesn't look very maintained
(see e.g. https://bugs.launchpad.net/ubuntu/+source/passt/+bug/2077158,
I maintain the Debian package only), but it should work better than
libslirp anyway, as the appliance can use SLAAC as well.
--
Stefano
2:55 a.m.
Hello,
Thank you for the detailed note. My comments in-line. Appreciate your
time in helping me on this issue.
On 6/20/2025 9:54 PM, Stefano Brivio wrote:
On Fri, 20 Jun 2025 14:26:11 +0100
"Richard W.M. Jones" <rjones(a)redhat.com> wrote:
> On Fri, Jun 20, 2025 at 05:12:27PM +0530, Aithal, Srikanth wrote:
>> Hello all,
>>
>> I am encountering an issue with virt-customize when the host kernel, on which
>> virt-customize runs, has CONFIG_IPV6_SIT built-in. Below is the error output
>> from the command:
>>
>> virt-customize -a noble-server-cloudimg-amd64.qcow2 --install isc-dhcp-client [
> ...
>> Using the -v verbose option, I discovered that the IP address assigned in the
>> QEMU command line was not reflected inside the guest. Here is the relevant ip a
>> output from the log:
> You would not expect the IP inside the appliance to be the same as
> outside. We're using two tools called libslirp & passt to create a
> user-level network.
By the way, just to avoid confusion: passt's default behaviour
(stand-alone, not started by libguestfs) is to advertise to the guest
(DHCP / NDP / DHCPv6) addresses and routes copied from the host
interface with the (first) default route.
But with libguestfs, for compatibility with libslirp, passt is also
configured with a fixed address, which won't be the same as the host.
You would see that in passt's own command-line (it's a separate tool,
so you won't see that in QEMU's command line).
>> + ip a 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 brd
>> 127.255.255.255 scope host lo valid_lft forever preferred_lft forever inet6 ::1
>> /128 scope host valid_lft forever preferred_lft forever 2: eth0: mtu 1500 qdisc
>> pfifo_fast state UP group default qlen 1000 link/ether 52:54:00:12:34:56 brd
>> ff:ff:ff:ff:ff:ff inet6 fe80::5054:ff:fe12:3456/64 scope link tentative
>> valid_lft forever preferred_lft forever 3: sit0@NONE: mtu 1480 qdisc noqueue
>> state UNKNOWN group default qlen 1000 link/sit 0.0.0.0 brd 0.0.0.0 inet6
>> ::127.0.0.1/96 scope host valid_lft forever preferred_lft forever
>>
>> Further debugging revealed that when the host kernel has SIT-related
>> configurations enabled (i.e., CONFIG_IPV6_SIT), the supermin appliance, which
>> libguestfs uses, inherits the same kernel and initrd. Consequently, the guest
>> environment booted by virt-customize includes the sit0 device.
>>
>> When the sit0 device is present, the primary NIC (eth0) does not receive the
>> static IP address assigned by libguestfs in the QEMU command line:
>>
>> /usr/bin/qemu-system-x86_64 \ -global virtio-blk-pci.scsi=off \ ... -netdev
>> user,id=usernet,net=169.254.2.15/16 \ -device virtio-net-pci,netdev=usernet \
> In this case it would use libslirp. I'm pretty sure slirp doesn't
> support IPv6 at all which is the problem here. But also ...
It kind of does, but it's not enabled by default, and it doesn't
support SLAAC plus a number of mandatory functionalities, at least not
ouf of the box, so, yes, see below...
>> I verified this issue on another machine where the host kernel had no
>> SIT-related configurations enabled. On that machine, the same virt-customize
>> command with the same Noble image worked correctly. I have attached verbose
>> logs for both working and non-working configurations. A diff of these logs
>> shows that the sit0 device causes the IP assignment issue with the eth0
>> interface.
>>
>> I have the following queries and would appreciate any responses:
>>
>> 1. Why does the user network IP not get applied when the sit0 device is
>> present in the appliance?
I think the DHCP client tries to configure sit0 as it's the first
interface reported by the kernel and can't do it with the information
provided by libslirp's DHCP server.
No idea about 2. and 3.
>> 2. Is there a way to append parameters to the libguestfs QEMU command line to
>> blacklist the sit module in such cases?
>> 3. Can we override the kernel and initrd used by libguestfs via the
>> virt-customize command line?
>> libguestfs: command: run: passt --help
>> sh: 1: passt: not found
> If you use passt (which supports IPv6) it might work better, or at
> least differently ...
...that would be my suggestion as well (apt install passt). It's not
exactly up to date on Ubuntu 24.04, and doesn't look very maintained
(see e.g. https://bugs.launchpad.net/ubuntu/+source/passt/+bug/2077158,
I maintain the Debian package only), but it should work better than
libslirp anyway, as the appliance can use SLAAC as well.
I tried using passt on Ubuntu 24.04 LTS (Noble Numbat) but encountered
permission issues. I spent some time debugging without success. Below
are the steps I took. I would appreciate any suggestions for resolving
this issue.
# passt --version
passt unknown version
Copyright Red Hat
GNU General Public License, version 2 or later
<https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
# dpkg -l | grep passt
ii passt 0.0~git20240220.1e6f92b-1 amd64 user-mode networking
daemons for virtual machines and namespaces
Running virt-customize resulted in a different error:
Error with virt-customize:
libguestfs: command: run: passt
libguestfs: command: run: \ --one-off
libguestfs: command: run: \ --socket /tmp/libguestfsJamIlZ/passt.sock
libguestfs: command: run: \ --pid /tmp/libguestfsJamIlZ/passt1.pid
libguestfs: command: run: \ --address 169.254.2.15
libguestfs: command: run: \ --netmask 16
libguestfs: command: run: \ --mac-addr 52:56:00:00:00:02
libguestfs: command: run: \ --gateway 169.254.2.2
Don't run as root. Changing to nobody...
No routable interface for IPv6: IPv6 is disabled
Template interface: enp97s0 (IPv4)
MAC:
host: 52:56:00:00:00:02
DHCP:
assign: 169.254.2.15
mask: 255.255.0.0
router: 169.254.2.2
DNS:
169.254.2.2
DNS search list:
amd.com
UNIX domain socket bound at /tmp/libguestfsJamIlZ/passt.sock
You can now start qemu (>= 7.2, with commit 13c6be96618c):
kvm ... -device virtio-net-pci,netdev=s -netdev
stream,id=s,server=off,addr.type=unix,addr.path=/tmp/libguestfsJamIlZ/passt.sock
or qrap, for earlier qemu versions:
./qrap 5 kvm ... -net socket,fd=5 -net nic,model=virtio
PID file open: Permission denied
libguestfs: trace: launch = -1 (error)
virt-customize: error: libguestfs error: passt exited with status 1
I tested both versions of passt: the one provided by Ubuntu 24.04 and
the Debian passt package. I have attached error logs for both versions.
I also tried modifying AppArmor rules, but it still fails on Ubuntu 24.04:
# aa-disable /etc/apparmor.d/usr.bin.passt
ERROR: Operation {'runbindable'} cannot have a source. Source = AARE('/')
I attempted to stop the AppArmor service, but the issue with passt persists.
3:12 a.m.
On Tue, Jun 24, 2025 at 01:25:47PM +0530, Aithal, Srikanth wrote:
libguestfs: command: run: \ --pid /tmp/libguestfsJamIlZ/passt1.pid
...
Don't run as root. Changing to nobody...
...
PID file open: Permission denied
libguestfs: trace: launch = -1 (error)
In libguestfs we already work around qemu changing its user when we
are running as root:
https://github.com/libguestfs/libguestfs/blob/0991b4dc2124a8d6c3d232663ea...
However I think because passt is creating the file, it cannot write
into the 0755 directory.
Honestly (just as with libvirt / qemu) unilaterally changing the user
ID when running as root is not helping anyone nor adding any security.
As for working around the bug, just don't run virt-customize as root.
There's no need to run guestfs tools as root, unless for some reason
you need to edit a disk image which is only accessible by root.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org
3:36 a.m.
On 6/24/2025 1:42 PM, Richard W.M. Jones wrote:
On Tue, Jun 24, 2025 at 01:25:47PM +0530, Aithal, Srikanth wrote:
> libguestfs: command: run: \ --pid /tmp/libguestfsJamIlZ/passt1.pid
...
> Don't run as root. Changing to nobody...
...
> PID file open: Permission denied
> libguestfs: trace: launch = -1 (error)
In libguestfs we already work around qemu changing its user when we
are running as root:
https://github.com/libguestfs/libguestfs/blob/0991b4dc2124a8d6c3d232663ea...
However I think because passt is creating the file, it cannot write
into the 0755 directory.
Honestly (just as with libvirt / qemu) unilaterally changing the user
ID when running as root is not helping anyone nor adding any security.
As for working around the bug, just don't run virt-customize as root.
There's no need to run guestfs tools as root, unless for some reason
you need to edit a disk image which is only accessible by root.
Rich.
Hello Rich,
Thank you for your response.
I tried using a non-root user, but I'm still encountering the same
issue. I have confirmed that the user is part of the kvm and libvirt groups:
$ id $(whoami)
uid=1000(amd) gid=1000(amd)
groups=1000(amd),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),994(kvm),101(lxd),110(libvirt)
I ran the following command:
$ virt-customize -v -x -a noble-server-cloudimg-amd64.qcow2 --install
isc-dhcp-client
The output includes:
...
libguestfs: command: run: passt
libguestfs: command: run: \ --one-off
libguestfs: command: run: \ --socket
/run/user/1000/libguestfsr1TVUg/passt.sock
libguestfs: command: run: \ --pid /run/user/1000/libguestfsr1TVUg/passt3.pid
libguestfs: command: run: \ --address 169.254.2.15
libguestfs: command: run: \ --netmask 16
libguestfs: command: run: \ --mac-addr 52:56:00:00:00:02
libguestfs: command: run: \ --gateway 169.254.2.2
No routable interface for IPv6: IPv6 is disabled
Template interface: enp97s0 (IPv4)
MAC:
host: 52:56:00:00:00:02
DHCP:
assign: 169.254.2.15
mask: 255.255.0.0
router: 169.254.2.2
DNS:
169.254.2.2
DNS search list:
amd.com
UNIX domain socket bound at /run/user/1000/libguestfsr1TVUg/passt.sock
You can now start qemu (>= 7.2, with commit 13c6be96618c):
kvm ... -device virtio-net-pci,netdev=s -netdev
stream,id=s,server=off,addr.type=unix,addr.path=/run/user/1000/libguestfsr1TVUg/passt.sock
or qrap, for earlier qemu versions:
./qrap 5 kvm ... -net socket,fd=5 -net nic,model=virtio
PID file open: Permission denied
libguestfs: trace: launch = -1 (error)
virt-customize: error: libguestfs error: passt exited with status 1
...
I have attached the full log for your reference. Please let me know if
you need additional details.
4:34 a.m.
On Tue, 24 Jun 2025 09:12:33 +0100
"Richard W.M. Jones" <rjones(a)redhat.com> wrote:
On Tue, Jun 24, 2025 at 01:25:47PM +0530, Aithal, Srikanth wrote:
> libguestfs: command: run: \ --pid /tmp/libguestfsJamIlZ/passt1.pid
...
> Don't run as root. Changing to nobody...
...
> PID file open: Permission denied
I think that might be due to an issue in the AppArmor policy from the
version shipped with Ubuntu 24.04 (that's a rather old version), but
I'm not entirely sure what it might be.
Aithal, could you have a look at /var/log/audit/audit.log (say,
"tail -f /var/log/audit/audit.log") while you're running this?
AppArmor access denials are logged there, as well as in the system log.
> libguestfs: trace: launch = -1 (error)
In libguestfs we already work around qemu changing its user when we
are running as root:
https://github.com/libguestfs/libguestfs/blob/0991b4dc2124a8d6c3d232663ea...
However I think because passt is creating the file, it cannot write
into the 0755 directory.
This is something we fixed:
https://passt.top/passt/commit/?id=c9b24134656925e53fea3cde0b33ab143dcd84af
the fix is not available in 0.0~git20240220.1e6f92b-1, and I'm generally
having little luck with requesting backports, e.g.:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2077158
but in any case that's not the issue Aithal is hitting here, because things
don't work as non-root anyway.
Honestly (just as with libvirt / qemu) unilaterally changing the
user
ID when running as root is not helping anyone nor adding any security.
I'd say that, minus that kind of issue which is obviously detrimental to
security, not being able to issue a number of system calls as root once
a guest connects is still decreasing the surface for possible attacks.
--
Stefano
5:16 a.m.
On 6/24/2025 3:04 PM, Stefano Brivio wrote:
On Tue, 24 Jun 2025 09:12:33 +0100
"Richard W.M. Jones"<rjones(a)redhat.com> wrote:
> On Tue, Jun 24, 2025 at 01:25:47PM +0530, Aithal, Srikanth wrote:
>> libguestfs: command: run: \ --pid /tmp/libguestfsJamIlZ/passt1.pid
> ...
>> Don't run as root. Changing to nobody...
> ...
>> PID file open: Permission denied
I think that might be due to an issue in the AppArmor policy from the
version shipped with Ubuntu 24.04 (that's a rather old version), but
I'm not entirely sure what it might be.
Aithal, could you have a look at /var/log/audit/audit.log (say,
"tail -f /var/log/audit/audit.log") while you're running this?
AppArmor access denials are logged there, as well as in the system log.
I updated my Ubuntu 24.04 system to the latest version using apt
upgrade. Following the update, I can now run virt-customize as a
non-root user with passt, resolving the previous permission issue.
However, I am still encountering the original issue I faced with
libslirp and now with passt: the network interfaces inside the
libguestfs appliance are not being assigned IP addresses.
I have attached the new logs for your review. Thank you for your time
and assistance.
/# dpkg -l | grep passt/
ii passt 0.0~git20240220.1e6f92b-1 amd64
user-mode networking daemons for virtual machines and namespaces
/# sudo -u amd virt-customize -v -x -a
/home/amd/noble-server-cloudimg-amd64.qcow2 --install isc-dhcp-client/
..
libguestfs: command: run: passt --help
Usage: passt [OPTION]...
-d, --debug\t\tBe verbose
--trace\t\tBe extra verbose, implies --debug
..
..
libguestfs: command: run: passt
libguestfs: command: run: \ --one-off
libguestfs: command: run: \ --socket /tmp/libguestfsTs3w5r/passt.sock
libguestfs: command: run: \ --pid /tmp/libguestfsTs3w5r/passt1.pid
libguestfs: command: run: \ --address 169.254.2.15
libguestfs: command: run: \ --netmask 16
libguestfs: command: run: \ --mac-addr 52:56:00:00:00:02
libguestfs: command: run: \ --gateway 169.254.2.2
No routable interface for IPv6: IPv6 is disabled
Template interface: enp97s0 (IPv4)
MAC:
host: 52:56:00:00:00:02
DHCP:
assign: 169.254.2.15
mask: 255.255.0.0
router: 169.254.2.2
DNS:
169.254.2.2
DNS search list:
amd.com
UNIX domain socket bound at /tmp/libguestfsTs3w5r/passt.sock
You can now start qemu (>= 7.2, with commit 13c6be96618c):
kvm ... -device virtio-net-pci,netdev=s -netdev
stream,id=s,server=off,addr.type=unix,addr.path=/tmp/libguestfsTs3w5r/passt.sock
or qrap, for earlier qemu versions:
./qrap 5 kvm ... -net socket,fd=5 -net nic,model=virtio
/usr/bin/qemu-system-x86_64 \
-global virtio-blk-pci.scsi=off \
-no-user-config \
-nodefaults \
..
* -netdev
stream,id=usernet,addr.type=unix,addr.path=/tmp/libguestfsTs3w5r/passt.sock
\*
-device virtio-net-pci,netdev=usernet \
..
..
+ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
inet6 fe80::5054:ff:fe12:3456/64 scope link tentative
valid_lft forever preferred_lft forever
3: sit0@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN
group default qlen 1000
link/sit 0.0.0.0 brd 0.0.0.0
inet6 ::127.0.0.1/96 scope host
valid_lft forever preferred_lft forever
..
Reading package lists...
W: Failed to fetch
http://archive.ubuntu.com/ubuntu/dists/noble/InRelease Temporary
failure resolving 'archive.ubuntu.com'
W: Failed to fetch
http://archive.ubuntu.com/ubuntu/dists/noble-updates/InRelease Temporary
failure resolving 'archive.ubuntu.com'
W: Failed to fetch
http://archive.ubuntu.com/ubuntu/dists/noble-backports/InRelease
Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch
http://security.ubuntu.com/ubuntu/dists/noble-security/InRelease
Temporary failure resolving 'security.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old
ones used instead.
Reading package lists...
Building dependency tree...
Reading state information...
E: Unable to locate package isc-dhcp-client
..
>> libguestfs: trace: launch = -1 (error)
> In libguestfs we already work around qemu changing its user when we
> are running as root:
>
>
https://github.com/libguestfs/libguestfs/blob/0991b4dc2124a8d6c3d232663ea...
>
> However I think because passt is creating the file, it cannot write
> into the 0755 directory.
This is something we fixed:
https://passt.top/passt/commit/?id=c9b24134656925e53fea3cde0b33ab143dcd84af
the fix is not available in 0.0~git20240220.1e6f92b-1, and I'm generally
having little luck with requesting backports, e.g.:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2077158
but in any case that's not the issue Aithal is hitting here, because things
don't work as non-root anyway.
> Honestly (just as with libvirt / qemu) unilaterally changing the user
> ID when running as root is not helping anyone nor adding any security.
I'd say that, minus that kind of issue which is obviously detrimental to
security, not being able to issue a number of system calls as root once
a guest connects is still decreasing the surface for possible attacks.
5:37 a.m.
On Tue, 24 Jun 2025 15:46:13 +0530
"Aithal, Srikanth" <sraithal(a)amd.com> wrote:
On 6/24/2025 3:04 PM, Stefano Brivio wrote:
> On Tue, 24 Jun 2025 09:12:33 +0100
> "Richard W.M. Jones"<rjones(a)redhat.com> wrote:
>
>> On Tue, Jun 24, 2025 at 01:25:47PM +0530, Aithal, Srikanth wrote:
>>> libguestfs: command: run: \ --pid /tmp/libguestfsJamIlZ/passt1.pid
>> ...
>>> Don't run as root. Changing to nobody...
>> ...
>>> PID file open: Permission denied
> I think that might be due to an issue in the AppArmor policy from the
> version shipped with Ubuntu 24.04 (that's a rather old version), but
> I'm not entirely sure what it might be.
>
> Aithal, could you have a look at /var/log/audit/audit.log (say,
> "tail -f /var/log/audit/audit.log") while you're running this?
>
> AppArmor access denials are logged there, as well as in the system log.
I updated my Ubuntu 24.04 system to the latest version using apt
upgrade. Following the update, I can now run virt-customize as a
non-root user with passt, resolving the previous permission issue.
However, I am still encountering the original issue I faced with
libslirp and now with passt: the network interfaces inside the
libguestfs appliance are not being assigned IP addresses.
I have attached the new logs for your review. Thank you for your time
and assistance.
/# dpkg -l | grep passt/
ii passt 0.0~git20240220.1e6f92b-1 amd64
user-mode networking daemons for virtual machines and namespaces
/# sudo -u amd virt-customize -v -x -a
/home/amd/noble-server-cloudimg-amd64.qcow2 --install isc-dhcp-client/
..
libguestfs: command: run: passt --help
Usage: passt [OPTION]...
-d, --debug\t\tBe verbose
--trace\t\tBe extra verbose, implies --debug
..
..
libguestfs: command: run: passt
libguestfs: command: run: \ --one-off
libguestfs: command: run: \ --socket /tmp/libguestfsTs3w5r/passt.sock
libguestfs: command: run: \ --pid /tmp/libguestfsTs3w5r/passt1.pid
libguestfs: command: run: \ --address 169.254.2.15
libguestfs: command: run: \ --netmask 16
libguestfs: command: run: \ --mac-addr 52:56:00:00:00:02
libguestfs: command: run: \ --gateway 169.254.2.2
No routable interface for IPv6: IPv6 is disabled
Template interface: enp97s0 (IPv4)
MAC:
host: 52:56:00:00:00:02
DHCP:
assign: 169.254.2.15
mask: 255.255.0.0
router: 169.254.2.2
DNS:
169.254.2.2
DNS search list:
amd.com
UNIX domain socket bound at /tmp/libguestfsTs3w5r/passt.sock
...I didn't realise you don't have IPv6 connectivity on the host,
sorry. Then passt won't really help bypassing IPv4.
Rich, I think the issue here is that appliance/init does:
iface=$(ls -I all -I default -I lo /proc/sys/net/ipv4/conf)
and that will pick sit0 over eth0, but it shouldn't. If requesting
jq(1) is an option, perhaps:
iface=$(ip -j link show | jq -rM '.[] | select(.link_type ==
"ether").ifname')
would be somewhat more accurate.
--
Stefano
6:33 a.m.
On Tue, Jun 24, 2025 at 12:37:22PM +0200, Stefano Brivio wrote:
On Tue, 24 Jun 2025 15:46:13 +0530
"Aithal, Srikanth" <sraithal(a)amd.com> wrote:
> On 6/24/2025 3:04 PM, Stefano Brivio wrote:
> > On Tue, 24 Jun 2025 09:12:33 +0100
> > "Richard W.M. Jones"<rjones(a)redhat.com> wrote:
> >
> >> On Tue, Jun 24, 2025 at 01:25:47PM +0530, Aithal, Srikanth wrote:
> >>> libguestfs: command: run: \ --pid /tmp/libguestfsJamIlZ/passt1.pid
> >> ...
> >>> Don't run as root. Changing to nobody...
> >> ...
> >>> PID file open: Permission denied
> > I think that might be due to an issue in the AppArmor policy from the
> > version shipped with Ubuntu 24.04 (that's a rather old version), but
> > I'm not entirely sure what it might be.
> >
> > Aithal, could you have a look at /var/log/audit/audit.log (say,
> > "tail -f /var/log/audit/audit.log") while you're running this?
> >
> > AppArmor access denials are logged there, as well as in the system log.
>
> I updated my Ubuntu 24.04 system to the latest version using apt
> upgrade. Following the update, I can now run virt-customize as a
> non-root user with passt, resolving the previous permission issue.
>
> However, I am still encountering the original issue I faced with
> libslirp and now with passt: the network interfaces inside the
> libguestfs appliance are not being assigned IP addresses.
>
> I have attached the new logs for your review. Thank you for your time
> and assistance.
>
>
> /# dpkg -l | grep passt/
> ii passt 0.0~git20240220.1e6f92b-1 amd64
> user-mode networking daemons for virtual machines and namespaces
>
>
> /# sudo -u amd virt-customize -v -x -a
> /home/amd/noble-server-cloudimg-amd64.qcow2 --install isc-dhcp-client/
>
> ..
>
> libguestfs: command: run: passt --help
> Usage: passt [OPTION]...
>
> -d, --debug\t\tBe verbose
> --trace\t\tBe extra verbose, implies --debug
> ..
>
> ..
>
> libguestfs: command: run: passt
> libguestfs: command: run: \ --one-off
> libguestfs: command: run: \ --socket /tmp/libguestfsTs3w5r/passt.sock
> libguestfs: command: run: \ --pid /tmp/libguestfsTs3w5r/passt1.pid
> libguestfs: command: run: \ --address 169.254.2.15
> libguestfs: command: run: \ --netmask 16
> libguestfs: command: run: \ --mac-addr 52:56:00:00:00:02
> libguestfs: command: run: \ --gateway 169.254.2.2
> No routable interface for IPv6: IPv6 is disabled
> Template interface: enp97s0 (IPv4)
> MAC:
> host: 52:56:00:00:00:02
> DHCP:
> assign: 169.254.2.15
> mask: 255.255.0.0
> router: 169.254.2.2
> DNS:
> 169.254.2.2
> DNS search list:
> amd.com
> UNIX domain socket bound at /tmp/libguestfsTs3w5r/passt.sock
...I didn't realise you don't have IPv6 connectivity on the host,
sorry. Then passt won't really help bypassing IPv4.
Rich, I think the issue here is that appliance/init does:
iface=$(ls -I all -I default -I lo /proc/sys/net/ipv4/conf)
and that will pick sit0 over eth0, but it shouldn't. If requesting
jq(1) is an option, perhaps:
iface=$(ip -j link show | jq -rM '.[] | select(.link_type ==
"ether").ifname')
would be somewhat more accurate.
I'm a bit confused here. How does host IPv4 or IPv6 affect what
happens in the appliance? For example if the host only had IPv6, it
should still work wouldn't it?
Also I'm confused where sit0 comes from (or even what it is, really).
Why does it appear inside the appliance at all?
My mental model is that passt provides an IPv4 address inside the host
on eth0. If the host has, say, only IPv6, then requests would be
proxied out over that. We don't care how that happens precisely.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
6:57 a.m.
On Tue, 24 Jun 2025 12:33:17 +0100
"Richard W.M. Jones" <rjones(a)redhat.com> wrote:
On Tue, Jun 24, 2025 at 12:37:22PM +0200, Stefano Brivio wrote:
> On Tue, 24 Jun 2025 15:46:13 +0530
> "Aithal, Srikanth" <sraithal(a)amd.com> wrote:
>
> > On 6/24/2025 3:04 PM, Stefano Brivio wrote:
> > > On Tue, 24 Jun 2025 09:12:33 +0100
> > > "Richard W.M. Jones"<rjones(a)redhat.com> wrote:
> > >
> > >> On Tue, Jun 24, 2025 at 01:25:47PM +0530, Aithal, Srikanth wrote:
> > >>> libguestfs: command: run: \ --pid /tmp/libguestfsJamIlZ/passt1.pid
> > >> ...
> > >>> Don't run as root. Changing to nobody...
> > >> ...
> > >>> PID file open: Permission denied
> > > I think that might be due to an issue in the AppArmor policy from the
> > > version shipped with Ubuntu 24.04 (that's a rather old version), but
> > > I'm not entirely sure what it might be.
> > >
> > > Aithal, could you have a look at /var/log/audit/audit.log (say,
> > > "tail -f /var/log/audit/audit.log") while you're running
this?
> > >
> > > AppArmor access denials are logged there, as well as in the system log.
> >
> > I updated my Ubuntu 24.04 system to the latest version using apt
> > upgrade. Following the update, I can now run virt-customize as a
> > non-root user with passt, resolving the previous permission issue.
> >
> > However, I am still encountering the original issue I faced with
> > libslirp and now with passt: the network interfaces inside the
> > libguestfs appliance are not being assigned IP addresses.
> >
> > I have attached the new logs for your review. Thank you for your time
> > and assistance.
> >
> >
> > /# dpkg -l | grep passt/
> > ii passt 0.0~git20240220.1e6f92b-1 amd64
> > user-mode networking daemons for virtual machines and namespaces
> >
> >
> > /# sudo -u amd virt-customize -v -x -a
> > /home/amd/noble-server-cloudimg-amd64.qcow2 --install isc-dhcp-client/
> >
> > ..
> >
> > libguestfs: command: run: passt --help
> > Usage: passt [OPTION]...
> >
> > -d, --debug\t\tBe verbose
> > --trace\t\tBe extra verbose, implies --debug
> > ..
> >
> > ..
> >
> > libguestfs: command: run: passt
> > libguestfs: command: run: \ --one-off
> > libguestfs: command: run: \ --socket /tmp/libguestfsTs3w5r/passt.sock
> > libguestfs: command: run: \ --pid /tmp/libguestfsTs3w5r/passt1.pid
> > libguestfs: command: run: \ --address 169.254.2.15
> > libguestfs: command: run: \ --netmask 16
> > libguestfs: command: run: \ --mac-addr 52:56:00:00:00:02
> > libguestfs: command: run: \ --gateway 169.254.2.2
> > No routable interface for IPv6: IPv6 is disabled
> > Template interface: enp97s0 (IPv4)
> > MAC:
> > host: 52:56:00:00:00:02
> > DHCP:
> > assign: 169.254.2.15
> > mask: 255.255.0.0
> > router: 169.254.2.2
> > DNS:
> > 169.254.2.2
> > DNS search list:
> > amd.com
> > UNIX domain socket bound at /tmp/libguestfsTs3w5r/passt.sock
>
> ...I didn't realise you don't have IPv6 connectivity on the host,
> sorry. Then passt won't really help bypassing IPv4.
>
> Rich, I think the issue here is that appliance/init does:
>
> iface=$(ls -I all -I default -I lo /proc/sys/net/ipv4/conf)
>
> and that will pick sit0 over eth0, but it shouldn't. If requesting
> jq(1) is an option, perhaps:
>
> iface=$(ip -j link show | jq -rM '.[] | select(.link_type ==
"ether").ifname')
>
> would be somewhat more accurate.
I'm a bit confused here. How does host IPv4 or IPv6 affect what
happens in the appliance?
The appliance still needs to connect to hosts using IPv4 or IPv6
addresses.
My hope was simply that availability of IPv6 would work around the
issue, because IPv4 isn't configured here (due to the issue I'm pointing
out).
The interface appliance/init selects to configure IPv4 via DHCP is
sit0 instead of eth0.
For example if the host only had IPv6, it should still work
wouldn't
it?
With IPv6 only, appliance/init would at least need to bring up the
interface to configure the interface via SLAAC. I don't see it being
done, so, unless it's done implicitly somewhere, that shouldn't work,
either.
I guess that should be fixed as well, with, say:
ip link set "${iface}" up
Also I'm confused where sit0 comes from (or even what it is,
really).
Why does it appear inside the appliance at all?
See original report from Aithal for full details (and in my opinion a
reasonable request to offer a way to disable the module inside the
appliance).
Long story short, you configure the kernel with CONFIG_IPV6_SIT, and
the kernel will automatically create the sit0 interface at boot, which
causes appliance/init to ask dhclient to configure it (instead of eth0).
SIT stands for "Simple Internet Transition" and it's essentially the
6to4 (https://en.wikipedia.org/wiki/6to4) implementation on Linux. It's
not supposed to be used in the appliance at all, but the interface
appears merely because the kernel is configured with it.
My mental model is that passt provides an IPv4 address inside the
host
on eth0. If the host has, say, only IPv6, then requests would be
proxied out over that. We don't care how that happens precisely.
Protocol families are not simply proxied between each other because
there's no shared address space between IPv4 and IPv6.
Let's say you connect to 88.198.0.164 from the appliance, but there's
no IPv4 routing available on the host: passt will *not* reverse-resolve
88.198.0.164 to passt.top and connect you to 2a01:4f8:222:904::2
instead. That would be kind of surprising and add convoluted DNS
requirements.
We have a request for CLAT:
https://bugs.passt.top/show_bug.cgi?id=43
where one could do something like that, but you would need to configure
it explicitly (the day it's implemented).
In any case, this has all little to do with the actual issue. The
problem is that the appliance runs dhclient or dhcpcd on sit0 instead
of eth0, because excluding "all", "default", and "lo" is not
enough. If
you prefer a minimal fix:
iface=$(ls -I all -I default -I lo -I sit0 /proc/sys/net/ipv4/conf)
would also work.
I can send a patch, too, but it might take me a while before I find a
moment to prepare the test setup.
--
Stefano
7:15 a.m.
On Tue, Jun 24, 2025 at 01:57:09PM +0200, Stefano Brivio wrote:
On Tue, 24 Jun 2025 12:33:17 +0100
"Richard W.M. Jones" <rjones(a)redhat.com> wrote:
> I'm a bit confused here. How does host IPv4 or IPv6 affect what
> happens in the appliance?
The appliance still needs to connect to hosts using IPv4 or IPv6
addresses.
My hope was simply that availability of IPv6 would work around the
issue, because IPv4 isn't configured here (due to the issue I'm pointing
out).
OK I see, I think. By "isn't configured" you mean because we pick the
sit0 interface instead of eth0? (Obviously that's wrong, but the
"ls -I" command is a bit of a hack.) We could add "-I sit" there.
The interface appliance/init selects to configure IPv4 via DHCP is
sit0 instead of eth0.
> For example if the host only had IPv6, it should still work wouldn't
> it?
With IPv6 only, appliance/init would at least need to bring up the
interface to configure the interface via SLAAC. I don't see it being
done, so, unless it's done implicitly somewhere, that shouldn't work,
either.
I guess that should be fixed as well, with, say:
ip link set "${iface}" up
> Also I'm confused where sit0 comes from (or even what it is, really).
> Why does it appear inside the appliance at all?
See original report from Aithal for full details (and in my opinion a
reasonable request to offer a way to disable the module inside the
appliance).
"the module" meaning ipv6/sit.ko?
Long story short, you configure the kernel with CONFIG_IPV6_SIT, and
the kernel will automatically create the sit0 interface at boot, which
causes appliance/init to ask dhclient to configure it (instead of eth0).
SIT stands for "Simple Internet Transition" and it's essentially the
6to4 (https://en.wikipedia.org/wiki/6to4) implementation on Linux. It's
not supposed to be used in the appliance at all, but the interface
appears merely because the kernel is configured with it.
> My mental model is that passt provides an IPv4 address inside the host
> on eth0. If the host has, say, only IPv6, then requests would be
> proxied out over that. We don't care how that happens precisely.
Protocol families are not simply proxied between each other because
there's no shared address space between IPv4 and IPv6.
If passt is like slirp, then it would originate connections itself
(ie. calling connect(2) on the host side), so I don't understand how
the address family would be relevant. I guess passt is not like slirp
in this regard?
Let's say you connect to 88.198.0.164 from the appliance, but
there's
no IPv4 routing available on the host: passt will *not* reverse-resolve
88.198.0.164 to passt.top and connect you to 2a01:4f8:222:904::2
instead. That would be kind of surprising and add convoluted DNS
requirements.
We have a request for CLAT:
https://bugs.passt.top/show_bug.cgi?id=43
where one could do something like that, but you would need to configure
it explicitly (the day it's implemented).
In any case, this has all little to do with the actual issue. The
problem is that the appliance runs dhclient or dhcpcd on sit0 instead
of eth0, because excluding "all", "default", and "lo" is
not enough. If
you prefer a minimal fix:
iface=$(ls -I all -I default -I lo -I sit0 /proc/sys/net/ipv4/conf)
Yes, this seems like the more obvious change, but there seems there
might be something very deep that I'm missing here.
would also work.
I can send a patch, too, but it might take me a while before I find a
moment to prepare the test setup.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
7:33 a.m.
On Tue, 24 Jun 2025 13:15:58 +0100
"Richard W.M. Jones" <rjones(a)redhat.com> wrote:
On Tue, Jun 24, 2025 at 01:57:09PM +0200, Stefano Brivio wrote:
> On Tue, 24 Jun 2025 12:33:17 +0100
> "Richard W.M. Jones" <rjones(a)redhat.com> wrote:
> > I'm a bit confused here. How does host IPv4 or IPv6 affect what
> > happens in the appliance?
>
> The appliance still needs to connect to hosts using IPv4 or IPv6
> addresses.
>
> My hope was simply that availability of IPv6 would work around the
> issue, because IPv4 isn't configured here (due to the issue I'm pointing
> out).
OK I see, I think. By "isn't configured" you mean because we pick the
sit0 interface instead of eth0?
Right.
(Obviously that's wrong, but the
"ls -I" command is a bit of a hack.) We could add "-I sit" there.
> The interface appliance/init selects to configure IPv4 via DHCP is
> sit0 instead of eth0.
>
> > For example if the host only had IPv6, it should still work wouldn't
> > it?
>
> With IPv6 only, appliance/init would at least need to bring up the
> interface to configure the interface via SLAAC. I don't see it being
> done, so, unless it's done implicitly somewhere, that shouldn't work,
> either.
>
> I guess that should be fixed as well, with, say:
>
> ip link set "${iface}" up
>
> > Also I'm confused where sit0 comes from (or even what it is, really).
> > Why does it appear inside the appliance at all?
>
> See original report from Aithal for full details (and in my opinion a
> reasonable request to offer a way to disable the module inside the
> appliance).
"the module" meaning ipv6/sit.ko?
That would be the corresponding module file, but given that the module
is built-in here (I'm still calling it a module, but that's a matter of
wording), one could pass something like initcall_blacklist=sit_init on
the kernel command line.
> Long story short, you configure the kernel with CONFIG_IPV6_SIT,
and
> the kernel will automatically create the sit0 interface at boot, which
> causes appliance/init to ask dhclient to configure it (instead of eth0).
>
> SIT stands for "Simple Internet Transition" and it's essentially the
> 6to4 (https://en.wikipedia.org/wiki/6to4) implementation on Linux. It's
> not supposed to be used in the appliance at all, but the interface
> appears merely because the kernel is configured with it.
>
> > My mental model is that passt provides an IPv4 address inside the host
> > on eth0. If the host has, say, only IPv6, then requests would be
> > proxied out over that. We don't care how that happens precisely.
>
> Protocol families are not simply proxied between each other because
> there's no shared address space between IPv4 and IPv6.
If passt is like slirp, then it would originate connections itself
(ie. calling connect(2) on the host side), so I don't understand how
the address family would be relevant.
Indeed, it does that, but it needs to pass an address (including family)
to connect(2), and that's the destination address of the original
connection as seen from the guest. You can't connect to 88.198.0.164
using IPv6.
I guess passt is not like slirp in this regard?
They're exactly the same in this regard.
> Let's say you connect to 88.198.0.164 from the appliance,
but there's
> no IPv4 routing available on the host: passt will *not* reverse-resolve
> 88.198.0.164 to passt.top and connect you to 2a01:4f8:222:904::2
> instead. That would be kind of surprising and add convoluted DNS
> requirements.
>
> We have a request for CLAT:
>
> https://bugs.passt.top/show_bug.cgi?id=43
>
> where one could do something like that, but you would need to configure
> it explicitly (the day it's implemented).
>
> In any case, this has all little to do with the actual issue. The
> problem is that the appliance runs dhclient or dhcpcd on sit0 instead
> of eth0, because excluding "all", "default", and "lo"
is not enough. If
> you prefer a minimal fix:
>
> iface=$(ls -I all -I default -I lo -I sit0 /proc/sys/net/ipv4/conf)
Yes, this seems like the more obvious change, but there seems there
might be something very deep that I'm missing here.
> would also work.
>
> I can send a patch, too, but it might take me a while before I find a
> moment to prepare the test setup.
Rich.
--
Stefano
8:03 a.m.
On Tue, Jun 24, 2025 at 02:33:43PM +0200, Stefano Brivio wrote:
On Tue, 24 Jun 2025 13:15:58 +0100
"Richard W.M. Jones" <rjones(a)redhat.com> wrote:
> If passt is like slirp, then it would originate connections itself
> (ie. calling connect(2) on the host side), so I don't understand how
> the address family would be relevant.
Indeed, it does that, but it needs to pass an address (including family)
to connect(2), and that's the destination address of the original
connection as seen from the guest. You can't connect to 88.198.0.164
using IPv6.
OK I see, thanks. Isn't there some IPv4-in-IPv6 thing passt could do
in this case? Or could passt choose the right address family to use
in connect(2) based on the address that the appliance passes across?
I think also we're confusing what happens on the host with what
happens in the appliance a bit (or maybe I am). Inside the appliance
I'd like to go for this simple change:
- iface=$(ls -I all -I default -I lo /proc/sys/net/ipv4/conf)
+ iface=$(ls -I all -I default -I lo -I sit0 /proc/sys/net/ipv4/conf)
Is there anything that needs to happen on the host side?
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
8
days inactive
12
days old
1 comments
2 participants
participants (2)
-
Aithal, Srikanth -
Richard W.M. Jones -
Stefano Brivio