Your message dated Thu, 3 Mar 2016 17:47:20 +0100 with message-id <[email protected]> and subject line Re: [Pkg-libvirt-maintainers] Bug#816602: libvirt-daemon: Expects qemu-bridge-helper in /usr/libexec/ has caused the Debian Bug report #816602, regarding libvirt-daemon: Expects qemu-bridge-helper in /usr/libexec/ to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
816602: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816602
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libvirt-daemon
Version: 1.2.9-9+deb8u1
Severity: normal

Hi Guido,

$ strings /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so | grep bridge-helper
/usr/libexec/qemu-bridge-helper

# dpkg -S bridge-helper
qemu-system-common: /usr/lib/qemu/qemu-bridge-helper

As <https://lists.gnu.org/archive/html/qemu-devel/2013-11/msg01534.html> seems to never have been applied, the helper is also missing the required capability CAP_NET_ADMIN, which must be added by running

  setcap cap_net_admin+ep /usr/lib/qemu/qemu-bridge-helper

I choose to put that information in the README.Debian.

Greeting
Philipp

PS: I hope I didn't break some test-suite - at least building the new version in my pbuilder environment worked okay.

-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (90, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libvirt-daemon depends on:
ii libapparmor1 2.9.0-3
ii libaudit1 1:2.4-1+b1
ii libavahi-client3 0.6.31-5
ii libavahi-common3 0.6.31-5
ii libblkid1 2.25.2-6
ii libc6 2.19-18+deb8u3
ii libcap-ng0 0.7.4-2
ii libdbus-1-3 1.8.20-0+deb8u1
ii libdevmapper1.02.1 2:1.02.90-2.2
ii libfuse2 2.9.3-15+deb8u2
ii libgnutls-deb0-28 3.3.8-6+deb8u3
ii libnetcf1 1:0.2.3-4.1
ii libnl-3-200 3.2.24-2
ii libnl-route-3-200 3.2.24-2
ii libnuma1 2.0.10-1
ii libparted2 3.2-7
ii libpcap0.8 1.6.2-2
ii libpciaccess0 0.13.2-3+b1
ii librados2 0.80.7-2+deb8u1
ii librbd1 0.80.7-2+deb8u1
ii libsasl2-2 2.1.26.dfsg1-13+deb8u1
ii libselinux1 2.3-2
ii libssh2-1 1.4.3-4.1+deb8u1
ii libsystemd0 215-17+deb8u3
ii libudev1 215-17+deb8u3
ii libvirt0 1.2.9-9+deb8u1
ii libxen-4.4 4.4.1-9+deb8u3
ii libxenstore3.0 4.4.1-9+deb8u3
ii libxml2 2.9.1+dfsg1-5+deb8u1
ii libyajl2 2.1.0-2

Versions of packages libvirt-daemon
recommends: ii libxml2-utils 2.9.1+dfsg1-5+deb8u1 ii netcat-openbsd 1.105-7 ii qemu-kvm 1:2.1+dfsg-12+deb8u5a Versions of packages libvirt-daemon suggests: ii libvirt-daemon-system 1.2.9-9+deb8u1 -- no debconf information--- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -357,7 +357,7 @@ # is used to create <source type='bridge'> interfaces when libvirtd is # running unprivileged. libvirt invokes the helper directly, instead # of using "-netdev bridge", for security reasons. -#bridge_helper = "/usr/libexec/qemu-bridge-helper" +#bridge_helper = "/usr/lib/qemu/qemu-bridge-helper" --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -244,7 +244,7 @@ virQEMUDriverConfigPtr virQEMUDriverConf goto error; } - if (VIR_STRDUP(cfg->bridgeHelperName, "/usr/libexec/qemu-bridge-helper") < 0) + if (VIR_STRDUP(cfg->bridgeHelperName, "/usr/lib/qemu/qemu-bridge-helper") < 0) goto error; cfg->clearEmulatorCapabilities = true; --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in @@ -56,7 +56,7 @@ module Test_libvirtd_qemu = { "auto_dump_bypass_cache" = "0" } { "auto_start_bypass_cache" = "0" } { "hugetlbfs_mount" = "/dev/hugepages" } -{ "bridge_helper" = "/usr/libexec/qemu-bridge-helper" } +{ "bridge_helper" = "/usr/lib/qemu/qemu-bridge-helper" } { "clear_emulator_capabilities" = "1" } { "set_process_name" = "1" } { "max_processes" = "0" } --- a/debian/README.Debian +++ b/debian/README.Debian 
@@ -51,6 +51,18 @@ EOF This makes dnsmasq only bind to the loopback interface by default so libvirtd can handle the virtual bridges. +Bridged network +=============== +libvirt can use the qemu-bridge-helper to create bridged network interfaces for +session domains. For this to work the helper must have the capability to create +TUN/TAP devices or must have the SUID permission set. +This can be done by running the following command as the user root: + + setcap cap_net_admin+ep /usr/lib/qemu/qemu-bridge-helper + +The allowed bridges must be configured in the file '/etc/qemu/bridge.conf'. For +each bridge add a line like 'allow br0'. + Access Control ============== Access to the libvirt managing tasks is controlled by PolicyKit. To ease
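Review bot: the VIR_STRDUP default in src/qemu/qemu_conf.c (@@ -244,7) replaces one absolute path literal with another, so the same string still has to be kept in step by hand with the commented default in src/qemu/qemu.conf and the expected value in src/qemu/test_libvirtd_qemu.aug.in, and it is only correct where the helper is installed under /usr/lib/qemu. Consider taking the default from a single build-time define that all three places derive from, so the path is set once per distribution.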
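Review bot: in the debian/README.Debian hunk, "This can be done by running the following command" follows a sentence that offers two options (a capability or the SUID bit), but the command shown only sets the file capability; say which option the command implements. The text should also state that the capability is stored on the installed file, so it has to be set again whenever qemu-system-common replaces /usr/lib/qemu/qemu-bridge-helper on upgrade, and that '/etc/qemu/bridge.conf' should be writable by root only, because once the helper carries cap_net_admin+ep that file is what limits which bridges an unprivileged user can attach to.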
--- End Message ---
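Added example, not part of the original mails and not libvirt or QEMU code: a Python check that decodes the security.capability xattr which setcap writes and reports whether a helper binary is privileged through cap_net_admin+ep or through setuid root. The function names and finding labels are assumptions made for this example, and the sample xattr value is constructed.

```python
import os
import stat
import struct

CAP_NET_ADMIN = 12                      # bit number from <linux/capability.h>
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# number of 32-bit (permitted, inheritable) pairs stored per xattr revision
REV_WORDS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}

def decode_file_caps(blob):
    """Decode a security.capability xattr into (permitted, inheritable, effective)."""
    magic = struct.unpack_from("<I", blob)[0] if len(blob) >= 4 else 0
    words = REV_WORDS.get(magic & VFS_CAP_REVISION_MASK)
    if words is None or len(blob) < 4 + 8 * words:
        raise ValueError("unrecognised security.capability value")
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return permitted, inheritable, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)

def helper_privilege(mode, uid, caps_blob):
    """Report how a helper binary obtains privilege, from stat data and xattr."""
    findings = []
    if mode & stat.S_ISUID and uid == 0:
        findings.append("setuid-root")
    if caps_blob:
        permitted, _, effective = decode_file_caps(caps_blob)
        if effective and permitted & (1 << CAP_NET_ADMIN):
            findings.append("cap_net_admin+ep")
        extra = permitted & ~(1 << CAP_NET_ADMIN)
        if extra:                       # more than the helper needs
            findings.append("extra-caps:0x%x" % extra)
    return findings or ["no-privilege"]

def audit(path):
    """Stat the file and read its capability xattr (Linux only)."""
    st = os.stat(path)
    try:
        blob = os.getxattr(path, "security.capability")
    except OSError:                     # no xattr set, or no xattr support
        blob = b""
    return helper_privilege(st.st_mode, st.st_uid, blob)

# Constructed sample: the 20-byte value that `setcap cap_net_admin+ep` stores
SAMPLE_XATTR = struct.pack("<5I", 0x02000001, 1 << CAP_NET_ADMIN, 0, 0, 0)
```

Calling audit("/usr/lib/qemu/qemu-bridge-helper") after a package upgrade shows whether the capability set by hand is still present on the installed file.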
--- Begin Message ---
Hi Philipp,

On Thu, Mar 03, 2016 at 01:26:52PM +0100, Philipp Hahn wrote:
> $ strings /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so | grep
> bridge-helper
> /usr/libexec/qemu-bridge-helper
>
> # dpkg -S bridge-helper
> qemu-system-common: /usr/lib/qemu/qemu-bridge-helper

This was already fixed in the above version so closing this (to have the bug information correct for the release team).

> PS: I hope I didn't break some test-suite - at least building the new
> version in my pbuilder environment worked okay.
>
> -- System Information:
> Debian Release: 8.3
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable'), (90, 'testing')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages libvirt-daemon depends on:
> ii libapparmor1 2.9.0-3
> ii libaudit1 1:2.4-1+b1
> ii libavahi-client3 0.6.31-5
> ii libavahi-common3 0.6.31-5
> ii libblkid1 2.25.2-6
> ii libc6 2.19-18+deb8u3
> ii libcap-ng0 0.7.4-2
> ii libdbus-1-3 1.8.20-0+deb8u1
> ii libdevmapper1.02.1 2:1.02.90-2.2
> ii libfuse2 2.9.3-15+deb8u2
> ii libgnutls-deb0-28 3.3.8-6+deb8u3
> ii libnetcf1 1:0.2.3-4.1
> ii libnl-3-200 3.2.24-2
> ii libnl-route-3-200 3.2.24-2
> ii libnuma1 2.0.10-1
> ii libparted2 3.2-7
> ii libpcap0.8 1.6.2-2
> ii libpciaccess0 0.13.2-3+b1
> ii librados2 0.80.7-2+deb8u1
> ii librbd1 0.80.7-2+deb8u1
> ii libsasl2-2 2.1.26.dfsg1-13+deb8u1
> ii libselinux1 2.3-2
> ii libssh2-1 1.4.3-4.1+deb8u1
> ii libsystemd0 215-17+deb8u3
> ii libudev1 215-17+deb8u3
> ii libvirt0 1.2.9-9+deb8u1
> ii libxen-4.4 4.4.1-9+deb8u3
> ii libxenstore3.0 4.4.1-9+deb8u3
> ii libxml2 2.9.1+dfsg1-5+deb8u1
> ii libyajl2 2.1.0-2
>
> Versions of packages libvirt-daemon recommends:
> ii libxml2-utils 2.9.1+dfsg1-5+deb8u1
> ii netcat-openbsd 1.105-7
> ii qemu-kvm
1:2.1+dfsg-12+deb8u5a > > Versions of packages libvirt-daemon suggests: > ii libvirt-daemon-system 1.2.9-9+deb8u1 > > -- no debconf information > --- a/src/qemu/qemu.conf > +++ b/src/qemu/qemu.conf > @@ -357,7 +357,7 @@ > # is used to create <source type='bridge'> interfaces when libvirtd is > # running unprivileged. libvirt invokes the helper directly, instead > # of using "-netdev bridge", for security reasons. > -#bridge_helper = "/usr/libexec/qemu-bridge-helper" > +#bridge_helper = "/usr/lib/qemu/qemu-bridge-helper" > > > > --- a/src/qemu/qemu_conf.c > +++ b/src/qemu/qemu_conf.c > @@ -244,7 +244,7 @@ virQEMUDriverConfigPtr virQEMUDriverConf > goto error; > } > > - if (VIR_STRDUP(cfg->bridgeHelperName, "/usr/libexec/qemu-bridge-helper") > < 0) > + if (VIR_STRDUP(cfg->bridgeHelperName, > "/usr/lib/qemu/qemu-bridge-helper") < 0) > goto error; > > cfg->clearEmulatorCapabilities = true; > --- a/src/qemu/test_libvirtd_qemu.aug.in > +++ b/src/qemu/test_libvirtd_qemu.aug.in > @@ -56,7 +56,7 @@ module Test_libvirtd_qemu = > { "auto_dump_bypass_cache" = "0" } > { "auto_start_bypass_cache" = "0" } > { "hugetlbfs_mount" = "/dev/hugepages" } > -{ "bridge_helper" = "/usr/libexec/qemu-bridge-helper" } > +{ "bridge_helper" = "/usr/lib/qemu/qemu-bridge-helper" } > { "clear_emulator_capabilities" = "1" } > { "set_process_name" = "1" } > { "max_processes" = "0" } > --- a/debian/README.Debian > +++ b/debian/README.Debian 
> @@ -51,6 +51,18 @@ EOF > This makes dnsmasq only bind to the loopback interface by default so libvirtd > can handle the virtual bridges. > > +Bridged network > +=============== > +libvirt can use the qemu-bridge-helper to create bridged network interfaces > for > +session domains. For this to work the helper must have the capability to > create > +TUN/TAP devices or must have the SUID permission set. > +This can be done by running the following command as the user root: > + > + setcap cap_net_admin+ep /usr/lib/qemu/qemu-bridge-helper > + > +The allowed bridges must be configured in the file '/etc/qemu/bridge.conf'. > For > +each bridge add a line like 'allow br0'. > + > Access Control > ============== > Access to the libvirt managing tasks is controlled by PolicyKit. To ease Make sense. Would you pick up the task to do a stable point release update adding a patch for https://security-tracker.debian.org/tracker/CVE-2015-5313 as well? I don't know when I would get around to it. Cheers, -- Guido
--- End Message ---

