Package: passt
Version: 0.0~git20250503.587980c-2
Severity: normal
Tags: patch
Dear Maintainer,
While trying to install Home Assistant using virt-install and the new
passt port forwarding it fails with:
ERROR internal error: Child process (passt --one-off --socket
/run/libvirt/qemu/passt/1-haos-net0.socket --pid
/run/libvirt/qemu/passt/1-haos-net0-passt.pid --tcp-ports 8123) unexpected exit
status 1: Multiple interfaces with IPv6 routes, picked first
UNIX domain socket bound at /run/libvirt/qemu/passt/1-haos-net0.socket
Couldn't create user namespace: Permission denied
This seems to be due to apparmor disallowing namespace creation:
Jan 06 21:55:10 nn kernel: audit: type=1400 audit(1767732910.047:562): apparmor="DENIED" operation="userns_create"
class="namespace" profile="libvirt-d91af33f-182a-4bf8-9293-f5837a4601d8//passt" pid=28241 comm="passt.avx2"
requested="userns_create" denied="userns_create"
The exact command I ran as root was:
virt-install --name haos --description "Home Assistant OS" --network
passt,portForward=8123 --os-variant=generic --ram=4096 --vcpus=2 --disk
/srv/virt/haos.qcow2,bus=scsi --controller type=scsi,model=virtio-scsi --import
--graphics none --boot uefi
After trying to add the apparmor userns flag via override files I
eventually gave up and edited /etc/apparmor.d/abstractions/passt
directly, adding the userns flag. The complete file is included by
reportbug below.
With this change virt-install succeeded, I don't know if this is the
correct solution but it did the job for me.
-- System Information:
Debian Release: 13.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.57+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages passt depends on:
ii libc6 2.41-12
passt recommends no packages.
Versions of packages passt suggests:
ii apparmor 4.1.0-1
-- Configuration Files:
/etc/apparmor.d/abstractions/passt changed:
abi <abi/3.0>,
include <abstractions/base>
include <abstractions/nameservice> # get_dns(), conf.c
capability net_bind_service, # isolation.c, conf.c
capability setuid,
capability setgid,
capability sys_admin,
capability setpcap,
capability net_admin,
capability sys_ptrace,
userns,
/ r, # isolate_prefork(), isolation.c
mount options=(rw, runbindable) -> /,
mount "" -> "/",
mount "" -> "/tmp/",
pivot_root "/tmp/" -> "/tmp/",
umount "/",
owner @{PROC}/@{pid}/uid_map r, # conf_ugid()
@{PROC}/sys/net/ipv4/ip_local_port_range r, # fwd_probe_ephemeral()
network netlink raw, # nl_sock_init_do(), netlink.c
network inet stream, # tcp.c
network inet6 stream,
network inet dgram, # udp.c
network inet6 dgram,
network unix stream, # tap.c
network unix dgram, # __openlog(), log.c
/usr/bin/passt.avx2 ix, # arch_avx2_exec(), arch.c
-- no debconf information
