On 6/24/2025 1:42 PM, Richard W.M. Jones wrote:
> On Tue, Jun 24, 2025 at 01:25:47PM +0530, Aithal, Srikanth wrote:
>> libguestfs: command: run: \ --pid /tmp/libguestfsJamIlZ/passt1.pid
>> ...
>> Don't run as root. Changing to nobody...
>> ...
>> PID file open: Permission denied
>> libguestfs: trace: launch = -1 (error)
>
> In libguestfs we already work around qemu changing its user when we
> are running as root:
> https://github.com/libguestfs/libguestfs/blob/0991b4dc2124a8d6c3d232663ea3473a0c78f81f/lib/tmpdirs.c#L202
>
> However I think because passt is creating the file, it cannot write
> into the 0755 directory.
>
> Honestly (just as with libvirt / qemu) unilaterally changing the user
> ID when running as root is not helping anyone nor adding any security.
>
> As for working around the bug, just don't run virt-customize as root.
> There's no need to run guestfs tools as root, unless for some reason
> you need to edit a disk image which is only accessible by root.
>
> Rich.

Hello Rich,
Thank you for your response.
I tried using a non-root user, but I'm still encountering the same
issue. I have confirmed that the user is part of the kvm and libvirt groups:
$ id $(whoami)
uid=1000(amd) gid=1000(amd)
groups=1000(amd),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),994(kvm),101(lxd),110(libvirt)
I ran the following command:
$ virt-customize -v -x -a noble-server-cloudimg-amd64.qcow2 --install
isc-dhcp-client
The output includes:
...
libguestfs: command: run: passt
libguestfs: command: run: \ --one-off
libguestfs: command: run: \ --socket
/run/user/1000/libguestfsr1TVUg/passt.sock
libguestfs: command: run: \ --pid /run/user/1000/libguestfsr1TVUg/passt3.pid
libguestfs: command: run: \ --address 169.254.2.15
libguestfs: command: run: \ --netmask 16
libguestfs: command: run: \ --mac-addr 52:56:00:00:00:02
libguestfs: command: run: \ --gateway 169.254.2.2
No routable interface for IPv6: IPv6 is disabled
Template interface: enp97s0 (IPv4)
MAC:
host: 52:56:00:00:00:02
DHCP:
assign: 169.254.2.15
mask: 255.255.0.0
router: 169.254.2.2
DNS:
169.254.2.2
DNS search list:
amd.com
UNIX domain socket bound at /run/user/1000/libguestfsr1TVUg/passt.sock
You can now start qemu (>= 7.2, with commit 13c6be96618c):
kvm ... -device virtio-net-pci,netdev=s -netdev
stream,id=s,server=off,addr.type=unix,addr.path=/run/user/1000/libguestfsr1TVUg/passt.sock
or qrap, for earlier qemu versions:
./qrap 5 kvm ... -net socket,fd=5 -net nic,model=virtio
PID file open: Permission denied
libguestfs: trace: launch = -1 (error)
virt-customize: error: libguestfs error: passt exited with status 1
...
I have attached the full log for your reference. Please let me know if
you need additional details.
amd@vitasta:~$ virt-customize -v -x -a noble-server-cloudimg-amd64.qcow2
--install isc-dhcp-client
[ 0.0] Examining the guest ...
libguestfs: trace: set_verbose true
libguestfs: trace: set_verbose = 0
libguestfs: trace: set_network true
libguestfs: trace: set_network = 0
libguestfs: trace: add_drive "noble-server-cloudimg-amd64.qcow2"
"readonly:false" "protocol:file" "discard:besteffort"
libguestfs: trace: add_drive = 0
libguestfs: trace: launch
libguestfs: trace: max_disks
libguestfs: trace: max_disks = 255
libguestfs: trace: get_tmpdir
libguestfs: trace: get_tmpdir = "/tmp"
libguestfs: trace: version
libguestfs: trace: version = <struct guestfs_version = major: 1, minor: 52,
release: 0, extra: , >
libguestfs: trace: get_backend
libguestfs: trace: get_backend = "direct"
libguestfs: launch: program=virt-customize
libguestfs: launch: version=1.52.0
libguestfs: launch: backend registered: libvirt
libguestfs: launch: backend registered: direct
libguestfs: launch: backend=direct
libguestfs: launch: tmpdir=/tmp/libguestfseApPPg
libguestfs: launch: umask=0002
libguestfs: launch: euid=1000
libguestfs: trace: get_cachedir
libguestfs: trace: get_cachedir = "/var/tmp"
libguestfs: begin building supermin appliance
libguestfs: run supermin
libguestfs: command: run: /usr/bin/supermin
libguestfs: command: run: \ --build
libguestfs: command: run: \ --verbose
libguestfs: command: run: \ --if-newer
libguestfs: command: run: \ --lock /var/tmp/.guestfs-1000/lock
libguestfs: command: run: \ --copy-kernel
libguestfs: command: run: \ -f ext2
libguestfs: command: run: \ --host-cpu x86_64
libguestfs: command: run: \ /usr/lib/x86_64-linux-gnu/guestfs/supermin.d
libguestfs: command: run: \ -o /var/tmp/.guestfs-1000/appliance.d
supermin: version: 5.2.2
supermin: package handler: debian/dpkg
supermin: acquiring lock on /var/tmp/.guestfs-1000/lock
supermin: build: /usr/lib/x86_64-linux-gnu/guestfs/supermin.d
supermin: reading the supermin appliance
supermin: build: visiting
/usr/lib/x86_64-linux-gnu/guestfs/supermin.d/base.tar.gz type gzip base image
(tar)
supermin: build: visiting
/usr/lib/x86_64-linux-gnu/guestfs/supermin.d/daemon.tar.gz type gzip base image
(tar)
supermin: build: visiting
/usr/lib/x86_64-linux-gnu/guestfs/supermin.d/excludefiles type uncompressed
excludefiles
supermin: build: visiting
/usr/lib/x86_64-linux-gnu/guestfs/supermin.d/hostfiles type uncompressed
hostfiles
supermin: build: visiting
/usr/lib/x86_64-linux-gnu/guestfs/supermin.d/init.tar.gz type gzip base image
(tar)
supermin: build: visiting /usr/lib/x86_64-linux-gnu/guestfs/supermin.d/packages
type uncompressed packages
supermin: build: visiting
/usr/lib/x86_64-linux-gnu/guestfs/supermin.d/packages-hfsplus type uncompressed
packages
supermin: build: visiting
/usr/lib/x86_64-linux-gnu/guestfs/supermin.d/packages-reiserfs type
uncompressed packages
supermin: build: visiting
/usr/lib/x86_64-linux-gnu/guestfs/supermin.d/packages-xfs type uncompressed
packages
supermin: build: visiting
/usr/lib/x86_64-linux-gnu/guestfs/supermin.d/udev-rules.tar.gz type gzip base
image (tar)
supermin: mapping package names to installed packages
supermin: resolving full list of package dependencies
supermin: build: 207 packages, including dependencies
supermin: build: 7971 files
supermin: build: 4268 files, after matching excludefiles
supermin: build: 4277 files, after adding hostfiles
supermin: build: 4277 files, after removing unreadable files
supermin: build: 4284 files, after munging
supermin: kernel: looking for kernel using environment variables ...
supermin: kernel: looking for kernels in /lib/modules/*/vmlinuz ...
supermin: kernel: looking for kernels in /boot ...
supermin: kernel: kernel version of /boot/vmlinuz-6.15.1 = 6.15.1 (from content)
supermin: kernel: picked modules path /lib/modules/6.15.1
supermin: kernel: kernel version of /boot/vmlinuz-6.14.5-kal = 6.14.5-kal (from
content)
supermin: kernel: picked modules path /lib/modules/6.14.5-kal
supermin: kernel: kernel version of
/boot/vmlinuz-6.14.2-amdsos-build66-ubuntu-24.04+ =
6.14.2-amdsos-build66-ubuntu-24.04+ (from content)
supermin: kernel: picked modules path
/lib/modules/6.14.2-amdsos-build66-ubuntu-24.04+
supermin: kernel: kernel version of /boot/vmlinuz-6.8.0-60-generic =
6.8.0-60-generic (from filename)
supermin: kernel: picked modules path /lib/modules/6.8.0-60-generic
supermin: kernel: picked vmlinuz /boot/vmlinuz-6.15.1
supermin: kernel: kernel_version 6.15.1
supermin: kernel: modpath /lib/modules/6.15.1
supermin: ext2: creating empty ext2 filesystem
'/var/tmp/.guestfs-1000/appliance.d.m5kegg5f/root'
supermin: ext2: populating from base image
supermin: ext2: copying files from host filesystem
supermin: ext2: copying kernel modules
supermin: ext2: creating minimal initrd
'/var/tmp/.guestfs-1000/appliance.d.m5kegg5f/initrd'
supermin: ext2: wrote 0 modules to minimal initrd
supermin: renaming /var/tmp/.guestfs-1000/appliance.d.m5kegg5f to
/var/tmp/.guestfs-1000/appliance.d
libguestfs: finished building supermin appliance
libguestfs: begin testing qemu features
libguestfs: trace: get_cachedir
libguestfs: trace: get_cachedir = "/var/tmp"
libguestfs: checking for previously cached test results of
/usr/bin/qemu-system-x86_64, in /var/tmp/.guestfs-1000
libguestfs: command: run: /usr/bin/qemu-system-x86_64
libguestfs: command: run: \ -display none
libguestfs: command: run: \ -help
libguestfs: command: run: /usr/bin/qemu-system-x86_64
libguestfs: command: run: \ -display none
libguestfs: command: run: \ -machine q35,accel=kvm:tcg
libguestfs: command: run: \ -device ?
libguestfs: command: run: echo '{ "execute": "qmp_capabilities" }' '{
"execute": "query-qmp-schema" }' '{ "execute": "quit" }' | QEMU_AUDIO_DRV=none
"/usr/bin/qemu-system-x86_64" -display none -machine "q35,accel=kvm:tcg" -qmp
stdio
libguestfs: command: run: echo '{ "execute": "qmp_capabilities" }' '{
"execute": "query-kvm" }' '{ "execute": "quit" }' | QEMU_AUDIO_DRV=none
"/usr/bin/qemu-system-x86_64" -display none -machine "q35,accel=kvm:tcg" -qmp
stdio
libguestfs: saving test results
libguestfs: qemu version: 8.2
libguestfs: qemu mandatory locking: yes
libguestfs: qemu KVM: enabled
libguestfs: trace: get_backend_setting "force_tcg"
libguestfs: trace: get_backend_setting = NULL (error)
libguestfs: trace: get_backend_setting "force_kvm"
libguestfs: trace: get_backend_setting = NULL (error)
libguestfs: trace: get_sockdir
libguestfs: trace: get_sockdir = "/run/user/1000"
libguestfs: finished testing qemu features
libguestfs: trace: get_backend_setting "gdb"
libguestfs: trace: get_backend_setting = NULL (error)
libguestfs: command: run: passt --help
Usage: passt [OPTION]...
  -d, --debug             Be verbose
      --trace             Be extra verbose, implies --debug
  -q, --quiet             Don't print informational messages
  -f, --foreground        Don't run in background
    default: run in background if started from a TTY
  -e, --stderr            Log to stderr too
    default: log to system logger only if started from a TTY
  -l, --log-file PATH     Log (only) to given file
      --log-size BYTES    Maximum size of log file
    default: 1 MiB
      --runas UID|UID:GID Run as given UID, GID, which can be
    numeric, or login and group names
    default: drop to user "nobody"
  -h, --help              Display this help message and exit
      --version           Show version and exit
  -s, --socket PATH       UNIX domain socket path
    default: probe free path starting from /tmp/passt_1.socket
  -F, --fd FD             Use FD as pre-opened connected socket
  -p, --pcap FILE         Log tap-facing traffic to pcap file
  -P, --pid FILE          Write own PID to the given file
  -m, --mtu MTU           Assign MTU via DHCP/NDP
    a zero value disables assignment
    default: 65520: maximum 802.3 MTU minus 802.3 header
      length, rounded to 32 bits (IPv4 words)
  -a, --address ADDR      Assign IPv4 or IPv6 address ADDR
    can be specified zero to two times (for IPv4 and IPv6)
    default: use addresses from interface with default route
  -n, --netmask MASK      Assign IPv4 MASK, dot-decimal or bits
    default: netmask from matching address on the host
  -M, --mac-addr ADDR     Use source MAC address ADDR
    default: MAC address from interface with default route
  -g, --gateway ADDR      Pass IPv4 or IPv6 address as gateway
    default: gateway from interface with default route
  -i, --interface NAME    Interface for addresses and routes
    default: from --outbound-if4 and --outbound-if6, if any
      otherwise interface with first default route
  -o, --outbound ADDR     Bind to address as outbound source
    can be specified zero to two times (for IPv4 and IPv6)
    default: use source address from routing tables
      --outbound-if4 NAME Bind to outbound interface for IPv4
    default: use interface from default route
      --outbound-if6 NAME Bind to outbound interface for IPv6
    default: use interface from default route
  -D, --dns ADDR          Use IPv4 or IPv6 address as DNS
    can be specified multiple times
    a single, empty option disables DNS information
    default: use addresses from /etc/resolv.conf
  -S, --search LIST       Space-separated list, search domains
    a single, empty option disables the DNS search list
    default: use search list from /etc/resolv.conf
      --no-dhcp-dns       No DNS list in DHCP/DHCPv6/NDP
      --no-dhcp-search    No list in DHCP/DHCPv6/NDP
      --dns-forward ADDR  Forward DNS queries sent to ADDR
    can be specified zero to two times (for IPv4 and IPv6)
    default: don't forward DNS queries
      --no-tcp            Disable TCP protocol handler
      --no-udp            Disable UDP protocol handler
      --no-icmp           Disable ICMP/ICMPv6 protocol handler
      --no-dhcp           Disable DHCP server
      --no-ndp            Disable NDP responses
      --no-dhcpv6         Disable DHCPv6 server
      --no-ra             Disable router advertisements
      --no-map-gw         Don't map gateway address to host
  -4, --ipv4-only         Enable IPv4 operation only
  -6, --ipv6-only         Enable IPv6 operation only
  -1, --one-off           Quit after handling one single client
  -t, --tcp-ports SPEC    TCP port forwarding to guest
    can be specified multiple times
    SPEC can be:
      'none': don't forward any ports
      'all': forward all unbound, non-ephemeral ports
      a comma-separated list, optionally ranged with '-'
      and optional target ports after ':', with optional
      address specification suffixed by '/' and optional
      interface prefixed by '%'. Ranges can be reduced by
      excluding ports or ranges prefixed by '~'
    Examples:
      -t 22              Forward local port 22 to 22 on guest
      -t 22:23           Forward local port 22 to 23 on guest
      -t 22,25           Forward ports 22, 25 to ports 22, 25
      -t 22-80           Forward ports 22 to 80
      -t 22-80:32-90     Forward ports 22 to 80 to
                         corresponding port numbers plus 10
      -t 192.0.2.1/5     Bind port 5 of 192.0.2.1 to guest
      -t 5-25,~10-20     Forward ports 5 to 9, and 21 to 25
      -t ~25             Forward all ports except for 25
    default: none
  -u, --udp-ports SPEC    UDP port forwarding to guest
    SPEC is as described for TCP above
    default: none
libguestfs: command: run: passt
libguestfs: command: run: \ --one-off
libguestfs: command: run: \ --socket /run/user/1000/libguestfsr1TVUg/passt.sock
libguestfs: command: run: \ --pid /run/user/1000/libguestfsr1TVUg/passt3.pid
libguestfs: command: run: \ --address 169.254.2.15
libguestfs: command: run: \ --netmask 16
libguestfs: command: run: \ --mac-addr 52:56:00:00:00:02
libguestfs: command: run: \ --gateway 169.254.2.2
No routable interface for IPv6: IPv6 is disabled
Template interface: enp97s0 (IPv4)
MAC:
host: 52:56:00:00:00:02
DHCP:
assign: 169.254.2.15
mask: 255.255.0.0
router: 169.254.2.2
DNS:
169.254.2.2
DNS search list:
amd.com
UNIX domain socket bound at /run/user/1000/libguestfsr1TVUg/passt.sock
You can now start qemu (>= 7.2, with commit 13c6be96618c):
kvm ... -device virtio-net-pci,netdev=s -netdev
stream,id=s,server=off,addr.type=unix,addr.path=/run/user/1000/libguestfsr1TVUg/passt.sock
or qrap, for earlier qemu versions:
./qrap 5 kvm ... -net socket,fd=5 -net nic,model=virtio
PID file open: Permission denied
libguestfs: trace: launch = -1 (error)
virt-customize: error: libguestfs error: passt exited with status 1
libguestfs: trace: close
libguestfs: closing guestfs handle 0x55e613a4edd0 (state 0)
libguestfs: command: run: rm
libguestfs: command: run: \ -rf /tmp/libguestfseApPPg
libguestfs: command: run: rm
libguestfs: command: run: \ -rf /run/user/1000/libguestfsr1TVUg
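An added preflight check, written for this thread and not code from libguestfs or passt, that models the permission question in Rich's reply: once passt drops to "nobody" (its documented default), can it still create its PID file in a tmpdir that libguestfs made 0755 for qemu? Assumed: uid/gid 65534 for nobody; the directory modes are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Constructed assumption: uid/gid of "nobody" on the reporter's host.
NOBODY_UID = 65534
NOBODY_GID = 65534


def can_create_file_in(path, uid, gid, supplementary=frozenset()):
    """Return True if a process running as uid/gid could create a new file
    in directory `path`. Creating a directory entry needs write AND search
    (w+x) permission on the directory; classic Unix rules select the owner,
    group or other triplet by matching the directory's owner/group against
    the process. Root is treated as unrestricted (CAP_DAC_OVERRIDE), which
    is exactly why the failure only appears after passt has dropped to nobody."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid == gid or st.st_gid in supplementary:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & need) == need


def pidfile_preflight(tmpdir_mode):
    """Simulate a libguestfs tmpdir with the given mode and report whether
    the owning user and a dropped-privilege 'nobody' could each write a PID
    file there. Returns (owner_ok, nobody_ok)."""
    with tempfile.TemporaryDirectory(prefix="libguestfs-demo-") as d:
        os.chmod(d, tmpdir_mode)
        owner_ok = can_create_file_in(d, os.getuid(), os.getgid())
        nobody_ok = can_create_file_in(d, NOBODY_UID, NOBODY_GID)
        return owner_ok, nobody_ok


if __name__ == "__main__":
    # 0700 resembles /run/user/UID, 0755 the root workaround, 01777 /tmp.
    for mode in (0o700, 0o755, 0o1777):
        owner_ok, nobody_ok = pidfile_preflight(mode)
        print(f"tmpdir mode {mode:05o}: owner={owner_ok} nobody={nobody_ok}")
```

Only a world-writable (or nobody-owned) directory lets the dropped-privilege process create the PID file, which is the mismatch the thread is about.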
_______________________________________________
Libguestfs mailing list -- guestfs@lists.libguestfs.org
To unsubscribe send an email to guestfs-le...@lists.libguestfs.org