Public bug reported:

Ubuntu 18.04 lxd container, running on Ubuntu 18.04 host (kernel
4.15.0-38-generic)

Inside the container, I installed libvirt-bin. However it fails to
start the predefined 'default' network:
root@bionic:/etc# virsh net-start default
error: Failed to start network default
error: Unable to set bridge virbr0 forward_delay: Permission denied
root@bionic:/etc# echo $?
1
root@bionic:/etc# virsh net-list
 Name                 State      Autostart     Persistent
----------------------------------------------------------
root@bionic:/etc# virsh net-list --all
 Name                 State      Autostart     Persistent
----------------------------------------------------------
 default              inactive   yes           yes

Here is the config:
root@bionic:/etc# cat /etc/libvirt/qemu/networks/default.xml
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh net-edit default
or other application using the libvirt API.
-->
<network>
  <name>default</name>
  <uuid>0c431cb9-7348-48df-b692-8eece268b0a0</uuid>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:11:cc:e6'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>

Using "virsh net-edit default" to remove "delay='0'" does not make a
difference; it gets reinserted and the same error occurs.

/var/log/syslog shows:
Nov 12 11:59:11 bionic networkd-dispatcher[212]: WARNING:Unknown index 4 seen,
reloading interface list
Nov 12 11:59:11 bionic systemd-networkd[178]: virbr0-nic: Gained carrier
Nov 12 11:59:11 bionic libvirtd[225]: 2018-11-12 11:59:11.257+0000: 251: error
: virNetDevBridgeSet:140 : Unable to set bridge virbr0 forward_delay:
Permission denied
Nov 12 11:59:11 bionic systemd-networkd[178]: virbr0-nic: Lost carrier
Nov 12 11:59:11 bionic networkd-dispatcher[212]: WARNING:Unknown index 5 seen,
reloading interface list
Nov 12 11:59:11 bionic networkd-dispatcher[212]: ERROR:Unknown interface index
5 seen even after reload
Nov 12 11:59:11 bionic networkd-dispatcher[212]: WARNING:Unknown index 5 seen,
reloading interface list
Nov 12 11:59:11 bionic networkd-dispatcher[212]: ERROR:Unknown interface index
5 seen even after reload
Nov 12 11:59:11 bionic networkd-dispatcher[212]: WARNING:Unknown index 5 seen,
reloading interface list
Nov 12 11:59:11 bionic networkd-dispatcher[212]: ERROR:Unknown interface index
5 seen even after reload
Nov 12 11:59:11 bionic networkd-dispatcher[212]: WARNING:Unknown index 5 seen,
reloading interface list
Nov 12 11:59:11 bionic networkd-dispatcher[212]: ERROR:Unknown interface index
5 seen even after reload

Attaching strace to libvirtd, this is what I see:
...
[pid 225] <... recvmsg resumed> {msg_name={sa_family=AF_NETLINK, nl_pid=0,
nl_groups=0x000001}, msg_namelen=12,
msg_iov=[{iov_base="add@/devices/virtual/net/virbr0-nic/queues/tx-0\0ACTION=add\0DEVPATH=/devices/virtual/net/virbr0-nic/queues/tx-0\0SUBSYSTEM=queues\0"...,
iov_len=16384}], msg_iovlen=1, msg_controllen=0, msg_flags=0},
MSG_PEEK|MSG_TRUNC) = 141
[pid 250] ioctl(23, SIOCGIFINDEX, {ifr_name="virbr0-nic" <unfinished ...>
[pid 225] recvmsg(13, <unfinished ...>
[pid 250] <... ioctl resumed> , }) = 0
[pid 225] <... recvmsg resumed> {msg_name={sa_family=AF_NETLINK, nl_pid=0,
nl_groups=0x000001}, msg_namelen=12,
msg_iov=[{iov_base="add@/devices/virtual/net/virbr0-nic/queues/tx-0\0ACTION=add\0DEVPATH=/devices/virtual/net/virbr0-nic/queues/tx-0\0SUBSYSTEM=queues\0"...,
iov_len=16384}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 141
[pid 250] close(23 <unfinished ...>
[pid 225] poll([{fd=4, events=POLLIN}, {fd=6, events=POLLIN}, {fd=9,
events=POLLIN}, {fd=10, events=POLLIN}, {fd=11, events=POLLIN}, {fd=12,
events=POLLIN}, {fd=13, events=POLLIN}, {fd=14, events=POLLIN}, {fd=17,
events=POLLIN}, {fd=18, events=POLLIN}, {fd=20, events=POLLIN}], 11, 4996
<unfinished ...>
[pid 250] <... close resumed> ) = 0
[pid 250] ioctl(22, SIOCBRADDIF) = 0
[pid 250] close(22) = 0
[pid 250] socket(AF_UNIX, SOCK_DGRAM, 0) = 22
[pid 250] fcntl(22, F_GETFD) = 0
[pid 250] fcntl(22, F_SETFD, FD_CLOEXEC) = 0
[pid 250] ioctl(22, SIOCGIFFLAGS, {ifr_name="virbr0-nic",
ifr_flags=IFF_BROADCAST|IFF_MULTICAST}) = 0
[pid 250] ioctl(22, SIOCSIFFLAGS, {ifr_name="virbr0-nic",
ifr_flags=IFF_UP|IFF_BROADCAST|IFF_MULTICAST}) = 0
[pid 250] close(22) = 0
[pid 250] access("/var/lib/libvirt/dnsmasq/virbr0.macs", F_OK) = -1 ENOENT
(No such file or directory)
[pid 250] socket(AF_UNIX, SOCK_DGRAM, 0) = 22
[pid 250] fcntl(22, F_GETFD) = 0
[pid 250] fcntl(22, F_SETFD, FD_CLOEXEC) = 0
[pid 250] access("/sys/class/net/virbr0/bridge/forward_delay", F_OK) = 0
[pid 250] openat(AT_FDCWD, "/sys/class/net/virbr0/bridge/forward_delay",
O_WRONLY|O_TRUNC) = -1 EACCES (Permission denied)
[pid 250] gettid() = 250
[pid 250] write(2, "2018-11-12 12:02:07.815+0000: 250: error :
virNetDevBridgeSet:140 : Unable to set bridge virbr0 forward_delay: Permission
denied"..., 129) = 129
...

WORKAROUND: "lxc config set bionic security.privileged yes && lxc restart
bionic"

However, I don't think that privileged mode should be necessary. If I
turn off privileged mode, I can still create and edit bridges by hand,
including setting the forwarding delay:
root@bionic:~# brctl show
bridge name     bridge id               STP enabled     interfaces
root@bionic:~# brctl addbr testbr0
root@bionic:~# brctl show
bridge name     bridge id               STP enabled     interfaces
testbr0         8000.000000000000       no
root@bionic:~# brctl setfd testbr0 0
root@bionic:~# brctl showstp testbr0 | grep "forward delay"
forward delay 0.00 bridge forward delay 0.00
root@bionic:~# cat /sys/class/net/testbr0/bridge/forward_delay
0
root@bionic:~# brctl setfd testbr0 1
root@bionic:~# brctl showstp testbr0 | grep "forward delay"
forward delay 1.00 bridge forward delay 1.00
root@bionic:~# cat /sys/class/net/testbr0/bridge/forward_delay
100

However, writing to the /sys filesystem directly does not work:
root@bionic:~# echo 0 > /sys/class/net/testbr0/bridge/forward_delay
bash: /sys/class/net/testbr0/bridge/forward_delay: Permission denied
root@bionic:~#

In fact, it looks like "brctl setfd" is failing silently to access the
/sys entry, as shown by strace, but is falling back to using an ioctl
which succeeds.
root@bionic:~# strace -f brctl setfd testbr0 1
...
socket(AF_UNIX, SOCK_STREAM, 0) = 4
brk(NULL) = 0x55e926464000
brk(0x55e926485000) = 0x55e926485000
openat(AT_FDCWD, "/sys/class/net/testbr0/bridge/forward_delay",
O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
ioctl(4, SIOCDEVPRIVATE, 0x7fff63a06da0) = 0
exit_group(0) = ?
+++ exited with 0 +++
root@bionic:~# echo $?
0

This suggests that the proper solution is for libvirt to do something
similar.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: libvirt0:amd64 4.0.0-1ubuntu8.5
ProcVersionSignature: Ubuntu 4.15.0-38.41-generic 4.15.18
Uname: Linux 4.15.0-38-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.4
Architecture: amd64
Date: Mon Nov 12 11:44:59 2018
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
LANG=C.UTF-8
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
** Affects: libvirt (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug bionic uec-images
--
https://bugs.launchpad.net/bugs/1802906
Title:
libvirt inside lxd container cannot start virbr0 (Unable to set bridge
virbr0 forward_delay: Permission denied)