qemu-discuss

Re: [Qemu-discuss] How to set the network card for qemu to use?


From: Aleksei
Subject: Re: [Qemu-discuss] How to set the network card for qemu to use?
Date: Sun, 16 Oct 2016 10:41:36 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0

Your link layer looks good, eth1 is enslaved to br0. On the network layer you don't get an IP address - is it because you don't have a physical cable plugged into eth1? Anyway, that shouldn't prevent Qemu from creating taps on that bridge.

As for permissions stuff from Qemu side:
Add "allow br0" line to /etc/qemu/bridge.conf to allow Qemu to create tap devices on br0.
Also check if qemu-bridge-helper script has setuid attribute. It should have it by default, but I'm not sure about Gentoo.

I know nothing about grsec, so can't help you there.

--Regards, Aleksei
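The three preconditions Aleksei lists (an `allow br0` line in /etc/qemu/bridge.conf, a setuid-root helper, and the port actually enslaved to the bridge) can be checked before starting the VM. The script below is an added example and is not code from the thread or from QEMU; its ACL logic is a model of how qemu-bridge-helper reads bridge.conf (`allow`/`deny` followed by a bridge name or `all`, plus `include` of another file) and is stated here as an assumption. Paths are parameters so the checks can be run against constructed files; on a real host you would pass /etc/qemu/bridge.conf and the helper path your distro installs (the thread shows both /usr/lib/qemu/qemu-bridge-helper and /usr/libexec/qemu-bridge-helper).

```shell
#!/bin/sh
# Added example: pre-flight checks for running QEMU with -netdev bridge.
# Assumption: bridge.conf semantics as modelled in acl_allows(); the function
# names are this example's own.

# acl_rules CONF: print "allow|deny IFACE" lines, expanding "include" files.
acl_rules() {
    [ -r "$1" ] || return 0
    while read -r cmd arg rest; do
        case $cmd in
            allow|deny) if [ -n "$arg" ]; then printf '%s %s\n' "$cmd" "$arg"; fi ;;
            include)    acl_rules "$arg" ;;
        esac
    done < "$1"
    return 0
}

# acl_allows CONF BRIDGE: succeed when at least one matching "allow" rule exists
# and no matching "deny" rule does ("all" matches every bridge name).
acl_allows() {
    allowed=0; denied=0
    while read -r rule iface; do
        if [ "$iface" = all ] || [ "$iface" = "$2" ]; then
            if [ "$rule" = allow ]; then allowed=1; else denied=1; fi
        fi
    done <<EOF
$(acl_rules "$1")
EOF
    [ "$allowed" -eq 1 ] && [ "$denied" -eq 0 ]
}

# helper_is_setuid_root PATH: the helper must be root-owned and setuid, since
# creating the tap and attaching it to the bridge needs CAP_NET_ADMIN.
helper_is_setuid_root() {
    [ -n "$(find "$1" -prune -user root -perm -4000 2>/dev/null)" ]
}

# bridge_has_port BRIDGE PORT [SYSFS]: the kernel lists enslaved ports under
# /sys/class/net/BRIDGE/brif/PORT; SYSFS lets a test point at a constructed tree.
bridge_has_port() {
    [ -e "${3:-/sys/class/net}/$1/brif/$2" ]
}

# preflight CONF HELPER BRIDGE PORT [SYSFS]: one line per check; the return
# value is the number of failed checks (0 means the helper side is in order).
preflight() {
    fails=0
    if acl_allows "$1" "$3"; then echo "ok    $1 allows bridge $3"
    else echo "FAIL  add 'allow $3' to $1"; fails=$((fails + 1)); fi
    if helper_is_setuid_root "$2"; then echo "ok    $2 is setuid root"
    else echo "FAIL  $2 is not root-owned setuid (packages normally ship it so)"; fails=$((fails + 1)); fi
    if bridge_has_port "$3" "$4" "$5"; then echo "ok    $4 is enslaved to $3"
    else echo "FAIL  $4 is not a port of $3"; fails=$((fails + 1)); fi
    return "$fails"
}

# Demo on constructed files: an ACL that admits br0, a stand-in helper file
# (not setuid, so that check is expected to fail) and a fake sysfs tree.
demo_dir=$(mktemp -d)
printf '# constructed bridge.conf\nallow br0\ndeny virbr9\n' > "$demo_dir/bridge.conf"
: > "$demo_dir/qemu-bridge-helper"
mkdir -p "$demo_dir/sys/br0/brif/eth1"
preflight "$demo_dir/bridge.conf" "$demo_dir/qemu-bridge-helper" br0 eth1 "$demo_dir/sys"
echo "failed checks: $?"
rm -rf "$demo_dir"
```

A `deny` for the bridge wins over an `allow all`, so a distro-shipped `allow all` can still be narrowed per bridge; the demo prints one failure because its stand-in helper is not root-owned.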



From: Miroslav Rovis
Sent: Sunday, October 16, 2016 6:18AM
To: Qemu-discuss
Subject: Re: [Qemu-discuss] How to set the network card for qemu to use?
On 161014-12:11+0300, Aleksei wrote:
...
2) Include the following in your Qemu command line. You don't need to manually create tap devices on the host, qemu-bridge-helper script does this for you.
     -device virtio-net,netdev=internet \
     -netdev bridge,br=bridge0,id=internet,helper=/usr/lib/qemu/qemu-bridge-helper

3) Start VM, post results. Please try to be concise ;)
I thought about this, but what could I cut out from the log that is at the end of this email, and which I misunderstood at first...

and post what you are trying to do and actual error messages. Also provide your Qemu version.
$ qemu-system-x86_64 --version
QEMU emulator version 2.7.0, Copyright (c) 2003-2016 Fabrice Bellard and
the QEMU Project developers
$

I set up a bridge, not the iproute2's bridge utility's way (the one thing that
I don't use, yet, from iproute2), but the brctl way, such as:
https://wiki.gentoo.org/wiki/Network_bridge#OpenRC

This is the setup in Gentoo (but read /usr/share/doc/netifrc-0.4.0/net.example.bz2 if you run Gentoo; for other distros it's different, can't tell):

# cat /etc/conf.d/net

modules="!udhcpc !dhclient !pump"

mac_eth0="random-ending"
config_eth0="192.168.2.4 netmask 255.255.255.0"
config_br0="192.168.1.4/24"

# one multi-line variable; a second brctl_br0= line would overwrite the first
brctl_br0="setfd 0
sethello 10"

bridge_br0="eth1"
rc_net_br0_need="net.eth1"

mac_eth1="00:0e:2e:fd:24:9c"
config_eth1="192.168.1.4/24"

But it is very specific to Gentoo, or whoever uses netifrc package in their
distro.

Anyway, I got the layer 2, the link layer (IIRC):

# ip l

...
3: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:0e:2e:ac:5c:a9 brd ff:ff:ff:ff:ff:ff
4: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master br0 state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:0e:2e:fd:24:9c brd ff:ff:ff:ff:ff:ff
...
7: br0: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:0e:2e:fd:24:9c brd ff:ff:ff:ff:ff:ff

and I got the layer 3, the internet layer (IIRC):

# ip a

...
3: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:0e:2e:ac:5c:a9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.4/24 brd 192.168.2.255 scope global eth0
       valid_lft forever preferred_lft forever
4: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master br0 state DOWN group default qlen 1000
    link/ether 00:0e:2e:fd:24:9c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::1d9f:ad47:f44d:8d9e/64 scope link 
       valid_lft forever preferred_lft forever
...
7: br0: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 00:0e:2e:fd:24:9c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::20e:2eff:fefd:249c/64 scope link 
       valid_lft forever preferred_lft forever

My mistake, several weeks ago when I tried this but couldn't make it work, was to create the tap0 device myself, instead of what Aleksei said: allowing the helper to create that tap0 device for the Qemu instance.

And this is the command that I started the Qemu with:

$ qemu-system-x86_64 -machine type=q35,accel=kvm -enable-kvm -cpu host \
    -display gtk -m 1024M -device virtio-net,netdev=internet \
    -netdev bridge,br=br0,id=internet,helper=/usr/libexec/qemu-bridge-helper \
    devuan_jessie_1.0.0-beta_amd64_cloud.qcow2

Just the helper=/usr/libexec/qemu-bridge-helper is a different string than
what Aleksei suggested (it is not in /usr/lib/qemu/qemu-bridge-helper).

Must not forget to say, that I had to enable learning in the grsecurity policy
with adding this to /etc/grsec/policy:

# Role: miro
subject  /usr/libexec/qemu-bridge-helper ol
	/				h
	-CAP_ALL
	bind	disabled
	connect	disabled

However, a grsecurity-hardened system usually asks for even more care. It
protects you very well, but is quite a handful...

Here are the logs. And, of course, solving that remaining issue is a
grsecurity issue, not anymore qemu issue.

I think the issue of setting up the network card for qemu to use is solved.
I'll only try and give a link, for completeness, once I hopefully solve the
remaining issue with grsecurity.

UPDATE: No, it isn't solved, but it wouldn't fit in this email. And I already
wrote all of this. Pls. continuation should follow soon.
---
So here are the logs (tried to cut more out, but was unsure):
----

Oct 16 04:17:13 g0n kernel: [166436.946935] grsec: (miro:U:/usr/bin/qemu-system-x86_64) exec of /usr/bin/qemu-system-x86_64 (qemu-system-x86_64 -machine type=q35,accel=kvm -enable-kvm -cpu host -display gtk -m 1024M -device virtio-net,netdev=internet -n) by /usr/bin/qemu-system-x86_64[bash:8537] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:7730] uid/euid:1000/1000 gid/egid:1000/1000
Oct 16 04:17:14 g0n kernel: [166437.088649] grsec: (miro:U:/usr/libexec/qemu-bridge-helper) exec of /usr/libexec/qemu-bridge-helper (/usr/libexec/qemu-bridge-helper --use-vnet --fd=14 --br=br0 ) by /usr/libexec/qemu-bridge-helper[qemu-system-x86:8539] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/qemu-system-x86_64[qemu-system-x86:8537] uid/euid:1000/1000 gid/egid:1000/1000
Oct 16 04:17:14 g0n dhcpcd[7442]: tap0: if_init: Permission denied

...[   9 lines like the above cut ]...

Oct 16 04:17:14 g0n kernel: [166437.091526] br0: port 2(tap0) entered blocking state
Oct 16 04:17:14 g0n kernel: [166437.091530] br0: port 2(tap0) entered disabled state
Oct 16 04:17:14 g0n kernel: [166437.091593] device tap0 entered promiscuous mode
Oct 16 04:17:14 g0n kernel: [166437.091780] br0: port 2(tap0) entered blocking state
Oct 16 04:17:14 g0n kernel: [166437.091782] br0: port 2(tap0) entered forwarding state
Oct 16 04:17:14 g0n kernel: [166437.091975] grsec: (root:U:/sbin/dhcpcd) denied open of /proc/sys/net/ipv4/conf/tap0/promote_secondaries for writing by /sbin/dhcpcd[dhcpcd:7442] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

...[   3 lines like the above cut ]...

Oct 16 04:17:14 g0n kernel: [166437.093061] grsec: more alerts, logging disabled for 10 seconds
Oct 16 04:17:14 g0n dhcpcd[7442]: tap0: if_init: Permission denied
Oct 16 04:17:14 g0n dhcpcd[7442]: tap0: if_init: Permission denied
Oct 16 04:17:14 g0n kernel: [166437.117118] grsec: (root:U:/) exec of /lib64/udev/net.sh (/lib/udev/net.sh tap0 start ) by /lib64/udev/net.sh[udevd:8541] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:8540] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:14 g0n kernel: [166437.251692] grsec: (miro:U:/bin/bash) exec of /bin/bash (sh -c "/usr/bin/xkbcomp" -w 1 "-R/usr/share/X11/xkb" -xkm "-" -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " ) by /bin/bash[X:8546] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/Xorg[X:3762] uid/euid:1000/0 gid/egid:1000/1000
Oct 16 04:17:14 g0n kernel: [166437.256460] grsec: (miro:U:/) exec of /usr/bin/xkbcomp (/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 The XKEYBOARD keymap compiler (xkbcomp) reports: -emp >  -eml Errors from) by /usr/bin/xkbcomp[sh:8546] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/Xorg[X:3762] uid/euid:1000/0 gid/egid:1000/1000
Oct 16 04:17:14 g0n kernel: [166437.289064] grsec: (miro:U:/) chdir to /usr/share/X11/xkb by /usr/bin/xkbcomp[xkbcomp:8546] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/Xorg[X:3762] uid/euid:1000/0 gid/egid:1000/1000
Oct 16 04:17:14 g0n kernel: [166437.496711] kvm: zapping shadow pages for mmio generation wraparound
Oct 16 04:17:14 g0n kernel: [166437.498685] kvm: zapping shadow pages for mmio generation wraparound
Oct 16 04:17:18 g0n kernel: [166441.484107] kvm [8537]: vcpu0, guest rIP: 0xffffffff81051ab2 unhandled rdmsr: 0xc0010048
Oct 16 04:17:19 g0n dhcpcd[7442]: tap0: if_init: Permission denied
Oct 16 04:17:21 g0n kernel: [166444.923022] kvm [8537]: vcpu0, guest rIP: 0xffffffff81051ab2 unhandled rdmsr: 0x3a
Oct 16 04:17:21 g0n kernel: [166444.923050] kvm [8537]: vcpu0, guest rIP: 0xffffffff81051ab2 unhandled rdmsr: 0xd90
Oct 16 04:17:23 g0n kernel: [166446.914901] mrfw_dropIN=br0 OUT= PHYSIN=tap0 MAC=ff:ff:ff:ff:ff:ff:52:54:00:12:34:56:08:00 SRC="" DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308 
Oct 16 04:17:25 g0n kernel: [166448.056851] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:8577] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:7442] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.062714] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf/br0.ra ) by /bin/rm[dhcpcd-run-hook:8578] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8577] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.065854] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) chdir to /run/dhcpcd/resolv.conf by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8580] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8577] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.066463] grsec: (root:U:/) exec of /bin/sed (sed -n s/^domain //p br0.dhcp br0.dhcp6 br0.ra ) by /bin/sed[dhcpcd-run-hook:8581] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8580] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.068624] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) chdir to /run/dhcpcd/resolv.conf by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8582] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8577] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.069095] grsec: (root:U:/) exec of /bin/sed (sed -n s/^search //p br0.dhcp br0.dhcp6 br0.ra ) by /bin/sed[dhcpcd-run-hook:8583] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8582] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.070879] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) chdir to /run/dhcpcd/resolv.conf by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8584] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8577] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.071328] grsec: (root:U:/) exec of /bin/sed (sed -n s/^nameserver //p br0.dhcp br0.dhcp6 br0.ra ) by /bin/sed[dhcpcd-run-hook:8585] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8584] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.074543] grsec: (root:U:/) exec of /usr/bin/cmp (cmp -s /etc/resolv.conf /run/dhcpcd/resolv.conf.br0.ra ) by /usr/bin/cmp[dhcpcd-run-hook:8587] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8577] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.075666] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.br0.ra ) by /bin/rm[dhcpcd-run-hook:8588] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8577] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.076639] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.br0.ra ) by /bin/rm[dhcpcd-run-hook:8589] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8577] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.079243] grsec: (root:U:/bin/hostname) exec of /bin/hostname (hostname ) by /bin/hostname[dhcpcd-run-hook:8591] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8590] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:26 g0n kernel: [166449.177067] mrfw_dropIN=br0 OUT= PHYSIN=tap0 MAC=ff:ff:ff:ff:ff:ff:52:54:00:12:34:56:08:00 SRC="" DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308 
Oct 16 04:17:26 g0n kernel: [166449.356912] mrfw_dropIN=br0 OUT= PHYSIN=eth1 MAC=00:0e:2e:fd:24:9c:2c:95:7f:14:4e:c6:08:00 SRC="" DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556 
Oct 16 04:17:29 g0n dhcpcd[7442]: tap0: if_init: Permission denied
Oct 16 04:17:29 g0n kernel: [166452.124642] grsec: (root:U:/sbin/dhcpcd) denied open of /proc/sys/net/ipv4/conf/tap0/promote_secondaries for writing by /sbin/dhcpcd[dhcpcd:7442] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:33 g0n kernel: [166456.186541] mrfw_dropIN=br0 OUT= PHYSIN=tap0 MAC=ff:ff:ff:ff:ff:ff:52:54:00:12:34:56:08:00 SRC="" DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308 
Oct 16 04:17:45 g0n kernel: [166468.386463] mrfw_dropIN=br0 OUT= PHYSIN=tap0 MAC=ff:ff:ff:ff:ff:ff:52:54:00:12:34:56:08:00 SRC="" DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308 
Oct 16 04:17:58 g0n kernel: [166481.715249] mrfw_dropIN=br0 OUT= PHYSIN=eth1 MAC=00:0e:2e:fd:24:9c:2c:95:7f:14:4e:c6:08:00 SRC="" DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556 
Oct 16 04:18:06 g0n kernel: [166489.910925] mrfw_dropIN=br0 OUT= PHYSIN=tap0 MAC=ff:ff:ff:ff:ff:ff:52:54:00:12:34:56:08:00 SRC="" DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308 
Oct 16 04:18:10 g0n kernel: [166493.027352] grsec: (root:U:/etc/cron.daily) exec of /bin/date (date +%y%m%d_%H ) by /bin/date[yclamscan:8602] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/yclamscan[yclamscan:8601] uid/euid:0/0 gid/egid:0/0
Oct 16 04:18:10 g0n kernel: [166493.031206] grsec: (root:U:/etc/cron.daily) exec of /bin/hostname (hostname ) by /bin/hostname[yclamscan:8603] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/yclamscan[yclamscan:8601] uid/euid:0/0 gid/egid:0/0
Oct 16 04:18:10 g0n kernel: [166493.033980] grsec: (root:U:/etc/cron.daily) exec of /usr/bin/clamscan (/usr/bin/clamscan -r -i --detect-pua=yes --detect-structured=yes --phishing-sigs=yes --cross-fs=no /Cmn ) by /usr/bin/clamscan[yclamscan:8601] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/yclamscan[yclamscan:4853] uid/euid:0/0 gid/egid:0/0
Oct 16 04:18:29 g0n kernel: [166512.519690] br0: port 2(tap0) entered disabled state
Oct 16 04:18:29 g0n kernel: [166512.519935] device tap0 left promiscuous mode
Oct 16 04:18:29 g0n kernel: [166512.519950] br0: port 2(tap0) entered disabled state
Oct 16 04:18:29 g0n kernel: [166512.522496] grsec: (root:U:/) exec of /lib64/udev/net.sh (/lib/udev/net.sh tap0 stop ) by /lib64/udev/net.sh[udevd:8640] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:8636] uid/euid:0/0 gid/egid:0/0
Oct 16 04:18:32 g0n kernel: [166515.032489] sky2 0000:06:00.0 eth1: Link is down
Oct 16 04:18:32 g0n dhcpcd[7442]: eth1: carrier lost
Oct 16 04:18:32 g0n kernel: [166515.033919] br0: port 1(eth1) entered disabled state

Regards!
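The posted log mixes three separate things: grsecurity RBAC denials, dhcpcd failing to initialise tap0, and lines in netfilter LOG-target format (prefix `mrfw_drop`, with PHYSIN set because the packet traversed the bridge) showing the guest's DHCP requests from QEMU's default MAC 52:54:00:12:34:56 and a reply arriving via eth1 being logged by the host's own drop rule. Telling those apart is what decides whether the remaining problem is the RBAC policy, dhcpcd on the tap, or the host firewall. The script below is an added example, not part of the thread; the sample it writes consists of excerpts of the log above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: triage of the host log posted in the thread. The sample is
# made of excerpts from that log; the categorisation logic is this example's.

# write_sample FILE: excerpts of the posted log used as input.
write_sample() {
    cat > "$1" <<'EOF'
Oct 16 04:17:14 g0n dhcpcd[7442]: tap0: if_init: Permission denied
Oct 16 04:17:14 g0n kernel: [166437.091526] br0: port 2(tap0) entered blocking state
Oct 16 04:17:14 g0n kernel: [166437.091782] br0: port 2(tap0) entered forwarding state
Oct 16 04:17:14 g0n kernel: [166437.091975] grsec: (root:U:/sbin/dhcpcd) denied open of /proc/sys/net/ipv4/conf/tap0/promote_secondaries for writing by /sbin/dhcpcd[dhcpcd:7442] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:23 g0n kernel: [166446.914901] mrfw_dropIN=br0 OUT= PHYSIN=tap0 MAC=ff:ff:ff:ff:ff:ff:52:54:00:12:34:56:08:00 SRC="" DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Oct 16 04:17:26 g0n kernel: [166449.356912] mrfw_dropIN=br0 OUT= PHYSIN=eth1 MAC=00:0e:2e:fd:24:9c:2c:95:7f:14:4e:c6:08:00 SRC="" DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Oct 16 04:17:29 g0n dhcpcd[7442]: tap0: if_init: Permission denied
Oct 16 04:17:29 g0n kernel: [166452.124642] grsec: (root:U:/sbin/dhcpcd) denied open of /proc/sys/net/ipv4/conf/tap0/promote_secondaries for writing by /sbin/dhcpcd[dhcpcd:7442] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:33 g0n kernel: [166456.186541] mrfw_dropIN=br0 OUT= PHYSIN=tap0 MAC=ff:ff:ff:ff:ff:ff:52:54:00:12:34:56:08:00 SRC="" DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Oct 16 04:18:29 g0n kernel: [166512.519690] br0: port 2(tap0) entered disabled state
EOF
}

# count_grsec_denied LOG: RBAC "denied" events (what the policy would have to permit).
count_grsec_denied() {
    grep -c 'grsec: .* denied ' "$1" || true
}

# count_dhcpcd_perm_denied LOG: dhcpcd could not initialise tap0 at all.
count_dhcpcd_perm_denied() {
    grep -c 'dhcpcd\[[0-9]*\]: tap0: if_init: Permission denied' "$1" || true
}

# dhcp_drop_count LOG PHYSIN request|reply: firewall-logged DHCP packets that
# entered the bridge on PHYSIN. SPT=68 DPT=67 is client->server (the guest
# asking for a lease), SPT=67 DPT=68 is the server's answer.
dhcp_drop_count() {
    awk -v want="$2" -v dir="$3" '
        /mrfw_drop/ && /PROTO=UDP/ {
            physin = ""; spt = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "PHYSIN") physin = kv[2]
                else if (kv[1] == "SPT") spt = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (physin != want) next
            if (dir == "request" && spt == "68" && dpt == "67") c++
            if (dir == "reply"   && spt == "67" && dpt == "68") c++
        }
        END { print c + 0 }' "$1"
}

# bridge_port_state LOG PORT: last state the bridge reported for PORT
# ("forwarding" = the tap was attached and passing frames; "disabled" at the
# end of the posted log is the VM being shut down).
bridge_port_state() {
    awk -v port="$2" '
        index($0, "br0: port") && index($0, "(" port ")") && match($0, /entered [a-z]+ state/) {
            state = substr($0, RSTART + 8, RLENGTH - 14)
        }
        END { print state }' "$1"
}

# triage LOG: one-screen summary of the three problem classes.
triage() {
    echo "grsec RBAC denials:                        $(count_grsec_denied "$1")"
    echo "dhcpcd tap0 init failures:                 $(count_dhcpcd_perm_denied "$1")"
    echo "DHCP requests from tap0 logged as dropped: $(dhcp_drop_count "$1" tap0 request)"
    echo "DHCP replies via eth1 logged as dropped:   $(dhcp_drop_count "$1" eth1 reply)"
    echo "last bridge state of tap0:                 $(bridge_port_state "$1" tap0)"
}

sample=$(mktemp)
write_sample "$sample"
triage "$sample"
rm -f "$sample"
```

On the excerpt the summary shows the tap reaching forwarding state (so the helper did its job), two RBAC denials for dhcpcd on tap0, and the guest's DHCP requests plus one reply being logged by the host's drop rule; on a live system you would run `triage` over the full log from the same time window.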

