I believe there is a bug in the Purism package distro in relation to virt-manager. I can’t remember if virt-manager comes preinstalled with Librem13v3, but I’m 95% sure I installed it with sudo apt-get install virt-manager. After installing, it worked great. That is until I wanted to create a virtual private network and attach virtual machines to the network. At this point I ran into a problem.
After creating a virtual network by following the Red Hat tutorial 17.10, I attempted to connect my CentOS VM to it with the steps in the next section (17.11). After adding the NIC and starting the VM, I got a permission denied error.
Error starting domain: '/usr/lib/qemu/qemu-bridge-helper' is not a suitable bridge helper: Permission denied
After intense googling, I found in several places that the qemu-bridge-helper file is supposed to have the setuid bit set. But it doesn’t.
ls -l /usr/lib/qemu/qemu-bridge-helper
-rw-rw---- 1 root kvm 14328 Jun 27 03:52 /usr/lib/qemu/qemu-bridge-helper
This appears to be a bug. I read somewhere that if this was the case, it is probably a bug with the distro. Some distros strip setuids because they are dangerous. If I’m not mistaken, Purism uses its own distro and it would make a lot of sense for them to have setuid stripping enabled. Additionally though, this executable had no execute permissions at all…
That being said, after setting the file to be executable by owner and group, and setting the setuid bit, I received an odd error that said failed to drop privileges. I still haven’t solved this issue, if anyone knows why it is happening, but I did find a workaround.
For anyone who is having this problem, here is how I got virtual networking to work:
I found the line of code that printed the weird error here. And from that I was able to deduce that there was something going wrong when it was trying to drop privileges after detecting that the qemu-bridge-helper file was run with setuid. So I removed the setuid bit from that file.
ls -l /usr/lib/qemu/qemu-bridge-helper
-rwxrwx--- 1 root kvm 14328 Jun 27 03:52 /usr/lib/qemu/qemu-bridge-helper
After trying to run the VM again, I got another error: failed to parse default acl file '/etc/libvirt/qemu.conf'. So I checked the permissions on it:
ls -la /etc/libvirt/qemu.conf
-rw------- 1 root root 30550 Dec 2 01:15 /etc/libvirt/qemu.conf
chmod to allow the file to be readable by the world. I believe this should be fine, because the file isn’t modifiable, and it’s only the default config that comes with the package. Additionally, I checked the contents, and every line is commented out. So having it readable shouldn’t be a security concern.
One last attempt at running the VM will give you another error: failed to parse default acl file '/etc/qemu/bridge.conf'. Fixing this is pretty much the same process, only I found that /etc/qemu didn’t exist. So I created the directory and a blank bridge.conf file, making it readable to the world.
At this point, I bypassed the odd failed to drop privileges error, and I was met with an access denied by acl file error. This turns out to be a well-documented problem with qemu though, and I followed this blog to fix it.
I hope this helps anyone who is met with this issue. I believe the error stems from the fact that PureOS, or the Purism distro that you download software from, doesn’t give files proper permissions. So perhaps that is something that can be fixed.
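The permission states described in the post can be checked without changing anything. The script below is an added example, not part of the original post or of QEMU or libvirt; its function names are hypothetical, and its checks encode only what the post reports (helper executable and setuid, ACL files world-readable) plus a flag for write access by non-owners.

```shell
#!/bin/sh
# Added example: read-only audit of the file modes discussed in the post.
# Function names are hypothetical; audit_file needs GNU stat (stat -c).

# helper_mode_rc MODE: classify an octal mode string for the bridge helper.
# Returns 0 ok, 2 no execute bit, 3 no setuid bit, 4 group/other writable.
helper_mode_rc() {
    [ $(( 0$1 & 0111 )) -ne 0 ] || return 2    # state in the post's first ls -l
    [ $(( 0$1 & 04000 )) -ne 0 ] || return 3   # setuid expected, per the post
    [ $(( 0$1 & 0022 )) -eq 0 ] || return 4    # non-owners could alter the file
    return 0
}

# acl_mode_rc MODE: classify qemu.conf / bridge.conf.
# Returns 0 ok, 2 not world-readable, 3 world-writable.
acl_mode_rc() {
    [ $(( 0$1 & 0004 )) -ne 0 ] || return 2
    [ $(( 0$1 & 0002 )) -eq 0 ] || return 3
    return 0
}

# audit_file KIND PATH: KIND is "helper" or "acl". Prints one line and
# returns 1 if PATH is missing, otherwise the classifier's code.
audit_file() {
    [ -e "$2" ] || { echo "rc=1 missing $2"; return 1; }
    mode=$(stat -c '%a' "$2"); code=0
    "${1}_mode_rc" "$mode" || code=$?
    echo "rc=$code mode=$mode $2"
    return "$code"
}

# Constructed sample: temp files given the modes from the post's ls output.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/helper";    chmod 660 "$d/helper"      # -rw-rw----
    : > "$d/qemu.conf"; chmod 600 "$d/qemu.conf"   # -rw-------
    audit_file helper "$d/helper" || true
    audit_file acl "$d/qemu.conf" || true
    audit_file acl "$d/bridge.conf" || true        # /etc/qemu did not exist
    rm -rf "$d"
}
demo
```

On a real system, call audit_file helper /usr/lib/qemu/qemu-bridge-helper, and audit_file acl on /etc/libvirt/qemu.conf and /etc/qemu/bridge.conf.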