Virt-manager and virtual networks on Librem


#1

I believe there is a bug in the Purism package distro in relation to virt-manager. I can’t remember if virt-manager comes preinstalled with Librem13v3, but I’m 95% sure I installed it with sudo apt-get install virt-manager. After installing, it worked great. That is until I wanted to create a virtual private network and attach virtual machines to the network. At this point I ran into a problem.

After creating a virtual network by following the RedHat tutorial 17.10 I attempted to connect my centos VM to it with the steps in the next section (17.11). After adding the NIC and starting the VM I got a permission denied error.

Error starting domain: '/usr/lib/qemu/qemu-bridge-helper' is not a suitable bridge helper: Permission denied

After intense googling, I found in several places that the qemu-bridge-helper file is supposed to have the setuid bit set. But it doesn’t.

ls -l /usr/lib/qemu/qemu-bridge-helper 
-rw-rw---- 1 root kvm 14328 Jun 27 03:52 /usr/lib/qemu/qemu-bridge-helper

This appears to be a bug. I read somewhere that if this was the case, it is probably a bug with the distro. Some distros strip setuids because they are dangerous. If I’m not mistaken Purism uses it’s own distro and it would make a lot of sense for them to have setuid stripping enabled. Additionally though, this executable had no execute permissions at all…

That being said, after setting the file to be executable by owner and group, and setting the setuid bit, I received an odd error that said failed to drop privileges. I still haven’t solved this issue, if anyone knows why it is happening, but I did find a workaround.

For anyone who is having this problem, here is how I got virtual networking to work:

I found the line of code that printed the weird error here. And from that I was able to deduce that there was something going wrong when it was trying to drop privileges after detecting that the qemu-bridge-helper file was run with setuid. So I removed the setuid bit from that file.

ls -l /usr/lib/qemu/qemu-bridge-helper 
-rwxrwx--- 1 root kvm 14328 Jun 27 03:52 /usr/lib/qemu/qemu-bridge-helper

After trying to run the VM again, I got another error: failed to parse default acl file '/etc/libvirt/qemu.conf'. So I checked the permissions on it:

ls -la /etc/libvirt/qemu.conf 
-rw------- 1 root root 30550 Dec  2 01:15 /etc/libvirt/qemu.conf

I used chmod to allow the file to be readable by the world. I believe this should be fine, because the file isn’t modifiable, and it’s only the default config that comes with the package. Additionally, I checked the contents, and every line is commented out. So having it readable shouldn’t be a security concern.

One last attempt at running the VM will give you another error. failed to parse default acl file '/etc/qemu/bridge.conf'. Fixing this is pretty much the same process, only I found that /etc/qemu didn’t exist. So I created the directory and a blank bridge.conf file, making it readable to the world.

At this point, I bypassed the odd failed to drop privileges error, and I was met with an access denied by acl file error. This turns out to be a well documented problem with qemu though, and I followed this blog to fix it.

I hope this helps anyone who is met with this issue. I believe the error stems from the fact that PureOS, or the Purism distro that you download software from, doesn’t give files proper permissions. So perhaps that is something that can be fixed.


#2

May be worth submitting a bug report:

https://tracker.pureos.net/