Date: Thu, 4 Jul 2024 17:46:37 +0200
From: Natanael Copa
To: daggs
Cc: ~alpine/users@lists.alpinelinux.org
Subject: Re: unable to write to dev node
Message-ID: <20240704174637.78fb7052@ncopa-desktop>

On Thu, 4 Jul 2024 16:15:46 +0200 daggs wrote:

> Greeting,
>
> I'm trying to debug a bug under alpine linux when it comes to session based libvirt vms.
> when starting a vm that has a virt nic bound to a bridge, I get this error: Unable to create tap device vnet0: Operation not permitted
> I've looked into the code of libvirt and narrowed it down to this func: virNetDevTapCreate
> I've taken the relevant code to a side file for testing, here is the code I use:
>
> #include <fcntl.h>        /* open, O_RDWR */
> #include <linux/if_tun.h> /* IFF_TUN, IFF_NO_PI, TUNSETIFF */
> #include <net/if.h>       /* struct ifreq */
> #include <stdio.h>        /* snprintf, perror */
> #include <stdlib.h>       /* exit */
> #include <sys/ioctl.h>    /* ioctl */
> #include <unistd.h>       /* close */
>
> enum {
>     VIR_NETDEV_TAP_CREATE_NONE = 0,
>     /* Bring the interface up */
>     VIR_NETDEV_TAP_CREATE_IFUP = 1 << 0,
>     /* Enable IFF_VNET_HDR on the tap device */
>     VIR_NETDEV_TAP_CREATE_VNET_HDR = 1 << 1,
>     /* Set this interface's MAC as the bridge's MAC address */
>     VIR_NETDEV_TAP_CREATE_USE_MAC_FOR_BRIDGE = 1 << 2,
>     /* The device will persist after the file descriptor is closed */
>     VIR_NETDEV_TAP_CREATE_PERSIST = 1 << 3,
>     /* The device is allowed to exist before creation */
>     VIR_NETDEV_TAP_CREATE_ALLOW_EXISTING = 1 << 4,
> };
>
> int main(void)
> {
>     int fd;
>     const char *tunpath = "/dev/net/tun";
>     size_t tapfdSize = 1;
>     struct ifreq ifr = { 0 };
>     unsigned int flags = VIR_NETDEV_TAP_CREATE_IFUP;
>     if (1)
>         flags |= VIR_NETDEV_TAP_CREATE_VNET_HDR;
>
>     if ((fd = open(tunpath, O_RDWR)) < 0) {
>         perror("Unable to open, is tun module loaded?");
>         exit(1);
>     }
>
>     /* size the buffer by the field so "vnet0" is not truncated to "vnet" */
>     snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "vnet%d", 0);
>     ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
>     /* If tapfdSize is greater than one, request multiqueue */
>     if (tapfdSize > 1)
>         ifr.ifr_flags |= IFF_MULTI_QUEUE;
>
>     if (flags & VIR_NETDEV_TAP_CREATE_VNET_HDR)
>         ifr.ifr_flags |= IFF_VNET_HDR;
>
>     if (ioctl(fd, TUNSETIFF, &ifr) < 0) {
>         perror("Unable to create tap device");
>     }
>
>     close(fd);
>     return 0;
> }
>
> it compiles fine and works under user root.
> I have a user named foo which I use for the sessioned vm, looking at /dev/net/tun's permissions, I see this:
> $ ll /dev/net/tun
> crw-rw-rw- 1 root netdev 10, 200 Jul 4 15:52 /dev/net/tun
>
> so I added foo to the netdev group, now it has the following id output: uid=1002(foo) gid=1002(foo) groups=1002(foo),28(netdev),34(kvm),36(qemu),102(libvirt)
> and ran the code again, I'm getting the same error.
> I went to the libvirt community and one of the devs tried to help me with it, he concluded that there is something wrong in alpine because it works in fedora.
> in contrast, /dev/null has the same permissions as /dev/net/tun but the group is root and I can write to it as user foo.
>
> any ideas what I am missing?

Can you run your app under strace? To show which syscall fails.

Do you run this under docker? If so, it might be libseccomp that is causing problems.

-nc

>
> Thanks,
>
> Dagg