From: daggs
To: Natanael Copa
Cc: ~alpine/users@lists.alpinelinux.org
Subject: Re: unable to write to dev node
Date: Fri, 5 Jul 2024 15:12:04 +0200
In-Reply-To: <20240705092544.73dcb8c3@ncopa-desktop>
References: <20240704174637.78fb7052@ncopa-desktop> <20240705092544.73dcb8c3@ncopa-desktop>

> > > > Greetings,
> > > >
> > > > I'm trying to debug a bug under Alpine Linux when it comes to session-based libvirt vms.
> > > > When starting a vm that has a virt nic bound to a bridge, I get this error: Unable to create tap device vnet0: Operation not permitted
> > > > I've looked into the code of libvirt and narrowed it down to this func: virNetDevTapCreate
> > > > I've taken the relevant code to a side file for testing, here is the code I use:
> > > >
> > > > /* header names were lost in the archived copy; these provide the symbols used below */
> > > > #include <stdio.h>
> > > > #include <stdlib.h>
> > > > #include <fcntl.h>
> > > > #include <sys/ioctl.h>
> > > > #include <net/if.h>
> > > > #include <linux/if_tun.h>   /* IFF_TAP, IFF_NO_PI, TUNSETIFF */
> > > >
> > > > enum {
> > > >     VIR_NETDEV_TAP_CREATE_NONE = 0,
> > > >     /* Bring the interface up */
> > > >     VIR_NETDEV_TAP_CREATE_IFUP = 1 << 0,
> > > >     /* Enable IFF_VNET_HDR on the tap device */
> > > >     VIR_NETDEV_TAP_CREATE_VNET_HDR = 1 << 1,
> > > >     /* Set this interface's MAC as the bridge's MAC address */
> > > >     VIR_NETDEV_TAP_CREATE_USE_MAC_FOR_BRIDGE = 1 << 2,
> > > >     /* The device will persist after the file descriptor is closed */
> > > >     VIR_NETDEV_TAP_CREATE_PERSIST = 1 << 3,
> > > >     /* The device is allowed to exist before creation */
> > > >     VIR_NETDEV_TAP_CREATE_ALLOW_EXISTING = 1 << 4,
> > > > };
> > > >
> > > > int main()
> > > > {
> > > >     int fd;
> > > >     char *tunpath = "/dev/net/tun";
> > > >     size_t tapfdSize = 1;
> > > >     struct ifreq ifr = { 0 };
> > > >     unsigned int flags = VIR_NETDEV_TAP_CREATE_IFUP;
> > > >     if (1)
> > > >         flags |= VIR_NETDEV_TAP_CREATE_VNET_HDR;
> > > >
> > > >     if ((fd = open(tunpath, O_RDWR)) < 0) {
> > > >         perror("Unable to open, is tun module loaded?");
> > > >         exit(1);
> > > >     }
> > > >
> > > >     /* Name the device "vnet0"; the original passed a length of 5, which truncated it to "vnet" */
> > > >     snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "vnet%d", 0);
> > > >     ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
> > > >     /* If tapfdSize is greater than one, request multiqueue */
> > > >     if (tapfdSize > 1)
> > > >         ifr.ifr_flags |= IFF_MULTI_QUEUE;
> > > >
> > > >     if (flags & VIR_NETDEV_TAP_CREATE_VNET_HDR)
> > > >         ifr.ifr_flags |= IFF_VNET_HDR;
> > > >
> > > >     if (ioctl(fd, TUNSETIFF, &ifr) < 0) {
> > > >         perror("Unable to create tap device");
> > > >     }
> > > >
> > > >     return 0;
> > > > }
> > > >
> > > > It compiles fine and works under user root.
> > > > I have a user named foo which I use for the sessioned vm; looking at /dev/net/tun's permissions, I see this:
> > > > $ ll /dev/net/tun
> > > > crw-rw-rw- 1 root netdev 10, 200 Jul 4 15:52 /dev/net/tun
> > > >
> > > > So I added foo to the netdev group; now it has the following id output: uid=1002(foo) gid=1002(foo) groups=1002(foo),28(netdev),34(kvm),36(qemu),102(libvirt)
> > > > and ran the code again, I'm getting the same error.
> > > > I went to the libvirt community and one of the devs tried to help me with it; he concluded that there is something wrong in Alpine because it works in Fedora.
> > > > In contrast, /dev/null has the same permissions as /dev/net/tun but the group is root and I can write to it as user foo.
> > > >
> > > > Any ideas what I am missing?
> > >
> > > Can you run your app under strace, to show which syscall fails?
> >
> > $ strace ./test
> > execve("./test", ["./test"], 0x7ffd948179e0 /* 17 vars */) = 0
> > arch_prctl(ARCH_SET_FS, 0x7f9eff1a1b28) = 0
> > set_tid_address(0x7f9eff1a1f90) = 3922
> > brk(NULL) = 0x559659075000
> > brk(0x559659077000) = 0x559659077000
> > mmap(0x559659075000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x559659075000
> > mprotect(0x7f9eff19e000, 4096, PROT_READ) = 0
> > mprotect(0x5596579ff000, 4096, PROT_READ) = 0
> > open("/dev/net/tun", O_RDWR|O_LARGEFILE) = 3
>
> This means the permissions on /dev/net/tun and the group etc. work.
>
> > ioctl(3, TUNSETIFF, 0x7ffd72891cf0) = -1 EPERM (Operation not permitted)
>
> So it is the ioctl that fails, for some reason.
>
> Is the kernel module `tun` loaded?

Yes it is. Is there a way to compile the kernel faster so I can debug it from within?

> > writev(2, [{iov_base="", iov_len=0}, {iov_base="Unable to create tap device", iov_len=27}], 2Unable to create tap device) = 27
> > writev(2, [{iov_base="", iov_len=0}, {iov_base=":", iov_len=1}], 2:) = 1
> > writev(2, [{iov_base="", iov_len=0}, {iov_base=" ", iov_len=1}], 2 ) = 1
> > writev(2, [{iov_base="", iov_len=0}, {iov_base="Operation not permitted", iov_len=23}], 2Operation not permitted) = 23
> > writev(2, [{iov_base="", iov_len=0}, {iov_base="\n", iov_len=1}], 2
> > ) = 1
> > exit_group(0) = ?
> > +++ exited with 0 +++
>
> Do you run this under docker? If so it might be libseccomp that is
> causing problems.

No, I'm running inside a libvirt qemu vm, i.e. a nested vm.

> > > -nc
> > >
> > > > Thanks,
> > > >
> > > > Dagg