Red Hat Bugzilla – Bug 699817
Guests not starting using interface type= ethernet (could not configure /dev/net/tun : Operation not permitted)
Last modified: 2012-01-24 17:40:21 EST
Description of problem:
VMs not starting using interface type = ethernet
Version-Release number of selected component (if applicable): 0.8.3-9
Steps to Reproduce:
1. Configure /etc/libvirt/qemu.conf with user != root
2. Start guest using interface type = ethernet
Guest startup fails with the error below:
[root@myhost ~]# virsh start vm-1
error: Failed to start domain vm-1
qemu-kvm: -net tap,ifname=tap5,script=/etc/KVM/vm-1.sh,vlan=0,name=hostnet0: could not configure /dev/net/tun (tap5): Operation not permitted
qemu-kvm: -net tap,ifname=tap5,script=/etc/KVM/vm-1.sh,vlan=0,name=hostnet0: Device 'tap' could not be initialized
It should be started.
Dump of xml file for guest vm-1 for related network section.
[root@myhost]# virsh dumpxml vm-1
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
In the network script, I use the root user to set up the tap interface. I also tried to bypass the line below, but the result is the same.
tunctl -b -u root -t tap5
Please suggest a solution, as we need/require a network interface (tap) for VMs.
Any update on this is highly appreciated.
There is a FAQ page here about making type=ethernet work in Fedora:
Since it sounds like you are running the qemu process as non-root, qemu likely doesn't have permissions to mess with /dev/net/tun, so this is probably NOTABUG.
Thanks, Cole Robinson, for looking into this. Can you please suggest: if we run the qemu process as the root user, are there any security considerations? With the root user it's working fine for tap/tun. Can we set the root user in qemu.conf? Please suggest.
Running qemu as root is not as secure as running qemu as the 'qemu' user. If a user in the virtual machine can exploit qemu and escape, they will then have root privileges on the host.
However, that's the only way I know how to make your network configuration work. There might be some other way, but I don't know it, and it's unlikely it will ever be anything that libvirt will automatically do for you, since using qemu network scripts isn't a really supportable configuration from libvirt's POV.
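A defender-side check for the trade-off described in the comment above, added here as an example and not part of the bug report or of libvirt's own tooling: it reads a qemu.conf and reports whether guests' qemu processes run as root. The `clear_emulator_capabilities` key is a libvirt qemu.conf setting that the thread does not mention; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a libvirt qemu.conf for
# settings that let guests' qemu processes run with host root privileges.

# Print the last uncommented value of key $1 in file $2, quotes stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#]*\).*/\1/p" "$2" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Return 0: qemu runs unprivileged (or the packaged default applies);
#        1: qemu runs as root with capabilities cleared;
#        2: qemu runs as root and keeps root's capabilities.
audit_qemu_conf() {
    conf=$1
    user=$(conf_value user "$conf")
    clearcaps=$(conf_value clear_emulator_capabilities "$conf")
    case $user in
        root|0|+0) ;;
        "") echo "user: not set, packaged default applies"; return 0 ;;
        *)  echo "user: $user (unprivileged)"; return 0 ;;
    esac
    echo "user: $user -> a guest that escapes qemu gets root on the host"
    if [ "$clearcaps" = "0" ]; then
        echo "clear_emulator_capabilities=0 -> qemu keeps root's capabilities"
        return 2
    fi
    return 1
}

# Constructed sample resembling the root-user setup asked about in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# user = "qemu"
user = "root"
group = "root"
clear_emulator_capabilities = 0
EOF
audit_qemu_conf "$sample" || echo "audit status: $?"
rm -f "$sample"
```

On a real host, pass `/etc/libvirt/qemu.conf` to `audit_qemu_conf` and treat a non-zero status as a finding to review.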
So qemu only bond for bridge setup (normally for child networking). There must be a professional approach like routed networking, as only way to use tap/ethernet networking for routing setup, but after the privileges drop, it's limited to the root user. There must be some way to use routed networking in qemu.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
F14 is EOL, please reopen if this is still relevant in a more recent Fedora.