On Sat, Jun 22, 2024 at 07:42:00PM +0000, procmem(a)riseup.net wrote:
On 6/19/24 18:30, Daniel P. Berrangé wrote:
> On Wed, Jun 19, 2024 at 06:21:29PM -0000, procmem(a)riseup.net wrote:
> > Hi, we are trying to document a way for our users to run libvirt without
> > dnsmasq to reduce attack surface on the host. We are aware that the
> > default network uses it but plan to disable that and use our own custom
> > configured networks instead. Uninstalling dnsmasq causes libvirt to
> > refuse to start even if the default network is no longer running.
> > Is this possible or is this something that needs code changes upstream?
>
> The virtual network driver validates existence of dnsmasq at startup,
> but nothing requires you to actually run the virtual network driver,
> if you're intending to do your own thing with network setup.
>
> It sounds like you're using the old monolithic 'libvirtd' daemon. We
> always build libvirt with modules support, so all drivers are dlopen'd
> on startup.
>
How to check that?
> Thus if you're not intending to use the libvirt virtual network feature,
> simply don't install its module, and then libvirtd will see the module
> doesn't exist, and skip the dlopen.
>
That sounds like something people would do who compile from source code?
We're using libvirtd (9.0.0-4) from Debian package sources. [1]
This is possible on Fedora/RHEL with the RPM packages, but it seems
Debian just bundle it all into one package :-(
https://packages.debian.org/bookworm/amd64/libvirt-daemon/filelist
> If you're using the new modular daemons, then even if installed, the
> virtnetworkd daemon won't get launched unless some guest is configured
> to use it. So if you're intending to setup network bridges yourself,
> virtnetworkd shouldn't run.
>
That is libvirtd 9.x or 10.x?
Is there a chance that something is wrong with the libvirtd compilation
settings by Debian's packaging?
[1] packages.debian.org/bookworm/libvirt-daemon
Yes, it seems Debian is intentionally not shipping them :-(
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
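
An added example, not part of the thread: before dropping dnsmasq and the virtual network driver, a host owner can audit which guests still have NICs of type `network`, since the reply above notes that virtnetworkd is only launched when a guest is configured to use it. The sample domain XML and guest names are constructed; pass files saved from `virsh dumpxml` as arguments to check real guests.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample domain definitions (not taken from the thread).
SAMPLE_DOMAINS = {
    "vm-bridge": """<domain type='kvm'><name>vm-bridge</name><devices>
        <interface type='bridge'><source bridge='br0'/></interface>
      </devices></domain>""",
    "vm-default": """<domain type='kvm'><name>vm-default</name><devices>
        <interface type='network'><source network='default'/></interface>
      </devices></domain>""",
    "vm-mixed": """<domain type='kvm'><name>vm-mixed</name><devices>
        <interface type='bridge'><source bridge='br1'/></interface>
        <interface type='network'><source network='isolated'/></interface>
      </devices></domain>""",
    "vm-nonic": "<domain type='kvm'><name>vm-nonic</name><devices/></domain>",
}


def virtual_network_users(domains):
    """Map guest name -> libvirt virtual networks its NICs attach to.

    `domains` maps a label to domain XML text. Guests that only use
    host bridges (type='bridge') or have no NIC are left out.
    """
    findings = {}
    for label, xml_text in domains.items():
        root = ET.fromstring(xml_text)
        name = root.findtext("name", default=label)
        nets = []
        for iface in root.iterfind("./devices/interface[@type='network']"):
            source = iface.find("source")
            # A type='network' NIC without <source> is still a dependency.
            nets.append(source.get("network", "?") if source is not None else "?")
        if nets:
            findings[name] = nets
    return findings


if __name__ == "__main__":
    # With arguments: audit the given dumpxml files; without: the samples.
    domains = SAMPLE_DOMAINS
    if len(sys.argv) > 1:
        domains = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]}
    for guest, nets in virtual_network_users(domains).items():
        print(f"{guest}: depends on virtual network(s) {', '.join(nets)}")
```
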