How can I control iptables/nftables rule addition on a libvirtd host on Debian 12?
by oza.4h07@gmail.com
Hello,
When I install libvirt-daemon on a Debian 12 host, I can see the iptables rules below being added.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
For some reason, I need to add a couple of other rules.
How can I do that?
Best regards
14 hours, 26 minutes
SEV Support Libvirt
by Paraskevas Nik
Hello, I am trying to enable libvirt to support SEV-SNP. Currently I am
using virsh domcapabilities to check if it's enabled, but I am getting:
<sev supported='no'/>
Followed the instructions at:
https://libvirt.org/kbase/launch_security_sev.html
My AMD CPU supports SEV, SEV-SNP and I have followed all the steps and it
is enabled. BIOS settings are configured to support SEV, SNP. CPU: AMD EPYC
9254
# cat /sys/module/kvm_amd/parameters/sev
Y
# dmesg | grep -i sev
[ 0.000000] SEV-SNP: RMP table physical range [0x000000002d500000 - 0x000000004ddfffff]
[ 0.009021] SEV-SNP: Reserving start/end of RMP table on a 2MB boundary [0x000000002d400000]
[ 11.184492] ccp 0000:01:00.5: sev enabled
[ 12.664210] ccp 0000:01:00.5: SEV API:1.55 build:36
[ 12.664217] ccp 0000:01:00.5: SEV-SNP API:1.55 build:36
[ 12.671343] kvm_amd: SEV enabled (ASIDs 16 - 1006)
[ 12.671345] kvm_amd: SEV-ES enabled (ASIDs 1 - 15)
[ 12.671346] kvm_amd: SEV-SNP enabled (ASIDs 1 - 15)
Versions:
Libvirt version: 10.7.0
qemu-system-x86_64 version: 9.1.0
Linux kernel version: 6.11.0-rc3
Distro: Ubuntu 22.04.4 LTS
If you need any other information please let me know.
Thanks!
3 days, 8 hours
Re: Network denied access
by Rodrigo Prieto
Thank you for taking the time to respond. I want to mention that I don't
speak English, and it's difficult for me to understand using a translator.
In the file /etc/libvirt/libvirtd.conf, I have the following:
access_drivers = [ "polkit" ]
The virtqemud and virtnetworkd services are not installed. I used the
version from the Debian 12 repositories.
systemctl status virtnetworkd.socket
Unit virtnetworkd.socket could not be found.
systemctl status virtqemud.socket
Unit virtqemud.socket could not be found.
In the file /etc/libvirt/qemu.conf, the default configuration is present.
Best regards.
On Thu, 6 Feb 2025 at 20:48, Rodrigo Prieto (<rodrigoprieto2019(a)gmail.com>)
wrote:
> Thank you for taking the time to respond. I want to mention that I don't
> speak English, and it's difficult for me to understand using a translator.
>
> In the file /etc/libvirt/libvirtd.conf, I have the following:
> access_drivers = [ "polkit" ]
>
>
> The virtqemud and virtnetworkd services are not installed. I used the
> version from the Debian 12 repositories.
>
> systemctl status virtnetworkd.socket
> Unit virtnetworkd.socket could not be found.
>
> systemctl status virtqemud.socket
> Unit virtqemud.socket could not be found.
>
> In the file /etc/libvirt/qemu.conf, the default configuration is
> present.
>
> Best regards.
>
> On Thu, 6 Feb 2025 at 12:55, Martin Kletzander (<mkletzan(a)redhat.com>)
> wrote:
>
>> On Fri, Jan 31, 2025 at 03:34:03AM -0300, Rodrigo Prieto wrote:
>> >Hello,
>> >
>> >I am configuring Polkit using an example I found on the web. It correctly
>> >displays the assigned domain for a given user, but when I try to start the
>> >VM, I get the following error:
>> >
>> >error: Failed to start domain 'debian12'
>> >error: access denied: 'network' denied access
>> >
>> >Here is my configuration:
>> >
>> >polkit.addRule(function(action, subject) {
>> >    if (action.id == "org.libvirt.unix.manage" &&
>> >        subject.user == "lolo") {
>> >        return polkit.Result.YES;
>> >    }
>> >});
>> >polkit.addRule(function(action, subject) {
>> >    if (action.id.indexOf("org.libvirt.api.domain.") == 0 &&
>> >        subject.user == "lolo") {
>> >        if (action.lookup("connect_driver") == 'QEMU' &&
>> >            action.lookup("domain_name") == 'debian12') {
>> >            return polkit.Result.YES;
>> >        } else {
>> >            return polkit.Result.NO;
>> >        }
>> >    }
>> >});
>> >
>>
>> So doing this allows you to do anything with debian12 domain on the QEMU
>> connection driver.
>>
>> >To grant network access, I have to configure the following:
>> >
>> >polkit.addRule(function(action, subject) {
>> >    if (action.id.indexOf("org.libvirt.api.network") == 0 &&
>> >        subject.user == "lolo") {
>> >        return polkit.Result.YES;
>> >    }
>> >});
>> >
>>
>> Adding this allows you to do anything with any network. This rule does
>> omit a condition similar to the above one from the api.domain rule.
>>
>> >The problem with the previous configuration is that it allows full access
>> >to the network, requiring the following configuration:
>> >
>>
>> *to all the networks
>>
>> >polkit.addRule(function(action, subject) {
>> >    if ((action.id == "org.libvirt.api.network.stop" ||
>> >         action.id == "org.libvirt.api.network.delete" ||
>> >         action.id == "org.libvirt.api.network.write") &&
>> >        subject.user == "lolo") {
>> >        return polkit.Result.NO;
>> >    }
>> >});
>> >
>> >By default, shouldn't network access behave like domains or pools, which
>> >cannot be deleted?
>>
>> Can you not? The domain undefine API checks domain:delete ACL with the
>> domain name and network undefine API checks network:delete ACL with the
>> network name. I'll have to test it, but in the meantime could you try
>> reproducing that with the same polkit rules (obviously modified to fit
>> the domain/network difference)?
>>
>> >I tested it on Libvirt 9.0.0 and 10.0.0
>> >
>>
>> I did not find any difference between 9.0.0 and the current master with
>> a quick git-fu.
>>
>> I tested it on current git master and it works fine, the user can
>> undefine both the network and the domain, but only the one named as
>> specified.
>>
>> >If you can help me, I would really appreciate it.
>>
>> Be sure to check that both virtqemud and virtnetworkd use polkit as
>> their access driver in their respective configs.
>>
>> Have a nice day,
>> Martin
>>
>
3 days, 17 hours
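The reply above points out that the thread's network rule grants every network operation on every network because it never checks which network the action targets, unlike the domain rule that checks domain_name. The following is an added example, not code from the thread or from libvirt: a small offline harness that mocks the `polkit` object polkitd exposes to rule files (addRule, Result, action.lookup) so the two rule sets can be evaluated side by side before they are installed. It assumes polkit.Result.YES and NO are the strings "yes" and "no" and NOT_HANDLED is null, as in polkitd, and that network_name is the object attribute libvirt's ACL documentation lists for network objects, used here the way domain_name is used in the thread's domain rule. The user "lolo", domain "debian12" and network names "default" and "isolated" are constructed sample values.

```javascript
// Added example (not from the libvirt-users thread): an offline harness for
// libvirt polkit ACL rules. It mocks the `polkit` object that polkitd's
// JavaScript engine exposes to rule files, loads rules written in the same
// style as the thread, and evaluates them against constructed requests.
// Assumptions: polkit.Result.YES/NO are "yes"/"no" and NOT_HANDLED is null
// (as in polkitd); "network_name" is the attribute libvirt's ACL docs list
// for network objects. "lolo", "debian12", "default" and "isolated" are
// constructed sample values.

const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: null },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  reset() { this._rules = []; },
  // polkitd consults rules in registration order; the first rule returning
  // anything other than NOT_HANDLED (null/undefined) decides the action.
  evaluate(action, subject) {
    for (const rule of this._rules) {
      const r = rule(action, subject);
      if (r !== null && r !== undefined) return r;
    }
    return this.Result.NOT_HANDLED;
  },
};

// Mimic the action object polkitd hands to a rule: the action id plus a
// lookup() over the details libvirt attaches (connect_driver, domain_name,
// network_name, ...). A missing detail yields null.
function makeAction(id, details) {
  return { id, lookup: (key) => (key in details ? details[key] : null) };
}

// The per-domain rule from the thread, shared by both rule sets below.
function domainRule(action, subject) {
  if (action.id.indexOf("org.libvirt.api.domain.") == 0 &&
      subject.user == "lolo") {
    if (action.lookup("connect_driver") == "QEMU" &&
        action.lookup("domain_name") == "debian12") {
      return polkit.Result.YES;
    } else {
      return polkit.Result.NO;
    }
  }
}

// Rule set 1: the thread's original network rule. It never inspects which
// network the action targets, so "lolo" gets every network operation on
// every network.
function loadBroadRules() {
  polkit.reset();
  polkit.addRule(domainRule);
  polkit.addRule(function (action, subject) {
    if (action.id.indexOf("org.libvirt.api.network") == 0 &&
        subject.user == "lolo") {
      return polkit.Result.YES;
    }
  });
}

// Rule set 2: the same shape as the domain rule, scoped to one network, with
// the destructive operations the thread wanted to block folded into the same
// rule so that a single place decides network access for this user.
const DENIED_NETWORK_OPS = [
  "org.libvirt.api.network.stop",
  "org.libvirt.api.network.delete",
  "org.libvirt.api.network.write",
];

function loadScopedRules() {
  polkit.reset();
  polkit.addRule(domainRule);
  polkit.addRule(function (action, subject) {
    if (action.id.indexOf("org.libvirt.api.network.") == 0 &&
        subject.user == "lolo") {
      if (action.lookup("network_name") == "default" &&
          DENIED_NETWORK_OPS.indexOf(action.id) == -1) {
        return polkit.Result.YES;
      } else {
        return polkit.Result.NO;
      }
    }
  });
}

// Load a rule set and decide one action for one user. Returns "yes", "no",
// or null when no rule handled it (polkit then applies the action's
// defaults from its .policy file).
function decide(loadRules, actionId, details, user) {
  loadRules();
  return polkit.evaluate(makeAction(actionId, details), { user });
}

// Stand-alone run: contrast the two rule sets on the same requests.
const cases = [
  ["org.libvirt.api.network.delete", { network_name: "isolated" }, "lolo"],
  ["org.libvirt.api.network.start", { network_name: "default" }, "lolo"],
  ["org.libvirt.api.network.delete", { network_name: "default" }, "lolo"],
  ["org.libvirt.api.domain.start", { connect_driver: "QEMU", domain_name: "debian12" }, "lolo"],
];
for (const [id, details, user] of cases) {
  console.log(id, JSON.stringify(details), user,
    "broad=" + decide(loadBroadRules, id, details, user),
    "scoped=" + decide(loadScopedRules, id, details, user));
}
```

The harness only checks rule logic. As the reply notes, the daemon that actually serves the network API (virtnetworkd, or a monolithic libvirtd as in the Debian 12 packages discussed above) must be configured with the polkit access driver for any of these rules to be consulted, and the harness cannot tell you that.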
Network denied access
by Rodrigo Prieto
Hello,
I am configuring Polkit using an example I found on the web. It correctly
displays the assigned domain for a given user, but when I try to start the
VM, I get the following error:
error: Failed to start domain 'debian12'
error: access denied: 'network' denied access
Here is my configuration:
polkit.addRule(function(action, subject) {
    if (action.id == "org.libvirt.unix.manage" &&
        subject.user == "lolo") {
        return polkit.Result.YES;
    }
});
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.libvirt.api.domain.") == 0 &&
        subject.user == "lolo") {
        if (action.lookup("connect_driver") == 'QEMU' &&
            action.lookup("domain_name") == 'debian12') {
            return polkit.Result.YES;
        } else {
            return polkit.Result.NO;
        }
    }
});
To grant network access, I have to configure the following:
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.libvirt.api.network") == 0 &&
        subject.user == "lolo") {
        return polkit.Result.YES;
    }
});
The problem with the previous configuration is that it allows full access
to the network, requiring the following configuration:
polkit.addRule(function(action, subject) {
    if ((action.id == "org.libvirt.api.network.stop" ||
         action.id == "org.libvirt.api.network.delete" ||
         action.id == "org.libvirt.api.network.write") &&
        subject.user == "lolo") {
        return polkit.Result.NO;
    }
});
By default, shouldn't network access behave like domains or pools, which
cannot be deleted?
I tested it on Libvirt 9.0.0 and 10.0.0
If you can help me, I would really appreciate it.
4 days, 7 hours