virt-install 和 qemu-system-aarch64:无法创建 vmnet 接口:一般失败(可能没有足够的权限)

问题描述 投票:0回答:1

我正在尝试

virt-install
以下内容:

sudo virt-install \                             1
--name host1 \
--memory 2048 \
--vcpus 2 \
--disk size=30 \
--cdrom ./box.img \
--os-variant ubuntu22.04 \
--virt-type hvf \
--qemu-commandline='-M highmem=off -netdev vmnet-shared,id=net0 -device virtio-net-device,netdev=net0,mac=54:54:00:55:54:51' \
--network user

我收到以下错误:

ERROR    internal error: process exited while connecting to monitor: 2023-01-12T01:08:04.782892Z qemu-system-aarch64: -netdev vmnet-shared,id=net0: cannot create vmnet interface: general failure (possibly not enough privileges)

我尝试手动运行 libvirtd 并通过

brew services
运行,但遇到了相同的错误。

# when I run as a local user
/opt/homebrew/opt/libvirt/sbin/libvirtd -f /opt/homebrew/etc/libvirt/libvirtd.conf
# via homebrew services 
◼ ~ $ brew services
Name             Status  User File
libvirt          started root ~/Library/LaunchAgents/homebrew.mxcl.libvirt.plist

这是 libvirtd.conf:


# Master libvirt daemon configuration file
#

#################################################################
#
# Network connectivity controls
#

# Flag listening for secure TLS connections on the public TCP/IP port.
#
# To enable listening sockets with the 'libvirtd' daemon it's also required to
# pass the '--listen' flag on the commandline of the daemon.
# This is not needed with 'virtproxyd'.
#
# This setting is not required or honoured if using systemd socket
# activation.
#
# It is necessary to setup a CA and issue server certificates before
# using this capability.
#
# This is enabled by default, uncomment this to disable it
#listen_tls = 0

# Listen for unencrypted TCP connections on the public TCP/IP port.
#
# To enable listening sockets with the 'libvirtd' daemon it's also required to
# pass the '--listen' flag on the commandline of the daemon.
# This is not needed with 'virtproxyd'.
#
# This setting is not required or honoured if using systemd socket
# activation.
#
# Using the TCP socket requires SASL authentication by default. Only
# SASL mechanisms which support data encryption are allowed. This is
# DIGEST_MD5 and GSSAPI (Kerberos5)
#
# This is disabled by default, uncomment this to enable it.
#listen_tcp = 1



# Override the port for accepting secure TLS connections
# This can be a port number, or service name
#
# This setting is not required or honoured if using systemd socket
# activation.
#
#tls_port = "16514"

# Override the port for accepting insecure TCP connections
# This can be a port number, or service name
#
# This setting is not required or honoured if using systemd socket
# activation.
#
#tcp_port = "16509"


# Override the default configuration which binds to all network
# interfaces. This can be a numeric IPv4/6 address, or hostname
#
# This setting is not required or honoured if using systemd socket
# activation.
#
# If the libvirtd service is started in parallel with network
# startup (e.g. with systemd), binding to addresses other than
# the wildcards (0.0.0.0/::) might not be available yet.
#
#listen_addr = "192.168.0.1"


#################################################################
#
# UNIX socket access controls
#

# Set the UNIX domain socket group ownership. This can be used to
# allow a 'trusted' set of users access to management capabilities
# without becoming root.
#
# This setting is not required or honoured if using systemd socket
# activation.
#
# This is restricted to 'root' by default.
#unix_sock_group = "libvirt"

# Set the UNIX socket permissions for the R/O socket. This is used
# for monitoring VM status only
#
# This setting is not required or honoured if using systemd socket
# activation.
#
# Default allows any user. If setting group ownership, you may want to
# restrict this too.
unix_sock_ro_perms = "0777"

# Set the UNIX socket permissions for the R/W socket. This is used
# for full management of VMs
#
# This setting is not required or honoured if using systemd socket
# activation.
#
# Default allows only root. If PolicyKit is enabled on the socket,
# the default will change to allow everyone (eg, 0777)
#
# If not using PolicyKit and setting group ownership for access
# control, then you may want to relax this too.
unix_sock_rw_perms = "0770"

# Set the UNIX socket permissions for the admin interface socket.
#
# This setting is not required or honoured if using systemd socket
# activation.
#
# Default allows only owner (root), do not change it unless you are
# sure to whom you are exposing the access to.
unix_sock_admin_perms = "0700"

# Set the name of the directory in which sockets will be found/created.
#
# This setting is not required or honoured if using systemd socket
# activation.
#
unix_sock_dir = "/opt/homebrew/var/run/libvirt"



#################################################################
#
# Authentication.
#
# There are the following choices available:
#
#  - none: do not perform auth checks. If you can connect to the
#          socket you are allowed. This is suitable if there are
#          restrictions on connecting to the socket (eg, UNIX
#          socket permissions), or if there is a lower layer in
#          the network providing auth (eg, TLS/x509 certificates)
#
#  - sasl: use SASL infrastructure. The actual auth scheme is then
#          controlled from /opt/homebrew/etc/sasl2/libvirt.conf. For the TCP
#          socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
#          For non-TCP or TLS sockets, any scheme is allowed.
#
#  - polkit: use PolicyKit to authenticate. This is only suitable
#            for use on the UNIX sockets. The default policy will
#            require a user to supply their own password to gain
#            full read/write access (aka sudo like), while anyone
#            is allowed read/only access.
#

# Set an authentication scheme for UNIX read-only sockets
#
# By default socket permissions allow anyone to connect
#
# If libvirt was compiled without support for 'polkit', then
# no access control checks are done, but libvirt still only
# allows execution of APIs which don't change state.
#
# If libvirt was compiled with support for 'polkit', then
# the libvirt socket will perform a check with polkit after
# connections. The default policy still allows any local
# user access.
#
# To restrict monitoring of domains you may wish to either
# enable 'sasl' here, or change the polkit policy definition.
#auth_unix_ro = "none"

# Set an authentication scheme for UNIX read-write sockets.
#
# If libvirt was compiled without support for 'polkit', then
# the systemd .socket files will use SocketMode=0600 by default
# thus only allowing root user to connect, and 'auth_unix_rw'
# will default to 'none'.
#
# If libvirt was compiled with support for 'polkit', then
# the systemd .socket files will use SocketMode=0666 which
# allows any user to connect and 'auth_unix_rw' will default
# to 'polkit'. If you disable use of 'polkit' here, then it
# is essential to change the systemd SocketMode parameter
# back to 0600, to avoid an insecure configuration.
#
#auth_unix_rw = "none"

# Change the authentication scheme for TCP sockets.
#
# If you don't enable SASL, then all TCP traffic is cleartext.
# Don't do this outside of a dev/test scenario. For real world
# use, always enable SASL and use the GSSAPI or DIGEST-MD5
# mechanism in /opt/homebrew/etc/sasl2/libvirt.conf
#auth_tcp = "sasl"

# Change the authentication scheme for TLS sockets.
#
# TLS sockets already have encryption provided by the TLS
# layer, and limited authentication is done by certificates
#
# It is possible to make use of any SASL authentication
# mechanism as well, by using 'sasl' for this option
#auth_tls = "none"

# Enforce a minimum SSF value for TCP sockets
#
# The default minimum is currently 56 (single-DES) which will
# be raised to 112 in the future.
#
# This option can be used to set values higher than 112
#tcp_min_ssf = 112


# Change the API access control scheme
#
# By default an authenticated user is allowed access
# to all APIs. Access drivers can place restrictions
# on this. By default the 'nop' driver is enabled,
# meaning no access control checks are done once a
# client has authenticated with libvirtd
#
#access_drivers = [ "polkit" ]

#################################################################
#
# TLS x509 certificate configuration
#

# Use of TLS requires that x509 certificates be issued. The default locations
# for the certificate files is as follows:
#
#   /opt/homebrew/etc/pki/CA/cacert.pem - The CA master certificate
#   /opt/homebrew/etc/pki/libvirt/servercert.pem - The server certificate signed by cacert.pem
#   /opt/homebrew/etc/pki/libvirt/private/serverkey.pem - The server private key
#
# It is possible to override the default locations by altering the 'key_file',
# 'cert_file', and 'ca_file' values and uncommenting them below.
#
# NB, overriding the default of one location requires uncommenting and
# possibly additionally overriding the other settings.
#

# Override the default server key file path
#
#key_file = "/opt/homebrew/etc/pki/libvirt/private/serverkey.pem"

# Override the default server certificate file path
#
#cert_file = "/opt/homebrew/etc/pki/libvirt/servercert.pem"

# Override the default CA certificate path
#
#ca_file = "/opt/homebrew/etc/pki/CA/cacert.pem"

# Specify a certificate revocation list.
#
# Defaults to not using a CRL, uncomment to enable it
#crl_file = "/opt/homebrew/etc/pki/CA/crl.pem"



#################################################################
#
# Authorization controls
#


# Flag to disable verification of our own server certificates
#
# When libvirtd starts it performs some sanity checks against
# its own certificates.
#
# Default is to always run sanity checks. Uncommenting this
# will disable sanity checks which is not a good idea
#tls_no_sanity_certificate = 1

# Flag to disable verification of client certificates
#
# Client certificate verification is the primary authentication mechanism.
# Any client which does not present a certificate signed by the CA
# will be rejected.
#
# Default is to always verify. Uncommenting this will disable
# verification.
#tls_no_verify_certificate = 1


# An access control list of allowed x509 Distinguished Names
# This list may contain wildcards such as
#
#    "C=GB,ST=London,L=London,O=Red Hat,CN=*"
#
# Any * matches any number of consecutive spaces, like a simplified glob(7).
#
# The format of the DN for a particular certificate can be queried
# using:
#
#    virt-pki-query-dn clientcert.pem
#
# NB If this is an empty list, no client can connect, so comment out
# entirely rather than using empty list to disable these checks
#
# By default, no DN's are checked
#tls_allowed_dn_list = ["DN1", "DN2"]


# Override the compile time default TLS priority string. The
# default is usually "NORMAL" unless overridden at build time.
# Only set this is it is desired for libvirt to deviate from
# the global default settings.
#
#tls_priority="NORMAL"


# An access control list of allowed SASL usernames. The format for username
# depends on the SASL authentication mechanism. Kerberos usernames
# look like username@REALM
#
# This list may contain wildcards such as
#
#    "*@EXAMPLE.COM"
#
# See the g_pattern_match function for the format of the wildcards.
#
# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html
#
# NB If this is an empty list, no client can connect, so comment out
# entirely rather than using empty list to disable these checks
#
# By default, no Username's are checked
#sasl_allowed_username_list = ["[email protected]", "[email protected]" ]


#################################################################
#
# Processing controls
#

# The maximum number of concurrent client connections to allow
# over all sockets combined.
#max_clients = 5000

# The maximum length of queue of connections waiting to be
# accepted by the daemon. Note, that some protocols supporting
# retransmission may obey this so that a later reattempt at
# connection succeeds.
#max_queued_clients = 1000

# The maximum length of queue of accepted but not yet
# authenticated clients. The default value is 20. Set this to
# zero to turn this feature off.
#max_anonymous_clients = 20

# The minimum limit sets the number of workers to start up
# initially. If the number of active clients exceeds this,
# then more threads are spawned, up to max_workers limit.
# Typically you'd want max_workers to equal maximum number
# of clients allowed
#min_workers = 5
#max_workers = 20


# The number of priority workers. If all workers from above
# pool are stuck, some calls marked as high priority
# (notably domainDestroy) can be executed in this pool.
#prio_workers = 5

# Limit on concurrent requests from a single client
# connection. To avoid one client monopolizing the server
# this should be a small fraction of the global max_workers
# parameter.
#max_client_requests = 5

# Same processing controls, but this time for the admin interface.
# For description of each option, be so kind to scroll few lines
# upwards.

#admin_min_workers = 1
#admin_max_workers = 5
#admin_max_clients = 5
#admin_max_queued_clients = 5
#admin_max_client_requests = 5

#################################################################
#
# Logging controls
#

# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
# basically 1 will log everything possible
#
# WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
#
# WARNING: It outputs too much information to practically read.
# WARNING: The "log_filters" setting is recommended instead.
#
# WARNING: Journald applies rate limiting of messages and so libvirt
# WARNING: will limit "log_level" to only allow values 3 or 4 if
# WARNING: journald is the current output.
#
# WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
#log_level = 3

# Logging filters:
# A filter allows to select a different logging level for a given category
# of logs. The format for a filter is:
#
#    level:match
#
# where 'match' is a string which is matched against the category
# given in the VIR_LOG_INIT() at the top of each libvirt source
# file, e.g., "remote", "qemu", or "util.json". The 'match' in the
# filter matches using shell wildcard syntax (see 'man glob(7)').
# The 'match' is always treated as a substring match. IOW a match
# string 'foo' is equivalent to '*foo*'.
#
# 'level' is the minimal level where matching messages should
#  be logged:
#
#    1: DEBUG
#    2: INFO
#    3: WARNING
#    4: ERROR
#
# Multiple filters can be defined in a single @log_filters, they just need
# to be separated by spaces. Note that libvirt performs "first" match, i.e.
# if there are concurrent filters, the first one that matches will be applied,
# given the order in @log_filters.
#
# A typical need is to capture information from a hypervisor driver,
# public API entrypoints and some of the utility code. Some utility
# code is very verbose and is generally not desired. Taking the QEMU
# hypervisor as an example, a suitable filter string for debugging
# might be to turn off object, json & event logging, but enable the
# rest of the util code:
#
#log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util"

# Logging outputs:
# An output is one of the places to save logging information
# The format for an output can be:
#    level:stderr
#      output goes to stderr
#    level:syslog:name
#      use syslog for the output and use the given name as the ident
#    level:file:file_path
#      output to a file, with the given filepath
#    level:journald
#      output to journald logging system
# In all cases 'level' is the minimal priority, acting as a filter
#    1: DEBUG
#    2: INFO
#    3: WARNING
#    4: ERROR
#
# Multiple outputs can be defined, they just need to be separated by spaces.
# e.g. to log all warnings and errors to syslog under the libvirtd ident:
#log_outputs="3:syslog:libvirtd"


##################################################################
#
# Auditing
#
# This setting allows usage of the auditing subsystem to be altered:
#
#   audit_level == 0  -> disable all auditing
#   audit_level == 1  -> enable auditing, only if enabled on host (default)
#   audit_level == 2  -> enable auditing, and exit if disabled on host
#
#audit_level = 2
#
# If set to 1, then audit messages will also be sent
# via libvirt logging infrastructure. Defaults to 0
#
#audit_logging = 1

###################################################################
# UUID of the host:
# Host UUID is read from one of the sources specified in host_uuid_source.
#
# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid'
# - 'machine-id': fetch the UUID from /etc/machine-id
#
# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide
# a valid UUID a temporary UUID will be generated.
#
# Another option is to specify host UUID in host_uuid.
#
# Keep the format of the example UUID below. UUID must not have all digits
# be the same.

# NB This default all-zeros UUID will not work. Replace
# it with the output of the 'uuidgen' command and then
# uncomment this entry
#host_uuid = "00000000-0000-0000-0000-000000000000"
#host_uuid_source = "smbios"

###################################################################
# Keepalive protocol:
# This allows libvirtd to detect broken client connections or even
# dead clients.  A keepalive message is sent to a client after
# keepalive_interval seconds of inactivity to check if the client is
# still responding; keepalive_count is a maximum number of keepalive
# messages that are allowed to be sent to the client without getting
# any response before the connection is considered broken.  In other
# words, the connection is automatically closed approximately after
# keepalive_interval * (keepalive_count + 1) seconds since the last
# message received from the client.  If keepalive_interval is set to
# -1, libvirtd will never send keepalive requests; however clients
# can still send them and the daemon will send responses.  When
# keepalive_count is set to 0, connections will be automatically
# closed after keepalive_interval seconds of inactivity without
# sending any keepalive messages.
#
#keepalive_interval = 5
#keepalive_count = 5

#
# These configuration options are no longer used.  There is no way to
# restrict such clients from connecting since they first need to
# connect in order to ask for keepalive.
#
#keepalive_required = 1
#admin_keepalive_required = 1

# Keepalive settings for the admin interface
#admin_keepalive_interval = 5
#admin_keepalive_count = 5

###################################################################
# Open vSwitch:
# This allows to specify a timeout for openvswitch calls made by
# libvirt. The ovs-vsctl utility is used for the configuration and
# its timeout option is set by default to 5 seconds to avoid
# potential infinite waits blocking libvirt.
#
#

现在,为了确保这是一个权限错误,我运行了:

qemu-system-aarch64 -netdev vmnet-shared,id=net0 -machine virt-2.10

它重现了错误,但是:

sudo qemu-system-aarch64 -netdev vmnet-shared,id=net0 -machine virt-2.10

打开一个 qemu 窗口,我得到:

qemu-system-aarch64: warning: netdev net0 has no peer

好吧,我如何修复 Mac OS 上通过自制程序安装的 libvirt?

$ brew info libvirt                               1
==> libvirt: stable 8.10.0 (bottled), HEAD
C virtualization API
https://libvirt.org/
/opt/homebrew/Cellar/libvirt/8.10.0 (587 files, 40.8MB) *
  Poured from bottle on 2023-01-11 at 19:20:38
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/libvirt.rb
License: LGPL-2.1-or-later and GPL-2.0-or-later
==> Dependencies
Build: docutils ✘, meson ✘, ninja ✘, perl ✘, pkg-config ✔, [email protected] ✔, rpcgen ✘
Required: gettext ✔, glib ✔, gnu-sed ✔, gnutls ✔, grep ✔, libgcrypt ✔, libiscsi ✔, libssh2 ✔, yajl ✔
==> Options
--HEAD
    Install HEAD version
==> Caveats
To restart libvirt after an upgrade:
  brew services restart libvirt
Or, if you don't want/need a background service you can just run:
  /opt/homebrew/opt/libvirt/sbin/libvirtd -f /opt/homebrew/etc/libvirt/libvirtd.conf
==> Analytics
install: 4,452 (30 days), 18,333 (90 days), 69,415 (365 days)
install-on-request: 3,222 (30 days), 13,494 (90 days), 52,022 (365 days)
build-error: 4 (30 days)

更新

也许我已经找到了问题的根源在这里,如果有人可以确认的话

qemu libvirt
1个回答
0
投票

嗨,抱歉,我知道这已经有一段时间了,但我正在设置几年来的第一台 Mac,我正在经历这个过程。我想首先澄清一下 qemu 和 libvirtd 之间的区别。使用 qemu-system-* 手动运行机器实际上不会接触 libvirt,因此它的版本不会影响这里的行为。通过 libvirt/virt-manager 运行 QEMU VM 将会产生影响,因为 libvirt 将根据 VM 的 XML 配置决定要运行的 qemu 命令。

这里有两个问题。首先是您发现的权限问题。您可以以 root 身份运行 QEMU(不理想),也可以出于我的目的并使用 libvirt,只需更改 libvirtd 套接字上的权限以允许管理员访问(无论如何我的管理员都有 sudo):

sudo chmod 760 /opt/homebrew/var/run/libvirt/libvirt-sock

现在管理员可以访问 QEMU:///system 路径,而不仅仅是用户的 QEMU:///session。这与 Linux 不同,Linux 有专门的小组来处理此类事情。 Homebrew 附带 root:admins 拥有的套接字,具有 0700 安全权限,类似于早期仅允许 root 的 Docker 套接字。请注意向管理员开放此套接字并让您的 QEMU VM 以提升的权限/root 运行的任何安全问题。

第二个问题是您没有声明连接 netdev 的设备,那么它是 PCI 插槽吗?什么巴士?不幸的是,QEMU 并不总是清楚地说明这一点,但 virt-manager 在使用 libvirt 时通过有用的 GUI 使其变得更容易。

如果您使用 netdev 添加设备,它应该可以工作。这里我选择默认总线上的 PCI 插槽 8。更改为您想要的任何可用 PCI 插槽。

sudo qemu-system-aarch64 -device virtio-net,netdev=net0,mac=[create your MAC],addr=0x8 -netdev vmnet-shared,id=net0 -machine virt-2.10

另请注意,目前自制软件上的 libvirt 附带的 virt-manager 和 libvirt 域架构实际上还不支持 Mac

vmnet*
设备类型。我实际上尝试自己编辑这些内容,但有些东西仍然没有效果,因此需要进一步挖掘。同时,您可以在 virt-manager 中手动编辑 libvirt VM XML 以添加手动 qemu 参数来添加它们。

首先,您可能需要手动将架构设置为 XML 顶部的官方 QEMU 架构:

<domain xmlns:qemu="http://libvirt.org/schemas/domain/qemu/1.0" type="hvf">

然后在域的底部您可以手动添加任意参数:

<qemu:commandline>
  <qemu:arg value="-device"/>
  <qemu:arg value="virtio-net,netdev=example1,mac=52:54:00:9b:b7:34,addr=0xA"/>
  <qemu:arg value="-netdev"/>
  <qemu:arg value="vmnet-host,id=example1/>
</qemu:commandline

谁不喜欢一点怀旧的 XML,对吗?它很丑陋,但直到架构在 Homebrew 中添加 vmnet* 支持之前,这就是在 Mac libvirt 上添加具有主机虚拟机访问功能的额外 NIC 所需要的。您可以通过

ps -ef | grep qemu
验证命令是否正确运行,以查看它实际如何运行。否则 virt-manager 或 libvirt 将抛出 python 堆栈跟踪,直到它理解您要执行的操作。

我的 Mac 中的域架构存储在

/opt/homebrew/Cellar/libvirt/9.8.0/share/libvirt/schemas/domaincommon.rng
中,但向其中添加 vmnet-host 对我来说不起作用,因为其他一些系统似乎双重阻止了我。我已经习惯了 Linux 打包,所以如果有人可以参与的话,也许会发生其他事情。

© www.soinside.com 2019 - 2024. All rights reserved.