netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

dnsmasq: libvirtd cannot start NAT interface: PATH environment variable not set #5137

Closed rsramkis closed 2 years ago

rsramkis commented 2 years ago

### Description

The default libvirt NAT network fails to start (even after applying the dnsmasq.profile which was in fix 5089).

Appears to be related to: https://github.com/netblue30/firejail/issues/5089

### Steps to Reproduce

  1. Replace the dnsmasq.profile with the latest one in the repository:

https://github.com/netblue30/firejail/blob/master/etc/profile-a-l/dnsmasq.profile

  2. Open a terminal and try to start the NAT network interface:

sudo virsh net-start default

  3. Then the following error will show:

error: Failed to start network default
error: internal error: Child process (VIR_BRIDGE_NAME=virbr0 /usr/local/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper) unexpected exit status 1: Error: PATH environment variable not set

### Expected behavior

  1. The NAT Network interface should start and go active.

❯ sudo virsh net-start default
Network default started

~ ❯ sudo virsh net-list --all
 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes


### Actual behavior

The NAT Network interface fails to go active when firejail is enabled.

### Environment

Linux info:

OS: EndeavourOS Linux x86_64 Kernel: 5.15.37-1-lts Shell: zsh 5.8.1 DE: GNOME 42.1 WM: Mutter


 firejail --version

firejail version 0.9.68

Compile time support:

### Checklist


EDIT by @rusty-snake: Fix check-boxes

rsramkis commented 2 years ago

Is there anything else I should get for you to help troubleshoot the cause of the issue?

rusty-snake commented 2 years ago

Try to comment dnsmasq.profile line for line to find more.

rsramkis commented 2 years ago

Hi Rusty-snake,

I'll need more guidance on what you would like me to comment out in the dnsmasq.profile.

I ran the command:

 sudo LC_ALL=C firejail /usr/bin/dnsmasq
[sudo] password for user:

dnsmasq: failed to create listening socket for port 53: Address already in use

I then grabbed the follow debug:

LC_ALL=C firejail --debug /usr/bin/dnsmasq

(See attachment) firejail-dnsmasq-debug.txt

rusty-snake commented 2 years ago
  1. Comment everything in dnsmasq.profile
  2. Make sure sudo virsh ... works as expected.
  3. Uncomment a line in dnsmasq.profile
  4. Try if sudo virsh ... works.
  5. Go to step 3.
  6. Find the line which breaks it.
rsramkis commented 2 years ago

I did some testing today which leads me to believe the dnsmasq.profile is not causing the issue.

Test 1 - Firejail enabled, dnsmask.profile renamed to dnsmask.profile.old

(a) Firejail is enabled (sudo firecfg).

(b) Rename dnsmask.profile to dnsmask.profile.old.

(c) Reboot Computer.

(d) Login. From Terminal run the following command to check the virtual Network status:

sudo virsh net-list --all
[sudo] password for rsruser:
 Name      State    Autostart   Persistent
--------------------------------------------
 default   inactive   yes         yes

Test 2 - Disable Firejail and verify Virtual Network Starts (active):

(a) Disable Firejail (sudo firecfg --clean).

(b) Reboot Computer and login to system.

(c) From Terminal run the following command to check the network status.

sudo virsh net-list --all
[sudo] password for user:
 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes

I am assuming here that renaming the profile to dnsmask.profile.old means it is not loaded at all.

I also confirmed the ~/.config/firejail only has the file steam.profile in it.

rusty-snake commented 2 years ago

> I am assuming here that renaming the profile to dnsmask.profile.old means it is not loaded at all.

If there is no dnsmasq.profile, server.profile (root) / default.profile (non-root) is used. You can create an empty dnsmasq.profile to not load anything. (I assume the dnsmas(q|m) typo is only in your post).

> I also confirmed the ~/.config/firejail only has the file steam.profile in it.

~/.config/firejail of which user? If virsh starts dnsmasq as root, firejail will look into /root/.config/firejail and if it starts dnsmasq as virsh-dnsmasq-user firejail will try this home dir.

rsramkis commented 2 years ago

> If there is no dnsmasq.profile, server.profile (root) / default.profile (non-root) is used. You can create an empty dnsmasq.profile to not load anything. (I assume the dnsmas(q|m) typo is only in your post).

In my post above I spelled dnsmasq.profile wrong. Here is the command showing that I have the correct name.

[root@mani firejail]# pwd
/etc/firejail

[root@mani firejail]# ls dnsmasq*
dnsmasq.profile.old

I used the su command to sign in as root. Then I went to the ~/root/.config directory and saw no ~/home/.config/firejail.

[root@mani .config]# ls
bleachbit  cpupower_gui  diffuse  geany  gtk-3.0  nautilus  pulse

I see a server.profile in the /etc/firejail directory. I will rename this server.profile.org and re-test.

rsramkis commented 2 years ago

I re-tested by renaming the server.profile to server.profile.org and still the virtual network failed to start when firejail was enabled. Below is the flow of the test:

[sudo] password for user:
Name:           default
UUID:           a96495c0-e476-44bc-b888-9421b7d12fd1
Active:         no
Persistent:     yes
Autostart:      yes
Bridge:         virbr0

~ took 4s
❯ sudo virsh net-start default
error: Failed to start network default
error: internal error: Child process (VIR_BRIDGE_NAME=virbr0 /usr/local/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper) unexpected exit status 1: Error: PATH environment variable not set

sudo firecfg --clean
Removing all firejail symlinks:
   man removed
   gnome-weather removed
   signal-desktop removed
   lomath removed
   calibre removed
   ebook-convert removed
   wireshark removed
   clamdtop removed
   inkview removed
   zaproxy removed
   bleachbit removed
   youtube-dl removed
   gnome-calculator removed
   qbittorrent removed
   strings removed
   clamscan removed
   com.github.tchx84.Flatseal removed
   mpg123-strip removed
   steam-runtime removed
   firefox removed
   gimp removed
   enchant-lsmod-2 removed
   out123 removed
   celluloid removed
   loimpress removed
   gnome-contacts removed
   enchant-2 removed
   pavucontrol removed
   ffplay removed
   flameshot removed
   gnome-font-viewer removed
   lodraw removed
   mediainfo removed
   krita removed
   vivaldi-stable removed
   steam removed
   conplay removed
   baobab removed
   mpv removed
   ffprobe removed
   gnome-nettool removed
   ebook-polish removed
   pdftotext removed
   libreoffice removed
   clamdscan removed
   gimp-2.10 removed
   gcalccmd removed
   secret-tool removed
   host removed
   xournalpp removed
   lowriter removed
   loweb removed
   clamtk removed
   mpg123 removed
   localc removed
   ssh removed
   meld removed
   ffmpegthumbnailer removed
   tracker removed
   geany removed
   dnsmasq removed
   skypeforlinux removed
   spotify removed
   display removed
   steam-native removed
   telnet removed
   drill removed
   nslookup removed
   eog removed
   lobase removed
   yelp removed
   checkbashisms removed
   gnome-logs removed
   clementine removed
   img2txt removed
   evince-thumbnailer removed
   qt-faststart removed
   file-roller removed
   dconf-editor removed
   whois removed
   ebook-meta removed
   ftp removed
   gapplication removed
   soffice removed
   evince-previewer removed
   lofromtemplate removed
   inkscape removed
   unbound removed
   wget removed
   patch removed
   freshclam removed
   mpg123-id3dump removed
   gnome-calendar removed
   ebook-edit removed
   darktable removed
   wine removed
   conky removed
   evince removed
   thunderbird removed
   ebook-viewer removed
   tshark removed
   gnome-clocks removed
   dig removed
   loffice removed
   yt-dlp removed

~
❯ sudo virsh net-start default
Network default started

~
❯ sudo virsh net-list --all
 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes
rusty-snake commented 2 years ago

> I re-tested by renaming the server.profile to server.profile.org and still the virtual network failed to start when firejail was enabled. Below is the flow of the test:

  1. Is dnsmasq started as root? Otherwise this test is useless.
  2. IDK how firejail behaves if you remove the fallback profiles. Instead you should replace them with an empty file.
rsramkis commented 2 years ago

So I went ahead and made two blank files for the profiles:

I rebooted the system and still the same error:

[sudo] password for user:
Name:           default
UUID:           a96495c0-e476-44bc-b888-9421b7d12fd1
Active:         no
Persistent:     yes
Autostart:      yes
Bridge:         virbr0

sudo virsh net-start default
error: Failed to start network default
error: internal error: Child process (VIR_BRIDGE_NAME=virbr0 /usr/local/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper) unexpected exit status 1: Error: PATH environment variable not set

As you requested I did check the dnsmasq.service but it is not started (with firejail enabled\disabled).

 sudo systemctl status dnsmasq.service
○ dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
     Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; vendor preset: >
     Active: inactive (dead)
       Docs: man:dnsmasq(8)

journalctl -u dnsmasq.service
-- No entries --

 dnsmasq --test
dnsmasq: syntax check OK.

I was reading on the Arch Wiki (https://wiki.archlinux.org/title/Libvirt) that libvirt utilizes dnsmasq as part of its virtual network. Specifically:

> Note: libvirt handles DHCP and DNS with [dnsmasq](https://archlinux.org/packages/?name=dnsmasq), launching a separate instance for every virtual network. It also adds iptables rules for proper routing, and enables the ip_forward kernel parameter. This also means that having dnsmasq running on the host system is not necessary to support libvirt requirements (and could interfere with libvirt dnsmasq instances).

I also checked the /etc/dnsmasq.conf file and everything was commented out. So I'm not sure what the next step is as I cannot prove how\when\who the dnsmasq.service is started.

rusty-snake commented 2 years ago

> As you requested I did check the dnsmasq.service but it is not started (with firejail enabled\disabled).

Where did I? How does dnsmasq.service relate here?

Note: libvirtd starts its own instance of dnsmasq.

> /etc/dnsmasq.conf

Is never read by the libvirtd dnsmasq instance. See --conf-file=/var/lib/libvirt/... in your logs.

> dnsmasq.service

See above.

rsramkis commented 2 years ago

I am not sure how to check who is starting dnsmasq?

When I go to /var/lib/libvirt/dnsmasq I do see the default.conf.

##WARNING:  THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
##OVERWRITTEN AND LOST.  Changes to this configuration should be made using:
##    virsh net-edit default
## or other application using the libvirt API.
##
## dnsmasq conf file created by libvirt
strict-order
pid-file=/run/libvirt/network/default.pid
except-interface=lo
bind-dynamic
interface=virbr0
dhcp-range=192.168.122.2,192.168.122.254,255.255.255.0
dhcp-no-override
dhcp-authoritative
dhcp-lease-max=253
dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile
addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts
rsramkis commented 2 years ago

I decided to circle back a little and check the journals. So on boot you can see when the error occurs when trying to enable the virtual network:

With Firejail Disabled:

journalctl -b | grep libvirt
May 19 13:12:45 mani audit[471]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="dnsmasq//libvirt_leaseshelper" pid=471 comm="apparmor_parser"
May 19 13:12:46 mani audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=libvirtd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 19 13:12:46 mani dnsmasq[696]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
May 19 13:12:46 mani dnsmasq-dhcp[696]: read /var/lib/libvirt/dnsmasq/default.hostsfile

With Firejail Enabled:

❯ journalctl -b | grep libvirt
May 19 13:08:25 mani audit[468]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="dnsmasq//libvirt_leaseshelper" pid=468 comm="apparmor_parser"
May 19 13:08:26 mani audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=libvirtd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 19 13:08:27 mani libvirtd[554]: libvirt version: 8.3.0
May 19 13:08:27 mani libvirtd[554]: hostname: mani
May 19 13:08:27 mani libvirtd[554]: internal error: Child process (VIR_BRIDGE_NAME=virbr0 /usr/local/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper) unexpected exit status 1: Error: PATH environment variable not set
rusty-snake commented 2 years ago

> I am not sure how to check who is starting dnsmasq?

Start it successfully (w/o firejail) and use something like ps -f -C dnsmasq.

rsramkis commented 2 years ago

When I first boot with firejail disabled and no VM started this is what is running:

❯ ps -f -C dnsmasq
UID          PID    PPID  C STIME TTY          TIME CMD
nobody       704       1  0 08:18 ?        00:00:00 /usr/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
root         705     704  0 08:18 ?        00:00:00 /usr/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper

I did start a virtual machine after to confirm I had network connectivity. There was no additional PID added.

rusty-snake commented 2 years ago

If you look for dnsmasq in ps -f -H, what does it look like?

libvirt
  dnsmasq (root)
    dnsmasq (nobody)

?


You can use sudo firemon to see who(/when/...) starts a firejail sandbox.


> PATH environment variable not set

Why is it not set?

rsramkis commented 2 years ago
  1. If you look for dnsmasq in ps -f -H, what does it look like?

Looks like this when firejail is disabled.

❯ ps -efH
UID          PID    PPID  C STIME TTY          TIME CMD
nobody       700       1  0 08:58 ?        00:00:00   /usr/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
root         701     700  0 08:58 ?        00:00:00     /usr/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper

  2. Why is the PATH environment not set?

Is it possible that firejail is not allowing access to "/var/lib/libvirt/dnsmasq/default.conf"?

  3. You can use sudo firemon to see who(/when/...) starts a firejail sandbox.

So are the correct steps:

(a) Enable Firejail.

(b) Open Terminal and start firemon (sudo firemon).

(c) Then in separate terminal try to start the virtual network with "sudo virsh net-start default".

rusty-snake commented 2 years ago

> Is it possible that firejail is not allowing access to "/var/lib/libvirt/dnsmasq/default.conf"?

What has this to do with that?


Summary of the problem so far:

=> Check your system configuration to make sure $PATH is set.

rsramkis commented 2 years ago

This is the PATH I have set:

❯ echo $PATH
/home/user/.nvm/versions/node/v16.15.0/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/var/lib/flatpak/exports/bin:/usr/lib/jvm/default/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:/usr/lib/jvm/default/bin:/usr/lib/jvm/default/bi

Then I ran which:

which dnsmasq
/usr/local/bin/dnsmasq

which libvirtd
/usr/bin/libvirtd

I am guessing here (I don't know the ins and outs of firejail). So should I be adding to the dnsmasq.profile the following lines:

noblacklist /usr/local/bin/dnsmasq
noblacklist /usr/bin/libvirtd
rusty-snake commented 2 years ago

> This is the PATH I have set:

That is your terminal, but this does not matter because libvirtd/dnsmasq/firejail is not running as a child of this shell.

> I am guessing here (I don't know the ins and outs of firejail). So should I be adding to the dnsmasq.profile the following lines:

No, you don't need to do anything with firejail profiles.

This is not a firejail issue, it is an issue with your configuration of the part which starts dnsmasq/libvirtd.

rsramkis commented 2 years ago

> This is not a firejail issue, it is an issue with your configuration of the part which starts dnsmasq/libvirtd.

So let's put aside that with firejail disabled I can stop and start the NAT service with:

sudo virsh net-destroy default
sudo virsh net-start default

Are you suggesting I add something to the PATH or modify a configuration file? I can test whatever you suggest.

rusty-snake commented 2 years ago

How is libvirtd started? By systemd? If so make sure it is started with a minimal $PATH (e.g. /usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin).

This assumes dnsmasq is started by libvirtd via fork-exec.

rsramkis commented 2 years ago

I do have the libvirtd.service enabled in systemd. I used the suggested configuration here: https://wiki.archlinux.org/title/Libvirt

When I have firejail disabled this is what I see checking the service:

 sudo systemctl status libvirtd.service
● libvirtd.service - Virtualization daemon
     Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2022-05-20 11:03:53 EDT; 1min 7s ago
TriggeredBy: ● libvirtd-admin.socket
             ● libvirtd-ro.socket
             ● libvirtd.socket
       Docs: man:libvirtd(8)
             https://libvirt.org
   Main PID: 547 (libvirtd)
      Tasks: 21 (limit: 32768)
     Memory: 30.0M
        CPU: 436ms
     CGroup: /system.slice/libvirtd.service
             ├─ 547 /usr/bin/libvirtd --timeout 120
             ├─ 705 /usr/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
             └─ 706 /usr/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper

May 20 11:03:53 mani dnsmasq[705]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC loop-detect inotify dumpfile
May 20 11:03:53 mani dnsmasq-dhcp[705]: DHCP, IP range 192.168.122.2 -- 192.168.122.254, lease time 1h
May 20 11:03:53 mani dnsmasq-dhcp[705]: DHCP, sockets bound exclusively to interface virbr0
May 20 11:03:53 mani dnsmasq[705]: reading /etc/resolv.conf
May 20 11:03:53 mani dnsmasq[705]: using nameserver 127.0.0.1#53
May 20 11:03:53 mani dnsmasq[705]: read /etc/hosts - 5 addresses
May 20 11:03:53 mani dnsmasq[705]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
May 20 11:03:53 mani dnsmasq-dhcp[705]: read /var/lib/libvirt/dnsmasq/default.hostsfile
May 20 11:03:57 mani dnsmasq[705]: reading /etc/resolv.conf
May 20 11:03:57 mani dnsmasq[705]: using nameserver 127.0.0.1#53

~
❯ sudo virsh net-list --all
 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes

So everything is functional in the service. But when I enable firejail the service output changes to:


❯ sudo systemctl status libvirtd.service
● libvirtd.service - Virtualization daemon
     Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2022-05-20 10:59:10 EDT; 2min 12s ago
TriggeredBy: ● libvirtd.socket
             ● libvirtd-admin.socket
             ● libvirtd-ro.socket
       Docs: man:libvirtd(8)
             https://libvirt.org
   Main PID: 553 (libvirtd)
      Tasks: 19 (limit: 32768)
     Memory: 28.5M
        CPU: 490ms
     CGroup: /system.slice/libvirtd.service
             └─ 553 /usr/bin/libvirtd --timeout 120

May 20 10:59:10 mani systemd[1]: Starting Virtualization daemon...
May 20 10:59:10 mani systemd[1]: Started Virtualization daemon.
May 20 10:59:11 mani libvirtd[553]: libvirt version: 8.3.0
May 20 10:59:11 mani libvirtd[553]: hostname: mani
May 20 10:59:11 mani libvirtd[553]: internal error: Child process (VIR_BRIDGE_NAME=virbr0 /usr/local/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/li>
rusty-snake commented 2 years ago

systemctl show-environment | grep PATH?

rsramkis commented 2 years ago

❯ systemctl show-environment | grep PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/bin

rusty-snake commented 2 years ago

Ok, now I'm out of ideas.

Try to install a script in $PATH named dnsmasq before any other dnsmasq (so libvirtd will pick it) and use it to gather more information.

rsramkis commented 2 years ago

I know this was all working before as I had set up libvirtd on 01-10-2022, and firejail I have been running for maybe 3 years. But like usual libvirt changed in one of the upgrades and I assume the application's behaviour has changed. You would think other people would have reported this too (as defect 5089 was mentioned in the Arch forums).

As a temporary work around to get the NAT network working I can:

  1. Disable Firejail.

  2. Start the NAT service manually ( sudo virsh net-start default)

  3. Then re-enable Firejail.

This allows the Virtual machines to have network access.

I'm all for following your plan of creating some sort of diagnostics script to gather information. My knowledge level is just not there on what I should write or what to look for.

So my next step will be digging more into the changes on libvirt (as I am just running a simple setup on my laptop) where I run the odd test vm.

If you have a test for me to run, please let me know and I will get it done.

rusty-snake commented 2 years ago

> As a temporary work around to get the NAT network working I can:

Just remove dnsmasq from firecfg.config?

> If you have a test for me to run, please let me know and I will get it done.

#!/bin/bash
# Is $PATH set?
echo "$PATH"
# Can firejail be used?
firejail --noprofile true
firejail dnsmasq --arguments-...
rsramkis commented 2 years ago

One thing I am curious about is what is the difference between having an empty dnsmasq.profile vs commenting out dnsmasq in the firecfg file?

Additionally I did some checking for network listen ports. For dnsmasq to get port 53 you need to start it with root. But then I used ss and found this:

ss -l | grep virt
u_str LISTEN 0 1000 /run/libvirt/libvirt-sock 16846 * 0
u_str LISTEN 0 20   /run/libvirt/libvirt-admin-sock 16848 * 0
u_str LISTEN 0 1000 /run/libvirt/libvirt-sock-ro 16850 * 0
u_str LISTEN 0 4096 /run/libvirt/virtlockd-sock 16854 * 0
u_str LISTEN 0 4096 /run/libvirt/virtlogd-sock 16856 * 0

Trying to find dnsmasq in the listening ports found no results.

rusty-snake commented 2 years ago

> port 53

Is dnsmasq used as DNS server?

> Trying to find dnsmasq in the listening ports found no results.

network-namespaces?

> One thing I am curious about is what is the difference between having an empty dnsmasq.profile vs commenting out dnsmasq in the firecfg file?

(The solution to your problem has nothing to do with any firejail profile)

rsramkis commented 2 years ago

I've been doing some further research on this issue and found the two following threads on the issue:

virsh net-start default failes with PATH environment variable not set https://gitlab.com/libvirt/libvirt/-/issues/282

[[SOLVED]Libvirt Virtual Network Start/Create Fails w/ PATH envvar...] https://bbs.archlinux.org/viewtopic.php?id=274744

The bug seems to state that libvirtd calls dnsmasq from the $PATH now and not a hard coded value. This is something you had mentioned as we verified my PATH. My PATH does contain '/usr/bin', and yet libvirtd still reports it can't find dnsmasq. I hope the above links will assist you if you decide to reach out to libvirtd project to find out how the firejail dnsmasq.profile could be altered to support your product.

I'm going to close this bug with the work around of:

  1. Editing the /etc/firejail/firecfg.conf file and commenting out 'dnsmasq' so no profile is applied.
  2. Run "sudo firejail --clean" to clean out all system links.
  3. Run "sudo firejail" to re-enable all system links except dnsmasq.profile.

Thank you again for all of your assistance on troubleshooting the issue.
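The mechanism the thread converges on is a plain PATH lookup: firecfg installs symlinks to firejail in /usr/local/bin, a libvirtd that resolves dnsmasq through $PATH (rather than a hard-coded path) picks that symlink up, and firejail then exits because libvirtd's child environment carries no PATH. The script below is an added example, not code from the firejail project or from anyone in this thread: it walks a PATH string in the same left-to-right order an execvp lookup uses, reports which dnsmasq wins, and flags whether that entry is a firecfg-style symlink to firejail. The function names and the fixture tree under a temporary directory (fake firejail and dnsmasq binaries) are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the firejail project or from this thread):
# emulate the PATH lookup libvirtd performs for "dnsmasq" and flag whether the
# winner is a firecfg-style symlink that points at the firejail binary.
# Function names and the fixture under a temp dir are constructed for this
# example; the real directories involved are /usr/local/bin and /usr/bin.

# first_in_path NAME PATH: print the first executable NAME found while
# walking PATH left to right (the order execvp uses); fail if none is found.
first_in_path() {
    name=$1
    searchpath=$2
    oldifs=$IFS
    IFS=:
    for dir in $searchpath; do
        if [ -x "$dir/$name" ]; then
            IFS=$oldifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# is_firejail_symlink FILE: succeed if FILE is a symlink whose target is named
# "firejail", which is how firecfg redirects a program into the sandbox.
is_firejail_symlink() {
    [ -L "$1" ] || return 1
    target=$(readlink "$1")
    [ "$(basename "$target")" = "firejail" ]
}

# diagnose NAME PATH: print "missing", "direct <path>" or "firejail <path>".
# "firejail <path>" is the situation in this issue: the sandboxed entry wins
# the lookup, and firejail then refuses to start because the caller's
# environment has no PATH variable.
diagnose() {
    found=$(first_in_path "$1" "$2") || { echo "missing"; return 0; }
    if is_firejail_symlink "$found"; then
        echo "firejail $found"
    else
        echo "direct $found"
    fi
}

# make_fixture: build a constructed tree under a temp dir with a fake
# usr/bin/firejail, a fake usr/bin/dnsmasq and a firecfg-style symlink
# usr/local/bin/dnsmasq -> firejail. Prints the temp dir.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/local/bin" "$root/usr/bin"
    printf '#!/bin/sh\n' > "$root/usr/bin/firejail"
    printf '#!/bin/sh\n' > "$root/usr/bin/dnsmasq"
    chmod +x "$root/usr/bin/firejail" "$root/usr/bin/dnsmasq"
    ln -s "$root/usr/bin/firejail" "$root/usr/local/bin/dnsmasq"
    printf '%s\n' "$root"
}

# cleanup_fixture DIR: remove a tree created by make_fixture.
cleanup_fixture() {
    rm -rf "$1"
}

# On a real host, feed diagnose the PATH systemd hands to services, e.g.:
#   diagnose dnsmasq "$(systemctl show-environment | sed -n 's/^PATH=//p')"
```

With the PATH from the thread (/usr/local/sbin:/usr/local/bin:/usr/bin) the lookup reaches /usr/local/bin before /usr/bin, which is exactly why the error message names /usr/local/bin/dnsmasq while `ps` on the working system shows /usr/bin/dnsmasq; reordering the PATH given to libvirtd, or removing dnsmasq from firecfg as the maintainer suggests, both change the answer `diagnose` prints.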

ShellCode33 commented 11 months ago

I'm facing the same problem. Did you find a real fix @rsramkis ? I think this issue is worth being left open.

I don't know if this is relevant to this error but notice in the command line from the error that --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper is used, but /usr/lib/libvirt doesn't seem to be whitelisted in the dnsmasq profile.

rsramkis commented 11 months ago

> I'm facing the same problem. Did you find a real fix @rsramkis ? I think this issue is worth being left open.

> I don't know if this is relevant to this error but notice in the command line from the error that --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper is used, but /usr/lib/libvirt doesn't seem to be whitelisted in the dnsmasq profile.

After I shared my finding ... I did not investigate any further.

marek22k commented 11 months ago

I have the same problem. Is there a solution in the meantime?

glitsj16 commented 11 months ago

> I have the same problem. Is there a solution in the meantime?

There's persistent firecfg override functionality in git now. See my comment in #6121.