libvirt inside lxd container cannot start virbr0 (Unable to set bridge virbr0 forward_delay: Permission denied)

Hi,
to me it seems this is not a bug, but an issue with the default config.
To run virtualization in a LXD container - which by default is unprivileged for security you have to make some changes.
We will not change LXD/Libvirt defaults for that afaik, but the following is my recommendation as a container profile addition to get KVM+Libvirt running fine in a container.

config:
  boot.autostart: "true"
  linux.kernel_modules: openvswitch,nbd,ip_tables,ip6_tables,kvm
  security.nesting: "true"
  security.privileged: "true"
description: ""
devices:
  eth0:
    mtu: "9000"
    name: eth0
    nictype: bridged
    parent: lxdbr0
    type: nic
  kvm:
    path: /dev/kvm
    type: unix-char
  mem:
    path: /dev/mem
    type: unix-char
  tun:
    path: /dev/net/tun
    type: unix-char
name: kvm
used_by: []

You can create that with "lxc profile new kvm" and then launch those guests that need it with default+kvm profile, while leaving the other secure and unprivileged.
  $ lxc launch ubuntu-daily:c/amd64 c --profile default --profile kvm

I hope that helps to understand, but IMHO it is not a bug.

I'm marking it incomplete assuming it is not a bug as explained and hope my explanations helped you.
Let me know if you think it is actually a bug and set it back to new then.

Sorry, but I still think it's a bug.

The reason is that "brctl setfd ..." works fine in an unprivileged container, but libvirt-daemon fails. In other words: brctl shows that it *is* possible to create and manage bridges in an unprivileged container, but libvirt-daemon isn't doing it correctly.

I am currently only using libvirt to create virbr0 (for GNS3) - I'm not running kvm.

It's quite possible that anyone who wants to run kvm would require privileged mode for other reasons, but that would be a separate point.

Thanks for the clarification Brian.
I'll take a deeper look then, but FYI I'm on a trip this week - so it might take a few days more - sorry.

Hi Brian, I now had more time to look at it - thanks for your patience and your detailed report!
The around that currently is this in libvirt doing that is like this:

 110 #if defined(HAVE_STRUCT_IFREQ) && defined(__linux__)
 111 /*
 112 * Bridge parameters can be set via sysfs on newish kernels,
 113 * or by ioctl on older kernels. Perhaps we could just use
 114 * ioctl for every kernel, but its not clear what the long
 115 * term lifespan of the ioctl interface is...
 116 */
 117 static int virNetDevBridgeSet(const char *brname,
 118 const char *paramname, /* sysfs param name */
 119 unsigned long value, /* new value */
 120 int fd, /* control socket */
 121 struct ifreq *ifr) /* pre-filled bridge name */
 122 {
 123 VIR_AUTOFREE(char *) path = NULL;
 124
 125 if (virAsprintf(&path, SYSFS_NET_DIR "%s/bridge/%s", brname, paramname) < 0)
 126 return -1;
 127
 128 if (virFileExists(path)) {
 129 char valuestr[INT_BUFSIZE_BOUND(value)];
 130 snprintf(valuestr, sizeof(valuestr), "%lu", value);
 131 if (virFileWriteStr(path, valuestr, 0) < 0) {
 132 virReportSystemError(errno,
 133 _("Unable to set bridge %s %s"), brname, paramname);
 134 return -1;
 135 }
 136 } else {
 137 unsigned long paramid;
 138 if (STREQ(paramname, "stp_state")) {
 139 paramid = BRCTL_SET_BRIDGE_STP_STATE;
 140 } else if (STREQ(paramname, "forward_delay")) {
 141 paramid = BRCTL_SET_BRIDGE_FORWARD_DELAY;
 142 } else {
 143 virReportSystemError(EINVAL,
 144 _("Unable to set bridge %s %s")...

Yes, it worked - as soon as the new packages were installed. Thank you!

root@bionic:~# ls
libvirt-bin_4.0.0-1ubuntu8.7~ppa2_amd64.deb
libvirt-clients_4.0.0-1ubuntu8.7~ppa2_amd64.deb
libvirt-daemon-driver-storage-rbd_4.0.0-1ubuntu8.7~ppa2_amd64.deb
libvirt-daemon-system_4.0.0-1ubuntu8.7~ppa2_amd64.deb
libvirt-daemon_4.0.0-1ubuntu8.7~ppa2_amd64.deb
libvirt0_4.0.0-1ubuntu8.7~ppa2_amd64.deb
root@bionic:~# dpkg -i *.deb
(Reading database ... 30717 files and directories currently installed.)
...
root@bionic:~# ifconfig virbr0
virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
        inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
        ether 52:54:00:11:cc:e6 txqueuelen 1000 (Ethernet)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 0 bytes 0 (0.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@bionic:~# virsh net-destroy default
Network default destroyed

root@bionic:~# virsh net-start default
Network default started

I submitted it upstream for review there, if you want pass me your full email so I can add you as "Reported-by" on the patch. You can find my email here on launchpad on my users page in case you don't want to add it to the bug :-)

Ref: https://www.redhat.com/archives/libvir-list/2018-November/msg00747.html

Note: upstream had made slight changes to the File in August, but the logical approach still was the same. Lets see what the feedback will be there.

Upstreaming complete:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=6aa75b94627c9ad3bf6a836cc821750979a2fe05

I already have a working backport version from our PPA Tests on Bionic before.

To hit this with virsh you'd see in an unprivileged contianer after install that it failed to start

$ apt install uvtool-libvirt
$ virsh net-list --all
 Name State Autostart Persistent
----------------------------------------------------------
 default inactive yes yes

If you try to do so you'll see your error:
$ virsh net-start default
error: Failed to start network default
error: Unable to set bridge virbr0 forward_delay: Permission denied

Right after the upgrade to the new version (or if you would have installed the new version to begin with) the fix works:

$ virsh net-list --all
 Name State Autostart Persistent
----------------------------------------------------------
 default active yes yes

If one wants he can now stop/start networks in unprivileged guest
root@b:~# virsh net-destroy default
Network default destroyed
root@b:~# virsh net-start default
Network default started

Of course without some privileges you will not be able to run full-virt KVM.
But qemu emulation based VMs work fine.

# Get an ISO
$ wget http://releases.ubuntu.com/18.04.1/ubuntu-18.04.1-live-server-amd64.iso
# Use virt manager to start a guest with that ISO
# It will auto-select Qemu-TCG mode as it can't run KVM without some privileges on the container

=> Works fine with the PPA.

I still think while nice this isn't an SRU case IMHO.
People that really need to run KVM in containers back in existing releases can just tweak the container privileges a bit - and they most likely want to to get full virtualization instead of "just" TCG-emulation.

But for upcoming releases this surely is a nice little feature to grow.

To get it ahead of the merge of a newer libvirt which will take a while I'll push the change to the current Ubuntu Development release (19.04 Disco) soon.

This bug was fixed in the package libvirt - 4.6.0-2ubuntu4

---------------
libvirt (4.6.0-2ubuntu4) disco; urgency=medium

  * debian/patches/ubuntu/lp1787405-*: Support guest dedicated Crypto
    Adapters on s390x (LP: #1787405)
  * d/p/ubuntu/lp-1802727-netdevbridge-fall-back-to-ioctl-from-sysfs.patch:
    fix libvirt bridge handling in unprivileged containers (LP: #1802906)

 -- Christian Ehrhardt <email address hidden> Fri, 09 Nov 2018 07:42:01 +0100