Virtual machines with lxc do not start due to permissions er

elover · Apprentice Joined: 20 Nov 2019 Posts: 159 Location: Spain

Hello, I can't get any virtual machine to work, I get this error message

warning: tap: open vhost char device failed: Permission denied
warning: tap: open vhost char device failed: Permission denied
qemu-system-x86_64: ../net/net.c:1106: net_client_init1: Assertion `nc' failed.

The groups
mount | grep cgroup
cgroup_root on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,relatime,size=10240k,mode=755)
openrc on /sys/fs/cgroup/openrc type cgroup (rw,nosuid,nodev,noexec,relatime,favordynmods,release_agent=/lib/rc/sh/cgroup-release-agent.sh,name=openrc)
none on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime,favordynmods)
cpuset on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset,favordynmods)
cpu on /sys/fs/cgroup/cpu type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,favordynmods)
cpuacct on /sys/fs/cgroup/cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct,favordynmods)
blkio on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio,favordynmods)
memory on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory,favordynmods)
devices on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices,favordynmods)
freezer on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer,favordynmods)
net_cls on /sys/fs/cgroup/net_cls type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,favordynmods)
perf_event on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event,favordynmods)
net_prio on /sys/fs/cgroup/net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_prio,favordynmods)
hugetlb on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb,favordynmods)
pids on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids,favordynmods)
rdma on /sys/fs/cgroup/rdma type cgroup (rw,nosuid,nodev,noexec,relatime,rdma,favordynmods)
misc on /sys/fs/cgroup/misc type cgroup (rw,nosuid,nodev,noexec,relatime,misc,favordynmods)
debug on /sys/fs/cgroup/debug type cgroup (rw,nosuid,nodev,noexec,relatime,debug,favordynmods)
systemd on /sys/fs/cgroup/systemd type cgroup (rw,relatime,favordynmods,name=systemd)
tmpfs on /sys/fs/cgroup/portage type cgroup (rw,nosuid,nodev,noexec,relatime,favordynmods,release_agent=/usr/lib/portage/python3.10/cgroup-release-agent,name=portage)

Kernel:
LXC version 5.0.1
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled

--- Control groups ---
Cgroups: enabled
Cgroup namespace: enabled

Cgroup v1 mount points:
/sys/fs/cgroup/openrc
/sys/fs/cgroup/cpuset
/sys/fs/cgroup/cpu
/sys/fs/cgroup/cpuacct
/sys/fs/cgroup/blkio
/sys/fs/cgroup/memory
/sys/fs/cgroup/devices
/sys/fs/cgroup/freezer
/sys/fs/cgroup/net_cls
/sys/fs/cgroup/perf_event
/sys/fs/cgroup/net_prio
/sys/fs/cgroup/hugetlb
/sys/fs/cgroup/pids
/sys/fs/cgroup/rdma
/sys/fs/cgroup/misc
/sys/fs/cgroup/debug
/sys/fs/cgroup/systemd
/sys/fs/cgroup/portage

Cgroup v2 mount points:
/sys/fs/cgroup/unified

Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, not loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, not loaded
Advanced netfilter: enabled, not loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, not loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled

emerge -pv lxc
[ebuild r U ] app-containers/lxc-5.0.2:0/1.502::gentoo [5.0.1-r2:0/0::gentoo] USE="caps man pam seccomp ssl tools -apparmor -examples -io-uring -lto (-selinux) -systemd -test -verify-sig" 0 KiB
[ebuild rR ] app-containers/lxd-5.0.2-r1::gentoo USE="nls -apparmor -verify-sig" 0 KiB

groups juanpe
lp wheel audio cdrom video users portage kvm lxc lxd docker juanpe

elover · Apprentice Joined: 20 Nov 2019 Posts: 159 Location: Spain

If I try to start the instance, I get this error message

lxc start desktop-kde2

Error: Failed setting up device via monitor: Failed setting up device "eth0": Failed adding NIC netdev: Monitor is disconnected

Try `lxc info --show-log desktop-kde2` for more info

lxc info --show-log desktop-kde2
Name: desktop-kde2
Status: STOPPED
Type: virtual-machine
Arquitectura: x86_64
Creado: 2023/02/03 23:44 CET

Registro:

warning: tap: open vhost char device failed: Permission denied
warning: tap: open vhost char device failed: Permission denied
qemu-system-x86_64: ../net/net.c:1106: net_client_init1: Assertion `nc' failed.

elover · Apprentice Joined: 20 Nov 2019 Posts: 159 Location: Spain

Edit: solution

https://discuss.linuxcontainers.org/t/failed-adding-nic-netdev-monitor-is-disconnected/15946/2

Downgrading to version 7.1 of qemu solves the error.

Hu · Moderator Joined: 06 Mar 2007 Posts: 21657

Could you explain the solution? As I read the linked issue, there is a known problem with qemu-7.2 and this supporting package. Avoiding the failed combination is a workaround, but what is the solution for people who need to use qemu-7.2 and this package?

elover · Apprentice Joined: 20 Nov 2019 Posts: 159 Location: Spain

vcmota · Guru Joined: 19 Jun 2017 Posts: 367

Hu · Moderator Joined: 06 Mar 2007 Posts: 21657

The patch appears to remove the assert that is causing the fatal exit, so it will solve the immediate problem. Whether the resulting VM will work afterward is a more complex question.

The commit log for the patch suggests to me that the problem is that the guest is started without a network device, then one is later hotplugged in. Perhaps if the guest were started with the proper devices configured, this assertion would not fail.

vcmota · Guru Joined: 19 Jun 2017 Posts: 367

Just an update: qemu has been updated to a sligthly newer version, 7.2.0-r3 instead of 7.2.0. The problem however has not been solved. I wonder whether the problem persists with the 8.0 qemu version, already available at upstream but not yet in the stable tree.

vcmota · Guru Joined: 19 Jun 2017 Posts: 367

Recent desperate attempts:

1. I got tired of waiting for qemu-8.0.2 to became stable, so I just unmask it. Installation ok, problem presists;

2. I tried this possible workaround, related to permissions in qemu. Did not work, although one of the four warning messagens have desapeared from the "lxc info --show-log ubuntu-lts" log output;

3. I finally tried the patch that removed the error message, following gentoo instructions. Installation was smooth, and the error message vanishes:

vcmota · Guru Joined: 19 Jun 2017 Posts: 367

This has been solved for my, when working on an apparently unrelated issue. You may take a look here and here.