[GH-ISSUE #5137] dnsmasq: libvirtd cannot start NAT interface: PATH environment variable not set #2890

Closed
opened 2026-05-05 09:33:15 -06:00 by gitea-mirror · 35 comments

Originally created by @rsramkis on GitHub (May 9, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5137

Description

The default libvirt NAT network fails to start (even after applying the dnsmasq.profile that was part of the fix for 5089).

Appears to be related to:
https://github.com/netblue30/firejail/issues/5089

Steps to Reproduce

  1. Replace the dnsmasq.profile with the latest one in the repository:

https://github.com/netblue30/firejail/blob/master/etc/profile-a-l/dnsmasq.profile

  2. Open a terminal and try to start the NAT network interface:
sudo virsh net-start default

  3. Then the following error will show:
error: Failed to start network default
error: internal error: Child process (VIR_BRIDGE_NAME=virbr0 /usr/local/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper) unexpected exit status 1: Error: PATH environment variable not set

Expected behavior

  1. The NAT Network interface should start and go active.

❯ sudo virsh net-start default
Network default started

~
❯  sudo virsh net-list --all
 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes

Actual behavior

The NAT Network interface fails to go active when firejail is enabled.

Environment

Linux info:

OS: EndeavourOS Linux x86_64
Kernel: 5.15.37-1-lts
Shell: zsh 5.8.1
DE: GNOME 42.1
WM: Mutter

firejail --version

firejail version 0.9.68

Compile time support:
        - always force nonewprivs support is disabled
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file transfer support is enabled
        - firetunnel support is enabled
        - networking support is enabled
        - output logging is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [ ] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

EDIT by @rusty-snake: Fix check-boxes


@rsramkis commented on GitHub (May 15, 2022):

Is there anything else I should get for you to help troubleshoot the cause of the issue?


@rusty-snake commented on GitHub (May 15, 2022):

Try commenting out dnsmasq.profile line by line to find out more.


@rsramkis commented on GitHub (May 16, 2022):

Hi Rusty-snake,

I'll need more guidance on what you would like me to comment out in the dnsmasq.profile.

I ran the command:

 sudo LC_ALL=C firejail /usr/bin/dnsmasq
[sudo] password for user:

dnsmasq: failed to create listening socket for port 53: Address already in use

I then grabbed the following debug output:

LC_ALL=C firejail --debug /usr/bin/dnsmasq

(See attachment)
firejail-dnsmasq-debug.txt


@rusty-snake commented on GitHub (May 16, 2022):

  1. Comment everything in dnsmasq.profile
  2. Make sure sudo virsh ... works as expected.
  3. Uncomment a line in dnsmasq.profile
  4. Try if sudo virsh ... works.
  5. Go to step 3.
  6. Find the line which breaks it.
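The loop described in the comment above (comment everything out, re-enable one line, retest, repeat) is a linear search; the same job can be done as a binary search over the profile's directives, which matters when a profile pulls in dozens of lines. The script below is an added example written for this page, not firejail's or libvirt's own tooling. It assumes a test command, supplied by the user, that installs a trial profile and reports pass/fail; for this thread that would copy the trial file over /etc/firejail/dnsmasq.profile and run `sudo virsh net-start default` (the `virsh_test` sketch in the comments is a suggestion, not something the thread verified). Bisection assumes the failure is monotonic, i.e. caused by one directive rather than an interaction between several, so treat the result as the first line to look at rather than proof. Lines that `include` another file are a single directive here; if the culprit is inside an included file, run the script on that file too.

```shell
#!/bin/sh
# profile_bisect.sh - find the first firejail profile directive that breaks a program.
# Added example for this page, not part of firejail. POSIX sh + awk + grep only.
#
# A "directive" is any line that is neither blank nor a "#" comment. A trial profile
# keeps the first N directives active and comments the rest out with "# BISECT-OFF ".

set -u

# count_directives PROFILE -> number of directive lines
count_directives() {
    grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# nth_directive PROFILE N -> text of the N-th directive (1-based)
nth_directive() {
    awk -v want="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { if (++n == want) { print; exit } }
    ' "$1"
}

# make_trial PROFILE TRIAL N -> write TRIAL with only the first N directives active
make_trial() {
    awk -v keep="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        { n++; if (n <= keep) print; else print "# BISECT-OFF " $0 }
    ' "$1" > "$2"
}

# bisect_profile PROFILE TRIAL TESTCMD
#   TESTCMD is an executable or shell function. It is called with TRIAL as $1 and must
#   exit 0 when the program works under that profile and non-zero when it does not.
#   Prints "<index>: <directive>" for the first directive that turns the test red.
#   Exit 2: fails even with nothing active (the problem is outside this file, e.g. a
#   fallback profile or the sandbox itself). Exit 3: passes with everything active.
bisect_profile() {
    bp_src=$1; bp_trial=$2; bp_test=$3
    bp_total=$(count_directives "$bp_src")

    make_trial "$bp_src" "$bp_trial" 0
    "$bp_test" "$bp_trial" || { echo "fails with every directive disabled" >&2; return 2; }
    make_trial "$bp_src" "$bp_trial" "$bp_total"
    if "$bp_test" "$bp_trial"; then echo "passes with the full profile" >&2; return 3; fi

    bp_lo=0; bp_hi=$bp_total        # invariant: first lo directives pass, first hi fail
    while [ $((bp_hi - bp_lo)) -gt 1 ]; do
        bp_mid=$(( (bp_lo + bp_hi) / 2 ))
        make_trial "$bp_src" "$bp_trial" "$bp_mid"
        if "$bp_test" "$bp_trial"; then bp_lo=$bp_mid; else bp_hi=$bp_mid; fi
    done
    printf '%s: %s\n' "$bp_hi" "$(nth_directive "$bp_src" "$bp_hi")"
}

# Suggested TESTCMD for this thread (an assumption; uncomment and adjust paths):
# virsh_test() {
#     sudo cp "$1" /etc/firejail/dnsmasq.profile
#     sudo virsh net-destroy default >/dev/null 2>&1   # ignore "network is not active"
#     sudo virsh net-start default >/dev/null 2>&1
# }
# Usage: sh profile_bisect.sh /path/to/saved/dnsmasq.profile /tmp/trial.profile virsh_test
if [ $# -eq 3 ]; then
    bisect_profile "$1" "$2" "$3"
fi
```

Keep a pristine copy of the profile as PROFILE and let the test command overwrite the live one; the script never edits PROFILE itself. Each round restarts the libvirt network, so expect a few seconds per step; for a 40-line profile that is six rounds instead of forty.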

@rsramkis commented on GitHub (May 17, 2022):

I did some testing today which leads me to believe the dnsmasq.profile is not causing the issue.

Test 1 - Firejail enabled, dnsmask.profile renamed to dnsmask.profile.old

(a) Firejail is enabled (sudo firecfg).
(b) Rename dnsmask.profile to dnsmask.profile.old.
(c) Reboot Computer.
(d) Login. From Terminal run the following command to check the virtual Network status:

sudo virsh net-list --all
[sudo] password for rsruser:
 Name      State    Autostart   Persistent
--------------------------------------------
 default   inactive   yes         yes

Test 2 - Disable Firejail and verify Virtual Network Starts (active):

(a) Disable Firejail (sudo firecfg --clean).

(b) Reboot Computer and login to system.

(c) From Terminal run the following command to check the network status.

sudo virsh net-list --all
[sudo] password for user:
 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes

I am assuming here that renaming the profile to dnsmask.profile.old means it is not loaded at all.

I also confirmed the ~/.config/firejail only has the file steam.profile in it.


@rusty-snake commented on GitHub (May 17, 2022):

I am assuming here that renaming the profile to dnsmask.profile.old means it is not loaded at all.

If there is no dnsmasq.profile, server.profile (root) / default.profile (non-root) is used. You can create an empty dnsmasq.profile to not load anything. (I assume the dnsmas(q|m) typo is only in your post.)

I also confirmed the ~/.config/firejail only has the file steam.profile in it.

~/.config/firejail of which user? If virsh starts dnsmasq as root, firejail will look into /root/.config/firejail and if it starts dnsmasq as virsh-dnsmasq-user firejail will try this home dir.


@rsramkis commented on GitHub (May 18, 2022):

If there is no dnsmasq.profile, server.profile (root) / default.profile (non-root) is used. You can create an empty dnsmasq.profile to not load anything. (I assume the dnsmas(q|m) typo is only in your post.)

In my post above I spelled dnsmasq.profile wrong. Here is the command showing that I have the correct name.

[root@mani firejail]# pwd
/etc/firejail

[root@mani firejail]# ls dnsmasq*
dnsmasq.profile.old

I used the su command to sign in as root. Then I went to the ~/root/.config directory and saw no ~/home/.config/firejail.

[root@mani .config]# ls
bleachbit  cpupower_gui  diffuse  geany  gtk-3.0  nautilus  pulse

I see a server.profile in the /etc/firejail directory. I will rename this server.profile.org and re-test.


@rsramkis commented on GitHub (May 18, 2022):

I re-tested by renaming the server.profile to server.profile.org and still the virtual network failed to start when firejail was enabled. Below is the flow of the test:

[sudo] password for user:
Name:           default
UUID:           a96495c0-e476-44bc-b888-9421b7d12fd1
Active:         no
Persistent:     yes
Autostart:      yes
Bridge:         virbr0


~ took 4s
❯ sudo virsh net-start default
error: Failed to start network default
error: internal error: Child process (VIR_BRIDGE_NAME=virbr0 /usr/local/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper) unexpected exit status 1: Error: PATH environment variable not set

sudo firecfg --clean
Removing all firejail symlinks:
   man removed
   gnome-weather removed
   signal-desktop removed
   lomath removed
   calibre removed
   ebook-convert removed
   wireshark removed
   clamdtop removed
   inkview removed
   zaproxy removed
   bleachbit removed
   youtube-dl removed
   gnome-calculator removed
   qbittorrent removed
   strings removed
   clamscan removed
   com.github.tchx84.Flatseal removed
   mpg123-strip removed
   steam-runtime removed
   firefox removed
   gimp removed
   enchant-lsmod-2 removed
   out123 removed
   celluloid removed
   loimpress removed
   gnome-contacts removed
   enchant-2 removed
   pavucontrol removed
   ffplay removed
   flameshot removed
   gnome-font-viewer removed
   lodraw removed
   mediainfo removed
   krita removed
   vivaldi-stable removed
   steam removed
   conplay removed
   baobab removed
   mpv removed
   ffprobe removed
   gnome-nettool removed
   ebook-polish removed
   pdftotext removed
   libreoffice removed
   clamdscan removed
   gimp-2.10 removed
   gcalccmd removed
   secret-tool removed
   host removed
   xournalpp removed
   lowriter removed
   loweb removed
   clamtk removed
   mpg123 removed
   localc removed
   ssh removed
   meld removed
   ffmpegthumbnailer removed
   tracker removed
   geany removed
   dnsmasq removed
   skypeforlinux removed
   spotify removed
   display removed
   steam-native removed
   telnet removed
   drill removed
   nslookup removed
   eog removed
   lobase removed
   yelp removed
   checkbashisms removed
   gnome-logs removed
   clementine removed
   img2txt removed
   evince-thumbnailer removed
   qt-faststart removed
   file-roller removed
   dconf-editor removed
   whois removed
   ebook-meta removed
   ftp removed
   gapplication removed
   soffice removed
   evince-previewer removed
   lofromtemplate removed
   inkscape removed
   unbound removed
   wget removed
   patch removed
   freshclam removed
   mpg123-id3dump removed
   gnome-calendar removed
   ebook-edit removed
   darktable removed
   wine removed
   conky removed
   evince removed
   thunderbird removed
   ebook-viewer removed
   tshark removed
   gnome-clocks removed
   dig removed
   loffice removed
   yt-dlp removed


~
❯ sudo virsh net-start default
Network default started


~
❯ sudo virsh net-list --all
 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes

@rusty-snake commented on GitHub (May 19, 2022):

I re-tested by renaming the server.profile to server.profile.org and still the virtual network failed to start when firejail was enabled. Below is the flow of the test:

  1. Is dnsmasq started as root? Otherwise this test is useless.
  2. IDK how firejail behaves if you remove the fallback profiles. Instead you should replace them with an empty file.

@rsramkis commented on GitHub (May 19, 2022):

So I went ahead and made two blank files for the profiles:

  • sudo touch /etc/firejail/server.profile
  • sudo touch /etc/firejail/server.profile

I rebooted the system and still the same error:

[sudo] password for user:
Name:           default
UUID:           a96495c0-e476-44bc-b888-9421b7d12fd1
Active:         no
Persistent:     yes
Autostart:      yes
Bridge:         virbr0

sudo virsh net-start default
error: Failed to start network default
error: internal error: Child process (VIR_BRIDGE_NAME=virbr0 /usr/local/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper) unexpected exit status 1: Error: PATH environment variable not set

As you requested I did check the dnsmasq.service but it is not started (with firejail enabled\disabled).

 sudo systemctl status dnsmasq.service
○ dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
     Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; vendor preset: >
     Active: inactive (dead)
       Docs: man:dnsmasq(8)

journalctl -u dnsmasq.service
-- No entries --

 dnsmasq --test
dnsmasq: syntax check OK.

I was reading on the Arch Wiki (https://wiki.archlinux.org/title/Libvirt) that libvirt utilizes dnsmasq as part of its virtual network.
Specifically:

Note: libvirt handles DHCP and DNS with dnsmasq (https://archlinux.org/packages/?name=dnsmasq), launching a separate instance for every virtual network. It also adds iptables rules for proper routing, and enables the ip_forward kernel parameter. This also means that having dnsmasq running on the host system is not necessary to support libvirt requirements (and could interfere with libvirt dnsmasq instances).

I also checked the /etc/dnsmasq.conf file and everything was commented out. So I'm not sure what the next step is as I cannot prove how\when\who the dnsmasq.service is started.


@rusty-snake commented on GitHub (May 19, 2022):

As you requested I did check the dnsmasq.service but it is not started (with firejail enabled\disabled).

Where did I? How does dnsmasq.service relate here?

Note: libvirtd starts its own instance of dnsmasq.

/etc/dnsmasq.conf

Is never read by the libvirtd dnsmasq instance.
See --conf-file=/var/lib/libvirt/... in your logs.

dnsmasq.service

See above.


@rsramkis commented on GitHub (May 19, 2022):

I am not sure how to check who is starting dnsmasq.

When I go to /var/lib/libvirt/dnsmasq I do see the default.conf.

##WARNING:  THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
##OVERWRITTEN AND LOST.  Changes to this configuration should be made using:
##    virsh net-edit default
## or other application using the libvirt API.
##
## dnsmasq conf file created by libvirt
strict-order
pid-file=/run/libvirt/network/default.pid
except-interface=lo
bind-dynamic
interface=virbr0
dhcp-range=192.168.122.2,192.168.122.254,255.255.255.0
dhcp-no-override
dhcp-authoritative
dhcp-lease-max=253
dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile
addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts

@rsramkis commented on GitHub (May 19, 2022):

I decided to circle back and check the journals. So on boot you can see when the error occurs when trying to enable the virtual network:

With Firejail Disabled:

journalctl -b | grep libvirt
May 19 13:12:45 mani audit[471]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="dnsmasq//libvirt_leaseshelper" pid=471 comm="apparmor_parser"
May 19 13:12:46 mani audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=libvirtd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 19 13:12:46 mani dnsmasq[696]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
May 19 13:12:46 mani dnsmasq-dhcp[696]: read /var/lib/libvirt/dnsmasq/default.hostsfile


With Firejail Enabled:

❯ journalctl -b | grep libvirt
May 19 13:08:25 mani audit[468]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="dnsmasq//libvirt_leaseshelper" pid=468 comm="apparmor_parser"
May 19 13:08:26 mani audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=libvirtd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 19 13:08:27 mani libvirtd[554]: libvirt version: 8.3.0
May 19 13:08:27 mani libvirtd[554]: hostname: mani
May 19 13:08:27 mani libvirtd[554]: internal error: Child process (VIR_BRIDGE_NAME=virbr0 /usr/local/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper) unexpected exit status 1: Error: PATH environment variable not set

@rusty-snake commented on GitHub (May 20, 2022):

I am not sure how to check who is starting dnsmasq?

Start it successfully (w/o firejail) and use something like ps -f -C dnsmasq.


@rsramkis commented on GitHub (May 20, 2022):

When I first boot with firejail disabled and no VM started this is what is running:

❯ ps -f -C dnsmasq
UID          PID    PPID  C STIME TTY          TIME CMD
nobody       704       1  0 08:18 ?        00:00:00 /usr/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
root         705     704  0 08:18 ?        00:00:00 /usr/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper

I did start a virtual machine afterwards to confirm I had network connectivity. There was no additional PID added.


@rusty-snake commented on GitHub (May 20, 2022):

If you look for `dnsmasq` in `ps -f -H`, how does it look like?

```
libvirt
  dnsmasq (root)
    dnsmasq (nobody)
```

?

---

You can use `sudo firemon` to see who(/when/...) starts a firejail sandbox.

---

> PATH environment variable not set

Why is it not set?


@rsramkis commented on GitHub (May 20, 2022):

  1. If you look for dnsmasq in ps -f -H, how does it look like?

Looks like this when firejail is disabled.

```
❯ ps -efH
UID          PID    PPID  C STIME TTY          TIME CMD
nobody       700       1  0 08:58 ?        00:00:00   /usr/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
root         701     700  0 08:58 ?        00:00:00     /usr/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
```

  2. Why is the PATH environment not set?

Is it possible that firejail is not allowing access to "/var/lib/libvirt/dnsmasq/default.conf "?

  3. You can use sudo firemon to see who(/when/...) starts a firejail sandbox.

**So are the correct steps:**

(a) Enable Firejail.

(b) Open Terminal and start firemon (sudo firemon).

(c) Then in separate terminal try to start the virtual network with "sudo virsh net-start default".


@rusty-snake commented on GitHub (May 20, 2022):

> Is it possible that firejail is not allowing access to "/var/lib/libvirt/dnsmasq/default.conf "?

What has this to do with that?

---

Summary of the problem so far:

  • libvirtd starts dnsmasq (first one in $PATH) without $PATH being set.
  • first dnsmasq in $PATH is the firecfg-firejail symlink
  • firejail is started
  • firejail complains because it does not know where to search for the real dnsmasq binary.

=> Check your system configuration to make sure $PATH is set.


@rsramkis commented on GitHub (May 20, 2022):

This is the PATH I have set:

❯ echo $PATH
/home/user/.nvm/versions/node/v16.15.0/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/var/lib/flatpak/exports/bin:/usr/lib/jvm/default/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:/usr/lib/jvm/default/bin:/usr/lib/jvm/default/bi

Then I ran which:

```
which dnsmasq
/usr/local/bin/dnsmasq

which libvirtd
/usr/bin/libvirtd
```

I am guessing here (I don't know the ins and outs of firejail). So should I be adding to the dnsmasq.profile the following lines:

```
noblacklist /usr/local/bin/dnsmasq
noblacklist /usr/bin/libvirtd
```

@rusty-snake commented on GitHub (May 20, 2022):

> This is the PATH I have set:

Is your terminal, but this does not matter because libvirtd/dnsmasq/firejail is not running as a child of this shell.

> I am guessing here (I don't know the ins and outs of firejail). So should I be adding to the dnsmasq.profile the following lines:

No, you don't need to do anything with firejail profiles.

This is not a firejail issue, it is an issue with your configuration of the part which starts dnsmasq/libvirtd.


@rsramkis commented on GitHub (May 20, 2022):

> This is not a firejail issue, it is an issue with your configuration of the part which starts dnsmasq/libvirtd.

So let's put aside that with firejail disabled I can stop and start the NAT service with:

```
sudo virsh net-destroy default
sudo virsh net-start default
```

Are you suggesting I add something to the PATH or modify a configuration file? I can test whatever you suggest.


@rusty-snake commented on GitHub (May 20, 2022):

How is libvirtd started? By systemd? If so make sure it is started with a minimal $PATH (e.g. `/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin`).

This assumes dnsmasq is started by libvirtd via fork-exec.


@rsramkis commented on GitHub (May 20, 2022):

I do have the libvirtd.service enabled in systemd. I used the suggested configuration here:
https://wiki.archlinux.org/title/Libvirt

When I have firejail disabled this is what I see checking the service:

```
sudo systemctl status libvirtd.service
● libvirtd.service - Virtualization daemon
     Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2022-05-20 11:03:53 EDT; 1min 7s ago
TriggeredBy: ● libvirtd-admin.socket
             ● libvirtd-ro.socket
             ● libvirtd.socket
       Docs: man:libvirtd(8)
             https://libvirt.org
   Main PID: 547 (libvirtd)
      Tasks: 21 (limit: 32768)
     Memory: 30.0M
        CPU: 436ms
     CGroup: /system.slice/libvirtd.service
             ├─ 547 /usr/bin/libvirtd --timeout 120
             ├─ 705 /usr/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
             └─ 706 /usr/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper

May 20 11:03:53 mani dnsmasq[705]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC loop-detect inotify dumpfile
May 20 11:03:53 mani dnsmasq-dhcp[705]: DHCP, IP range 192.168.122.2 -- 192.168.122.254, lease time 1h
May 20 11:03:53 mani dnsmasq-dhcp[705]: DHCP, sockets bound exclusively to interface virbr0
May 20 11:03:53 mani dnsmasq[705]: reading /etc/resolv.conf
May 20 11:03:53 mani dnsmasq[705]: using nameserver 127.0.0.1#53
May 20 11:03:53 mani dnsmasq[705]: read /etc/hosts - 5 addresses
May 20 11:03:53 mani dnsmasq[705]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
May 20 11:03:53 mani dnsmasq-dhcp[705]: read /var/lib/libvirt/dnsmasq/default.hostsfile
May 20 11:03:57 mani dnsmasq[705]: reading /etc/resolv.conf
May 20 11:03:57 mani dnsmasq[705]: using nameserver 127.0.0.1#53

~
❯ sudo virsh net-list --all
 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes
```

So everything is functional in the service. But when I enable firejail the service output changes to:


```
❯ sudo systemctl status libvirtd.service
● libvirtd.service - Virtualization daemon
     Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2022-05-20 10:59:10 EDT; 2min 12s ago
TriggeredBy: ● libvirtd.socket
             ● libvirtd-admin.socket
             ● libvirtd-ro.socket
       Docs: man:libvirtd(8)
             https://libvirt.org
   Main PID: 553 (libvirtd)
      Tasks: 19 (limit: 32768)
     Memory: 28.5M
        CPU: 490ms
     CGroup: /system.slice/libvirtd.service
             └─ 553 /usr/bin/libvirtd --timeout 120

May 20 10:59:10 mani systemd[1]: Starting Virtualization daemon...
May 20 10:59:10 mani systemd[1]: Started Virtualization daemon.
May 20 10:59:11 mani libvirtd[553]: libvirt version: 8.3.0
May 20 10:59:11 mani libvirtd[553]: hostname: mani
May 20 10:59:11 mani libvirtd[553]: internal error: Child process (VIR_BRIDGE_NAME=virbr0 /usr/local/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/li>
```


@rusty-snake commented on GitHub (May 20, 2022):

`systemctl show-environment | grep PATH`?


@rsramkis commented on GitHub (May 20, 2022):

❯ systemctl show-environment | grep PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/bin


@rusty-snake commented on GitHub (May 20, 2022):

Ok, now I'm out of ideas.

Try to install a script in $PATH named `dnsmasq` before any other `dnsmasq` (so libvirtd will pick it) and use it to gather more information.


@rsramkis commented on GitHub (May 20, 2022):

I know this was all working before as I had set up libvirtd on 01-10-2022, and firejail I have been running for maybe 3 years. But like usual libvirt changed in one of the upgrades and I assume the application's behaviour has changed. You would think other people would have reported this too (as defect 5089 was mentioned in the Arch forums).

**As a temporary workaround to get the NAT network working I can:**

  1. Disable Firejail.

  2. Start the NAT service manually (sudo virsh net-start default)

  3. Then re-enable Firejail.

This allows the Virtual machines to have network access.

I'm all for following your plan of creating some sort of diagnostics script to gather information. My knowledge level is just not there on what I should write or what to look for.

So my next step will be digging more into the changes on libvirt (as I am just running a simple setup on my laptop) where I run the odd test vm.

If you have a test for me to run, please let me know and I will get it done.


@rusty-snake commented on GitHub (May 20, 2022):

> As a temporary workaround to get the NAT network working I can:

Just remove dnsmasq from firecfg.config?

> If you have a test for me to run, please let me know and I will get it done.

```bash
#!/bin/bash
# Is $PATH set?
echo "$PATH"
# Can firejail be used?
firejail --noprofile true
firejail dnsmasq --arguments-...
```
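
Combining the two suggestions above (a stand-in `dnsmasq` that libvirtd finds before the firecfg symlink, and a script that records whether PATH is set), here is a diagnostic wrapper added as an example for this thread; it is not code from firejail, libvirt or either participant. The log path and the DNSMASQ_WRAPPER_LOG variable are assumptions; the install location follows the systemd PATH and the /usr/local/bin/dnsmasq symlink shown earlier in the thread.

```bash
#!/bin/bash
# Diagnostic stand-in for dnsmasq, written for this thread (not from firejail
# or libvirt). Install it as "dnsmasq" in a directory that libvirtd searches
# before the firecfg symlink: with the systemd PATH shown above
# (/usr/local/sbin:/usr/local/bin:/usr/bin) and the symlink at
# /usr/local/bin/dnsmasq, that is /usr/local/sbin/dnsmasq. It records what
# the child process really inherits and then execs the real dnsmasq, so the
# network still comes up while the PATH question is settled.
# Assumed/constructed: the log file path and the DNSMASQ_WRAPPER_LOG name.

LOGFILE="${DNSMASQ_WRAPPER_LOG:-/var/tmp/dnsmasq-wrapper.log}"
# The minimal PATH suggested in the thread; used only when the child has none.
FALLBACK_PATH="/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin"

# Report the state of the inherited PATH: "unset", "empty" or "ok".
# $1 is "set" if the variable exists (pass "${PATH+set}"), $2 is its value.
path_status() {
    if [ "$1" != set ]; then
        echo unset
    elif [ -z "$2" ]; then
        echo empty
    else
        echo ok
    fi
}

# Print the first "dnsmasq" in a PATH-style list that is neither the firecfg
# symlink (it resolves to firejail) nor this wrapper itself.
# $1 is the PATH list, $2 the path of this wrapper. Returns 1 when nothing is
# left, which is the same situation firejail reports when PATH is missing.
find_real_dnsmasq() {
    self=$(readlink -f -- "$2" 2>/dev/null || printf '%s' "$2")
    oldifs="$IFS"
    IFS=':'
    for dir in $1; do
        IFS="$oldifs"
        [ -n "$dir" ] || continue
        candidate="$dir/dnsmasq"
        [ -x "$candidate" ] || continue
        # Follow links: firecfg installs /usr/local/bin/dnsmasq -> /usr/bin/firejail
        target=$(readlink -f -- "$candidate" 2>/dev/null || printf '%s' "$candidate")
        case "${target##*/}" in
            firejail) continue ;;
        esac
        [ "$target" != "$self" ] || continue
        printf '%s\n' "$candidate"
        return 0
    done
    IFS="$oldifs"
    return 1
}

# Log what libvirtd's child inherits, then hand over to the real binary.
main() {
    orig_path="${PATH-}"
    status=$(path_status "${PATH+set}" "$orig_path")
    # Give the wrapper a usable PATH before it calls any external tool.
    [ "$status" = ok ] || PATH="$FALLBACK_PATH"
    export PATH
    {
        echo "=== $(date -u '+%Y-%m-%dT%H:%M:%SZ') pid=$$ ppid=$PPID"
        echo "parent: $(ps -o comm= -p "$PPID" 2>/dev/null)"
        echo "inherited PATH: $status ($orig_path)"
        echo "VIR_BRIDGE_NAME=${VIR_BRIDGE_NAME-<unset>}"
        echo "argv: $*"
    } >>"$LOGFILE" 2>&1
    if real=$(find_real_dnsmasq "$PATH" "$0"); then
        echo "exec: $real" >>"$LOGFILE"
        exec "$real" "$@"
    fi
    echo "Error: no dnsmasq besides the firecfg symlink in $PATH" >>"$LOGFILE"
    exit 1
}

# Act as the wrapper only when invoked under the name "dnsmasq"; sourcing or
# running this file under another name just defines the functions.
case "${0##*/}" in
    dnsmasq) main "$@" ;;
esac
```

After installing it as /usr/local/sbin/dnsmasq and re-running `sudo virsh net-start default`, the log shows whether the child really had no PATH and which parent spawned it; remove the wrapper once the question is answered.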

@rsramkis commented on GitHub (May 20, 2022):

One thing I am curious about is what is the difference between having an empty dnsmasq.profile vs commenting out dnsmasq in the firecfg file?

Additionally I did some checking for network listen ports. For dnsmasq to get port 53 you need to start it with root. But then I used ss and found this:

```
ss -l | grep virt
u_str LISTEN 0      1000                                                                                      /run/libvirt/libvirt-sock 16846                                    * 0
u_str LISTEN 0      20                                                                                  /run/libvirt/libvirt-admin-sock 16848                                    * 0
u_str LISTEN 0      1000                                                                                   /run/libvirt/libvirt-sock-ro 16850                                    * 0
u_str LISTEN 0      4096                                                                                    /run/libvirt/virtlockd-sock 16854                                    * 0
u_str LISTEN 0      4096                                                                                     /run/libvirt/virtlogd-sock 16856                                    * 0
```

Trying to find dnsmasq in the listening ports found no results.


@rusty-snake commented on GitHub (May 20, 2022):

> port 53

Is dnsmasq used as DNS server?

> Trying to find dnsmasq in the listening ports found no results.

network-namespaces?

> One thing I am curious about is what is the difference between having an empty dnsmasq.profile vs commenting out dnsmasq in the firecfg file?

(The solution to your problem has nothing to do with any firejail profile)

  • empty profile => no additional restrictions besides the hardcoded ones (which are minimal as firejail has a blacklisting logic for the most things)
  • commenting in firecfg.config => no firecfg-firejail symlink => no firejail

@rsramkis commented on GitHub (May 23, 2022):

I've been doing some further research on this issue and found the two following threads on the issue:

virsh net-start default failes with PATH environment variable not set
https://gitlab.com/libvirt/libvirt/-/issues/282

[[SOLVED]Libvirt Virtual Network Start/Create Fails w/ PATH envvar...]
https://bbs.archlinux.org/viewtopic.php?id=274744

The bug seems to state that libvirtd calls dnsmasq from the $PATH now and not a hard coded value. This is something you had mentioned as we verified my PATH. My PATH does contain '/usr/bin', and yet libvirtd still reports it can't find dnsmasq. I hope the above links will assist you if you decide to reach out to libvirtd project to find out how the firejail dnsmasq.profile could be altered to support your product.

I'm going to close this bug with the workaround of:

  1. Editing the /etc/firejail/firecfg.conf file and commenting out 'dnsmasq' so no profile is applied.
  2. Run "sudo firejail --clean" to clean out all system links.
  3. Run "sudo firejail" to re-enable all system links except dnsmasq.profile.

Thank you again for all of your assistance on troubleshooting the issue.


@ShellCode33 commented on GitHub (Nov 30, 2023):

I'm facing the same problem. Did you find a real fix @rsramkis ? I think this issue is worth being left open.

I don't know if this is relevant to this error but notice in the command line from the error that `--dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper` is used, but `/usr/lib/libvirt` doesn't seem to be whitelisted in the dnsmasq profile.


@rsramkis commented on GitHub (Dec 1, 2023):

> I'm facing the same problem. Did you find a real fix @rsramkis ? I think this issue is worth being left open.
>
> I don't know if this is relevant to this error but notice in the command line from the error that `--dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper` is used, but `/usr/lib/libvirt` doesn't seem to be whitelisted in the dnsmasq profile.

After I shared my finding ... I did not investigate any further.


@marek22k commented on GitHub (Dec 10, 2023):

I have the same problem. Is there a solution in the meantime?


@ghost commented on GitHub (Dec 10, 2023):

> I have the same problem. Is there a solution in the meantime?

There's persistent firecfg override functionality in git now. See my comment in #6121.
