In our environment with stable `hardened-sources-4.8.17` on both host and guest, `qemu-2.8.0-r9` breaks bridged network connectivity entirely, without apparent error messages and without any clean way to downgrade to a working version (e.g. `qemu-2.7.0-r7`), which has been removed already. I had to revert to the unofficial `app-emulation/qemu-2.6.0::shnurise` to get going again.

Reproducible: Always

Host `emerge --info`:

Portage 2.3.3 (python 3.4.5-final-0, hardened/linux/amd64, gcc-4.9.4, glibc-2.23-r3, 4.8.17-hardened-r2 x86_64)
=================================================================
System uname: Linux-4.8.17-hardened-r2-x86_64-Intel-R-_Xeon-R-_CPU_E3-1260L_v5_@_2.90GHz-with-gentoo-2.3
KiB Mem: 16252264 total, 187708 free
KiB Swap: 0 total, 0 free
Timestamp of repository gentoo: Sun, 02 Apr 2017 22:30:01 +0000
sh bash 4.3_p48-r1
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
app-shells/bash: 4.3_p48-r1::gentoo
dev-lang/perl: 5.22.3_rc4::gentoo
dev-lang/python: 2.7.12::gentoo, 3.4.5::gentoo
dev-util/cmake: 3.7.2::gentoo
dev-util/pkgconfig: 0.28-r2::gentoo
sys-apps/baselayout: 2.3::gentoo
sys-apps/openrc: 0.23.2::gentoo
sys-apps/sandbox: 2.10-r3::gentoo
sys-devel/autoconf: 2.69::gentoo
sys-devel/automake: 1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils: 2.25.1-r1::gentoo, 2.26.1::gentoo
sys-devel/gcc: 4.9.3::gentoo, 4.9.4::gentoo
sys-devel/gcc-config: 1.7.3::gentoo
sys-devel/libtool: 2.4.6-r3::gentoo
sys-devel/make: 4.2.1::gentoo
sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers)
sys-libs/glibc: 2.23-r3::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

shnurise
    location: /var/lib/layman/shnurise
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native -O2 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=native -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://mirror.leaseweb.com/gentoo/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo rsync://mirror.netcologne.de/gentoo/ ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo rsync://ftp.halifax.rwth-aachen.de/gentoo/ http://ftp.halifax.rwth-aachen.de/gentoo/ ftp://mirror.netcologne.de/gentoo/ http://mirror.netcologne.de/gentoo/ rsync://ftp-stud.hs-esslingen.de/gentoo/"
LC_ALL="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j8"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl amd64 berkdb bzip2 cli cracklib crypt cxx dri gdbm hardened iconv ipv6 justify kvm libvirt libvirtd lm_sensors logrotate lvm modules multilib ncurses nls nptl openmp pam pax_kernel pcre pie python qemu qemu-ifup readline seccomp session ssl ssp tcpd unicode urandom virt-network xattr xtpax zlib"
ABI_X86="64"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
CPU_FLAGS_X86="aes avx avx2 fma3 mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx"
INPUT_DEVICES="libinput keyboard mouse"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-6"
PYTHON_SINGLE_TARGET="python2_7"
PYTHON_TARGETS="python2_7 python3_4"
QEMU_SOFTMMU_TARGETS="x86_64 i386"
QEMU_USER_TARGETS="x86_64 i386"
RUBY_TARGETS="ruby21"
USERLAND="GNU"
VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

Guest `emerge --info`:

Portage 2.3.3 (python 3.4.5-final-0, hardened/linux/amd64, gcc-4.9.4, glibc-2.23-r3, 4.8.17-hardened-r2 x86_64)
=================================================================
System uname: Linux-4.8.17-hardened-r2-x86_64-Intel-R-_Xeon-R-_CPU_E3-1260L_v5_@_2.90GHz-with-gentoo-2.3
KiB Mem: 4046724 total, 240032 free
KiB Swap: 8388604 total, 8388604 free
Timestamp of repository gentoo: Sun, 02 Apr 2017 20:00:01 +0000
sh bash 4.3_p48-r1
ld GNU ld (Gentoo 2.24 p1.4) 2.24
ccache version 3.2.4 [disabled]
app-shells/bash: 4.3_p48-r1::gentoo
dev-java/java-config: 2.2.0-r3::gentoo
dev-lang/perl: 5.22.3_rc4::gentoo
dev-lang/python: 2.7.12::gentoo, 3.4.5::gentoo
dev-util/ccache: 3.2.4::gentoo
dev-util/cmake: 3.7.2::gentoo
dev-util/pkgconfig: 0.28-r2::gentoo
sys-apps/baselayout: 2.3::gentoo
sys-apps/openrc: 0.23.2::gentoo
sys-apps/sandbox: 2.10-r3::gentoo
sys-devel/autoconf: 2.69::gentoo
sys-devel/automake: 1.15::gentoo
sys-devel/binutils: 2.26.1::gentoo
sys-devel/gcc: 4.9.4::gentoo
sys-devel/gcc-config: 1.7.3::gentoo
sys-devel/libtool: 2.4.6-r3::gentoo
sys-devel/make: 4.2.1::gentoo
sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers)
sys-libs/glibc: 2.23-r3::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

gitlab
    location: /var/lib/layman/gitlab
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -fomit-frame-pointer -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind /var/www/localhost/htdocs/roundcube/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.6/ext-active/ /etc/php/apache2-php7.0/ext-active/ /etc/php/cgi-php5.6/ext-active/ /etc/php/cgi-php7.0/ext-active/ /etc/php/cli-php5.6/ext-active/ /etc/php/cli-php7.0/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -fomit-frame-pointer -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="ftp://mirror.leaseweb.com/gentoo/ rsync://mirror.leaseweb.com/gentoo/ http://mirror.leaseweb.com/gentoo/ ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo http://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.halifax.rwth-aachen.de/gentoo/ rsync://mirror.netcologne.de/gentoo/ http://ftp.halifax.rwth-aachen.de/gentoo/ http://mirror.netcologne.de/gentoo/"
LANG="en_US.utf8"
LC_ALL="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl acpi amd64 apache2 authdaemond berkdb bind-mysql bzip2 cli cracklib crypt cryptsetup curl cxx dri exif expat extensions ftp gd gdbm hardened iconv imagemagick imap innodb ipv6 javascript justify logrotate maildir memlimit mime mmxext modules multilib mysql ncurses nls nptl openmp pam pax_kernel pcre perl php pie python readline sasl seccomp session shaper sockets softquota spf sqlite srs ssl ssp suhosin svg tcpd threads unicode urandom xattr xml xsl xtpax zlib"
ABI_X86="64"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_core authn_dbd authn_dbm authn_default authn_file authz_core authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so slotmem_shm socache_shmcb speling status unique_id unixd userdir usertrack vhost_alias"
APACHE2_MPMS="prefork"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
CPU_FLAGS_X86="aes avx avx2 fma3 mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx"
INPUT_DEVICES="libinput keyboard mouse"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-6 php7-0"
PYTHON_SINGLE_TARGET="python2_7"
PYTHON_TARGETS="python2_7 python3_4"
RUBY_TARGETS="ruby21"
USERLAND="GNU"
VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
I noticed problems with qemu-2.8.0-r9 in a bridged network setup too. Some details:

Only guests with vga passthrough seem to be affected. Guests with qxl graphics worked fine.
DNS works, ICMP works. While trying to download anything, wget simply stalls after printing "HTTP request sent, awaiting response..."
After I remove the host user from the kvm group (and relogin), everything works fine again in all guests. This is the opposite of what is recommended in elog.

The problem must have been introduced somewhere between 2.8.0-r3 (which worked) and 2.8.0-r9.
I'm running 2.8.0-r9 and I have no problems. However I'm not running the hardened kernel.
(In reply to Agostino Sarubbo from comment #2)
> I'm running 2.8.0-r9 and I have no problems. However I'm not running the
> hardened kernel.

I verified on hardened too. It works for me where both host and guest have a hardened userland and kernel. The kernel version is 4.8.12-hardened-r1.
If I can provide anything to reproduce this, let me know. I tried various kernels, restored various backups, even tried a non-hardened kernel once on both host/guest, but couldn't resolve this or find any indication why this would happen after 8h of downtime. I was just glad I could get the systems back up before Monday morning by downgrading to qemu-2.6. I believe it's related to hardened userland, as I'm running 2.8.0-r9 without issues in my local non-hardened environment.
Also worth noting: in one of the test runs I tried the current livecd on the same hardened host, and there networking appeared to work. It wasn't an extensive test though, I just briefly checked ICMP.
I can confirm that on my libvirt server with 10 vms, including Gentoo, RHEL, Windows 2003, Windows 2008, Windows 2012, Windows 2016 and Windows 10, and 3 different VLANs over an LACP link, there are no network issues. I run a hardened system on the host and on the Gentoo VMs.
(In reply to Jorge Manuel B. S. Vicetto from comment #6)
> I can confirm that on my libvirt server with 10 vms, including Gentoo, RHEL,
> Windows 2003, Windows 2008, Windows 2012, Windows 2016 and Windows 10, and 3
> different VLANs over an LACP link, there are no network issues.
> I run a hardened system on the host and on the Gentoo VMs.

Is it possible for you to share your host & guest kernel config and useflags? Then I could try to narrow down the cause.
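The report above pastes a host and a guest `emerge --info` dump, and this comment asks for USE flags to narrow down the difference between a working and a broken setup. The following is an added example, not part of the bug report or of Gentoo's own tooling: a small parser for the two line shapes `emerge --info` prints (`VAR="value"` assignments and `category/pkg: versions` lines) plus diff helpers that compare flag sets rather than raw strings, so that CFLAGS listing the same flags in a different order or with duplicates (as the host dump does) is not reported as a difference. The embedded `HOST_INFO` and `GUEST_INFO` strings are constructed, shortened excerpts modelled on the dumps in the report; all function names are my own.

```python
"""Diff two `emerge --info` dumps (e.g. host vs guest) to find environment differences."""
import re
from typing import Dict, Set, Tuple

# Constructed sample input: shortened excerpts in the shape of the host and guest
# dumps quoted in the report (a handful of lines each, not the full output).
HOST_INFO = """\
Portage 2.3.3 (python 3.4.5-final-0, hardened/linux/amd64, gcc-4.9.4, glibc-2.23-r3, 4.8.17-hardened-r2 x86_64)
=================================================================
System uname: Linux-4.8.17-hardened-r2-x86_64-with-gentoo-2.3
sys-devel/gcc: 4.9.3::gentoo, 4.9.4::gentoo
sys-libs/glibc: 2.23-r3::gentoo
ACCEPT_KEYWORDS="amd64"
CFLAGS="-O2 -pipe -march=native -O2 -pipe -fomit-frame-pointer"
MAKEOPTS="-j8"
USE="acl amd64 hardened kvm libvirt pax_kernel pie qemu seccomp ssp xtpax"
"""

GUEST_INFO = """\
Portage 2.3.3 (python 3.4.5-final-0, hardened/linux/amd64, gcc-4.9.4, glibc-2.23-r3, 4.8.17-hardened-r2 x86_64)
=================================================================
System uname: Linux-4.8.17-hardened-r2-x86_64-with-gentoo-2.3
sys-devel/gcc: 4.9.4::gentoo
sys-libs/glibc: 2.23-r3::gentoo
ACCEPT_KEYWORDS="amd64"
CFLAGS="-march=native -fomit-frame-pointer -O2 -pipe"
MAKEOPTS="-j4"
USE="acl acpi amd64 apache2 hardened mysql pax_kernel php pie seccomp ssp xtpax"
"""

# VAR="value" lines (USE, CFLAGS, FEATURES, ...) and "category/pkg: versions" lines.
VAR_RE = re.compile(r'^([A-Z][A-Z0-9_]*)="(.*)"$')
PKG_RE = re.compile(r'^([a-z0-9-]+/[A-Za-z0-9_+.-]+):\s+(.*)$')


def parse_emerge_info(text: str) -> Dict[str, Dict[str, str]]:
    """Return {"vars": {NAME: value}, "packages": {cat/pkg: versions}} for one dump.

    Header lines (Portage banner, uname, repository block) match neither pattern
    and are skipped; "System uname:" has no slash before the colon, so it is not
    mistaken for a package line.
    """
    info: Dict[str, Dict[str, str]] = {"vars": {}, "packages": {}}
    for line in text.splitlines():
        line = line.strip()
        m = VAR_RE.match(line)
        if m:
            info["vars"][m.group(1)] = m.group(2)
            continue
        m = PKG_RE.match(line)
        if m:
            info["packages"][m.group(1)] = m.group(2)
    return info


def flag_set(info: Dict[str, Dict[str, str]], var: str = "USE") -> Set[str]:
    """Whitespace-separated variable (USE, CFLAGS, FEATURES, ...) as a set of tokens."""
    return set(info["vars"].get(var, "").split())


def diff_flags(a, b, var: str = "USE") -> Tuple[Set[str], Set[str]]:
    """(tokens only in a, tokens only in b); order and duplicates are ignored."""
    fa, fb = flag_set(a, var), flag_set(b, var)
    return fa - fb, fb - fa


def diff_vars(a, b) -> Dict[str, Tuple[str, str]]:
    """Variables whose raw string differs or that are set on only one side."""
    keys = set(a["vars"]) | set(b["vars"])
    return {k: (a["vars"].get(k), b["vars"].get(k))
            for k in sorted(keys) if a["vars"].get(k) != b["vars"].get(k)}


def diff_packages(a, b) -> Dict[str, Tuple[str, str]]:
    """Toolchain/system packages whose installed versions differ between the dumps."""
    keys = set(a["packages"]) | set(b["packages"])
    return {k: (a["packages"].get(k), b["packages"].get(k))
            for k in sorted(keys) if a["packages"].get(k) != b["packages"].get(k)}


if __name__ == "__main__":
    host, guest = parse_emerge_info(HOST_INFO), parse_emerge_info(GUEST_INFO)
    only_host, only_guest = diff_flags(host, guest)
    print("USE only on host: ", " ".join(sorted(only_host)))
    print("USE only on guest:", " ".join(sorted(only_guest)))
    for name, (h, g) in diff_vars(host, guest).items():
        print(f"{name}: host={h!r} guest={g!r}")
    for pkg, (h, g) in diff_packages(host, guest).items():
        print(f"{pkg}: host={h} guest={g}")
```

Run it against two saved dumps by replacing the embedded samples with `open(path).read()`. `diff_vars` flags CFLAGS because the raw strings differ, while `diff_flags(host, guest, "CFLAGS")` reports no difference, which is the distinction that matters when comparing build environments.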
For reference, this issue https://bbs.archlinux.org/viewtopic.php?id=221434 describes exactly what I have been experiencing as well, and it doesn't even involve hardened. I didn't check against `rtl8139` yet though.
From your last comments, and if this is affecting Windows VMs with the virtio driver, don't forget you may need to update it to the latest version. I've had in the past a VM lose network access because I was using an old version of the virtio drivers. After an update it started working correctly again. You could try to confirm this is the issue by running a Linux live-cd inside a VM and testing the network connectivity.
Created attachment 469096 [details] hardened-sources-4.7.10 host config

Kernel config file for the host.
Created attachment 469098 [details] hardened-sources-4.7.10 vm config

Kernel config for a VM.
Created attachment 469100 [details] net config

The /etc/conf.d/net config file for the host. The bond4, br{10-12} and bond4.{10-25} interfaces are duplicates of the bond1, br{0-2} and bond1.{10-25} interfaces. I'm in the process of migrating from an old LACP link with 4 * 1GB links to an LACP link with 2 * 10GB links.
(In reply to Jorge Manuel B. S. Vicetto from comment #9)
> From your last comments, and if this is affecting Windows VMs with the
> virtio driver

No, it's all hardened-4.8.12-r2, both host & guest, see also `emerge --info` attached. It's just the same broken behaviour outlined in that post (can't even ping between host/guest). Btw, this is not a new system. The host has been productive on qemu/kvm since `hardened-2.6.35-r1` & `qemu-kvm-0.12.5-r1`. The guest system has been productive since `hardened-2.6.23-r4`. Both systems are updated often and I have never seen breakage of that kind. There's not a shadow of a doubt that `qemu-2.8.0` is at least the trigger for this weird behaviour, as I can simply go from working flawlessly to entirely broken by simply switching between `qemu-2.8.0` and any older stable version. Thanks for providing the config, I will do some tests, but this will take me a while to complete.
Created attachment 469354 [details] 4.8.17-hardened-r2 guest kernel config for replication

I narrowed it down to the guest kernel config. Let me know if you can see the issue when using that one.
As a side note, this guest always freezes entirely on soft reboot with `qemu-2.8.0` (also with the vm config that does not expose the networking issue). That's another critical issue for this configuration.
The issue does not occur with qemu-9999, only 2.8.0-r9.
Adjusting importance to normal.
All, please test again with qemu-2.9.0.
`2.9.0` fixes this issue for me. Soft reboot is still broken for all versions >= 2.7.1 including HEAD.
Correction: soft reboot is broken for all versions >= 2.8.0
Well, 2.9.0 does not have any significant patch sets yet, so it might be best to investigate that issue by bisecting the sources and reporting the issue upstream.
https://bugs.gentoo.org/show_bug.cgi?id=617232, marking this one as resolved.