(Replies inlined as requested...)
> libvirtd is running as root, so that should be plenty of permissions.
I assume you can run /usr/local/bin/ovs-vsctl from a root shell,
correct?
Yes.
> Does your system have AppArmor or SELinux installed? Anything in their
logs that could indicate the reason for the denial? Anybody else have an
idea?
Have AppArmor, no SELinux. I did a status on the AppArmor, and I see
that libvirtd was in 'enforce' mode:
# apparmor_status
apparmor module is loaded.
6 profiles are loaded.
6 profiles are in enforce mode.
/sbin/dhclient
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/lib/libvirt/virt-aa-helper
/usr/sbin/libvirtd
/usr/sbin/tcpdump
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
/usr/sbin/libvirtd (6941)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
So I changed the mode across the board to 'complain':
# aa-complain /etc/apparmor.d/*
Setting /etc/apparmor.d/sbin.dhclient to complain mode.
Setting /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper to complain mode.
Setting /etc/apparmor.d/usr.sbin.libvirtd to complain mode.
Setting /etc/apparmor.d/usr.sbin.rsyslogd to complain mode.
Setting /etc/apparmor.d/usr.sbin.tcpdump to complain mode.
# apparmor_status
apparmor module is loaded.
7 profiles are loaded.
0 profiles are in enforce mode.
7 profiles are in complain mode.
/sbin/dhclient
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/lib/libvirt/virt-aa-helper
/usr/sbin/libvirtd
/usr/sbin/rsyslogd
/usr/sbin/tcpdump
2 processes have profiles defined.
0 processes are in enforce mode.
1 processes are in complain mode.
/usr/sbin/libvirtd (6941)
1 processes are unconfined but have a profile defined.
/usr/sbin/rsyslogd (815)
And then virt-manager could indeed attach the VM nic to the defined
network! (used "10-net" on this one, which corresponds to the
"vl10-ovsbr0" fake bridge):
# /usr/local/bin/ovs-vsctl show
3e0d861b-efb7-46b1-af1b-4a76cd833558
Bridge "ovsbr0"
Controller "tcp:127.0.0.1:6633"
is_connected: true
Port "ovsbr0"
Interface "ovsbr0"
type: internal
Port "vnet0" <<<<<<<<<<<
tag: 10 <<<<<<<<<<<
Interface "vnet0"
Port "vl10-ovsbr0"
tag: 10
Interface "vl10-ovsbr0"
type: internal
Port "vl20-ovsbr0"
tag: 20
Interface "vl20-ovsbr0"
type: internal
Yay.
>> The reason I want to use OVS "fake bridges" is to keep it simple for
>> the team that will be using this virtualization server. If they just
>> select the correct libvirt network (which is tied to the OVS "fake
>> bridge") then the ports will be automatically tagged with the correct
>> VLAN. (I think of OVS fake bridges as something akin to VMware "Port
>> Groups" on an OVS level.) I have defined libvirt networks as
detailed
>> in Kyle's blogpost you referenced, but there does not seem to be a
way
>> in the virt-manager UI to select the desired portgroup as defined in
>> the network XML. (Yes, you can edit the VM's XML config and hack the
>> portgroup into there, but that's not what I want these users to have
>> to do...)
>
> Sigh.
>
> Yes, setting up a portgroup in the network definition for each vlan,
then telling the users to select the proper portgroup would be the right
way to do what you want,
> but unfortunately there has been little active development to support
new libvirt features in virt-manager for "awhile" now, and the addition
of portgroups to libvirt
> has happened in the meantime.
>
> If you're familiar with python and would like to add support for that,
I'm sure virt-manager would *gladly* accept a patch. Otherwise,
hopefully there will be some new
> blood in virt-manager, and they'll think this is a good request to
take on.
Sadly I have (very) little python-fu, so no doubt am unqualified to try
to patch virt-manager at this point... (Hopefully someday when I have
more time to dive into Python!)
It would be a great thing to add to the virt-manager UI, IMHO... Is
there a separate list for virt-manager (or is virt-manager, virt-viewer,
etc. devel discussed here?)
Thanks again for your guidance, Laine - community rocks!
Best,
Will
_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
