On Sat, Jun 22, 2024 at 07:42:00PM +0000, procmem@xxxxxxxxxx wrote:
>
>
> On 6/19/24 18:30, Daniel P. Berrangé wrote:
> > On Wed, Jun 19, 2024 at 06:21:29PM -0000, procmem@xxxxxxxxxx wrote:
> > > Hi, we are trying to document a way for our users to run libvirt without
> > > dnsmasq to reduce attack surface on the host. We are aware that the
> > > default network uses it but plan to disable that and use our own custom
> > > configured networks instead. Uninstalling dnsmasq causes libvirt to
> > > refuse to start even if the default network is no longer running.
> > > Is this possible or is this something that needs code changes upstream?
> >
> > The virtual network driver validates existence of dnsmasq at startup,
> > but nothing requires you to actually run the virtual network driver,
> > if you're intending to do your own thing with network setup.
> >
> > It sounds like you're using the old monolithic 'libvirtd' daemon. We
> > always build libvirt with modules support, so all drivers are dlopen'd
> > on startup.
> >
>
> How to check that?
>
> > Thus if you're not intending to use the libvirt virtual network feature,
> > simply don't install its module, and then libvirtd will see the module
> > doesn't exist, and skip the dlopen.
> >
>
> That sounds like something people would do who compile from source code?
>
> We're using libvirtd (9.0.0-4) from Debian package sources. [1]

This is possible on Fedora/RHEL with the RPM packages, but it seems
Debian just bundles it all into one package :-(

https://packages.debian.org/bookworm/amd64/libvirt-daemon/filelist

> > If you're using the new modular daemons, then even if installed, the
> > virtnetworkd daemon won't get launched unless some guest is configured
> > to use it. So if you're intending to set up network bridges yourself,
> > virtnetworkd shouldn't run.
> >
> That is libvirtd 9.x or 10.x?
>
> Is there a chance that something is wrong with the libvirtd compilation
> settings by Debian's packaging?
>
> [1] packages.debian.org/bookworm/libvirt-daemon

Yes, it seems Debian is intentionally not shipping them :-(

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|