#1797 closed defect (fixed)
won't open host network interface => change TAP group setting
Reported by: | Andrew Schulman | Owned by: | |
---|---|---|---|
Component: | network | Version: | VirtualBox 1.6.2 |
Keywords: | VERR_HOSTIF_INIT_FAILED | Cc: | |
Guest type: | other | Host type: | Linux |
Description
I have the dreaded "Failed to open host network interface" problem. I'm using Host Interface networking on a Linux host (Debian AMD64, custom 2.6.24 kernel), with a tap device named vbox0 bridged to lan:
```
$ brctl show lan
bridge name     bridge id               STP enabled     interfaces
lan             8000.00161711ac84       no              lan0
                                                        vbox0
```
When user andrex tries to start the VM, it fails with the following VBox.log:
```
00:00:15.216 VirtualBox 1.6.2 r31466 linux.amd64 (May 31 2008 17:30:23) release log
00:00:15.216 Log opened 2008-07-02T15:28:43.546408000Z
00:00:15.230 VRDP: TCP server listening on port 33891.
00:00:15.238 SUP: Loaded VMMR0.r0 (/usr/lib/virtualbox/VMMR0.r0) at 0xffffffff88d44900 - ModuleInit at ffffffff88d50590 and ModuleTerm at ffffffff88d50560
00:00:15.238 SUP: VMMR0EntryEx located at ffffffff88d50300, VMMR0EntryFast at ffffffff88d505e0 and VMMR0EntryInt at ffffffff88d4fb30
00:00:15.256 Failed to open the host network interface vbox0
00:00:15.256 ERROR [COM]: aRC=NS_ERROR_FAILURE (0x80004005) aIID={d5a1cbda-f5d7-4824-9afe-d640c94c7dcf} aComponent={Console} aText={Failed to open the host network interface vbox0} aWarning=false, preserve=false
00:00:15.257 ERROR [COM]: aRC=NS_ERROR_FAILURE (0x80004005) aIID={d5a1cbda-f5d7-4824-9afe-d640c94c7dcf} aComponent={Console} aText={Failed to initialize Host Interface Networking.
00:00:15.257 VBox status code: -3100 (VERR_HOSTIF_INIT_FAILED)} aWarning=false, preserve=false
00:00:15.262 Power up failed (vrc=VERR_HOSTIF_INIT_FAILED, hrc=NS_ERROR_FAILURE (0X80004005))
00:00:16.862 VRDP: TCP server closed.
```
andrex is a member of the group vboxusers, which has read/write permission on /dev/net/tun:
```
$ ll /dev/net
total 0
crw-rw---- 1 root vboxusers 10, 200 2008-06-15 14:52 tun
```
A few other data points:
- I tried `chmod 0666 /dev/net/tun`, but it didn't help.
- root can run this VM, but no other users can AFAICT. So it sure seems like a permission problem, but permissions on interfaces and bridges are hard to debug since they apparently only live in kernel memory. syslog and kern.log provide no useful information.
- I applied the patch described in http://www.virtualbox.org/ticket/1714, and that does solve one problem, but `/etc/init.d/vboxnet start` works correctly now and the problem still isn't resolved.
- This VM used to work fine with the same configuration. I upgraded my kernel a few weeks ago, and probably upgraded some system tools around the same time, and now I can't get past this problem.
Any help would be much appreciated, as I'm currently dead in the water with this VM. NAT networking isn't an option because it doesn't allow me to read Samba shares.
Thanks, Andrew.
Attachments (4)
Change History (41)
comment:1 by , 16 years ago
Host type: | other → Linux |
---|
comment:2 by , 16 years ago
Component: | other → network |
---|---|
Description: | modified (diff) |
comment:4 by , 16 years ago
I just upgraded to kernel 2.6.25, and I'm no longer able to reproduce this problem. Members of the vboxusers group can start the VM, and host interface networking works fine.
comment:5 by , 16 years ago
I'm now using VirtualBox 1.6.4. I now have two VMs, both using host interface networking, connected to the same bridge:
```
$ brctl show lan
bridge name     bridge id               STP enabled     interfaces
lan             8000.00161711ac84       no              lan0
                                                        vbox-TinyXP
                                                        vbox-Win2K
```
The problem now occurs on one of the two VMs:
VM name | Guest OS | Interface name | Works for ordinary user? |
---|---|---|---|
Win2K | Win2K | vbox-Win2K | Yes |
TinyXP | none yet | vbox-TinyXP | No |
So, host-only networking:
- works for ordinary users (in the virtualbox group) with only some interfaces.
- always works for root.
- used to not work on the vbox-Win2K interface, but started working at some point, maybe coincidentally when I upgraded my kernel.
This sure reads like some kind of permission problem on the host interfaces, but I don't know what that would be. I'm not able to find any information about any such permissions.
```
$ ls -l /dev/net/tun
crw-rw---- 1 root vboxusers 10, 200 2008-08-30 13:38 /dev/net/tun
```
Thanks, Andrew.
comment:6 by , 16 years ago
This problem is still present in version 2.0.0.
Can someone please update the version field in the ticket? I'm not able to do that. Thanks, Andrew.
comment:7 by , 16 years ago
I am having the same problem.
VirtualBox 2.0.2_OSE running on fully patched Slackware Linux 12.1 running a 2.6.27 kernel.
I have no problems whatsoever creating the TAP device:
```
10:28:32 vboxhost:~$ /etc/rc.d/rc.tap start
Starting TAP: tap0
Set 'tap0' persistent and owned by uid 0 gid 215
```
```
crw-rw-rw- 1 root vboxusers 10, 200 2008-10-14 17:40 /dev/net/tun
```
But if anyone but root tries to start a guest OS (in fact, this is without even a guest OS, this is with an untouched fresh VBox disk), the following log is produced:
```
00:04:10.815 VirtualBox 2.0.2_OSE r12420 linux.x86 (Oct 14 2008 09:21:28) release log
00:04:10.815 Log opened 2008-10-15T09:28:51.096351000Z
00:04:10.815 OS Product: Linux
00:04:10.815 OS Release: 2.6.27-smp-vboxhost
00:04:10.815 OS Version: #1 SMP Mon Oct 13 17:22:15 BST 2008
00:04:10.820 Your keyboard layout does not appear to fully supported by
00:04:10.820 VirtualBox. If you would like to help us improve the product,
00:04:10.820 please submit a bug report and attach this logfile.
00:04:10.820
00:04:10.820 The correct table for your layout is:
00:04:10.820 "`\xac","1!","2\"","3\xa3","4$","5%","6","7&","8*","9(","0)","-_","=+",
00:04:10.820 "qQ","wW","eE","rR","tT","yY","uU","iI","oO","pP","[{","]}",
00:04:10.820 "aA","sS","dD","fF","gG","hH","jJ","kK","lL",";:","'@","#~",
00:04:10.820 "zZ","xX","cC","vV","bB","nN","mM",",<",".>","/?","\|","\x0\x0","\x0\x0"
00:04:10.821
00:04:10.832 SUP: Loaded VMMR0.r0 (/usr/lib/virtualbox/VMMR0.r0) at 0xfa7f9060 - ModuleInit at fa8065f0 and ModuleTerm at fa8065b0
00:04:10.832 SUP: VMMR0EntryEx located at fa806370, VMMR0EntryFast at fa806640 and VMMR0EntryInt at fa8059d0
00:04:10.871 Failed to open the host network interface tap0
00:04:10.871 ERROR [COM]: aRC=NS_ERROR_FAILURE (0x80004005) aIID={d5a1cbda-f5d7-4824-9afe-d640c94c7dcf} aComponent={Console} aText={Failed to open the host network interface tap0} aWarning=false, preserve=false
00:04:10.874 ERROR [COM]: aRC=NS_ERROR_FAILURE (0x80004005) aIID={d5a1cbda-f5d7-4824-9afe-d640c94c7dcf} aComponent={Console} aText={Failed to initialize Host Interface Networking.
00:04:10.874 VBox status code: -3100 (VERR_HOSTIF_INIT_FAILED)} aWarning=false, preserve=false
00:04:10.883 Power up failed (vrc=VERR_HOSTIF_INIT_FAILED, hrc=NS_ERROR_FAILURE (0X80004005))
```
follow-up: 9 comment:8 by , 16 years ago
Problem persists in version 2.0.2. Can someone please update the version field in the ticket?
Also, jennic is right, the problem happens even before any OS is installed, with a fresh VBox disk. In my case it happens with some interfaces, but not with one.
Thanks, Andrew.
comment:9 by , 16 years ago
I have the same problem, but managed to deal with it. Apparently, being a member of group vboxusers is not enough. When I start VirtualBox from the command line (I'm using Debian Linux, BTW), I get the following error when trying to start a VM:
Failed to initialize Host Interface Networking. VBox status code: -3100 (VERR_HOSTIF_INIT_FAILED).
However, if I issue 'newgrp vboxusers' before starting VirtualBox, everything works fine. Furthermore, if after 'newgrp vboxusers' I issue 'newgrp whateverothergroup', the problem returns. I think this is a bug in VirtualBox.
comment:10 by , 16 years ago
bello, please add the current user permanently to the group vboxusers. This is explained in the user manual.
comment:11 by , 16 years ago
frank, in each case we have ensured that the user in question is a member of the vboxusers group, including bello when he says "Apparently, being a member of group vboxusers is not enough".
I did see mention somewhere of there possibly being an issue with the way the kernel handles permissions and why it is hard to debug because the kernel holds permissions in memory only, but I can't remember where I saw it. It might make sense that for some reason the kernel is not picking up the group membership correctly and so using the newgrp command might be a method of forcing the kernel to pick this information up.
Thank you for the suggestion bello, I will try it when I get to work tomorrow and report back to see if it solves the problem.
comment:12 by , 16 years ago
Right, I missed that part. Which Linux distribution is that? I assume that you are not trying to start VBox as root, am I correct?
comment:13 by , 16 years ago
OK, this is bizarre. It does not make sense. But to my amazement, it's true.
```
$ whoami
andrex
$ groups
parents dialout cdrom floppy tape audio dip backup video plugdev staff users lpadmin scanner camera fuse drupaldev ckdev vboxusers
$ VirtualBox
[ start VM -> fails with VERR_HOSTIF_INIT_FAILED ]
$ newgrp vboxusers
$$ groups
vboxusers dialout cdrom floppy tape audio dip backup video plugdev staff users lpadmin scanner camera fuse drupaldev ckdev parents
$$ VirtualBox
[ start VM -> succeeds! ]
```
I'm going to hazard a guess here: VirtualBox is only checking the first element of the user's group vector. In the first case above it's not vboxusers, and access to the interface is denied. In the second case it is vboxusers, and access succeeds.
Nice catch, bello. Andrew.
comment:14 by , 16 years ago
I still would like to know which Linux distribution we are talking about. And no, VirtualBox is not checking any group vector. It just tries to open `/dev/net/tun` which either succeeds or fails.
comment:15 by , 16 years ago
OK. Mine is Debian, with a custom 2.6.26 kernel. I'm attaching my kernel config.
comment:16 by , 16 years ago
As above, I'm running Slackware 12.1 with a custom 2.6.27 kernel that is very similar to the stock Slackware generic kernel + defaults from make oldconfig but with dynticks etc. enabled to allow for PowerTOP.
Kernel config attached.
It should be noted that there is some precedent for this type of behaviour. In a Solaris 7 environment still running here, access permissions are only checked against the first 8 groups, if the relevant group is not found in the first 8, then access is denied.
comment:17 by , 16 years ago
Could those experiencing this problem try executing `touch /dev/net/tun` to see whether or not this produces an error?
comment:18 by , 16 years ago
No error for me.
However, I'm looking into the possibility that my problem may be unrelated having not first used VBoxAddIF to add the tap interface to the VirtualBox config. I have suddenly come across this instruction having not previously seen it in any setup documentation I've seen so far.
comment:19 by , 16 years ago
No error for me.
```
$ whoami
andrex
$ ls -l /dev/net/tun
crw-rw---- 1 root vboxusers 10, 200 2008-09-10 17:23 /dev/net/tun
$ touch /dev/net/tun
$ ls -l /dev/net/tun
crw-rw---- 1 root vboxusers 10, 200 2008-10-16 04:10 /dev/net/tun
```
comment:20 by , 16 years ago
Ok, I can confirm that adding VBoxAddIF to the end of my start script does indeed solve my problem, but I don't think newgrp did. I may perhaps be experiencing a different issue.
If anyone might be able to clarify, I am attaching my rc.tap file that is my initialisation script for my bridged interface.
By the way, I am also very unclear as to why a username must be provided for use of the bridge. Surely it would be possible to provide a group name? Currently, if I wanted to provide another user access to the bridge, I would have to replace the username in the init script...(!)
comment:21 by , 16 years ago
I am using Debian testing (Lenny), with a 2.6.26 kernel straight from the distribution (Debian package linux-image-2.6.26-1-686, version 2.6.26-5), and I have access to /dev/net/tun:
$ ls -l /dev/net/tun crw-rw---- 1 root vboxusers 10, 200 Out 16 08:52 /dev/net/tun $ touch /dev/net/tun $ ls -l /dev/net/tun crw-rw---- 1 root vboxusers 10, 200 Out 16 09:00 /dev/net/tun
Group vboxusers is #5 on my list. Running VBoxAddIF before VirtualBox does not help:
$ sudo VBoxAddIF vbox0 -g vboxusers br0 VirtualBox host networking interface creation utility, version 1.6.2_OSE (C) 2005-2007 Sun Microsystems, Inc. All rights reserved.
Creating the permanent host networking interface "vbox0" for group vboxusers. $ VirtualBox # (VERR_HOSTIF_INIT_FAILED when trying to run the VM) $ newgrp vboxusers $ VirtualBox # (runs OK) $ newgrp $ VirtualBox # (VERR_HOSTIF_INIT_FAILED when trying to run the VM)
Would it be possible to make VirtualBox change to group vboxusers before trying to open /dev/net/tun?
comment:22 by , 16 years ago
Sorry about the last post. Forgot to format it properly:
I am using Debian testing (Lenny), with a 2.6.26 kernel straight from the distribution (Debian package linux-image-2.6.26-1-686, version 2.6.26-5), and I have access to /dev/net/tun:
```
$ ls -l /dev/net/tun
crw-rw---- 1 root vboxusers 10, 200 Out 16 08:52 /dev/net/tun
$ touch /dev/net/tun
$ ls -l /dev/net/tun
crw-rw---- 1 root vboxusers 10, 200 Out 16 09:00 /dev/net/tun
```
Group vboxusers is #5 on my list. Running VBoxAddIF before VirtualBox does not help:
```
$ sudo VBoxAddIF vbox0 -g vboxusers br0
VirtualBox host networking interface creation utility, version 1.6.2_OSE
(C) 2005-2007 Sun Microsystems, Inc.
All rights reserved.

Creating the permanent host networking interface "vbox0" for group vboxusers.
$ VirtualBox # (VERR_HOSTIF_INIT_FAILED when trying to run the VM)
$ newgrp vboxusers
$ VirtualBox # (runs OK)
$ newgrp
$ VirtualBox # (VERR_HOSTIF_INIT_FAILED when trying to run the VM)
```
Would it be possible to make VirtualBox change to group vboxusers before trying to open /dev/net/tun?
comment:23 by , 16 years ago
jennic, back to your problem: Of course you should use `VBoxAddIF`. Your original posting from 10/15/08 showed that the TAP device was successfully created and owned by uid 0 which means owned by root of course. If you use `VBoxAddIF` then the TAP interface is assigned to the correct user.
To bello and andrex: I still was not able to reproduce your problem. I just tested 2.0.2 on Debian/Sid with Linux 2.6.26.6 (self-compiled kernel) and everything was fine as it should. It does not matter for me at which position `vboxusers` is placed in the groups list.
comment:24 by , 16 years ago
frank, thanks for looking into this. Maybe a diff of my and bello's kernel configs against yours would suggest a suspect?
comment:25 by , 16 years ago
I don't think the problem is with /dev/net/tun or /dev/vboxdrv:
```
$ ls -l /dev/net/tun /dev/vboxdrv
crw-rw---- 1 root vboxusers 10, 200 Out 16 09:00 /dev/net/tun
crw-rw---- 1 root vboxusers 10, 60 Out 15 15:43 /dev/vboxdrv
$ VirtualBox # (VERR_HOSTIF_INIT_FAILED when trying to run the VM)
$ sudo chown bello /dev/net/tun /dev/vboxdrv
$ ls -l /dev/net/tun /dev/vboxdrv
crw-rw---- 1 bello vboxusers 10, 200 Out 16 09:00 /dev/net/tun
crw-rw---- 1 bello vboxusers 10, 60 Out 15 15:43 /dev/vboxdrv
$ VirtualBox # (VERR_HOSTIF_INIT_FAILED when trying to run the VM)
$ sudo chmod 666 /dev/net/tun /dev/vboxdrv
$ ls -l /dev/net/tun /dev/vboxdrv
crw-rw-rw- 1 bello vboxusers 10, 200 Out 16 09:00 /dev/net/tun
crw-rw-rw- 1 bello vboxusers 10, 60 Out 15 15:43 /dev/vboxdrv
$ VirtualBox # (VERR_HOSTIF_INIT_FAILED when trying to run the VM)
$ newgrp vboxusers
$ VirtualBox # (runs OK)
```
I think the problem is somewhere else. Not even if I own the files and they are world-writable does it work. However, changing the order of groups solves the problem.
comment:26 by , 16 years ago
Agreed.
bello and frank, can you please post your kernel configs here, so we can compare them to mine? It seems likely that the problem is due to some kernel feature that both bello and I have enabled and frank has disabled, or vice versa.
comment:27 by , 16 years ago
Currently I can't because I don't have my installation handy. I had a short look at your configuration this afternoon and did not see any relevant differences except perhaps `CONFIG_AUDIT`. But this was only a short look. But bello, please could you do the following:
```
$ sudo chmod u+s /usr/bin/strace
$ strace -f -s128 -o log /usr/lib/virtualbox/VirtualBox -startvm VM_NAME
```
and attach the resulting file log? The `strace` binary has to be `setuid root`, otherwise it will not be possible to strace the `VirtualBox` process.
comment:28 by , 16 years ago
bello: might the problem be that your tap interfaces (vbox0/tap0/whatever) are owned by the group vboxusers?
comment:29 by , 16 years ago
I attached my current kernel configuration. I should have said this earlier, but I am running version 1.6.2_OSE, which is not the latest version. What version are andrex and jennic running? Debian just put out 1.6.6, but the kernel module package virtualbox-ose-modules-2.6.26-1-686 (version 2.6.26+1.6.2-dfsg-4) was not updated, so after upgrading to 1.6.6 (about an hour ago) I had to downgrade back to 1.6.2. I wonder if the problem occurs with recent versions of VirtualBox.
michael: I think the tap interface is supposed to be owned by group vboxusers.
frank: strace didn't work:
```
$ strace -f -s128 -o log /usr/lib/virtualbox/VirtualBox -startvm Win98
/usr/lib/virtualbox/VirtualBox: error while loading shared libraries: VBoxKeyboard.so: cannot open shared object file: No such file or directory
```
comment:30 by , 16 years ago
Andrex, could you help out with an strace dump of VirtualBox 2.0.2?
bello, I was assuming that you are using the 2.0.2 release. With 1.6.2 please do
```
LD_LIBRARY_PATH=/usr/lib/virtualbox strace -f -s128 -o ~/log /usr/lib/virtualbox/VirtualBox -startvm Win98
```
Please could you all post the content of your /etc/vbox/interfaces file?
comment:32 by , 16 years ago
Still the same problem:
```
$ LD_LIBRARY_PATH=/usr/lib/virtualbox strace -f -s128 -o ~/log /usr/lib/virtualbox/VirtualBox -startvm Win98
/usr/lib/virtualbox/VirtualBox: error while loading shared libraries: VBoxKeyboard.so: cannot open shared object file: No such file or directory
```
Although this works (and then fails with VERR_HOSTIF_INIT_FAILED):
```
$ LD_LIBRARY_PATH=/usr/lib/virtualbox /usr/lib/virtualbox/VirtualBox -startvm Win98
```
Here's my /etc/vbox/interfaces:
```
vbox0 +vboxusers br0
```
follow-up: 34 comment:33 by , 16 years ago
Summary: | won't open host network interface → won't open host network interface => change TAP group setting |
---|
bello, thanks. That was helpful. Actually the problem is your `+vboxusers` setting. We were not aware that a group setting of a TAP device denotes the primary group. But this is indeed forced by the Linux kernel. So change `+vboxusers` to the user name which is starting vbox (without '+') and it should work. I assume that's the case for andrex as well.
Summary: If a tap device is assigned to a group, that must be the primary group. The next major release will make this problem obsolete as we will change the rules a bit. Note that starting with 2.0.0, VirtualBox is started `setuid root` ...
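The rule stated in comment 33 can be checked before a VM is started. The following is an added example, not part of the ticket or of VirtualBox: it reads entries in the format shown in comment 32 and compares each owner with the caller's user name and primary group. The function name `check_tap_owners`, the handling of `#` comment lines and the sample entries are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not VirtualBox code): audit /etc/vbox/interfaces-style entries
# against the rule from comment 33. Line format as shown in comment 32:
#   <tap-name> <user | +group> <bridge>
#
# check_tap_owners FILE [USER PRIMARY_GROUP "ALL GROUPS"]
# The optional arguments default to id(1) output for the current process, so
# the verdict changes after `newgrp`, as in the sessions in this ticket.
# Prints one verdict per interface; returns 1 if any entry would be refused.
# Root is not modelled: the thread reports that root can always attach.
check_tap_owners() {
    cto_file=$1
    cto_user=${2:-$(id -un)}
    cto_primary=${3:-$(id -gn)}
    cto_groups=" ${4:-$(id -Gn)} "
    cto_status=0
    [ -r "$cto_file" ] || { echo "cannot read $cto_file" >&2; return 2; }

    while read -r cto_if cto_owner cto_rest || [ -n "$cto_if" ]; do
        # Blank lines and '#' comments are skipped (comment syntax is assumed).
        case $cto_if in ''|'#'*) continue ;; esac
        case $cto_owner in
            '')
                echo "$cto_if SKIP no owner field" ;;
            +*)
                # Group-owned TAP device: only the primary group counts.
                cto_grp=${cto_owner#+}
                if [ "$cto_grp" = "$cto_primary" ]; then
                    echo "$cto_if OK group $cto_grp is the primary group"
                else
                    case $cto_groups in
                        *" $cto_grp "*)
                            echo "$cto_if FAIL group $cto_grp is only supplementary (primary is $cto_primary)" ;;
                        *)
                            echo "$cto_if FAIL $cto_user is not a member of group $cto_grp" ;;
                    esac
                    cto_status=1
                fi ;;
            *)
                # User-owned TAP device: the owner must be the calling user.
                if [ "$cto_owner" = "$cto_user" ]; then
                    echo "$cto_if OK owned by user $cto_user"
                else
                    echo "$cto_if FAIL owned by user $cto_owner, not $cto_user"
                    cto_status=1
                fi ;;
        esac
    done < "$cto_file"
    return "$cto_status"
}

# Constructed sample: the entry from comment 32 plus a user-owned entry,
# evaluated with a shortened version of the group list from comment 13,
# first as logged in and then as it looks after `newgrp vboxusers`.
cto_demo=$(mktemp)
printf '%s\n' 'vbox0 +vboxusers br0' 'vbox1 andrex br0' > "$cto_demo"
check_tap_owners "$cto_demo" andrex parents "parents dialout vboxusers" || true
check_tap_owners "$cto_demo" andrex vboxusers "vboxusers dialout parents" || true
rm -f "$cto_demo"
```

Run without the optional arguments, the function evaluates the current shell's identity, so it can be called before and after `newgrp` to compare verdicts.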
comment:34 by , 16 years ago
Replying to frank:
> We were not aware that a group setting of a TAP device denotes the primary group. But this is indeed forced by the Linux kernel.

OK, I didn't know that either. Strange, but I guess there must be a good reason.

> So change `+vboxusers` to the user name which is starting vbox (without '+') and it should work. I assume that's the case for andrex as well.

So far I'm not able to confirm this. I've deleted the interface and recreated it owned by andrex, and so far I still get the error. Let me keep working on this for a bit though. Any other restart needed?

> The next major release will make this problem obsolete as we will change the rules a bit.

Not sure how you'll do that, but I'll look forward to the fix. Note that I'm trying to work out a way to share VMs, and group ownership of the interface seems to be an important part of that (though I haven't fully figured out how to do it yet).

> Note that starting with 2.0.0, VirtualBox is started `setuid root` ...

Not on my box:
```
$ lw VirtualBox
lrwxrwxrwx 1 root root 4 2008-09-13 11:54 /usr/bin/VirtualBox -> VBox*
-rwxr-xr-x 1 root root 2384 2008-09-12 11:49 VBox*
```
and I use the .deb from virtualbox.org. Actually I really hope you don't do this-- the current problem aside, VirtualBox works now without SUID root, and changing to SUID root would be a step backwards. But that's another bug report I guess.
Thanks, Andrew.
comment:35 by , 16 years ago
Have a look at VBox and you will find out that this is just a shell script calling the executable `/usr/lib/virtualbox/VirtualBox`. And this one is `setuid root`. Yes, a restart might be required as the script in `/etc/init.d/vboxnet` has to create the tap device with the correct ownership. You might want to check the script yourself and create the tap device yourself with the correct permission during tests.
Regarding setuid in general: This isn't a step backward. Note that the binary `/usr/bin/virtualbox/VirtualBox` is just a small stub which checks the integrity of the required libraries before starting the real application. Then the `/dev/vboxdrv` device is opened and finally the privileges are dropped. And then (with limited privileges) the real binary is loaded and the real application starts. Actually this is a step forwards not backwards as this increases the security. But I don't want to discuss this in this defect.
comment:36 by , 16 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Host networking changed completely with VirtualBox 2.1.0 and VirtualBox 2.2.0.
comment:37 by , 16 years ago
Agreed-- this problem has disappeared in 2.1.0, and networking has become much simpler besides. Thanks, and sorry I didn't follow up sooner to report the problem as fixed.
I just wanted to confirm this.
I have a 64 bit server running openSUSE 11.0 and I installed Virtualbox from the openSUSE repository.
I am not able to get this host networking work, everything just stops before being able to start with the guest installation with "VBox status code: -3100 (VERR_HOSTIF_INIT_FAILED)".
NAT networking works, but it isn't an option since the VM should become a mail server and should be reachable from outside and the smtp port is needed on the host as well.
Since I am quite new to VBox I am trying to get things done as "root", I'll try with another user once I am able to have my VMs running ...
Thanks a lot for your help! Luca