libvirtd issue with listen_addr and virbr0

In order to prevent external systems from talking to my libvirtd service, I tried limiting the listening address to the default virbr0, 192.168.122.1. So in /etc/libvirt/libvirtd.conf, I put:

listen_addr = "192.168.122.1"

After rebooting, my libvirtd service wouldn’t start. From /var/log/messages:

Jul  6 11:33:06 localhost systemd: Starting Virtualization daemon...
Jul  6 11:33:06 localhost libvirtd: 12436: info : libvirt version: 1.1.3.5, package: 2.fc20 (Fedora Project, 2014-05-19-22:55:50, buildvm-04.phx2.fedoraproject.org)
Jul  6 11:33:06 localhost libvirtd: 12436: warning : virDriverLoadModule:73 : Module /usr/lib64/libvirt/connection-driver/libvirt_driver_xen.so not accessible
Jul  6 11:33:06 localhost libvirtd: 12436: warning : virDriverLoadModule:73 : Module /usr/lib64/libvirt/connection-driver/libvirt_driver_libxl.so not accessible
Jul  6 11:33:06 localhost libvirtd: 12436: warning : virDriverLoadModule:73 : Module /usr/lib64/libvirt/connection-driver/libvirt_driver_lxc.so not accessible
Jul  6 11:33:06 localhost libvirtd: 12436: warning : virDriverLoadModule:73 : Module /usr/lib64/libvirt/connection-driver/libvirt_driver_uml.so not accessible
Jul  6 11:33:06 localhost libvirtd: 12436: warning : virDriverLoadModule:73 : Module /usr/lib64/libvirt/connection-driver/libvirt_driver_vbox.so not accessible
Jul  6 11:33:06 localhost libvirtd: 12436: error : virNetSocketNewListenTCP:283 : Unable to bind to port: Cannot assign requested address
Jul  6 11:33:06 localhost libvirtd: 12436: error : netcfStateCleanup:105 : internal error: Attempt to close netcf state driver already closed
Jul  6 11:33:06 localhost systemd: libvirtd.service: main process exited, code=exited, status=6/NOTCONFIGURED
Jul  6 11:33:06 localhost systemd: Failed to start Virtualization daemon.
Jul  6 11:33:06 localhost systemd: Unit libvirtd.service entered failed state.
Jul  6 11:33:06 localhost systemd: libvirtd.service holdoff time over, scheduling restart.
Jul  6 11:33:06 localhost systemd: Stopping Virtualization daemon...

After some troubleshooting, I noticed that virbr0 wasn’t plumbed. So I commented out my listen_addr line in libvirtd.conf, and the service came back up.

It seems there’s a sequencing error here. virbr0 is getting started after the listen logic is handled. This seems like a bug to me, but the workaround is easy — just let libvirtd bind to all your interfaces, then control access with iptables.
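The "Cannot assign requested address" error in the log above is EADDRNOTAVAIL: the configured address is not on any interface at the moment libvirtd tries to bind. As an added example (not code from the original post or from libvirt), this Python preflight reads listen_addr from config text and reports whether that address can be bound right now; the function names and the sample config are constructed for illustration.

```python
import errno
import re
import socket

# Constructed sample mirroring the setting shown in the post.
SAMPLE_CONF = '''
#listen_tcp = 1
listen_addr = "192.168.122.1"
'''

def parse_listen_addr(conf_text):
    """Return the first active (uncommented) listen_addr value, or None."""
    for line in conf_text.splitlines():
        m = re.match(r'\s*listen_addr\s*=\s*"([^"]*)"', line)
        if m:
            return m.group(1)
    return None

def classify(exc):
    """Map a bind() OSError to the condition an operator has to fix."""
    if exc.errno == errno.EADDRNOTAVAIL:
        return "address-not-assigned"  # interface not up yet: the post's case
    if exc.errno == errno.EADDRINUSE:
        return "port-in-use"
    if exc.errno in (errno.EACCES, errno.EPERM):
        return "permission-denied"
    return "other"

def check_bind(addr, port=0):
    """Try to bind a TCP socket to addr; return 'bindable' or a classify() label."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        try:
            s.bind((addr, port))  # port 0 = any free port; only the address is tested
        except OSError as exc:
            return classify(exc)
    return "bindable"

if __name__ == "__main__":
    addr = parse_listen_addr(SAMPLE_CONF)
    print(addr, "->", check_bind(addr))
```

On a host where virbr0 has not been brought up yet, this prints "address-not-assigned" for 192.168.122.1, the same condition that made libvirtd exit at boot.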
