Whonix KVM dnsmasq - listen port on host operating system - attack surface reduction

I got my Debian Guest VM working without dnsmasq.

1. Removed dnsmasq completely.

2. Tried to start the Guest VM; virt-manager gives an error about dnsmasq missing.

3.Edited “default” network xml file.
added: <dns enable="no"/>
removed: dhcp range

4. Tried to start the Guest VM again, all working.

The same should work with Whonix, since Whonix doesn't need DNS or DHCP.
I hope you guys can fix this in the Whonix network XMLs. That way the attack surface will be reduced.

2 Likes

My experience was different. After uninstalling dnsmasq-base and modifying the default network settings, I ended up with libvirt process instability where it crashed and refused to start up or let the virtual machine manager GUI connect to it until

2 Likes

Done:
KVM: Difference between revisions - Whonix

Could you please report this upstream as a bug?

Went ahead and asked upstream on how to do this if possible

https://lists.libvirt.org/archives/list/users@lists.libvirt.org/thread/PVI6KFUVNUKG6FZK7UOHM5PMSIWNHLNC/

1 Like

Nice! I think we’re onto something here…

Suggestions to include in reply, draft:

> It sounds like you're using the old monolithic 'libvirtd' daemon.

How to check that?

> Thus if you're not intending to use the libvirt virtual network feature,
> simply don't install its module, and then libvirtd will see the module
> doesn't exist, and skip the dlopen.

That sounds like something people would do who compile from source code?

We're using libvirtd (9.0.0-4) from Debian package sources. [1]

> If you're using the new modular daemons,

Is that libvirtd 9.x or 10.x?

Is there a chance that something is wrong with the libvirtd compilation settings by Debian's packaging?

[1] packages.debian.org/bookworm/libvirt-daemon
1 Like

Which Linux distribution did you use? From the user name, I suppose Gentoo.

Which version of libvirtd did you use?

Sent

2 Likes

@Patrick got a reply and it seems that the Debian package maintainers are causing this by the way they choose to put it together. Let’s work on a draft for a request/bug report and I'll go ahead and send it to their tracker.

1 Like

Draft.

to:

submit@debian.org

subject:

Running libvirt without dnsmasq broken due to Debian’s packaging

content:

Package: libvirt-daemon
Severity: normal

Expected behavior:
Running libvirt without dnsmasq should be possible.

Actual behavior:
Libvirt crashes when dnsmasq is not installed by default.

Additional information:
Upstream libvirt confirmed that Debian packages everything into libvirt-daemon. [1] This is apparently not how upstream libvirt has designed it to be. Could you look into it please?

[1] https://lists.libvirt.org/archives/list/users@lists.libvirt.org/thread/PVI6KFUVNUKG6FZK7UOHM5PMSIWNHLNC/

1 Like

https://www.mail-archive.com/debian-bugs-dist%40lists.debian.org/msg1978297.html

1 Like

Debian bug report:
Running libvirt without dnsmasq broken due to Debian’s packaging

Should,

use <dns enable="no"/>? Or unnecessary?

Unnecessary. By omitting it, it is disabled. I believe the availability of DNS on the internal network can easily be tested.

Unfortunately, the assumption that “omitting = disabled” is false.

Quote libvirt: Network XML format

The dns element can have an optional enable attribute Since 2.2.0. If enable is “no”, then no DNS server will be setup by libvirt for this network (and any other configuration in <dns> will be ignored). If enable is “yes” or unspecified (including the complete absence of any <dns> element) then a DNS server will be setup by libvirt to listen on all IP addresses specified in the network’s configuration.

This means, if <dns> is unspecified then a DNS server will be setup by libvirt to listen on all IP addresses specified in the network’s configuration.

So should add <dns enable="no"/>?

Yes then we should go ahead and add this. There is absolutely no need for it.

1 Like

Added pull requests for internal and external:

How to modify the xml and make it work:

Whonix-External:

  • Edit Whonix-External.xml and add <dns enable="no"/> line there:

sudo virsh net-edit Whonix-External

  • Define network Whonix-External with the new changes:

sudo virsh net-define /etc/libvirt/qemu/networks/Whonix-External.xml

  • Restart Whonix-External by stopping and starting it:

sudo virsh net-destroy Whonix-External

sudo virsh net-start Whonix-External

Do the same steps for Whonix-Internal.

1 Like
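To check a network definition before and after the steps above, the following script applies the libvirt rule quoted earlier in the thread (only `<dns enable="no"/>` disables the DNS server; a missing `<dns>` element or `enable="yes"` means libvirt starts one, listening on every `<ip address>` of the network) and also flags any remaining `<dhcp>` range, since both features are what pull in dnsmasq. This is an added example, not code from the thread or from the Whonix project; the two sample network XMLs are constructed for the example, and the file name `audit.py` in the usage comment is hypothetical.

```python
"""Audit libvirt network XML for host-side dnsmasq exposure.

Added example (not from the forum thread or the Whonix project). It applies
the documented libvirt rule: only <dns enable="no"/> disables the DNS server;
an absent <dns> element or enable="yes" means libvirt starts one. It also
reports whether a <dhcp> section is still present, because DNS or DHCP on a
network is what makes libvirt require the dnsmasq binary.
"""
import sys
import xml.etree.ElementTree as ET


def dns_server_enabled(network_xml: str) -> bool:
    """True if libvirt would start a DNS listener for this network."""
    root = ET.fromstring(network_xml)
    dns = root.find("dns")
    if dns is None:
        # Absent <dns> element: libvirt treats it as enable="yes".
        return True
    return dns.get("enable", "yes").lower() != "no"


def dhcp_server_enabled(network_xml: str) -> bool:
    """True if any <ip> block carries a <dhcp> section (dnsmasq DHCP)."""
    root = ET.fromstring(network_xml)
    return any(ip.find("dhcp") is not None for ip in root.findall("ip"))


def listen_addresses(network_xml: str) -> list[str]:
    """Addresses a libvirt-started DNS server would listen on (<ip address>)."""
    root = ET.fromstring(network_xml)
    return [ip.get("address") for ip in root.findall("ip") if ip.get("address")]


def audit_network(network_xml: str) -> dict:
    """Summarise one network: name, DNS/DHCP state, and host listen addresses."""
    root = ET.fromstring(network_xml)
    name_el = root.find("name")
    name = name_el.text if name_el is not None else "<unnamed>"
    dns = dns_server_enabled(network_xml)
    dhcp = dhcp_server_enabled(network_xml)
    return {
        "name": name,
        "dns": dns,
        "dhcp": dhcp,
        "needs_dnsmasq": dns or dhcp,
        "listen": listen_addresses(network_xml) if dns else [],
    }


# Constructed sample: a stock-style "default" network (no <dns>, DHCP range present).
DEFAULT_STYLE_XML = """\
<network>
  <name>default</name>
  <forward mode="nat"/>
  <bridge name="virbr0" stp="on" delay="0"/>
  <ip address="192.168.122.1" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.122.2" end="192.168.122.254"/>
    </dhcp>
  </ip>
</network>
"""

# Constructed sample: the same network after the change discussed in the thread
# (<dns enable="no"/> added, DHCP range removed).
HARDENED_XML = """\
<network>
  <name>default</name>
  <forward mode="nat"/>
  <bridge name="virbr0" stp="on" delay="0"/>
  <dns enable="no"/>
  <ip address="192.168.122.1" netmask="255.255.255.0"/>
</network>
"""


def main() -> None:
    # With "-" as the only argument, read one network definition from stdin
    # (e.g. `sudo virsh net-dumpxml default | python3 audit.py -`, file name
    # hypothetical); otherwise audit the two built-in samples.
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        sources = [sys.stdin.read()]
    else:
        sources = [DEFAULT_STYLE_XML, HARDENED_XML]
    for xml in sources:
        r = audit_network(xml)
        print(f"{r['name']}: dns={r['dns']} dhcp={r['dhcp']} "
              f"needs_dnsmasq={r['needs_dnsmasq']} listen={r['listen']}")


if __name__ == "__main__":
    main()
```

Run it against each defined network (`virsh net-list --all` gives the names, `virsh net-dumpxml <name>` the XML) after `net-define` and a restart; a network reported with `needs_dnsmasq=False` is one libvirt can bring up without spawning dnsmasq. As a host-side confirmation independent of the XML, `ss -lntup` should then show no dnsmasq process bound to the bridge addresses.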

Could you try please using <dns enable="no"/> for the default network (and any other networks you may have)?

sudo virsh net-edit default

Then try:

sudo apt purge dnsmasq

Maybe that way we can completely get rid of dnsmasq?

Or libvirt will still crash due to:

This would initially break DNS inside any non-Whonix VMs. That could be fixed by using a public DNS resolver.

Tried with no dnsmasq (but dnsmasq-base installed): internet works fine in the VMs, and when no dns is added to the xml there is no internet for the VM.

Ah. Sorry. I meant, try also to remove dnsmasq-base.

1 Like

Sadly still not possible: once you remove the package and redefine the networks from scratch, it leads to an error about being unable to find the ‘dnsmasq’ binary. Maybe an alternative last try is a dummy package, but I don't know if it will resolve it or not.

1 Like