Hello, I use a Debian-based operating system called Kicksecure as a host OS, and run an operating system called Whonix inside two VMs using KVM. This setup makes use of dnsmasq. In case you are unfamiliar with Kicksecure and Whonix, here are the project pages:

    https://kicksecure.com
    https://whonix.org
    https://whonix.org/wiki/KVM#Start

It was recent that I upgraded from the Debian 12.8 point release to Debian 12.9. When I did, I became unable to run the Whonix-Gateway VM when I click the 'Play' button in virt-manager. Here is a link to a forum user with the same problem as me:

    https://forums.whonix.org/t/cannot-start-whonix-external-virtual-network/21092

This is the error I receive:

    Error starting domain: Requested operation is not valid: network 'Whonix-External' is not active

    Traceback (most recent call last):
      File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper
        callback(asyncjob, *args, **kwargs)
      File "/usr/share/virt-manager/virtManager/asyncjob.py", line 108, in tmpcb
        callback(*args, **kwargs)
      File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn
        ret = fn(self, *args, **kwargs)
              ^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/share/virt-manager/virtManager/object/domain.py", line 1402, in startup
        self._backend.create()
      File "/usr/lib/python3/dist-packages/libvirt.py", line 1373, in create
        raise libvirtError('virDomainCreate() failed')
    libvirt.libvirtError: Requested operation is not valid: network 'Whonix-External' is not active

When I tried the command

    virsh -c qemu:///system net-start Whonix-External

to start the VM, I receive this error involving dnsmasq:

    error: Failed to start network Whonix-External
    error: internal error: Child process (VIR_BRIDGE_NAME=virbr1 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/Whonix-External.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper) unexpected exit status 2:
    dnsmasq: failed to create listening socket for 10.0.2.2: Address already in use

I used this command, but I do not see any mention of 10.0.2.2 at all:

    ss -l -p

Since dnsmasq is giving me this error message, is there a command I can use to have dnsmasq tell me about this error in more detail?

I leafed through the man page and tried the following:

    dnsmasq --test

and it tells me 'dnsmasq: syntax check OK'

    sudo dnsmasq --listen-address=10.0.2.2

and it tells me 'dnsmasq: failed to create listening socket for port 53: Address already in use'

Since it was working until I upgraded, I had a look through the Debian changelog. I noticed changes were made to dnsmasq and qemu, two packages I use in this setup. Here are the changes to dnsmasq in particular:

    dnsmasq
      Fix denial of service issues [CVE-2023-50387 CVE-2023-50868]; set default maximum EDNS.0 UDP packet size to 1232 [CVE-2023-28450]

    dnsmasq (2.90-4~deb12u1) bookworm; urgency=medium
    .
      * Non-maintainer upload.
      * Backport to bookworm, fixing:
        - CVE-2023-28450 - Reduce default maximum EDNS.0 UDP packet size due to DNS Flag Day 2020
        - CVE-2023-50387, CVE-2023-50868 - DNSSEC validation CPU exhaustion ("Keytrap")

    dnsmasq (2.90-3) unstable; urgency=medium
    .
      * Update d/control:
        - Add passwd to Depends of dnsmasq-base(-lua) (closes: #1064518).
        - Update the Vcs-* fields (closes: #1065347).
        - Fix lintian issue build-depends-on-obsolete-package.
        - Add myself as uploader.
      * Update d/copyright:
        - Fix lintian issue missing-field-in-dep5-copyright.
      * Add missing CVE number to the 2.90-1 change log.

    dnsmasq (2.90-2) unstable; urgency=medium
    .
      [ Sven Geuer ]
      * Relax limits imposed by d/t/functions.d/ip-addr.patterns to allow for successful tests on ci.debian.net.

    dnsmasq (2.90-1) unstable; urgency=medium
    .
      [ Simon Kelley ]
      * New upstream. (closes: #1033165)
      * Move hard-coding of Lua version from the upstream Makefile to d/rules.
      * Security fixes for Keytrap - DNSSEC validation CPU exhaustion. CVE-2023-50387 and CVE-2023-50868

      [ Sven Geuer ]
      * Introduce autokpgtests per d/tests/* (closes: #1034135).
      * Switch to dpkg-source 3.0 (quilt) format (closes: #1007041).
      * doc.html: Add patch to eliminate privacy breaches leaving the Donations paragraph as untouched as possible.
      * Prepend dnsmasq. to default, init, preinst, postinst, prerm, postrm.
      * Rename d/systemd.service to d/dnsmasq.service.
      * Rename d/systemd@.service to d/dnsmasq@.service.
      * Refactor d/rules to use the DH sequencer and fix major lintian issues (closes: #844989, #1040923, #1063551).
        Modified files:
        - d/rules
          Complete rewrite making use of debhelper and its tools, fixes lintian warning debian-rules-sets-dpkg-architecture-variable.
        - d/control
          Build-Depends, Pre-Depends, Depends added or changed as needed, lintian error depends-on-obsolete-package fixed.
        - d/dnsmasq.default
          ENABLED removed and comment changed to fix lintian error init.d-script-should-always-start-service.
        - d/dnsmasq.init
          Remove handling of obsolete ENABLED flag. Extract code used with System-V-style init and systemd into d/init-system-common, extract code used with systemd only into d/systemd-helper. This fixes lintian warning systemd-service-file-wraps-init-script. Drop workaround for hypothetically non-existent file /lib/lsb/init-functions, it has been around for more than a decade.
        - d/dnsmasq.service, d/dnsmasq@.service
          Adapt these files to make use of init-system-common and systemd-helper.
        - d/dnsmasq.{post,pre}{inst,rm}
          Rely mostly on the script snippets created by the DH tools to get things done, implicitly fixes the lintian warnings maintainer-script-should-not-use-dpkg-maintscript-helper and command-with-path-in-maintainer-script.
        - d/resolvconf*
          Change file mode bits to 0755, the installed files need it
        New files:
        - d/dnsmasq.{install,links,maintscript}
        - d/dnsmasq-base.{dirs,docs,install}
        - d/dnsmasq-base-lua.{dirs,docs,install,links}
        - d/dnsmasq-utils.{install,manpages}
          The DH tools use these to install what was scripted explicitly in the previous version of the d/rules file, lintian warning dbus-policy-in-etc fixed
        - d/init-system-common
        - d/systemd-helper
          These files contain slightly modified code formerly part of in d/dnsmasq.init.
        Deleted files:
        - d/*conffiles
        - d/lintian-override
        - d/installed-marker
          These are not in use anymore.
      * Deal with a removed conffile and changed links.
        Modified files:
        - d/dnsmasq-base.{postinst,postrm}
        New files:
        - d/dnsmasq-base.maintscript
        - d/dnsmasq-base-lua.maintscript
      * Add watch file and upstream's signing key.
        New files:
        - d/watch
        - d/u/signing-key.asc
      * Remove dependency on package adduser.
        Modified files:
        - d/control
        - d/dnsmasq.post{inst,rm}
      * Refactor d/copyright to comply with DEP 5 (closes: #966505).
      * Remove trailing whitespace from various files under debian/.
      * Bump Standards-Version to 4.6.2.
      * Specify Rules-Requires-Root.
      * Update http:// to https:// with Homepage, Vcs-Git and Vcs-Browser.
      * Introduce d/u/metadata.
      * Fix lintian issue duplicate-short-description.
      * Fix lintian issue capitalization-error-in-description.
      * Bump Lua version to 5.4 (closes: #1050750).
        Modified files:
        - d/control
        - d/t/functions.d/log.patterns

For reference, here were the changes made to qemu. When I was browsing dnsmasq's git repository, I saw a reference to libvirt, so I included this info in case there is a relationship between these packages with regard to my problem.

    qemu
      New upstream bugfix release [CVE-2024-7409]; mark internal codegen helper symbols as hidden, fixing build failure on arm64

    qemu (1:7.2+dfsg-7+deb12u1) bookworm; urgency=medium
    .
      * d/rules: add the forgotten --enable-libusb for the xen build. This makes usb devices available for xen hvm domUs again, as it has always been before. Closes: #1037341
      * update to upstream 7.2.3 stable/bugfix release, v7.2.3.diff, https://gitlab.com/qemu-project/qemu/-/commits/v7.2.3 :
        - vnc: avoid underflow when accessing user-provided address
        - target/i386: Change wrong XFRM value in SGX CPUID leaf (was in debian already)
        - acpi: pcihp: allow repeating hot-unplug requests
        - qemu-options: finesse the recommendations around -blockdev
        - docs/about/deprecated.rst: Add "since 7.1" tag to dtb-kaslr-seed deprecation
        - target/arm: Initialize debug capabilities only once
        - hw/net/msf2-emac: Don't modify descriptor in-place in emac_store_desc()
        - hw/arm/boot: Make write_bootloader() public as arm_write_bootloader()
        - hw/arm/aspeed: Use arm_write_bootloader() to write the bootloader
        - hw/arm/raspi: Use arm_write_bootloader() to write boot code
        - hw/intc/allwinner-a10-pic: Don't use set_bit()/clear_bit()
        - target/arm: Define and use new load_cpu_field_low32()
        - hw/sd/allwinner-sdhost: Correctly byteswap descriptor fields
        - hw/net/allwinner-sun8i-emac: Correctly byteswap descriptor fields
        - softfloat: Fix the incorrect computation in float32_exp2
        - meson: leave unnecessary modules out of the build
        - block: Fix use after free in blockdev_mark_auto_del()
        - target/riscv: Fix itrigger when icount is used
        - accel/tcg: Fix atomic_mmu_lookup for reads
        - ui: Fix pixel colour channel order for PNG screenshots
        - async: Suppress GCC13 false positive in aio_bh_poll()
        - tcg: ppc64: Fix mask generation for vextractdm
        - hw/virtio/vhost-user: avoid using uninitialized errp
        - virtio: fix reachable assertion due to stale value of cached region size
        - block/monitor: Fix crash when executing HMP commit
        - target/s390x: Fix EXECUTE of relative branches
        - s390x/tcg: Fix LDER instruction format
        - 9pfs/xen: Fix segfault on shutdown
        - xen/pt: reserve PCI slot 2 for Intel igd-passthru
        - Revert "vhost-user: Monitor slave channel in vhost_user_read()"
        - Revert "vhost-user: Introduce nested event loop in vhost_user_read()"
        - target/ppc: Fix helper_pminsn() prototype
        - tests/docker: bump the xtensa base to debian:11-slim
        - linux-user: Fix mips fp64 executables loading
        - linux-user: fix getgroups/setgroups allocations (was in debian already)
        - migration: Handle block device inactivation failures better
        - migration: Minor control flow simplification
        - migration: Attempt disk reactivation in more failure scenarios
        - target/arm: Fix vd == vm overlap in sve_ldff1_z
        - scsi-generic: fix buffer overflow on block limits inquiry
        - target/i386: fix operand size for VCOMI/VUCOMI instructions
        - target/i386: fix avx2 instructions vzeroall and vpermdq
        - vhost: fix possible wrap in SVQ descriptor ring
        - virtio-net: not enable vq reset feature unconditionally
        - virtio-crypto: fix NULL pointer dereference in virtio_crypto_free_request
        - e1000: Count CRC in Tx statistics
        - e1000e: Fix tx/rx counters
        - rtl8139: fix large_send_mss divide-by-zero (was in debian already)
        - util/vfio-helpers: Use g_file_read_link()
        - usb/ohci: Set pad to 0 after frame update
        - hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (Closes: #1029155, CVE-2023-0330)
        - machine: do not crash if default RAM backend name has been stolen
        - Update version for 7.2.3 release
      * update to upstream 7.2.4 stable/bugfix release, v7.2.4.diff, https://gitlab.com/qemu-project/qemu/-/commits/v7.2.4 :
        - gitlab-ci: Avoid to re-run "configure" in the device-crash-test jobs
        - scripts/device-crash-test: Add a parameter to run with TCG only
        - hw/ppc/prep: Fix wiring of PIC -> CPU interrupt
        - ui/gtk: fix passing y0_top parameter to scanout
        - ui/gtk: use widget size for cursor motion event
        - ui/gtk-egl: fix scaling for cursor position in scanout mode
        - ui/sdl2: fix surface_gl_update_texture: Assertion 'gls' failed
        - ui/sdl2: Grab Alt+Tab also in fullscreen mode
        - ui/sdl2: Grab Alt+F4 also under Windows
        - ui/sdl2: disable SDL_HINT_GRAB_KEYBOARD on Windows
        - hw/dma/xilinx_axidma: Check DMASR.HALTED to prevent infinite loop.
        - hw/arm/xlnx-zynqmp: fix unsigned error when checking the RPUs number
        - target/arm: Explicitly select short-format FSR for M-profile
        - target/s390x: Fix LCBB overwriting the top 32 bits
        - tests/tcg/s390x: Test LCBB
        - target/s390x: Fix LOCFHR taking the wrong half of R2
        - tests/tcg/s390x: Test LOCFHR
        - linux-user/s390x: Fix single-stepping SVC
        - tests/tcg/s390x: Test single-stepping SVC
        - s390x/tcg: Fix CPU address returned by STIDP
        - docs: fix multi-process QEMU documentation
        - qga: Fix suspend on Linux guests without systemd
        - 9pfs: prevent opening special files (CVE-2023-2861)
        - hw/remote: Fix vfu_cfg trace offset format
        - vnc: move assert in vnc_worker_thread_loop
        - target/ppc: Fix lqarx to set cpu_reserve
        - target/ppc: Fix nested-hv HEAI delivery
        - target/ppc: Fix PMU hflags calculation
        - hw/riscv: qemu crash when NUMA nodes exceed available CPUs
        - aspeed/hace: Initialize g_autofree pointer
        - target/arm: Fix return value from LDSMIN/LDSMAX 8/16 bit atomics
        - target/arm: Return correct result for LDG when ATA=0
        - hw/intc/allwinner-a10-pic: Handle IRQ levels other than 0 or 1
        - hw/timer/nrf51_timer: Don't lose time when timer is queried in tight loop
        - host-utils: Avoid using __builtin_subcll on buggy versions of Apple Clang
        - pc-bios/keymaps: Use the official xkb name for Arabic layout, not the legacy synonym
        - target/hppa: Fix OS reboot issues
        - target/hppa: Provide qemu version via fw_cfg to firmware
        - target/hppa: New SeaBIOS-hppa version 7 (minus the binary pc-bios/hppa-firmware.img changes)
        - target/hppa: Update to SeaBIOS-hppa version 8 (minus the binary pc-bios/hppa-firmware.img changes)
        - vhost: release memory_listener object in error path
        - vdpa: fix not using CVQ buffer in case of error
        - vhost-vdpa: do not cleanup the vdpa/vhost-net structures if peer nic is present
        - virtio-gpu: Make non-gl display updates work again when blob=true
        - icount: don't adjust virtual time backwards after warp
        - vdpa: mask _F_CTRL_GUEST_OFFLOADS for vhost vdpa devices
        - target/ppc: Fix decrementer time underflow and infinite timer loop
        - vfio/pci: Fix a segfault in vfio_realize
        - vfio/pci: Call vfio_prepare_kvm_msi_virq_batch() in MSI retry path
        - ui/gtk: set the area of the scanout texture correctly
        - Update version for 7.2.4 release
      * remove patches included in v7.2.4:
        - linux-user-fix-getgroups-setgroups-allocations.patch
        - rtl8139-fix-large_send_mss-divide-by-zero.patch
        - target_i386-Change-wrong-XFRM-value.patch

I went to the Debian bookworm dnsmasq source package page to find the git repository, thinking I might be able to compare the two in order to find some clues so I could ask better questions. I went to https://thekelleys.org.uk and clicked on the links for version 2.89-1 (Debian 12.8 version) and version 2.90-4 (Debian 12.9 version). I went through a few files that had matching names or arrows pointing to equivalents, but I notice that there are many files in 2.90-4 that do not exist in 2.89-1, so it makes it a little confusing for me to do a side-by-side comparison. Because I am not a programmer, I'm unsure of exactly for what I am looking. The few files I went through (e.g. dbus.conf, resolvconf, resolvconf-package, dnsmasq-base.postrm) either don't appear to have changes between versions, don't seem related to my problem, or seem to have something to do with building the package in Debian.

If you suppose my problem were because of a change in one of the packages, for what would I be looking? If it is something else, what would I need to do in order to find it?

Thank you for reading. If you need any more information from me, please let me know.
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
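
An added example, not part of the original message: `ss -l -p` without `-n` prints port 53 as a service name, and a listener bound to a wildcard address never shows the string 10.0.2.2, so searching for that address can miss a socket that may be holding the port. The sketch below filters `ss -H -l -n -t -u -p` output for listeners on the wanted port that are bound to the exact address or to a wildcard; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list listeners that could block a bind to ADDR:PORT.
# Reads `ss -H -l -n -t -u -p` output on stdin (run ss as root so the
# process column is filled in; -n keeps the port numeric).

find_conflicts() {
    # $1 = address dnsmasq failed to bind, $2 = port
    awk -v want_addr="$1" -v want_port="$2" '
    {
        local_ep = $5                     # "Local Address:Port" column
        n = match(local_ep, /:[^:]*$/)    # split at the last colon
        if (n == 0) next
        addr = substr(local_ep, 1, n - 1)
        port = substr(local_ep, n + 1)
        sub(/%.*/, "", addr)              # drop a "%iface" suffix
        if (port != want_port) next
        # Assumption: ss prints an IPv4 or dual-stack wildcard bind
        # as 0.0.0.0 or *; [::] (IPv6 only) is not counted here.
        if (addr == want_addr) kind = "exact"
        else if (addr == "0.0.0.0" || addr == "*") kind = "wildcard"
        else next
        proc = ($7 != "") ? $7 : "(process hidden: rerun as root)"
        printf "%s %s %s %s\n", kind, $1, local_ep, proc
    }'
}

# Constructed sample of ss output (not taken from the reporter's host).
sample_ss_output() {
cat <<'EOF'
udp UNCONN 0 0   0.0.0.0:53         0.0.0.0:* users:(("dnsmasq",pid=812,fd=4))
tcp LISTEN 0 32  0.0.0.0:53         0.0.0.0:* users:(("dnsmasq",pid=812,fd=5))
udp UNCONN 0 0   192.168.122.1:53   0.0.0.0:* users:(("dnsmasq",pid=1500,fd=5))
udp UNCONN 0 0   [::]:53            [::]:*    users:(("dnsmasq",pid=812,fd=6))
tcp LISTEN 0 128 0.0.0.0:22         0.0.0.0:* users:(("sshd",pid=700,fd=3))
udp UNCONN 0 0   0.0.0.0%virbr0:67  0.0.0.0:* users:(("dnsmasq",pid=1500,fd=3))
EOF
}

# Demo on the sample; on a live host use:
#   ss -H -l -n -t -u -p | find_conflicts 10.0.2.2 53
sample_ss_output | find_conflicts 10.0.2.2 53
```

Each reported line names the owning process, which shows whether the port is held by a system-wide dnsmasq, another libvirt network's dnsmasq, or a different resolver.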