Guest won't start - warning: could not open /dev/net/tun ('generic ethernet' interface)

Use of the 'generic ethernet' interface type (<interface type='ethernet'>) is discouraged, because using it requires lowering the host's level of protection against potential security flaws in qemu and its guests. Occasionally, though, this type of interface is necessary in order to take advantage of some other facility that libvirt does not yet support directly (for example, openvswitch was not supported in libvirt until libvirt-0.9.11, and <interface type='ethernet'> was the only way to connect a guest to an openvswitch bridge).

If you try to configure a type='ethernet' interface with no other changes to your host system, your guest will fail to start; instead, you will see an error similar to the following:

warning: could not open /dev/net/tun: no virtual network emulation
qemu-kvm: -netdev tap,script=/etc/my-qemu-ifup,id=hostnet0: Device 'tap' could not be initialized

either in libvirtd.log, in /var/log/libvirt/qemu/$guestname.log, or both.

The reason for this failure is that, for this type of interface, a script called by qemu needs to manipulate the tap device, but in an attempt to lock down qemu, libvirt and SELinux have put several checks in place to prevent exactly that. (Normally, libvirt does all of the tap device creation and manipulation itself, and passes an open file descriptor for the tap device to qemu.)

Solution

There are multiple steps to solving this problem:

1) disable SELinux

 a) in /etc/selinux/config, change the line "SELINUX=enforcing" to "SELINUX=permissive"
 b) from a root shell, run "setenforce permissive"

2) in /etc/libvirt/qemu.conf add/edit the following lines:

 a) clear_emulator_capabilities = 0
 b) user = "root"
 c) group = "root"
 d)
    cgroup_device_acl = [
        "/dev/null", "/dev/full", "/dev/zero",
        "/dev/random", "/dev/urandom",
        "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
        "/dev/rtc", "/dev/hpet", "/dev/net/tun",
    ]

(the final "/dev/net/tun" entry is the most important part of (d)).

3) restart libvirtd

Since each of these steps significantly decreases the host's security protections against qemu guest domains, you should only do this if there is no alternative to using <interface type='ethernet'>.
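Because the settings in step 2 are easy to forget once the openvswitch (or other) workaround is no longer needed, an administrator will want a way to find hosts that are still in this weakened state. The following script is an added example, not part of this page or of libvirt: it parses the subset of /etc/libvirt/qemu.conf syntax shown above ('key = value' with integers, double-quoted strings, and bracketed lists that may span several lines, with '#' comments) and reports which of the four relaxations from step 2 are in effect. The two sample configurations are constructed for the example; a real run would pass the contents of /etc/libvirt/qemu.conf to audit_qemu_conf().

```python
import re
import sys
from typing import Dict, List, Union

Value = Union[int, str, List[str]]

# Constructed sample: the settings this page tells you to add.
RELAXED_CONF = """\
clear_emulator_capabilities = 0
user = "root"
group = "root"
cgroup_device_acl = [
    "/dev/null", "/dev/full", "/dev/zero",
    "/dev/random", "/dev/urandom",
    "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
    "/dev/rtc", "/dev/hpet", "/dev/net/tun",
]
"""

# Constructed sample resembling a stock qemu.conf, where the dangerous
# settings are only present as commented-out documentation.
DEFAULT_CONF = """\
#clear_emulator_capabilities = 1
#user = "root"
#group = "root"
#cgroup_device_acl = [
#    "/dev/null", "/dev/full", "/dev/zero",
#]
security_driver = "selinux"  # an active, non-relaxing setting
"""


def _strip_comment(line: str) -> str:
    """Drop everything from the first '#' that is not inside a double-quoted string."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line


# key = <bracketed list> | <quoted string> | <integer>; re.S lets a list span lines.
_ASSIGN = re.compile(r'(\w+)\s*=\s*(\[[^\]]*\]|"[^"]*"|-?\d+)', re.S)


def parse_qemu_conf(text: str) -> Dict[str, Value]:
    """Parse the simple qemu.conf syntax used on this page into a dict.

    Commented-out lines (the shipped defaults) are ignored, so only settings
    that libvirt would actually apply end up in the result.
    """
    clean = "\n".join(_strip_comment(line) for line in text.splitlines())
    settings: Dict[str, Value] = {}
    for key, raw in _ASSIGN.findall(clean):
        if raw.startswith("["):
            settings[key] = re.findall(r'"([^"]*)"', raw)
        elif raw.startswith('"'):
            settings[key] = raw[1:-1]
        else:
            settings[key] = int(raw)
    return settings


def audit_qemu_conf(text: str) -> List[str]:
    """Return one finding per relaxation from step 2 that is active in the config.

    An absent key means libvirt's built-in default applies, which is not one of
    the relaxed values, so absent keys produce no finding.
    """
    s = parse_qemu_conf(text)
    findings = []
    if s.get("clear_emulator_capabilities") == 0:
        findings.append("clear_emulator_capabilities = 0: qemu keeps its Linux capabilities")
    if s.get("user") == "root":
        findings.append('user = "root": qemu processes run as root')
    if s.get("group") == "root":
        findings.append('group = "root": qemu processes run with the root group')
    acl = s.get("cgroup_device_acl")
    if isinstance(acl, list) and "/dev/net/tun" in acl:
        findings.append("cgroup_device_acl contains /dev/net/tun: qemu may open tap devices itself")
    return findings


if __name__ == "__main__":
    # Audit a real file if given on the command line, otherwise the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            targets = {sys.argv[1]: fh.read()}
    else:
        targets = {"RELAXED_CONF": RELAXED_CONF, "DEFAULT_CONF": DEFAULT_CONF}
    for name, conf in targets.items():
        found = audit_qemu_conf(conf)
        print(f"{name}: {'no relaxations found' if not found else ''}")
        for f in found:
            print("  -", f)
```

Run it with no arguments to see both samples audited, or with a path (for example, python3 audit_qemu_conf.py /etc/libvirt/qemu.conf, a filename assumed here) to check a real host. The parser deliberately ignores commented-out lines, because the stock qemu.conf documents every option in comments and a naive grep for "/dev/net/tun" would report every unmodified host as relaxed.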