virbr0 network interface starts on its own

[LMHmedchem]

Hello,

I don't know if this is a software question or a security question. I suppose it's both but my concern is security.

If I don't shut down my computer overnight I will at least shut off the internet connection. I also do this if I am away from the computer for an extended time. Last night when I opened the connections manager from the panel it listed the eno1 network connection as usual but also listed the virbr0 virtualization network connection. I have not seen that interface since 2020 so it caused concern. I believe that it showed up when I first installed this version. It disappeared from the network manager shortly after and didn't come back until now (at least not that I saw).

I do have virtualbox installed but the only VM I have installed at the moment does not have a network interface and I haven't created a network adapter in virtualbox. I assume that virbr0 is installed by default but I have no idea why it would have started now. I have had this installation for quite a while now (three years at least), and it has not started up since the original sintall. I shut it down and it has not come back so far.

There is no reason that I am aware of for this to run at the moment. In my opinion, any software on a computer that is never used is an unnecessary security risk. Programs that make internet connections are even worse and even more so for a network interface.

What can I do to prevent this from running, at least until I need it?
What steps should I take to make sure I don't have some additional problem going on?

LMHmedchem

[TrevorH]

If you have virbr0 then you most likely have libvirtd installed. It's for running VMs under KVM on CentOS and if you only use VBox then you probably don't need it. Also a package called gnome-boxes is part of the default GUI install and that is also for running VMs and it pulls in libvirt and all its 500 dependencies so you might want to check if that is installed and remove it if so.

[jlehtone]

Code: Select all

systemctl status libvirtd

A default install includes libvirt and that has network "default" set to autostart.
That virtual subnet shows as virbr0.

The only mystery is why something would happen now, if it did not before?
Something new got installed?

[LMHmedchem]

Also a package called gnome-boxes is part of the default GUI install and that is also for running VMs and it pulls in libvirt and all its 500 dependencies so you might want to check if that is installed and remove it if so.

I un-installed gnome-boxes. I'm not sure why so much gnome stuff is installed when I'm running kde.

The only mystery is why something would happen now, if it did not before?
Something new got installed?

I haven't installed much on this. I don't remember installing anything lately.

Is there any reasonable way to log access to a given file to see when and how it starts up?

LMHmedchem

[jlehtone]

You could look at system log first:

Code: Select all

sudo journalctl | grep -10 virbr0
# and/or
sudo grep vlan-sbl /var/log/messages*

[LMHmedchem]

Also, I have noticed that a couple of times lately my time has been off. I find that it is displaying the UTC time and not my time zone. I have unchecked UTC in the settings but it seems to reappear. I did have a day a few days ago when I came down to find that the computer had restarted. All of these things together make me a bit suspicious.

I checked the log as you suggested. There are quite a few entries for virbr0. This first one I see is yesterday,

Code: Select all

Jun 09 10:50:00 localhost.localdomain NetworkManager[1595]: <info>  [1686322200.9583] manager: (virbr0): new Bridge device (/org/freedesktop/NetworkManager/Devices/3)

The next set is this,

Code: Select all

Jun 09 10:50:00 localhost.localdomain kernel: tun: Universal TUN/TAP device driver, 1.6
Jun 09 10:50:00 localhost.localdomain kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Jun 09 10:50:00 localhost.localdomain kernel: virbr0: port 1(virbr0-nic) entered blocking state
Jun 09 10:50:00 localhost.localdomain kernel: virbr0: port 1(virbr0-nic) entered disabled state
Jun 09 10:50:00 localhost.localdomain kernel: device virbr0-nic entered promiscuous mode
Jun 09 10:50:00 localhost.localdomain NetworkManager[1595]: <info>  [1686322200.9946] manager: (virbr0-nic): new Tun device (/org/freedesktop/NetworkManager/Devices/4)
Jun 09 10:50:01 localhost.localdomain NetworkManager[1595]: <info>  [1686322201.0094] device (virbr0-nic): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
Jun 09 10:50:01 localhost.localdomain NetworkManager[1595]: <info>  [1686322201.0104] device (virbr0-nic): state change: unavailable -> disconnected (reason 'none', sys-iface-state: 'external')

It's hard to tell what is going on here. Let me know if you want met to post all of the output.

LMHmedchem

[LMHmedchem]

The virtualization daemon is running,

Code: Select all

[user@localhost ~]$ systemctl status libvirtd -l     
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2023-06-09 10:50:00 EDT; 1 day 23h ago
     Docs: man:libvirtd(8)
           https://libvirt.org
 Main PID: 2089 (libvirtd)
    Tasks: 19 (limit: 32768)
   CGroup: /system.slice/libvirtd.service
           ├─2089 /usr/sbin/libvirtd
           ├─2424 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
           └─2425 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper

Jun 09 10:50:01 localhost.localdomain dnsmasq[2424]: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth nettlehash no-DNSSEC loop-detect inotify
Jun 09 10:50:01 localhost.localdomain dnsmasq-dhcp[2424]: DHCP, IP range 192.168.122.2 -- 192.168.122.254, lease time 1h
Jun 09 10:50:01 localhost.localdomain dnsmasq-dhcp[2424]: DHCP, sockets bound exclusively to interface virbr0
Jun 09 10:50:01 localhost.localdomain dnsmasq[2424]: reading /etc/resolv.conf
Jun 09 10:50:01 localhost.localdomain dnsmasq[2424]: using nameserver 208.67.222.222#53
Jun 09 10:50:01 localhost.localdomain dnsmasq[2424]: using nameserver 208.67.220.220#53
Jun 09 10:50:01 localhost.localdomain dnsmasq[2424]: read /etc/hosts - 2 addresses
Jun 09 10:50:01 localhost.localdomain dnsmasq[2424]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
Jun 09 10:50:01 localhost.localdomain dnsmasq-dhcp[2424]: read /var/lib/libvirt/dnsmasq/default.hostsfile
Jun 10 00:12:39 localhost.localdomain dnsmasq[2424]: stopped listening on virbr0(#3): 192.168.122.1

This is another one of my pet annoyances. Why have a daemon installed and running by default if it is never used. Why not install it on first use of a program that needs it?

Can I just disable the service?

Code: Select all

/bin/systemctl disable libvirtd.service

LMHmedchem

[jlehtone]

Can I just disable the service?

Yes.

[TrevorH]

Or uninstall it - though be sure to read the list of other packages that will be removed with it before replying 'y' to the prompt to confirm. And don't use yum -y!

[jlehtone]

If the libvirt did appear now as dependency, then that could happen again (although unlikely within el7 lifetime). Hence, disable and keep sounds safer.