Bug 1413922
Summary: internal error in libvirt: Cannot unshare mount namespace: Operation not permitted
Product: [Community] Virtualization Tools
Component: libvirt
Reporter: Richard W.M. Jones <rjones>
Assignee: Michal Privoznik <mprivozn>
Status: CLOSED NEXTRELEASE
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: libvirt-maint, mprivozn, rbalakri
Hardware: aarch64
OS: Unspecified
Type: Bug
Last Closed: 2017-01-17 12:25:34 UTC
Bug Blocks: 910269

Description
Richard W.M. Jones
2017-01-17 10:28:16 UTC
Created attachment 1241660
log file
Created attachment 1241662
libvirtd.log
Log from libvirtd. Note that it doesn't correspond to the same
session as the client-side log posted in the previous comment.
I added the following patch/hack to libvirt which fixes it:

diff --git a/src/util/virprocess.c b/src/util/virprocess.c index f5c7ebb..ef3ed26 100644 --- a/src/util/virprocess.c +++ b/src/util/virprocess.c @@ -1155,6 +1155,7 @@ virProcessSetupPrivateMountNS(void) { int ret = -1; +#if 0 if (unshare(CLONE_NEWNS) < 0) { virReportSystemError(errno, "%s", _("Cannot unshare mount namespace")); @@ -1166,9 +1167,12 @@ virProcessSetupPrivateMountNS(void) _("Failed to switch root mount into slave mode")); goto cleanup; } +#endif ret = 0; +#if 0 cleanup: +#endif return ret; }

I've pushed the patch upstream:

commit d0baf54e53faa544cc41abe8353ee3dce0b0861a
Author:     Michal Privoznik <mprivozn>
AuthorDate: Tue Jan 17 12:15:16 2017 +0100
Commit:     Michal Privoznik <mprivozn>
CommitDate: Tue Jan 17 13:23:56 2017 +0100

    qemu: Actually unshare() iff running as root

    https://bugzilla.redhat.com/show_bug.cgi?id=1413922

    While all the code that deals with qemu namespaces correctly
    detects whether we are running as root (and turn into NO-OP for
    qemu:///session) the actual unshare() call is not guarded with
    such check. Therefore any attempt to start a domain under
    qemu:///session shall fail as unshare() is reserved for root.

    The fix consists of moving unshare() call (for which we have a
    wrapper called virProcessSetupPrivateMountNS) into
    qemuDomainBuildNamespace() where the proper check is performed.

    Signed-off-by: Michal Privoznik <mprivozn>
    Tested-by: Richard W.M. Jones <rjones>

v3.0.0-rc2-4-gd0baf54e5
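
Review bot: The `+#if 0` placed before `if (unshare(CLONE_NEWNS) < 0)` in the first hunk (@@ -1155) of the src/util/virprocess.c hack compiles the namespace setup out for every caller, privileged ones included, so a libvirtd running as root would no longer get a private mount namespace either. A runtime privilege check that skips the call only when unprivileged keeps the isolation wherever unshare() is permitted.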
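
Review bot: In the second hunk (@@ -1166) of the same hack, the `+#endif` lands directly before `ret = 0;`, so virProcessSetupPrivateMountNS() now always returns 0 and a caller cannot tell a private namespace from none at all; the slave-mode switch of the root mount is skipped along with it. The `#if 0` / `#endif` pair around `cleanup:` exists only because the `goto` paths are gone; if the body is meant to be skipped, return early for the unprivileged case instead of leaving `ret` and the label behind preprocessor guards.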
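
The guard the commit message describes, as an added example that is not libvirt's code: the namespace setup is a no-op for an unprivileged caller, and a privileged caller never gets a success result without the isolation. `setup_private_mount_ns`, `struct ns_ops` and the stubs are hypothetical names; the stubs are constructed so both kernel answers can be exercised without root.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000 /* same value as in <linux/sched.h> */
#endif

/* Hypothetical seam: lets the privileged path be exercised without root. */
struct ns_ops { int (*unshare_fn)(int flags); int (*make_slave_fn)(void); };

static int real_unshare(int flags) { return (int)syscall(SYS_unshare, flags); }
static int real_make_slave(void) { return mount("", "/", "none", MS_SLAVE | MS_REC, NULL); }
static const struct ns_ops real_ops = { real_unshare, real_make_slave };

/* Constructed stubs: stub_errno == 0 means unshare succeeds, otherwise it
 * fails with that errno (EPERM is what a non-root caller sees). */
static int stub_errno;
static int stub_unshare(int flags) { (void)flags; if (!stub_errno) return 0; errno = stub_errno; return -1; }
static int stub_make_slave(void) { return 0; }
static const struct ns_ops stub_ops = { stub_unshare, stub_make_slave };

/* Returns 1 if a private mount namespace was set up, 0 if skipped because the
 * caller is unprivileged (the qemu:///session case), -1 on failure (errno set). */
int setup_private_mount_ns(int privileged, const struct ns_ops *ops)
{
    if (!privileged)
        return 0;                       /* decided at runtime, not with #if 0 */
    if (ops->unshare_fn(CLONE_NEWNS) < 0)
        return -1;                      /* never report success without isolation */
    if (ops->make_slave_fn() < 0)
        return -1;                      /* mounts would still propagate to the host */
    return 1;
}

int main(void)
{
    int rc = setup_private_mount_ns(geteuid() == 0, &real_ops);
    if (rc < 0)
        fprintf(stderr, "mount namespace setup failed: %s\n", strerror(errno));
    else
        printf("private mount namespace: %s\n", rc ? "created" : "skipped (unprivileged)");
    return rc < 0;
}
```

Returning distinct values for "created" and "skipped" lets the caller log which mode it is in instead of assuming isolation.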