Bug 1413922

Summary: internal error in libvirt: Cannot unshare mount namespace: Operation not permitted
Product: [Community] Virtualization Tools Reporter: Richard W.M. Jones <rjones>
Component: libvirtAssignee: Michal Privoznik <mprivozn>
Status: CLOSED NEXTRELEASE QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: libvirt-maint, mprivozn, rbalakri
Target Milestone: ---   
Target Release: ---   
Hardware: aarch64   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-01-17 12:25:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 910269    
Attachments:
Description Flags
log file
none
libvirtd.log none

Description Richard W.M. Jones 2017-01-17 10:28:16 UTC 
Description of problem:

Cannot launch a guest as non-root (ie using qemu:///session)
with libvirt 3.0.0 rc2.

The error is:

libvirt: internal error: Process exited prior to exec: libvirt:  error : Cannot unshare mount namespace: Operation not permitted [code=1 int1=-1]

Version-Release number of selected component (if applicable):

libvirt 3.0.0 rc2

How reproducible:

100%

Steps to Reproduce:
1. Install libvirt 3.0.0 rc2
2. Run libguestfs-test-tool.
Comment 1 Richard W.M. Jones 2017-01-17 10:30:14 UTC 
Created attachment 1241660 [details]
log file
Comment 2 Richard W.M. Jones 2017-01-17 10:33:50 UTC 
Created attachment 1241662 [details]
libvirtd.log

Log from libvirtd.  Note that it doesn't correspond to the same
session as the client-side log posted in the previous comment.
Comment 3 Richard W.M. Jones 2017-01-17 11:26:14 UTC 
I added the following patch/hack to libvirt which fixes it:

diff --git a/src/util/virprocess.c b/src/util/virprocess.c
index f5c7ebb..ef3ed26 100644
--- a/src/util/virprocess.c
+++ b/src/util/virprocess.c
@@ -1155,6 +1155,7 @@ virProcessSetupPrivateMountNS(void)
 {
     int ret = -1;
 
+#if 0
     if (unshare(CLONE_NEWNS) < 0) {
         virReportSystemError(errno, "%s",
                              _("Cannot unshare mount namespace"));
@@ -1166,9 +1167,12 @@ virProcessSetupPrivateMountNS(void)
                              _("Failed to switch root mount into slave mode"));
         goto cleanup;
     }
+#endif
 
     ret = 0;
+#if 0
  cleanup:
+#endif
     return ret;
 }
Comment 4 Michal Privoznik 2017-01-17 11:33:08 UTC 
To POST:

https://www.redhat.com/archives/libvir-list/2017-January/msg00719.html
Comment 5 Michal Privoznik 2017-01-17 12:25:34 UTC 
I've pushed the patch upstream:

commit d0baf54e53faa544cc41abe8353ee3dce0b0861a
Author:     Michal Privoznik <mprivozn>
AuthorDate: Tue Jan 17 12:15:16 2017 +0100
Commit:     Michal Privoznik <mprivozn>
CommitDate: Tue Jan 17 13:23:56 2017 +0100

    qemu: Actually unshare() iff running as root
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1413922
    
    While all the code that deals with qemu namespaces correctly
    detects whether we are running as root (and turn into NO-OP for
    qemu:///session) the actual unshare() call is not guarded with
    such check. Therefore any attempt to start a domain under
    qemu:///session shall fail as unshare() is reserved for root.
    
    The fix consists of moving unshare() call (for which we have a
    wrapper called virProcessSetupPrivateMountNS) into
    qemuDomainBuildNamespace() where the proper check is performed.
    
    Signed-off-by: Michal Privoznik <mprivozn>
    Tested-by: Richard W.M. Jones <rjones>

v3.0.0-rc2-4-gd0baf54e5