Bug 591372

Summary: [LXC] restart network on guest make the /etc/resolv.conf has been changed on host.
Product: Red Hat Enterprise Linux 6 Reporter: dyuan
Component: libvirtAssignee: Jiri Denemark <jdenemar>
Status: CLOSED NOTABUG QA Contact: Virtualization Bugs <virt-bugs>
Severity: high Docs Contact:
Priority: high    
Version: 6.0CC: berrange, borgan, hbrock, llim, tyan, xen-maint, yoyzhang
Target Milestone: rcKeywords: TestBlocker
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-06-30 13:05:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 599016, 609429    

Description dyuan 2010-05-12 03:43:58 UTC 
Description of problem:
Restart network on guest, make the network does not work fine on host, also  the /etc/resolv.conf has been modified. Then restart network on host, the NetworkManager dead.

Version-Release number of selected component (if applicable):
kernel-2.6.32-24.el6.x86_64
libvirt-0.8.1-2.el6.x86_64

How reproducible:
always

Steps to Reproduce:

1. define a simple application container and make it running

# virsh -c lxc:///
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # define toy.xml 
Domain toy defined from toy.xml
virsh # start toy
Domain toy started
virsh # list --all
 Id Name                 State
----------------------------------
7081 toy                  running

virsh # dumpxml toy
<domain type='lxc' id='3420'>
  <name>toy</name>
  <uuid>386f5b25-43ee-9d62-4ce2-58c3809e47c1</uuid>
  <memory>500000</memory>
  <currentMemory>500000</currentMemory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/sh</init>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <interface type='network'>
      <mac address='52:54:00:ca:84:12'/>
      <source network='default'/>
      <target dev='veth0'/>
    </interface>
    <console type='pty' tty='/dev/pts/2'>
      <source path='/dev/pts/2'/>
      <target port='0'/>
    </console>
  </devices>
</domain>

2. connect to the container via console
virsh # console toy
Connected to domain toy
Escape character is ^]
sh-4.1# 

3. check the network status on toy
sh-4.1# more /etc/resolv.conf 
# Generated by NetworkManager
domain nay.redhat.com
search nay.redhat.com
nameserver 10.66.127.10
nameserver 10.32.63.5
nameserver 172.16.52.28

sh-4.1# ifconfig

sh-4.1# ping google.com
ping: unknown host google.com

sh-4.1# ping 10.66.70.12
connect: Network is unreachable

sh-4.1# more /etc/sysconfig/network-scripts/ifcfg-eth0 
DEVICE=eth0
HWADDR=6C:F0:49:27:0C:06
ONBOOT=yes
BOOTPROTO=dhcp

sh-4.1# 
virsh # domifstat toy veth0
veth0 rx_bytes 9840
veth0 rx_packets 147
veth0 rx_errs 0
veth0 rx_drop 0
veth0 tx_bytes 552
veth0 tx_packets 6
veth0 tx_errs 0
veth0 tx_drop 0

4. check the network on host
# ping google.com
PING google.com (74.125.71.103) 56(84) bytes of data.
64 bytes from hx-in-f103.1e100.net (74.125.71.103): icmp_seq=1 ttl=49 time=100 ms

# ping 10.66.70.12
PING 10.66.70.12 (10.66.70.12) 56(84) bytes of data.
64 bytes from 10.66.70.12: icmp_seq=1 ttl=64 time=0.385 ms

# more /etc/resolv.conf 
# Generated by NetworkManager
domain nay.redhat.com
search nay.redhat.com
nameserver 10.66.127.10
nameserver 10.32.63.5
nameserver 172.16.52.28

# brctl show virbr0
bridge name	bridge id		STP enabled	interfaces
virbr0		8000.1661f96cd7a3	yes		veth0

5. restart network on toy, check the network on toy
virsh # console toy
Connected to domain toy
Escape character is ^]

sh-4.1# service network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:  
Determining IP information for eth0... done.
                                                           [  OK  ]
sh-4.1# more /etc/resolv.conf 
; generated by /sbin/dhclient-script
nameserver 192.168.122.1

sh-4.1# ping google.com
ping: unknown host google.com

sh-4.1# ping 10.66.70.12
PING 10.66.70.12 (10.66.70.12) 56(84) bytes of data.
64 bytes from 10.66.70.12: icmp_seq=1 ttl=63 time=1.12 ms

6. check the network on host
# more /etc/resolv.conf 
; generated by /sbin/dhclient-script
nameserver 192.168.122.1

# ping google.com
ping: unknown host google.com

# ping 10.66.70.12
PING 10.66.70.12 (10.66.70.12) 56(84) bytes of data.
64 bytes from 10.66.70.12: icmp_seq=1 ttl=64 time=0.159 ms

7. restart network on host, check the network on host
# service network restart
Shutting down interface eth0:  Device state: 3 (disconnected)
                                                           [  OK  ]
Shutting down loopback interface:  Error org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by message bus)
                                                           [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:  
Determining IP information for eth0... done.
                                                           [  OK  ]
# more /etc/resolv.conf 
; generated by /sbin/dhclient-script
search nay.redhat.com
nameserver 10.66.127.10
nameserver 10.32.63.5
nameserver 172.16.52.28

# service NetworkManager status
NetworkManager dead but pid file exists

# ping google.com
PING google.com (74.125.71.99) 56(84) bytes of data.
64 bytes from hx-in-f99.1e100.net (74.125.71.99): icmp_seq=1 ttl=51 time=77.4 ms

# brctl show virbr0
bridge name	bridge id		STP enabled	interfaces
virbr0		8000.1661f96cd7a3	yes		veth0


Actual results:
step 5 and step 6, the resolv.conf has been modified.
step 7, restart network on host make the NetworkManager dead.

Expected results:
restart network with determining IP information done [OK], the network should be work fine.

Additional info:

when testing with kernel-2.6.32-25.el6.x86_64

step 5, toy cannot connect to 10.66.70.12
sh-4.1# ping 10.66.70.12
PING 10.66.70.12 (10.66.70.12) 56(84) bytes of data.

####no output here, can only press Ctrl+C.
Comment 2 RHEL Program Management 2010-05-12 04:53:05 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 5 Daniel Berrangé 2010-06-30 13:05:43 UTC 
>  <devices>
>    <emulator>/usr/libexec/libvirt_lxc</emulator>
>    <interface type='network'>
>      <mac address='52:54:00:ca:84:12'/>
>      <source network='default'/>
>      <target dev='veth0'/>
>    </interface>
>    <console type='pty' tty='/dev/pts/2'>
>      <source path='/dev/pts/2'/>
>      <target port='0'/>
>    </console>
>  </devices>


There is no <filesystem> device configured in this guest, thus the container will inherit full access to the host filesystem. Thus any changes you make to /etc/resolv.conf in the container will obviously impact the host OS. This is essentially an 'application workload isolation' configuration, and not a 'virtual operating system container' configuration. You can't expect to run arbitrary apps in such a config and not have them impact the host, since the configuration isn't providing any security. If you want the container to be isolated, then you need to configure a custom filesystem for it.