| Summary: | [LXC] restart network on guest make the /etc/resolv.conf has been changed on host. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | dyuan |
| Component: | libvirt | Assignee: | Jiri Denemark <jdenemar> |
| Status: | CLOSED NOTABUG | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.0 | CC: | berrange, borgan, hbrock, llim, tyan, xen-maint, yoyzhang |
| Target Milestone: | rc | Keywords: | TestBlocker |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-06-30 13:05:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 599016, 609429 | ||
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion. > <devices>
> <emulator>/usr/libexec/libvirt_lxc</emulator>
> <interface type='network'>
> <mac address='52:54:00:ca:84:12'/>
> <source network='default'/>
> <target dev='veth0'/>
> </interface>
> <console type='pty' tty='/dev/pts/2'>
> <source path='/dev/pts/2'/>
> <target port='0'/>
> </console>
> </devices>
There is no <filesystem> device configured in this guest, thus the container will inherit full access to the host filesystem. Thus any changes you make to /etc/resolv.conf in the container will obviously impact the host OS. This is essentially an 'application workload isolation' configuration, and not a 'virtual operating system container' configuration. You can't expect to run arbitrary apps in such a config and not have them impact the host, since the configuration isn't providing any security. If you want the container to be isolated, then you need to configure a custom filesystem for it.
|
Description of problem: Restart network on guest, make the network does not work fine on host, also the /etc/resolv.conf has been modified. Then restart network on host, the NetworkManager dead. Version-Release number of selected component (if applicable): kernel-2.6.32-24.el6.x86_64 libvirt-0.8.1-2.el6.x86_64 How reproducible: always Steps to Reproduce: 1. define a simple application container and make it running # virsh -c lxc:/// Welcome to virsh, the virtualization interactive terminal. Type: 'help' for help with commands 'quit' to quit virsh # define toy.xml Domain toy defined from toy.xml virsh # start toy Domain toy started virsh # list --all Id Name State ---------------------------------- 7081 toy running virsh # dumpxml toy <domain type='lxc' id='3420'> <name>toy</name> <uuid>386f5b25-43ee-9d62-4ce2-58c3809e47c1</uuid> <memory>500000</memory> <currentMemory>500000</currentMemory> <vcpu>1</vcpu> <os> <type arch='x86_64'>exe</type> <init>/bin/sh</init> </os> <clock offset='utc'/> <on_poweroff>destroy</on_poweroff> <on_reboot>restart</on_reboot> <on_crash>destroy</on_crash> <devices> <emulator>/usr/libexec/libvirt_lxc</emulator> <interface type='network'> <mac address='52:54:00:ca:84:12'/> <source network='default'/> <target dev='veth0'/> </interface> <console type='pty' tty='/dev/pts/2'> <source path='/dev/pts/2'/> <target port='0'/> </console> </devices> </domain> 2. connect to the container via console virsh # console toy Connected to domain toy Escape character is ^] sh-4.1# 3. check the network status on toy sh-4.1# more /etc/resolv.conf # Generated by NetworkManager domain nay.redhat.com search nay.redhat.com nameserver 10.66.127.10 nameserver 10.32.63.5 nameserver 172.16.52.28 sh-4.1# ifconfig sh-4.1# ping google.com ping: unknown host google.com sh-4.1# ping 10.66.70.12 connect: Network is unreachable sh-4.1# more /etc/sysconfig/network-scripts/ifcfg-eth0 DEVICE=eth0 HWADDR=6C:F0:49:27:0C:06 ONBOOT=yes BOOTPROTO=dhcp sh-4.1# virsh # domifstat toy veth0 veth0 rx_bytes 9840 veth0 rx_packets 147 veth0 rx_errs 0 veth0 rx_drop 0 veth0 tx_bytes 552 veth0 tx_packets 6 veth0 tx_errs 0 veth0 tx_drop 0 4. check the network on host # ping google.com PING google.com (74.125.71.103) 56(84) bytes of data. 64 bytes from hx-in-f103.1e100.net (74.125.71.103): icmp_seq=1 ttl=49 time=100 ms # ping 10.66.70.12 PING 10.66.70.12 (10.66.70.12) 56(84) bytes of data. 64 bytes from 10.66.70.12: icmp_seq=1 ttl=64 time=0.385 ms # more /etc/resolv.conf # Generated by NetworkManager domain nay.redhat.com search nay.redhat.com nameserver 10.66.127.10 nameserver 10.32.63.5 nameserver 172.16.52.28 # brctl show virbr0 bridge name bridge id STP enabled interfaces virbr0 8000.1661f96cd7a3 yes veth0 5. restart network on toy, check the network on toy virsh # console toy Connected to domain toy Escape character is ^] sh-4.1# service network restart Shutting down interface eth0: [ OK ] Shutting down loopback interface: [ OK ] Bringing up loopback interface: [ OK ] Bringing up interface eth0: Determining IP information for eth0... done. [ OK ] sh-4.1# more /etc/resolv.conf ; generated by /sbin/dhclient-script nameserver 192.168.122.1 sh-4.1# ping google.com ping: unknown host google.com sh-4.1# ping 10.66.70.12 PING 10.66.70.12 (10.66.70.12) 56(84) bytes of data. 64 bytes from 10.66.70.12: icmp_seq=1 ttl=63 time=1.12 ms 6. check the network on host # more /etc/resolv.conf ; generated by /sbin/dhclient-script nameserver 192.168.122.1 # ping google.com ping: unknown host google.com # ping 10.66.70.12 PING 10.66.70.12 (10.66.70.12) 56(84) bytes of data. 64 bytes from 10.66.70.12: icmp_seq=1 ttl=64 time=0.159 ms 7. restart network on host, check the network on host # service network restart Shutting down interface eth0: Device state: 3 (disconnected) [ OK ] Shutting down loopback interface: Error org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by message bus) [ OK ] Bringing up loopback interface: [ OK ] Bringing up interface eth0: Determining IP information for eth0... done. [ OK ] # more /etc/resolv.conf ; generated by /sbin/dhclient-script search nay.redhat.com nameserver 10.66.127.10 nameserver 10.32.63.5 nameserver 172.16.52.28 # service NetworkManager status NetworkManager dead but pid file exists # ping google.com PING google.com (74.125.71.99) 56(84) bytes of data. 64 bytes from hx-in-f99.1e100.net (74.125.71.99): icmp_seq=1 ttl=51 time=77.4 ms # brctl show virbr0 bridge name bridge id STP enabled interfaces virbr0 8000.1661f96cd7a3 yes veth0 Actual results: step 5 and step 6, the resolv.conf has been modified. step 7, restart network on host make the NetworkManager dead. Expected results: restart network with determining IP information done [OK], the network should be work fine. Additional info: when testing with kernel-2.6.32-25.el6.x86_64 step 5, toy cannot connect to 10.66.70.12 sh-4.1# ping 10.66.70.12 PING 10.66.70.12 (10.66.70.12) 56(84) bytes of data. ####no output here, can only press Ctrl+C.