Bug 617096
Summary: | fail to start the guest on pool without svirt configuration after conversion(rhel 6) | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Mohua Li <moli> |
Component: | libvirt | Assignee: | Daniel Veillard <veillard> |
Status: | CLOSED NOTABUG | QA Contact: | Virtualization Bugs <virt-bugs> |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | 6.0 | CC: | berrange, cshao, dwalsh, eblake, leiwang, llim, mbooth, moli, mshao, rwu, xen-maint |
Target Milestone: | rc | Keywords: | RHELNAK, TestBlocker |
Target Release: | --- | Flags: | moli: needinfo- |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2010-08-11 06:06:01 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Mohua Li
2010-07-22 07:33:46 UTC
tested version as below,

[root@dhcp-66-70-73 qemu]# rpm -qa libguestfs
libguestfs-1.2.7-1.16.el6.x86_64
[root@dhcp-66-70-73 qemu]# rpm -qa libvirt
libvirt-0.8.1-15.el6.x86_64
[root@dhcp-66-70-73 qemu]# rpm -qa virt-v2v
virt-v2v-0.6.1-1.el6.x86_64

this bug will make all the guests fail to start on libvirt pool, so set the keywords TestBlocker.

This issue has been proposed when we are only considering blocker issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current release, ask your support representative to file as a blocker on your behalf. Otherwise ask that it be considered for the next Red Hat Enterprise Linux release. **

I've been trying to work out why I couldn't replicate this. I've asked around, and the suggestion is that the issue is where the images have been placed: namely in a directory under /root. This directory will not have a correct SELinux label by default, and may not have appropriate DAC permissions either.

Can you please try again using a directory pool under /var/lib/libvirt/images as the target. Either way, could you please post any related AVC denials from the audit log to this bug?

I'm moving this over to libvirt as it doesn't appear to relate to virt-v2v. I'm also not convinced it's a bug, but I'll let somebody more authoritative make that determination.

(In reply to comment #7)
> I've been trying to work out why I couldn't replicate this. I've asked around,
> and the suggestion is that the issue is where the images have been placed:
> namely in a directory under /root. This directory will not have a correct
> SELinux label by default, and may not have appropriate DAC permissions either.
>
> Can you please try again using a directory pool under /var/lib/libvirt/images
> as the target. Either way, could you please post any related AVC denials from
> the audit log to this bug?

actually, I also try some pools on /var/lib/libvirt/images, also have such issues, I will post the audit log for AVC denials later,

(In reply to comment #9)
> (In reply to comment #7)
> > I've been trying to work out why I couldn't replicate this. I've asked around,
> > and the suggestion is that the issue is where the images have been placed:
> > namely in a directory under /root. This directory will not have a correct
> > SELinux label by default, and may not have appropriate DAC permissions either.
> >
> > Can you please try again using a directory pool under /var/lib/libvirt/images
> > as the target. Either way, could you please post any related AVC denials from
> > the audit log to this bug?
>
> actually, I also try some pools on /var/lib/libvirt/images, also have such
> issues, I will post the audit log for AVC denials later,

audit.log, for virsh start domain output,

type=ANOM_PROMISCUOUS msg=audit(1281064234.033:77): dev=vnet0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1281064234.033:77): arch=c000003e syscall=16 success=yes exit=0 a0=13 a1=89a2 a2=7fef25632ae0 a3=7 items=0 ppid=1 pid=8404 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1281064234.186:78): dev=vnet0 prom=0 old_prom=256 auid=4294967295 uid=107 gid=107 ses=4294967295
type=ANOM_PROMISCUOUS msg=audit(1281064240.574:79): dev=vnet0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1281064240.574:79): arch=c000003e syscall=16 success=yes exit=0 a0=13 a1=89a2 a2=7fef27e36ae0 a3=361dd7a14c items=0 ppid=1 pid=8400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1281064240.806:80): dev=vnet0 prom=0 old_prom=256 auid=4294967295 uid=107 gid=107 ses=4294967295

/var/log/messages, for virsh start $domain output,

Aug 6 11:10:34 dhcp-66-70-73 libvirtd: 11:10:34.267: error : qemudReadLogOutput:2313 : internal error Process exited while reading console log output: char device redirected to /dev/pts/1#012qemu: could not open disk image /root/esx4/ESXi4_Linux_ESX4-RHEL3U9-i386_ESX4-RHEL3U9-i386: Permission denied#012
Aug 6 11:10:40 dhcp-66-70-73 kernel: device vnet0 entered promiscuous mode
Aug 6 11:10:40 dhcp-66-70-73 kernel: virbr0: topology change detected, propagating
Aug 6 11:10:40 dhcp-66-70-73 kernel: virbr0: port 1(vnet0) entering forwarding state
Aug 6 11:10:40 dhcp-66-70-73 NetworkManager[7911]: <warn> /sys/devices/virtual/net/vnet0: couldn't determine device driver; ignoring...
Aug 6 11:10:40 dhcp-66-70-73 kernel: virbr0: port 1(vnet0) entering disabled state
Aug 6 11:10:40 dhcp-66-70-73 kernel: device vnet0 left promiscuous mode
Aug 6 11:10:40 dhcp-66-70-73 kernel: virbr0: port 1(vnet0) entering disabled state
Aug 6 11:10:40 dhcp-66-70-73 libvirtd: 11:10:40.885: error : qemudReadLogOutput:2313 : internal error Process exited while reading console log output: char device redirected to /dev/pts/1#012qemu: could not open disk image /root/xen/rhel5u4-32b-hv-raw-intel.img: Permission denied#012

None of those audit.log messages are AVC denials. The syslog messages show you are still using /root. Please put the disk images in /var/lib/libvirt/images as previously requested

actually I also don't know why there is no AVC log output in audit.log, that's what I saw where I execute "virsh start rhel5u4-32b-hv-raw-intel", any suggestion?

test pool create on /var/lib/libvirt/images,

<pool type="netfs">
  <name>test</name>
  <source>
    <host name="10.66.65.43"/>
    <dir path="/virt-v2v/v2v-convert/0.6.1-1.el5/20100713/test"/>
  </source>
  <target>
    <path>/var/lib/libvirt/images/test</path>
  </target>
</pool>

[root@dhcp-66-70-73 ~]# virsh vol-list test
Name Path
-----------------------------------------
ESXi35U4_Linux_ESX35-RHEL5U4-i386-noxen-smp_ESX35-RHEL5U4-i386-noxen-smp /var/lib/libvirt/images/test/ESXi35U4_Linux_ESX35-RHEL5U4-i386-noxen-smp_ESX35-RHEL5U4-i386-noxen-smp
rhel5u4-64b-pv-raw-intel.img /var/lib/libvirt/images/test/rhel5u4-64b-pv-raw-intel.img

[root@dhcp-66-70-73 ~]# virsh list --all
 Id Name State
----------------------------------
  - ESX4.0-RHEL3.9-i386 shut off
  - rhel5u4-32b-hv-raw-intel shut off

[root@dhcp-66-70-73 ~]# virsh start rhel5u4-32b-hv-raw-intel
error: Failed to start domain rhel5u4-32b-hv-raw-intel
error: internal error Process exited while reading console log output: char device redirected to /dev/pts/3
qemu: could not open disk image /root/xen/rhel5u4-32b-hv-raw-intel.img: Permission denied

audit.log,

type=ANOM_PROMISCUOUS msg=audit(1281091952.358:971): dev=vnet0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1281091952.358:971): arch=c000003e syscall=16 success=yes exit=0 a0=13 a1=89a2 a2=7fef27435ae0 a3=361dd7a14c items=0 ppid=1 pid=8401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1281091952.476:972): dev=vnet0 prom=0 old_prom=256 auid=4294967295 uid=107 gid=107 ses=4294967295
type=USER_ACCT msg=audit(1281092101.869:973): user pid=15385 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

Simply creating a new storage pool doesn't magically move all existing guests into that pool. Your guest is clearly still configured to use /root/ as shown by this error message:

[root@dhcp-66-70-73 ~]# virsh start rhel5u4-32b-hv-raw-intel
error: Failed to start domain rhel5u4-32b-hv-raw-intel
error: internal error Process exited while reading console log output: char device redirected to /dev/pts/3
qemu: could not open disk image /root/xen/rhel5u4-32b-hv-raw-intel.img: Permission denied

Please fix your guest to use the correct locations.

sorry, it should be a wrong paste, too quick operation make mistake, here the log clearly shows that vol "rhel5u5-32b-hv-raw-intel.img", "rhel5u4-64b-hv-raw-intel.img" locate on pool "test", start with an error, below,

[root@dhcp-66-70-73 libvirt]# virsh vol-list test
Name Path
-----------------------------------------
ESXi35U4_Linux_ESX35-RHEL5U4-i386-noxen-smp_ESX35-RHEL5U4-i386-noxen-smp /var/lib/libvirt/images/test/ESXi35U4_Linux_ESX35-RHEL5U4-i386-noxen-smp_ESX35-RHEL5U4-i386-noxen-smp
rhel5u4-64b-hv-raw-intel.img /var/lib/libvirt/images/test/rhel5u4-64b-hv-raw-intel.img
rhel5u5-32b-hv-raw-intel.img /var/lib/libvirt/images/test/rhel5u5-32b-hv-raw-intel.img

[root@dhcp-66-70-73 libvirt]# ll /var/lib/libvirt/images/test/
total 12031180
-rw-------. 1 root root 10737418240 Aug 7 2010 ESXi35U4_Linux_ESX35-RHEL5U4-i386-noxen-smp_ESX35-RHEL5U4-i386-noxen-smp
-rw-------. 1 root root 4294967297 Aug 7 2010 rhel5u4-64b-hv-raw-intel.img
-rw-------. 1 root root 6291456000 Aug 7 2010 rhel5u5-32b-hv-raw-intel.img

[root@dhcp-66-70-73 libvirt]# virsh start rhel5u4-64b-hv-raw-intel
error: Failed to start domain rhel5u4-64b-hv-raw-intel
error: internal error Process exited while reading console log output: char device redirected to /dev/pts/4
qemu: could not open disk image /var/lib/libvirt/images/test/rhel5u4-64b-hv-raw-intel.img: Permission denied

[root@dhcp-66-70-73 libvirt]# virsh start rhel5u5-32b-hv-raw-intel
error: Failed to start domain rhel5u5-32b-hv-raw-intel
error: internal error Process exited while reading console log output: char device redirected to /dev/pts/4
qemu: could not open disk image /var/lib/libvirt/images/test/rhel5u5-32b-hv-raw-intel.img: Permission denied

audit.log

type=ANOM_PROMISCUOUS msg=audit(1281095542.608:1104): dev=vnet0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1281095542.608:1104): arch=c000003e syscall=16 success=yes exit=0 a0=13 a1=89a2 a2=7fef26033ae0 a3=361dd7a14c items=0 ppid=1 pid=8403 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1281095542.735:1105): dev=vnet0 prom=0 old_prom=256 auid=4294967295 uid=107 gid=107 ses=4294967295
type=ANOM_PROMISCUOUS msg=audit(1281095548.973:1106): dev=vnet0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1281095548.973:1106): arch=c000003e syscall=16 success=yes exit=0 a0=13 a1=89a2 a2=7fef26a34ae0 a3=361dd7a14c items=0 ppid=1 pid=8402 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1281095549.108:1107): dev=vnet0 prom=0 old_prom=256 auid=4294967295 uid=107 gid=107 ses=4294967295

What are the permissions on the directory /var/lib/libvirt/images/test itself ?

here is the permission setting for /var/lib/libvirt/images,

[root@dhcp-66-70-73 images]# ll
total 4
drwxr-xr-x. 2 root root 4096 Aug 7 03:32 test
[root@dhcp-66-70-73 images]# pwd
/var/lib/libvirt/images

the most obvious thing is when I disable the selinux, I could start the guest successfully, without any error,

can you provide the output of

ls -laZ /var/lib/libvirt/images
ls -laZ /var/lib/libvirt/images/test

so we can see the SELinux labelling of that subtree

Daniel

as before I setenforce 0, to start the guest, I set it back, here is the output,

[root@dhcp-66-70-73 v2v]# getenforce
Permissive
[root@dhcp-66-70-73 v2v]# setenforce 1
[root@dhcp-66-70-73 v2v]# getenforce
Enforcing
[root@dhcp-66-70-73 v2v]# ls -laZ /var/lib/libvirt/images
drwx--x--x. root root system_u:object_r:virt_image_t:s0 .
drwxr-xr-x. root root system_u:object_r:virt_var_lib_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:virt_image_t:s0 rhel5u4-64b-hv-raw-intel.xml
drwxr-xr-x. root root unconfined_u:object_r:virt_image_t:s0 test
drwxr-xr-x. root root system_u:object_r:nfs_t:s0 v2v
[root@dhcp-66-70-73 v2v]# ls -laZ /var/lib/libvirt/images/test
drwxr-xr-x. root root unconfined_u:object_r:virt_image_t:s0 .
drwx--x--x. root root system_u:object_r:virt_image_t:s0 ..

the test subdir does not have the same SELinux attributes as /var/lib/libvirt/images

Move all the data from the test subdir to the main /var/lib/libvirt/images directory, change the guest config to point to the new location for the files, and try again.

This looks like a user problem of mislabelling the directory containing the guest files. A priori not a bug, but I'm waiting for confirmation !

Daniel

DV, try exactly what you told, still met the error, and also I change the pool owner/group from -1 to qemu/qemu, also met the same error,

[root@dhcp-66-70-73 virt]# ls -laZ /var/lib/libvirt/images/
drwxr-xr-x. root root system_u:object_r:nfs_t:s0 .
drwxr-xr-x. root root system_u:object_r:virt_var_lib_t:s0 ..
-rw-------. root root system_u:object_r:nfs_t:s0 rhel5u4-32b-hv-raw-intel.img
-rw-------. root root system_u:object_r:nfs_t:s0 rhel5u4-64b-hv-raw-intel.img

[root@dhcp-66-70-73 virt]# virsh list --all
 Id Name State
----------------------------------
  - rhel5u4-32b-hv-raw-intel shut off
  - rhel5u4-64b-hv-raw-intel shut off

[root@dhcp-66-70-73 virt]# virsh start rhel5u4-32b-hv-raw-intel
error: Failed to start domain rhel5u4-32b-hv-raw-intel
error: internal error Process exited while reading console log output: char device redirected to /dev/pts/5
qemu: could not open disk image /var/lib/libvirt/images/rhel5u4-32b-hv-raw-intel.img: Permission denied

[root@dhcp-66-70-73 virt]# virsh pool-dumpxml v2v
<pool type='netfs'>
  <name>v2v</name>
  <uuid>8d25c92b-03b1-a4b0-6435-03c471e9a505</uuid>
  <capacity>1969006968832</capacity>
  <allocation>1054794809344</allocation>
  <available>914212159488</available>
  <source>
    <host name='10.66.65.43'/>
    <dir path='/virt-v2v/v2v-convert/v2v'/>
    <format type='auto'/>
  </source>
  <target>
    <path>/var/lib/libvirt/images</path>
    <permissions>
      <mode>0700</mode>
      <owner>107</owner>
      <group>107</group>
    </permissions>
  </target>
</pool>

[root@dhcp-66-70-73 v2v]# cat /etc/passwd | grep qemu
qemu:x:107:107:qemu user:/:/sbin/nologin

we need to use "setsebool virt_use_nfs=on" in order for it to work with SELinux, after set this boolean, everything is ok, so this is not a bug,

[root@dhcp-66-70-73 ~]# getsebool -a | grep virt
virt_use_comm --> off
virt_use_fusefs --> off
virt_use_nfs --> on
virt_use_samba --> off
virt_use_sysfs --> off
virt_use_usb --> on
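
The check the thread ends on (image files labelled nfs_t, access gated by the virt_use_nfs boolean), written out as an added example that is not part of the original bug report. The function names and sample strings are constructed here, and the cifs_t and fusefs_t mappings are an assumption from general SELinux policy rather than something the thread states.

```shell
#!/bin/sh
# Added example: explain a qemu "Permission denied" on a disk image from the
# image's SELinux type and the state of the matching virt_use_* boolean.
# Inputs are text as printed by `ls -Z` and `getsebool -a`.

# The type is the third colon-separated field of an SELinux context.
selinux_type() { printf '%s\n' "$1" | cut -d: -f3; }

# State of one boolean in `getsebool -a` text ("name --> on|off").
bool_state() {  # $1 = getsebool text, $2 = boolean name
    printf '%s\n' "$1" |
        awk -v b="$2" '$1 == b && $2 == "-->" { print $3; exit }'
}

# Boolean that lets confined qemu use a filesystem-wide type (assumed mapping).
bool_for_type() {
    case "$1" in
        nfs_t)    echo virt_use_nfs ;;
        cifs_t)   echo virt_use_samba ;;
        fusefs_t) echo virt_use_fusefs ;;
    esac
}

# One-line verdict; only the two types below are treated as image labels here.
diagnose() {  # $1 = image context, $2 = getsebool text
    t=$(selinux_type "$1")
    case "$t" in
        virt_image_t|svirt_image_t)
            echo "ok: $t is a virt image type"; return 0 ;;
    esac
    b=$(bool_for_type "$t")
    if [ -z "$b" ]; then
        echo "relabel: $t is not a virt image type"; return 1
    fi
    if [ "$(bool_state "$2" "$b")" = "on" ]; then
        echo "ok: $t allowed by $b"; return 0
    fi
    echo "blocked: $t needs setsebool -P $b on"; return 1
}

# Constructed sample input, modelled on the outputs quoted in the thread.
BOOLS_BEFORE='virt_use_nfs --> off
virt_use_samba --> off'
BOOLS_AFTER='virt_use_nfs --> on
virt_use_samba --> off'

diagnose 'system_u:object_r:nfs_t:s0' "$BOOLS_BEFORE" || true
diagnose 'system_u:object_r:nfs_t:s0' "$BOOLS_AFTER"
diagnose 'unconfined_u:object_r:virt_image_t:s0' "$BOOLS_BEFORE"
```

On a live host the two arguments would come from `ls -Z` on the image path and from `getsebool -a`.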