| Summary: | [6.0.z] virsh console should be forbidden under readonly mode | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Vivian Bian <vbian> |
| Component: | libvirt | Assignee: | Daniel Veillard <veillard> |
| Status: | CLOSED NOTABUG | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.0 | CC: | berrange, eblake, jdenemar, jyang |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-04-06 02:29:08 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
In RHEL-6.1, there is an explicit API for opening consoles, 'virDomainOpenConsole'. For this, the readonly flag takes effect and will reject an attempt to open a console over a readonly connection. In RHEL-6.0.x, there is no API for opening consoles; virsh instead just opens the /dev/pts/XXX file directly. The read-only flag is irrelevant in this context: the file permissions on /dev/pts/XXX are the only check. I suspect you were using 'virsh' as root and so were able to access /dev/pts/XXXX. If you ran virsh as non-root, you would see a permission denial. So this BZ should likely be NOTABUG.

Retested with:

- libvirt-0.8.1-27.el6_0.5.x86_64
- qemu-kvm-0.12.1.2-2.113.el6_0.8.x86_64
- kernel-2.6.32-71.20.1.el6.x86_64

Running virsh as non-root, I could get the following result -- no permission denial.
```
# virsh -r -c qemu:///system
Welcome to virsh, the virtualization interactive terminal.
Type: 'help' for help with commands
'quit' to quit
virsh > console RHEL6.0
Connected to domain RHEL6.1
Escape character is ^]
virsh > console RHEL6.0
Connected to domain RHEL6.1
Escape character is ^]
could not read byte from child: Success
Welcome to Red Hat Enterprise Linux Server
Starting udev: [ OK ]
Setting hostname localhost.localdomain: [ OK ]
Setting up Logical Volume Management: 2 logical volume(s) in volume group "VolGroup" now active
[ OK ]
Checking filesystems
Checking all file systems.
[/sbin/fsck.ext4 (1) -- /] fsck.ext4 -a /dev/mapper/VolGroup-lv_root
/dev/mapper/VolGroup-lv_root: clean, 95143/246016 files, 607386/984064 blocks
[/sbin/fsck.ext4 (1) -- /boot] fsck.ext4 -a /dev/vda1
/dev/vda1: clean, 39/128016 files, 51317/512000 blocks
[ OK ]
Remounting root filesystem in read-write mode: [ OK ]
Mounting local filesystems: [ OK ]
Enabling local filesystem quotas: [ OK ]
Enabling /etc/fstab swaps: [ OK ]
Entering non-interactive startup
Applying Intel CPU microcode update: Calling the system activity data collector (sadc):
Starting monitoring for VG VolGroup: 2 logical volume(s) in volume group "VolGroup" monitored
[ OK ]
ip6tables: Applying firewall rules: [ OK ]
iptables: Applying firewall rules: [ OK ]
Bringing up loopback interface: [ OK ]
Starting auditd: [ OK ]
Starting portreserve: [ OK ]
Starting system logger: [ OK ]
Starting irqbalance: [ OK ]
Starting rpcbind: [ OK ]
Starting mdmonitor: [ OK ]
Starting kdump:[ OK ]
Starting system message bus: [ OK ]
Setting network parameters... [ OK ]
Starting NetworkManager daemon: [ OK ]
Starting Avahi daemon... [ OK ]
Starting NFS statd: [ OK ]
Starting RPC idmapd: [ OK ]
Starting cups: [ OK ]
Mounting other filesystems: [ OK ]
Starting acpi daemon: [ OK ]
Starting HAL daemon: [ OK ]
Retrigger failed udev events[ OK ]
Loading autofs4: [ OK ]
Starting automount: [ OK ]
Enabling Bluetooth devices:
Starting sshd: [ OK ]
Starting postfix: [ OK ]
Starting abrt daemon: [ OK ]
[ OK ] crond: [ OK ]
[ OK ] atd: [ OK ]
Red Hat Enterprise Linux Server release 6.0 (Santiago)
Kernel 2.6.32-71.el6.x86_64 on an x86_64
localhost.localdomain login:
```
Since RHEL 6.1 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

Are you sure you ran virsh as non-root? And if you did, are you sure you were not privileged enough to be able to read the appropriate /dev/pts/... file? I tested with libvirt-0.8.1-27.el6 and I wasn't allowed to read the domain's console:

```
$ virsh -r -c qemu:///system console guest
Connected to domain console
Escape character is ^]
16:29:50.255: error : vshRunConsole:77 : unable to open tty /dev/pts/3: Permission denied
```

(In reply to comment #5) The difference here is the "#" and "$", so mine wasn't the correct non-root mode, but root. Retested with libvirt-0.8.1-27.el6, and got the same permission denied prompt. So close the bug as NOTABUG according to comment #2.
Description of problem:

virDomainOpenConsole:

```c
conn = dom->conn;
if (conn->flags & VIR_CONNECT_RO) {
    virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
    goto error;
}
```

Since virsh uses this, this should fail:

```c
if (virDomainOpenConsole(dom, devname, con->st, 0) < 0)
    goto cleanup;
```

But on 6.0.z, we could connect to the guest console successfully in readonly mode.

Version-Release number of selected component (if applicable):

- libvirt-0.8.1-27.el6_0.5.x86_64
- qemu-kvm-0.12.1.2-2.113.el6_0.8.x86_64
- kernel-2.6.32-71.20.1.el6.x86_64

How reproducible: Always

Steps to Reproduce:

```
# virsh -r
Welcome to virsh, the virtualization interactive terminal.
Type: 'help' for help with commands
'quit' to quit
virsh > console local
Connected to domain local
Escape character is ^]
Red Hat Enterprise Linux Server release 6.0 (Santiago)
Kernel 2.6.32-71.el6.x86_64 on an x86_64
localhost.localdomain login: se Linux Server release 6.0 (Santiago)
Kernel 2.6.32-71.el6.x86_64 on an x86_64
localhost
```

Actual results: was allowed to connect to the guest console in readonly mode.

Expected results: forbidden to connect to the guest console in readonly mode.

Additional info: tested with RHEL6.1, didn't meet this issue.
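Comment #2 above makes the security-relevant point of this thread: on RHEL 6.0.x virsh opens the guest's /dev/pts/N directly, so the Unix owner and mode bits of that pty are the only access control, and the `-r` flag plays no role (root, as the reporter found, bypasses the mode bits entirely). The following is an added example written for this page, not code from the bug report or from libvirt. It audits the pty devices a guest exposes: it pulls every `<console>`/`<serial>` of `type='pty'` out of a libvirt domain XML document and reports whether the pty is readable by its group or by everyone. The domain XML is a constructed sample, and because the script must run offline, the `demo()` helper substitutes a temporary file for `/dev/pts/3`; on a real host you would pass the output of `virsh dumpxml` and let the paths resolve as-is.

```python
"""Audit who can read a guest's console pty from its file mode alone.

Added example (not from the bug report or libvirt). On RHEL 6.0.x virsh
reads /dev/pts/N directly, so these mode bits are the whole access check;
from 6.1 the virDomainOpenConsole API additionally rejects RO connections.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample domain XML in libvirt's format; the pty path is a
# stand-in that demo() maps to a temporary file so the script runs offline.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>RHEL6.0</name>
  <devices>
    <serial type='pty'>
      <source path='/dev/pts/3'/>
      <target port='0'/>
    </serial>
    <console type='pty' tty='/dev/pts/3'>
      <source path='/dev/pts/3'/>
      <target type='serial' port='0'/>
    </console>
  </devices>
</domain>
"""


def pty_paths(domain_xml):
    """Return the de-duplicated pty paths of all console/serial devices of type 'pty'."""
    root = ET.fromstring(domain_xml)
    paths = []
    for dev in root.iter():
        if dev.tag in ("console", "serial") and dev.get("type") == "pty":
            src = dev.find("source")
            # Live XML carries the tty attribute; the source path is the fallback.
            path = dev.get("tty") or (src.get("path") if src is not None else None)
            if path and path not in paths:
                paths.append(path)
    return paths


def pty_exposure(path):
    """Describe, from mode bits only, who can read the given pty."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    return {
        "path": path,
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mode": oct(mode),
        "group_readable": bool(mode & stat.S_IRGRP),
        "world_readable": bool(mode & stat.S_IROTH),
    }


def audit(domain_xml, path_override=None):
    """Check every pty in the XML; path_override maps XML paths to real files (for testing)."""
    results = []
    for xml_path in pty_paths(domain_xml):
        real_path = (path_override or {}).get(xml_path, xml_path)
        info = pty_exposure(real_path)
        info["path"] = xml_path
        # Root ignores mode bits, so this flag is about unprivileged users only.
        info["exposed_to_unprivileged"] = info["group_readable"] or info["world_readable"]
        results.append(info)
    return results


def demo():
    """Stand a temp file in for the pty, first with a weak mode, then owner-only."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        fake_pty = f.name
    try:
        os.chmod(fake_pty, 0o666)  # bad case: any local user could read the console
        weak = audit(SAMPLE_DOMAIN_XML, {"/dev/pts/3": fake_pty})
        os.chmod(fake_pty, 0o600)  # owner-only, the state a non-root virsh run should hit
        tight = audit(SAMPLE_DOMAIN_XML, {"/dev/pts/3": fake_pty})
    finally:
        os.unlink(fake_pty)
    return weak, tight


if __name__ == "__main__":
    for label, result in zip(("weak", "tight"), demo()):
        for r in result:
            print(label, r["path"], r["mode"], "exposed" if r["exposed_to_unprivileged"] else "ok")
```

The `exposed_to_unprivileged` flag is what a hardening check would alert on; a pty whose group is `tty` with mode `0620` is not group-readable and so reports `ok`, which matches the `Permission denied` that comment #5 observed for a non-root user. The check deliberately ignores root, since the thread shows that a `#` prompt reads the console regardless of `-r`.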