Bug 752254
| Field | Value |
|---|---|
| Summary | libvirt fails to initialize nwfilter when /tmp is mounted with noexec option |
| Product | [Community] Virtualization Tools |
| Reporter | Bartlomiej Leszak <bartekl> |
| Component | libvirt |
| Assignee | Eric Blake <eblake> |
| Status | CLOSED NEXTRELEASE |
| Severity | medium |
| Priority | unspecified |
| Version | unspecified |
| CC | crobinso, eblake, xen-maint |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Story Points | --- |
| | 752255 (view as bug list) |
| Last Closed | 2011-11-10 00:48:12 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 752255 |
(In reply to comment #0)
> Description of problem:
>
> Additional info:
> Since ebiptablesExecCLI() function's only purpose is to run script generated
> for checking iptables/ip6tables/ebtables capabilities it should be easy to fix
> this function. It should invoke this script with `/bin/sh /tmp/tmp_script_path'
> instead of calling it directly.

Agree - and this should be a fairly easy patch to get approved. Libvirt 0.9.8 (or whatever it is numbered) will include this.
```
commit 3b7122c0b24b59ade17dbf72c22dbdfdad89bb08
Author: Eric Blake <eblake>
Date:   Wed Nov 9 10:29:57 2011 -0700

    nwfilter: simplify execution of ebiptables scripts

    It's not worth even worrying about a temporary file, unless we
    ever expect the script to exceed maximum command-line argument
    length limits.

    * src/nwfilter/nwfilter_ebiptables_driver.c (ebiptablesExecCLI):
    Run the commands as an argument to /bin/sh, rather than worrying
    about a temporary file.
    (ebiptablesWriteToTempFile): Delete unused function.
```
Description of problem:

When /tmp filesystem is mounted with noexec option:

```
tmpfs on /tmp type tmpfs (rw,noexec,nosuid,size=512M)
```

libvirt fails to initialize nwfilter framework and then fails to start any domain using nwfilter rules.

```
22:22:32.545: 7699: debug : ebiptablesExecCLI:2590 : cmd='/sbin/ebtables -t nat -L'
eval res=\$\("${cmd}"\)
if [ $? -ne 0 ]; then echo "Failure to execute command '${cmd}'."; exit 1;fi
22:22:32.545: 7699: debug : virRunWithHook:833 : /tmp/virtduqjigQ
22:22:32.549: 7699: debug : virRunWithHook:851 : Command stderr:
22:22:32.548: 7733: info : libvirt version: 0.8.7, package: 18.el6_1.1 (Unknown, 2011-09-01-11:22:40, sl6.fnal.gov)
22:22:32.548: 7733: error : __virExec:676 : cannot execute binary /tmp/virtduqjigQ: Permission denied
libvir: error : cannot execute binary /tmp/virtduqjigQ: Permission denied
22:22:32.549: 7699: debug : ebiptablesExecCLI:2611 : rc = 0, status = 1
```

I have seen similar problems over the internet, and it seems these problems were incorrectly classified as iptables/ip6tables/ebtables not being available in PATH.

Version-Release number of selected component (if applicable):

libvirt-0.8.7-18.el6_1.1.x86_64 (but as far as I can tell after looking at 0.9.7 sources the same problem persists in this version too)

How reproducible:

Mount /tmp with noexec option, restart libvirt.

Actual results:

1. Nwfilter not being initialized at libvirt's start:

```
Nov 8 22:20:48 kastor libvirtd: 22:20:48.984: 7523: info : libvirt version: 0.8.7, package: 18.el6_1.1 (Unknown, 2011-09-01-11:22:40, sl6.fnal.gov)
Nov 8 22:20:48 kastor libvirtd: 22:20:48.994: 7523: info : networkReloadIptablesRules:1382 : Reloading iptables rules
Nov 8 22:20:49 kastor libvirtd: 22:20:49.231: 7523: error : ebiptablesDriverInit:3766 : internal error firewall tools were not found or cannot be used
```

2. Nwfilter not being usable within domain configuration:

```
[root@kastor ~]# virsh start av
error: Failed to start domain av
error: internal error Could not get access to ACL tech driver 'ebiptables'
[root@kastor ~]#
```

Additional info:

Since ebiptablesExecCLI() function's only purpose is to run script generated for checking iptables/ip6tables/ebtables capabilities it should be easy to fix this function. It should invoke this script with `/bin/sh /tmp/tmp_script_path' instead of calling it directly.
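As an added illustration (not libvirt's code and not the patch from the commit above), the C program below runs a capability-check script of the shape seen in the debug log the way the fix describes, by handing the script text to /bin/sh as an argument instead of exec()ing a temp file, and adds a statvfs()-based check an administrator can use to tell whether a path sits on a noexec mount. The function names are hypothetical; the command strings passed in are constructed sample input.

```c
#define _GNU_SOURCE           /* exposes ST_NOEXEC in glibc's <sys/statvfs.h> */
#include <stdio.h>
#include <sys/statvfs.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for libvirt's ebiptablesExecCLI() after the fix: the
 * generated script is passed to /bin/sh as an argument instead of being
 * written to /tmp and exec()ed, so a noexec /tmp no longer matters.
 * Returns the script's exit status, or -1 if it could not be run at all. */
int run_script_via_sh(const char *script)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127); /* only reached if /bin/sh itself could not be started */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Generate the same shape of capability-check script the bug's debug log
 * shows (cmd='...'; eval res=$("${cmd}"); exit 1 on failure) and run it.
 * 0: the tool ran; 1: the check failed; -1: sh could not be run. */
int capability_check(const char *cmd)
{
    char script[512];
    int n = snprintf(script, sizeof script,
                     "cmd='%s'\n"
                     "eval res=\\$\\(\"${cmd}\"\\)\n"
                     "if [ $? -ne 0 ]; then "
                     "echo \"Failure to execute command '${cmd}'.\"; exit 1; fi\n",
                     cmd);
    if (n < 0 || (size_t)n >= sizeof script) return -1;
    return run_script_via_sh(script);
}

/* Defender-side check: is the filesystem holding `path` mounted noexec?
 * Returns 1 for noexec, 0 for exec allowed, -1 if statvfs() fails. */
int mount_is_noexec(const char *path)
{
    struct statvfs sv;
    if (statvfs(path, &sv) != 0) return -1;
    return (sv.f_flag & ST_NOEXEC) ? 1 : 0;
}
```

Calling `mount_is_noexec("/tmp")` before relying on any exec-from-/tmp path turns the silent "firewall tools were not found" failure into a diagnosable one.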