Bug 752255
Summary: | libvirt fails to initialize nwfilter when /tmp is mounted with noexec option | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Eric Blake <eblake> |
Component: | libvirt | Assignee: | Eric Blake <eblake> |
Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
Severity: | medium | Docs Contact: | |
Priority: | high | | |
Version: | 6.2 | CC: | acathrow, bartekl, bsarathy, crobinso, dallan, dyuan, eblake, jpallich, mshao, mvadkert, mzhan, rwu, sgrubb, veillard, whuang, xen-maint |
Target Milestone: | rc | Keywords: | ZStream |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | Previously, libvirt's implementation of nwfilter would attempt to execute a temporary file generated directly in /tmp, which would fail if /tmp is mounted noexec for security reasons. The implementation of nwfilter has been improved to avoid the need for a temporary file altogether, which removed the need for libvirt to modify or use files in /tmp. | | |
Story Points: | --- | | |
Clone Of: | 752254 | Environment: | |
Last Closed: | 2012-06-20 06:36:23 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 752254 | | |
Bug Blocks: | 584498, 754182, 846801, 846802 | | |
Description
Eric Blake
2011-11-08 23:34:17 UTC
I reproduce this bug with: libvirt-0.9.4-22.el6.x86_64 and libvirt-0.8.7-18.el6_1.1.x86_64.rpm

Steps:

1) Create a lv (vg_intelw352081-tmp) or a new partition (sda7), mkfs it and mount it

2) #mount /dev/mapper/vg_intelw352081-tmp /mnt/tmp

3) #cp -ar /tmp /mnt/

4) #umount /mnt/tmp

5) #mount /dev/mapper/vg_intelw352081-tmp /tmp -o noexec,nosuid

6) #service libvirtd restart

7) #tail /var/log/libvirt/libvirtd.log

    14:04:33.164: 5537: error : ebiptablesDriverInit:3779 : internal error firewall tools were not found or cannot be used

8) Need to add a nwfilter in test's xml, like this:

    <interface type='bridge'>
      <mac address='52:54:00:61:cd:ed'/>
      <source bridge='breth0'/>
      <filterref filter='clean-traffic'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>

9) #virsh start test

    error: Failed to start domain test
    error: internal error Could not get access to ACL tech driver 'ebiptables'

Reproduce it with libvirt-0.9.4-22.el6.x86_64. And verify it with libvirt-0.9.8-1.el6.x86_64 and it passed.

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Previously, libvirt's implementation of nwfilter would attempt to execute a temporary file generated directly in /tmp, which would fail if /tmp is mounted noexec for security reasons. The implementation of nwfilter has been improved to avoid the need for a temporary file altogether, which removed the need for libvirt to modify or use files in /tmp.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0748.html
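
A triage check for the condition in this report, as an added example that is not part of the bug thread or of libvirt: it resolves which mount covers /tmp, tests for `noexec`, and looks for the `ebiptablesDriverInit` error quoted in step 7. The function names, the result labels and the sample device names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: functions and sample data are constructed, not libvirt code.

# mount_opts_for MOUNTS PATH
# Print the options of the most specific mount covering PATH. MOUNTS uses the
# /proc/mounts layout: device mountpoint fstype options dump pass.
mount_opts_for() (
    best="" best_opts=""
    while read -r dev mp fstype opts rest; do
        case "$2/" in
            "${mp%/}/"*)
                # Longest mount point wins; on a tie the later line (an
                # overmount) replaces the earlier one.
                if [ "${#mp}" -ge "${#best}" ]; then
                    best=$mp best_opts=$opts
                fi ;;
        esac
    done < "$1"
    printf '%s\n' "$best_opts"
)

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# check_host MOUNTS LOG: print one of
#   tmp-exec-allowed  /tmp is not noexec, the precondition of this report is absent
#   affected          /tmp is noexec and LOG contains the driver init error
#   ok                /tmp is noexec and LOG does not contain that error
check_host() (
    opts=$(mount_opts_for "$1" /tmp)
    if ! has_opt "$opts" noexec; then
        echo tmp-exec-allowed
    elif grep -q 'ebiptablesDriverInit.*firewall tools were not found' "$2"; then
        echo affected
    else
        echo ok
    fi
)

# Constructed sample input (device names are placeholders).
d=$(mktemp -d)
printf '%s\n' '/dev/mapper/vg_example-root / ext4 rw,relatime 0 0' \
    '/dev/mapper/vg_example-tmp /tmp ext4 rw,nosuid,noexec 0 0' > "$d/mounts"
echo 'error : ebiptablesDriverInit:3779 : internal error firewall tools were not found or cannot be used' > "$d/libvirtd.log"
check_host "$d/mounts" "$d/libvirtd.log"
```

On a real host the call is `check_host /proc/mounts /var/log/libvirt/libvirtd.log`, run after restarting libvirtd as in step 6.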