Bug 770020

Can you post the qemu commandline generated by both the working and non-working libvirts? (from /var/log/libvirt/qemu/$guest.log)?

Also, is it necessary to downgrade all the way to 0.8.1? What about 0.8.7?

(In reply to comment #3)
> Can you post the qemu commandline generated by both the working and non-working
> libvirts? (from /var/log/libvirt/qemu/$guest.log)?
> 
> Also, is it necessary to downgrade all the way to 0.8.1? What about 0.8.7?

Hi,Laine

Sorry , there is a mistake of my environment  , if you want to reproduce this bug , need setenforce = 1  always, then  old libvirt (libvirt-0.8.7-18.el6.x86_64) and new libvirt (libvirt-0.9.8-1.el6.x86_64) will all fail  :
error: Failed to start domain t
error: internal error Process exited while reading console log output: char
device redirected to /dev/pts/1
warning: could not open /dev/net/tun: no virtual network emulation
qemu-kvm: -netdev tap,script=/etc/my-qemu-ifup,id=hostnet0: Device 'tap' could
not be initialized


the guest should be started with SElinux ,right ?  



Wenlong

(In reply to comment #4)
> (In reply to comment #3)
> > Can you post the qemu commandline generated by both the working and non-working
> > libvirts? (from /var/log/libvirt/qemu/$guest.log)?
> > 
> > Also, is it necessary to downgrade all the way to 0.8.1? What about 0.8.7?
> 
> Hi,Laine
> 
> Sorry , there is a mistake of my environment  , if you want to reproduce this
> bug , need setenforce = 1  always, then  old libvirt
> (libvirt-0.8.7-18.el6.x86_64) and new libvirt (libvirt-0.9.8-1.el6.x86_64) will
> all fail  :
> error: Failed to start domain t
> error: internal error Process exited while reading console log output: char
> device redirected to /dev/pts/1
> warning: could not open /dev/net/tun: no virtual network emulation
> qemu-kvm: -netdev tap,script=/etc/my-qemu-ifup,id=hostnet0: Device 'tap' could
> not be initialized
> 
> 
> the guest should be started with SElinux ,right ?  

No, it was explicitly stated in 593903 and the description of this BZ that selinux has to be disabled for this to work.  This is NOTABUG.

Hi, Dave

I can reproduce this bug after remove the Host's bridge device  , now guest can not start as bug description even setenforce = 0  , so  it is still a bug ,please assign it thanks . 


libvirt-0.9.8-1.el6.x86_64  qemu.log

2012-01-06 03:21:02.755+0000: starting up
LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin QEMU_AUDIO_DRV=none /usr/libexec/qemu-kvm -S -M rhel6.2.0 -enable-kvm -m 1024 -smp 1,sockets=1,cores=1,threads=1 -name q2 -uuid 07e8d4f7-7c14-29f4-8c33-83cd04dd5ad1 -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/q2.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -drive file=/var/lib/libvirt/images/q2.img,if=none,id=drive-ide0-0-0,format=qcow2,cache=none -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -netdev tap,script=/etc/my-qemu-ifup,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:d8:05:14,bus=pci.0,addr=0x6 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -usb -vnc 127.0.0.1:0 -vga cirrus -device AC97,id=sound0,bus=pci.0,addr=0x4 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
Domain id=3 is tainted: high-privileges
Domain id=3 is tainted: shell-scripts
char device redirected to /dev/pts/2
warning: could not open /dev/net/tun: no virtual network emulation
qemu-kvm: -netdev tap,script=/etc/my-qemu-ifup,id=hostnet0: Device 'tap' could not be initialized
2012-01-06 03:21:03.061+0000: shutting down



libvirt-0.8.1-27.el6_0.6.x86_64    qemu.log 
LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin QEMU_AUDIO_DRV=none /usr/libexec/qemu-kvm -S -M rhel6.2.0 -enable-kvm -m 1024 -smp 1,sockets=1,cores=1,threads=1 -name q2 -uuid 07e8d4f7-7c14-29f4-8c33-83cd04dd5ad1 -nodefconfig -nodefaults -chardev socket,id=monitor,path=/var/lib/libvirt/qemu/q2.monitor,server,nowait -mon chardev=monitor,mode=control -rtc base=utc -boot c -drive file=/var/lib/libvirt/images/q2.img,if=none,id=drive-ide0-0-0,format=qcow2,cache=none -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 -netdev tap,script=/etc/my-qemu-ifup,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:d8:05:14,bus=pci.0,addr=0x6 -chardev pty,id=serial0 -device isa-serial,chardev=serial0 -usb -vnc 127.0.0.1:0 -vga cirrus -device AC97,id=sound0,bus=pci.0,addr=0x4 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5 
char device redirected to /dev/pts/2

and libvirt-0.8.7-18.el6.x86_64  will fail with same error 



Wenlong

Laine, can you reproduce this?

Okay, I've tried this with 3 different libvirt versions (all other packages on the host are identical:

  libvirt-0.8.1-27.el6_0.5 - WORKS
  libvirt-0.8.7-18         - FAILS
  libvirt-0.9.4-11         - FAILS

In all cases, selinux was se to to permissive, user:group in qemu.conf was set to root:root, and clear_emulator_capabilities was set to 0. The script used was identical to the script used by Wenlong, and was set to be executable (qemu fails to execute it otherwise.

When I compare the qemu commandlines, there doesn't seem to be any relevant changes between the working and non-working versions. This leads me to be believe there may be some problem with clearing capabilities when we shouldn't be, or something like that.

The simplest way to find the problem may be to bisect between 0.8.1 and 0.8.7+patches.

Yeah, sounds like it.

I saw same thing on libvirt-0.9.10.

adding /dev/net/tun to cgroup in  /etc/libvirt/qemu.conf seems to fix the issue.

cgroup_device_acl = [
    "/dev/null", "/dev/full", "/dev/zero",
    "/dev/random", "/dev/urandom",
    "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
    "/dev/rtc", "/dev/hpet", "/dev/net/tun",
]

Thanks for the suggestion, Matt!

I just tried it on a RHEL system and it does indeed solve the problem.

So, in summary, in order to use <interface type='ethernet'>, you must make the following changes to your system:

1) disable SELinux

2) in /etc/libvirt/qemu.conf add/edit the following lines:

  a) clear_emulator_capabilities = 0
  b) user = root
  c) group = root
  d)
     cgroup_device_acl = [
         "/dev/null", "/dev/full", "/dev/zero",
         "/dev/random", "/dev/urandom",
         "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
         "/dev/rtc", "/dev/hpet", "/dev/net/tun",
     ]

Since each of these steps is decreasing security on the system, we obviously can't configure things this way by default. The fix for this "bug" then, is to put this somewhere useful in documentation. What is the best place for that? Should this BZ be closed as NOTABUG, or should it be made dependent on some in-tree change to documentation?

I'd add it to the upstream Troubleshooting wiki.

Okay, I've added an entry to the troubleshooting wiki, and am including a link in case anyone in the future finds this BZ before the wiki:

http://wiki.libvirt.org/page/Guest_won%27t_start_-_warning:_could_not_open_/dev/net/tun_%28%27generic_ethernet%27_interface%29

(This is linked off of http://wiki.libvirt.org/page/Troubleshooting which is in general very useful reading).

Since it is already known that reconfiguration to decrease security protections is required to use interface type='ethernet', and we don't recommend its use in RHEL, I am closing this as NOTABUG.

Removing the Regression keyword since this is not a bug and therefore is not a regression either.