Bug 862756
| Summary: | Can't use kernel on r/o file system for VM direct kernel boot because it can't be chowned | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | David Jaša <djasa> |
| Component: | libvirt | Assignee: | Erik Skultety <eskultet> |
| Status: | CLOSED NOTABUG | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | cwei, dyuan, gsun, laine, mzhan, rbalakri, riek, sreichar, weizhan, yury, zpeng |
| Target Milestone: | beta | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 702044 | Environment: | |
| Last Closed: | 2015-06-01 13:19:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 702044 | | |
| Bug Blocks: | | | |
| Attachments: | | | |

Description
David Jaša
2012-10-03 13:21:39 UTC
initrd and kernel files are both already chowned using the same function as disk images (virSecurityDACSetOwnership()), so if there is a problem, that isn't it.

Please include the exact error message you are seeing (either from libvirtd.log, or from the guest's qemu logfile if that's where the problem is occurring) as well as the build of libvirt and qemu-kvm on your system.

Created attachment 622165 [details]
libvirtd.log

qemu log says that permission to the kernel file is denied but there is no apparent problem that should cause it:

qemu.log:
/usr/libexec/qemu-kvm <snip> -kernel /mnt/globalsync/pub/fedora/fedora-alt/stage/18-Beta-TC1/Fedora/x86_64/os/isolinux/vmlinuz -initrd /mnt/globalsync/pub/fedora/fedora-alt/stage/18-Beta-TC1/Fedora/x86_64/os/isolinux/initrd.img -append repo=http://download.englab.brq.redhat.com//mnt/globalsync/pub/fedora/fedora-alt/stage/18-Beta-TC1/Fedora/x86_64/os <snip>
char device redirected to /dev/pts/13
qemu: could not load kernel '/mnt/globalsync/pub/fedora/fedora-alt/stage/18-Beta-TC1/Fedora/x86_64/os/isolinux/vmlinuz': Permission denied
2012-10-05 12:29:20.507+0000: shutting down

permissions seem to be ok for the file:
$ ls -ldZ /mnt/globalsync/pub/fedora/fedora-alt/stage/18-Beta-TC1/Fedora/x86_64/os/isolinux/vmlinuz
-rwxr-xr-x. nobody nobody system_u:object_r:nfs_t:s0 /mnt/globalsync/pub/fedora/fedora-alt/stage/18-Beta-TC1/Fedora/x86_64/os/isolinux/vmlinuz

and all the directories all the way to the / do have r+x permissions for all:
[djasa@dhcp-29-7 ~]$ ls -ldZ /mnt/globalsync/pub/fedora/fedora-alt/stage/18-Beta-TC1/Fedora/x86_64/os/isolinux
drwxr-sr-x. nobody nobody system_u:object_r:nfs_t:s0 /mnt/globalsync/pub/fedora/fedora-alt/stage/18-Beta-TC1/Fedora/x86_64/os/isolinux
[djasa@dhcp-29-7 ~]$ ls -ldZ /mnt/globalsync/pub/fedora/fedora-alt/stage/18-Beta-TC1/Fedora/x86_64/os
drwxr-sr-x. nobody nobody system_u:object_r:nfs_t:s0 /mnt/globalsync/pub/fedora/fedora-alt/stage/18-Beta-TC1/Fedora/x86_64/os
[djasa@dhcp-29-7 ~]$ ls -ldZ /mnt/globalsync/pub/fedora/fedora-alt/stage/18-Beta-TC1/Fedora/x86_64
drwxr-sr-x. nobody nobody system_u:object_r:nfs_t:s0 /mnt/globalsync/pub/fedora/fedora-alt/stage/18-Beta-TC1/Fedora/x86_64
[djasa@dhcp-29-7 ~]$ ls -ldZ /mnt/globalsync/pub/fedora/fedora-alt/stage/18-Beta-TC1/Fedora
drwxr-sr-x. nobody nobody system_u:object_r:nfs_t:s0 /mnt/globalsync/pub/fedora/fedora-alt/stage/18-Beta-TC1/Fedora
[djasa@dhcp-29-7 ~]$ ls -ldZ /mnt/globalsync/pub/fedora/fedora-alt/stage/18-Beta-TC1
drwxr-sr-x. nobody nobody system_u:object_r:nfs_t:s0 /mnt/globalsync/pub/fedora/fedora-alt/stage/18-Beta-TC1
[djasa@dhcp-29-7 ~]$ ls -ldZ /mnt/globalsync/pub/fedora/fedora-alt/stage
drwxrwsr-x. nobody nobody system_u:object_r:nfs_t:s0 /mnt/globalsync/pub/fedora/fedora-alt/stage
[djasa@dhcp-29-7 ~]$ ls -ldZ /mnt/globalsync/pub/fedora/fedora-alt
drwxr-xr-x. nobody nobody system_u:object_r:nfs_t:s0 /mnt/globalsync/pub/fedora/fedora-alt
[djasa@dhcp-29-7 ~]$ ls -ldZ /mnt/globalsync/pub/fedora
drwxr-xr-x. nobody nobody system_u:object_r:nfs_t:s0 /mnt/globalsync/pub/fedora
[djasa@dhcp-29-7 ~]$ ls -ldZ /mnt/globalsync/pub
drwxr-xr-x. nobody nobody system_u:object_r:nfs_t:s0 /mnt/globalsync/pub
[djasa@dhcp-29-7 ~]$ ls -ldZ /mnt/globalsync
lrwxrwxrwx. root root system_u:object_r:mnt_t:s0 /mnt/globalsync -> /net/nfs.englab.brq.redhat.com
[djasa@dhcp-29-7 ~]$ ls -ldZ /net/nfs.englab.brq.redhat.com
dr-xr-xr-x. root root system_u:object_r:autofs_t:s0 /net/nfs.englab.brq.redhat.com
[djasa@dhcp-29-7 ~]$ ls -ldZ /net
drwxr-xr-x. root root system_u:object_r:autofs_t:s0 /net
[djasa@dhcp-29-7 ~]$ ls -ldZ /
dr-xr-xr-x. root root system_u:object_r:root_t:s0 /

audit log doesn't receive any event during VM start attempt.

qemu-kvm-0.12.1.2-2.319.el6.x86_64
libvirt-0.10.2-1.el6.x86_64

Moving to 6.6 for capacity.

This bug was not selected to be addressed in Red Hat Enterprise Linux 6. We will look at it again within the Red Hat Enterprise Linux 7 product.

(In reply to David Jaša from comment #2)
> Created attachment 622165 [details]
> libvirtd.log
>
> qemu log says that permission to the kernel file is denied but there is no
> apparent problem that should cause it:
>
> qemu.log:
> /usr/libexec/qemu-kvm <snip> -kernel
> /mnt/globalsync/pub/fedora/fedora-alt/stage/18-Beta-TC1/Fedora/x86_64/os/
> isolinux/vmlinuz -initrd
> /mnt/globalsync/pub/fedora/fedora-alt/stage/18-Beta-TC1/Fedora/x86_64/os/
> isolinux/initrd.img -append
> repo=http://download.englab.brq.redhat.com//mnt/globalsync/pub/fedora/fedora-
> alt/stage/18-Beta-TC1/Fedora/x86_64/os <snip>
> char device redirected to /dev/pts/13
> qemu: could not load kernel
> '/mnt/globalsync/pub/fedora/fedora-alt/stage/18-Beta-TC1/Fedora/x86_64/os/
> isolinux/vmlinuz': Permission denied
> 2012-10-05 12:29:20.507+0000: shutting down

looking at the log file, see this line:
"2012-10-05 13:09:58.499+0000: 20208: warning : virSecuritySELinuxSetFileconHelper:788 : Setting security context 'system_u:object_r:virt_content_t:s0' on '/mnt/globalsync/pub/fedora/fedora-alt/stage/18-Beta-TC1/Fedora/x86_64/os/isolinux/vmlinuz' not supported. Consider setting virt_use_nfs",
with virt_use_nfs enabled in selinux I was able to start the VM successfully
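
The diagnosis in the last comment, as an added example that is not part of the original bug report or of libvirt: it pairs qemu's "Permission denied" on a kernel image with the libvirtd.log warning that the SELinux relabel of the same path was not supported. The function names, the constructed sample logs and the shortened placeholder path are assumptions made for illustration.

```python
import re

# Constructed sample logs modelled on the excerpts quoted in this bug; the path
# is a shortened placeholder, not the reporter's real file.
LIBVIRTD_LOG = (
    "2012-10-05 13:09:58.499+0000: 20208: warning : "
    "virSecuritySELinuxSetFileconHelper:788 : Setting security context "
    "'system_u:object_r:virt_content_t:s0' on '/mnt/nfs/os/isolinux/vmlinuz' "
    "not supported. Consider setting virt_use_nfs\n"
)
QEMU_LOG = (
    "char device redirected to /dev/pts/13\n"
    "qemu: could not load kernel '/mnt/nfs/os/isolinux/vmlinuz': Permission denied\n"
    "2012-10-05 12:29:20.507+0000: shutting down\n"
)

# libvirt warns when the filesystem refuses the SELinux relabel of a file.
RELABEL_SKIPPED = re.compile(
    r"warning : virSecuritySELinuxSetFileconHelper:\d+ : Setting security context "
    r"'(?P<ctx>[^']+)' on '(?P<path>[^']+)' not supported\."
    r"(?: Consider setting (?P<boolean>\w+))?"
)
# qemu's own view of the same failure: "Permission denied" on the kernel image.
KERNEL_DENIED = re.compile(r"qemu: could not load kernel '(?P<path>[^']+)': Permission denied")


def skipped_relabels(libvirtd_log):
    """Map each path libvirt could not relabel to (wanted context, suggested boolean)."""
    found = {}
    for line in libvirtd_log.splitlines():
        m = RELABEL_SKIPPED.search(line)
        if m:
            found[m["path"]] = (m["ctx"], m["boolean"])
    return found


def explain_kernel_denials(libvirtd_log, qemu_log):
    """Pair each qemu kernel 'Permission denied' with a skipped relabel of the same path."""
    skipped = skipped_relabels(libvirtd_log)
    findings = []
    for line in qemu_log.splitlines():
        m = KERNEL_DENIED.search(line)
        if m:
            ctx, boolean = skipped.get(m["path"], (None, None))
            findings.append({"path": m["path"], "wanted_context": ctx, "boolean": boolean})
    return findings


if __name__ == "__main__":
    for finding in explain_kernel_denials(LIBVIRTD_LOG, QEMU_LOG):
        print(finding)
```

A finding whose `boolean` is `virt_use_nfs` points at the SELinux boolean rather than at file ownership or mode bits; on the host, `getsebool virt_use_nfs` shows its current state and `setsebool -P virt_use_nfs on` enables it persistently.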