Bug 903449
| Summary: | Guest can not be booted with sandbox on | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | yunpingzheng <yunzheng> | ||||
| Component: | qemu-kvm | Assignee: | Paul Moore <pmoore> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Virtualization Bugs <virt-bugs> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 7.0 | CC: | acathrow, juzhang, knoel, michen, qzhang, sluo, virt-maint, xuhan | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | kernel-3.8.0-0.38.el7 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2014-06-13 12:13:09 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 915825 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
|
Description
yunpingzheng
2013-01-24 02:11:21 UTC
I tried to recreate this on a Fedora Rawhide system and everything worked as expected with the following packages installed: * kernel-3.8.0-0.rc4.git1.1.fc19.x86_64 * qemu-kvm-1.3.0-5.fc19.x86_64 * libseccomp-1.0.1-0.fc19.x86_64 My test process was as follows: 1. Create a F18 guest. I performed a minimal install but that shouldn't be too critical for this experiment. 2. Edit the guest's XML file, e.g. 'virsh edit <guest>', to add the sandbox QEMU command line option (see attached XML file). 3. Restart the guest via libvirt/virtmanager/virsh and observe proper operation of the guest. Can you verify a similar process? Have you tried this on Rawhide or just RHEL7? Created attachment 686979 [details]
F18 guest definition
hi Paul Moore (In reply to comment #2) > I tried to recreate this on a Fedora Rawhide system and everything worked as > expected with the following packages installed: > > * kernel-3.8.0-0.rc4.git1.1.fc19.x86_64 > * qemu-kvm-1.3.0-5.fc19.x86_64 > * libseccomp-1.0.1-0.fc19.x86_64 > > My test process was as follows: > > 1. Create a F18 guest. I performed a minimal install but that shouldn't be > too critical for this experiment. > > 2. Edit the guest's XML file, e.g. 'virsh edit <guest>', to add the sandbox > QEMU command line option (see attached XML file). > > 3. Restart the guest via libvirt/virtmanager/virsh and observe proper > operation of the guest. > > Can you verify a similar process? Have you tried this on Rawhide or just > RHEL7? I tried it using your xml files in RHEL7, can repeat this issue: [root@localhost ~]# virsh start f18-test-1 error: Failed to start domain f18-test-1 error: internal error Process exited while reading console log output: qemu-kvm: -sandbox on: failed to install seccomp syscall filter in the kernel I just test it on RHEL7(beta). will test it on rhel7(RHEL-7.0-20130120.0), and update this BZ Also hit it on the following environment: host info: kernel-3.8.0-0.37.el7.x86_64 qemu-kvm-1.3.0-7.el7.x86_64 guest info: kernel-3.8.0-0.37.el7.x86_64 boot guest with sandbox enabled, but the it will fail to boot up. e.g:...-sandbox on -monitor stdio qemu-kvm: -sandbox on: failed to install seccomp syscall filter in the kernel Best Regards. sluo (In reply to comment #5) > Also hit it on the following environment: > host info: > kernel-3.8.0-0.37.el7.x86_64 > qemu-kvm-1.3.0-7.el7.x86_64 > guest info: > kernel-3.8.0-0.37.el7.x86_64 > > boot guest with sandbox enabled, but the it will fail to boot up. > e.g:...-sandbox on -monitor stdio > qemu-kvm: -sandbox on: failed to install seccomp syscall filter in the kernel > > Best Regards. > sluo hi pmoore, could you help to see this issue which block our syscall filters functional testing, thanks in advance. I will look at it again today, but based on the errors you are reporting it would appear that the RHEL7 kernel is not being built with the proper seccomp support. I'm currently trying to find the kernel-3.8.0-0.37.el7.x86_64 package but I just looked at the kernel-3.7.0-0.34.el7.x86_64 package and it does not have CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER enabled. Once I can verify that the 3.8.0 kernel does not have the right build configuration I will file a BZ with the kernel team. Unfortunately it does appear that the latest RHEL7 kernel is missing the necessary seccomp support. RH BZ #915825 has been created to track the missing kernel support. Until a proper RHEL7 kernel package is available I did a quick scratch build for x86_64 with the necessary kernel support enabled: * https://brewweb.devel.redhat.com/taskinfo?taskID=5443516 Moving this to modified as the kernel is now built with CONFIG_SECCOMP_FILTER, see BZ 915825. Reproduce this bug with component: kernel-3.7.0-0.36.el7.x86_64 Steps: 1. Boot guest with '-sandbox on' # /usr/libexec/qemu-kvm -monitor stdio -sandbox on Results: Fail to boot guest: qemu-kvm: -sandbox on: failed to install seccomp syscall filter in the kernel Verify this bug with component: kernel-3.10.0-67.el7.x86_64 Same steps as above. Results: QEMU 1.5.3 monitor - type 'help' for more information (qemu) VNC server running on `::1:5900' (qemu) info status VM status: running Base on these test results above, this bug has been fixed. This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request. |