Bug 1029266 - Error message is not clear for command nwfilter-define under non-root user.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.0
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Assigned To: Ján Tomko
QA Contact: Virtualization Bugs
Reported: 2013-11-11 21:44 EST by zhengqin
Modified: 2015-03-05 02:25 EST
Fixed In Version: libvirt-1.2.7-1.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 02:25:46 EST
Type: Bug
Description zhengqin 2013-11-11 21:44:40 EST
Description
On the latest RHEL7, for a non-root user, executing the command “virsh nwfilter-define <nwfilterXML>” produces an error, but the error message is not clear.


Version:
libvirt-1.1.1-11.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Issue the following command to create a user and set its password:
#useradd non-root ;  passwd non-root

2. Switch to user “non-root” with the command “su - non-root”, and prepare an XML file named disallow-arp.xml like the one below:
-----------------------------------------------------------------
<filter name='disallow-arp1' chain='arp'>
  <rule action='drop' direction='inout' priority='500'/>
</filter>
-----------------------------------------------------------------


3. Execute the command “nwfilter-define” as the “non-root” user, and an error occurs.


Actual results:
[non-root@localhost ~]$ virsh nwfilter-define disallow-arp.xml 
error: Failed to define network filter from disallow-arp.xml
error: cannot create config directory (null): Bad address


The above error message is not clear.



Expected results:
Error message should be clear and improved, such as, "error: cannot create config directory: permission denied."
Comment 1 Ján Tomko 2013-11-12 06:44:44 EST
Upstream patch proposed:
https://www.redhat.com/archives/libvir-list/2013-November/msg00368.html
Comment 2 Ján Tomko 2013-11-13 05:40:32 EST
Fixed upstream by:
commit b7829f959b33c6e32422222a9ed745c0da7dc696
Author:     Ján Tomko <jtomko@redhat.com>
AuthorDate: 2013-11-12 13:18:54 +0100
Commit:     Ján Tomko <jtomko@redhat.com>
CommitDate: 2013-11-13 09:41:57 +0100

    Disable nwfilter driver when running unprivileged
    
    When opening a new connection to the driver, nwfilterOpen
    only succeeds if the driverState has been allocated.
    
    Move the privilege check in driver initialization before
    the state allocation to disable the driver.
    
    This changes the nwfilter-define error from:
    error: cannot create config directory (null): Bad address
    To:
    this function is not supported by the connection driver:
    virNWFilterDefineXML
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1029266

git describe: v1.1.4-79-gb7829f9
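
The ordering change described in the commit message above, as an added example that is not part of this bug report or of libvirt's code: a simplified C model in which every name (state_init, driver_open, define_filter, the config path) is hypothetical. It assumes the config directory is only set when running privileged.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of the ordering bug; every name here is hypothetical. */
struct filter_state { const char *config_dir; };
static struct filter_state *state;
enum result { DEFINED, UNSUPPORTED, BAD_CONFIG_DIR, NO_MEMORY };

/* check_first=false models the old order, check_first=true the fixed order. */
static int state_init(bool privileged, bool check_first)
{
    if (check_first && !privileged)
        return 0;                      /* fixed: no state, driver disabled */
    state = calloc(1, sizeof(*state));
    if (!state)
        return -1;
    if (privileged)                    /* old order, unprivileged: stays NULL */
        state->config_dir = "/etc/example/nwfilter";  /* constructed path */
    return 0;
}

/* As in the commit message: open only succeeds with allocated state. */
static bool driver_open(void) { return state != NULL; }

static enum result define_filter(void)
{
    if (!driver_open())
        return UNSUPPORTED;            /* reported as "not supported" */
    if (!state->config_dir)
        return BAD_CONFIG_DIR;         /* the "(null): Bad address" path */
    return DEFINED;
}

/* Reset the model, initialize in the chosen order, then try to define. */
static enum result run(bool privileged, bool check_first)
{
    free(state);
    state = NULL;
    if (state_init(privileged, check_first) < 0)
        return NO_MEMORY;
    return define_filter();
}

int main(void)
{
    printf("old order, unprivileged: %d\n", run(false, false));
    printf("new order, unprivileged: %d\n", run(false, true));
    return 0;
}
```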
Comment 5 zhenfeng wang 2014-11-24 00:55:17 EST
I can reproduce this issue with libvirt-1.1.1-11.el7.x86_64 by following the steps in comment 0.

$ virsh nwfilter-define disallow-arp.xml 
error: Failed to define network filter from disallow-arp.xml
error: cannot create config directory (null): Bad address

Verified with libvirt-1.2.8-8.el7.x86_64: I get the expected result, so the bug has been fixed. The verification steps are as follows:

1. cat disallow-arp.xml
<filter name='disallow-arp1' chain='arp'>
  <rule action='drop' direction='inout' priority='500'/>
</filter>

$ virsh nwfilter-define disallow-arp.xml 
error: Failed to define network filter from disallow-arp.xml
error: this function is not supported by the connection driver: virNWFilterDefineXML


2. Check the nwfilter with the non-root user
$ virsh nwfilter-list
error: Failed to count network filters
error: this function is not supported by the connection driver: virConnectNumOfNWFilters


3. Give the normal permission to connect to the libvirt system instance
$ virsh -c qemu:///system nwfilter-list
 UUID                                  Name                 
------------------------------------------------------------------
 2380965c-3aef-40e6-9cbc-67c3965c3bd7  allow-arp           
 3457b66c-597d-4c81-be19-a01f631ef99b  allow-dhcp          
 7086bb44-f181-4d9f-848e-e4e6ac02df41  allow-dhcp-server   
 92ffef96-0a2c-4342-acfc-8d21b8b0d430  allow-incoming-ipv4 
 473a3110-5220-4768-bbf4-5f80a29168b4  allow-ipv4          
 2dbd5ee5-b032-4575-bede-0a4caba01af1  clean-traffic       
 8075af04-d48d-4a55-a7f0-d18ccc18d48e  no-arp-ip-spoofing  
 06b71196-4f69-4972-ba0c-f15d97d67791  no-arp-mac-spoofing 
 4151e04a-b861-4781-8174-a4162cdf10a9  no-arp-spoofing     
 f010bcaf-8b0a-4368-b418-3c1711ed5342  no-ip-multicast     
 fa00719a-9369-414f-80a9-0a84c820a4d3  no-ip-spoofing      
 c8dfbf17-a884-46df-8139-361fc080f337  no-mac-broadcast    
 8bb6ec95-0784-4fa8-93d4-57db0c6108d6  no-mac-spoofing     
 703831ec-521d-4b5c-b50a-8ab2c4120671  no-other-l2-traffic 
 566580f1-dedb-4cc9-a237-f9b50deabf97  no-other-rarp-traffic
 44b28a60-1073-4030-b349-0c6f5190cd92  qemu-announce-self  
 23f082a2-57c1-4de6-868d-4fcfc7b27282  qemu-announce-self-rarp
 fac813ac-bdfa-4f37-91af-261a74011002  vdsm-no-mac-spoofing

4. Check the nwfilter's info with the non-root user; get the expected error

$ virsh nwfilter-dumpxml 2380965c-3aef-40e6-9cbc-67c3965c3bd7
error: failed to get nwfilter '2380965c-3aef-40e6-9cbc-67c3965c3bd7'
error: this function is not supported by the connection driver: virNWFilterLookupByName

$ virsh nwfilter-dumpxml  vdsm-no-mac-spoofing
error: failed to get nwfilter 'vdsm-no-mac-spoofing'
error: this function is not supported by the connection driver: virNWFilterLookupByName

5. Delete the nwfilter with the non-root user; get the expected error

$ virsh nwfilter-undefine qemu-announce-self-rarp
error: failed to get nwfilter 'qemu-announce-self-rarp'
error: this function is not supported by the connection driver: virNWFilterLookupByName


6. Edit the nwfilter with the non-root user; get the expected error
$ virsh nwfilter-edit qemu-announce-self
error: failed to get nwfilter 'qemu-announce-self'
error: this function is not supported by the connection driver: virNWFilterLookupByName
Comment 7 errata-xmlrpc 2015-03-05 02:25:46 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0323.html
