Description of problem:
I'm trying to define an LXC domain with a network. libvirt shows the error "Requested operation is not valid: System lacks NETNS support", but I have a kernel with support for all namespaces. The same domain without the network starts correctly. The problem does not occur when I use version 1.2.2.

Version-Release number of selected component (if applicable):
libvirt-1.2.3 built from sources
iproute-3.12.0-2.fc21.i686
kernel-3.14.0-0.rc5.git0.1.fc21.1.i686
selinux-policy-3.13.1-41.fc21.noarch

How reproducible:
Always

Steps to Reproduce:
1. # cat /etc/libvirt/lxc/container.xml
<domain type='lxc'>
  <name>mycontainer</name>
  <uuid>d750af59-6082-437c-b860-922e76b46410</uuid>
  <memory unit='KiB'>819200</memory>
  <currentMemory unit='KiB'>819200</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='i686'>exe</type>
    <init>/usr/lib/systemd/systemd</init>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/var/lib/libvirt/filesystems/mycontainer'/>
      <target dir='/'/>
    </filesystem>
    <interface type="network">
      <source network="default"/>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>

2. # virsh --connect lxc:/// define /etc/libvirt/lxc/container.xml

Actual results:
error: Failed to define domain from /etc/libvirt/lxc/container.xml
error: Requested operation is not valid: System lacks NETNS support

Expected results:
The LXC domain will be created.

Additional info:
I have found that the same error was reported 3 months ago:
https://bugzilla.redhat.com/show_bug.cgi?id=1050210
I was trying SELinux in enforcing and permissive mode, but that doesn't help at all.
Here are the AVC log messages:

type=SYSCALL msg=audit(01/04/14 13:00:08.106:817) : arch=i386 syscall=execve success=yes exit=0 a0=0xa256de8 a1=0xa0283f8 a2=0xa27a2e8 a3=0x1 items=0 ppid=564 pid=1962 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(01/04/14 13:00:08.106:817) : avc: denied { noatsecure } for pid=1962 comm=iptables scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process
type=AVC msg=audit(01/04/14 13:00:08.106:817) : avc: denied { siginh } for pid=1962 comm=iptables scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process
type=AVC msg=audit(01/04/14 13:00:08.106:817) : avc: denied { rlimitinh } for pid=1962 comm=iptables scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process
According to git bisect this bug was introduced in libvirt.git by commit b9dd878ff8a03a605865d347e01c0b80b0ee7798. It seems that some bad things are happening in src/lxc/lxc_driver.c in lxcCheckNetNsSupport() with the virRun return value and exit codes. When I try to run:

{"ip", "link", "set", "lo", "netns", "-1", NULL}

I get:

# ip link set lo netns -1
RTNETLINK answers: No such process
# echo $?
2
# ip link help
<snip>
                   [ netns PID ]
                   [ netns NAME ]
</snip>
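To make the return-code point above concrete, here is an added C example. It is not libvirt's code: the function names (run_capture, run_strict, check_netns_support and check_netns_support_broken), the two wrapper conventions and the mapping of exit statuses to a verdict are assumptions for illustration, drawn from the probe command and the exit status shown in the comment. It runs the same "ip link set lo netns -1" probe, which on a netns-capable system is expected to fail, and shows why a check written for a wrapper that hands back the child's exit status breaks once the wrapper folds every non-zero exit into -1.

```c
/* Added example, not libvirt's code: a netns probe built the way the bug
 * report describes, with two wrapper conventions for returning a child's
 * exit status. Names and exit-code interpretation are assumptions. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The probe from lxcCheckNetNsSupport(): "ip link set lo netns -1".
 * PID -1 never exists, so on a netns-capable system the command is
 * expected to FAIL with "RTNETLINK answers: No such process" (exit 2). */
static char *const NETNS_PROBE[] = {"ip", "link", "set", "lo", "netns", "-1", NULL};

/* Convention A ("capture"): return 0 whenever the child was spawned and
 * exited normally, and hand its exit status back through *status.
 * Only spawn/wait failures and abnormal termination yield -1. */
static int run_capture(char *const argv[], int *status)
{
    int wstatus;
    pid_t pid;

    fflush(NULL);               /* don't duplicate buffered output in the child */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* child: hide the probe's stderr, then exec; 127 if exec fails */
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) {
            dup2(devnull, STDERR_FILENO);
            close(devnull);
        }
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &wstatus, 0) < 0 || !WIFEXITED(wstatus))
        return -1;
    *status = WEXITSTATUS(wstatus);
    return 0;
}

/* Convention B ("strict"): any non-zero exit is folded into -1 and the
 * status is lost. Fine for "run this, it must succeed"; useless for a
 * probe whose interesting answer is a specific non-zero exit. */
static int run_strict(char *const argv[])
{
    int status;
    if (run_capture(argv, &status) < 0 || status != 0)
        return -1;
    return 0;
}

/* Interpret the probe's exit status. 2 means ip understood "netns" and the
 * kernel answered (ESRCH for PID -1, or EPERM when unprivileged): the feature
 * is wired up. Anything else (e.g. an ip that rejects the keyword, or 127 for
 * no ip binary at all) is treated as unsupported/unknown. Assumption: these
 * codes come from the report's output, not from libvirt's own table. */
static int netns_supported_from_status(int status)
{
    return (status == 0 || status == 2) ? 1 : 0;
}

/* Correct check: run under convention A and interpret the status. */
static int check_netns_support(char *const argv[])
{
    int status;
    if (run_capture(argv, &status) < 0)
        return 0;
    return netns_supported_from_status(status);
}

/* The failure mode from the report: the check was written against one
 * convention and the wrapper later changed to the other. Here the caller
 * reads "wrapper returned -1" as "no netns", so a probe that is expected
 * to exit 2 always reports unsupported. */
static int check_netns_support_broken(char *const argv[])
{
    return run_strict(argv) == 0 ? 1 : 0;
}

int main(void)
{
    printf("capture-style check: netns %s\n",
           check_netns_support(NETNS_PROBE) ? "supported" : "NOT supported");
    printf("strict-style check:  netns %s\n",
           check_netns_support_broken(NETNS_PROBE) ? "supported" : "NOT supported");
    return 0;
}
```

Run it as root on a system with iproute2 and network namespaces: the capture-style check reports "supported" while the strict-style check reports "NOT supported" from the very same exit status 2, which is the symptom the bisect points at. The two check functions also accept any argv, so the behaviour can be exercised with /bin/sh -c 'exit N' where ip is unavailable.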
This should be fixed upstream by:

commit 21ec87f4f1a538f929c48ecb2bdbf48701022779
Author:     Richard Weinberger <richard>
AuthorDate: 2014-04-08 14:26:26 +0200
Commit:     Eric Blake <eblake>
CommitDate: 2014-04-08 09:19:24 -0600

    LXC: Fix return code evaluation in lxcCheckNetNsSupport()

    Commit b9dd878f (util: make it easier to grab only regular command exit)
    changed the call semantics of virCommandRun() and therefore of virRun() too.
    But lxcCheckNetNsSupport() was not updated.
    As a consequence of this lxcCheckNetNsSupport always failed and broke LXC.

    Signed-off-by: Richard Weinberger <richard>

git describe: v1.2.3-76-g21ec87f