Bug 1328946 - lxc container with block device not start after use idmap in define
Keywords:
Status: NEW
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact:
URL:
Whiteboard:
Duplicates: 1481816
Depends On:
Blocks:
 
Reported: 2016-04-20 16:59 UTC by Maxim
Modified: 2018-07-18 14:52 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Maxim 2016-04-20 16:59:25 UTC
Description of problem:
An LXC container with idmap and a device/filesystem of type='block' can't be started; it fails with the error "Failed to mount device /dev/dm-X, Operation not permitted".

Version-Release number of selected component (if applicable):
1.3.2-1.el7.x86_64

How reproducible:
Anytime

Steps to Reproduce:
1. create LVM in VG data
# lvcreate -L10G -n test-idmap02  data

2. format as xfs or ext4:
# mkfs.xfs  /dev/data/test-idmap02

3. create container with virt-install
# /bin/virt-install --connect lxc:/// --name test-idmap-2 --memory 2048 --vcpu 1 \
--filesystem /dev/data/test-idmap02,/,type=block \
--filesystem 524288,/dev/shm,type=ram \
--noautoconsole --noreboot

4. place linux image on /dev/data/test-idmap02

5. Check that the container has started, then stop it.

6. Modify the configuration as below:
<domain type='lxc'>
  <name>test-idmap02</name>
  <uuid>bf320dd1-b895-4d35-9745-0b9921327c68</uuid>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <memtune>
    <hard_limit unit='KiB'>1048576</hard_limit>
    <soft_limit unit='KiB'>1048576</soft_limit>
    <swap_hard_limit unit='KiB'>2097152</swap_hard_limit>
  </memtune>
  <vcpu placement='static'>1</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/sbin/init</init>
  </os>
  <idmap>
    <uid start='0' target='0' count='1000'/>
    <uid start='1000' target='65535' count='4096'/>
    <gid start='0' target='0' count='1000'/>
    <gid start='1000' target='65535' count='4096'/>
  </idmap>
  <features>
    <privnet/>
    <capabilities policy='allow'>
      <audit_control state='on'/>
      <audit_write state='on'/>
      <block_suspend state='on'/>
      <chown state='on'/>
      <dac_override state='on'/>
      <dac_read_search state='on'/>
      <fowner state='on'/>
      <fsetid state='on'/>
      <ipc_lock state='on'/>
      <ipc_owner state='on'/>
      <kill state='on'/>
      <lease state='on'/>
      <linux_immutable state='on'/>
      <mac_admin state='on'/>
      <mac_override state='on'/>
      <mknod state='on'/>
      <net_admin state='on'/>
      <net_bind_service state='on'/>
      <net_broadcast state='on'/>
      <net_raw state='on'/>
      <setgid state='on'/>
      <setfcap state='on'/>
      <setpcap state='on'/>
      <setuid state='on'/>
      <sys_admin state='on'/>
      <sys_boot state='on'/>
      <sys_chroot state='on'/>
      <sys_module state='on'/>
      <sys_nice state='on'/>
      <sys_pacct state='on'/>
      <sys_ptrace state='on'/>
      <sys_rawio state='on'/>
      <sys_resource state='on'/>
      <sys_time state='on'/>
      <sys_tty_config state='on'/>
      <syslog state='on'/>
      <wake_alarm state='on'/>
    </capabilities>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <filesystem type='block' accessmode='passthrough'>
      <source dev='/dev/data/test-idmap02'/>
      <target dir='/'/>
    </filesystem>
    <filesystem type='ram' accessmode='passthrough'>
      <source usage='524288' units='KiB'/>
      <target dir='/dev/shm'/>
    </filesystem>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>

7. Try to start the container again; the following error appears:
# virsh start  test-idmap02 
error: Failed to start domain test-idmap02
error: internal error: guest failed to start: Failed to mount device /dev/dm-4 to /var/run/libvirt/lxc/test-idmap02.root as xfs: Operation not permitted

Actual results:
error: Failed to start domain test-idmap02
error: internal error: guest failed to start: Failed to mount device /dev/dm-4 to /var/run/libvirt/lxc/test-idmap02.root as xfs: Operation not permitted

Expected results:
Domain test-idmap02 started

Additional info:
It looks like the capabilities are not applied to the libvirt process:
[root@node01 ~]# unshare -U -f -r
[root@node01 ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@node01 ~]# mount /dev/data/test-idmap02  /mnt
mount: permission denied

Comment 1 Maxim 2016-04-20 17:03:42 UTC
The container starts if the mount operation is removed:
mount /dev/data/idmap-test02 as root on /run/libvirt/lxc/idmap-test02.root
and change the container config in this way:
<devices>
...
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/run/libvirt/lxc/idmap-test02.root'/>
      <target dir='/'/>
    </filesystem>
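As an added example (not part of the report or of libvirt), a preflight check an administrator can run over LXC domain XML before `virsh start`: it flags the combination described in this bug (an `<idmap>` together with a `type='block'` filesystem) and can rewrite such entries into the `type='mount'` form from comment 1, assuming the admin has already mounted each block device on the host at a directory they supply.

```python
import xml.etree.ElementTree as ET

# Constructed sample (trimmed from the report's XML): an LXC domain with
# <idmap> plus a block-backed root filesystem, the failing combination.
SAMPLE_XML = """<domain type='lxc'>
  <idmap>
    <uid start='0' target='0' count='1000'/>
    <gid start='0' target='0' count='1000'/>
  </idmap>
  <devices>
    <filesystem type='block' accessmode='passthrough'>
      <source dev='/dev/data/test-idmap02'/>
      <target dir='/'/>
    </filesystem>
    <filesystem type='ram' accessmode='passthrough'>
      <source usage='524288' units='KiB'/>
      <target dir='/dev/shm'/>
    </filesystem>
  </devices>
</domain>"""


def find_block_fs_with_idmap(domain_xml):
    """Return (source dev, target dir) for each type='block' <filesystem> in an
    LXC domain that also declares <idmap>; [] means the domain is unaffected."""
    root = ET.fromstring(domain_xml)
    if root.get("type") != "lxc" or root.find("idmap") is None:
        return []
    hits = []
    for fs in root.iterfind("devices/filesystem"):
        if fs.get("type") != "block":
            continue  # ram/mount filesystems do not need a block-device mount
        src, tgt = fs.find("source"), fs.find("target")
        hits.append((src.get("dev", "") if src is not None else "",
                     tgt.get("dir", "") if tgt is not None else ""))
    return hits


def rewrite_to_mount(domain_xml, mountpoints):
    """Apply the comment 1 workaround: for every block source the admin has
    already mounted on the host at mountpoints[dev], switch the <filesystem>
    to type='mount' with <source dir=.../> pointing at that host directory."""
    root = ET.fromstring(domain_xml)
    for fs in root.iterfind("devices/filesystem"):
        src = fs.find("source")
        if fs.get("type") == "block" and src is not None and src.get("dev") in mountpoints:
            fs.set("type", "mount")
            src.attrib = {"dir": mountpoints[src.get("dev")]}  # replace dev= with dir=
    return ET.tostring(root, encoding="unicode")
```

Run `find_block_fs_with_idmap` on `virsh dumpxml <domain>` output; a non-empty result means the start will fail as in comment 0 until the device is mounted on the host and the XML is rewritten.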

Comment 2 Radostin Stoyanov 2017-08-17 14:37:51 UTC
*** Bug 1481816 has been marked as a duplicate of this bug. ***

