Bug 1328946 - lxc container with block device not start after use idmap in define
Summary: lxc container with block device not start after use idmap in define
Status: CLOSED DEFERRED
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Libvirt Maintainers
Duplicates: 1481816
Reported: 2016-04-20 16:59 UTC by Maxim
Modified: 2024-12-17 12:04 UTC

Last Closed: 2024-12-17 12:04:48 UTC

Description Maxim 2016-04-20 16:59:25 UTC
Description of problem:
An LXC container with an idmap and a device/filesystem of type='block' can't be started; it fails with the error "Failed to mount device /dev/dm-X, Operation not permitted".

Version-Release number of selected component (if applicable):
1.3.2-1.el7.x86_64

How reproducible:
Anytime

Steps to Reproduce:
1. create LVM in VG data
# lvcreate -L10G -n test-idmap02  data

2. format as xfs or ext4:
# mkfs.xfs  /dev/data/test-idmap02

3. create container with virt-install
# /bin/virt-install --connect lxc:/// --name test-idmap-2 --memory 2048 --vcpu 1 \
--filesystem /dev/data/test-idmap02,/,type=block \
--filesystem 524288,/dev/shm,type=ram \
--noautoconsole --noreboot

4. place linux image on /dev/data/test-idmap02

5. Check that container started, stop it after

6. Modify configuration as below:
<domain type='lxc'>
  <name>test-idmap02</name>
  <uuid>bf320dd1-b895-4d35-9745-0b9921327c68</uuid>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <memtune>
    <hard_limit unit='KiB'>1048576</hard_limit>
    <soft_limit unit='KiB'>1048576</soft_limit>
    <swap_hard_limit unit='KiB'>2097152</swap_hard_limit>
  </memtune>
  <vcpu placement='static'>1</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/sbin/init</init>
  </os>
  <idmap>
    <uid start='0' target='0' count='1000'/>
    <uid start='1000' target='65535' count='4096'/>
    <gid start='0' target='0' count='1000'/>
    <gid start='1000' target='65535' count='4096'/>
  </idmap>
  <features>
    <privnet/>
    <capabilities policy='allow'>
      <audit_control state='on'/>
      <audit_write state='on'/>
      <block_suspend state='on'/>
      <chown state='on'/>
      <dac_override state='on'/>
      <dac_read_search state='on'/>
      <fowner state='on'/>
      <fsetid state='on'/>
      <ipc_lock state='on'/>
      <ipc_owner state='on'/>
      <kill state='on'/>
      <lease state='on'/>
      <linux_immutable state='on'/>
      <mac_admin state='on'/>
      <mac_override state='on'/>
      <mknod state='on'/>
      <net_admin state='on'/>
      <net_bind_service state='on'/>
      <net_broadcast state='on'/>
      <net_raw state='on'/>
      <setgid state='on'/>
      <setfcap state='on'/>
      <setpcap state='on'/>
      <setuid state='on'/>
      <sys_admin state='on'/>
      <sys_boot state='on'/>
      <sys_chroot state='on'/>
      <sys_module state='on'/>
      <sys_nice state='on'/>
      <sys_pacct state='on'/>
      <sys_ptrace state='on'/>
      <sys_rawio state='on'/>
      <sys_resource state='on'/>
      <sys_time state='on'/>
      <sys_tty_config state='on'/>
      <syslog state='on'/>
      <wake_alarm state='on'/>
    </capabilities>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <filesystem type='block' accessmode='passthrough'>
      <source dev='/dev/data/test-idmap02'/>
      <target dir='/'/>
    </filesystem>
    <filesystem type='ram' accessmode='passthrough'>
      <source usage='524288' units='KiB'/>
      <target dir='/dev/shm'/>
    </filesystem>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>

7. try start container again, get error:
# virsh start  test-idmap02 
error: Failed to start domain test-idmap02
error: internal error: guest failed to start: Failed to mount device /dev/dm-4 to /var/run/libvirt/lxc/test-idmap02.root as xfs: Operation not permitted

Actual results:
error: Failed to start domain test-idmap02
error: internal error: guest failed to start: Failed to mount device /dev/dm-4 to /var/run/libvirt/lxc/test-idmap02.root as xfs: Operation not permitted

Expected results:
Domain test-idmap02 started

Additional info:
It looks like capabilities are not applied to the libvirt process:
[root@node01 ~]# unshare -U -f -r
[root@node01 ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@node01 ~]# mount /dev/data/test-idmap02  /mnt
mount: permission denied

Comment 1 Maxim 2016-04-20 17:03:42 UTC
The container starts if the mount operation is removed from it:
mount /dev/data/idmap-test02 as root on /run/libvirt/lxc/idmap-test02.root
and change the container config like this:
<devices>
...
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/run/libvirt/lxc/idmap-test02.root'/>
      <target dir='/'/>
    </filesystem>
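
The failing definition from the report and the workaround above differ only in where mount(2) runs: inside the container's user namespace (where the kernel refuses it) or on the host before the container starts. The following Python script is an added example, not libvirt code or the reporter's. It parses a libvirt LXC domain definition (a trimmed copy of the report's XML is embedded as sample input), flags every type='block' filesystem that coexists with an <idmap>, additionally flags idmap ranges whose target is host id 0, and rewrites the definition the way the workaround does. The function names, the finding format and the derivation of the host mount point from /run/libvirt/lxc/<name>.root are assumptions made here.

```python
"""Lint a libvirt LXC domain definition for the idmap + block-filesystem
combination from this report and emit the host-side-mount workaround.

Added example, not libvirt code. Function names and the findings
format are assumptions; the XML is trimmed from the bug report.
"""
import xml.etree.ElementTree as ET

# Sample input: the report's domain XML, trimmed to the relevant elements.
DOMAIN_XML = """<domain type='lxc'>
  <name>test-idmap02</name>
  <os><type arch='x86_64'>exe</type><init>/sbin/init</init></os>
  <idmap>
    <uid start='0' target='0' count='1000'/>
    <uid start='1000' target='65535' count='4096'/>
    <gid start='0' target='0' count='1000'/>
    <gid start='1000' target='65535' count='4096'/>
  </idmap>
  <devices>
    <filesystem type='block' accessmode='passthrough'>
      <source dev='/dev/data/test-idmap02'/>
      <target dir='/'/>
    </filesystem>
    <filesystem type='ram' accessmode='passthrough'>
      <source usage='524288' units='KiB'/>
      <target dir='/dev/shm'/>
    </filesystem>
  </devices>
</domain>"""


def lint_lxc_domain(xml_text):
    """Return a list of (severity, message) findings for one domain."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("type") != "lxc":
        return findings
    idmap = root.find("idmap")
    if idmap is None:
        # No user namespace: libvirt mounts block devices as host root.
        return findings
    name = root.findtext("name", "?")
    for fs in root.findall("devices/filesystem"):
        if fs.get("type") != "block":
            continue
        src, tgt = fs.find("source"), fs.find("target")
        dev = src.get("dev", "?") if src is not None else "?"
        tdir = tgt.get("dir", "?") if tgt is not None else "?"
        findings.append(("error",
            f"{name}: filesystem type='block' ({dev} -> {tdir}) together with "
            "<idmap>: mount(2) of a block-backed filesystem inside a user "
            "namespace is refused (Operation not permitted); mount it on the "
            "host first and pass it through as type='mount'"))
    for entry in idmap:
        # Mapping a range onto host id 0 makes container root host root
        # for that range; worth an explicit warning in a review.
        if entry.get("target") == "0":
            findings.append(("warning",
                f"{name}: <{entry.tag}> range starting at {entry.get('start')} "
                f"maps to host {entry.tag} 0"))
    return findings


def rewrite_block_to_mount(xml_text, host_mount_root="/run/libvirt/lxc"):
    """Apply the workaround: each type='block' filesystem becomes a
    type='mount' passthrough of a host-side mount point. Returns the new
    XML and the mount commands the host must run before starting the
    domain. The <name>.root / <name>.<dir> naming is an assumption."""
    root = ET.fromstring(xml_text)
    name = root.findtext("name", "?")
    commands = []
    for fs in root.findall("devices/filesystem"):
        if fs.get("type") != "block":
            continue
        src, tgt = fs.find("source"), fs.find("target")
        if src is None or src.get("dev") is None:
            continue
        tdir = tgt.get("dir", "/") if tgt is not None else "/"
        suffix = "root" if tdir == "/" else tdir.strip("/").replace("/", "_")
        mountpoint = f"{host_mount_root}/{name}.{suffix}"
        commands.append(f"mount {src.get('dev')} {mountpoint}")
        fs.set("type", "mount")
        src.attrib.clear()
        src.set("dir", mountpoint)
    return ET.tostring(root, encoding="unicode"), commands


if __name__ == "__main__":
    for severity, msg in lint_lxc_domain(DOMAIN_XML):
        print(f"{severity}: {msg}")
    new_xml, cmds = rewrite_block_to_mount(DOMAIN_XML)
    print("\n".join(cmds))
    print(new_xml)
```

Running it on the report's definition yields one error for the root filesystem and two warnings for the uid/gid ranges that target host id 0; after the rewrite the lint reports no error, only the idmap warnings, and the single host command it prints is the mount from Comment 1.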

Comment 2 Radostin Stoyanov 2017-08-17 14:37:51 UTC
*** Bug 1481816 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Berrangé 2024-12-17 12:04:48 UTC
Thank you for reporting this issue to the libvirt project. Unfortunately we have been unable to resolve this issue due to insufficient maintainer capacity and it will now be closed. This is not a reflection on the possible validity of the issue, merely the lack of resources to investigate and address it, for which we apologise. If you none the less feel the issue is still important, you may choose to report it again at the new project issue tracker https://gitlab.com/libvirt/libvirt/-/issues The project also welcomes contribution from anyone who believes they can provide a solution.