Description of problem:
I can't run minishift (probably other VMs too?) using libvirt on Fedora Silverblue 30 Beta because libvirtd has an error because the tun module is not loaded

Version-Release number of selected component (if applicable):
$ minishift version
minishift v1.31.0+d06603e
CDK v3.8.0-2
$ rpm -q libvirt
libvirt-5.1.0-4.fc30.x86_64

How reproducible:
Until I load the tun module manually, 100%

Steps to reproduce:
I'm not sure if `minishift start` actually triggers the problem or not, I look at `systemctl status libvirtd` before running that.

Actual results:
Here's what I see before I load tun and reload:

$ systemctl status libvirtd
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-04-17 10:34:12 IST; 1min 57s ago
     Docs: man:libvirtd(8)
           https://libvirt.org
 Main PID: 1185 (libvirtd)
    Tasks: 17 (limit: 32768)
   Memory: 69.7M
   CGroup: /system.slice/libvirtd.service
           └─1185 /usr/sbin/libvirtd --listen

Apr 17 10:34:12 silverblue-t580 systemd[1]: Starting Virtualization daemon...
Apr 17 10:34:12 silverblue-t580 systemd[1]: Started Virtualization daemon.
Apr 17 10:34:12 silverblue-t580 libvirtd[1185]: libvirt version: 5.1.0, package: 4.fc30 (Fedora Project, 2019-04-02-16:12:24, )
Apr 17 10:34:12 silverblue-t580 libvirtd[1185]: hostname: silverblue-t580
Apr 17 10:34:12 silverblue-t580 libvirtd[1185]: internal error: Failed to apply firewall rules /usr/sbin/ip6tables --table filter --list-rules: ip6tables v1.8.0 (legacy): can't initialize ip6tables table `filter': Permission denied Perhaps ip6tables or your kernel needs to be upgraded.
Apr 17 10:34:13 silverblue-t580 libvirtd[1185]: Unable to open /dev/net/tun, is tun module loaded?: No such file or directory
Apr 17 10:34:13 silverblue-t580 libvirtd[1185]: Unable to open /dev/net/tun, is tun module loaded?: No such file or directory
Apr 17 10:35:24 silverblue-t580 libvirtd[1185]: End of file while reading data: Input/output error
Apr 17 10:35:34 silverblue-t580 libvirtd[1185]: End of file while reading data: Input/output error

Expected results:
After running the following two commands, everything works fine, so I guess that's "expected" :)

$ sudo modprobe tun
$ sudo systemctl reload libvirtd
$ systemctl status libvirtd
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-04-17 10:34:12 IST; 2min 25s ago
     Docs: man:libvirtd(8)
           https://libvirt.org
  Process: 3517 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 1185 (libvirtd)
    Tasks: 21 (limit: 32768)
   Memory: 74.1M
   CGroup: /system.slice/libvirtd.service
           ├─1185 /usr/sbin/libvirtd --listen
           ├─3574 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/docker-machines.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
           ├─3575 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/docker-machines.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
           ├─3640 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
           └─3641 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper

Apr 17 10:36:34 silverblue-t580 dnsmasq-dhcp[3574]: read /var/lib/libvirt/dnsmasq/docker-machines.hostsfile
Apr 17 10:36:34 silverblue-t580 dnsmasq[3640]: started, version 2.80 cachesize 150
Apr 17 10:36:34 silverblue-t580 dnsmasq[3640]: compile time options: IPv6 GNU-getopt DBus no-i18n IDN2 DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify dumpfile
Apr 17 10:36:34 silverblue-t580 dnsmasq-dhcp[3640]: DHCP, IP range 192.168.122.2 -- 192.168.122.254, lease time 1h
Apr 17 10:36:34 silverblue-t580 dnsmasq-dhcp[3640]: DHCP, sockets bound exclusively to interface virbr0
Apr 17 10:36:34 silverblue-t580 dnsmasq[3640]: reading /etc/resolv.conf
Apr 17 10:36:34 silverblue-t580 dnsmasq[3640]: using nameserver 127.0.0.1#53
Apr 17 10:36:34 silverblue-t580 dnsmasq[3640]: read /etc/hosts - 3 addresses
Apr 17 10:36:34 silverblue-t580 dnsmasq[3640]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
Apr 17 10:36:34 silverblue-t580 dnsmasq-dhcp[3640]: read /var/lib/libvirt/dnsmasq/default.hostsfile

Additional info:
I'm not sure if this is a Silverblue issue or a libvirt issue or something else.

It is possibly the same thing we hit in Fedora 31 previously

https://bugzilla.redhat.com/show_bug.cgi?id=1689975

Can you show output of

$ systemctl status kmod-static-nodes.service

And

$ grep modules.devname /var/log/audit/audit.log

Thanks Daniel, here's the output of those commands:

$ systemctl status kmod-static-nodes.service
● kmod-static-nodes.service - Create list of required static device nodes for the current kernel
   Loaded: loaded (/usr/lib/systemd/system/kmod-static-nodes.service; static; vendor preset: disabled)
   Active: inactive (dead) since Wed 2019-04-17 11:53:22 IST; 1min 9s ago
Condition: start condition failed at Wed 2019-04-17 11:53:25 IST; 1min 6s ago
           └─ ConditionFileNotEmpty=/lib/modules/5.0.7-300.fc30.x86_64/modules.devname was not met
 Main PID: 308 (code=exited, status=0/SUCCESS)

Apr 17 11:53:22 localhost systemd[1]: kmod-static-nodes.service: Succeeded.
Apr 17 11:53:22 localhost systemd[1]: Stopped Create list of required static device nodes for the current kernel.
Apr 17 11:53:24 silverblue-t580 systemd[1]: Condition check resulted in Create list of required static device nodes for the current kernel being skipped.
Apr 17 11:53:24 silverblue-t580 systemd[1]: Condition check resulted in Create list of required static device nodes for the current kernel being skipped.
Apr 17 11:53:24 silverblue-t580 systemd[1]: Condition check resulted in Create list of required static device nodes for the current kernel being skipped.
Apr 17 11:53:24 silverblue-t580 systemd[1]: Condition check resulted in Create list of required static device nodes for the current kernel being skipped.
Apr 17 11:53:25 silverblue-t580 systemd[1]: Condition check resulted in Create list of required static device nodes for the current kernel being skipped.
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

$ sudo grep modules.devname /var/log/audit/audit.log
type=AVC msg=audit(1555081047.583:118): avc: denied { getattr } for pid=1 comm="systemd" path="/usr/lib/modules/5.0.6-300.fc30.x86_64/modules.devname" dev="dm-1" ino=2498251 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1555085454.794:124): avc: denied { getattr } for pid=1 comm="systemd" path="/usr/lib/modules/5.0.6-300.fc30.x86_64/modules.devname" dev="dm-1" ino=2498251 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1555493651.483:118): avc: denied { getattr } for pid=1 comm="systemd" path="/usr/lib/modules/5.0.7-300.fc30.x86_64/modules.devname" dev="dm-1" ino=2498251 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1555498405.149:116): avc: denied { getattr } for pid=1 comm="systemd" path="/usr/lib/modules/5.0.7-300.fc30.x86_64/modules.devname" dev="dm-1" ino=2498251 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0

Ok, that looks like the same bug then. kmod-static-nodes.service is failing to start because systemd can't read /usr/lib/modules/5.0.6-300.fc30.x86_64/modules.devname due to SELinux AVC. So it looks like the flaw from rawhide was pulled into Fedora 30, and the fix from rawhide was missed. SELinux policy in Fedora 30 will need the same fix from bug 1689975.
Since this has now moved to selinux-policy, in case it's useful the nvr of that that I've got installed is selinux-policy-3.14.3-29.fc30.noarch
Hi All,
It should be fixed in this build:
https://koji.fedoraproject.org/koji/buildinfo?buildID=1248382

Could you please test it?

Thanks,
Lukas
selinux-policy-3.14.3-31.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-3055c546d6
selinux-policy-3.14.3-31.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-3055c546d6
selinux-policy-3.14.3-31.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

I never got around to testing the update when you asked, sorry about that Lukas! The problem still exists for me on Fedora 30 Silverblue. Additionally, I also hit bug #1717405, which could be related given that it's also a kernel module that's not getting loaded when it's needed (and the fix for a seemingly similar issue in Rawhide was in the selinux-policy package also).

I see the following error message in dmesg output, which might be related:

[ 24.813270] systemd[1]: Unable to fix SELinux security context of /run/tmpfiles.d/kmod.conf: Invalid argument

Also, in case it's useful:

$ cat /run/tmpfiles.d/kmod.conf
c! /dev/fuse 0600 - - - 10:229
c! /dev/btrfs-control 0600 - - - 10:234
c! /dev/loop-control 0600 - - - 10:237
c! /dev/uhid 0600 - - - 10:239
c! /dev/cuse 0600 - - - 10:203

Any ideas?

Hi Gerard,
I push fixes for #1717405 and I think it will help also here. For now closing this ticket as duplicate, tomorrow I'll do a new build so you can test it next week.

Thanks,
Lukas.

*** This bug has been marked as a duplicate of bug 1717405 ***