Bug 591372 - [LXC] restart network on guest make the /etc/resolv.conf has been changed on host.
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.0
Hardware: x86_64 Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Jiri Denemark
QA Contact: Virtualization Bugs
Keywords: TestBlocker
Depends On:
Blocks: 599016 Rhel6.0LibvirtTier1
 
Reported: 2010-05-11 23:43 EDT by dyuan
Modified: 2010-06-30 09:32 EDT
CC: 7 users
Doc Type: Bug Fix
Last Closed: 2010-06-30 09:05:43 EDT
Attachments: None

Description dyuan 2010-05-11 23:43:58 EDT
Description of problem:
Restarting the network on the guest makes the network stop working properly on the host, and /etc/resolv.conf on the host is modified. Then restarting the network on the host leaves NetworkManager dead.

Version-Release number of selected component (if applicable):
kernel-2.6.32-24.el6.x86_64
libvirt-0.8.1-2.el6.x86_64

How reproducible:
always

Steps to Reproduce:

1. define a simple application container and start it

# virsh -c lxc:///
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # define toy.xml 
Domain toy defined from toy.xml
virsh # start toy
Domain toy started
virsh # list --all
 Id Name                 State
----------------------------------
7081 toy                  running

virsh # dumpxml toy
<domain type='lxc' id='3420'>
  <name>toy</name>
  <uuid>386f5b25-43ee-9d62-4ce2-58c3809e47c1</uuid>
  <memory>500000</memory>
  <currentMemory>500000</currentMemory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/sh</init>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <interface type='network'>
      <mac address='52:54:00:ca:84:12'/>
      <source network='default'/>
      <target dev='veth0'/>
    </interface>
    <console type='pty' tty='/dev/pts/2'>
      <source path='/dev/pts/2'/>
      <target port='0'/>
    </console>
  </devices>
</domain>

2. connect to the container via console
virsh # console toy
Connected to domain toy
Escape character is ^]
sh-4.1# 

3. check the network status on toy
sh-4.1# more /etc/resolv.conf 
# Generated by NetworkManager
domain nay.redhat.com
search nay.redhat.com
nameserver 10.66.127.10
nameserver 10.32.63.5
nameserver 172.16.52.28

sh-4.1# ifconfig

sh-4.1# ping google.com
ping: unknown host google.com

sh-4.1# ping 10.66.70.12
connect: Network is unreachable

sh-4.1# more /etc/sysconfig/network-scripts/ifcfg-eth0 
DEVICE=eth0
HWADDR=6C:F0:49:27:0C:06
ONBOOT=yes
BOOTPROTO=dhcp

sh-4.1# 
virsh # domifstat toy veth0
veth0 rx_bytes 9840
veth0 rx_packets 147
veth0 rx_errs 0
veth0 rx_drop 0
veth0 tx_bytes 552
veth0 tx_packets 6
veth0 tx_errs 0
veth0 tx_drop 0

4. check the network on host
# ping google.com
PING google.com (74.125.71.103) 56(84) bytes of data.
64 bytes from hx-in-f103.1e100.net (74.125.71.103): icmp_seq=1 ttl=49 time=100 ms

# ping 10.66.70.12
PING 10.66.70.12 (10.66.70.12) 56(84) bytes of data.
64 bytes from 10.66.70.12: icmp_seq=1 ttl=64 time=0.385 ms

# more /etc/resolv.conf 
# Generated by NetworkManager
domain nay.redhat.com
search nay.redhat.com
nameserver 10.66.127.10
nameserver 10.32.63.5
nameserver 172.16.52.28

# brctl show virbr0
bridge name	bridge id		STP enabled	interfaces
virbr0		8000.1661f96cd7a3	yes		veth0

5. restart network on toy, check the network on toy
virsh # console toy
Connected to domain toy
Escape character is ^]

sh-4.1# service network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:  
Determining IP information for eth0... done.
                                                           [  OK  ]
sh-4.1# more /etc/resolv.conf 
; generated by /sbin/dhclient-script
nameserver 192.168.122.1

sh-4.1# ping google.com
ping: unknown host google.com

sh-4.1# ping 10.66.70.12
PING 10.66.70.12 (10.66.70.12) 56(84) bytes of data.
64 bytes from 10.66.70.12: icmp_seq=1 ttl=63 time=1.12 ms

6. check the network on host
# more /etc/resolv.conf 
; generated by /sbin/dhclient-script
nameserver 192.168.122.1

# ping google.com
ping: unknown host google.com

# ping 10.66.70.12
PING 10.66.70.12 (10.66.70.12) 56(84) bytes of data.
64 bytes from 10.66.70.12: icmp_seq=1 ttl=64 time=0.159 ms

7. restart network on host, check the network on host
# service network restart
Shutting down interface eth0:  Device state: 3 (disconnected)
                                                           [  OK  ]
Shutting down loopback interface:  Error org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by message bus)
                                                           [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:  
Determining IP information for eth0... done.
                                                           [  OK  ]
# more /etc/resolv.conf 
; generated by /sbin/dhclient-script
search nay.redhat.com
nameserver 10.66.127.10
nameserver 10.32.63.5
nameserver 172.16.52.28

# service NetworkManager status
NetworkManager dead but pid file exists

# ping google.com
PING google.com (74.125.71.99) 56(84) bytes of data.
64 bytes from hx-in-f99.1e100.net (74.125.71.99): icmp_seq=1 ttl=51 time=77.4 ms

# brctl show virbr0
bridge name	bridge id		STP enabled	interfaces
virbr0		8000.1661f96cd7a3	yes		veth0


Actual results:
In steps 5 and 6, resolv.conf has been modified.
In step 7, restarting the network on the host leaves NetworkManager dead.

Expected results:
After the network restart reports "Determining IP information ... done" and [  OK  ], the network should work fine.

Additional info:

When testing with kernel-2.6.32-25.el6.x86_64:

In step 5, toy cannot connect to 10.66.70.12:
sh-4.1# ping 10.66.70.12
PING 10.66.70.12 (10.66.70.12) 56(84) bytes of data.

#### no output here; can only press Ctrl+C.
Comment 2 RHEL Product and Program Management 2010-05-12 00:53:05 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 5 Daniel Berrange 2010-06-30 09:05:43 EDT
>  <devices>
>    <emulator>/usr/libexec/libvirt_lxc</emulator>
>    <interface type='network'>
>      <mac address='52:54:00:ca:84:12'/>
>      <source network='default'/>
>      <target dev='veth0'/>
>    </interface>
>    <console type='pty' tty='/dev/pts/2'>
>      <source path='/dev/pts/2'/>
>      <target port='0'/>
>    </console>
>  </devices>
There is no <filesystem> device configured in this guest, thus the container will inherit full access to the host filesystem. Thus any changes you make to /etc/resolv.conf in the container will obviously impact the host OS. This is essentially an 'application workload isolation' configuration, and not a 'virtual operating system container' configuration. You can't expect to run arbitrary apps in such a config and not have them impact the host, since the configuration isn't providing any security. If you want the container to be isolated, then you need to configure a custom filesystem for it.
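
Added example (not code from the bug report or from libvirt): a small Python audit of the kind of domain definition shown in the reproduction steps above, checking for the missing <filesystem> device this comment points to and producing a definition with a private root mounted at '/'. It embeds the 'toy' XML from the report as its sample input; the directory /srv/lxc/toy/rootfs is an assumed placeholder for a directory prepared on the host as the container's root.

```python
"""Audit a libvirt LXC domain definition for root-filesystem isolation.

Added example, not libvirt's own code. Without a <filesystem> device whose
target is '/', an LXC container shares the host's root filesystem, so a
write such as dhclient-script rewriting /etc/resolv.conf lands on the host.
"""
import xml.etree.ElementTree as ET

# The 'toy' domain from the bug report (constructed sample, trimmed to the
# elements the audit looks at): no <filesystem> device at all.
TOY_XML = """<domain type='lxc' id='3420'>
  <name>toy</name>
  <uuid>386f5b25-43ee-9d62-4ce2-58c3809e47c1</uuid>
  <memory>500000</memory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/sh</init>
  </os>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <interface type='network'>
      <mac address='52:54:00:ca:84:12'/>
      <source network='default'/>
      <target dev='veth0'/>
    </interface>
  </devices>
</domain>
"""


def filesystem_mounts(xml_text):
    """Return [(source dir, target dir), ...] for every <filesystem> device."""
    root = ET.fromstring(xml_text)
    mounts = []
    for fs in root.iterfind('./devices/filesystem'):
        src = fs.find('source')
        tgt = fs.find('target')
        mounts.append((src.get('dir') if src is not None else None,
                       tgt.get('dir') if tgt is not None else None))
    return mounts


def root_filesystem_is_isolated(xml_text):
    """True only if some <filesystem> device mounts a private root at '/'.

    With no such device the LXC container runs on the host's '/', which is
    the condition behind the shared /etc/resolv.conf in this bug.
    """
    root = ET.fromstring(xml_text)
    if root.tag != 'domain' or root.get('type') != 'lxc':
        raise ValueError('not an LXC domain definition')
    return any(target == '/' for _, target in filesystem_mounts(xml_text))


def add_private_root(xml_text, rootfs_dir):
    """Return the XML with a <filesystem type='mount'> device that mounts
    rootfs_dir (a host directory prepared as the container's root) at '/'.

    The element added is libvirt's documented LXC form:
      <filesystem type='mount'>
        <source dir='/path/on/host'/>
        <target dir='/'/>
      </filesystem>
    Definitions that already isolate '/' are returned unchanged.
    """
    if root_filesystem_is_isolated(xml_text):
        return xml_text
    root = ET.fromstring(xml_text)
    devices = root.find('devices')
    if devices is None:
        devices = ET.SubElement(root, 'devices')
    fs = ET.SubElement(devices, 'filesystem', {'type': 'mount'})
    ET.SubElement(fs, 'source', {'dir': rootfs_dir})
    ET.SubElement(fs, 'target', {'dir': '/'})
    return ET.tostring(root, encoding='unicode')


if __name__ == '__main__':
    print('toy root isolated:', root_filesystem_is_isolated(TOY_XML))
    # '/srv/lxc/toy/rootfs' is an assumed placeholder path.
    hardened = add_private_root(TOY_XML, '/srv/lxc/toy/rootfs')
    print('hardened root isolated:', root_filesystem_is_isolated(hardened))
    print(hardened)
```

Running the file prints both verdicts and the hardened definition. The directory given as the source must already hold the binaries and its own /etc the container needs (here at least /bin/sh, the configured <init>) before the result is passed to `virsh define`; the audit only checks the definition, not the contents of the root.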
