Bug 591372 - [LXC] restart network on guest make the /etc/resolv.conf has been changed on host.
Summary: [LXC] restart network on guest make the /etc/resolv.conf has been changed on host.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
: ---
Assignee: Jiri Denemark
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 599016 Rhel6.0LibvirtTier1
Reported: 2010-05-12 03:43 UTC by dyuan
Modified: 2010-06-30 13:32 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-30 13:05:43 UTC
Target Upstream Version:
Embargoed:



Description dyuan 2010-05-12 03:43:58 UTC
Description of problem:
Restarting the network on the guest makes the network stop working correctly on the host, and /etc/resolv.conf is modified as well. Then restarting the network on the host leaves NetworkManager dead.

Version-Release number of selected component (if applicable):
kernel-2.6.32-24.el6.x86_64
libvirt-0.8.1-2.el6.x86_64

How reproducible:
always

Steps to Reproduce:

1. define a simple application container and make it running

# virsh -c lxc:///
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # define toy.xml 
Domain toy defined from toy.xml
virsh # start toy
Domain toy started
virsh # list --all
 Id Name                 State
----------------------------------
7081 toy                  running

virsh # dumpxml toy
<domain type='lxc' id='3420'>
  <name>toy</name>
  <uuid>386f5b25-43ee-9d62-4ce2-58c3809e47c1</uuid>
  <memory>500000</memory>
  <currentMemory>500000</currentMemory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/sh</init>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <interface type='network'>
      <mac address='52:54:00:ca:84:12'/>
      <source network='default'/>
      <target dev='veth0'/>
    </interface>
    <console type='pty' tty='/dev/pts/2'>
      <source path='/dev/pts/2'/>
      <target port='0'/>
    </console>
  </devices>
</domain>

2. connect to the container via console
virsh # console toy
Connected to domain toy
Escape character is ^]
sh-4.1# 

3. check the network status on toy
sh-4.1# more /etc/resolv.conf 
# Generated by NetworkManager
domain nay.redhat.com
search nay.redhat.com
nameserver 10.66.127.10
nameserver 10.32.63.5
nameserver 172.16.52.28

sh-4.1# ifconfig

sh-4.1# ping google.com
ping: unknown host google.com

sh-4.1# ping 10.66.70.12
connect: Network is unreachable

sh-4.1# more /etc/sysconfig/network-scripts/ifcfg-eth0 
DEVICE=eth0
HWADDR=6C:F0:49:27:0C:06
ONBOOT=yes
BOOTPROTO=dhcp

sh-4.1# 
virsh # domifstat toy veth0
veth0 rx_bytes 9840
veth0 rx_packets 147
veth0 rx_errs 0
veth0 rx_drop 0
veth0 tx_bytes 552
veth0 tx_packets 6
veth0 tx_errs 0
veth0 tx_drop 0

4. check the network on host
# ping google.com
PING google.com (74.125.71.103) 56(84) bytes of data.
64 bytes from hx-in-f103.1e100.net (74.125.71.103): icmp_seq=1 ttl=49 time=100 ms

# ping 10.66.70.12
PING 10.66.70.12 (10.66.70.12) 56(84) bytes of data.
64 bytes from 10.66.70.12: icmp_seq=1 ttl=64 time=0.385 ms

# more /etc/resolv.conf 
# Generated by NetworkManager
domain nay.redhat.com
search nay.redhat.com
nameserver 10.66.127.10
nameserver 10.32.63.5
nameserver 172.16.52.28

# brctl show virbr0
bridge name	bridge id		STP enabled	interfaces
virbr0		8000.1661f96cd7a3	yes		veth0

5. restart network on toy, check the network on toy
virsh # console toy
Connected to domain toy
Escape character is ^]

sh-4.1# service network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:  
Determining IP information for eth0... done.
                                                           [  OK  ]
sh-4.1# more /etc/resolv.conf 
; generated by /sbin/dhclient-script
nameserver 192.168.122.1

sh-4.1# ping google.com
ping: unknown host google.com

sh-4.1# ping 10.66.70.12
PING 10.66.70.12 (10.66.70.12) 56(84) bytes of data.
64 bytes from 10.66.70.12: icmp_seq=1 ttl=63 time=1.12 ms

6. check the network on host
# more /etc/resolv.conf 
; generated by /sbin/dhclient-script
nameserver 192.168.122.1

# ping google.com
ping: unknown host google.com

# ping 10.66.70.12
PING 10.66.70.12 (10.66.70.12) 56(84) bytes of data.
64 bytes from 10.66.70.12: icmp_seq=1 ttl=64 time=0.159 ms

7. restart network on host, check the network on host
# service network restart
Shutting down interface eth0:  Device state: 3 (disconnected)
                                                           [  OK  ]
Shutting down loopback interface:  Error org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by message bus)
                                                           [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:  
Determining IP information for eth0... done.
                                                           [  OK  ]
# more /etc/resolv.conf 
; generated by /sbin/dhclient-script
search nay.redhat.com
nameserver 10.66.127.10
nameserver 10.32.63.5
nameserver 172.16.52.28

# service NetworkManager status
NetworkManager dead but pid file exists

# ping google.com
PING google.com (74.125.71.99) 56(84) bytes of data.
64 bytes from hx-in-f99.1e100.net (74.125.71.99): icmp_seq=1 ttl=51 time=77.4 ms

# brctl show virbr0
bridge name	bridge id		STP enabled	interfaces
virbr0		8000.1661f96cd7a3	yes		veth0


Actual results:
Steps 5 and 6: resolv.conf has been modified.
Step 7: restarting the network on the host leaves NetworkManager dead.

Expected results:
After restarting the network with "Determining IP information ... done" [OK], the network should work fine.

Additional info:

when testing with kernel-2.6.32-25.el6.x86_64

step 5, toy cannot connect to 10.66.70.12
sh-4.1# ping 10.66.70.12
PING 10.66.70.12 (10.66.70.12) 56(84) bytes of data.

#### no output here; can only press Ctrl+C.

Comment 2 RHEL Program Management 2010-05-12 04:53:05 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 5 Daniel Berrangé 2010-06-30 13:05:43 UTC
>  <devices>
>    <emulator>/usr/libexec/libvirt_lxc</emulator>
>    <interface type='network'>
>      <mac address='52:54:00:ca:84:12'/>
>      <source network='default'/>
>      <target dev='veth0'/>
>    </interface>
>    <console type='pty' tty='/dev/pts/2'>
>      <source path='/dev/pts/2'/>
>      <target port='0'/>
>    </console>
>  </devices>


There is no <filesystem> device configured in this guest, thus the container will inherit full access to the host filesystem. Thus any changes you make to /etc/resolv.conf in the container will obviously impact the host OS. This is essentially an 'application workload isolation' configuration, and not a 'virtual operating system container' configuration. You can't expect to run arbitrary apps in such a config and not have them impact the host, since the configuration isn't providing any security. If you want the container to be isolated, then you need to configure a custom filesystem for it.


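The point made in comment 5 is that an LXC domain with no <filesystem> device runs directly on the host's root filesystem, so the container's dhclient-script rewriting /etc/resolv.conf rewrites the host's copy. The following audit script is an added example, not part of this bug report or of libvirt: it parses `virsh dumpxml` output and flags LXC domains that lack a <filesystem> mounting a private root at <target dir='/'/>. The two embedded domain documents are constructed samples (one modelled on the XML in this report, one with a private root mounted from an assumed host directory, /var/lib/lxc/toy/rootfs).

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the domain XML in this report: no <filesystem>
# device, so the container runs on the host's own root filesystem.
UNISOLATED_XML = """\
<domain type='lxc'>
  <name>toy</name>
  <memory>500000</memory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/sh</init>
  </os>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <interface type='network'>
      <source network='default'/>
      <target dev='veth0'/>
    </interface>
  </devices>
</domain>
"""

# Constructed sample: the same container with a private root filesystem mounted
# from a host directory. The path /var/lib/lxc/toy/rootfs is an assumed location.
ISOLATED_XML = """\
<domain type='lxc'>
  <name>toy-isolated</name>
  <memory>500000</memory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/sbin/init</init>
  </os>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <filesystem type='mount'>
      <source dir='/var/lib/lxc/toy/rootfs'/>
      <target dir='/'/>
    </filesystem>
    <interface type='network'>
      <source network='default'/>
      <target dev='veth0'/>
    </interface>
  </devices>
</domain>
"""


def has_private_root(xml_text):
    """True if the domain mounts its own root: a <filesystem> device whose
    <target dir='/'/>. Without one the container sees the host filesystem."""
    root = ET.fromstring(xml_text)
    for fs in root.findall('./devices/filesystem'):
        target = fs.find('target')
        if target is not None and target.get('dir') == '/':
            return True
    return False


def audit_domain(xml_text):
    """Return a list of finding strings for one domain XML document.
    Only type='lxc' domains are checked; other hypervisor types return []."""
    root = ET.fromstring(xml_text)
    if root.get('type') != 'lxc':
        return []
    name = root.findtext('name') or '<unnamed>'
    findings = []
    if not has_private_root(xml_text):
        findings.append(
            f"{name}: no <filesystem> with <target dir='/'/>; the container "
            f"shares the host root filesystem, so writes to e.g. /etc/resolv.conf "
            f"land on the host")
    return findings


def audit_all(xml_docs):
    """Audit several dumpxml outputs and return the combined findings."""
    findings = []
    for doc in xml_docs:
        findings.extend(audit_domain(doc))
    return findings


if __name__ == '__main__':
    # With file arguments (saved 'virsh -c lxc:/// dumpxml NAME' output) audit
    # those files; otherwise audit the two embedded samples.
    if len(sys.argv) > 1:
        docs = [open(path).read() for path in sys.argv[1:]]
    else:
        docs = [UNISOLATED_XML, ISOLATED_XML]
    result = audit_all(docs)
    for line in result:
        print(line)
    sys.exit(1 if result else 0)
```

Run without arguments it reports the unisolated sample and exits non-zero; in practice you would save `virsh -c lxc:/// dumpxml NAME` for each container and pass the files in. The check is deliberately narrow: it only asks whether a root mount is declared, which is the property comment 5 says was missing here.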