Bug 752254 - libvirt fails to initialize nwfilter when /tmp is mounted with noexec option
Status: CLOSED NEXTRELEASE
Product: Virtualization Tools
Classification: Community
Component: libvirt
unspecified
All Linux
unspecified Severity medium
Assigned To: Eric Blake
Blocks: 752255
Reported: 2011-11-08 18:25 EST by Bartlomiej Leszak
Modified: 2011-11-09 19:48 EST
Doc Type: Bug Fix
Last Closed: 2011-11-09 19:48:12 EST
Description Bartlomiej Leszak 2011-11-08 18:25:10 EST
Description of problem:

When the /tmp filesystem is mounted with the noexec option:

tmpfs on /tmp type tmpfs (rw,noexec,nosuid,size=512M)

libvirt fails to initialize the nwfilter framework and then fails to start any domain using nwfilter rules.

22:22:32.545: 7699: debug : ebiptablesExecCLI:2590 : cmd='/sbin/ebtables -t nat -L'
eval res=\$\("${cmd}"\)
if [ $? -ne 0 ]; then  echo "Failure to execute command '${cmd}'.";  exit 1;fi

22:22:32.545: 7699: debug : virRunWithHook:833 : /tmp/virtduqjigQ
22:22:32.549: 7699: debug : virRunWithHook:851 : Command stderr: 22:22:32.548: 7733: info : libvirt version: 0.8.7, package: 18.el6_1.1 (Unknown, 2011-09-01-11:22:40, sl6.fnal.gov)
22:22:32.548: 7733: error : __virExec:676 : cannot execute binary /tmp/virtduqjigQ: Permission denied
libvir: error : cannot execute binary /tmp/virtduqjigQ: Permission denied

22:22:32.549: 7699: debug : ebiptablesExecCLI:2611 : rc = 0, status = 1

I have seen similar problems over the internet, and it seems these problems were incorrectly classified as iptables/ip6tables/ebtables not being available in PATH.

Version-Release number of selected component (if applicable):
libvirt-0.8.7-18.el6_1.1.x86_64

(but as far as I can tell after looking at 0.9.7 sources the same problem persists in this version too)

How reproducible:

Mount /tmp with the noexec option, restart libvirt.
  
Actual results:

1. Nwfilter not being initialized at libvirt's start:

Nov  8 22:20:48 kastor libvirtd: 22:20:48.984: 7523: info : libvirt version: 0.8.7, package: 18.el6_1.1 (Unknown, 2011-09-01-11:22:40, sl6.fnal.gov)
Nov  8 22:20:48 kastor libvirtd: 22:20:48.994: 7523: info : networkReloadIptablesRules:1382 : Reloading iptables rules
Nov  8 22:20:49 kastor libvirtd: 22:20:49.231: 7523: error : ebiptablesDriverInit:3766 : internal error firewall tools were not found or cannot be used

2. Nwfilter not being usable within domain configuration:

[root@kastor ~]# virsh start av
error: Failed to start domain av
error: internal error Could not get access to ACL tech driver 'ebiptables'

[root@kastor ~]#

Additional info:
Since the ebiptablesExecCLI() function's only purpose is to run a script generated for checking iptables/ip6tables/ebtables capabilities, it should be easy to fix this function. It should invoke this script with `/bin/sh /tmp/tmp_script_path' instead of calling it directly.
Comment 1 Eric Blake 2011-11-08 18:32:20 EST
(In reply to comment #0)
> Description of problem:
> 
> Additional info:
> Since ebiptablesExecCLI() function's only purpose is to run script generated
> for checking iptables/ip6tables/ebtables capabilities it should be easy to fix
> this function. It should invoke this script with `/bin/sh /tmp/tmp_script_path'
> instead of calling it directly.

Agree - and this should be a fairly easy patch to get approved.
Comment 2 Eric Blake 2011-11-09 12:47:17 EST
Patch proposed:
https://www.redhat.com/archives/libvir-list/2011-November/msg00410.html
Comment 3 Eric Blake 2011-11-09 19:48:12 EST
Libvirt 0.9.8 (or whatever it is numbered) will include this.

commit 3b7122c0b24b59ade17dbf72c22dbdfdad89bb08
Author: Eric Blake <eblake@redhat.com>
Date:   Wed Nov 9 10:29:57 2011 -0700

    nwfilter: simplify execution of ebiptables scripts
    
    It's not worth even worrying about a temporary file, unless we
    ever expect the script to exceed maximum command-line argument
    length limits.
    
    * src/nwfilter/nwfilter_ebiptables_driver.c (ebiptablesExecCLI):
    Run the commands as an argument to /bin/sh, rather than worrying
    about a temporary file.
    (ebiptablesWriteToTempFile): Delete unused function.
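
Added example (not part of the bug report and not libvirt's source): a small C program contrasting the three execution patterns discussed in this bug. The function names are hypothetical, and a mode-0600 file from mkstemp() stands in for a script on a noexec /tmp, since in both cases execv() fails with EACCES ("Permission denied").

```c
/* Added illustration, not libvirt code; all function names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork, exec argv[0], return the exit status; 126 means exec got EACCES. */
static int run_argv(char *const argv[]) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(errno == EACCES ? 126 : 127);  /* reached only if exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
/* via_sh == 0: exec the temp script itself (the failing pattern);
 * via_sh != 0: the reporter's suggestion, /bin/sh reads the file instead. */
int run_script_file(const char *path, int via_sh) {
    char *direct[] = { (char *)path, NULL };
    char *shell[] = { "/bin/sh", (char *)path, NULL };
    return run_argv(via_sh ? shell : direct);
}
/* Committed approach: no temporary file, the script text is an argument. */
int run_script_via_sh(const char *script) {
    char *argv[] = { "/bin/sh", "-c", (char *)script, NULL };
    return run_argv(argv);
}
/* Constructed stand-in for noexec: mkstemp() files are mode 0600 (no x bit). */
int write_nonexec_script(char *tmpl, const char *script) {
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    int ok = write(fd, script, strlen(script)) == (ssize_t)strlen(script);
    close(fd);
    return ok ? 0 : -1;
}
int main(void) {
    char tmpl[] = "/tmp/nwfilter-demo-XXXXXX";
    if (write_nonexec_script(tmpl, "#!/bin/sh\nexit 0\n") != 0) return 1;
    printf("direct=%d sh-file=%d sh-c=%d\n", run_script_file(tmpl, 0),
           run_script_file(tmpl, 1), run_script_via_sh("exit 0"));
    unlink(tmpl);
    return 0;
}
```

A caller that treats every non-zero status as "tools not found" hides the 126 result, which is how this failure ends up reported as missing firewall tools.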
