Bug 805361 - RFE: privnet should work well with lxc
Summary: RFE: privnet should work well with lxc
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.3
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Michal Privoznik
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On: 842979
Blocks:
Reported: 2012-03-21 02:32 UTC by Min Zhan
Modified: 2013-02-21 07:09 UTC

Fixed In Version: libvirt-0.10.0-0rc1.el6
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-21 07:09:07 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0276 0 normal SHIPPED_LIVE Moderate: libvirt security, bug fix, and enhancement update 2013-02-20 21:18:26 UTC

Description Min Zhan 2012-03-21 02:32:44 UTC
Description of problem:
From libvirt.org: 
privnet
    Always create a private network namespace. This is automatically set if any interface devices are defined. This feature is only relevant for container based virtualization drivers, such as LXC. 

But privnet does not work well with lxc

Version-Release number of selected component (if applicable):
libvirt-0.9.10-6.el6

How reproducible:
Always

Steps to Reproduce:
1. Make sure there is a good lxc guest

 # virsh --connect lxc:///
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # list --all
 Id    Name                           State
----------------------------------------------------
 -     lxc                            shut off

virsh # dumpxml lxc
<domain type='lxc'>
  <name>lxc</name>
  <uuid>2a0c59a1-519b-3865-582b-5339f5e1b95d</uuid>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/sh</init>
  </os>
  <features>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <interface type='network'>
      <mac address='00:16:3e:cb:17:2b'/>
      <source network='default'/>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>

2. Edit the guest, add the following to guest xml
<features>
  <privnet/>
</features>

virsh # edit lxc
error: internal error unexpected feature privnet

  
Actual results:
as above

Expected results:
It works well

Additional info:

ajia has found that Libvirt upstream has supported private network namespace for LXC guests, but related patches haven't been backported into RHEL.

Comment 4 Michal Privoznik 2012-08-03 09:50:27 UTC
In fact, this has been in RHEL for a while (since libvirt-0.9.11-rc1). Hence moving to POST:

commit 10a8b1f9585d7414d6d3a2571fffc5d699c4576b
Author:     Daniel P. Berrange <berrange>
AuthorDate: Wed Jan 18 11:38:49 2012 +0000
Commit:     Daniel P. Berrange <berrange>
CommitDate: Thu Mar 15 17:00:39 2012 +0000

    Add support for forcing a private network namespace for LXC guests
    
    If no <interface> elements are included in an LXC guest XML
    description, then the LXC guest will just see the host's
    network interfaces. It is desirable to be able to hide the
    host interfaces, without having to define any guest interfaces.
    
    This patch introduces a new feature flag <privnet/> to allow
    forcing of a private network namespace for LXC. In the future
    I also anticipate that we will add <privuser/> to force a
    private user ID namespace.
    
    * src/conf/domain_conf.c, src/conf/domain_conf.h: Add support
      for <privnet/> feature. Auto-set <privnet> if any <interface>
      devices are defined
    * src/lxc/lxc_container.c: Honour request for private network
      namespace
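
The rule stated in the commit message above, written out as an added example (not part of the bug report and not libvirt's own code): it classifies an LXC domain definition by whether the guest gets a private network namespace or would see the host's interfaces. The function names and sample definitions are constructed for illustration, and the guest PID passed to the live check is assumed to be supplied by the operator.

```python
import os
import xml.etree.ElementTree as ET

def netns_mode(domain_xml):
    """Classify the network namespace an LXC domain definition will get."""
    root = ET.fromstring(domain_xml)
    if root.tag != "domain" or root.get("type") != "lxc":
        return "not-lxc"
    if root.find("./features/privnet") is not None:
        return "private-explicit"   # <privnet/> forces a private namespace
    if root.find("./devices/interface") is not None:
        return "private-implied"    # privnet is auto-set by any <interface>
    return "host-shared"            # guest sees the host's interfaces

def host_shared_domains(xml_by_name):
    """Names of LXC domains that would run in the host network namespace."""
    return sorted(n for n, x in xml_by_name.items()
                  if netns_mode(x) == "host-shared")

def same_netns_as_caller(pid):
    """Live check on a running guest: is `pid` in the caller's net namespace?"""
    mine = os.stat("/proc/self/ns/net")
    theirs = os.stat(f"/proc/{pid}/ns/net")
    return (mine.st_dev, mine.st_ino) == (theirs.st_dev, theirs.st_ino)

# Constructed sample definitions, trimmed from the dumpxml layout in this report.
TEMPLATE = """<domain type='{kind}'>
  <name>{name}</name>
  <os><type arch='x86_64'>exe</type><init>/bin/sh</init></os>
  {features}
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    {iface}
  </devices>
</domain>"""
IFACE = "<interface type='network'><source network='default'/></interface>"
SAMPLES = {
    "lxc-iface": TEMPLATE.format(kind="lxc", name="lxc-iface", features="", iface=IFACE),
    "lxc-privnet": TEMPLATE.format(kind="lxc", name="lxc-privnet",
                                   features="<features><privnet/></features>", iface=""),
    "lxc-bare": TEMPLATE.format(kind="lxc", name="lxc-bare", features="", iface=""),
    "kvm-guest": TEMPLATE.format(kind="kvm", name="kvm-guest", features="", iface=""),
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(f"{name:12} {netns_mode(xml)}")
    print("review:", host_shared_domains(SAMPLES))
```

Run from the host as root, same_netns_as_caller() returning True for a guest process means the guest is not isolated from the host's network namespace.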

Comment 6 Luwen Su 2012-08-24 03:00:24 UTC
Because another bug, 842979, prevents the lxc guest from starting normally, I just added the XML to a shut-down lxc guest, and it works.
My question is whether these steps are enough to verify the bug, or should we defer the bug until the lxc function works well?


1.
# rpm -q libvirt
libvirt-0.10.0-0rc1.el6.x86_64
# virsh -c lxc:///
virsh # list --all
 Id    Name                           State
----------------------------------------------------
 -     lxc                            shut off

2.
virsh # dumpxml lxc
<domain type='lxc'>
  <name>lxc</name>
  <uuid>2a0c59a1-519b-3865-582b-5339f5e1b95d</uuid>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/sh</init>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <interface type='network'>
      <mac address='00:16:3e:cb:17:2b'/>
      <source network='default'/>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>

3.
Add the <privnet/> feature
virsh # dumpxml lxc
<domain type='lxc'>
  <name>lxc</name>
  <uuid>2a0c59a1-519b-3865-582b-5339f5e1b95d</uuid>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/sh</init>
  </os>
  <features>
    <privnet/>                    <----success with no error
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <interface type='network'>
      <mac address='00:16:3e:cb:17:2b'/>
      <source network='default'/>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>

Comment 7 Michal Privoznik 2012-08-24 06:31:32 UTC
No, I think we should verify this on a running lxc domain.

Comment 8 Luwen Su 2012-08-24 09:30:37 UTC

(In reply to comment #7)
> No, I think we should verify this on a running lxc domain.

OK, I will verify this after the bugs it depends on are fixed.

Comment 9 Luwen Su 2012-10-12 06:05:18 UTC
Verified the bug with the steps in comment 6, since the bugs it depends on are fixed.

Comment 10 Luwen Su 2012-10-12 07:05:00 UTC
Sorry for forgetting the pkg version
libvirt-0.10.2-2.el6.x86_64

Comment 11 errata-xmlrpc 2013-02-21 07:09:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0276.html

