Bug 805361 – RFE: privnet should work well with lxc

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 805361 - RFE: privnet should work well with lxc

Summary:	RFE: privnet should work well with lxc

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	libvirt (Show other bugs)
Sub Component:
Version:	6.3
Hardware:	x86_64 Linux

Priority	medium Severity medium
Target Milestone:	rc
Target Release:	---
Assigned To:	Michal Privoznik
QA Contact:	Virtualization Bugs
Docs Contact:

URL:
Whiteboard:
Keywords:	FutureFeature

Depends On:	842979
Blocks:
	Show dependency tree / graph

Reported:	2012-03-20 22:32 EDT by min zhan
Modified:	2013-02-21 02:09 EST (History)
CC List:	9 users (show)

See Also:
Fixed In Version:	libvirt-0.10.0-0rc1.el6
Doc Type:	Enhancement
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2013-02-21 02:09:07 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:0276	normal	SHIPPED_LIVE	Moderate: libvirt security, bug fix, and enhancement update	2013-02-20 16:18:26 EST

Groups: None (edit)

Description min zhan 2012-03-20 22:32:44 EDT

Description of problem:
From libvirt.org: 
privnet
    Always create a private network namespace. This is automatically set if any interface devices are defined. This feature is only relevant for container based virtualization drivers, such as LXC. 

But privnet does not work well with lxc

Version-Release number of selected component (if applicable):
libvirt-0.9.10-6.el6

How reproducible:
Always

Steps to Reproduce:
1. Make sure a good lxc guest

 # virsh --connect lxc:///
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # list --all
 Id    Name                           State
----------------------------------------------------
 -     lxc                            shut off

virsh # dumpxml lxc
<domain type='lxc'>
  <name>lxc</name>
  <uuid>2a0c59a1-519b-3865-582b-5339f5e1b95d</uuid>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/sh</init>
  </os>
  <features>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <interface type='network'>
      <mac address='00:16:3e:cb:17:2b'/>
      <source network='default'/>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>

2. Edit the guest, add the following to guest xml
<features>
  <privnet/>
</features>

virsh # edit lxc
error: internal error unexpected feature privnet

  
Actual results:
as above

Expected results:
It works well

Additional info:

ajia has found that Libvirt upstream has supported private network namespace for LXC guests, but related patches haven't been backported into RHEL.

Comment 4 Michal Privoznik 2012-08-03 05:50:27 EDT

In fact, this is in RHEL for a while (since libvirt-0.9.11-rc1). Hence moving to POST:

commit 10a8b1f9585d7414d6d3a2571fffc5d699c4576b
Author:     Daniel P. Berrange <berrange@redhat.com>
AuthorDate: Wed Jan 18 11:38:49 2012 +0000
Commit:     Daniel P. Berrange <berrange@redhat.com>
CommitDate: Thu Mar 15 17:00:39 2012 +0000

    Add support for forcing a private network namespace for LXC guests
    
    If no <interface> elements are included in an LXC guest XML
    description, then the LXC guest will just see the host's
    network interfaces. It is desirable to be able to hide the
    host interfaces, without having to define any guest interfaces.
    
    This patch introduces a new feature flag <privnet/> to allow
    forcing of a private network namespace for LXC. In the future
    I also anticipate that we will add <privuser/> to force a
    private user ID namespace.
    
    * src/conf/domain_conf.c, src/conf/domain_conf.h: Add support
      for <privnet/> feature. Auto-set <privnet> if any <interface>
      devices are defined
    * src/lxc/lxc_container.c: Honour request for private network
      namespace

Comment 6 Luwen Su 2012-08-23 23:00:24 EDT

Because there is another bug 842979 make the lxc can't start normally , so i just add the xml to a shut down lxc and it works .
My question is that the steps is enough to verfiy the bug ? Or should we defer the bug until the lxc function works well.


1.
#rpm -q libvirt
libvirt-0.10.0-0rc1.el6.x86_64
#virsh -c lxc:///
virsh # list --all
 Id    Name                           State
----------------------------------------------------
 -     lxc                            shut off

2.
virsh # dumpxml lxc
<domain type='lxc'>
  <name>lxc</name>
  <uuid>2a0c59a1-519b-3865-582b-5339f5e1b95d</uuid>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/sh</init>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <interface type='network'>
      <mac address='00:16:3e:cb:17:2b'/>
      <source network='default'/>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>

3.
add the <privnet/> feature 
virsh#dumpxml lxc
<domain type='lxc'>
  <name>lxc</name>
  <uuid>2a0c59a1-519b-3865-582b-5339f5e1b95d</uuid>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/sh</init>
  </os>
  <features>
    <privnet/>                    <----success with no error
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <interface type='network'>
      <mac address='00:16:3e:cb:17:2b'/>
      <source network='default'/>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>

Comment 7 Michal Privoznik 2012-08-24 02:31:32 EDT

No, I think we should verify this on a running lxc domain.

Comment 8 Luwen Su 2012-08-24 05:30:37 EDT


(In reply to comment #7)
> No, I think we should verify this on a running lxc domain.

OK , i will verify this after the depends on's be fixed

Comment 9 Luwen Su 2012-10-12 02:05:18 EDT

verified bug with the steps in comment6 since the depends bugs is fixed.

Comment 10 Luwen Su 2012-10-12 03:05:00 EDT

Sorry for forgetting the pkg version
libvirt-0.10.2-2.el6.x86_64

Comment 11 errata-xmlrpc 2013-02-21 02:09:07 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0276.html

Note You need to log in before you can comment on or make changes to this bug.