Bug 858104 - Security context error when starting LXC domain via virsh
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 17
Hardware: x86_64 Linux
Priority: unspecified
Severity: unspecified
Assigned To: Libvirt Maintainers
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-09-17 21:14 EDT by James R. Leu
Modified: 2012-10-27 13:00 EDT
Doc Type: Bug Fix
Last Closed: 2012-10-27 13:00:06 EDT
Type: Bug

Attachments:
LXC XML file (699 bytes, text/xml)
2012-09-17 21:14 EDT, James R. Leu
Patch that implements the change suggested by berrange (1.18 KB, patch)
2012-09-21 09:20 EDT, James R. Leu

Description James R. Leu 2012-09-17 21:14:35 EDT
Created attachment 613833
LXC XML file

Description of problem:
Unable to start LXC container using a working XML config from previous version of libvirt.

error: Failed to start domain foo0
error: internal error guest failed to start: 2012-09-18 00:59:42.992+0000: 4113: info : libvirt version: 0.9.11.5, package: 3.fc17 (Fedora Project, 2012-08-22-14:23:38, )
2012-09-18 00:59:42.992+0000: 4113: error : lxcControllerRun:1486 : Failed to query file context on /home/foo: No data available


Version-Release number of selected component (if applicable):
libvirt version: 0.9.11.5

How reproducible:
I cannot get any LXC domains to start with selinux=disabled

Steps to Reproduce:
1. Create a working LXC XML config on RHEL 5.8, libvirt 0.9.10
2. Use the same config on F17, libvirt 0.9.11.5

Actual results:
Error above

Expected results:
LXC domain should start

Additional info:
I have selinux=disabled on both RHEL and F17
Comment 1 Daniel Berrange 2012-09-18 09:55:35 EDT
The problem is this code in lxc_controller.c, which should also check for the ENODATA error code:

#if HAVE_SELINUX
        if (getfilecon(root->src, &con) < 0 &&
            errno != ENOTSUP) {
            virReportSystemError(errno,
                                 _("Failed to query file context on %s"),
                                 root->src);
            goto cleanup;
        }
#endif

In libvirt 0.10.0 or later, this code has actually been removed now.
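
Added example, not part of the original thread and not libvirt's code: a stand-alone version of the lookup discussed in comment 1 that treats both ENOTSUP and ENODATA as "no label" and fails only on other errors. It reads the `security.selinux` extended attribute directly with getxattr(), the attribute getfilecon() reads, so it builds without libselinux; the function and enum names are hypothetical.

```c
/* Added illustration, not libvirt code; all names here are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

enum label_status { LABEL_PRESENT = 1, LABEL_ABSENT = 0, LABEL_ERROR = -1 };

/* Decide whether a failed label lookup means "no label" or a real error.
 * ENOTSUP: the filesystem has no xattr support.
 * ENODATA: xattrs work, but the file carries no security.selinux label,
 *          the case in this bug, where the host runs with selinux=disabled. */
static int label_errno_is_benign(int err)
{
    return err == ENOTSUP || err == ENODATA;
}

/* Query the SELinux label xattr directly (the attribute getfilecon() reads),
 * so the example builds without libselinux headers. */
static enum label_status query_selinux_label(const char *path,
                                             char *buf, size_t buflen)
{
    ssize_t n = getxattr(path, "security.selinux", buf, buflen - 1);
    if (n >= 0) {
        buf[n] = '\0';
        return LABEL_PRESENT;
    }
    if (label_errno_is_benign(errno)) {
        buf[0] = '\0';
        return LABEL_ABSENT;   /* carry on without a label */
    }
    return LABEL_ERROR;        /* e.g. ENOENT, EACCES: report and abort */
}

int main(int argc, char **argv)
{
    char label[256];
    const char *path = argc > 1 ? argv[1] : "/";
    enum label_status st = query_selinux_label(path, label, sizeof(label));

    if (st == LABEL_ERROR) {
        fprintf(stderr, "Failed to query file context on %s: %s\n",
                path, strerror(errno));
        return 1;
    }
    printf("%s: %s\n", path, st == LABEL_PRESENT ? label : "(no label)");
    return 0;
}
```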
Comment 2 James R. Leu 2012-09-21 09:20:28 EDT
Created attachment 615417
Patch that implements the change suggested by berrange
Comment 3 Daniel Berrange 2012-09-21 09:26:14 EDT
Looks fine as something to cherry-pick into Fedora 17 only. Moving to POST so Cole sees it with next Fedora update.
Comment 4 James R. Leu 2012-10-01 09:49:12 EDT
FYI I've encountered the same issue when trying to migrate from RHEL 5.8 to RHEL 6.3.  I used the same SRPM with the patch from above to build a set of RPMs that work on RHEL 6.3.  Unfortunately this will not work well going forward, because now I'm out of sync with RHEL 6.

Should I create a new bug for RHEL 6?
Comment 5 Cole Robinson 2012-10-07 16:48:13 EDT
(In reply to comment #4)
> FYI I've encountered the same issue when trying to migrate from RHEL 5.8 to
> RHEL 6.3.  I used the same SRPM with the patch from above to build a set of
> RPMs that work on RHEL 6.3.  Unfortunately this will not work well going
> forward, because now I'm out of sync with RHEL 6.
> 
> Should I create a new bug for RHEL 6?

Yes, please file a separate RHEL6 bug.
Comment 6 Fedora Update System 2012-10-07 20:09:45 EDT
libvirt-0.9.11.6-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/libvirt-0.9.11.6-1.fc17
Comment 7 Fedora Update System 2012-10-08 17:53:24 EDT
Package libvirt-0.9.11.6-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libvirt-0.9.11.6-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15634/libvirt-0.9.11.6-1.fc17
then log in and leave karma (feedback).
