
Bug 872653

Summary: Provide an audit event containing the LXC "init" process ID.
Product: Red Hat Enterprise Linux 7
Reporter: Daniel Berrangé <berrange>
Component: libvirt
Assignee: Daniel Berrangé <berrange>
Status: CLOSED CURRENTRELEASE
QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.0
CC: ajia, bili, cwei, dwalsh, dyuan, eparis, mzhan, sgrubb
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: libvirt-1.0.1-1.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 918671 (view as bug list)
Environment:
Last Closed: 2014-06-13 12:37:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 882324, 901535
Bug Blocks:

Attachments (description, flags):
- This patch adds auditing with the initpid call to the libvirt-lxc (none)
- oops wrong patch (none)

Description Daniel Berrangé 2012-11-02 16:33:20 UTC
Description of problem:
The kernel is ensuring that processes in a non-initial PID namespace have their audit messages tagged with the PID of the process leader in that namespace. The libvirt LXC driver needs to log an audit message specifying the libvirt container UUID and the PID of the init process, to allow audit messages to be associated with containers. Libvirt must also allow the CAP_AUDIT capability for containers.


Comment 1 Daniel Walsh 2012-11-07 16:27:41 UTC
Created attachment 640177 [details]
This patch adds auditing with the initpid call to the libvirt-lxc

audit message looks like:

time->Wed Nov  7 11:22:41 2012
type=VIRT_CONTROL msg=audit(1352305361.019:4442): pid=27370 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 msg='lxc=apache1 op=start reason=booted uuid=13541cfd-4bf4-80fd-ff24-0779f856d558 init-pid=27371 exe="/usr/libexec/libvirt_lxc" hostname=? addr=? terminal=? res=success'

Problem is the stop message never happens.  Seems like libvirtd is just killing the libvirt-lxc process and it is not cleaning up properly?

Comment 2 Daniel Berrangé 2012-11-08 20:59:14 UTC
It seems like your attachment is only the .spec file changes, not the actual patch. The libvirt LXC driver in fact already issues audit logs on every start/stop of a container. These are issued from libvirtd, rather than libvirt_lxc, precisely so that they're guaranteed to be issued even if libvirt_lxc crashes. So we don't need to add further stop/start audit events in libvirt_lxc. Rather, we need to have libvirt_lxc send the init pid back to libvirtd, so that it can include it in the event it already emits.

Comment 3 Daniel Walsh 2012-11-08 22:04:09 UTC
Created attachment 641091 [details]
oops wrong patch

Here is the updated patch.  

I think pushing this into libvirt would be difficult.

Comment 4 Daniel Berrangé 2012-11-28 20:34:01 UTC
Merged upstream

http://libvirt.org/git/?p=libvirt.git;a=commit;h=a61583366412cf0254332fc8e3b678d9a3494d7c

Log an audit message with the LXC init pid

Currently the LXC driver logs audit messages when a container
is started or stopped. These audit messages, however, contain
the PID of the libvirt_lxc supervisor process. To enable
sysadmins to correlate with audit messages generated by
processes /inside/ the container, we need to include the
container init process PID.

We can't do this in the main 'start' audit message, since
the init PID is not available at that point. Instead we output
a completely new audit record, that lists both PIDs.

type=VIRT_CONTROL msg=audit(1353433750.071:363): pid=20180 uid=0 auid=501 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='virt=lxc op=init vm="busy" uuid=dda7b947-0846-1759-2873-0f375df7d7eb vm-pid=20371 init-pid=20372 exe="/home/berrange/src/virt/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/6 res=success'

Comment 5 EricLee 2012-12-24 03:28:51 UTC
This bug cannot be verified because Bug 882324 has not been fixed.

# cat toy.xml 
<domain type='lxc'>
  <name>toy</name>
  <uuid>bb428983-cb9f-4702-0f8d-7d4e143d9aad</uuid>
  <memory unit='KiB'>500000</memory>
  <currentMemory unit='KiB'>500000</currentMemory>
  <vcpu>4</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/sh</init>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>

# virsh -c lxc:/// define toy.xml 
Domain toy defined from toy.xml

# virsh -c lxc:/// start toy 
error: Failed to start domain toy
error: internal error Unable to find 'memory' cgroups controller mount

Because Bug 882324 is not fixed.
And audit.log:
# cat /var/log/audit/audit.log
.....
type=VIRT_CONTROL msg=audit(1356318313.853:457): pid=4195 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=lxc op=start reason=booted vm="toy" uuid=bb428983-cb9f-4702-0f8d-7d4e143d9aad vm-pid=0 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
.....

Only 'vm-pid=0' is logged and no 'init-pid=xxxx', because the LXC guest cannot start.

Comment 6 EricLee 2013-01-18 13:23:05 UTC
This bug still cannot be verified because of the new bug:
Bug 901535 - can not start lxc guest with kernel-3.7.0-0.31.el7
Adding it as a "depends on" bug.

Comment 7 Alex Jia 2013-02-01 03:44:51 UTC
(In reply to comment #4)
> 
> type=VIRT_CONTROL msg=audit(1353433750.071:363): pid=20180 uid=0 auid=501
> ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='virt=lxc op=init vm="busy" uuid=dda7b947-0846-1759-2873-0f375df7d7eb
> vm-pid=20371 init-pid=20372
> exe="/home/berrange/src/virt/libvirt/daemon/.libs/lt-libvirtd" hostname=?
> addr=? terminal=pts/6 res=success'

Hi Daniel,
I got a different audit message from yours when I successfully started an LXC guest; please see the following audit log:

<slice>

type=VIRT_MACHINE_ID msg=audit(1359689340.213:4604): pid=1521 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=lxc vm="toy" uuid=f61a1b4d-d6ef-a731-f302-b970f2a9aab2 vm-ctx=? img-ctx=? model=selinux exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1359689340.437:4605): pid=1521 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=lxc resrc=mem reason=start vm="toy" uuid=f61a1b4d-d6ef-a731-f302-b970f2a9aab2 old-mem=0 new-mem=500000 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1359689340.437:4606): pid=1521 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=lxc resrc=vcpu reason=start vm="toy" uuid=f61a1b4d-d6ef-a731-f302-b970f2a9aab2 old-vcpu=0 new-vcpu=4 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_CONTROL msg=audit(1359689340.437:4607): pid=1521 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=lxc op=start reason=booted vm="toy" uuid=f61a1b4d-d6ef-a731-f302-b970f2a9aab2 vm-pid=357 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1359689340.444:4608): avc:  denied  { read } for  pid=358 comm="sh" name=".bash_history" dev="dm-1" ino=397278 scontext=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1359689340.444:4608): arch=c000003e syscall=2 success=no exit=-13 a0=21645d0 a1=0 a2=1b6 a3=14 items=0 ppid=0 pid=358 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts3 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1359689340.444:4609): avc:  denied  { read } for  pid=358 comm="sh" name=".bash_history" dev="dm-1" ino=397278 scontext=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1359689340.444:4609): arch=c000003e syscall=2 success=no exit=-13 a0=21645d0 a1=0 a2=1b6 a3=14 items=0 ppid=0 pid=358 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts3 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 key=(null)

</slice>

There are several questions here. First, I haven't seen the 'init' operation (op=init), only "op=start"; second, I also can't find "init-pid=xxx" in the audit messages; finally, there is an AVC denial (read) in the audit log above.


# rpm -q libvirt kernel audit
libvirt-1.0.0-1.el7.x86_64
kernel-3.7.0-0.33.el7.x86_64
audit-2.2.1-2.el7.x86_64

Comment 8 Daniel Berrangé 2013-02-01 09:30:45 UTC
Did the guest actually start up successfully? The AVC message makes me think it exited on startup due to SELinux denials. If so, this would explain the lack of the init audit message.

Comment 9 Alex Jia 2013-02-01 10:04:35 UTC
(In reply to comment #8)
> Did the guest actually start up successfully ? The AVC message makes me
> thing it exited on startup due to SELinux denials. If so, this would explain
> the lack of the init audit message.

Yes, the previous bug 901535 has been fixed on kernel-3.7.0-0.33.el7.x86_64, I can successfully start a LXC guest now.



# virsh -c lxc:// list
 Id    Name                           State
----------------------------------------------------
 357   toy                            running

# virsh -c lxc:// dumpxml toy
<domain type='lxc' id='357'>
  <name>toy</name>
  <uuid>f61a1b4d-d6ef-a731-f302-b970f2a9aab2</uuid>
  <memory unit='KiB'>500000</memory>
  <currentMemory unit='KiB'>500000</currentMemory>
  <vcpu placement='static'>4</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/sh</init>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <console type='pty' tty='/dev/pts/2'>
      <source path='/dev/pts/2'/>
      <target type='lxc' port='0'/>
      <alias name='console0'/>
    </console>
  </devices>
  <seclabel type='none' model='selinux'/>
</domain>

Comment 10 EricLee 2013-02-04 08:50:52 UTC
Hi Daniel,

As Bug 901535 is verified, I am verifying this bug, and get the expected result as in Comment #1:

<snip>
type=VIRT_CONTROL msg=audit(1359966784.379:6704): pid=27795 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=lxc op=init vm="toy" uuid=bb428983-cb9f-4702-0f8d-7d4e143d9aad vm-pid=28019 init-pid=28029 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
<snip>

Can this bug be set to VERIFIED?

Thanks,
EricLee

Comment 11 Daniel Berrangé 2013-03-06 16:55:15 UTC
It was decided that the init PID is insufficient on its own. Thus we must also include the container PID namespace inode number. Thus the audit message should look like this (note the extra 'pid-ns' field, which reflects the inode of /proc/CONTAINER-INIT-PID/ns/pid).

type=VIRT_CONTROL msg=audit(1362582468.378:50): pid=19284 uid=0 auid=0 ses=312 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='virt=lxc op=init vm="demo" uuid=0770f019-2d4e-09e9-8e4a-719e12b3a18e vm-pid=19620 init-pid=19622 pid-ns=3242 exe="/home/berrange/src/virt/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/6 res=success'

This is posted here:

https://www.redhat.com/archives/libvir-list/2013-March/msg00211.html

Comment 12 Daniel Berrangé 2013-07-02 14:41:59 UTC
commit ab1ef3bc6ced28d6796eb67151ef5a5328344827
Author: Daniel P. Berrange <berrange>
Date:   Wed Mar 6 14:56:49 2013 +0000

    Include pid namespace inode in LXC audit messages
    
    To allow the efficient correlation of container audit messages
    with host hosts, include the pid namespace inode in audit
    messages.

Comment 13 Alex Jia 2013-07-10 07:40:17 UTC
This bug has been verified on libvirt-1.1.0-1.el7.x86_64 with kernel-3.10.0-0.rc7.64.el7.x86_64, so move it to VERIFIED status.

# tail -1 /var/log/audit/audit.log

type=VIRT_CONTROL msg=audit(1373428179.484:14): pid=982 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=lxc op=init vm="toy" uuid=9a1ef54e-1e66-4512-a0a1-47ea9023c7f7 vm-pid=1841 init-pid=1843 pid-ns=4026532272 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
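
As an added example (not part of this bug report and not libvirt's code), the following Python script parses audit records of the shape shown in the comments above into key/value fields, builds a per-container index of the vm-pid, init-pid and pid-ns values announced by the VIRT_CONTROL op=init record, flags containers whose op=start succeeded but for which no op=init record ever followed (the symptom in Comment 7), and checks a recorded pid-ns against the live inode of /proc/<init-pid>/ns/pid, which Comment 11 says is what the field carries. The sample log is a constructed list of records copied from this bug; the field names come from those records, and the regular expressions are my own assumption about the record layout rather than anything the audit or libvirt projects define.

```python
import os
import re

# Added example, not code from the bug report or from libvirt.
# Record layout assumed from the records quoted in this bug:
#   type=<TYPE> msg=audit(<secs>:<serial>): key=value ... msg='key=value ...'
AUDIT_HEAD = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value tokens; values may be bare, "double-quoted" or 'single-quoted'
FIELD = re.compile(
    r"""(?P<key>[\w-]+)=(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>\S*))"""
)

# Constructed sample log: records copied from the comments of this bug.
SAMPLE_LOG = [
    "time->Wed Nov  7 11:22:41 2012",
    """type=VIRT_CONTROL msg=audit(1356318313.853:457): pid=4195 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=lxc op=start reason=booted vm="toy" uuid=bb428983-cb9f-4702-0f8d-7d4e143d9aad vm-pid=0 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'""",
    """type=VIRT_CONTROL msg=audit(1359689340.437:4607): pid=1521 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=lxc op=start reason=booted vm="toy" uuid=f61a1b4d-d6ef-a731-f302-b970f2a9aab2 vm-pid=357 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'""",
    """type=AVC msg=audit(1359689340.444:4608): avc:  denied  { read } for  pid=358 comm="sh" name=".bash_history" dev="dm-1" ino=397278 scontext=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file""",
    """type=VIRT_CONTROL msg=audit(1359966784.379:6704): pid=27795 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=lxc op=init vm="toy" uuid=bb428983-cb9f-4702-0f8d-7d4e143d9aad vm-pid=28019 init-pid=28029 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'""",
    """type=VIRT_CONTROL msg=audit(1373428179.484:14): pid=982 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=lxc op=init vm="toy" uuid=9a1ef54e-1e66-4512-a0a1-47ea9023c7f7 vm-pid=1841 init-pid=1843 pid-ns=4026532272 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'""",
]


def parse_fields(text):
    """Split 'k=v k="v" k='v'' text into a dict; non key=value tokens are skipped."""
    fields = {}
    for m in FIELD.finditer(text):
        fields[m.group("key")] = next(
            v for v in (m.group("dq"), m.group("sq"), m.group("bare")) if v is not None
        )
    return fields


def parse_audit_record(line):
    """Return a dict for one audit record, or None for lines that are not records
    (e.g. the 'time->' separators ausearch prints)."""
    m = AUDIT_HEAD.match(line.strip())
    if not m:
        return None
    fields = parse_fields(m.group("body"))
    inner = fields.pop("msg", None)  # the quoted msg='...' payload of VIRT_* records
    return {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": fields,
        "msg": parse_fields(inner) if inner is not None else {},
    }


def lxc_control_records(lines):
    """Yield the msg payload and serial of successful VIRT_CONTROL records for virt=lxc."""
    for line in lines:
        rec = parse_audit_record(line)
        if rec is None or rec["type"] != "VIRT_CONTROL":
            continue
        msg = rec["msg"]
        if msg.get("virt") == "lxc" and msg.get("res") == "success":
            yield msg, rec["serial"]


def container_index(lines):
    """Map container UUID -> PIDs announced by its op=init record."""
    index = {}
    for msg, serial in lxc_control_records(lines):
        if msg.get("op") != "init":
            continue
        index[msg["uuid"]] = {
            "name": msg.get("vm"),
            "vm_pid": int(msg["vm-pid"]),      # libvirt_lxc supervisor on the host
            "init_pid": int(msg["init-pid"]),  # container init, host PID view
            # pid-ns was added later (Comment 11); older records lack it
            "pid_ns": int(msg["pid-ns"]) if "pid-ns" in msg else None,
            "serial": serial,
        }
    return index


def started_without_init(lines):
    """UUIDs whose op=start succeeded but that never produced an op=init record."""
    started, initialised = set(), set()
    for msg, _ in lxc_control_records(lines):
        if msg.get("op") == "start":
            started.add(msg["uuid"])
        elif msg.get("op") == "init":
            initialised.add(msg["uuid"])
    return started - initialised


def pidns_inode(pid):
    """Inode of /proc/<pid>/ns/pid, the value the pid-ns field records (Linux only)."""
    return os.stat(f"/proc/{pid}/ns/pid").st_ino


def init_still_in_recorded_ns(entry):
    """True only if the recorded init PID still exists in the recorded PID namespace;
    False when it exited, the PID was reused elsewhere, or no pid-ns was recorded."""
    if entry["pid_ns"] is None:
        return False
    try:
        return pidns_inode(entry["init_pid"]) == entry["pid_ns"]
    except (FileNotFoundError, PermissionError):
        return False


if __name__ == "__main__":
    for uuid, entry in container_index(SAMPLE_LOG).items():
        print(uuid, entry, "live:", init_still_in_recorded_ns(entry))
    print("started but no init record:", started_without_init(SAMPLE_LOG))
```

Run as-is it reports on the sample records; pass the lines of /var/log/audit/audit.log to container_index() to index a real host. A record written before the pid-ns follow-up carries no pid-ns field, so the entry's pid_ns is None and the live check answers False rather than guessing a namespace.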

Comment 14 Ludek Smid 2014-06-13 12:37:21 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.