Bug 890301
| Field | Value |
|---|---|
| Summary: | [hypervkvpd] Denied read/write when injecting IP to RHEL6.4 guest from Hyper-V Server 2012 |
| Product: | Red Hat Enterprise Linux 6 |
| Component: | hypervkvpd |
| Version: | 6.4 |
| Hardware: | x86_64 |
| OS: | Linux |
| Status: | CLOSED ERRATA |
| Severity: | high |
| Priority: | high |
| Target Milestone: | rc |
| Reporter: | Qin Guan <qguan> |
| Assignee: | Tomáš Hozza <thozza> |
| QA Contact: | Virtualization Bugs <virt-bugs> |
| CC: | ddeng, ddumas, dwalsh, habdi, jasowang, jbian, kys, leiwang, mmalik, ovasik, qguan, shwang |
| Fixed In Version: | hypervkvpd-0-0.9.el6 |
| Doc Type: | Bug Fix |
| Type: | Bug |
| Last Closed: | 2013-02-21 11:01:48 UTC |
| Bug Blocks: | 895654 |

Note that the IP injection still fails after SELinux is set to disabled.
The message "avc: denied { read write }" is gone, but the guest IP is still not changed.
No message was written into the kvp pool files.
K.Y., do you have any idea where the problem might be? Did you encounter an issue like this when developing and testing the IP injection functionality? Thanks!

This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.

Looks like the operations were blocked by SELinux. Please re-test with SELinux disabled.

(In reply to comment #5)
> Looks like the operations were blocked by SELinux. Please re-test with
> SELinux disabled.
The IP injection function does not work after setting SELinux to disabled.

Add the blocker flag as it's a new feature to be supported in 6.4.0.

Sorry for the delayed response; I was on vacation. Hashir, could you please have this replicated; I can take a look. Nick has done all of the IP injection testing on our side.

Looks like there are two issues:
1) According to the code, we need to rename the sample scripts to hv_get_dhcp_info, hv_get_dns_info and hv_set_ifconfig
2) A typo in hv_set_ifconfig.sh; I have sent a patch to fix this
diff --git a/tools/hv/hv_set_ifconfig.sh b/tools/hv/hv_set_ifconfig.sh
index 3e9427e..daf7ec0 100755
--- a/tools/hv/hv_set_ifconfig.sh
+++ b/tools/hv/hv_set_ifconfig.sh
@@ -65,4 +65,4 @@ cp $1 /etc/sysconfig/network-scripts/
interface=$(echo $1 | awk -F - '{ print $2 }')
/sbin/ifdown $interface 2>/dev/null
-/sbin/ifup $interfac 2>/dev/null
+/sbin/ifup $interface 2>/dev/null
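Review bot: the corrected `/sbin/ifup $interface 2>/dev/null` line still throws away stderr and ignores the exit status, which is how the misspelled `$interfac` went unnoticed: the variable expanded to nothing and whatever ifup complained about went to /dev/null. Consider logging failures of `ifdown`/`ifup` (for example through `logger`) and exiting non-zero so the daemon can report the error. While here, quote `"$1"` and `"$interface"` in the `cp`, `ifdown` and `ifup` lines, and note that `awk -F - '{ print $2 }'` keeps only the second hyphen-separated field of `$1`, so a path or interface name containing another hyphen yields the wrong name.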
Btw, in the long run, we need a log or an error reporting mechanism for IP injection.

There will still be an SELinux policy issue regarding the Bug Description, therefore I created Bug #892137.

This is not an SELinux issue, it is leaked file descriptors to /var/lib/hyperv/*
Every one of these needs to have its file descriptor closed on exec.
fcntl(fd, F_SETFD, FD_CLOEXEC)
Or add FD_CLOEXEC to the open calls.
http://danwalsh.livejournal.com/53603.html

BTW does hypervkvpd have policy written for it?
ps -eZ | grep hypervkvpd

# service hypervkvpd restart
Shutting down Hyper-V KVP daemon [ OK ]
Starting Hyper-V KVP daemon [ OK ]
# ps -efZ | grep hv_kvp
unconfined_u:system_r:initrc_t:s0 root 23320 1 0 08:56 ? 00:00:00 /usr/sbin/hv_kvp_daemon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 23329 23261 0 08:56 pts/0 00:00:00 grep hv_kvp
#

(In reply to comment #12)
> Three problems here:
>
> 1. The typo is still not fixed:
> # cat /usr/libexec/hypervkvpd/hv_set_ifconfig | grep ifup
> /sbin/ifup $interfac 2>/dev/null
>
> It may be caused by the permission of this patch:
> -rw------- 1 root root 1019 Jan 5 06:28
> hypervkvpd-0-fix_a_typo_in_hv_set_ifconfig_sh.patch

I see. I fixed it.

> 2. The auto pool (.kvp_pool_3) is empty when first installed and started the
> hypervkvpd service:
> # ll /var/lib/hyperv/.kvp_pool_3
> -rw-r--r-- 1 root root 0 Jan 5 18:08 .kvp_pool_3
>
> It's ok after the guest rebooted:
> -rw-r--r-- 1 root root 28160 Jan 6 07:13 .kvp_pool_3
>
> Previously the content of .kvp_pool_3 is created during the daemon
> initialization.

The initialization should be executed in the same manner as before. The only difference is that the "/var/lib/hyperv" directory is not created because it already exists.

> 3. The interface name should be "DEVICE" rather than "IF_NAME" in the
> configuration file:
> #cat /var/lib/hyperv/ifcfg-eth1 | grep eth
> IF_NAME=eth1
>
> It should be:
> DEVICE=eth1

After inspection I also see another issue with "BOOTPROTO". It will not be set to "BOOTPROTO=none" if DHCP is not enabled.
I will prepare patches for this and for the issue mentioned in comment #13 and send them upstream first. Then I will prepare a new scratch build for you to test.

Comment 13: Would you please submit a patch for this to the upstream code.

Created attachment 674755 [details]
Fix how ifcfg-* file is created
Patch sent to upstream.
Created attachment 674756 [details]
Use CLOEXEC to prevent file descriptor leakage
Patch sent to upstream
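
The leak diagnosed earlier in this thread, as an added example in C that is not part of the bug report or the hypervkvpd source: a descriptor opened without close-on-exec is still open in an exec'd helper (the situation in which SELinux logged `ip` touching the pool files), while `O_CLOEXEC` (the flag open(2) takes for this) or `fcntl(fd, F_SETFD, FD_CLOEXEC)` closes it at exec. The temp file path, the enum and the function names are assumptions made for the demo, and the check relies on Linux `/proc`.

```c
/* Added example, not hypervkvpd source. Linux-only: the exec'd shell
 * inspects /proc/self/fd. A temp file stands in for a .kvp_pool_N file. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

enum open_mode { LEAKY, CLOEXEC_AT_OPEN, CLOEXEC_VIA_FCNTL };

static int open_pool(const char *path, enum open_mode mode)
{
    /* O_CLOEXEC sets close-on-exec atomically with the open. */
    int fd = open(path, O_RDWR | (mode == CLOEXEC_AT_OPEN ? O_CLOEXEC : 0));
    /* Two-step form quoted in the thread: fd is inheritable in between. */
    if (fd >= 0 && mode == CLOEXEC_VIA_FCNTL &&
        fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* fork+exec a helper, as a daemon does when it runs its scripts.
 * Returns 1 if the helper still holds fd, 0 if not, -1 on error. */
static int fd_survives_exec(int fd)
{
    char cmd[64];
    int status;
    snprintf(cmd, sizeof cmd, "test -e /proc/self/fd/%d", fd);
    pid_t pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                       /* exec itself failed */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 127 ? -1 : WEXITSTATUS(status) == 0;
}

/* Create a temp file, reopen it in the given mode, test it, clean up. */
int leaks_to_child(enum open_mode mode)
{
    char path[] = "/tmp/kvp_pool_demo_XXXXXX";
    int tmp = mkstemp(path);
    if (tmp < 0) return -1;
    close(tmp);
    int fd = open_pool(path, mode);
    int leaked = fd < 0 ? -1 : fd_survives_exec(fd);
    if (fd >= 0) close(fd);
    unlink(path);
    return leaked;
}

int main(void)
{
    for (int m = LEAKY; m <= CLOEXEC_VIA_FCNTL; m++)
        printf("mode %d: leaked=%d\n", m, leaks_to_child((enum open_mode)m));
    return 0;
}
```

In a threaded program only the `O_CLOEXEC` form is free of the window in which another thread's fork and exec can inherit the descriptor.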
Created attachment 674758 [details]
Fix for the typo error
Patch sent to upstream by Jason Wang
The result below is based on testing with hypervkvpd-0-0.8.3 (https://brewweb.devel.redhat.com/taskinfo?taskID=5246379).

After setting SELinux to enforcing, the message "Denied read/write" is gone. For the IP injection, there are still three problems.

# issue 1, the typo still exists:

Tested with the new scratch build (hypervkvpd-0-0.8.3), this typo still exists. The reason is not known yet:
# cat /usr/libexec/hypervkvpd/hv_set_ifconfig | grep ifup
/sbin/ifup $interfac 2>/dev/null

# issue 2, this update (both in 0.8.2 and 0.8.3) does break the automatic generation of the content of the file .kvp_pool_3.

Could you please check what happened with this change?

# issue 3, there is a new regression here. The injected parameters do not show up in the new interface configuration file:

Before fix (tested with hypervkvpd-0-0.8.2):
# cat /etc/sysconfig/network-scripts/ifcfg-eth1
HWADDR=00:15:5D:48:20:0B
IF_NAME=eth1
IPADDR=10.66.72.162
NETMASK=255.255.254.0
GATEWAY=10.66.73.254
DNS1=10.66.78.117
IPV6INIT=yes
NM_CONTROLLED=no
PEERDNS=yes
ONBOOT=yes

After fix (tested with hypervkvpd-0-0.8.3), the IPADDR/NETMASK/GATEWAY/DNS1 are missing:
# cat /var/lib/hyperv/ifcfg-eth1
HWADDR=00:15:5D:48:20:0B
DEVICE=eth1
BOOTPROTO=none
IPV6INIT=yes
NM_CONTROLLED=no
PEERDNS=yes
ONBOOT=yes

The parameters (IPADDR/NETMASK/GATEWAY/DNS1) are injected through SetGuestNetworkAdapterConfiguration from the host side (see attachment for detail):

Part of the PowerShell script:
...
$vmGuest = "kvp-rhel6u4-64"
$VMIP = Get-VMIPAddress $vmGuest
#Setting the VM Network settings to a static IPv4 address $VMIP
$VMIP.DNSServers = @("10.66.78.117")
$VMIP.IPAddresses = @("10.66.72.162")
$VMIP.DefaultGateways = @("10.66.73.254")
$VMIP.Subnets = @("255.255.254.0")
$VMIP.DHCPEnabled = $False
Set-VMIPAddress $vmGuest $VMIP
...

Created attachment 676926 [details]
Fix how ifcfg-* file is created
Fixed patch
(In reply to comment #25)
> # issue 1, the typo is still exists:
>
> Tested with the new scratch build (hypervkvpd-0-0.8.3), this typo is still
> exists. Not known the reason yet:
> # cat /usr/libexec/hypervkvpd/hv_set_ifconfig | grep ifup
> /sbin/ifup $interfac 2>/dev/null

Fixed and tested.

> # issue 2, this update (both in 0.8.2 and 0.8.3) does break the
> automatically generating of content of the file .kvp_pool_3.
>
> Could you please check that what happened to this change?

This is not an issue! .kvp_pool_3 is not generated on the hypervkvpd start. Previously there was a mistake in the SPEC file which caused the daemon package not to delete the "/var/lib/hyperv" directory when it was removed. The "generated" .kvp_pool_3 was in fact not generated; it was the file previously created by the daemon during a KVP_OP_SET operation (setting some KEY-VALUE passed by the host to the guest).

If you try to remove the hypervkvpd package and then install the original hypervkvpd-0-0.8 package you will see that the .kvp_pool_3 will be empty.

> # issue 3, there is a new regression here. The injected parameters is not
> shown up in the new interface configuration file:
>
> Before fix (tested with hypervkvpd-0-0.8.2):
> # cat /etc/sysconfig/network-scripts/ifcfg-eth1
> HWADDR=00:15:5D:48:20:0B
> IF_NAME=eth1
> IPADDR=10.66.72.162
> NETMASK=255.255.254.0
> GATEWAY=10.66.73.254
> DNS1=10.66.78.117
> IPV6INIT=yes
> NM_CONTROLLED=no
> PEERDNS=yes
> ONBOOT=yes

I fixed this, but note that there are some changes in the generated ifcfg-* file.
There will be
IPADDR0= instead of IPADDR=
NETMASK0= instead of NETMASK=

For more information about the syntax of the generated ifcfg-* file, please see the commented header of the /usr/libexec/hypervkvpd/hv_set_ifconfig file.

You can try the following scratch build:
https://brewweb.devel.redhat.com/taskinfo?taskID=5261908

(In reply to comment #27)
I am assuming that the scratch build is meant for Qin Guan's verification?
> You can try the following scratch build:
> https://brewweb.devel.redhat.com/taskinfo?taskID=5261908

(In reply to comment #28)
> I am assuming that the scratch build is meant for Qin Guan's verification?

That is correct.

Qin, did you test the scratch build?

(In reply to comment #29)
> (In reply to comment #28)
> > I am assuming that the scratch build is meant for Qin Guan's verification?
>
> That is correct.
>
> Qin, did you test the scratch build?

Yes, tested PASS with this scratch build (hypervkvpd-0-0.8.7.el6.x86_64.rpm).

All the problems mentioned in comment 27 are resolved except the #issue 2 (the .kvp_pool_3 is empty when hypervkvpd is first started).

If we treat this as not an issue, we need to document something such as

*a step of guest reboot is requested*

in the RHEL6.4 Known Issues, or the user could not get the kvp information the first time the hypervkvpd package is installed.

Otherwise, there would be some confusion for customers.

(In reply to comment #30)
> Yes, tested PASS with this scratch build(hypervkvpd-0-0.8.7.el6.x86_64.rpm).
>
> All the problems mentioned in comment 27 are resolved except the #issue 2
> (the .kvp_pool_3 is empty when first initiate the hypervkvpd).
>
> If we treat this as not an issue, we need document such as
>
> *a step of guest reboot is requested*
>
> into the RHEL6.4 Known Issue, or user could not get the kvp information at
> the first time installed the hypervkvpd package.
>
> Otherwise, there should be some confusion for the customer using.

I tested the issue #2 (empty pool files after reinstall) again and verified that this is not a behaviour change. The original hypervkvpd-0-0.8.el6.x86_64.rpm package creates empty pool files, too.

Anyway the issue #2 is not connected to this Bug. It is connected to Bug #886781 and should be tracked there.

Thanks Tomas... From our end, we shall document this issue in the LIS documentation... Suggest we close this issue and track 886781

(In reply to comment #36)
> Thanks Tomas... From our end, we shall document this issue in the LIS
> documentation... Suggest we close this issue and track 886781

You are welcome. This Bug will be closed automatically once it is VERIFIED and the Erratum including this Bug will be available through RHN.

Tested PASS as above, mark the status as VERIFIED.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHEA-2013-0484.html

Description of problem:
Failed to inject IP into RHEL6.4 guest by using the WMI method SetGuestNetworkAdapterConfiguration from PowerShell on a Hyper-V Server 2012 host. (The same test passed with a Windows 2012 guest)

The following messages were found in the /var/log/message on the guest:
./messages:Dec 26 08:20:03 dhcp-66-73-131 kernel: type=1400 audit(1356481203.642:29352): avc: denied { read write } for pid=2563 comm="ip" path="/var/lib/hyperv/.kvp_pool_0" dev=sda2 ino=260765 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
./messages:Dec 26 08:20:03 dhcp-66-73-131 kernel: type=1400 audit(1356481203.642:29353): avc: denied { read write } for pid=2563 comm="ip" path="/var/lib/hyperv/.kvp_pool_1" dev=sda2 ino=260766 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
...

Version-Release number of selected component (if applicable):
Host: Windows 2012 Hyper-V Server Core
Guest: RHEL6.4 guest (2.6.32-348.el6.x86_64)
hypervkvpd-0-0.8.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Start a RHEL6.4 guest with a para-virtualized Network Adapter.
2. Install and start the hypervkvpd daemon (a guest reboot might be requested).
3. Make sure hypervkvpd is running and the kvp pool files are generated:
# /etc/init.d/hypervkvpd status
hv_kvp_daemon (pid 1489) is running...
# ls /var/lib/hyperv/.kvp* -l
-rw-r--r--. 1 root root 0 Dec 26 07:12 /var/lib/hyperv/.kvp_pool_0
-rw-r--r--. 1 root root 0 Dec 26 07:12 /var/lib/hyperv/.kvp_pool_1
-rw-r--r--. 1 root root 0 Dec 26 07:12 /var/lib/hyperv/.kvp_pool_2
-rw-r--r--. 1 root root 28160 Dec 26 07:14 /var/lib/hyperv/.kvp_pool_3
-rw-r--r--. 1 root root 0 Dec 26 07:12 /var/lib/hyperv/.kvp_pool_4
4. Set the guest IP from the host side:
$Service = Get-WmiObject -Class "Msvm_VirtualSystemManagementService" -Namespace "root\virtualization\v2"
$Service.SetGuestNetworkAdapterConfiguration($VM, $IPSettings.GetText(1))
Where "$VM" is the RHEL6.4 guest, and "$IPSettings" is the new IP to be injected. (Please see the attachment for the detailed WMI PowerShell script)
5. Check that the IP configuration is not changed on the guest.
6. There are "denied { read write }" messages in the guest log file:
./messages:Dec 26 08:20:03 dhcp-66-73-131 kernel: type=1400 audit(1356481203.642:29352): avc: denied { read write } for pid=2563 comm="ip" path="/var/lib/hyperv/.kvp_pool_0" dev=sda2 ino=260765 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
./messages:Dec 26 08:20:03 dhcp-66-73-131 kernel: type=1400 audit(1356481203.642:29353): avc: denied { read write } for pid=2563 comm="ip" path="/var/lib/hyperv/.kvp_pool_1" dev=sda2 ino=260766 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
./messages:Dec 26 08:20:03 dhcp-66-73-131 kernel: type=1400 audit(1356481203.642:29354): avc: denied { read write } for pid=2563 comm="ip" path="/var/lib/hyperv/.kvp_pool_2" dev=sda2 ino=260767 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
./messages:Dec 26 08:20:03 dhcp-66-73-131 kernel: type=1400 audit(1356481203.642:29355): avc: denied { read write } for pid=2563 comm="ip" path="/var/lib/hyperv/.kvp_pool_3" dev=sda2 ino=260768 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
./messages:Dec 26 08:20:03 dhcp-66-73-131 kernel: type=1400 audit(1356481203.642:29356): avc: denied { read write } for pid=2563 comm="ip" path="/var/lib/hyperv/.kvp_pool_4" dev=sda2 ino=260769 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
./messages:Dec 26 08:20:03 dhcp-66-73-131 kernel: type=1400 audit(1356481203.654:29357): avc: denied { read write } for pid=2566 comm="ip" path="/var/lib/hyperv/.kvp_pool_0" dev=sda2 ino=260765 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
./messages:Dec 26 08:20:03 dhcp-66-73-131 kernel: type=1400 audit(1356481203.654:29358): avc: denied { read write } for pid=2566 comm="ip" path="/var/lib/hyperv/.kvp_pool_1" dev=sda2 ino=260766 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
./messages:Dec 26 08:20:03 dhcp-66-73-131 kernel: type=1400 audit(1356481203.654:29359): avc: denied { read write } for pid=2566 comm="ip" path="/var/lib/hyperv/.kvp_pool_2" dev=sda2 ino=260767 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
./messages:Dec 26 08:20:03 dhcp-66-73-131 kernel: type=1400 audit(1356481203.654:29360): avc: denied { read write } for pid=2566 comm="ip" path="/var/lib/hyperv/.kvp_pool_3" dev=sda2 ino=260768 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
./messages:Dec 26 08:20:03 dhcp-66-73-131 kernel: type=1400 audit(1356481203.654:29361): avc: denied { read write } for pid=2566 comm="ip" path="/var/lib/hyperv/.kvp_pool_4" dev=sda2 ino=260769 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

Actual results:
In step 5, IP injection failed.
In step 6, there are "denied { read write }" messages in the guest log.

Expected results:
In step 5, IP injection succeeds.
In step 6, no exception is found in the guest log.

Additional info:
The same test passed with a Windows 2012 guest.