Bug 970871 - [virt-sandbox-service] problem of container with dynamic labelling
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt-sandbox
Version: 7.0
Hardware: x86_64 Linux
Priority: medium, Severity: medium
Target Milestone: rc
Assigned To: Daniel Berrange
QA Contact: Virtualization Bugs
Depends On: 921972
Reported: 2013-06-05 02:58 EDT by Wayne Sun
Modified: 2014-06-13 08:25 EDT
Fixed In Version: libvirt-sandbox-0.2.1-1.el7
Doc Type: Bug Fix
Clone Of: 921972
Last Closed: 2014-06-13 08:25:45 EDT
Type: Bug
Description Wayne Sun 2013-06-05 02:58:43 EDT
pkgs
libvirt-sandbox-0.2.0-1.el7.x86_64
libvirt-1.0.6-1.el7.x86_64

If dynamic labelling is only for image files, please update the manual for it.
As starting a container created with -i is blocked by bug 927125, a test that starts a domain created with -i -s dynamic will fail.

+++ This bug was initially created as a clone of Bug #921972 +++

Description of problem:
Create a sandbox without -l and -d; starting the container then fails to start httpd.service within.

# virt-sandbox-service create -u httpd.service apache11
Created sandbox container dir /var/lib/libvirt/filesystems/apache11
Created sandbox config /etc/libvirt-sandbox/services/apache11.sandbox
Created unit file /etc/systemd/system/httpd@apache11.service

# virt-sandbox-service start apache11
systemd 197 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Detected virtualization 'lxc-libvirt'.

Welcome to Fedora 18 (Spherical Cow)!

Set hostname to <ibm-x3850x5-08.qe.lab.eng.nay.redhat.com>.
Initializing machine ID from container UUID.
[  OK  ] Listening on Delayed Shutdown Socket.
[  OK  ] Reached target Swap.
[  OK  ] Reached target Local File Systems.
[  OK  ] Listening on Journal Socket.
         Starting Recreate Volatile Files and Directories...
         Starting Journal Service...
[  OK  ] Started Journal Service.
[  OK  ] Started Recreate Volatile Files and Directories.
[  OK  ] Reached target System Initialization.
[  OK  ] Listening on D-Bus System Message Bus Socket.
[  OK  ] Reached target Sockets.
[  OK  ] Reached target Basic System.
         Starting The Apache HTTP Server...
httpd.service: main process exited, code=exited, status=1/FAILURE
httpd.service: control process exited, code=exited status=1
[FAILED] Failed to start The Apache HTTP Server.
See 'systemctl status httpd.service' for details.
Unit httpd.service entered failed state

with default label it will fail to start httpd.service, but with static label by -l it works fine

Version-Release number of selected component (if applicable):
libvirt-sandbox-0.1.0-1.fc18.x86_64
httpd-2.4.3-15.fc18.x86_64
kernel-3.8.2-206.fc18.x86_64

How reproducible:
always

Steps to Reproduce:
1. As in the description
Actual results:
failed to start httpd.service within

Expected results:
should succeed

Additional info:

--- Additional comment from Daniel Walsh on 2013-04-01 14:47:45 EDT ---

The -d stands for dynamic labeling and theoretically it would only work with an image file, since all of the content on disk would need to be relabeled every time the container starts.
Comment 1 Wayne Sun 2013-06-05 03:04:37 EDT
detailed steps
1. create a container with dynamic label
# virt-sandbox-service -c lxc:/// create -C -u httpd.service -s dynamic -N dhcp,source=default apache12
Created sandbox container dir /var/lib/libvirt/filesystems/apache12
Created unit file /etc/systemd/system/apache12_sandbox.service
Created sandbox config /etc/libvirt-sandbox/services/apache12.sandbox

2. start container
# virt-sandbox-service start apache12
systemd 204 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Detected virtualization 'lxc-libvirt'.

Welcome to Red Hat Enterprise Linux Server 7.0 (Maipo)!

Failed to read configured hostname: Permission denied
Cannot open /etc/machine-id: Permission denied
Failed to open /etc/fstab: Permission denied
  /dev/mapper/control: mknod failed: Operation not permitted
  Failure to communicate with kernel device-mapper driver.
  Check that device-mapper is available in the kernel.
/usr/lib/systemd/system-generators/systemd-fstab-generator exited with exit status 1.
Failed to open directory /etc/systemd/system: Permission denied
opendir(/etc/rc.d/rc1.d) failed: Permission denied
opendir(/etc/rc.d/rc2.d) failed: Permission denied
opendir(/etc/rc.d/rc3.d) failed: Permission denied
opendir(/etc/rc.d/rc4.d) failed: Permission denied
opendir(/etc/rc.d/rc5.d) failed: Permission denied
opendir(/etc/rc.d/rc0.d) failed: Permission denied
opendir(/etc/rc.d/rc6.d) failed: Permission denied
Failed to load default target: Permission denied
Trying to load rescue target...
Failed to isolate default target: Unit sysinit.target failed to load: Permission denied. See system logs and 'systemctl status sysinit.target' for details.

3. start container created with -i -s dynamic
# virt-sandbox-service create -i 1000 -s dynamic -C -u httpd.service -N dhcp,source=default apache20
Created sandbox container image /var/lib/libvirt/images/apache20.raw
Created unit file /etc/systemd/system/apache20_sandbox.service
Created sandbox config /etc/libvirt-sandbox/services/apache20.sandbox

# virt-sandbox-service start apache20
Unable to start container: Failed to create domain: internal error guest failed to start: 2013-06-05 06:42:05.592+0000: 21096: debug :
Comment 3 Daniel Walsh 2013-06-07 16:20:02 EDT
danb, I could check if the user specifies dynamic type to force them to use an image file.
Comment 4 Daniel Berrange 2013-07-09 10:31:53 EDT
Upstream now refuses to allow dynamic labelling unless an image is used.
Comment 5 Wayne Sun 2013-07-10 06:47:53 EDT
pkgs:
libvirt-sandbox-0.2.1-1.el7.x86_64
libvirt-gobject-0.1.6-1.el7.x86_64
libvirt-1.1.0-1.el7.x86_64
kernel-3.9.0-0.55.el7.x86_64
libvirt-gconfig-0.1.7-1.el7.x86_64

steps:
1. create systemd container with dynamic label
# virt-sandbox-service -c lxc:/// create -C -u httpd.service -s dynamic -N dhcp,source=default dynamic_test
/usr/bin/virt-sandbox-service: Dynamic security label only supported for image based containers

2. create systemd container with -i and dynamic label

# virt-sandbox-service create -i 1000 -s dynamic -C -u httpd.service -N dhcp,source=default dynamic_img
Created sandbox container image /var/lib/libvirt/images/dynamic_img.raw
Created unit file /etc/systemd/system/dynamic_img_sandbox.service
Created sandbox config /etc/libvirt-sandbox/services/dynamic_img.sandbox

# virt-sandbox-service start dynamic_img
Unable to start container: Failed to create domain: internal error guest failed to start: 2013-07-10 10:42:23.437+0000: 3561: debug : virFileClose:

this is tracked by bug 927125

so this is fixed.
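
The refusal discussed in Comments 3 to 5, modelled as an added Python example (not the virt-sandbox-service source): it parses only the create options that appear in this report and returns the error string shown in Comment 5. It assumes the labelling mode is the first comma-separated token of -s; relabel_count is a hypothetical helper that counts what a directory-backed root would need relabelled on each start.

```python
import argparse
import os

ERR = "Dynamic security label only supported for image based containers"


def parse_create(argv):
    """Parse the subset of 'create' options used in this bug report."""
    p = argparse.ArgumentParser(prog="virt-sandbox-service create", add_help=False)
    p.add_argument("-i", dest="imagesize", type=int)    # image size: image-backed container
    p.add_argument("-s", dest="security", default="")   # security option, e.g. "dynamic"
    p.add_argument("-C", dest="copy", action="store_true")
    p.add_argument("-u", dest="units", action="append", default=[])
    p.add_argument("-N", dest="network")
    p.add_argument("name")
    return p.parse_args(argv)


def label_mode(security):
    # Assumption: the mode is the first comma-separated token of the -s value.
    return security.split(",", 1)[0].strip().lower()


def check_create(argv):
    """Return None when the request is acceptable, else the refusal message."""
    opts = parse_create(argv)
    if label_mode(opts.security) == "dynamic" and opts.imagesize is None:
        return ERR
    return None


def relabel_count(root):
    """Count the objects under a directory-backed container root, each of which
    would need a fresh label on every start if the label were dynamic."""
    total = 1  # the root directory itself
    for _dirpath, dirs, files in os.walk(root):
        total += len(dirs) + len(files)
    return total


if __name__ == "__main__":
    # Command lines taken from the comments above (options after 'create').
    for cmd in ("-C -u httpd.service -s dynamic -N dhcp,source=default apache12",
                "-i 1000 -s dynamic -C -u httpd.service -N dhcp,source=default apache20",
                "-u httpd.service apache11"):
        print(cmd.split()[-1], "->", check_create(cmd.split()) or "accepted")
```
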
Comment 7 Ludek Smid 2014-06-13 08:25:45 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.