Bug 970871 - [virt-sandbox-service] problem of container with dynamic labelling
Summary: [virt-sandbox-service] problem of container with dynamic labelling
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt-sandbox
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Daniel Berrangé
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On: 921972
Blocks:
 
Reported: 2013-06-05 06:58 UTC by Wayne Sun
Modified: 2019-02-14 02:22 UTC (History)

Fixed In Version: libvirt-sandbox-0.2.1-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 921972
Environment:
Last Closed: 2014-06-13 12:25:45 UTC
Target Upstream Version:
Embargoed:



Description Wayne Sun 2013-06-05 06:58:43 UTC
pkgs
libvirt-sandbox-0.2.0-1.el7.x86_64
libvirt-1.0.6-1.el7.x86_64

If dynamic labelling is only for image files, please update the manual for it.
As starting a container created with -i is blocked by bug 927125, a test that starts a domain created with -i -s dynamic will fail.

+++ This bug was initially created as a clone of Bug #921972 +++

Description of problem:
Create a sandbox without -l and -d; starting the container will then fail to start httpd.service within.

# virt-sandbox-service create -u httpd.service apache11
Created sandbox container dir /var/lib/libvirt/filesystems/apache11
Created sandbox config /etc/libvirt-sandbox/services/apache11.sandbox
Created unit file /etc/systemd/system/httpd

# virt-sandbox-service start apache11
systemd 197 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Detected virtualization 'lxc-libvirt'.

Welcome to Fedora 18 (Spherical Cow)!

Set hostname to <ibm-x3850x5-08.qe.lab.eng.nay.redhat.com>.
Initializing machine ID from container UUID.
[  OK  ] Listening on Delayed Shutdown Socket.
[  OK  ] Reached target Swap.
[  OK  ] Reached target Local File Systems.
[  OK  ] Listening on Journal Socket.
         Starting Recreate Volatile Files and Directories...
         Starting Journal Service...
[  OK  ] Started Journal Service.
[  OK  ] Started Recreate Volatile Files and Directories.
[  OK  ] Reached target System Initialization.
[  OK  ] Listening on D-Bus System Message Bus Socket.
[  OK  ] Reached target Sockets.
[  OK  ] Reached target Basic System.
         Starting The Apache HTTP Server...
httpd.service: main process exited, code=exited, status=1/FAILURE
httpd.service: control process exited, code=exited status=1
[FAILED] Failed to start The Apache HTTP Server.
See 'systemctl status httpd.service' for details.
Unit httpd.service entered failed state

With the default label it will fail to start httpd.service, but with a static label set by -l it works fine.

Version-Release number of selected component (if applicable):
libvirt-sandbox-0.1.0-1.fc18.x86_64
httpd-2.4.3-15.fc18.x86_64
kernel-3.8.2-206.fc18.x86_64

How reproducible:
always

Steps to Reproduce:
1. as description
2.
3.
  
Actual results:
failed to start httpd.service within

Expected results:
should succeed

Additional info:

--- Additional comment from Daniel Walsh on 2013-04-01 14:47:45 EDT ---

The -d stands for dynamic labeling, and theoretically it would only work with an image file, since all of the content on disk would need to be relabeled every time the container starts.

Comment 1 Wayne Sun 2013-06-05 07:04:37 UTC
detailed steps
1. create a container with dynamic label
# virt-sandbox-service -c lxc:/// create -C -u httpd.service -s dynamic -N dhcp,source=default apache12
Created sandbox container dir /var/lib/libvirt/filesystems/apache12
Created unit file /etc/systemd/system/apache12_sandbox.service
Created sandbox config /etc/libvirt-sandbox/services/apache12.sandbox

2. start container
# virt-sandbox-service start apache12
systemd 204 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Detected virtualization 'lxc-libvirt'.

Welcome to Red Hat Enterprise Linux Server 7.0 (Maipo)!

Failed to read configured hostname: Permission denied
Cannot open /etc/machine-id: Permission denied
Failed to open /etc/fstab: Permission denied
  /dev/mapper/control: mknod failed: Operation not permitted
  Failure to communicate with kernel device-mapper driver.
  Check that device-mapper is available in the kernel.
/usr/lib/systemd/system-generators/systemd-fstab-generator exited with exit status 1.
Failed to open directory /etc/systemd/system: Permission denied
opendir(/etc/rc.d/rc1.d) failed: Permission denied
opendir(/etc/rc.d/rc2.d) failed: Permission denied
opendir(/etc/rc.d/rc3.d) failed: Permission denied
opendir(/etc/rc.d/rc4.d) failed: Permission denied
opendir(/etc/rc.d/rc5.d) failed: Permission denied
opendir(/etc/rc.d/rc0.d) failed: Permission denied
opendir(/etc/rc.d/rc6.d) failed: Permission denied
Failed to load default target: Permission denied
Trying to load rescue target...
Failed to isolate default target: Unit sysinit.target failed to load: Permission denied. See system logs and 'systemctl status sysinit.target' for details.

3. start container created with -i -s dynamic
# virt-sandbox-service create -i 1000 -s dynamic -C -u httpd.service -N dhcp,source=default apache20
Created sandbox container image /var/lib/libvirt/images/apache20.raw
Created unit file /etc/systemd/system/apache20_sandbox.service
Created sandbox config /etc/libvirt-sandbox/services/apache20.sandbox

# virt-sandbox-service start apache20
Unable to start container: Failed to create domain: internal error guest failed to start: 2013-06-05 06:42:05.592+0000: 21096: debug :

Comment 3 Daniel Walsh 2013-06-07 20:20:02 UTC
danb, I could check if the user specifies dynamic type to force them to use an image file.

Comment 4 Daniel Berrangé 2013-07-09 14:31:53 UTC
Upstream now refuses to allow dynamic labelling unless an image is used.
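
Added example (not the upstream virt-sandbox-service code): a create-time check of the kind described in comments 3 and 4, which rejects -s dynamic unless -i requests an image. It parses only the short options seen in this bug, given as the arguments after "create"; the function names, argparse dest names and the success message format are assumptions.

```python
import argparse

# Error text as printed by virt-sandbox-service in this bug's verification comment.
DYNAMIC_ERR = "Dynamic security label only supported for image based containers"


def build_parser():
    # Only the short options that appear in this bug's command lines.
    # The dest names are hypothetical, chosen for this example.
    p = argparse.ArgumentParser(prog="sandbox-create-check")
    p.add_argument("-C", dest="copy", action="store_true")
    p.add_argument("-u", dest="units", action="append", default=[])
    p.add_argument("-s", dest="security", default=None)
    p.add_argument("-i", dest="imagesize", type=int, default=None)
    p.add_argument("-N", dest="network", action="append", default=[])
    p.add_argument("name")
    return p


def check_create(argv):
    """Return (ok, message) for the arguments that follow 'create'.

    Dynamic labelling needs the container content relabelled on every
    start, so it is refused unless the container is backed by an image
    file. Failing here, at create time, avoids a container that is
    created successfully but cannot read its own root when started.
    """
    args = build_parser().parse_args(argv)
    # "-s" may carry comma-separated fields; the first one is the mode.
    mode = (args.security or "").split(",", 1)[0]
    if mode == "dynamic" and args.imagesize is None:
        return False, DYNAMIC_ERR
    storage = "image" if args.imagesize is not None else "directory"
    return True, "%s: %s-backed, security=%s" % (
        args.name, storage, mode or "default")


if __name__ == "__main__":
    # Command lines taken from comment 1 (apache12, apache20).
    for argv in (
        ["-C", "-u", "httpd.service", "-s", "dynamic",
         "-N", "dhcp,source=default", "apache12"],
        ["-i", "1000", "-s", "dynamic", "-C", "-u", "httpd.service",
         "-N", "dhcp,source=default", "apache20"],
    ):
        print(check_create(argv))
```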

Comment 5 Wayne Sun 2013-07-10 10:47:53 UTC
pkgs:
libvirt-sandbox-0.2.1-1.el7.x86_64
libvirt-gobject-0.1.6-1.el7.x86_64
libvirt-1.1.0-1.el7.x86_64
kernel-3.9.0-0.55.el7.x86_64
libvirt-gconfig-0.1.7-1.el7.x86_64

steps:
1. create systemd container with dynamic label
# virt-sandbox-service -c lxc:/// create -C -u httpd.service -s dynamic -N dhcp,source=default dynamic_test
/usr/bin/virt-sandbox-service: Dynamic security label only supported for image based containers

2. create systemd container with -i and dynamic label

# virt-sandbox-service create -i 1000 -s dynamic -C -u httpd.service -N dhcp,source=default dynamic_img
Created sandbox container image /var/lib/libvirt/images/dynamic_img.raw
Created unit file /etc/systemd/system/dynamic_img_sandbox.service
Created sandbox config /etc/libvirt-sandbox/services/dynamic_img.sandbox

# virt-sandbox-service start dynamic_img
Unable to start container: Failed to create domain: internal error guest failed to start: 2013-07-10 10:42:23.437+0000: 3561: debug : virFileClose:

this is tracked by bug 927125

so this is fixed.

Comment 7 Ludek Smid 2014-06-13 12:25:45 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

