<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12pt"><br><div style="display: block;" class="yahoo_quoted"><font face="Arial" size="2">Laine Stump <laine@laine.org> wrote on Wednesday, 15 January 2014 at 9:17:<br> </font> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12pt;"><div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12pt;"> <div class="y_msg_container"><div id="yiv0386782083"><div>
<div class="yiv0386782083moz-cite-prefix">On 01/15/2014 10:05 AM, Karoline Haus
wrote:<br clear="none">
</div>
<blockquote type="cite">
<div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12pt;">
<div>Good morning,</div>
<div><br clear="none">
</div>
<div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;">I'm using libvirtd on Gentoo.</div>
<div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;">This is libvirt version: 1.1.3.1</div>
<div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;"><br clear="none">
</div>
<div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;">I have trouble starting a VM using virsh start $vm. I
do this as root, because as non-root user it did not work at
all (especially it failed attaching to the networks). So, when
I run the command (with sudo), I get the following error in
libvirtd.log:</div>
<div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;"><br clear="none">
</div>
<div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;">2014-01-15 07:51:00.423+0000: 16158: warning :
qemuDomainObjTaint:1573 : Domain id=5 name='vader'
uuid=f5b8c05b-9c7a-3211-49b9-2bd635f7e2aa is tainted:
high-privileges<br clear="none">
</div>
</div>
</blockquote>
<br clear="none">
This usually means that libvirt has been configured to run the qemu
process as root, which introduces the possibility that a guest
exploiting some theoretical security exploit in qemu could gain
control of the host system. Normally libvirt installations will by
default be configured to run the qemu-kvm process as user qemu, with
all privilege bits cleared; either gentoo's default install of
libvirt doesn't set things up this way, or you or someone else has
modified /etc/libvirt/qemu.conf to change the "user" and "group"
parameters to "root".<br clear="none">
<br clear="none">
To fix this problem, edit /etc/libvirt/qemu.conf and either comment
out those two parameters (if they aren't already commented out), or
change them to set both user and group to "qemu" (assuming that
gentoo follows the standard of adding a "qemu" user when installing
libvirt), then restart the libvirt service and try starting the
guest again.<br clear="none">
<br clear="none">
Note, however, that this is a *warning*, not an error, so the guest
should still be starting up and running. If not, then there should
be some subsequent error message in the log (and/or look at the end
of /var/log/libvirt/qemu/${vm}.log for error messages from qemu).<br clear="none">
<br clear="none">
<blockquote type="cite">
<div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12pt;">
<div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;">2014-01-15 07:51:00.428+0000: 16158: error :
virDBusCallMethod:1173 : Launch helper exited with unknown
return code 1</div>
<div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;"><br clear="none">
</div>
<div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;">At the same time I get an error in /var/log/messages
which seems related:</div>
<div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;">Jan 15 07:51:00 dbus[15845]: [system] Activating
service name='org.freedesktop.machine1' (using servicehelper)<br clear="none">
Jan 15 07:51:00 dbus[15845]: [system] Activated service
'org.freedesktop.machine1' failed: Launch helper exited with
unknown return code 1</div>
<div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;"><br clear="none">
</div>
<div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;">Anyone ever seen this issue? I have no idea where to
look for errors because the messages don't really tell me much.</div>
</div>
</blockquote>
<br clear="none">
The problem is that the part that tells you something is pretty
short: "Domain [...] is tainted: high-privileges"<br clear="none">
<br clear="none">
<blockquote type="cite">
<div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12pt;">
<div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;"> I have tried to execute the qemu-kvm command on the
command line directly and that worked immediately.</div>
</div>
</blockquote>
<br clear="none">
Because when you run qemu-kvm from the command line, it is being run
as root. libvirt goes to great lengths to enable running the
qemu-kvm process as "unprivileged" as possible, so that any
potential security exploits in qemu-kvm will be as limited as
possible in the damage they can do. Any operation that requires
elevated privileges (e.g. creating a tap device to hook up the
guest's networking, modifying the selinux labelling of various
resources) is done by libvirt, which passes open file descriptors to
the newly created resources to a qemu-kvm process that has been
created running as an unprivileged user, with all privilege bits
reset and pretty much all system resources limited by cgroups.<div class="yiv0386782083yqt5219376352" id="yiv0386782083yqtfd55727"><br clear="none">
<br clear="none">
</div><blockquote type="cite"><div class="yiv0386782083yqt5219376352" id="yiv0386782083yqtfd40716">
</div><div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12pt;"><div class="yiv0386782083yqt5219376352" id="yiv0386782083yqtfd21620">
<div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;">So the problem must be in libvirt.</div></div>
</div>
</blockquote>
<br clear="none">
Well, in your system's libvirt configuration anyway.<div class="yiv0386782083yqt5219376352" id="yiv0386782083yqtfd82989"><br clear="none">
<br clear="none">
</div></div></div><br>The problem is not the "Domain is tainted" issue. I have set the privileges back to user libvirt (I had set it to root myself in libvirtd.conf) and the problem still exists.<br><br>2014-01-15 10:42:34.963+0000: 16162: info : libvirt version: 1.1.3.1<br>2014-01-15 10:42:34.963+0000: 16162: error : virDBusCallMethod:1173 : Launch helper exited with unknown return code 1<br><br>You can see now the "Domain is tainted" error (warning!) doesn't show anymore, but the domain still does not start. The only error message I get is the one above. <br><br>In /var/log/messages I still get:<br><br>Jan 15 10:42:34 dbus[15845]: [system] Activating service name='org.freedesktop.machine1' (using servicehelper)<br>Jan 15 10:42:34 dbus[15845]: [system] Activated service 'org.freedesktop.machine1' failed: Launch helper exited with unknown return code 1<br><br>I think the problem is in org.freedesktop.machine1. For some reason, that service
cannot be activated, but I don't understand why.<br><br>Any help would be greatly appreciated.<br></div> </div> </div> </div> </div></body></html>
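The two checks Laine's reply implies, reading the effective user/group from a qemu.conf and separating the taint warning from real error lines in libvirtd.log, as an added shell example that is not part of this thread; the config and log samples are constructed in a temp directory and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the qemu.conf user/group
# setting behind the "tainted: high-privileges" warning and separates
# warning lines from error lines in a libvirtd.log. Sample files are
# constructed here in a temp dir; function names are assumptions.
SAMPLE_DIR=$(mktemp -d)
# Constructed qemu.conf for the bad case Laine describes: the active
# line sets user to root, the commented-out line must be ignored.
cat > "$SAMPLE_DIR/qemu-root.conf" <<'EOF'
#user = "qemu"
user = "root"
group = "root"
EOF
# Constructed qemu.conf after the suggested fix.
cat > "$SAMPLE_DIR/qemu-fixed.conf" <<'EOF'
#user = "root"
user = "qemu"
group = "qemu"
EOF
# Constructed libvirtd.log in the format quoted in the thread.
cat > "$SAMPLE_DIR/libvirtd.log" <<'EOF'
2014-01-15 07:51:00.423+0000: 16158: warning : qemuDomainObjTaint:1573 : Domain id=5 name='vader' uuid=f5b8c05b-9c7a-3211-49b9-2bd635f7e2aa is tainted: high-privileges
2014-01-15 07:51:00.428+0000: 16158: error : virDBusCallMethod:1173 : Launch helper exited with unknown return code 1
EOF
# Effective value of a qemu.conf key (last uncommented assignment wins);
# prints "(default)" when the key is not set at all.
qemu_conf_value() {   # $1 = conf file, $2 = key, e.g. user or group
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '(default)\n'; fi
}
# "privileged" if qemu would run as root by user or group, else "unprivileged".
qemu_conf_privilege() {   # $1 = conf file
    if [ "$(qemu_conf_value "$1" user)" = root ] || [ "$(qemu_conf_value "$1" group)" = root ]
    then echo privileged; else echo unprivileged; fi
}
# Number of libvirtd.log lines at one severity ("warning" or "error").
count_level() {   # $1 = log file, $2 = severity
    grep -c "^[0-9-]* [0-9:.+]*: [0-9]*: $2 :" "$1" || true
}
# Taint reasons recorded in the log, one per line (here: high-privileges).
taint_reasons() {   # $1 = log file
    sed -n 's/.*is tainted: \([a-z-]*\).*/\1/p' "$1" | sort -u
}
printf '%s -> %s\n' "$SAMPLE_DIR/qemu-root.conf" "$(qemu_conf_privilege "$SAMPLE_DIR/qemu-root.conf")"
printf 'warnings=%s errors=%s taint=%s\n' "$(count_level "$SAMPLE_DIR/libvirtd.log" warning)" \
    "$(count_level "$SAMPLE_DIR/libvirtd.log" error)" "$(taint_reasons "$SAMPLE_DIR/libvirtd.log")"
```

Run against a real host by pointing the functions at /etc/libvirt/qemu.conf and /var/log/libvirtd.log; a non-zero error count with an unprivileged config is exactly the situation the second message describes.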