[libvirt] inability to open local read-only connection

Tavares, John John_Tavares at bmc.com
Mon Jul 12 20:49:17 UTC 2010 

Hi Daniel,

I added some more info to this.  I added a call to try to get the max number of vcpus as well.  For starters, here is the output of my 3 tests:

$ info1
-bash: info1: command not found
[perform at pun-rlnx55-bpa01 tavares]$ ./info1
Failed to bind to socket /tmp/livirt_proxy_conn
Domains 0: 2 CPUs
Failed to get scheduler inforamtion for Domain 0
Failed to get max vcpus for Domain 0

$ su root -c "./info1"
Password: 
Domains 0: 2 CPUs
Scheduler = credit
Max VCPUs = 2

$ su root -c "chown 0:0 info1;chmod 6555 info1"
Password: 
[perform at pun-rlnx55-bpa01 tavares]$ ./info1
Domains 0: 2 CPUs
libvir: Xen Daemon error : this function is not supported by the hypervisor: unsupported in xendConfigVersion < 4
Failed to get scheduler inforamtion for Domain 0
Failed to get max vcpus for Domain 0

I have attached a zipped tar file which now contains the source code, the executable, the strace output from all three tests and the configuration files from /etc/libvirt.  Please let me know if there is anything else that I can provide.  I will also see if I could do this on the Oracle VM Dom0 (if I can remember which one I used) and run similar tests.

Thanks.

John

-----Original Message-----
From: Tavares, John 
Sent: Monday, July 12, 2010 7:38 AM
To: 'Daniel P. Berrange'
Cc: libvir-list at redhat.com; 'Tomen Tse'; Betley, Greg; Chen, Jianjiun; Tavares, John
Subject: RE: [libvirt] inability to open local read-only connection
Importance: High

Hi Daniel,

Sorry it took so long to back to this.  I just recently ran into the same problem on RHEL 5.5 where I am running into problems using the root owned setuid executable to get domain information.  Basically all that I needed to do to show this was to modify the example program dominfo/info1.c that ships with the libvirt source and added a function that attempts to get any information about that domain.  In this case, I chose the virDomainGetSchedulerType() function.  Here is the output of 3 separate runs, the first will be as a non-root user, the second is from root and the last is from the same executable but just root owned setuid and run as a normal user:

$ ll info1
-r-xr-xr-x 1 perform perform 9326 Jul 12 16:50 info1
$ whoami
perform
$ ./info1
Domains 0: 2 CPUs
$ su
Password: 
# ./info1
Domains 0: 2 CPUs
Scheduler = credit
# chown 0:0 info1;chmod 6555 info1
# ll info1
-r-sr-sr-x 1 root root 9326 Jul 12 16:50 info1
# exit
$ whoami
perform
$ ./info1
Domains 0: 2 CPUs
libvir: Xen Daemon error : this function is not supported by the hypervisor: unsupported in xendConfigVersion < 4

$ virsh version
error: failed to connect to the hypervisor

$ su root -c "virsh version"
Password: 
Compiled against library: libvir 0.6.3
Using library: libvir 0.6.3
Using API: Xen 3.0.1
Running hypervisor: Xen 3.1.0

As you can see, even virsh needs to be run as root in order to connect to the hypervisor.  To help, I have attached both the source code and the executable I was using.  Please let me know if anything else is required to get this problem resolved.

Thanks.

John

-----Original Message-----
From: Daniel P. Berrange [mailto:berrange at redhat.com] 
Sent: Monday, March 01, 2010 7:58 AM
To: Tavares, John
Cc: libvir-list at redhat.com
Subject: Re: [libvirt] inability to open local read-only connection

On Thu, Feb 25, 2010 at 02:34:02PM -0600, Tavares, John wrote:
> I have been experimenting with using libvirt (0.3.3) on a variety of
> systems (RHEL, CentOS and Oracle VM).  I have run into an issue when
> I try to open a local read-only connection to the hypervisor that is
> failing only on Oracle VM server release 2.2.0.  I have created a root
> owned setuid executable that is effectively running as root, but even 
> so, still cannot open the local read-only connection of the hypervisor.
>  It only works if I run it directly as root.  This is not an option.  I
> do not understand why it works as is on my RHEL and CentOS machines, but
> not my Oracle machine.  It would seem as thought it is not checking if
> the effective uid is root, just the uid.

A readonly connection essentially just goes to a separate UNIX socket, which
has more relaxed permissions (mode 0777, instead of 0700). The kernel does
the permissions checking when attempting to open it, so it should be using
the effective ID. 

> Has anyone run into a similar issue or have any suggestions of what I 
> might try to fix this issue or can tell me that this is a defect that 
> needs (is) fixed??

I'd suggest trying to strace your process & see where it fails, and/or run
with LIBVIRT_DEBUG=1 environemnt variable set.

Regards,
Daniel
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
-------------- next part --------------
A non-text attachment was scrubbed...
Name: info1.tar.gz
Type: application/x-gzip
Size: 17385 bytes
Desc: info1.tar.gz
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20100712/1d32aeba/attachment-0001.bin>

More information about the libvir-list mailing list