[libvirt] possible 0.9.8 regression?
Daniel P. Berrange
berrange at redhat.com
Tue Dec 20 19:31:26 UTC 2011
On Tue, Dec 20, 2011 at 12:07:00PM -0700, Jim Fehlig wrote:
> Daniel P. Berrange wrote:
> > On Tue, Dec 20, 2011 at 08:59:48AM -0700, Jim Fehlig wrote:
> >
> >> xhu wrote:
> >>
> >>> On 12/16/2011 11:33 AM, Jim Fehlig wrote:
> >>>
> >>>> Hi All,
> >>>>
> >>>> I've noticed a regression in libvirt 0.9.8 on some of my kvm test machines
> >>>>
> >>>> # virsh start opensuse12
> >>>> error: Failed to start domain opensuse12
> >>>> error: Cannot open network interface control socket: Permission denied
> >>>>
> >>> For I can't reproduce it on my machine with 0.9.8, can you provide me
> >>> the detailed steps?
> >>>
> >> Nothing special, basic domain config using file-backed disk and
> >> connecting to a bridge.
> >>
> >>
> >>> Also your os, libvirt, qemu-kvm and kernel version?
> >>>
> >> Yeah, it has something to do with the kernel, glibc, or other such
> >> component. qemu-kvm isn't the problem as the error occurs before it is
> >> invoked.
> >>
> >> kernel 3.1.0, glibc 2.14.1 (openSUSE12.1):
> >> With libvirt 0.9.7, starting the domain works. This version of libvirt
> >> opens control socket with 'socket(AF_INET, SOCK_STREAM, 0)'. With
> >> libvirt 0.9.8, the domain does not start. In this version, the control
> >> socket is opened with 'socket(AF_PACKET, SOCK_DGRAM, 0)', which fails
> >> with EACCES.
> >>
> >> kernel 3.0.13, glibc 2.11.3 (SLES11 SP2):
> >> Regression between libvirt 0.9.7 and 0.9.8 not observed.
> >>
> >> Initially, I assumed the bug was in glibc. But I can open packet(7)
> >> sockets in a test program running as uid=euid=0, just not within
> >> libvirtd running with same privileges.
> >>
> >
> > Interesting, this is very bizarre. I assume that if you patch
> > libvirt 0.9.8 to use AF_INET again, it'll work fine ?
> >
>
> Yes, it is bizarre and yes, using AF_INET works.
>
> > Is there any other access control mechanism in force like SELinux
> > or AppArmour ?
> >
>
> No, which is why I'm rather confused...
Do you have a stack trace for the socket() call which generates
EACCESS ? I'm wondering if there is any chance that the call
is being made during the startup of QEMU inbetween fork() & exec()
where we might have already dropped some capabilities ?
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the libvir-list
mailing list