[libvirt] possible 0.9.8 regression?

Daniel P. Berrange berrange at redhat.com
Tue Dec 20 19:31:26 UTC 2011 

On Tue, Dec 20, 2011 at 12:07:00PM -0700, Jim Fehlig wrote:
> Daniel P. Berrange wrote:
> > On Tue, Dec 20, 2011 at 08:59:48AM -0700, Jim Fehlig wrote:
> >   
> >> xhu wrote:
> >>     
> >>> On 12/16/2011 11:33 AM, Jim Fehlig wrote:
> >>>       
> >>>> Hi All,
> >>>>
> >>>> I've noticed a regression in libvirt 0.9.8 on some of my kvm test machines
> >>>>
> >>>> # virsh start opensuse12
> >>>> error: Failed to start domain opensuse12
> >>>> error: Cannot open network interface control socket: Permission denied 
> >>>>         
> >>> For I can't reproduce it on my machine with 0.9.8, can you provide me
> >>> the detailed steps?
> >>>       
> >> Nothing special, basic domain config using file-backed disk and
> >> connecting to a bridge.
> >>
> >>     
> >>> Also your os, libvirt, qemu-kvm and kernel version?
> >>>       
> >> Yeah, it has something to do with the kernel, glibc, or other such
> >> component.  qemu-kvm isn't the problem as the error occurs before it is
> >> invoked.
> >>
> >> kernel 3.1.0, glibc  2.14.1 (openSUSE12.1):
> >> With libvirt 0.9.7, starting the domain works.  This version of libvirt
> >> opens control socket with 'socket(AF_INET, SOCK_STREAM, 0)'.  With
> >> libvirt 0.9.8, the domain does not start.  In this version, the control
> >> socket is opened with 'socket(AF_PACKET, SOCK_DGRAM, 0)', which fails
> >> with EACCES.
> >>
> >> kernel 3.0.13, glibc 2.11.3 (SLES11 SP2):
> >> Regression between libvirt 0.9.7 and 0.9.8 not observed.
> >>
> >> Initially, I assumed the bug was in glibc.  But I can open packet(7)
> >> sockets in a test program running as uid=euid=0, just not within
> >> libvirtd running with same privileges.
> >>     
> >
> > Interesting, this is very bizarre. I assume that if you patch
> > libvirt 0.9.8 to use  AF_INET again, it'll work fine ?
> >   
> 
> Yes, it is bizarre and yes, using AF_INET works.
> 
> > Is there any other access control mechanism in force like SELinux
> > or AppArmour ?
> >   
> 
> No, which is why I'm rather confused...

Do you have a stack trace for the socket() call which generates
EACCESS ?  I'm wondering if there is any chance that the call
is being made during the startup of QEMU inbetween fork() & exec()
where we might have already dropped some capabilities ?

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

More information about the libvir-list mailing list