[libvirt] possible 0.9.8 regression?

[Daniel P. Berrange]

On Tue, Dec 20, 2011 at 08:59:48AM -0700, Jim Fehlig wrote:
> xhu wrote:
> > On 12/16/2011 11:33 AM, Jim Fehlig wrote:
> >> Hi All,
> >>
> >> I've noticed a regression in libvirt 0.9.8 on some of my kvm test machines
> >>
> >> # virsh start opensuse12
> >> error: Failed to start domain opensuse12
> >> error: Cannot open network interface control socket: Permission denied 
> > For I can't reproduce it on my machine with 0.9.8, can you provide me
> > the detailed steps?
> 
> Nothing special, basic domain config using file-backed disk and
> connecting to a bridge.
> 
> > Also your os, libvirt, qemu-kvm and kernel version?
> 
> Yeah, it has something to do with the kernel, glibc, or other such
> component.  qemu-kvm isn't the problem as the error occurs before it is
> invoked.
> 
> kernel 3.1.0, glibc  2.14.1 (openSUSE12.1):
> With libvirt 0.9.7, starting the domain works.  This version of libvirt
> opens control socket with 'socket(AF_INET, SOCK_STREAM, 0)'.  With
> libvirt 0.9.8, the domain does not start.  In this version, the control
> socket is opened with 'socket(AF_PACKET, SOCK_DGRAM, 0)', which fails
> with EACCES.
> 
> kernel 3.0.13, glibc 2.11.3 (SLES11 SP2):
> Regression between libvirt 0.9.7 and 0.9.8 not observed.
> 
> Initially, I assumed the bug was in glibc.  But I can open packet(7)
> sockets in a test program running as uid=euid=0, just not within
> libvirtd running with same privileges.

Interesting, this is very bizarre. I assume that if you patch
libvirt 0.9.8 to use  AF_INET again, it'll work fine ?

Is there any other access control mechanism in force like SELinux
or AppArmour ?

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|