[libvirt] Fwd: libvirtd failing on MacOS in setgroups

Daniel P. Berrangé berrange at redhat.com
Fri Aug 30 15:50:07 UTC 2019


On Fri, Aug 30, 2019 at 11:42:50AM -0400, Marcus Furlong wrote:
> On Thu, 22 Aug 2019 at 05:34, Daniel P. Berrangé <berrange at redhat.com> wrote:
> >
> > On Wed, Aug 21, 2019 at 09:34:05PM +0300, Roman Bolshakov wrote:
> > > On Wed, Aug 21, 2019 at 05:55:51PM +0100, Daniel P. Berrangé wrote:
> > > > On Wed, Aug 21, 2019 at 12:47:03PM -0400, Marcus Furlong wrote:
> > > > > On Wed, 21 Aug 2019 at 08:23, Daniel P. Berrangé <berrange at redhat.com> wrote:
> > > > > >
> > > > > > On Tue, Aug 20, 2019 at 11:11:07AM -0400, Marcus Furlong wrote:
> > > > > > > Resend to libvir-list in case that is more appropriate:
> > > > > > >
> > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > I get the following error when running libvirtd on MacOS as root:
> > > > > > >
> > > > > > > 2019-07-11 00:12:33.673+0000: 123145573953536: error :
> > > > > > > qemuProcessQMPLaunch:8501 : internal error: Failed to start QEMU
> > > > > > > binary /usr/local/bin/qemu-system-x86_64 for probing: libvirt:  error
> > > > > > > : cannot set supplemental groups: Invalid argument
> > > > > >
> > > > > > Are you able to run 'strace' (or whatever MacOS eqiuv is) to see
> > > > > > the values passed to setgroups when it fails ?
> > > > >
> > > > > I ran `dtruss -f -l -s /usr/local/sbin/libvirtd` but the setgroups
> > > > > calls seem to be missing.
> > > > >
> > > > > Looking at other sources, it seems like some have special treatment of
> > > > > setgroups on MacOS, e.g. samba:
> > > > >
> > > > >    https://github.com/samba-team/samba/blob/v4-11-stable/source3/smbd/sec_ctx.c#L261-#L305
> > > > >
> > > > > Perhaps this is needed for libvirt?
> > > >
> > > > The capping of ngroups to NGROUPS_MAX looks like a possibe reason.
> > > >
> > > > Adding this debug might show us if we're exceeding it:
> > > >
> > > > diff --git a/src/util/virutil.c b/src/util/virutil.c
> > > > index 89d2cf011f..effc02b898 100644
> > > > --- a/src/util/virutil.c
> > > > +++ b/src/util/virutil.c
> > > > @@ -1043,6 +1043,7 @@ virSetUIDGID(uid_t uid, gid_t gid, gid_t *groups ATTRIBUTE_UNUSED,
> > > >      }
> > > >
> > > >  # if HAVE_SETGROUPS
> > > > +    VIR_DEBUG("setgroups %d max %d", ngroups, NGROUPS_MAX);
> > > >      if (gid != (gid_t)-1 && setgroups(ngroups, groups) < 0) {
> > > >          virReportSystemError(errno, "%s",
> > > >                               _("cannot set supplemental groups"));
> > > >
> > > >
> > >
> > > Yes, there's an overflow:
> > > 2019-08-21 18:25:37.943+0000: 123145413914624: debug : virSetUIDGID:1046 : setgroups 23 max 16
> > >
> > > Related samba ticket (it also has references to the python and dovecot
> > > issues):
> > > https://bugzilla.samba.org/show_bug.cgi?id=8773
> >
> > The quick hack is to simply truncate groups to NGROUPS_MAX.
> >
> > Reading that bug, the proper fix looks quite alot more complex
> 
> Just to confirm that the root cause of the issue was the above block,
> I bypassed the HAVE_SETGROUPS section completely on Darwin, and things
> work as expected.
> 
> Where would be an appropriate place to track this bug?

You can file a BZ here:

  https://libvirt.org/bugs.html

I would note, however, that very few libvirt maintainers use or have
access to macOS. So if you're able to try creating a viable patch
yourself that would maximise likelihood of it getting fixed in a
reasonable amount of time.

I'll happily review & give feedback on the approach, but I'm not
able to actively test myself, besides a plain compile-check we
get via Travis CI.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|




More information about the libvir-list mailing list