[Libvirt-announce] [libvirt] Availability of libvirt-3.0.0 release candidate 2
mprivozn at redhat.com
Tue Jan 17 13:21:52 UTC 2017
On 01/17/2017 02:13 PM, Marc Hartmayer wrote:
> It's a SELinux labeling problem and seems to be introduced by the
> QEMU namespace patches.
I wouldn't guess from the error message that qemu is getting EPERM.
Anyway, the SELinux issue is fixed in -rc2:
Author: Michal Privoznik <mprivozn at redhat.com>
AuthorDate: Fri Jan 13 10:03:23 2017 +0100
Commit: Michal Privoznik <mprivozn at redhat.com>
CommitDate: Fri Jan 13 14:45:52 2017 +0100
qemu: Copy SELinux labels for namespace too
When creating new /dev/* for qemu, we do chown() and copy ACLs to
create the exact copy from the original /dev. I though that
copying SELinux labels is not necessary as SELinux will chose the
sane defaults. Surprisingly, it does not leaving namespace with
the following labels:
crw-rw-rw-. root root system_u:object_r:tmpfs_t:s0 random
crw-------. root root system_u:object_r:tmpfs_t:s0 rtc0
drwxrwxrwt. root root system_u:object_r:tmpfs_t:s0 shm
crw-rw-rw-. root root system_u:object_r:tmpfs_t:s0 urandom
As a result, domain is unable to start:
error: internal error: process exited while connecting to monitor:
Error in GnuTLS initialization: Failed to acquire random data.
qemu-kvm: cannot initialize crypto: Unable to initialize GNUTLS
library: Failed to acquire random data.
The solution is to copy the SELinux labels as well.
Reported-by: Andrea Bolognani <abologna at redhat.com>
Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> On Tue, Jan 17, 2017 at 11:18 AM +0100, Marc Hartmayer <mhartmay at linux.vnet.ibm.com> wrote:
>> I have tried to live hot plug a disk backed on a qcow2 disk (see XML
>> snippet below) on a s390 system and I've got the following error
>> internal error: unable to execute QEMU command 'device_add': Property
>> 'scsi-hd.drive' can't find value 'drive-scsi0-0-0-0'
>> <disk type="file">
>> <driver name="qemu" type="qcow2"/>
>> <source file="/tmp/virtd-test_e3hnhh5/disk1.qcow2" />
My namespace patches should not clash with this as this isn't a device
from /dev/*. In the namespace, it's just /dev that is different to the
parent namespace. So anything else (e.g. under /tmp) is "shared" with
the parent namespace (it is the same mount in fact).
>> <target bus="scsi" dev="sda" />
>> With v2.5.0 everything has worked. I'll take a closer look to it today.
You can try and see if this is a namespace caused issue. Just disable
the namespaces and retry. If it succeeds with namespaces disabled, the
bug indeed is in my namespaces patches.
btw: to disable namespaces set: namespaces= in /etc/libvirt/qemu.conf
More information about the Libvirt-announce