[libvirt-users] How can I make sVirt work with LXC (libvirt-0.9.13)?

Tue Jul 24 20:08:07 UTC 2012

 Hi,

 I've installed libvirt-0.9.13 on RHEL6.2 from the source code.
I cannot make sVirt working with LXC. (sVirt works well with KVM, though.)
I can start an LXC instance, but the label of the process is not right.
Can someone help me? 
I tried to change /etc/libvirtd/lxc.conf file to explicitly enable
security_driver = "selinux". 
But it ends up with error saying "error : virSecurityDriverLookup:74 : internal error Security driver selinux not found".
SELinux is in a permissive mode but is not enforcing.

 The current situation is as follows: 

* The label of an LXC container is not properly done:

$ ps auxZ | grep lxc
unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 root 27998 0.0  0.0 34716 1160 ?  Ss   11:54   0:00 /usr/libexec/libvirt_lxc --name instance-0000001f --console 16 --security=none --handshake 19 --background --veth veth1

* This is the lable of libvirtd process:

$ ps auxZ | grep libvirtd
unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 root 27376 0.1  0.0 919052 5324 ? Sl   11:51   0:00 libvirtd --daemon

* Here is the xml file that I used to run LXC instance, which was generated by OpenStack:

<domain type="lxc">
  <uuid>621adc56-2103-465c-bafd-1d0b51bea3a0</uuid>
  <name>instance-0000001f</name>
  <memory>2097152</memory>
  <vcpu>1</vcpu>
  <os>
    <type>exe</type>
    <cmdline>console=ttyS0</cmdline>
    <init>/sbin/init</init>
  </os>
  <clock offset="utc"/>
  <devices>
    <filesystem type="mount">
      <source dir="/usr/local/nova/instances/instance-0000001f/rootfs"/>
      <target dir="/"/>
    </filesystem>
    <interface type="bridge">
      <mac address="fa:16:3e:1e:33:f4"/>
      <model type="virtio"/>
      <source bridge="br100"/>
      <filterref filter="nova-instance-instance-0000001f-fa163e1e33f4">
        <parameter name="IP" value="10.0.0.4"/>
        <parameter name="DHCPSERVER" value="10.0.0.3"/>
        <parameter name="PROJNET" value="10.0.0.0"/>
        <parameter name="PROJMASK" value="255.255.0.0"/>
      </filterref>
    </interface>
    <console type="pty"/>
  </devices>
</domain>

* Svirt works well with KVM as is shown below:

$ ps auxZ | grep qemu
system_u:system_r:svirt_t:s0:c128,c132 root 22710 6.9  0.2 895040 34332 ?      Sl   11:17   0:07 /usr/libexec/qemu-kvm -name instance-0000001b -S -M pc-0.14 -cpu core2duo,+lahf_lm,+dca,+pdcm,+xtpr,+cx16,+tm2,+est,+vmx,+ds_cpl,+dtes64,+pbe,+tm,+ht,+ss,+acpi,+ds -enable-kvm -m 512 -smp 1,sockets=1,cores=1,threads=1 -uuid 12716b13-001c-40de-9537-ca847aead70b -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/instance-0000001b.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -no-kvm-pit-reinjection -kernel /usr/local/nova/instances/instance-0000001b/kernel -initrd /usr/local/nova/instances/instance-0000001b/ramdisk -append root=/dev/vda console=ttyS0 -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/usr/local/nova/instances/instance-0000001b/disk,if=none,id=drive-virtio-disk0,format=qcow2,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,fd=17,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=fa:16:3e:7a:5e:b6,bus=pci.0,addr=0x3 -chardev file,id=charserial0,path=/usr/local/nova/instances/instance-0000001b/console.log -device isa-serial,chardev=charserial0,id=serial0 -chardev pty,id=charserial1 -device isa-serial,chardev=charserial1,id=serial1 -device usb-tablet,id=input0 -vnc 127.0.0.1:0 -k en-us -vga cirrus -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5

 Thanks,
 David

----------------------
Dr. Dong-In "David" Kang
Computer Scientist
USC/ISI