[libvirt-users] How can I make sVirt work with LXC (libvirt-0.9.13)?

David Kang dkang at isi.edu
Thu Jul 26 15:43:57 UTC 2012


 Doesn't sVirt work for LXC when selinux_lxc_contexts_path() is not supported by libselinux?

 Thanks,
 David

----------------------
Dr. Dong-In "David" Kang
Computer Scientist
USC/ISI

----- Original Message -----
> Hi,
> 
> I've installed libvirt-0.9.13 on RHEL6.2 from the source code.
> I cannot make sVirt work with LXC. (sVirt works well with KVM,
> though.)
> I can start an LXC instance, but the label of the process is not
> right.
> Can someone help me?
> I tried to change /etc/libvirtd/lxc.conf file to explicitly enable
> security_driver = "selinux".
> But it ends up with error saying "error : virSecurityDriverLookup:74 :
> internal error Security driver selinux not found".
> SELinux is in a permissive mode but is not enforcing.
> 
> The current situation is as follows:
> 
> * The label of an LXC container is not properly done:
> 
> $ ps auxZ | grep lxc
> unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 root 27998 0.0 0.0 34716
> 1160 ? Ss 11:54 0:00 /usr/libexec/libvirt_lxc --name instance-0000001f
> --console 16 --security=none --handshake 19 --background --veth veth1
> 
> * This is the label of libvirtd process:
> 
> $ ps auxZ | grep libvirtd
> unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 root 27376 0.1 0.0 919052
> 5324 ? Sl 11:51 0:00 libvirtd --daemon
> 
> * Here is the xml file that I used to run LXC instance, which was
> generated by OpenStack:
> 
> <domain type="lxc">
>   <uuid>621adc56-2103-465c-bafd-1d0b51bea3a0</uuid>
>   <name>instance-0000001f</name>
>   <memory>2097152</memory>
>   <vcpu>1</vcpu>
>   <os>
>     <type>exe</type>
>     <cmdline>console=ttyS0</cmdline>
>     <init>/sbin/init</init>
>   </os>
>   <clock offset="utc"/>
>   <devices>
>     <filesystem type="mount">
>       <source dir="/usr/local/nova/instances/instance-0000001f/rootfs"/>
>       <target dir="/"/>
>     </filesystem>
>     <interface type="bridge">
>       <mac address="fa:16:3e:1e:33:f4"/>
>       <model type="virtio"/>
>       <source bridge="br100"/>
>       <filterref filter="nova-instance-instance-0000001f-fa163e1e33f4">
>         <parameter name="IP" value="10.0.0.4"/>
>         <parameter name="DHCPSERVER" value="10.0.0.3"/>
>         <parameter name="PROJNET" value="10.0.0.0"/>
>         <parameter name="PROJMASK" value="255.255.0.0"/>
>       </filterref>
>     </interface>
>     <console type="pty"/>
>   </devices>
> </domain>
> 
> 
> 
> * sVirt works well with KVM as is shown below:
> 
> $ ps auxZ | grep qemu
> system_u:system_r:svirt_t:s0:c128,c132 root 22710 6.9 0.2 895040 34332
> ? Sl 11:17 0:07 /usr/libexec/qemu-kvm -name instance-0000001b -S -M
> pc-0.14 -cpu
> core2duo,+lahf_lm,+dca,+pdcm,+xtpr,+cx16,+tm2,+est,+vmx,+ds_cpl,+dtes64,+pbe,+tm,+ht,+ss,+acpi,+ds
> -enable-kvm -m 512 -smp 1,sockets=1,cores=1,threads=1 -uuid
> 12716b13-001c-40de-9537-ca847aead70b -nodefconfig -nodefaults -chardev
> socket,id=charmonitor,path=/var/lib/libvirt/qemu/instance-0000001b.monitor,server,nowait
> -mon chardev=charmonitor,id=monitor,mode=control -rtc
> base=utc,driftfix=slew -no-kvm-pit-reinjection -kernel
> /usr/local/nova/instances/instance-0000001b/kernel -initrd
> /usr/local/nova/instances/instance-0000001b/ramdisk -append
> root=/dev/vda console=ttyS0 -device
> piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive
> file=/usr/local/nova/instances/instance-0000001b/disk,if=none,id=drive-virtio-disk0,format=qcow2,cache=none
> -device
> virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1
> -netdev tap,fd=17,id=hostnet0 -device
> virtio-net-pci,netdev=hostnet0,id=net0,mac=fa:16:3e:7a:5e:b6,bus=pci.0,addr=0x3
> -chardev
> file,id=charserial0,path=/usr/local/nova/instances/instance-0000001b/console.log
> -device isa-serial,chardev=charserial0,id=serial0 -chardev
> pty,id=charserial1 -device isa-serial,chardev=charserial1,id=serial1
> -device usb-tablet,id=input0 -vnc 127.0.0.1:0 -k en-us -vga cirrus
> -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
> 
> 
> Thanks,
> David
> 
> ----------------------
> Dr. Dong-In "David" Kang
> Computer Scientist
> USC/ISI
> 
> _______________________________________________
> libvirt-users mailing list
> libvirt-users at redhat.com
> https://www.redhat.com/mailman/listinfo/libvirt-users
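
Added example, not part of the original post and not libvirt code: a check over `ps auxZ` output like that quoted above, flagging guest processes that are not running under a per-guest sVirt label. The function name, the `svirt_` type prefix and the `s0:cN,cM` level pattern (targeted policy with dynamic labelling) are assumptions made here; the sample lines are constructed from the output in the post with the command lines abridged.

```python
import re

# Constructed sample: the three `ps auxZ` lines quoted in the post, with the
# long command lines abridged.
SAMPLE_PS = """\
unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 root 27998 0.0 0.0 34716 1160 ? Ss 11:54 0:00 /usr/libexec/libvirt_lxc --name instance-0000001f --console 16 --security=none --handshake 19
unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 root 27376 0.1 0.0 919052 5324 ? Sl 11:51 0:00 libvirtd --daemon
system_u:system_r:svirt_t:s0:c128,c132 root 22710 6.9 0.2 895040 34332 ? Sl 11:17 0:07 /usr/libexec/qemu-kvm -name instance-0000001b -S -M pc-0.14
"""

GUEST_BINARIES = ("libvirt_lxc", "qemu-kvm")  # guest-hosting processes seen in the post
MCS_PAIR = re.compile(r"^s0:c\d+,c\d+$")      # assumed per-guest level, e.g. s0:c128,c132

def audit_guest_labels(ps_text):
    """Return {guest_name: [problems]} for each guest process in `ps auxZ` text."""
    report = {}
    for line in ps_text.splitlines():
        # LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        fields = line.split(None, 11)
        if len(fields) < 12:
            continue
        label, command = fields[0], fields[11]
        argv = command.split()
        if not argv[0].endswith(GUEST_BINARIES):
            continue  # libvirtd itself, grep, the header line, ...
        m = re.search(r"--?name (\S+)", command)
        name = m.group(1) if m else "pid-" + fields[2]
        parts = label.split(":", 3)  # the level part may itself contain ':'
        problems = []
        if len(parts) != 4:
            problems.append("unparseable label")
        else:
            _user, _role, setype, level = parts
            if not setype.startswith("svirt_"):
                problems.append("type %s is not an svirt_* guest type" % setype)
            if not MCS_PAIR.match(level):
                problems.append("level %s is not a per-guest category pair" % level)
        if "--security=none" in argv:
            problems.append("started with --security=none")
        report[name] = problems
    return report

if __name__ == "__main__":
    for guest, problems in audit_guest_labels(SAMPLE_PS).items():
        print(guest, "OK" if not problems else "; ".join(problems))
```

On the sample, the KVM guest passes and the LXC guest is flagged three times: it inherits libvirtd's `virtd_t` type and full category range, and its controller was launched with `--security=none`.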
