[libvirt-users] lxc-enter-namespace error: security model cannot be entered.

hzguanqiang hzguanqiang at corp.netease.com
Tue Jul 30 11:25:10 UTC 2013 

On 2013-07-30 17:52, "Daniel P. Berrange" <berrange at redhat.com> wrote:
>>On Tue, Jul 30, 2013 at 05:49:28PM +0800, hzguanqiang wrote:
>> Hi Guys,
>> I started a lxc container with libvit in ubuntu Operating system, and succeed using lxc-enter-namespace to enter the namespaces and security context of the container. But when I do the same thing in debian OS, It reported an error, with details as following:
>> 
>> root at debian:/etc# vir list
>>  Id    Name                           State
>> ----------------------------------------------------
>>  4424  instance-00000007              running
>>  25913 instance-00000008              running
>> 
>> root at debian:/etc# vir dumpxml 4424
>> <domain type='lxc' id='4424'>
>>   <name>instance-00000007</name>
>>   <uuid>f1ce5360-bb5e-4cfc-b5ef-d05f8db52618</uuid>
>>   <memory unit='KiB'>1048576</memory>
>>   <currentMemory unit='KiB'>1048576</currentMemory>
>>   <vcpu placement='static'>3</vcpu>
>>   <resource>
>>     <partition>/machine</partition>
>>   </resource>
>>   <os>
>>     <type arch='x86_64'>exe</type>
>>     <init>/sbin/init</init>
>>     <cmdline>console=tty0 console=ttyS0</cmdline>
>>   </os>
>>   <clock offset='utc'/>
>>   <on_poweroff>destroy</on_poweroff>
>>   <on_reboot>restart</on_reboot>
>>   <on_crash>destroy</on_crash>
>>   <devices>
>>     <emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
>>     <filesystem type='mount' accessmode='passthrough'>
>>       <source dir='/opt/stack/data/nova/instances/f1ce5360-bb5e-4cfc-b5ef-d05f8db52618/rootfs'/>
>>       <target dir='/'/>
>>     </filesystem>
>>     <interface type='bridge'>
>>       <mac address='fa:16:3e:3a:c6:11'/>
>>       <source bridge='br100'/>
>>       <target dev='veth0'/>
>>       <filterref filter='nova-instance-instance-00000007-fa163e3ac611'/>
>>     </interface>
>>     <console type='pty' tty='/dev/pts/1'>
>>       <source path='/dev/pts/1'/>
>>       <target type='lxc' port='0'/>
>>       <alias name='console0'/>
>>     </console>
>>   </devices>
>>   <seclabel type='none'/>
>> </domain>
>> 
>> root at debian:/etc# vir lxc-enter-namespace 4424 /bin/sh/
>> libvirt:  error : argument unsupported: Security model  cannot be entered
>> 
>> Is there anything that needs to be configured in debian OS for using the 'lxc-enter-namespace' interface?
>
>Hmm, that's a bug in virsh. As a workaround use the  --noseclabel flag

Well, Daniel. I succeed to try 'lxc-enter-namespace' with --noseclabel flag to get the disk space info of the lxc container.
But the result is not what it might be. The operations I did are just as following:

		root at debian:~# vir version
		Compiled against library: libvirt 1.1.0
		Using library: libvirt 1.1.0
		Using API: LXC 1.1.0
		Running hypervisor: LXC 3.2.46

		root at debian:~# vir list
		 Id    Name                           State
		----------------------------------------------------
		 4424  instance-00000007              running
		 25913 instance-00000008              running

		root at debian:~# vir lxc-enter-namespace 4424 --noseclabel /bin/df -hl
		Filesystem                                              Size  Used Avail Use% Mounted on
		rootfs                                                   20G  9.5G  9.3G  51% /
		udev                                                     10M     0   10M   0% /dev
		tmpfs                                                   397M  228K  397M   1% /run
		/dev/disk/by-uuid/cc8a372b-907a-4cd9-a474-1a112033cfd6   20G  9.5G  9.3G  51% /
		tmpfs                                                   5.0M     0  5.0M   0% /run/lock
		tmpfs                                                   794M     0  794M   0% /run/shm
		cgroup                                                  2.0G     0  2.0G   0% /sys/fs/cgroup
        
Then I enter into the lxc container, and execute command 'df -hl' returning a different result as following:
		
		root at debian:~# vir console 4424
		Connected to domain instance-00000007
		Escape character is ^]


		Ubuntu 12.04.2 LTS lxc1 tty1

		lxc1 login: ubuntu
		Password: 
		Last login: Tue Jul 30 11:02:03 UTC 2013 on pts/0
		Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.2.46-openstack-amd64 x86_64)

		 * Documentation:  https://help.ubuntu.com/

		  System information as of Tue Jul 30 11:02:54 UTC 2013

		  System load:  0.08              Processes:           24
		  Usage of /:   70.5% of 1.35GB   Users logged in:     0
		  Memory usage: 56%               IP address for eth0: 10.0.0.2
		  Swap usage:   0%

		  Graph this data and manage this system at https://landscape.canonical.com/

		  Get cloud support with Ubuntu Advantage Cloud Guest:
			http://www.ubuntu.com/business/services/cloud

		  Use Juju to deploy your cloud instances and workloads:
			https://juju.ubuntu.com/#cloud-precise

		31 packages can be updated.
		21 updates are security updates.

		ubuntu at lxc1:~$ df -hl
		Filesystem      Size  Used Avail Use% Mounted on
		/dev/nbd10      1.4G  976M  340M  75% /
		devfs            64K  8.0K   56K  13% /dev
		tmpfs            64K     0   64K   0% /sys/fs/cgroup
		none            397M   12M  385M   3% /run
		none            5.0M     0  5.0M   0% /run/lock
		none            2.0G     0  2.0G   0% /run/shm


I used to try 'lxc-enter-namespace' to execute df command with libvirt version of 1.0.2 under host of ubuntu OS, and the Operation result is just the same as what I did in lxc container.
What's the problem? Could 'lxc-enter-namespace' be different with --noseclabel flag?

 
------------------     
Best regards!
GuanQiang
2013-07-30

More information about the libvirt-users mailing list