[libvirt-users] lxc-enter-namespace error: security model cannot be entered.
hzguanqiang
hzguanqiang at corp.netease.com
Tue Jul 30 11:25:10 UTC 2013
On 2013-07-30 17:52, "Daniel P. Berrange" <berrange at redhat.com> wrote:
>>On Tue, Jul 30, 2013 at 05:49:28PM +0800, hzguanqiang wrote:
>> Hi Guys,
>> I started an lxc container with libvirt on the Ubuntu operating system, and succeeded in using lxc-enter-namespace to enter the namespaces and security context of the container. But when I do the same thing on Debian, it reports an error, with details as follows:
>>
>> root@debian:/etc# vir list
>> Id Name State
>> ----------------------------------------------------
>> 4424 instance-00000007 running
>> 25913 instance-00000008 running
>>
>> root@debian:/etc# vir dumpxml 4424
>> <domain type='lxc' id='4424'>
>> <name>instance-00000007</name>
>> <uuid>f1ce5360-bb5e-4cfc-b5ef-d05f8db52618</uuid>
>> <memory unit='KiB'>1048576</memory>
>> <currentMemory unit='KiB'>1048576</currentMemory>
>> <vcpu placement='static'>3</vcpu>
>> <resource>
>> <partition>/machine</partition>
>> </resource>
>> <os>
>> <type arch='x86_64'>exe</type>
>> <init>/sbin/init</init>
>> <cmdline>console=tty0 console=ttyS0</cmdline>
>> </os>
>> <clock offset='utc'/>
>> <on_poweroff>destroy</on_poweroff>
>> <on_reboot>restart</on_reboot>
>> <on_crash>destroy</on_crash>
>> <devices>
>> <emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
>> <filesystem type='mount' accessmode='passthrough'>
>> <source dir='/opt/stack/data/nova/instances/f1ce5360-bb5e-4cfc-b5ef-d05f8db52618/rootfs'/>
>> <target dir='/'/>
>> </filesystem>
>> <interface type='bridge'>
>> <mac address='fa:16:3e:3a:c6:11'/>
>> <source bridge='br100'/>
>> <target dev='veth0'/>
>> <filterref filter='nova-instance-instance-00000007-fa163e3ac611'/>
>> </interface>
>> <console type='pty' tty='/dev/pts/1'>
>> <source path='/dev/pts/1'/>
>> <target type='lxc' port='0'/>
>> <alias name='console0'/>
>> </console>
>> </devices>
>> <seclabel type='none'/>
>> </domain>
>>
>> root@debian:/etc# vir lxc-enter-namespace 4424 /bin/sh/
>> libvirt: error : argument unsupported: Security model cannot be entered
>>
>> Is there anything that needs to be configured on Debian to use the 'lxc-enter-namespace' interface?
>
>Hmm, that's a bug in virsh. As a workaround use the --noseclabel flag

Well, Daniel, I succeeded in running 'lxc-enter-namespace' with the --noseclabel flag to get the disk space info of the lxc container.
But the result is not what it should be. The operations I performed were as follows:

root@debian:~# vir version
Compiled against library: libvirt 1.1.0
Using library: libvirt 1.1.0
Using API: LXC 1.1.0
Running hypervisor: LXC 3.2.46
root@debian:~# vir list
Id Name State
----------------------------------------------------
4424 instance-00000007 running
25913 instance-00000008 running
root@debian:~# vir lxc-enter-namespace 4424 --noseclabel /bin/df -hl
Filesystem Size Used Avail Use% Mounted on
rootfs 20G 9.5G 9.3G 51% /
udev 10M 0 10M 0% /dev
tmpfs 397M 228K 397M 1% /run
/dev/disk/by-uuid/cc8a372b-907a-4cd9-a474-1a112033cfd6 20G 9.5G 9.3G 51% /
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 794M 0 794M 0% /run/shm
cgroup 2.0G 0 2.0G 0% /sys/fs/cgroup

Then I entered the lxc container and executed the command 'df -hl', which returned a different result, as follows:

root@debian:~# vir console 4424
Connected to domain instance-00000007
Escape character is ^]
Ubuntu 12.04.2 LTS lxc1 tty1
lxc1 login: ubuntu
Password:
Last login: Tue Jul 30 11:02:03 UTC 2013 on pts/0
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.2.46-openstack-amd64 x86_64)
* Documentation: https://help.ubuntu.com/
System information as of Tue Jul 30 11:02:54 UTC 2013
System load: 0.08 Processes: 24
Usage of /: 70.5% of 1.35GB Users logged in: 0
Memory usage: 56% IP address for eth0: 10.0.0.2
Swap usage: 0%
Graph this data and manage this system at https://landscape.canonical.com/
Get cloud support with Ubuntu Advantage Cloud Guest:
http://www.ubuntu.com/business/services/cloud
Use Juju to deploy your cloud instances and workloads:
https://juju.ubuntu.com/#cloud-precise
31 packages can be updated.
21 updates are security updates.
ubuntu@lxc1:~$ df -hl
Filesystem Size Used Avail Use% Mounted on
/dev/nbd10 1.4G 976M 340M 75% /
devfs 64K 8.0K 56K 13% /dev
tmpfs 64K 0 64K 0% /sys/fs/cgroup
none 397M 12M 385M 3% /run
none 5.0M 0 5.0M 0% /run/lock
none 2.0G 0 2.0G 0% /run/shm

I previously used 'lxc-enter-namespace' to execute the df command with libvirt version 1.0.2 on an Ubuntu host, and the result was just the same as what I got inside the lxc container.
What's the problem? Could 'lxc-enter-namespace' behave differently with the --noseclabel flag?
------------------
Best regards!
GuanQiang
2013-07-30