[libvirt-users] Networkfilters in Routed setup

h0rst h0rst at localh0rst.de
Wed Feb 19 15:47:22 UTC 2014


On Tue, 2014-02-18 at 16:06 -0700, Eric Blake wrote:

> There should be no problem upgrading to a newer libvirt.  We take great
> pains to ensure that a newer version of libvirt can be reloaded and
> gracefully understand the XML recorded by older versions, with no loss
> to running VMs.  While there have been bugs on this front, they get
> caught and patched quickly, so by updating to something like the latest
> Fedora stable build (currently 1.1.3.3), you are even more likely to
> avoid these sorts of problems when compared to upgrading all the way to
> the master branch of libvirt.

After I forced myself to upgrade and compile a newer version of libvirt
(to be precise, I wanted to upgrade to the latest libvirt-1.2.1.tar.gz),
I ran into some problems. I compiled libvirt with the following options
(as a reminder, I'm running "good" old Ubuntu 12.04):

./configure --with-lxc --with-storage-lvm --prefix=/usr --localstatedir=/var --sysconfdir=/etc

Compiling and installing worked perfectly after installing all missing
dependencies. At first everything looked fine and all created networks
and domains were still running. To be sure everything would survive a
system restart, I rebooted. That's when everything (or something) went
wrong. After starting libvirtd I got the following error:

>>> error: Failed to start network hetzner-subnet-v4
>>> error: unsupported configuration: Publicly routable address 1.2.3.65 is prohibited. 
>>> The version of dnsmasq on this host (2.59) doesn't support the bind-dynamic option 
>>> or use SO_BINDTODEVICE on listening sockets, one of which is required for safe 
>>> operation on a publicly routable subnet (see CVE-2012-3411). You must either upgrade 
>>> dnsmasq, or use a private/local subnet range for this network (as described in RFC1918/RFC3484/RFC4193).

Since no VM was running at this point (because of the missing networks),
I decided to quickly update to a newer version of DNSMASQ (2.68) and
installed this to "/usr/local/sbin" and linked it to "/usr/sbin/dnsmasq"
after removing the distribution-specific packages. When I tried to start
the hetzner-subnet-v4 network, I got the following error:

>>> 2014-02-19 14:11:58.636+0000: 7075: error : virCommandWait:2376 : internal error: Child process (LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin HOME=/root USER=root LOGNAME=root /usr/sbin/dnsmasq --version) unexpected exit status 1: libvirt:  error : cannot execute binary /usr/sbin/dnsmasq: Permission denied

>>> 2014-02-19 14:11:58.636+0000: 7075: error : dnsmasqCapsRefreshInternal:747 : failed to run '/usr/sbin/dnsmasq --version': : Success
>>> error: Failed to start network hetzner-subnet-v4
>>> error: failed to run '/usr/sbin/dnsmasq --version': : Success

However, running dnsmasq manually worked. Since that was the moment the first
phone calls started because users could not access their services on the VMs,
I quickly reverted everything to its previous state to get everything up and
running again. I don't have any testing server, so I could not play around with
it anymore (better to say not right now. I might have to wait until everyone is
sleeping ;)). Does libvirt have any problems when accessing a softlink instead
of a binary? Unfortunately, that possibility came to my mind after reverting back
to its original state!

I'm really sorry to spam you guys with all my problems ;)

Kind regards,
Sebastian
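
Added example, not part of the original message and not libvirt's own code: a pre-flight check that reads a network definition and the dnsmasq help text and reports which addresses would hit the "Publicly routable address ... is prohibited" refusal quoted above. The netmask, the IPv6 address, the help-text snippets and all function names are constructed for illustration; the private ranges and the `--help` probe are assumptions about how the check behaves.

```python
# Added illustration, not libvirt code: pre-flight check for the refusal quoted above.
import ipaddress
import xml.etree.ElementTree as ET

# Ranges named in the error text: RFC1918, RFC4193 (ULA) and the IPv6 site-local
# prefix referred to by RFC3484. Assumed to match libvirt's idea of "private".
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fec0::/10")]

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in PRIVATE_NETS)

def public_addresses(network_xml):
    """Addresses of top-level <ip address=...> elements that are not private."""
    root = ET.fromstring(network_xml)
    return [el.get("address") for el in root.findall("ip")
            if el.get("address") and not is_private(el.get("address"))]

def supports_bind_dynamic(dnsmasq_help):
    """Assumption: the option appears in `dnsmasq --help` output when supported."""
    return "--bind-dynamic" in dnsmasq_help

def preflight(network_xml, dnsmasq_help):
    """Return the addresses that would be refused, or [] if the network can start.
    The SO_BINDTODEVICE alternative named in the error is not modelled here,
    so the result is conservative."""
    if supports_bind_dynamic(dnsmasq_help):
        return []
    return public_addresses(network_xml)

# Constructed sample: routed network using the placeholder address from the error.
SAMPLE_XML = """<network>
  <name>hetzner-subnet-v4</name>
  <forward mode='route'/>
  <ip address='1.2.3.65' netmask='255.255.255.224'/>
  <ip family='ipv6' address='fd00:1234::1' prefix='64'/>
</network>"""
# Constructed help-text snippets standing in for an older and a newer dnsmasq.
OLD_HELP = "-z, --bind-interfaces  Bind only to interfaces in use."
NEW_HELP = OLD_HELP + "\n    --bind-dynamic  Bind to interfaces in use, check for new ones."

if __name__ == "__main__":
    print("older dnsmasq, refused addresses:", preflight(SAMPLE_XML, OLD_HELP))
    print("newer dnsmasq, refused addresses:", preflight(SAMPLE_XML, NEW_HELP))
```

On a real host the two inputs would come from `virsh net-dumpxml <network>` and `dnsmasq --help`, run before the new libvirtd is started.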





