[libvirt-users] error : Failed to switch root mount into slave mode: Permission denied

Michal Privoznik mprivozn at redhat.com
Mon Feb 27 06:14:42 UTC 2017


On 26.02.2017 18:29, Kyle Peterson wrote:
> libvirt-3.0.0
> 
> When attempting to create a virtual machine I receive the error "error : Failed to switch root mount into slave mode: Permission denied".
> 
> I’m attempting to run qemu/libvirt/virt-manager in an Arch Linux lxc container on an Ubuntu 16.04 host.  The host uses zfs for its containers.  The arch container is set up as a privileged container.  I do already have kvm/qemu/libvirt working in an Ubuntu container.  The reason for the arch container is because I want to try a newer version of qemu/libvirt.
> 
> I’m not finding anything on google about this error message.  Any way to get around it?

Hey,

with 3.0.0 release qemu domains are started under a namespace too
(because of the error message I assume you're trying to start a qemu
domain). So far, every domain has its own /dev managed by libvirt. There
were two reasons for it:
a) avoid relabelling race with udev
b) enhance security as only configured devices are created in the namespace.

Therefore, when starting new qemu domain, libvirt calls
unshare(CLONE_NEWNS) and then tries to remount the root "/" into slave
mode so that all mounts from the master (= parent ns) are visible in the
namespace but not vice versa. Since you mention Ubuntu - could it be
that it is AppArmor that is denying the operation? Because frankly, I've
read some bug reports that AppArmor was denying libvirt to create a new
namespace but I'm no AppArmor expert and I don't know how to fix it.
There is a workaround too, just set:

  namespaces = []

in qemu.conf, restart libvirtd and you should be all set.

BTW, the 3.1.0-rc1 release is out and it contains a lot of qemu
namespace fixes. So you might try that.


Michal
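
Added example, not part of the original mail and not libvirt's code: a small C probe that repeats the two steps described above, unshare(CLONE_NEWNS) and then switching "/" to slave propagation, inside a forked child and reports which step fails and with which errno. The names `probe_mount_ns` and `hint`, the hint wording, and the `MS_SLAVE | MS_REC` flags are assumptions made for this illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000  /* Linux value, in case <sched.h> hid it */
#endif
int unshare(int flags);         /* same prototype as glibc's */
enum { STEP_PROBE = -1, STEP_OK, STEP_UNSHARE, STEP_MOUNT };

/* Try both steps in a forked child so the caller's own mount namespace is
 * left alone. Returns the failing step; *err receives the child's errno. */
int probe_mount_ns(int *err) {
    int fds[2], res[2] = { STEP_OK, 0 };
    if (pipe(fds) != 0) { *err = errno; return STEP_PROBE; }
    pid_t pid = fork();
    if (pid == 0) {
        if (unshare(CLONE_NEWNS) != 0) { res[0] = STEP_UNSHARE; res[1] = errno; }
        /* MS_SLAVE | MS_REC is assumed; the mail only says "slave mode". */
        else if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) != 0) { res[0] = STEP_MOUNT; res[1] = errno; }
        _exit(write(fds[1], res, sizeof res) == (ssize_t)sizeof res ? 0 : 1);
    }
    close(fds[1]);
    /* A failed fork, or a child killed before it could report, ends up here. */
    if (pid < 0 || read(fds[0], res, sizeof res) != (ssize_t)sizeof res) { res[0] = STEP_PROBE; res[1] = EIO; }
    close(fds[0]);
    if (pid > 0) waitpid(pid, NULL, 0);
    *err = res[1];
    return res[0];
}

/* Hypothetical triage hints; they suggest where to look, nothing more. */
const char *hint(int step, int err) {
    if (step == STEP_OK) return "both steps succeed here";
    if (step == STEP_PROBE) return "probe could not run";
    if (err == EACCES) return "Permission denied: look for an LSM (e.g. AppArmor) denial in the host log";
    if (err == EPERM) return "Operation not permitted: CAP_SYS_ADMIN is probably missing";
    return "unexpected errno";
}

int main(void) {
    int err, step = probe_mount_ns(&err);
    printf("step %d, errno %d (%s): %s\n", step, err, strerror(err), hint(step, err));
    return step == STEP_OK ? 0 : 1;
}
```

Run it as root inside the container: step 1 is the unshare call and step 2 the remount, so a step 2 failure with "Permission denied" matches the libvirt error quoted above.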



