On Thu, 22 Aug 2019 at 05:34, Daniel P. Berrangé <berrange@redhat.com> wrote:
On Wed, Aug 21, 2019 at 09:34:05PM +0300, Roman Bolshakov wrote:
On Wed, Aug 21, 2019 at 05:55:51PM +0100, Daniel P. Berrangé wrote:
On Wed, Aug 21, 2019 at 12:47:03PM -0400, Marcus Furlong wrote:
On Wed, 21 Aug 2019 at 08:23, Daniel P. Berrangé <berrange@redhat.com> wrote:
On Tue, Aug 20, 2019 at 11:11:07AM -0400, Marcus Furlong wrote:
Resend to libvir-list in case that is more appropriate:
Hi,
I get the following error when running libvirtd on MacOS as root:
2019-07-11 00:12:33.673+0000: 123145573953536: error : qemuProcessQMPLaunch:8501 : internal error: Failed to start QEMU binary /usr/local/bin/qemu-system-x86_64 for probing: libvirt: error : cannot set supplemental groups: Invalid argument
Are you able to run 'strace' (or whatever MacOS eqiuv is) to see the values passed to setgroups when it fails ?
I ran `dtruss -f -l -s /usr/local/sbin/libvirtd` but the setgroups calls seem to be missing.
Looking at other sources, it seems like some have special treatment of setgroups on MacOS, e.g. samba:
https://github.com/samba-team/samba/blob/v4-11-stable/source3/smbd/sec_ctx.c...
Perhaps this is needed for libvirt?
The capping of ngroups to NGROUPS_MAX looks like a possibe reason.
Adding this debug might show us if we're exceeding it:
diff --git a/src/util/virutil.c b/src/util/virutil.c index 89d2cf011f..effc02b898 100644 --- a/src/util/virutil.c +++ b/src/util/virutil.c @@ -1043,6 +1043,7 @@ virSetUIDGID(uid_t uid, gid_t gid, gid_t *groups ATTRIBUTE_UNUSED, }
# if HAVE_SETGROUPS + VIR_DEBUG("setgroups %d max %d", ngroups, NGROUPS_MAX); if (gid != (gid_t)-1 && setgroups(ngroups, groups) < 0) { virReportSystemError(errno, "%s", _("cannot set supplemental groups"));
Yes, there's an overflow: 2019-08-21 18:25:37.943+0000: 123145413914624: debug : virSetUIDGID:1046 : setgroups 23 max 16
Related samba ticket (it also has references to the python and dovecot issues): https://bugzilla.samba.org/show_bug.cgi?id=8773
The quick hack is to simply truncate groups to NGROUPS_MAX.
Reading that bug, the proper fix looks quite alot more complex
Just to confirm that the root cause of the issue was the above block, I bypassed the HAVE_SETGROUPS section completely on Darwin, and things work as expected. Where would be an appropriate place to track this bug? Marcus. -- Marcus Furlong