4:21 a.m.
Hi folks,
Since I have moved the image file of a domain to an NFS
partition I get an error message at start time:
# virsh start mydomain
error: Failed to start domain mydomain
error: unable to set security context '110:140' on
'/storage/mydomain/vda.img': Invalid argument
The /storage partition is mounted with these options:
# cat /proc/mounts | grep /storage
nasl002:/storage/ /storage nfs4
rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=172.19.96.31,addr=172.19.96.213
0 0
If I use a local disk instead, then there is no such
problem.
libvirt is version 0.7.7-4, as included with Debian.
Any helpful comment would be highly appreciated.
Regards
Harri
5:48 a.m.
PS #1: same problem with libvirt 0.8.0
PS #2: there is no Kerberos installed on NFS client or server
Regards
Harri
3:06 p.m.
Harald Dunkel wrote:
Hi folks,
Since I have moved the image file of a domain to an NFS
partition I get an error message at start time:
# virsh start mydomain
error: Failed to start domain mydomain
error: unable to set security context '110:140' on
'/storage/mydomain/vda.img': Invalid argument
What is security_driver set to in /etc/libvirt/qemu.conf?
It appears to be the security driver trying to update the security
context stored on the filesystem as an extended attribute. The NFS v4
filesystem currently lacks extended attribute support. Without extended
attributes there isn't a place to store the security context associated
with the image file, hence the error.
I've CC'd James Morris who, in addition to working on the original
libvirt security driver implementation, happens to be spearheading the
NFS xattr support. Hopefully he can provide some more information.
The /storage partition is mounted with these options:
# cat /proc/mounts | grep /storage
nasl002:/storage/ /storage nfs4
rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=172.19.96.31,addr=172.19.96.213
0 0
If I use a local disk instead, then there is no such
problem.
The fact that it works on local disk is likely attributable to the local
filesystem supporting extended attributes. Examples of these
filesystems include ext2/3/4 and xfs.
libvirt is version 0.7.7-4, as included with Debian.
Any helpful comment would be highly appreciated.
Out of curiosity, are you using the SELinux support in Debian?
--Spencer
Regards
Harri
6:16 p.m.
On Thu, 15 Apr 2010, Spencer Shimko wrote:
Harald Dunkel wrote:
> Hi folks,
>
> Since I have moved the image file of a domain to an NFS
> partition I get an error message at start time:
>
> # virsh start mydomain
> error: Failed to start domain mydomain
> error: unable to set security context '110:140' on
> '/storage/mydomain/vda.img': Invalid argument
What is security_driver set to in /etc/libvirt/qemu.conf?
It appears to be the security driver trying to update the security context
stored on the filesystem as an extended attribute. The NFS v4 filesystem
currently lacks extended attribute support. Without extended attributes there
isn't a place to store the security context associated with the image file,
hence the error.
I've CC'd James Morris who, in addition to working on the original libvirt
security driver implementation, happens to be spearheading the NFS xattr
support. Hopefully he can provide some more information.
For NFSv4, we're working on adding security labeling directly to the
protocol (local SELinux xattrs will be transported with this new
protocol). The IETF process is slowing it down significantly.
Because of this, I'm adding a simple xattr protocol to NFSv3, which should
allow for server storage/retrieval of SELinux labels (but without
security enforcement on the server). Currently trying to get some
technical issues agreed upon upstream and also now wiring up SELinux to
the current code. We're hoping to see this in RHEL 6.x.
>
> The /storage partition is mounted with these options:
>
> # cat /proc/mounts | grep /storage
> nasl002:/storage/ /storage nfs4
>
rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=172.19.96.31,addr=172.19.96.213
> 0 0
>
> If I use a local disk instead, then there is no such
> problem.
The fact that it works on local disk is likely attributable to the local
filesystem supporting extended attributes. Examples of these filesystems
include ext2/3/4 and xfs.
>
> libvirt is version 0.7.7-4, as included with Debian.
> Any helpful comment would be highly appreciated.
Out of curiosity, are you using the SELinux support in Debian?
--Spencer
>
>
> Regards
>
> Harri
>
--
James Morris
<jmorris(a)redhat.com>
1:58 a.m.
Hi folks,
On 04/15/10 22:06, Spencer Shimko wrote:
What is security_driver set to in /etc/libvirt/qemu.conf?
It is not set at all. AFAICS there is no man page for qemu.conf,
but according to KISS I had assumed that the security_driver
stuff is disabled by default. Is it?
Out of curiosity, are you using the SELinux support in Debian?
For both NFS client and server:
selinux is enabled in the kernel. Debian's libselinux1 package
is installed, too, because it seems to be an essential dependency
for other packages. There are no selinux policies set up, and the
selinux-basics package is not installed, either.
Would you suggest to rebuild the kernel without selinux?
BTW, the NFS server uses reiserfs for its exported partitions.
Regards
Harri
9:38 a.m.
Harald Dunkel wrote:
Hi folks,
On 04/15/10 22:06, Spencer Shimko wrote:
> What is security_driver set to in /etc/libvirt/qemu.conf?
>
>
It is not set at all. AFAICS there is no man page for qemu.conf,
but according to KISS I had assumed that the security_driver
stuff is disabled by default. Is it?
According to the comments in qemu.conf on Fedora, if SELinux is enabled
on the host then security_driver defaults to selinux. This is probably
the case on Debian too.
> Out of curiosity, are you using the SELinux support in Debian?
>
>
For both NFS client and server:
selinux is enabled in the kernel. Debian's libselinux1 package
is installed, too, because it seems to be an essential dependency
for other packages. There are no selinux policies set up, and the
selinux-basics package is not installed, either.
Would you suggest to rebuild the kernel without selinux?
Run /usr/sbin/sestatus to reliably check the status of SELinux on your
system. If it reports "SELinux status: enabled" try setting the
security_driver field to "none".
--Spencer
(Apologies for any thread butchery that has occurred. My initial
response was from the wrong email account and didn't hit the list as a
result.)
BTW, the NFS server uses reiserfs for its exported partitions.
Regards
Harri
5503
days inactive
5504
days old
5 comments
4 participants
participants (4)
-
Harald Dunkel -
James Morris -
Spencer Shimko -
Spencer Shimko