[libvirt-users] trouble after upgrading from 3.0.0 to 3.1.0

HI!
After the last OS update (openSUSE Tumbleweed) with libvirt being updated from 3.0.0 to 3.1.0 starting the VMs (qemu-kvm) does not work anymore:
error: internal error: child reported: Kernel does not provide mount namespace: Permission denied
Kernel was updated before to 4.10.1 and worked just fine with libvirt 3.0.0 packages.
Any clue how to work around that?
Ciao, Michael.

On 03/14/2017 10:51 AM, Michael Ströder wrote:
> HI!
> After the last OS update (openSUSE Tumbleweed) with libvirt being updated from 3.0.0 to 3.1.0 starting the VMs (qemu-kvm) does not work anymore:
> error: internal error: child reported: Kernel does not provide mount namespace: Permission denied
Hey, this is definitely a libvirt bug. Since 3.1.0 libvirt spawns each qemu in its own mount namespace so that it can have private /dev mount. I've heard that there are some issues with AppArmor - is that what you are using?
Can you try the current git HEAD - there were some fixes applied after 3.1.0 release.
Meanwhile, you can disable namespaces by setting:
namespaces=[]
in qemu.conf. However, that should be just a temporary solution until we fix all the bugs.
Michal

Michal Privoznik wrote:
> On 03/14/2017 10:51 AM, Michael Ströder wrote:
>> HI!
>> After the last OS update (openSUSE Tumbleweed) with libvirt being updated from 3.0.0 to 3.1.0 starting the VMs (qemu-kvm) does not work anymore:
>> error: internal error: child reported: Kernel does not provide mount namespace: Permission denied
> Hey, this is definitely a libvirt bug. Since 3.1.0 libvirt spawns each qemu in its own mount namespace so that it can have private /dev mount. I've heard that there are some issues with AppArmor - is that what you are using?
Hmm, yes. I was using AppArmor. Disabling it helped. I will point the author of the AppArmor profiles in this direction.
> Meanwhile, you can disable namespaces by setting:
> namespaces=[]
> in qemu.conf.
Only setting this did not help.
Ciao, Michael.

On 03/14/2017 05:03 PM, Michael Ströder wrote:
> Michal Privoznik wrote:
>> On 03/14/2017 10:51 AM, Michael Ströder wrote:
>>> HI!
>>> After the last OS update (openSUSE Tumbleweed) with libvirt being updated from 3.0.0 to 3.1.0 starting the VMs (qemu-kvm) does not work anymore:
>>> error: internal error: child reported: Kernel does not provide mount namespace: Permission denied
>> Hey, this is definitely a libvirt bug. Since 3.1.0 libvirt spawns each qemu in its own mount namespace so that it can have private /dev mount. I've heard that there are some issues with AppArmor - is that what you are using?
> Hmm, yes. I was using AppArmor. Disabling it helped. I will point the author of the AppArmor profiles in this direction.
Yeah, I still know that AppArmor is preventing our namespaces code from working properly. Unfortunately, I don't know much about it, and certainly not enough to fix it. But maybe I can find somebody who does.
>> Meanwhile, you can disable namespaces by setting:
>> namespaces=[]
>> in qemu.conf.
> Only setting this did not help.
Have you restarted libvirtd afterwards? Maybe I should have written that explicitly instead of assuming it.
Also, this is meant as a temporary workaround. Disabling namespaces does not enable the full security features. Ideally, users would use namespaces without even noticing it.
Michal

Michal Privoznik wrote:
> On 03/14/2017 05:03 PM, Michael Ströder wrote:
>> Michal Privoznik wrote:
>>> Meanwhile, you can disable namespaces by setting:
>>> namespaces=[]
>>> in qemu.conf.
>> Only setting this did not help.
> Have you restarted libvirtd afterwards?
Yes.
> Also, this is meant as a temporary workaround. Disabling namespaces does not enable the full security features.
Ok, noted.
Ciao, Michael.
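
Added example, not from the thread or from libvirt itself: a shell check for whether the namespaces=[] workaround discussed above is still set in a qemu.conf file, plus a helper that reads a process's AppArmor label. The function names are hypothetical, the sample config is constructed, and /etc/libvirt/qemu.conf is assumed to be the usual default path.

```shell
#!/bin/sh
# Added example (not libvirt code): report whether the qemu.conf "namespaces"
# workaround from this thread is active, and read a process's AppArmor label.

# Effective setting from a qemu.conf-style file. Assumptions: the list sits on
# one line, and if the key appears more than once the last line is reported.
#   default  = no uncommented "namespaces" line
#   disabled = empty list, i.e. namespaces=[]
#   else     = the list contents with quotes and blanks stripped, e.g. mount
qemu_namespaces_setting() {
    line=$(grep -E '^[[:space:]]*namespaces[[:space:]]*=' "$1" 2>/dev/null | tail -n 1)
    if [ -z "$line" ]; then echo default; return 0; fi
    items=$(printf '%s\n' "$line" | sed -e 's/^[^[]*\[//' -e 's/].*$//' | tr -d '" \t')
    if [ -z "$items" ]; then echo disabled; else echo "$items"; fi
}

# AppArmor label of PID $1, read from ${2:-/proc}/PID/attr/current.
# Prints "unknown" when the file cannot be read.
apparmor_label() {
    cat "${2:-/proc}/$1/attr/current" 2>/dev/null || echo unknown
}

# One-line verdict for a config file.
audit_namespaces() {
    case $(qemu_namespaces_setting "$1") in
        disabled) echo "WARN: namespaces=[] set in $1; private /dev isolation is off" ;;
        default)  echo "OK: no override in $1; libvirt's built-in default applies" ;;
        *mount*)  echo "OK: mount namespace explicitly enabled in $1" ;;
        *)        echo "WARN: 'mount' missing from namespaces list in $1" ;;
    esac
}

# Constructed sample: a commented-out default followed by the workaround line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#namespaces = [ "mount" ]
namespaces=[]
EOF
audit_namespaces "$sample"
rm -f "$sample"

# On a real host (assumed default path; adjust as needed):
#   audit_namespaces /etc/libvirt/qemu.conf
#   apparmor_label "$(pidof libvirtd)"
```

As both messages above note, a changed qemu.conf only takes effect after libvirtd is restarted, so the file's contents and the running daemon's behaviour can differ until then.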

participants (2): Michael Ströder, Michal Privoznik