Sorry, “There is avc error messages in dmesg ……” should be “There is no avc error……”.
From: Huang,Chaochang
Sent: April 25, 2013 15:41
To: 'libvir-list@redhat.com'; 'libvirt-us...@redhat.com'
Subject: libvirt_lxc start problem when selinux enabled
Hi, all:
The problem came out when SELinux was enforced in targeted+MCS.
I start the LXC guest through virsh: “virsh -c lxc:/// start instance-4bd6”
1. When SELinux is Permissive, the LXC start is ok.
The result of “ps auxZ” is:
system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 root 19218 0.0 0.0 47624 1244 ? Ss 15:26 0:00 /usr/libexec/libvirt_lxc --name
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19219 0.3 0.0 19276 1532 ? Ss 15:26 0:00 /sbin/init
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19406 0.0 0.0 177444 1332 ? Sl 15:26 0:00 /sbin/rsyslogd -i /var/run/sysl
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19420 0.0 0.0 64120 1144 ? Ss 15:26 0:00 /usr/sbin/sshd
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19427 0.0 0.0 22136 956 ? Ss 15:26 0:00 xinetd -stayalive -pidfile /var
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19434 0.0 0.0 64316 832 ? Ss 15:26 0:00 /usr/sbin/saslauthd -m /var/run
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19435 0.0 0.0 64316 600 ? S 15:26 0:00 /usr/sbin/saslauthd -m /var/run
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19450 0.0 0.0 82388 2392 ? Ss 15:26 0:00 sendmail: rejecting new message
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 51 19459 0.0 0.0 78116 2016 ? Ss 15:26 0:00 sendmail: Queue runner@01:00:00
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19467 0.0 0.0 175528 3672 ? Ss 15:26 0:00 /usr/sbin/httpd
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 48 19470 0.0 0.0 175528 2204 ? S 15:26 0:00 /usr/sbin/httpd
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19475 0.0 0.0 117212 1348 ? Ss 15:26 0:00 crond
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19491 0.0 0.0 4108 600 pts/0 Ss+ 15:26 0:00 /sbin/mingetty /dev/tty1
We can get into the LXC guest through “ssh”.
2. When SELinux is Enforcing, the LXC start is bad.
The result of “ps auxZ” is:
system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 root 20624 0.0 0.0 47624 1244 ? Ss 15:29 0:00 /usr/libexec/libvirt_lxc --name
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 20625 0.0 0.0 17172 1036 pts/0 Ss+ 15:29 0:00 /sbin/init
Only the /sbin/init process started, nothing else. This is the real problem.
There are avc error messages in dmesg, /var/log/messages and /var/log/secure, and the same when SELinux is Permissive.
Can anybody give some hints?
Here is some system information:
Kernel version: 3.3.4
Libvirt version: 0.9.13
LXC guest image: CentOS 6.3
The LXC XML info is:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh edit instance-4bd6
or other application using the libvirt API.
-->
<domain type='lxc'>
  <name>instance-4bd6</name>
  <uuid>96eada0e-7ea0-4865-8271-3565811c8eb0</uuid>
  <memory unit='KiB'>524288</memory>
  <currentMemory unit='KiB'>524288</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/sbin/init</init>
    <cmdline>console=ttyS0</cmdline>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/home/stack/nova_state/instances/instance-4bd6/rootfs'/>
      <target dir='/'/>
    </filesystem>
    <interface type='bridge'>
      <mac address='fa:16:3e:09:00:a2'/>
      <source bridge='br100'/>
      <filterref filter='nova-instance-instance-4bd6-fa163e0900a2'>
        <parameter name='DHCPSERVER' value='10.0.0.1'/>
        <parameter name='IP' value='10.0.0.11'/>
        <parameter name='PROJMASK' value='255.255.254.0'/>
        <parameter name='PROJNET' value='10.0.0.0'/>
      </filterref>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
  <seclabel type='static' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_lxc_net_t:s0:c192,c392</label>
  </seclabel>
</domain>
Best Regards
Huangchaochang
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
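Added illustration, not part of this thread: a small Python checker that reads the static `<seclabel>` from the domain XML and cross-references it against a `ps auxZ` listing, so the healthy Permissive start (many services under the guest's svirt_lxc_net_t label) can be told apart from the Enforcing case reported above (only /sbin/init survives), and so processes that carry the confined type but a different MCS category pair are flagged. The XML fragment and the ps lines below are constructed from the values quoted in the mail; the function names are this example's own. One caveat a practitioner would add when a confined domain fails under Enforcing with nothing in the audit log: dontaudit rules silence many denials, and `semodule -DB` rebuilds the policy with them disabled (`semodule -B` restores them) so `ausearch -m avc` can show what was blocked.

```python
"""Cross-check a libvirt LXC guest's SELinux label against `ps auxZ` output.

Sample data is constructed from the values quoted in the mailing-list report;
nothing here is libvirt's own code.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed: the relevant part of the guest's domain XML.
DOMAIN_XML = """<domain type='lxc'>
  <name>instance-4bd6</name>
  <seclabel type='static' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_lxc_net_t:s0:c192,c392</label>
  </seclabel>
</domain>"""

# Constructed: abridged `ps auxZ` rows from the Permissive (healthy) run.
PS_PERMISSIVE = """\
system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 root 19218 0.0 0.0 47624 1244 ? Ss 15:26 0:00 /usr/libexec/libvirt_lxc --name
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19219 0.3 0.0 19276 1532 ? Ss 15:26 0:00 /sbin/init
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19420 0.0 0.0 64120 1144 ? Ss 15:26 0:00 /usr/sbin/sshd
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 48 19470 0.0 0.0 175528 2204 ? S 15:26 0:00 /usr/sbin/httpd
"""

# Constructed: the Enforcing run, where only init came up.
PS_ENFORCING = """\
system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 root 20624 0.0 0.0 47624 1244 ? Ss 15:29 0:00 /usr/libexec/libvirt_lxc --name
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 20625 0.0 0.0 17172 1036 pts/0 Ss+ 15:29 0:00 /sbin/init
"""


def expected_label(domain_xml: str) -> str:
    """Return the static SELinux label declared under <seclabel model='selinux'>."""
    root = ET.fromstring(domain_xml)
    label = root.find("./seclabel[@model='selinux']/label")
    if label is None or not label.text:
        raise ValueError("domain XML has no static selinux <label>")
    return label.text.strip()


def parse_ps_z(ps_text: str) -> List[Dict[str, str]]:
    """Split `ps auxZ` rows: LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME CMD."""
    rows = []
    for line in ps_text.splitlines():
        parts = line.split(None, 11)  # 11 fixed columns; the command keeps its spaces
        if len(parts) < 12 or not parts[2].isdigit():
            continue  # header line or a truncated row
        rows.append({"label": parts[0], "user": parts[1], "pid": parts[2], "cmd": parts[11]})
    return rows


def split_context(label: str) -> Dict[str, str]:
    """Break user:role:type:mls apart; the MLS/MCS field itself may contain ':'."""
    user, role, typ, mls = label.split(":", 3)
    return {"user": user, "role": role, "type": typ, "mls": mls}


def guest_report(domain_xml: str, ps_text: str) -> Dict[str, object]:
    """Summarise which processes run under the guest label and whether only init is up."""
    want = expected_label(domain_xml)
    want_type = split_context(want)["type"]
    rows = parse_ps_z(ps_text)
    inside = [r for r in rows if r["label"] == want]
    # Same confined type but other MCS categories points at a label mix-up between
    # guests (or a relabel that did not take), so report those separately.
    wrong_cats = [r for r in rows
                  if split_context(r["label"])["type"] == want_type and r["label"] != want]
    cmds = [r["cmd"].split()[0] for r in inside]
    return {
        "label": want,
        "guest_pids": [r["pid"] for r in inside],
        "commands": cmds,
        "mislabelled_pids": [r["pid"] for r in wrong_cats],
        "only_init": cmds == ["/sbin/init"],
    }


if __name__ == "__main__":
    for mode, ps in (("Permissive", PS_PERMISSIVE), ("Enforcing", PS_ENFORCING)):
        rep = guest_report(DOMAIN_XML, ps)
        state = ("only /sbin/init is running" if rep["only_init"]
                 else "%d guest processes running" % len(rep["guest_pids"]))
        print("%s: %s: %s" % (mode, rep["label"], state))
```

Run it as-is to see the two constructed runs summarised; against a live host, feed `virsh dumpxml <name>` and `ps auxZ` output into `guest_report` instead of the constructed strings.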