David Kang
2012-Jul-24 20:08 UTC
[libvirt-users] How can I make sVirt work with LXC (libvirt-0.9.13)?
Hi,

I've installed libvirt-0.9.13 on RHEL6.2 from the source code.
I cannot make sVirt work with LXC. (sVirt works well with KVM, though.)
I can start an LXC instance, but the label of the process is not right.
Can someone help me?
I tried to change the /etc/libvirtd/lxc.conf file to explicitly enable security_driver = "selinux".
But it ends up with an error saying "error : virSecurityDriverLookup:74 : internal error Security driver selinux not found".
SELinux is in a permissive mode but is not enforcing.

The current situation is as follows:

* The label of an LXC container is not properly done:

$ ps auxZ | grep lxc
unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 root 27998 0.0 0.0 34716 1160 ? Ss 11:54 0:00 /usr/libexec/libvirt_lxc --name instance-0000001f --console 16 --security=none --handshake 19 --background --veth veth1

* This is the label of the libvirtd process:

$ ps auxZ | grep libvirtd
unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 root 27376 0.1 0.0 919052 5324 ? Sl 11:51 0:00 libvirtd --daemon

* Here is the xml file that I used to run the LXC instance, which was generated by OpenStack:

<domain type="lxc">
  <uuid>621adc56-2103-465c-bafd-1d0b51bea3a0</uuid>
  <name>instance-0000001f</name>
  <memory>2097152</memory>
  <vcpu>1</vcpu>
  <os>
    <type>exe</type>
    <cmdline>console=ttyS0</cmdline>
    <init>/sbin/init</init>
  </os>
  <clock offset="utc"/>
  <devices>
    <filesystem type="mount">
      <source dir="/usr/local/nova/instances/instance-0000001f/rootfs"/>
      <target dir="/"/>
    </filesystem>
    <interface type="bridge">
      <mac address="fa:16:3e:1e:33:f4"/>
      <model type="virtio"/>
      <source bridge="br100"/>
      <filterref filter="nova-instance-instance-0000001f-fa163e1e33f4">
        <parameter name="IP" value="10.0.0.4"/>
        <parameter name="DHCPSERVER" value="10.0.0.3"/>
        <parameter name="PROJNET" value="10.0.0.0"/>
        <parameter name="PROJMASK" value="255.255.0.0"/>
      </filterref>
    </interface>
    <console type="pty"/>
  </devices>
</domain>

* sVirt works well with KVM, as shown below:

$ ps auxZ | grep qemu
system_u:system_r:svirt_t:s0:c128,c132 root 22710 6.9 0.2 895040 34332 ? Sl 11:17 0:07 /usr/libexec/qemu-kvm -name instance-0000001b -S -M pc-0.14 -cpu core2duo,+lahf_lm,+dca,+pdcm,+xtpr,+cx16,+tm2,+est,+vmx,+ds_cpl,+dtes64,+pbe,+tm,+ht,+ss,+acpi,+ds -enable-kvm -m 512 -smp 1,sockets=1,cores=1,threads=1 -uuid 12716b13-001c-40de-9537-ca847aead70b -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/instance-0000001b.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -no-kvm-pit-reinjection -kernel /usr/local/nova/instances/instance-0000001b/kernel -initrd /usr/local/nova/instances/instance-0000001b/ramdisk -append root=/dev/vda console=ttyS0 -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/usr/local/nova/instances/instance-0000001b/disk,if=none,id=drive-virtio-disk0,format=qcow2,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,fd=17,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=fa:16:3e:7a:5e:b6,bus=pci.0,addr=0x3 -chardev file,id=charserial0,path=/usr/local/nova/instances/instance-0000001b/console.log -device isa-serial,chardev=charserial0,id=serial0 -chardev pty,id=charserial1 -device isa-serial,chardev=charserial1,id=serial1 -device usb-tablet,id=input0 -vnc 127.0.0.1:0 -k en-us -vga cirrus -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5

Thanks,
David

----------------------
Dr. Dong-In "David" Kang
Computer Scientist
USC/ISI
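The two `ps auxZ` listings in the message above show exactly what an operator should be checking for: the LXC container runs under the daemon's own virtd_t type with the full s0-s0:c0.c1023 range and was started with --security=none, while the KVM guest carries svirt_t with its own MCS category pair. The script below is an added example, not code from libvirt or from the poster; it parses lines in the `ps auxZ` column layout and flags guest processes that lack that confinement. The sample lines are constructed from the values quoted in the thread plus one invented second KVM guest that reuses the same categories; the LXC type name svirt_lxc_net_t is taken from the reference policy and is an assumption that may not match every policy version.

```python
"""Audit libvirt guest processes for sVirt confinement using `ps auxZ` output.

Added example for this thread; not code from libvirt or the original poster.
Reads lines in the layout printed by `ps auxZ`
(LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND) and reports
libvirt_lxc / qemu processes that:
  * run under the daemon's own type (virtd_t) instead of an sVirt type,
  * were launched with --security=none,
  * carry no per-guest MCS categories, or
  * share their MCS categories with another guest.
"""
import subprocess
import sys

# Types that show libvirt applied per-guest confinement. svirt_t is the
# QEMU/KVM guest type; svirt_lxc_net_t is the LXC container type in the
# reference policy (assumption: the name can differ between policy versions).
SVIRT_TYPES = {"svirt_t", "svirt_lxc_net_t"}

# Basename prefixes of the processes libvirt starts for guests.
GUEST_BINARIES = ("libvirt_lxc", "qemu-kvm", "qemu-system-")

# Constructed sample: the first three lines use the values quoted in the
# thread; the last line is an invented second KVM guest with the same
# categories as instance-0000001b.
SAMPLE_PS = """\
LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 root 27376 0.1 0.0 919052 5324 ? Sl 11:51 0:00 libvirtd --daemon
unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 root 27998 0.0 0.0 34716 1160 ? Ss 11:54 0:00 /usr/libexec/libvirt_lxc --name instance-0000001f --console 16 --security=none --handshake 19 --background --veth veth1
system_u:system_r:svirt_t:s0:c128,c132 root 22710 6.9 0.2 895040 34332 ? Sl 11:17 0:07 /usr/libexec/qemu-kvm -name instance-0000001b -S -M pc-0.14
system_u:system_r:svirt_t:s0:c128,c132 root 22711 1.0 0.2 895040 34332 ? Sl 11:18 0:01 /usr/libexec/qemu-kvm -name instance-0000001c -S -M pc-0.14
"""


def parse_ps_line(line):
    """Split one `ps auxZ` line into label, type, pid and command (None if not a process line)."""
    parts = line.split(None, 11)
    if len(parts) < 12 or not parts[2].isdigit():
        return None
    ctx = parts[0].split(":", 3)  # user:role:type:level
    if len(ctx) < 3:
        return None
    return {"label": parts[0], "type": ctx[2], "pid": int(parts[2]), "cmd": parts[11]}


def mcs_categories(label):
    """Return the MCS categories of a label (e.g. 'c128,c132'), or None when the
    label carries a sensitivity range such as s0-s0:c0.c1023 or has no
    categories at all; neither gives a guest a compartment of its own."""
    ctx = label.split(":", 3)
    if len(ctx) < 4 or "-" in ctx[3]:
        return None
    level = ctx[3].split(":", 1)  # 's0' or 's0:c128,c132'
    return level[1] if len(level) == 2 else None


def is_guest_process(cmd):
    """True if argv[0] is one of the binaries libvirt launches per guest."""
    argv0 = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
    return any(argv0.startswith(b) for b in GUEST_BINARIES)


def audit_ps_output(text):
    """Return {pid: [finding, ...]} for guest processes that are not properly confined."""
    findings = {}
    owner_of_categories = {}
    for line in text.splitlines():
        proc = parse_ps_line(line)
        if proc is None or not is_guest_process(proc["cmd"]):
            continue
        problems = []
        if proc["type"] not in SVIRT_TYPES:
            problems.append("not_svirt_type")
        if "--security=none" in proc["cmd"].split():
            problems.append("security_none")
        cats = mcs_categories(proc["label"])
        if cats is None:
            problems.append("no_mcs_categories")
        elif cats in owner_of_categories:
            problems.append("shared_categories")
        else:
            owner_of_categories[cats] = proc["pid"]
        if problems:
            findings[proc["pid"]] = problems
    return findings


def main():
    if len(sys.argv) > 1 and sys.argv[1] == "--sample":
        text = SAMPLE_PS
    else:
        # Live run needs an SELinux-enabled host; elsewhere ps prints no LABEL column.
        text = subprocess.run(["ps", "auxZ"], capture_output=True, text=True, check=True).stdout
    result = audit_ps_output(text)
    for pid, problems in sorted(result.items()):
        print(f"pid {pid}: {', '.join(problems)}")
    return 1 if result else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run with `--sample` to see the thread's own situation reproduced: pid 27998 (libvirt_lxc) is reported for the wrong type, the --security=none flag and the missing category pair, while the invented pid 22711 is reported only for sharing its categories with pid 22710. A non-empty result is a good signal to wire into a host compliance check, since a guest that is not labelled is isolated from its neighbours by DAC alone.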
David Kang
2012-Jul-26 15:43 UTC
[libvirt-users] How can I make sVirt work with LXC (libvirt-0.9.13)?
Doesn't sVirt work for LXC when selinux_lxc_contexts_path() is not supported by libselinux?

Thanks,
David

----------------------
Dr. Dong-In "David" Kang
Computer Scientist
USC/ISI

----- Original Message -----
> Hi,
>
> I've installed libvirt-0.9.13 on RHEL6.2 from the source code.
> I cannot make sVirt working with LXC. (sVirt works well with KVM, though.)
> I can start an LXC instance, but the label of the process is not right.
> Can someone help me?
> I tried to change /etc/libvirtd/lxc.conf file to explicitly enable security_driver = "selinux".
> But it ends up with error saying "error : virSecurityDriverLookup:74 : internal error Security driver selinux not found".
> SELinux is in a permissive mode but is not enforcing.
>
> The current situation is as follows:
>
> * The label of an LXC container is not properly done:
>
> $ ps auxZ | grep lxc
> unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 root 27998 0.0 0.0 34716 1160 ? Ss 11:54 0:00 /usr/libexec/libvirt_lxc --name instance-0000001f --console 16 --security=none --handshake 19 --background --veth veth1
>
> * This is the label of libvirtd process:
>
> $ ps auxZ | grep libvirtd
> unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 root 27376 0.1 0.0 919052 5324 ? Sl 11:51 0:00 libvirtd --daemon
>
> * Here is the xml file that I used to run LXC instance, which was generated by OpenStack:
>
> <domain type="lxc">
>   <uuid>621adc56-2103-465c-bafd-1d0b51bea3a0</uuid>
>   <name>instance-0000001f</name>
>   <memory>2097152</memory>
>   <vcpu>1</vcpu>
>   <os>
>     <type>exe</type>
>     <cmdline>console=ttyS0</cmdline>
>     <init>/sbin/init</init>
>   </os>
>   <clock offset="utc"/>
>   <devices>
>     <filesystem type="mount">
>       <source dir="/usr/local/nova/instances/instance-0000001f/rootfs"/>
>       <target dir="/"/>
>     </filesystem>
>     <interface type="bridge">
>       <mac address="fa:16:3e:1e:33:f4"/>
>       <model type="virtio"/>
>       <source bridge="br100"/>
>       <filterref filter="nova-instance-instance-0000001f-fa163e1e33f4">
>         <parameter name="IP" value="10.0.0.4"/>
>         <parameter name="DHCPSERVER" value="10.0.0.3"/>
>         <parameter name="PROJNET" value="10.0.0.0"/>
>         <parameter name="PROJMASK" value="255.255.0.0"/>
>       </filterref>
>     </interface>
>     <console type="pty"/>
>   </devices>
> </domain>
>
> * Svirt works well with KVM as is shown below:
>
> $ ps auxZ | grep qemu
> system_u:system_r:svirt_t:s0:c128,c132 root 22710 6.9 0.2 895040 34332 ? Sl 11:17 0:07 /usr/libexec/qemu-kvm -name instance-0000001b -S -M pc-0.14 -cpu core2duo,+lahf_lm,+dca,+pdcm,+xtpr,+cx16,+tm2,+est,+vmx,+ds_cpl,+dtes64,+pbe,+tm,+ht,+ss,+acpi,+ds -enable-kvm -m 512 -smp 1,sockets=1,cores=1,threads=1 -uuid 12716b13-001c-40de-9537-ca847aead70b -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/instance-0000001b.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -no-kvm-pit-reinjection -kernel /usr/local/nova/instances/instance-0000001b/kernel -initrd /usr/local/nova/instances/instance-0000001b/ramdisk -append root=/dev/vda console=ttyS0 -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/usr/local/nova/instances/instance-0000001b/disk,if=none,id=drive-virtio-disk0,format=qcow2,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,fd=17,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=fa:16:3e:7a:5e:b6,bus=pci.0,addr=0x3 -chardev file,id=charserial0,path=/usr/local/nova/instances/instance-0000001b/console.log -device isa-serial,chardev=charserial0,id=serial0 -chardev pty,id=charserial1 -device isa-serial,chardev=charserial1,id=serial1 -device usb-tablet,id=input0 -vnc 127.0.0.1:0 -k en-us -vga cirrus -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
>
> Thanks,
> David
>
> ----------------------
> Dr. Dong-In "David" Kang
> Computer Scientist
> USC/ISI