"hzguanqiang"<hzguanqiang@corp.netease.com>
2013-Jul-30 09:49 UTC
[libvirt-users] lxc-enter-namespace error: security model cannot be entered.
Hi Guys,

I started an lxc container with libvirt on the Ubuntu operating system, and succeeded in using lxc-enter-namespace to enter the namespaces and security context of the container. But when I do the same thing on Debian OS, it reports an error, with details as follows:

root@debian:/etc# vir list
 Id    Name                           State
----------------------------------------------------
 4424  instance-00000007              running
 25913 instance-00000008              running

root@debian:/etc# vir dumpxml 4424
<domain type='lxc' id='4424'>
  <name>instance-00000007</name>
  <uuid>f1ce5360-bb5e-4cfc-b5ef-d05f8db52618</uuid>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <vcpu placement='static'>3</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/sbin/init</init>
    <cmdline>console=tty0 console=ttyS0</cmdline>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/opt/stack/data/nova/instances/f1ce5360-bb5e-4cfc-b5ef-d05f8db52618/rootfs'/>
      <target dir='/'/>
    </filesystem>
    <interface type='bridge'>
      <mac address='fa:16:3e:3a:c6:11'/>
      <source bridge='br100'/>
      <target dev='veth0'/>
      <filterref filter='nova-instance-instance-00000007-fa163e3ac611'/>
    </interface>
    <console type='pty' tty='/dev/pts/1'>
      <source path='/dev/pts/1'/>
      <target type='lxc' port='0'/>
      <alias name='console0'/>
    </console>
  </devices>
  <seclabel type='none'/>
</domain>

root@debian:/etc# vir lxc-enter-namespace 4424 /bin/sh/
libvirt: error : argument unsupported: Security model cannot be entered

Is there anything that needs to be configured in Debian OS for using the 'lxc-enter-namespace' interface?

--------------
Best regards!
GuanQiang
2013-07-30
Daniel P. Berrange
2013-Jul-30 09:52 UTC
Re: [libvirt-users] lxc-enter-namespace error: security model cannot be entered.
On Tue, Jul 30, 2013 at 05:49:28PM +0800, hzguanqiang wrote:
> Hi Guys,
> I started an lxc container with libvirt on the Ubuntu operating system, and succeeded in using lxc-enter-namespace to enter the namespaces and security context of the container. But when I do the same thing on Debian OS, it reports an error, with details as follows:
>
> root@debian:/etc# vir list
>  Id    Name                           State
> ----------------------------------------------------
>  4424  instance-00000007              running
>  25913 instance-00000008              running
>
> root@debian:/etc# vir dumpxml 4424
> <domain type='lxc' id='4424'>
>   <name>instance-00000007</name>
>   <uuid>f1ce5360-bb5e-4cfc-b5ef-d05f8db52618</uuid>
>   <memory unit='KiB'>1048576</memory>
>   <currentMemory unit='KiB'>1048576</currentMemory>
>   <vcpu placement='static'>3</vcpu>
>   <resource>
>     <partition>/machine</partition>
>   </resource>
>   <os>
>     <type arch='x86_64'>exe</type>
>     <init>/sbin/init</init>
>     <cmdline>console=tty0 console=ttyS0</cmdline>
>   </os>
>   <clock offset='utc'/>
>   <on_poweroff>destroy</on_poweroff>
>   <on_reboot>restart</on_reboot>
>   <on_crash>destroy</on_crash>
>   <devices>
>     <emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
>     <filesystem type='mount' accessmode='passthrough'>
>       <source dir='/opt/stack/data/nova/instances/f1ce5360-bb5e-4cfc-b5ef-d05f8db52618/rootfs'/>
>       <target dir='/'/>
>     </filesystem>
>     <interface type='bridge'>
>       <mac address='fa:16:3e:3a:c6:11'/>
>       <source bridge='br100'/>
>       <target dev='veth0'/>
>       <filterref filter='nova-instance-instance-00000007-fa163e3ac611'/>
>     </interface>
>     <console type='pty' tty='/dev/pts/1'>
>       <source path='/dev/pts/1'/>
>       <target type='lxc' port='0'/>
>       <alias name='console0'/>
>     </console>
>   </devices>
>   <seclabel type='none'/>
> </domain>
>
> root@debian:/etc# vir lxc-enter-namespace 4424 /bin/sh/
> libvirt: error : argument unsupported: Security model cannot be entered
>
> Is there anything that needs to be configured in Debian OS for using the 'lxc-enter-namespace' interface?

Hmm, that's a bug in virsh. As a workaround use the --noseclabel flag

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
"hzguanqiang"<hzguanqiang@corp.netease.com>
2013-Jul-30 11:25 UTC
Re: [libvirt-users] lxc-enter-namespace error: security model cannot be entered.
On 2013-07-30 17:52, "Daniel P. Berrange" <berrange@redhat.com> wrote:
>
>On Tue, Jul 30, 2013 at 05:49:28PM +0800, hzguanqiang wrote:
>> Hi Guys,
>> I started an lxc container with libvirt on the Ubuntu operating system, and succeeded in using lxc-enter-namespace to enter the namespaces and security context of the container. But when I do the same thing on Debian OS, it reports an error, with details as follows:
>>
>> root@debian:/etc# vir list
>>  Id    Name                           State
>> ----------------------------------------------------
>>  4424  instance-00000007              running
>>  25913 instance-00000008              running
>>
>> root@debian:/etc# vir dumpxml 4424
>> <domain type='lxc' id='4424'>
>>   <name>instance-00000007</name>
>>   <uuid>f1ce5360-bb5e-4cfc-b5ef-d05f8db52618</uuid>
>>   <memory unit='KiB'>1048576</memory>
>>   <currentMemory unit='KiB'>1048576</currentMemory>
>>   <vcpu placement='static'>3</vcpu>
>>   <resource>
>>     <partition>/machine</partition>
>>   </resource>
>>   <os>
>>     <type arch='x86_64'>exe</type>
>>     <init>/sbin/init</init>
>>     <cmdline>console=tty0 console=ttyS0</cmdline>
>>   </os>
>>   <clock offset='utc'/>
>>   <on_poweroff>destroy</on_poweroff>
>>   <on_reboot>restart</on_reboot>
>>   <on_crash>destroy</on_crash>
>>   <devices>
>>     <emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
>>     <filesystem type='mount' accessmode='passthrough'>
>>       <source dir='/opt/stack/data/nova/instances/f1ce5360-bb5e-4cfc-b5ef-d05f8db52618/rootfs'/>
>>       <target dir='/'/>
>>     </filesystem>
>>     <interface type='bridge'>
>>       <mac address='fa:16:3e:3a:c6:11'/>
>>       <source bridge='br100'/>
>>       <target dev='veth0'/>
>>       <filterref filter='nova-instance-instance-00000007-fa163e3ac611'/>
>>     </interface>
>>     <console type='pty' tty='/dev/pts/1'>
>>       <source path='/dev/pts/1'/>
>>       <target type='lxc' port='0'/>
>>       <alias name='console0'/>
>>     </console>
>>   </devices>
>>   <seclabel type='none'/>
>> </domain>
>>
>> root@debian:/etc# vir lxc-enter-namespace 4424 /bin/sh/
>> libvirt: error : argument unsupported: Security model cannot be entered
>>
>> Is there anything that needs to be configured in Debian OS for using the 'lxc-enter-namespace' interface?
>
>Hmm, that's a bug in virsh. As a workaround use the --noseclabel flag

Well, Daniel. I succeeded in trying 'lxc-enter-namespace' with the --noseclabel flag to get the disk space info of the lxc container. But the result is not what it might be. The operations I did are just as follows:

root@debian:~# vir version
Compiled against library: libvirt 1.1.0
Using library: libvirt 1.1.0
Using API: LXC 1.1.0
Running hypervisor: LXC 3.2.46

root@debian:~# vir list
 Id    Name                           State
----------------------------------------------------
 4424  instance-00000007              running
 25913 instance-00000008              running

root@debian:~# vir lxc-enter-namespace 4424 --noseclabel /bin/df -hl
Filesystem                                              Size  Used Avail Use% Mounted on
rootfs                                                   20G  9.5G  9.3G  51% /
udev                                                     10M     0   10M   0% /dev
tmpfs                                                   397M  228K  397M   1% /run
/dev/disk/by-uuid/cc8a372b-907a-4cd9-a474-1a112033cfd6   20G  9.5G  9.3G  51% /
tmpfs                                                   5.0M     0  5.0M   0% /run/lock
tmpfs                                                   794M     0  794M   0% /run/shm
cgroup                                                  2.0G     0  2.0G   0% /sys/fs/cgroup

Then I entered the lxc container and executed the command 'df -hl', which returned a different result, as follows:

root@debian:~# vir console 4424
Connected to domain instance-00000007
Escape character is ^]

Ubuntu 12.04.2 LTS lxc1 tty1

lxc1 login: ubuntu
Password:
Last login: Tue Jul 30 11:02:03 UTC 2013 on pts/0
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.2.46-openstack-amd64 x86_64)

 * Documentation: https://help.ubuntu.com/

  System information as of Tue Jul 30 11:02:54 UTC 2013

  System load:  0.08              Processes:           24
  Usage of /:   70.5% of 1.35GB   Users logged in:     0
  Memory usage: 56%               IP address for eth0: 10.0.0.2
  Swap usage:   0%

  Graph this data and manage this system at https://landscape.canonical.com/

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

  Use Juju to deploy your cloud instances and workloads:
    https://juju.ubuntu.com/#cloud-precise

31 packages can be updated.
21 updates are security updates.

ubuntu@lxc1:~$ df -hl
Filesystem      Size  Used Avail Use% Mounted on
/dev/nbd10      1.4G  976M  340M  75% /
devfs            64K  8.0K   56K  13% /dev
tmpfs            64K     0   64K   0% /sys/fs/cgroup
none            397M   12M  385M   3% /run
none            5.0M     0  5.0M   0% /run/lock
none            2.0G     0  2.0G   0% /run/shm

I used to try 'lxc-enter-namespace' to execute the df command with libvirt version 1.0.2 on an Ubuntu host, and the operation result was just the same as what I did in the lxc container. What's the problem? Could 'lxc-enter-namespace' be different with the --noseclabel flag?

------------------
Best regards!
GuanQiang
2013-07-30