I hope this question isn't considered too off topic for this list, I am trying to reach the libvirt-sandbox developers, but I could not find a libvirt-sandbox specific mailing list, and it seemed to me that libvirt-sandbox was a part of libvirt itself.

I am trying to port libvirt-sandbox to run on a CentOS 6.5 system. This wasn't too hard, but I had to do the following:

I have used the CentOS repo addon ElRepo to upgrade the kernel to 3.10.28. CentOS normally runs a 2.6.32 kernel.

I upgraded glib2 from 2.36 to 2.38.2. I did this by building 2.38.2 from source and installing it into /usr/local. Thus, the 2.36 version still exists in /lib64 and the normal CentOS applications use this version.

I built libvirt 1.2.1 from source and installed it into /usr/local. I used:

    ./configure --with-lxc --with-selinux --with-secdriver-selinux --prefix=/usr/local

I built libvirt-glib 0.1.7 from source and installed it into /usr/local. I used:

    PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./configure --prefix=/usr/local

I built libvirt-sandbox 0.5.1 from source and installed it into /usr/local.
I used:

    PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./configure

As a test, I am able to run the libvirt lxc helloworld example:

    [root@scwnet1 lxc_helloworld]# virsh -c lxc:/// define helloworld.xml
    Domain helloworld defined from helloworld.xml

    [root@scwnet1 lxc_helloworld]# virsh -c lxc:/// start helloworld
    Domain helloworld started

    [root@scwnet1 lxc_helloworld]# virsh -c lxc:/// list
     Id    Name                           State
    ----------------------------------------------------
     9819  helloworld                     running

    [root@scwnet1 lxc_helloworld]# virsh -c lxc:/// console helloworld
    Connected to domain helloworld
    Escape character is ^]
    sh-4.1# exit
    exit

Next, I try to use libvirt-sandbox, and I get the following error:

    [root@scwnet1 tests]# /usr/local/bin/virt-sandbox -c lxc:/// /bin/sh
    Unable to start sandbox: Failed to create domain: unsupported configuration: Unable to find security driver for label selinux

My libvirt config.log shows the SELinux security driver as yes:

    configure:71172: Configuration summary
    configure:71174: ====================
    configure:71176:
    configure:71178: Drivers
    configure:71180:
    configure:71182: Xen: no
    configure:71184: QEMU: yes
    configure:71186: UML: yes
    configure:71188: OpenVZ: yes
    configure:71190: VMware: yes
    configure:71192: VBox: yes
    configure:71194: XenAPI: no
    configure:71196: xenlight: no
    configure:71198: LXC: yes
    configure:71200: PHYP: no
    configure:71202: ESX: yes
    configure:71204: Hyper-V: no
    configure:71206: Parallels: yes
    configure:71208: Test: yes
    configure:71210: Remote: yes
    configure:71212: Network: yes
    configure:71214: Libvirtd: yes
    configure:71216: Interface: yes
    configure:71218: macvtap: yes
    configure:71220: virtport: yes
    configure:71222:
    configure:71224: Storage Drivers
    configure:71226:
    configure:71228: Dir: yes
    configure:71230: FS: yes
    configure:71232: NetFS: yes
    configure:71234: LVM: yes
    configure:71236: iSCSI: yes
    configure:71238: SCSI: yes
    configure:71240: mpath: yes
    configure:71242: Disk: yes
    configure:71244: RBD: no
    configure:71246: Sheepdog: no
    configure:71248: Gluster: no
    configure:71250:
    configure:71252: Security Drivers
    configure:71254:
    configure:71256: SELinux: yes (/sys/fs/selinux)
    configure:71258: AppArmor: no (install profiles: no)
    configure:71260:
    configure:71262: Driver Loadable Modules
    configure:71264:
    configure:71267: dlopen: -ldl
    configure:71273:
    configure:71275: Libraries
    configure:71277:
    configure:71296: apparmor: no
    configure:71326: attr: yes (CFLAGS='' LIBS='-lattr')
    configure:71356: audit: yes (CFLAGS='' LIBS='-laudit')
    configure:71386: avahi: yes (CFLAGS='-D_REENTRANT ' LIBS='-lavahi-common -lavahi-client ')
    configure:71416: blkid: yes (CFLAGS='-I/usr/include/blkid -I/usr/include/uuid ' LIBS='-lblkid ')
    configure:71446: capng: yes (CFLAGS='' LIBS='-lcap-ng')
    configure:71476: curl: yes (CFLAGS='-DCURL_DISABLE_TYPECHECK ' LIBS='-lcurl ')
    configure:71506: dbus: no
    configure:71536: fuse: no
    configure:71566: glusterfs: no
    configure:71596: hal: no
    configure:71626: netcf: yes (CFLAGS=' ' LIBS='-lnetcf ')
    configure:71656: numactl: yes (CFLAGS='' LIBS='-lnuma')
    configure:71686: openwsman: no
    configure:71716: pciaccess: yes (CFLAGS=' ' LIBS='-lpciaccess ')
    configure:71746: readline: yes (CFLAGS='' LIBS='-lreadline')
    configure:71776: sanlock: yes (CFLAGS='' LIBS='-lsanlock_client')
    configure:71806: sasl: yes (CFLAGS='' LIBS='-lsasl2')
    configure:71836: selinux: yes (CFLAGS='' LIBS='-lselinux')
    configure:71866: ssh2: no
    configure:71897: udev: yes (CFLAGS=' ' LIBS='-ludev ')
    configure:71927: yajl: yes (CFLAGS='' LIBS='-lyajl')
    configure:71940: libxml: -I/usr/include/libxml2 -lxml2
    configure:71942: dlopen: -ldl
    configure:71948: openwsman: no
    configure:71952: gnutls: -DGCRYPT_NO_DEPRECATED -lgnutls -lgcrypt
    configure:71958: firewalld: no
    configure:71965: polkit: /usr/bin/pkcheck (version 1)
    configure:71976: xen: no
    configure:71983: xenapi: no
    configure:71990: xenlight: no
    configure:71994: pcap: -lpcap
    configure:72001: nl: -lnl
    configure:72011: mscom: no
    configure:72015: xdr:
    configure:72025: rbd: no
    configure:72029:
    configure:72031: Test suite
    configure:72033:
    configure:72035: Coverage: no
    configure:72037: Alloc OOM: no
    configure:72039:
    configure:72041: Miscellaneous
    configure:72043:
    configure:72045: Debug: yes
    configure:72047: Use -Werror: no

My libvirt capabilities shows this:

    [root@scwnet1 tests]# virsh -c lxc:/// capabilities
    <capabilities>

      <host>
        <uuid>20b4e77c-3fb8-dc11-968d-c8600070189e</uuid>
        <cpu>
          <arch>x86_64</arch>
        </cpu>
        <power_management>
          <suspend_mem/>
          <suspend_disk/>
        </power_management>
        <topology>
          <cells num='1'>
            <cell id='0'>
              <memory unit='KiB'>8334880</memory>
              <cpus num='4'>
                <cpu id='0' socket_id='0' core_id='0' siblings='0-1'/>
                <cpu id='1' socket_id='0' core_id='1' siblings='0-1'/>
                <cpu id='2' socket_id='0' core_id='2' siblings='2-3'/>
                <cpu id='3' socket_id='0' core_id='3' siblings='2-3'/>
              </cpus>
            </cell>
          </cells>
        </topology>
        <secmodel>
          <model>none</model>
          <doi>0</doi>
        </secmodel>
      </host>

      <guest>
        <os_type>exe</os_type>
        <arch name='x86_64'>
          <wordsize>64</wordsize>
          <emulator>/usr/local/libexec/libvirt_lxc</emulator>
          <domain type='lxc'>
          </domain>
        </arch>
      </guest>

      <guest>
        <os_type>exe</os_type>
        <arch name='i686'>
          <wordsize>32</wordsize>
          <emulator>/usr/local/libexec/libvirt_lxc</emulator>
          <domain type='lxc'>
          </domain>
        </arch>
      </guest>

    </capabilities>

I am not sure if secmodel none is the problem.

Can someone give me some direction on how to fix this?

Cheers,
Chris.

On Wed, Jan 29, 2014 at 09:59:30AM -0500, Christopher Stone wrote:
> I hope this question isn't considered too off topic for this list, I am
> trying to reach the libvirt-sandbox developers, but I could not find a
> libvirt-sandbox specific mailing list, and it seemed to me that
> libvirt-sandbox was a part of libvirt itself.

Yes, libvirt-sandbox questions are welcome here

  http://sandbox.libvirt.org/communicate/

> Next, I try to use libvirt-sandbox, and I get the following error:
> [root@scwnet1 tests]# /usr/local/bin/virt-sandbox -c lxc:/// /bin/sh
> Unable to start sandbox: Failed to create domain: unsupported
> configuration: Unable to find security driver for label selinux

Ok, so libvirt either hasn't compiled selinux, or has failed to activate it

> configure:71252: Security Drivers
> configure:71254:
> configure:71256: SELinux: yes (/sys/fs/selinux)
> configure:71258: AppArmor: no (install profiles: no)

That confirms you've got basic SELinux support compiled, but it doesn't mean that's enough to enable it for LXC. We also have a check for the selinux_lxc_contexts_path function in libselinux.so

> My libvirt capabilities shows this:
> [root@scwnet1 tests]# virsh -c lxc:/// capabilities
> <capabilities>
>     <secmodel>
>       <model>none</model>
>       <doi>0</doi>
>     </secmodel>
>   </host>
> </capabilities>
>
> I am not sure if secmodel none is the problem.

Yes, that confirms that it definitely isn't available for LXC

I think you'd probably need to upgrade the libselinux library and selinux policy too I'm afraid.

FWIW, I've never really intended that libvirt-sandbox work on RHEL-6, since as you've discovered quite a few dependencies are too old and require updating. I've only targeted Fedora and forthcoming RHEL-7

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
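
Added example, not part of the thread and not libvirt code: a small Python check that combines the two pieces of evidence discussed above, the `<secmodel>` reported by `virsh capabilities` and whether the installed libselinux exports `selinux_lxc_contexts_path`. The function names, the wording of the messages and the trimmed sample XML are assumptions made for illustration; the symbol probe inspects the library found at run time, which only approximates what libvirt's build-time check saw.

```python
import ctypes
import ctypes.util
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the capabilities output quoted in the thread.
SAMPLE_CAPS = """<capabilities>
  <host>
    <secmodel>
      <model>none</model>
      <doi>0</doi>
    </secmodel>
  </host>
</capabilities>"""


def host_secmodels(caps_xml):
    """Security model names reported under <host> (hypothetical helper)."""
    root = ET.fromstring(caps_xml)
    return [m.text.strip() for m in root.findall("./host/secmodel/model") if m.text]


def has_symbol(libname, symbol):
    """True/False if the installed library exports symbol, None if it cannot be loaded."""
    path = ctypes.util.find_library(libname)
    if path is None:
        return None
    try:
        return hasattr(ctypes.CDLL(path), symbol)
    except OSError:
        return None


def diagnose(caps_xml, lxc_symbol=None):
    """Explain why a 'selinux' label would or would not be accepted (assumed wording)."""
    if lxc_symbol is None:  # no value supplied: probe the local libselinux
        lxc_symbol = has_symbol("selinux", "selinux_lxc_contexts_path")
    models = host_secmodels(caps_xml)
    if "selinux" in models:
        return "selinux security driver is active for this connection"
    if lxc_symbol is False:
        return "libselinux lacks selinux_lxc_contexts_path: upgrade libselinux and policy"
    if lxc_symbol is None:
        return "libselinux could not be loaded; driver reports %s" % models
    return "symbol present but driver reports %s: check the libvirt build and policy" % models


if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPS))
```

To check a live host, pass the output of `virsh -c lxc:/// capabilities` to `diagnose()` in place of the sample.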