On Tue, 2014-02-18 at 16:06 -0700, Eric Blake wrote:
> There should be no problem upgrading to a newer libvirt. We take great
> pains to ensure that a newer version of libvirt can be reloaded and
> gracefully understand the XML recorded by older versions, with no loss
> to running VMs. While there have been bugs on this front, they get
> caught and patched quickly, so by updating to something like the latest
> Fedora stable build (currently 1.1.3.3), you are even more likely to
> avoid these sorts of problems when compared to upgrading all the way to
> the master branch of libvirt.

After I forced myself to upgrade and compile a newer version of libvirt (to be precise, I wanted to upgrade to the latest libvirt-1.2.1.tar.gz), I ran into some problems.

I compiled libvirt with the following options:
As a reminder, I'm running "good" old Ubuntu 12.04:

./configure --with-lxc --with-storage-lvm --prefix=/usr --localstatedir=/var --sysconfdir=/etc

Compiling and installing worked perfectly after installing all missing dependencies. At first everything looked fine and all created networks and domains were still running. To be sure everything would survive a system restart, I rebooted. That's when everything (or something) went wrong. After starting libvirtd I got the following error:

>>> error: Failed to start network hetzner-subnet-v4
>>> error: unsupported configuration: Publicly routable address 1.2.3.65 is prohibited.
>>> The version of dnsmasq on this host (2.59) doesn't support the bind-dynamic option
>>> or use SO_BINDTODEVICE on listening sockets, one of which is required for safe
>>> operation on a publicly routable subnet (see CVE-2012-3411). You must either upgrade
>>> dnsmasq, or use a private/local subnet range for this network (as described in RFC1918/RFC3484/RFC4193).

Since no VM was running at this point (because of the missing networks), I decided to quickly update to a newer version of DNSMASQ (2.68) and installed this to "/usr/local/sbin" and linked it to "/usr/sbin/dnsmasq" after removing the distribution specific packages. When I tried to start the hetzner-subnet-v4 network, I got the following error:

>>> 2014-02-19 14:11:58.636+0000: 7075: error : virCommandWait:2376 : internal error: Child process (LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin HOME=/root USER=root LOGNAME=root /usr/sbin/dnsmasq --version) unexpected exit status 1: libvirt: error : cannot execute binary /usr/sbin/dnsmasq: Permission denied
>>> 2014-02-19 14:11:58.636+0000: 7075: error : dnsmasqCapsRefreshInternal:747 : failed to run '/usr/sbin/dnsmasq --version': : Success
>>> error: Failed to start network hetzner-subnet-v4
>>> error: failed to run '/usr/sbin/dnsmasq --version': : Success

However, running dnsmasq manually worked. Since that was the moment the first phone calls started because users could not access their services on the VMs, I quickly reverted everything to its previous state to get everything up and running again. I don't have any testing server, so I could not play around with it anymore (better to say not right now. I might have to wait until everyone is sleeping ;)). Does libvirt have any problems when accessing a softlink instead of a binary? Poorly that possibility came into my mind after reverting back to its original state!

I'm really sorry to spam you guys with all my problems ;)

Kind regards,
Sebastian
On 02/19/2014 08:47 AM, h0rst wrote:
> >>> 2014-02-19 14:11:58.636+0000: 7075: error : virCommandWait:2376 : internal error: Child process (LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin HOME=/root USER=root LOGNAME=root /usr/sbin/dnsmasq --version) unexpected exit status 1: libvirt: error : cannot execute binary /usr/sbin/dnsmasq: Permission denied

You'll need to figure out where the permission denied is coming from; perhaps the problem is that your symlink requires resolution to a directory that is not readable by the

> >>> 2014-02-19 14:11:58.636+0000: 7075: error : dnsmasqCapsRefreshInternal:747 : failed to run '/usr/sbin/dnsmasq --version': : Success
> >>> error: Failed to start network hetzner-subnet-v4
> >>> error: failed to run '/usr/sbin/dnsmasq --version': : Success

These remaining error messages look awkward; we probably have issues in the code that overwrites the useful message when it shouldn't. But that's just cosmetic, compared to getting the real root cause of why libvirtd can't execute dnsmasq.

>
> However, running dnsmasq manually worked. Since that was the moment the first
> phone calls started because users could not access their services on the VMs,
> I quickly reverted everything to its previous state to get everything up and
> running again. I don't have any testing server, so I could not play around with
> it anymore (better to say not right now. I might have to wait until everyone is
> sleeping ;)). Does libvirt have any problems when accessing a softlink instead
> of a binary? Poorly that possibility came into my mind after reverting back to
> its original state!

Libvirt shouldn't have any problems following a symlink, unless the symlink resolves to a path that doesn't have proper permissions. Can you paste actual terminal transcripts proving that you can manually execute /usr/sbin/dnsmasq --version?

--
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
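Added example (not part of the original thread, and not libvirt code): one way to look for a symlink that resolves through a path without proper permissions is to walk every symlink hop and directory component of the binary's path and flag any that lacks the execute/search bit for other users. It assumes GNU coreutils (stat, readlink), the function names are hypothetical, and it inspects only classic mode bits, not mandatory access control policy or mount options.

```shell
#!/bin/sh
# Added example: audit the DAC mode bits along a (possibly symlinked) binary path.
# Assumes GNU coreutils stat/readlink; function names are hypothetical.

# Print flag, mode, owner and path; succeed only if "other" has the x bit.
audit_component() {
    mode=$(stat -c '%a' -- "$1") || return 1
    owner=$(stat -c '%U:%G' -- "$1")
    last=${mode#"${mode%?}"}                 # last octal digit = "other" bits
    if [ $((last & 1)) -eq 1 ]; then flag=ok; else flag=DENY; fi
    printf '%-4s %4s %-14s %s\n' "$flag" "$mode" "$owner" "$1"
    [ "$flag" = ok ]
}

# Follow the path hop by hop. Returns 0 if every directory and the final
# file are o+x, 1 if something is flagged, 2 on a broken path or link loop.
audit_exec_path() {
    p=$1 bad=0 hops=0
    while [ "$hops" -lt 40 ]; do
        # Canonical parent directory (symlinked directories resolved).
        dir=$(readlink -f -- "$(dirname -- "$p")") || return 2
        cur=$dir
        while :; do                          # every ancestor up to /
            audit_component "$cur" || bad=1
            [ "$cur" = / ] && break
            cur=$(dirname -- "$cur")
        done
        p=${dir%/}/$(basename -- "$p")
        if [ -L "$p" ]; then                 # one symlink hop
            target=$(readlink -- "$p")
            case $target in
                /*) p=$target ;;
                *)  p=${dir%/}/$target ;;
            esac
            printf '  -> %s\n' "$p"
            hops=$((hops + 1))
        else                                 # final target
            audit_component "$p" || bad=1
            return "$bad"
        fi
    done
    return 2
}

# Usage: sh audit.sh /usr/sbin/dnsmasq
if [ $# -gt 0 ]; then audit_exec_path "$1"; fi
```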
On Wed, 2014-02-19 at 09:26 -0700, Eric Blake wrote:
> Libvirt shouldn't have any problems following a symlink, unless the
> symlink resolves to a path that doesn't have proper permissions. Can
> you paste actual terminal transcripts proving that you can manually
> execute /usr/sbin/dnsmasq --version?

Yes. Sorry. I forgot to include those calls proving that it manually worked.

user@hv:~$ ls -la /usr/sbin/dnsmasq
lrwxrwxrwx 1 root root 23 Feb 19 18:26 /usr/sbin/dnsmasq -> /usr/local/sbin/dnsmasq
user@hv:~$ ls -la /usr/local/sbin/dnsmasq
-rwxr-xr-x 1 root root 302941 Feb 19 18:25 /usr/local/sbin/dnsmasq

As unprivileged user:

user@hv:~$ /usr/sbin/dnsmasq --version
Dnsmasq version 2.68  Copyright (c) 2000-2013 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.

As root:

root@hv ~ # /usr/sbin/dnsmasq --version
Dnsmasq version 2.68  Copyright (c) 2000-2013 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.

I can do more tests if the users aren't awake and can't complain about non-working services and VMs ;)

Kind regards,
Sebastian