Kyle Peterson
2017-Feb-26  17:29 UTC
[libvirt-users] error : Failed to switch root mount into slave mode: Permission denied
libvirt-3.0.0

When attempting to create a virtual machine I receive the error "error : Failed to switch root mount into slave mode: Permission denied".

I'm attempting to run qemu/libvirt/virt-manager in an Arch Linux lxc container on an Ubuntu 16.04 host. The host uses zfs for its containers. The arch container is set up as a privileged container. I do already have kvm/qemu/libvirt working in an Ubuntu container. The reason for the arch container is because I want to try a newer version of qemu/libvirt.

I'm not finding anything on google about this error message. Any way to get around it?

[root@arch ~]# uname -a
Linux arch 4.8.0-39-generic #42~16.04.1-Ubuntu SMP Mon Feb 20 15:06:07 UTC 2017 x86_64 GNU/Linux

[root@arch ~]# cat /proc/mounts
storage/lxd_root/containers/arch / zfs rw,noatime,xattr,posixacl 0 0
none /dev tmpfs rw,relatime,size=492k,mode=755 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
proc /proc/sys/net proc rw,nosuid,nodev,noexec,relatime 0 0
proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0
proc /proc/sysrq-trigger proc ro,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
sysfs /sys/devices/virtual/net sysfs rw,relatime 0 0
sysfs /sys/devices/virtual/net sysfs rw,nosuid,nodev,noexec,relatime 0 0
mqueue /dev/mqueue mqueue rw,relatime 0 0
udev /dev/fuse devtmpfs rw,nosuid,relatime,size=8179548k,nr_inodes=2044887,mode=755 0 0
udev /dev/net/tun devtmpfs rw,nosuid,relatime,size=8179548k,nr_inodes=2044887,mode=755 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
fusectl /sys/fs/fuse/connections fusectl rw,relatime 0 0
pstore /sys/fs/pstore pstore rw,nosuid,nodev,noexec,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
rpool/ROOT/ubuntu /dev/lxd zfs rw,relatime,xattr,noacl 0 0
rpool/ROOT/ubuntu /dev/kvm zfs rw,relatime,xattr,noacl 0 0
rpool/ROOT/ubuntu /dev/mem zfs rw,relatime,xattr,noacl 0 0
storage/downloads /mnt/downloads zfs rw,noatime,xattr,posixacl 0 0
storage/kvm_root/iso /mnt/iso zfs rw,noatime,xattr,posixacl 0 0
rpool/ROOT/ubuntu /dev/.lxd-mounts zfs rw,relatime,xattr,noacl 0 0
lxcfs /proc/cpuinfo fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
lxcfs /proc/diskstats fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
lxcfs /proc/meminfo fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
lxcfs /proc/stat fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
lxcfs /proc/swaps fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
lxcfs /proc/uptime fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
devpts /dev/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct 0 0
cgroup /sys/fs/cgroup/net_cls,net_prio cgroup rw,nosuid,nodev,noexec,relatime,net_cls,net_prio 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0
cgroup /sys/fs/cgroup/perf_event cgroup rw,nosuid,nodev,noexec,relatime,perf_event 0 0
cgroup /sys/fs/cgroup/pids cgroup rw,nosuid,nodev,noexec,relatime,pids 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0
cgroup /sys/fs/cgroup/blkio cgroup rw,nosuid,nodev,noexec,relatime,blkio 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,nosuid,nodev,noexec,relatime,freezer 0 0
cgroup /sys/fs/cgroup/hugetlb cgroup rw,nosuid,nodev,noexec,relatime,hugetlb 0 0
hugetlbfs /dev/hugepages hugetlbfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /run/user/0 tmpfs rw,nosuid,nodev,relatime,size=1646852k,mode=700 0 0
Michal Privoznik
2017-Feb-27  06:14 UTC
Re: [libvirt-users] error : Failed to switch root mount into slave mode: Permission denied
On 26.02.2017 18:29, Kyle Peterson wrote:
> libvirt-3.0.0
>
> When attempting to create a virtual machine I receive the error "error : Failed to switch root mount into slave mode: Permission denied".
>
> I'm attempting to run qemu/libvirt/virt-manager in an Arch Linux lxc container on an Ubuntu 16.04 host. The host uses zfs for its containers. The arch container is set up as a privileged container. I do already have kvm/qemu/libvirt working in an Ubuntu container. The reason for the arch container is because I want to try a newer version of qemu/libvirt.
>
> I'm not finding anything on google about this error message. Any way to get around it?

Hey,

with the 3.0.0 release qemu domains are started under a namespace too (because of the error message I assume you're trying to start a qemu domain). So far, every domain has its own /dev managed by libvirt. There were two reasons for it:

a) avoid relabelling race with udev
b) enhance security, as only configured devices are created in the namespace.

Therefore, when starting a new qemu domain, libvirt calls unshare(CLONE_NEWNS) and then tries to remount the root "/" into slave mode so that all mounts from the master (= parent ns) are visible in the namespace but not vice versa.

Since you mention Ubuntu - could it be that it is AppArmor that is denying the operation? Because frankly, I've read some bug reports that AppArmor was denying libvirt to create a new namespace, but I'm no AppArmor expert and I don't know how to fix it.

There is a workaround too, just set:

namespaces = []

in qemu.conf, restart libvirtd and you should be all set.

BTW, the 3.1.0-rc1 release is out and it contains a lot of qemu namespace fixes. So you might try that.

Michal
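The two-step sequence described in the reply (a new mount namespace via unshare(CLONE_NEWNS), then the root mount switched to slave propagation) as a small stand-alone diagnostic. This is an added example, not libvirt's code and not part of either post: it runs the same two syscalls outside libvirt and reports which of them is refused, so a "Permission denied" can be attributed to a missing CAP_SYS_ADMIN, an LSM policy such as AppArmor, or a seccomp filter rather than to libvirt itself. The function names and the errno-to-explanation mapping are my own; the flags are the standard MS_SLAVE|MS_REC from mount(2), and the CLONE_NEWNS fallback value is the one from <linux/sched.h>.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallback in case the headers were pulled in without _GNU_SOURCE. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000
#endif

/* Hypothetical diagnostic (not libvirt's code): perform the two steps the
 * reply describes and return 0 on success or -errno on the first failure.
 * *step is set to 1 if the namespace creation failed, 2 if the MS_SLAVE
 * remount of "/" failed, 0 if both succeeded. */
int try_slave_root_mount(int *step)
{
    if (step)
        *step = 0;

    /* Step 1: a private copy of the mount table for this process only.
     * Same as unshare(CLONE_NEWNS); needs CAP_SYS_ADMIN, and an LSM
     * (AppArmor) or a seccomp filter can refuse it with EPERM. */
    if (syscall(SYS_unshare, CLONE_NEWNS) < 0) {
        if (step)
            *step = 1;
        return -errno;
    }

    /* Step 2: make "/" and everything below it a slave of its peer group:
     * mounts made in the parent namespace still propagate in, mounts made
     * here never propagate out. Source, fstype and data are ignored for
     * propagation changes, hence the NULLs. */
    if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0) {
        if (step)
            *step = 2;
        return -errno;
    }
    return 0;
}

/* Map the outcome to the explanation a practitioner is looking for. */
const char *explain_result(int rc, int step)
{
    if (rc == 0)
        return "ok: this process may create a mount namespace and slave its root";
    if (rc == -EPERM || rc == -EACCES) {
        if (step == 1)
            return "permission denied at unshare(): missing CAP_SYS_ADMIN, or an LSM (AppArmor) / seccomp denial";
        return "permission denied at mount(MS_SLAVE): an LSM (AppArmor) policy or seccomp filter blocks the remount";
    }
    if (rc == -ENOSYS)
        return "syscall unavailable: most likely filtered by seccomp";
    return "other failure, see strerror()";
}

int main(void)
{
    int step = 0;
    int rc = try_slave_root_mount(&step);

    if (rc == 0)
        printf("%s\n", explain_result(rc, step));
    else
        printf("step %d failed: %s (%s)\n", step, strerror(-rc), explain_result(rc, step));
    return rc == 0 ? 0 : 1;
}
```

Run it as the same user and under the same confinement libvirtd has (inside the container, under the libvirtd AppArmor profile if one is loaded): if step 1 already fails, the container or its LSM policy is refusing new mount namespaces and the `namespaces = []` workaround from the reply is what disables the feature; if step 1 succeeds and step 2 fails, only the propagation change on "/" is being refused. A process that gets past step 1 keeps the new namespace until it exits, so nothing it does to mount propagation is visible to the rest of the system.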