On Tue, Dec 20, 2011 at 12:07:00PM -0700, Jim Fehlig wrote:
> Daniel P. Berrange wrote:
> > On Tue, Dec 20, 2011 at 08:59:48AM -0700, Jim Fehlig wrote:
> >
> >> xhu wrote:
> >>
> >>> On 12/16/2011 11:33 AM, Jim Fehlig wrote:
> >>>
> >>>> Hi All,
> >>>>
> >>>> I've noticed a regression in libvirt 0.9.8 on some of my kvm test machines
> >>>>
> >>>> # virsh start opensuse12
> >>>> error: Failed to start domain opensuse12
> >>>> error: Cannot open network interface control socket: Permission denied
> >>>>
> >>> For I can't reproduce it on my machine with 0.9.8, can you provide me
> >>> the detailed steps?
> >>>
> >> Nothing special, basic domain config using file-backed disk and
> >> connecting to a bridge.
> >>
> >>
> >>> Also your os, libvirt, qemu-kvm and kernel version?
> >>>
> >> Yeah, it has something to do with the kernel, glibc, or other such
> >> component. qemu-kvm isn't the problem as the error occurs before it is
> >> invoked.
> >>
> >> kernel 3.1.0, glibc 2.14.1 (openSUSE12.1):
> >> With libvirt 0.9.7, starting the domain works. This version of libvirt
> >> opens control socket with 'socket(AF_INET, SOCK_STREAM, 0)'. With
> >> libvirt 0.9.8, the domain does not start. In this version, the control
> >> socket is opened with 'socket(AF_PACKET, SOCK_DGRAM, 0)', which fails
> >> with EACCES.
> >>
> >> kernel 3.0.13, glibc 2.11.3 (SLES11 SP2):
> >> Regression between libvirt 0.9.7 and 0.9.8 not observed.
> >>
> >> Initially, I assumed the bug was in glibc. But I can open packet(7)
> >> sockets in a test program running as uid=euid=0, just not within
> >> libvirtd running with same privileges.
> >>
> >
> > Interesting, this is very bizarre. I assume that if you patch
> > libvirt 0.9.8 to use AF_INET again, it'll work fine ?
> >
>
> Yes, it is bizarre and yes, using AF_INET works.
>
> > Is there any other access control mechanism in force like SELinux
> > or AppArmor ?
> >
>
> No, which is why I'm rather confused...

Do you have a stack trace for the socket() call which generates EACCES ?
I'm wondering if there is any chance that the call is being made during
the startup of QEMU in between fork() & exec() where we might have already
dropped some capabilities ?

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
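
An added example, not part of the thread and not libvirt code: a small C diagnostic for the question raised above. Per packet(7), creating a packet socket requires CAP_NET_RAW, so the program decodes the effective capability mask from /proc/self/status and then attempts the two socket() calls quoted in the thread. The function names are hypothetical.

```c
/* Added diagnostic, not libvirt code; function names are hypothetical. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define CAP_NET_RAW_BIT 13   /* value of CAP_NET_RAW in <linux/capability.h> */

/* Extract CapEff from the text of /proc/<pid>/status; 0 on success, -1 if absent or malformed. */
int parse_capeff(const char *status, unsigned long long *mask)
{
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            const char *v = p + 7;
            while (*v == ' ' || *v == '\t') v++;
            if (!isxdigit((unsigned char)*v)) return -1;
            *mask = strtoull(v, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n');      /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

int has_cap(unsigned long long mask, int bit) { return (int)((mask >> bit) & 1ULL); }
/* Attempt one socket() call; returns 0 on success, otherwise the errno it failed with. */
int try_socket(int domain, int type)
{
    int fd = socket(domain, type, 0);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

int main(void)
{
    char buf[8192] = {0};
    unsigned long long eff = 0;
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    if (n && parse_capeff(buf, &eff) == 0)
        printf("CapEff=%016llx CAP_NET_RAW=%d\n", eff, has_cap(eff, CAP_NET_RAW_BIT));
    printf("AF_INET/SOCK_STREAM:  %s\n", strerror(try_socket(AF_INET, SOCK_STREAM)));
    printf("AF_PACKET/SOCK_DGRAM: %s\n", strerror(try_socket(AF_PACKET, SOCK_DGRAM)));
    return 0;
}
```

The result only describes the process that runs it, so a stand-alone run as root shows the root shell's capabilities; the same CapEff field in /proc/<pid>/status of the running daemon or its forked child is what has to be compared against it.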