Re: About seclabel configure,Migrate error

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 07/25/2017 04:16 AM, ΒΆΒΆ wrote:
> libvirt
> version: 3.4.0
> architecture: x86_64 ubuntu16.04-server
> hypervisor: kvm,qemu
> 
> When migrate vm, I encounter error:
>  "Migrate VM virt21 failed unsupported configuration: Unable to find security driver for model apparmor"
> but two host are same environment.before this error, migrate can be success.
> the source host seclabel configure is this :
> <seclabel type='dynamic' model='apparmor' relabel='yes'>
>     <label>libvirt-8e4ec209-17ca-4b59-abb7-72f3984244f3</label>
>     <imagelabel>libvirt-8e4ec209-17ca-4b59-abb7-72f3984244f3</imagelabel>
>   </seclabel>
> I create a vm on the destination host ,the vm configure not seclabel congfigure.

You mean, there's no apparmor seclabel when you run the domain on the
destination? Well, then the two hosts are not identical in
configuration. What's the output of `aa-status` ran on the destination?

> I reinstall libvirt on the destination host and migrate same vm, this error disappear.vm seclabel configure is default.
> I recreate a vm on the destination host ,the vm configure has the seclabel configure , I don't known the reason.

Is this the latest release? If not, can you try it because the bug might
have been fixed.

> 
> Another question:
> I configure a vm xml's seclabel like this:
>  <seclabel type='none' model='none'/>

Not quite sure what are you trying to achieve with this.

> and then call virDomainCreate create the vm, call virsh dumpxml, the vm xml's seclabel is this:
>  <seclabel type='none' model='none'/>
>   <seclabel type='dynamic' model='dac' relabel='yes'>
>     <label>+0:+0</label>
>     <imagelabel>+0:+0</imagelabel>
>   </seclabel>
> I don't the reason.

This is because DAC security driver is enabled by default. Therefore
when libvirt is starting new domain it changes ownership of files qemu
is going to touch (again, by default). If you want to suppress this
behaviour you can:

<seclabel type='none' model='dac' relabel='no'/>

Michal

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
[Index of Archives]     [Virt Tools]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux