<html>
<head>
<meta content="text/html; charset=ISO-8859-2"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Yes, it runs:<br>
<small>oneadmin@nebula-3:~$ ps aux |grep oned<br>
oneadmin 10158 0.0 0.1 1172252 8020 ? Sl Jun21 0:22
/usr/bin/oned -f</small><br>
<br>
When I changed security_driver in qemu.conf to default state<br>
<pre wrap="">/etc/libvirt/qemu.conf:
# security_driver = "selinux"</pre>
my error message went back to previous state (but still was there)
...<br>
<br>
When I replaced OS on host to Ubuntu 10.04 Server (with the same
settings), error message is:<br>
<br>
<small>Thu Jun 21 16:41:17 2012 [LCM][I]: New VM state is BOOT<br>
Thu Jun 21 16:41:17 2012 [VMM][I]: Generating deployment file:
/var/lib/one/1/deployment.4<br>
Thu Jun 21 16:41:17 2012 [VMM][I]: ExitCode: 0<br>
Thu Jun 21 16:41:17 2012 [VMM][I]: Successfully execute network
driver operation: pre.<br>
Thu Jun 21 16:41:48 2012 [VMM][I]: Command execution fail: cat
<< EOT | /var/tmp/one/vmm/kvm/deploy
/var/lib/one/1/images/deployment.4 tyan 1 tyan<br>
Thu Jun 21 16:41:48 2012 [VMM][I]: error: Failed to create domain
from /var/lib/one/1/images/deployment.4<br>
<b>Thu Jun 21 16:41:48 2012 [VMM][I]: error: cannot set ownership
on /var/lib/one/1/images/disk.1: Permission denied</b><br>
Thu Jun 21 16:41:48 2012 [VMM][E]: Could not create domain from
/var/lib/one/1/images/deployment.4<br>
Thu Jun 21 16:41:48 2012 [VMM][I]: ExitCode: 255<br>
Thu Jun 21 16:41:48 2012 [VMM][I]: Failed to execute
virtualization driver operation: deploy.<br>
Thu Jun 21 16:41:48 2012 [VMM][E]: Error deploying virtual
machine: Could not create domain from
/var/lib/one/1/images/deployment.4<br>
Thu Jun 21 16:41:49 2012 [DiM][I]: New VM state is FAILED</small><br>
<br>
Messages in /var/log/syslog at the same time:<br>
<small>Jun 22 10:17:01 tyan-host CRON[12881]: (root) CMD ( cd /
&& run-parts --report /etc/cron.hourly)<br>
Jun 22 10:22:04 tyan-host kernel: [59025.594722] type=1505
audit(1340353324.455:27): operation="profile_load" pid=13044
name="libvirt-f42d2d5f-e5a0-3bcd-a445-1d3d876451e1"<br>
Jun 22 10:22:04 tyan-host libvirtd: 10:22:04.470: error :
qemuDomainSetFileOwnership:2222 : cannot set ownership on
/var/lib/one/1/images/disk.0: Permission denied<br>
Jun 22 10:22:34 tyan-host libvirtd: 10:22:34.481: error :
qemuMonitorOpenUnix:268 : monitor socket did not show up.: No such
file or directory<br>
Jun 22 10:22:34 tyan-host libvirtd: 10:22:34.481: error :
qemuConnectMonitor:822 : Failed to connect monitor for one-1#012<br>
Jun 22 10:22:34 tyan-host libvirtd: 10:22:34.665: error :
qemuDomainSetFileOwnership:2222 : cannot set ownership on
/var/lib/one/1/images/disk.1: Permission denied<br>
Jun 22 10:22:34 tyan-host libvirtd: 10:22:34.665: warning :
qemudShutdownVMDaemon:2703 : Failed to restore all device
ownership for one-1<br>
Jun 22 10:22:34 tyan-host kernel: [59055.797448] type=1505
audit(1340353354.655:28): operation="profile_remove" pid=13051
name="libvirt-f42d2d5f-e5a0-3bcd-a445-1d3d876451e1"
namespace="root"</small><br>
<br>
Jan<br>
<br>
<br>
<br>
Dňa 21.06.2012 17:19, Javier Fontan wrote / napísal(a):
<blockquote
cite="mid:CAK+uMM9duAR7b84SR-dkCZD9LNAFVC7S5czr3UrmuKsVegfw1Q@mail.gmail.com"
type="cite">
<pre wrap="">Also, I supposte oned is running as oneadmin user. Just to check.
On Thu, Jun 21, 2012 at 5:19 PM, Javier Fontan <a class="moz-txt-link-rfc2396E" href="mailto:jfontan@opennebula.org"><jfontan@opennebula.org></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I am checking my configuration ans the only differences are:
* oneadmin is in group oneadmin
* qemu group is oneadmin
* �/var/lib/one/** lrwk, line is in /etc/apparmor.d/local/usr.sbin.libvirtd
Can you try moving the line of apparmor to
/etc/apparmor.d/local/usr.sbin.libvirtd? Maybe there's a precedence
problem that we don't know of. Unfortunately I am not an apparmor.
On Thu, Jun 21, 2012 at 9:55 AM, Jan Benadik <a class="moz-txt-link-rfc2396E" href="mailto:jan.benadik@atos.net"><jan.benadik@atos.net></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">So - now I have still the same error message in oned.log:
Thu Jun 21 09:26:42 2012 [LCM][I]: New VM state is BOOT
Thu Jun 21 09:26:42 2012 [VMM][I]: Generating deployment file:
/var/lib/one/0/deployment.38
Thu Jun 21 09:26:42 2012 [VMM][I]: ExitCode: 0
Thu Jun 21 09:26:42 2012 [VMM][I]: Successfully execute network driver
operation: pre.
Thu Jun 21 09:26:44 2012 [VMM][I]: Command execution fail: cat << EOT |
/var/tmp/one/vmm/kvm/deploy /var/lib/one/0/images/deployment.38 myto 0 myto
Thu Jun 21 09:26:44 2012 [VMM][I]: error: Failed to create domain from
/var/lib/one/0/images/deployment.38
Thu Jun 21 09:26:44 2012 [VMM][I]: error: Unable to read from monitor:
Connection reset by peer
Thu Jun 21 09:26:44 2012 [VMM][E]: Could not create domain from
/var/lib/one/0/images/deployment.38
Thu Jun 21 09:26:44 2012 [VMM][I]: ExitCode: 255
Thu Jun 21 09:26:44 2012 [VMM][I]: Failed to execute virtualization driver
operation: deploy.
Thu Jun 21 09:26:44 2012 [VMM][E]: Error deploying virtual machine: Could
not create domain from /var/lib/one/0/images/deployment.38
Thu Jun 21 09:26:45 2012 [DiM][I]: New VM state is FAILED
At the same time in the /var/log/libvirt/libvirtd.log the following message
appears:
2012-06-21 09:27:43.610+0000: 1114: warning :
virDomainDiskDefForeachPath:13244 : Ignoring open failure on
/var/lib/one/0/images/disk.1: Permission denied
2012-06-21 09:27:44.296+0000: 1110: error : qemuMonitorIORead:513 : Unable
to read from monitor: Connection reset by peer
Nothing in /var/log/syslog (doesn't matter if apparmor is running, stopped,
flushed ...!).
Permissions of files and folders:
oneadmin@opennebula-host:/var/lib$ ls -ld /var/lib/one
drwxr-xr-x 10 oneadmin root 4096 Jun 21 09:49 /var/lib/one
oneadmin@opennebula-host:/var/lib/one# ls -la
total 132
drwxr-xr-x� 8 oneadmin root�� 4096 Jun 21 09:27 .
drwxr-xr-x 37 root���� root�� 4096 Jun 21 06:30 ..
-rw-------� 1 oneadmin cloud� 2261 Jun 21 08:42 .bash_history
drwx------� 2 oneadmin cloud� 4096 Jun 20 09:48 .cache
drwx------� 2 oneadmin cloud� 4096 Jun 20 09:49 .one
drwx------� 2 oneadmin root�� 4096 Jun 20 17:43 .ssh
-rw-------� 1 oneadmin cloud� 3412 Jun 20 11:06 .viminfo
drwxrwxrwx� 3 oneadmin cloud� 4096 Jun 21 09:26 0
-rw-r--r--� 1 oneadmin cloud� 1738 Jun 21 08:50 config
drwxrwx--T� 2 oneadmin root�� 4096 Jun 20 10:57 images
-rw-r--r--� 1 oneadmin cloud 67584 Jun 21 09:27 one.db
-rw-r--r--� 1 oneadmin cloud 16384 Jun 20 16:28 oneacct.db
drwxr-xr-x� 8 root���� root�� 4096 Jun 20 09:33 remotes
oneadmin@opennebula-host:/var/lib/one/0# ls -la
total 20
drwxrwxrwx� 3 oneadmin cloud 4096 Jun 21 09:36 .
drwxr-xr-x 10 oneadmin root� 4096 Jun 21 09:35 ..
-rw-r--r--� 1 oneadmin cloud� 735 Jun 21 09:26 deployment.38
drwxrwxrwx� 2 oneadmin cloud 4096 Jun 21 09:26 images
-rw-r--r--� 1 oneadmin cloud� 201 Jun 21 09:26 transfer.38.prolog
oneadmin@opennebula-host:/var/lib/one/0/images# ls -la
total 906256
drwxrwxrwx 2 oneadmin cloud����� 4096 Jun 21 09:26 .
drwxrwxrwx 3 oneadmin cloud����� 4096 Jun 21 09:36 ..
-rw-r--r-- 1 oneadmin cloud������ 736 Jun 21 09:26 deployment.38
-rw-rw-rw- 1 oneadmin cloud 927989760 Jun 21 09:26 disk.0
lrwxrwxrwx 1 oneadmin cloud������� 52 Jun 21 09:26 disk.1 ->
/var/lib/one/images/9c52b90a79dba7c26a912d05ff5190b8
oneadmin@opennebula-host:~/images$ ls -la
total 1040116
drwxrwx--T� 2 oneadmin root������� 4096 Jun 20 10:57 .
drwxr-xr-x 10 oneadmin root������� 4096 Jun 21 09:37 ..
-rw-rw----� 1 oneadmin root�� 927989760 Jun 20 10:57
46440b43448202b4ee69b4b541f5eeab
-rw-rw----� 1 oneadmin root 10737418241 Jun 20 10:57
9c52b90a79dba7c26a912d05ff5190b8
Libvirtd and Qemu settings:
/etc/libvirt/libvirtd.conf:
listen_tls = 0
listen_tcp = 1
unix_sock_group = "libvirtd"
unix_sock_ro_perms = "0777"
unix_sock_rw_perms = "0777"
unix_sock_dir = "/var/run/libvirt"
auth_unix_ro = "none"
auth_unix_rw = "none"
/etc/libvirt/qemu.conf:
security_driver = "none"
user = "oneadmin"
group = "cloud"
dynamic_ownership = 0
/etc/default/libvirt-bin:
start_libvirtd="yes"
libvirtd_opts="-d -l"
/etc/apparmor.d/usr.sbin.libvirtd:
# Last Modified: Mon Jul� 6 17:23:58 2009
#include <tunables/global>
@{LIBVIRT}="libvirt"
/usr/sbin/libvirtd {
� #include <abstractions/base>
� # Site-specific additions and overrides. See local/README for details.
� #include <local/usr.sbin.libvirtd>
� capability kill,
� capability net_admin,
� capability net_raw,
� capability setgid,
� capability sys_admin,
� capability sys_module,
� capability sys_ptrace,
� capability sys_nice,
� capability sys_chroot,
� capability setuid,
� capability dac_override,
� capability dac_read_search,
� capability fowner,
� capability chown,
� capability setpcap,
� capability mknod,
� capability fsetid,
� capability ipc_lock,
� network inet stream,
� network inet dgram,
� network inet6 stream,
� network inet6 dgram,
� network packet dgram,
� # for now, use a very lenient profile since we want to first focus on
� # confining the guests
� / r,
� /** rwmkl,
� /bin/* PUx,
� /sbin/* PUx,
� /usr/bin/* PUx,
� /usr/sbin/* PUx,
� /lib/udev/scsi_id PUx,
� # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
� # write and run an ebtables script.
� /var/lib/libvirt/virtd* ixr,
� # force the use of virt-aa-helper
� audit deny /sbin/apparmor_parser rwxl,
� audit deny /etc/apparmor.d/libvirt/** wxl,
� audit deny /sys/kernel/security/apparmor/features rwxl,
� audit deny /sys/kernel/security/apparmor/matching rwxl,
� audit deny /sys/kernel/security/apparmor/.* rwxl,
� /sys/kernel/security/apparmor/profiles r,
� /usr/lib/libvirt/* PUxr,
� /etc/libvirt/hooks/** rmix,
� /var/lib/one/** lrwk,
� # allow changing to our UUID-based named profiles
� change_profile ->
@{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
}
User settings:
oneadmin@opennebula-host:~/images$ groups oneadmin
oneadmin : cloud root disk kvm libvirtd
My question - where is an issue?
Jan
_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.opennebula.org">Users@lists.opennebula.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a>
</pre>
</blockquote>
<pre wrap="">
--
Javier Font�n Mui�os
Project Engineer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
<a class="moz-txt-link-abbreviated" href="http://www.OpenNebula.org�">www.OpenNebula.org�</a>|�<a class="moz-txt-link-abbreviated" href="mailto:jfontan@opennebula.org">jfontan@opennebula.org</a>�| @OpenNebula
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-2">
<title></title>
<font color="black" face="Verdana" size="3"> <img alt=""
src="cid:part1.02040805.03090205@atos.net" height="15"
width="252"><br>
<b>Ján Beňadik</b><br>
<font face="Verdana" size="2"> Managed Services - Solution
Design Architect<br>
+421 46 5151 332<br>
+421 903 691 634<br>
<a href="mailto://jan.benadik@atos.net">jan.benadik@atos.net</a><br>
Vinohradnícka 6, 971 01 Prievidza<br>
<a href="http://www.sk.atos.net">www.sk.atos.net</a><br>
__________________________________<br>
<br>
<img alt="" src="cid:part4.09050804.02030202@atos.net"
height="58" width="261"><br>
</font> </font></div>
</body>
</html>