[libvirt] unable to set security context (NFSv4 problem?)

Spencer Shimko sshimko at tresys.com
Thu Apr 15 20:06:56 UTC 2010


Harald Dunkel wrote:
> Hi folks,
> 
> Since I have moved the image file of a domain to an NFS
> partition I get an error message at start time:
> 
> # virsh start mydomain
> error: Failed to start domain mydomain
> error: unable to set security context '110:140' on '/storage/mydomain/vda.img': Invalid argument

What is security_driver set to in /etc/libvirt/qemu.conf?

It appears to be the security driver trying to update the security 
context stored on the filesystem as an extended attribute.  The NFS v4 
filesystem currently lacks extended attribute support.  Without extended 
attributes there isn't a place to store the security context associated 
with the image file, hence the error.

I've CC'd James Morris who, in addition to working on the original 
libvirt security driver implementation, happens to be spearheading the 
NFS xattr support.  Hopefully he can provide some more information.

> 
> The /storage partition is mounted with these options:
> 
> # cat /proc/mounts  | grep /storage
> nasl002:/storage/ /storage nfs4 rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=172.19.96.31,addr=172.19.96.213 0 0
> 
> If I use a local disk instead, then there is no such
> problem.

The fact that it works on local disk is likely attributable to the local 
filesystem supporting extended attributes.  Examples of these 
filesystems include ext2/3/4 and xfs.

> 
> libvirt is version 0.7.7-4, as included with Debian.
> Any helpful comment would be highly appreciated.

Out of curiosity, are you using the SELinux support in Debian?

--Spencer
> 
> 
> Regards
> 
> Harri
> 
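
The two facts the reply above asks for (which filesystem backs the image, and what `security_driver` is set to) can be collected with a short script. This is an added example, not part of the original thread or of libvirt; the function names are hypothetical, the sample mount table and qemu.conf line are constructed, and the xattr classification reflects only what the reply states about ext2/3/4, xfs and NFS.

```shell
#!/bin/sh
# Added example (not from the thread): collect the facts the reply asks about.

# Print "mountpoint fstype" for the mount backing path $1, using a table in
# /proc/mounts format read from file $2. Longest matching mount point wins.
backing_mount() {
    awk -v p="$1" '
        { mp = $2
          if ((mp == "/" || p == mp || index(p, mp "/") == 1) && length(mp) >= best) {
              best = length(mp); hit = mp " " $3 } }
        END { if (hit == "") exit 1; print hit }
    ' "$2"
}

# Print the active (uncommented, quoted) security_driver value from file $1.
security_driver() {
    sed -n 's/^[[:space:]]*security_driver[[:space:]]*=[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" | tail -n 1
}

# Classify a filesystem type using only what the reply says about it.
xattr_note() {
    case "$1" in
        ext2|ext3|ext4|xfs) echo "local-xattr" ;;   # named as supporting xattrs
        nfs|nfs4)           echo "nfs-no-xattr" ;;  # reply: no xattr support on NFSv4
        *)                  echo "unlisted" ;;      # not mentioned in the thread
    esac
}

# One-line summary: $1 image path, $2 mounts table, $3 qemu.conf-style file.
diagnose() {
    m=$(backing_mount "$1" "$2") || { echo "no mount found for $1"; return 1; }
    fstype=${m##* }
    drv=$(security_driver "$3")
    echo "image=$1 mount=${m% *} fstype=$fstype xattr=$(xattr_note "$fstype") security_driver=${drv:-unset}"
}

# Constructed sample input: mount line shaped like the one in the post,
# qemu.conf lines and the local image path are made up for the demo.
demo=$(mktemp -d)
cat > "$demo/mounts" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
nasl002:/storage/ /storage nfs4 rw,relatime,vers=4,sec=sys 0 0
EOF
printf '#security_driver = "none"\nsecurity_driver = "selinux"\n' > "$demo/qemu.conf"
diagnose /storage/mydomain/vda.img "$demo/mounts" "$demo/qemu.conf"
diagnose /var/lib/libvirt/images/vda.img "$demo/mounts" "$demo/qemu.conf"
```

On a real host, pass `/proc/mounts` and `/etc/libvirt/qemu.conf` as the second and third arguments to `diagnose`.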



