Bug 1700739 - libvirtd has an error because tun module is not loaded
Summary: libvirtd has an error because tun module is not loaded
Keywords:
Status: CLOSED DUPLICATE of bug 1717405
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 30
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-04-17 09:51 UTC by Gerard Ryan
Modified: 2019-07-25 14:03 UTC (History)

Fixed In Version: selinux-policy-3.14.3-31.fc30
Last Closed: 2019-04-27 21:27:07 UTC
Type: Bug

Description Gerard Ryan 2019-04-17 09:51:42 UTC
Description of problem:
I can't run minishift (probably other VMs too?) using libvirt on Fedora Silverblue 30 Beta because libvirtd has an error because the tun module is not loaded.

Version-Release number of selected component (if applicable):

$ minishift version
minishift v1.31.0+d06603e
CDK v3.8.0-2

$ rpm -q libvirt
libvirt-5.1.0-4.fc30.x86_64

How reproducible:
Until I load the tun module manually, 100%

Steps to reproduce:
I'm not sure if `minishift start` actually triggers the problem or not; I look at `systemctl status libvirtd` before running that.

Actual results:
Here's what I see before I load tun and reload:

$ systemctl status libvirtd
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-04-17 10:34:12 IST; 1min 57s ago
     Docs: man:libvirtd(8)
           https://libvirt.org
 Main PID: 1185 (libvirtd)
    Tasks: 17 (limit: 32768)
   Memory: 69.7M
   CGroup: /system.slice/libvirtd.service
           └─1185 /usr/sbin/libvirtd --listen

Apr 17 10:34:12 silverblue-t580 systemd[1]: Starting Virtualization daemon...
Apr 17 10:34:12 silverblue-t580 systemd[1]: Started Virtualization daemon.
Apr 17 10:34:12 silverblue-t580 libvirtd[1185]: libvirt version: 5.1.0, package: 4.fc30 (Fedora Project, 2019-04-02-16:12:24, )
Apr 17 10:34:12 silverblue-t580 libvirtd[1185]: hostname: silverblue-t580
Apr 17 10:34:12 silverblue-t580 libvirtd[1185]: internal error: Failed to apply firewall rules /usr/sbin/ip6tables --table filter --list-rules: ip6tables v1.8.0 (legacy): can't initialize ip6tables table `filter': Permission denied
                                                Perhaps ip6tables or your kernel needs to be upgraded.
Apr 17 10:34:13 silverblue-t580 libvirtd[1185]: Unable to open /dev/net/tun, is tun module loaded?: No such file or directory
Apr 17 10:34:13 silverblue-t580 libvirtd[1185]: Unable to open /dev/net/tun, is tun module loaded?: No such file or directory
Apr 17 10:35:24 silverblue-t580 libvirtd[1185]: End of file while reading data: Input/output error
Apr 17 10:35:34 silverblue-t580 libvirtd[1185]: End of file while reading data: Input/output error


Expected results:
After running the following two commands, everything works fine, so I guess that's "expected" :)

$ sudo modprobe tun
$ sudo systemctl reload libvirtd

$ systemctl status libvirtd
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-04-17 10:34:12 IST; 2min 25s ago
     Docs: man:libvirtd(8)
           https://libvirt.org
  Process: 3517 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 1185 (libvirtd)
    Tasks: 21 (limit: 32768)
   Memory: 74.1M
   CGroup: /system.slice/libvirtd.service
           ├─1185 /usr/sbin/libvirtd --listen
           ├─3574 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/docker-machines.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
           ├─3575 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/docker-machines.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
           ├─3640 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
           └─3641 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper

Apr 17 10:36:34 silverblue-t580 dnsmasq-dhcp[3574]: read /var/lib/libvirt/dnsmasq/docker-machines.hostsfile
Apr 17 10:36:34 silverblue-t580 dnsmasq[3640]: started, version 2.80 cachesize 150
Apr 17 10:36:34 silverblue-t580 dnsmasq[3640]: compile time options: IPv6 GNU-getopt DBus no-i18n IDN2 DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify dumpfile
Apr 17 10:36:34 silverblue-t580 dnsmasq-dhcp[3640]: DHCP, IP range 192.168.122.2 -- 192.168.122.254, lease time 1h
Apr 17 10:36:34 silverblue-t580 dnsmasq-dhcp[3640]: DHCP, sockets bound exclusively to interface virbr0
Apr 17 10:36:34 silverblue-t580 dnsmasq[3640]: reading /etc/resolv.conf
Apr 17 10:36:34 silverblue-t580 dnsmasq[3640]: using nameserver 127.0.0.1#53
Apr 17 10:36:34 silverblue-t580 dnsmasq[3640]: read /etc/hosts - 3 addresses
Apr 17 10:36:34 silverblue-t580 dnsmasq[3640]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
Apr 17 10:36:34 silverblue-t580 dnsmasq-dhcp[3640]: read /var/lib/libvirt/dnsmasq/default.hostsfile


Additional info:
I'm not sure if this is a Silverblue issue or a libvirt issue or something else.

Comment 1 Daniel Berrangé 2019-04-17 10:00:04 UTC
It is possibly the same thing we hit in Fedora 31 previously https://bugzilla.redhat.com/show_bug.cgi?id=1689975

Can you show output of 

 $ systemctl status kmod-static-nodes.service

And

 $ grep modules.devname /var/log/audit/audit.log

Comment 2 Gerard Ryan 2019-04-17 10:56:36 UTC
Thanks Daniel, here's the output of those commands:

$ systemctl status kmod-static-nodes.service
● kmod-static-nodes.service - Create list of required static device nodes for the current kernel
   Loaded: loaded (/usr/lib/systemd/system/kmod-static-nodes.service; static; vendor preset: disabled)
   Active: inactive (dead) since Wed 2019-04-17 11:53:22 IST; 1min 9s ago
Condition: start condition failed at Wed 2019-04-17 11:53:25 IST; 1min 6s ago
           └─ ConditionFileNotEmpty=/lib/modules/5.0.7-300.fc30.x86_64/modules.devname was not met
 Main PID: 308 (code=exited, status=0/SUCCESS)

Apr 17 11:53:22 localhost systemd[1]: kmod-static-nodes.service: Succeeded.
Apr 17 11:53:22 localhost systemd[1]: Stopped Create list of required static device nodes for the current kernel.
Apr 17 11:53:24 silverblue-t580 systemd[1]: Condition check resulted in Create list of required static device nodes for the current kernel being skipped.
Apr 17 11:53:24 silverblue-t580 systemd[1]: Condition check resulted in Create list of required static device nodes for the current kernel being skipped.
Apr 17 11:53:24 silverblue-t580 systemd[1]: Condition check resulted in Create list of required static device nodes for the current kernel being skipped.
Apr 17 11:53:24 silverblue-t580 systemd[1]: Condition check resulted in Create list of required static device nodes for the current kernel being skipped.
Apr 17 11:53:25 silverblue-t580 systemd[1]: Condition check resulted in Create list of required static device nodes for the current kernel being skipped.
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

$ sudo grep modules.devname /var/log/audit/audit.log
type=AVC msg=audit(1555081047.583:118): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/usr/lib/modules/5.0.6-300.fc30.x86_64/modules.devname" dev="dm-1" ino=2498251 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1555085454.794:124): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/usr/lib/modules/5.0.6-300.fc30.x86_64/modules.devname" dev="dm-1" ino=2498251 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1555493651.483:118): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/usr/lib/modules/5.0.7-300.fc30.x86_64/modules.devname" dev="dm-1" ino=2498251 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1555498405.149:116): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/usr/lib/modules/5.0.7-300.fc30.x86_64/modules.devname" dev="dm-1" ino=2498251 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0

Comment 3 Daniel Berrangé 2019-04-17 11:05:55 UTC
Ok, that looks like the same bug then.  kmod-static-nodes.service is failing to start because systemd can't read /usr/lib/modules/5.0.6-300.fc30.x86_64/modules.devname due to SELinux AVC.

So looks like the flaw from rawhide was pulled into Fedora 30, and the fix from rawhide was missed.

SELinux policy in Fedora 30 will need the same fix from bug 1689975.
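
The triage Comment 3 performs by eye, as an added example (not part of the bug thread and not Fedora or libvirt code): parse the AVC records and report, per kernel version, which access systemd was denied on modules.devname. The first two sample records are copied from Comment 2, the third is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: the first two records are from Comment 2; the third is a
# constructed, unrelated denial that the filter must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1555081047.583:118): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/usr/lib/modules/5.0.6-300.fc30.x86_64/modules.devname" dev="dm-1" ino=2498251 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1555493651.483:118): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/usr/lib/modules/5.0.7-300.fc30.x86_64/modules.devname" dev="dm-1" ino=2498251 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1555493700.001:130): avc:  denied  { read } for  pid=900 comm="exampled" path="/tmp/example" dev="dm-1" ino=42 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'type=AVC msg=audit\(\d+\.\d+:\d+\): avc:\s+denied\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DEVNAME_RE = re.compile(r'/modules/(?P<kver>[^/]+)/modules\.devname$')


def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None if it is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the type is what policy rules match on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def devname_denials(log_text):
    """Map kernel version -> {(stype, ttype, tclass, perm)} enforced against systemd."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("comm") != "systemd" or rec.get("permissive") != "0":
            continue
        m = DEVNAME_RE.search(rec.get("path", ""))
        if m:
            for perm in rec["perms"]:
                hits[m.group("kver")].add((rec["stype"], rec["ttype"], rec.get("tclass"), perm))
    return dict(hits)


if __name__ == "__main__":
    for kver, denials in sorted(devname_denials(SAMPLE_AUDIT_LOG).items()):
        for stype, ttype, tclass, perm in sorted(denials):
            print(f"{kver}: {stype} denied {perm} on {ttype}:{tclass}")
```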

Comment 4 Gerard Ryan 2019-04-17 11:18:31 UTC
Since this has now moved to selinux-policy, in case it's useful, the NVR of that that I've got installed is selinux-policy-3.14.3-29.fc30.noarch

Comment 5 Lukas Vrabec 2019-04-18 08:51:52 UTC
Hi All, 

It should be fixed in this build:
https://koji.fedoraproject.org/koji/buildinfo?buildID=1248382 

Could you please test it? 

Thanks,
Lukas

Comment 6 Fedora Update System 2019-04-19 21:58:39 UTC
selinux-policy-3.14.3-31.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-3055c546d6

Comment 7 Fedora Update System 2019-04-20 14:42:18 UTC
selinux-policy-3.14.3-31.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-3055c546d6

Comment 8 Fedora Update System 2019-04-27 21:27:07 UTC
selinux-policy-3.14.3-31.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Gerard Ryan 2019-06-05 22:05:32 UTC
I never got around to testing the update when you asked, sorry about that Lukas!

The problem still exists for me on Fedora 30 Silverblue. Additionally, I also hit bug #1717405, which could be related given that it's also a kernel module that's not getting loaded when it's needed (and the fix for a seemingly similar issue in Rawhide was in the selinux-policy package also).

I see the following error message in dmesg output, which might be related:

[   24.813270] systemd[1]: Unable to fix SELinux security context of /run/tmpfiles.d/kmod.conf: Invalid argument

Also, in case it's useful:

$ cat /run/tmpfiles.d/kmod.conf
c! /dev/fuse 0600 - - - 10:229
c! /dev/btrfs-control 0600 - - - 10:234
c! /dev/loop-control 0600 - - - 10:237
c! /dev/uhid 0600 - - - 10:239
c! /dev/cuse 0600 - - - 10:203

Any ideas?

Comment 10 Lukas Vrabec 2019-07-25 14:03:19 UTC
Hi Gerard, 

I pushed fixes for #1717405 and I think they will also help here. For now I'm closing this ticket as a duplicate; tomorrow I'll do a new build so you can test it next week.

Thanks,
Lukas.

*** This bug has been marked as a duplicate of bug 1717405 ***

