[ovs-discuss] libvirt: error : cannot execute binary ovs-vsctl: Permission denied

Harsh Gondaliya harshgondaliya_vinodbhai at srmuniv.edu.in
Wed Apr 3 14:20:37 UTC 2019


The config worked once I rebooted the host PC. So the issue got resolved.
Thanks.

On Wed, Apr 3, 2019 at 7:46 PM Harsh Gondaliya <
harshgondaliya_vinodbhai at srmuniv.edu.in> wrote:

> When I changed the prefix to --prefix=/usr everything worked well. Now
> when I want to change the AppArmor profile a similar error pops up. I changed
> /usr/bin/* PUx to /usr/local/bin/* PUx in
> /etc/apparmor.d/usr.sbin.libvirtd. Unable to troubleshoot what is going
> wrong.
> These are my system logs:
>
> Apr  3 19:34:58 dpdk-OptiPlex-5040 kernel: [ 2818.045860] audit: type=1400
> audit(1554300298.503:71): apparmor="STATUS" operation="profile_load"
> profile="unconfined" name="libvirt-ae767ff5-9d0f-4413-999b-b6b14dbf9b0c"
> pid=9093 comm="apparmor_parser"
> Apr  3 19:34:58 dpdk-OptiPlex-5040 kernel: [ 2818.046045] audit: type=1400
> audit(1554300298.503:72): apparmor="STATUS" operation="profile_load"
> profile="unconfined"
> name="libvirt-ae767ff5-9d0f-4413-999b-b6b14dbf9b0c//qemu_bridge_helper"
> pid=9093 comm="apparmor_parser"
> Apr  3 19:34:58 dpdk-OptiPlex-5040 NetworkManager[8158]: <info>
> [1554300298.5148] manager: (vnet0): new Tun device
> (/org/freedesktop/NetworkManager/Devices/14)
> Apr  3 19:34:58 dpdk-OptiPlex-5040 NetworkManager[8158]: <info>
> [1554300298.5197] devices added (path: /sys/devices/virtual/net/vnet0,
> iface: vnet0)
> Apr  3 19:34:58 dpdk-OptiPlex-5040 NetworkManager[8158]: <info>
> [1554300298.5197] device added (path: /sys/devices/virtual/net/vnet0,
> iface: vnet0): no ifupdown configuration found.
> Apr  3 19:34:58 dpdk-OptiPlex-5040 libvirtd[8951]: internal error: Unable
> to add port vnet0 to OVS bridge br0
> Apr  3 19:34:58 dpdk-OptiPlex-5040 kernel: [ 2818.397087] audit: type=1400
> audit(1554300298.855:73): apparmor="DENIED" operation="exec"
> profile="/usr/sbin/libvirtd" name="/usr/local/bin/ovs-vsctl" pid=9110
> comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Apr  3 19:34:58 dpdk-OptiPlex-5040 NetworkManager[8158]: <info>
> [1554300298.8658] devices removed (path: /sys/devices/virtual/net/vnet0,
> iface: vnet0)
> Apr  3 19:34:58 dpdk-OptiPlex-5040 virtlogd[5635]: End of file while
> reading data: Input/output error
> Apr  3 19:34:59 dpdk-OptiPlex-5040 kernel: [ 2818.935155] audit: type=1400
> audit(1554300299.391:74): apparmor="STATUS" operation="profile_remove"
> profile="unconfined" name="libvirt-ae767ff5-9d0f-4413-999b-b6b14dbf9b0c"
> pid=9117 comm="apparmor_parser"
> Apr  3 19:34:58 dpdk-OptiPlex-5040 virtlogd[5635]: End of file while
> reading data: Input/output error
> Apr  3 19:34:59 dpdk-OptiPlex-5040 libvirtd[8951]: internal error: Unable
> to delete port (null) from OVS
> Apr  3 19:34:59 dpdk-OptiPlex-5040 kernel: [ 2819.157913] audit: type=1400
> audit(1554300299.615:75): apparmor="DENIED" operation="exec"
> profile="/usr/sbin/libvirtd" name="/usr/local/bin/ovs-vsctl" pid=9118
> comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
>
> On Wed, Mar 27, 2019 at 5:06 PM Harsh Gondaliya <
> harshgondaliya_vinodbhai at srmuniv.edu.in> wrote:
>
>> Thank you very much. I used --prefix=/usr while configuring OVS and the
>> issue got resolved.
>>
>> On Tue, Mar 26, 2019 at 10:48 PM <pierre.cregut at orange.com> wrote:
>>
>>> You are probably using an Ubuntu distribution. The AppArmor profile for
>>> libvirt in /etc/apparmor.d/usr.sbin.libvirtd states "/usr/bin/* PUx,"
>>> but not "/usr/local/bin/* PUx". When you use the distribution's OVS, it is
>>> installed in /usr/bin but yours is in /usr/local.
>>>
>>> Either modify your AppArmor profile or launch ./configure with
>>> --prefix=/usr
>>>
>>> On 26/03/2019 at 15:06, Harsh Gondaliya wrote:
>>> > I installed OVS from source into my /usr/src directory using the
>>> > installation steps mentioned here:
>>> > http://docs.openvswitch.org/en/latest/intro/install/general/
>>> >
>>> > However when I try to create a VM in KVM-QEMU and add it to OVS Bridge
>>> > I get error: Error starting domain: internal error: Unable to add port
>>> > vnet0 to OVS bridge br0
>>> >
>>> > The system logs show this error:
>>> >
>>> > Mar 26 19:25:01 dpdk-OptiPlex-5040 libvirtd.service: 20423: error :
>>> > virCommandWait:2553 : internal error: Child process (ovs-vsctl
>>> > --timeout=5 -- --if-exists del-port vnet0 -- add-port br0 vnet0 -- set
>>> > Interface vnet0 'external-ids:attached-mac="52:54:00:90:c6:c3"' -- set
>>> > Interface vnet0
>>> > 'external-ids:iface-id="a9700eff-03a7-4c47-a112-429fc20677a2"' -- set
>>> > Interface vnet0
>>> > 'external-ids:vm-id="41b4eef0-b820-41da-9034-9de22e1379e0"' -- set
>>> > Interface vnet0 external-ids:iface-status=active) unexpected exit
>>> > status 126:
>>> > *libvirt:  error : cannot execute binary ovs-vsctl: Permission denied*
>>> >
>>> > Mar 26 19:25:01 dpdk-OptiPlex-5040 kernel: [ 1932.243181] audit:
>>> > type=1400 audit(1553608501.701:59): apparmor="DENIED" operation="exec"
>>> > profile="/usr/sbin/libvirtd" name="/usr/local/bin/ovs-vsctl" pid=20679
>>> > comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
>>> >
>>> > Mar 26 19:25:01 dpdk-OptiPlex-5040 libvirtd.service: 20423: debug :
>>> > virCommandRun:2280 : Result status 0, stdout: '' stderr: 'libvirt:
>>> > error : cannot execute binary ovs-vsctl: Permission denied#012'
>>> > Mar 26 19:25:01 dpdk-OptiPlex-5040 libvirtd.service: 20423: error :
>>> > virNetDevOpenvswitchAddPort:155 : internal error: Unable to add port
>>> > vnet0 to OVS bridge br0
>>> > Mar 26 19:25:01 dpdk-OptiPlex-5040 NetworkManager[1096]: <info>
>>> > [1553608501.7126] devices removed (path:
>>> > /sys/devices/virtual/net/vnet0, iface: vnet0)
>>> >
>>> > Any guidance on how I can give permissions to libvirt to execute ovs-vsctl?
>>> >
>>> > _______________________________________________
>>> > discuss mailing list
>>> > discuss at openvswitch.org
>>> > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
>>> --
>>> *Pierre Crégut*
>>> IMT/OLN/WNI/ODIS/NAVI
>>> tél. +33 (0)2 96 07 19 76
>>> pierre.cregut at orange.com <mailto:pierre.cregut at orange.com>
>>
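
An added example, not part of the thread and not libvirt or OVS code: this Python sketch parses the AppArmor denial records quoted above and checks whether a profile's exec rules cover the denied path. The function names are hypothetical, and the glob matcher and rule parser are simplified assumptions that handle only `*`, `**`, `?` and `path perms,` rules.

```python
import re

# Two audit records copied from the thread (hostname prefix trimmed), still
# hard-wrapped the way the mail client left them.
SAMPLE_LOG = '''kernel: [ 2818.045860] audit: type=1400
audit(1554300298.503:71): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="libvirt-ae767ff5-9d0f-4413-999b-b6b14dbf9b0c"
pid=9093 comm="apparmor_parser"
kernel: [ 2818.397087] audit: type=1400
audit(1554300298.855:73): apparmor="DENIED" operation="exec"
profile="/usr/sbin/libvirtd" name="/usr/local/bin/ovs-vsctl" pid=9110
comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
'''
STOCK_PROFILE = "  /usr/bin/* PUx,\n"         # rule quoted in the thread
EDITED_PROFILE = "  /usr/local/bin/* PUx,\n"  # rule after the poster's edit

def parse_denials(log_text):
    """Return the key="value" fields of every apparmor="DENIED" record."""
    flat = " ".join(log_text.split())          # undo mail line wrapping
    denials = []
    for record in re.split(r'(?=audit: type=1400)', flat):
        fields = dict(re.findall(r'(\w+)="([^"]*)"', record))
        if fields.get("apparmor") == "DENIED":
            denials.append(fields)
    return denials

def glob_to_regex(pattern):
    """Simplified AppArmor glob: '*' stops at '/', '**' crosses it."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] in "*?":
            out.append("[^/]*" if pattern[i] == "*" else "[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("".join(out) + r"\Z")

def uncovered_execs(denials, profile_text):
    """Denied exec paths that no 'path perms,' rule granting x matches."""
    rules = [glob_to_regex(path)
             for path, perms in re.findall(r'^\s*(/\S+)\s+(\w+),', profile_text, re.M)
             if "x" in perms.lower()]
    return [d["name"] for d in denials
            if "x" in d.get("denied_mask", "")
            and not any(rx.match(d["name"]) for rx in rules)]

if __name__ == "__main__":
    for label, prof in (("stock", STOCK_PROFILE), ("edited", EDITED_PROFILE)):
        print(label, uncovered_execs(parse_denials(SAMPLE_LOG), prof))
```

An edited profile file only takes effect once it is loaded into the kernel (for example with `apparmor_parser -r`), so a denial that persists while a covering rule exists on disk points at a stale loaded profile rather than a wrong rule.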