svirt\u4ecb\u7ecd\uff1a
\n\u300c sVirt \u9879\u76ee\u662f\u4e00\u9879\u793e\u533a\u5de5\u4f5c\uff0c\u5c1d\u8bd5\u96c6\u6210\u5f3a\u5236\u8bbf\u95ee\u63a7\u5236 (MAC) \u5b89\u5168\u548c\u57fa\u4e8e Linux \u7684\u865a\u62df\u5316 (KVM)\u3002\u300d<\/p>\n
\u300c\u5b83\u6784\u5efa\u4e8e SELinux \u4e4b\u4e0a\uff0c\u63d0\u4f9b\u4e00\u4e2a\u57fa\u7840\u67b6\u6784\u6765\u4f7f\u7ba1\u7406\u5458\u80fd\u591f\u5b9a\u4e49\u865a\u62df\u673a\u9694\u79bb\u7b56\u7565\u3002
\nsVirt \u53ef\u4ee5\u5f00\u7bb1\u5373\u7528\u5730\u786e\u4fdd\u4e00\u4e2a\u865a\u62df\u673a\u8d44\u6e90\u65e0\u6cd5\u4f9b\u4efb\u4f55\u5176\u4ed6\u8fdb\u7a0b\uff08\u6216\u865a\u62df\u673a\uff09\u8bbf\u95ee\uff0c
\n\u8fd9\u53ef\u7531 sysadmin \u6269\u5c55\u6765\u5b9a\u4e49\u7ec6\u7c92\u5ea6\u7684\u6743\u9650\uff0c\u4f8b\u5982\u5c06\u865a\u62df\u673a\u5206\u7ec4\u5230\u4e00\u8d77\u4ee5\u5171\u4eab\u8d44\u6e90\u3002\u300d<\/p>\n
\u300c Svirt \u786e\u4fdd\u4e00\u53f0\u865a\u673a\u51fa\u73b0\u95ee\u9898\u7684\u865a\u62df\u673a\u4e0d\u4f1a\u5f71\u54cd\u5230\u4e3b\u673a\u64cd\u4f5c\u7cfb\u7edf\u3002\u300d<\/p>\n
\u300c sVirt= SELinuxpolicy + libvirtdriver\u300d<\/p>\n
sVirt\u5728\u7cfb\u7edf\u4e0a\u7684\u8bd5\u7528\uff1a
\n\u5728\u5f00\u542fselinux\u7684\u72b6\u6001\u4e0b\u8fdb\u884c\u6d4b\u8bd5\u4f7f\u7528\uff1a<\/p>\n
\r\n [root@localhost ceph]# getenforce\r\nEnforcing\r\n[root@svirt img]# ll -aZ\r\ndrwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 .\r\ndrwxr-xr-x. root root system_u:object_r:usr_t:s0 ..\r\n-rw-r--r--. root root system_u:object_r:usr_t:s0 testforsvirt.img\r\n-rw-r--r--. root root unconfined_u:object_r:usr_t:s0 testforsvirt_rbd.xml\r\n-rw-r--r--. root root unconfined_u:object_r:usr_t:s0 testforsvirt.xml<\/pre>\n\u542f\u52a8\u865a\u673a\uff1a<\/p>\n
[root@svirt img]# virsh start TestForSVirt\r\nDomain TestForSVirt started<\/pre>\ntestforsvirt.img\u5b89\u5168\u4e0a\u4e0b\u6587\u5df2\u7ecf\u53d1\u751f\u53d8\u5316\uff1a<\/p>\n
[root@svirt img]# ll -aZ\r\ndrwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 .\r\ndrwxr-xr-x. root root system_u:object_r:usr_t:s0 ..\r\n-rw-r--r--. root root unconfined_u:object_r:usr_t:s0 1\r\n-rw-r--r--. qemu qemu system_u:object_r:svirt_image_t:s0:c49,c668 testforsvirt.img\r\n-rw-r--r--. root root unconfined_u:object_r:usr_t:s0 testforsvirt_rbd.xml\r\n-rw-r--r--. root root unconfined_u:object_r:usr_t:s0 testforsvirt.xml\r\n[root@svirt img]# ps -eZ |grep qemu-kvm\r\nsystem_u:system_r:svirt_t:s0:c49,c668 25074 ? 00:00:11 qemu-kvm\r\n[root@svirt img]# ps -eZ |grep libvirt\r\nsystem_u:system_r:virtd_t:s0-s0:c0.c1023 24402 ? 00:00:00 libvirtd<\/pre>\nsVirt libvirt\u5728ceph\u7684rbd\u4e0a\u8fdb\u884c\u5c1d\u8bd5\uff1a<\/p>\n
\r\n[root@localhost ceph]# getenforce\r\nEnforcing\r\n[root@localhost ceph]# service ceph -a start\r\n=== mon.a === \r\nStarting ceph mon.a on svirt...\r\n=== mds.a === \r\nStarting ceph mds.a on svirt...\r\nstarting mds.a at :\/0\r\n=== osd.0 === \r\nMounting xfs on svirt:\/data\/osd.0\r\ncreate-or-move updated item id 0 name 'osd.0' weight 1.82 at location {host=svirt,root=default} to crush map\r\nStarting ceph osd.0 on svirt...\r\nstarting osd.0 at :\/0 osd_data \/data\/osd.0 \/data\/osd.0\/journal\r\n=== osd.1 === \r\nMounting xfs on svirt:\/data\/osd.1\r\ncreate-or-move updated item id 1 name 'osd.1' weight 1.82 at location {host=svirt,root=default} to crush map\r\nStarting ceph osd.1 on svirt...\r\nstarting osd.1 at :\/0 osd_data \/data\/osd.1 \/data\/osd.1\/journal\r\n=== osd.2 === \r\nMounting xfs on svirt:\/data\/osd.2\r\ncreate-or-move updated item id 2 name 'osd.2' weight 1.82 at location {host=svirt,root=default} to crush map\r\nStarting ceph osd.2 on svirt...\r\nstarting osd.2 at :\/0 osd_data \/data\/osd.2 \/data\/osd.2\/journal\r\n[root@localhost ceph]# ceph osd tree\r\n\r\n# id weight type name up\/down reweight\r\n-1 3 root default\r\n-3 3 rack unknownrack\r\n-2 3 host svirt\r\n0 1 osd.0 up 1\r\n1 1 osd.1 up 1\r\n2 1 osd.2 up 1\r\n\r\n<\/pre>\n\u4f7f\u7528ceph rbd\u5757\u5b58\u50a8\u8fdb\u884c\u6d4b\u8bd5\uff1a<\/p>\n
[root@localhost ceph]# rbd import \/opt\/img\/testforsvirt.img \r\n\r\n[root@localhost img]# rbd ls\r\ntestforsvirt.img<\/pre>\n\u51fa\u73b0\u4ee5\u4e0b\u9519\u8bef\uff1a<\/p>\n
[root@localhost audit]# virsh start TestForSVirt_RBD\r\nerror: Failed to start domain TestForSVirt_RBD\r\nerror: internal error Process exited while reading console log output: char device redirected to \/dev\/pts\/6\r\nqemu-kvm: -drive file=rbd:rbd\/testforsvirt.img:auth_supported=none,if=none,id=drive-ide0-0-0,format=raw,cache=writeback: could not open disk image rbd:rbd\/testforsvirt.img:auth_supported=none: No such file or directory\r\n<\/pre>\n\u8fd9\u4e2a\u65f6\u5019\u9700\u8981\u5bf9libvirt\u8fdb\u884c\u8ba4\u8bc1\u8bbe\u7f6e
\n\u8bbe\u7f6e\u8bbf\u95eeceph\u7684\u7528\u6237\uff1a<\/p>\n[root@svirt img]# ceph auth get-or-create client.libvirt mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool=rbd'\r\n[client.libvirt]\r\n key = AQDiZDFTQCv4ABAAw9JIhjomuDaDnciDvb4hmA==<\/pre>\n\u5f97\u5230libvirt\u7684key\uff1b<\/p>\n
ceph auth list\r\nclient.libvirt\r\n key: AQDiZDFTQCv4ABAAw9JIhjomuDaDnciDvb4hmA==\r\n caps: [mon] allow r\r\n caps: [osd] allow class-read object_prefix rbd_children, allow rwx pool=rbd<\/pre>\n\u5199\u5165type\u7b49\u4e8e’ceph’\u5230secret.xml <\/p>\n
[root@svirt img]# cat secret.xml \r\n<secret ephemeral='no' private='no'>\r\n <usage type='ceph'>\r\n <name>client.libvirt secret<\/name>\r\n <\/usage>\r\n<\/secret><\/pre>\n\u751f\u6210secret\u6587\u4ef6\u7684uuid\u3002<\/p>\n
[root@svirt img]# virsh secret-define --file secret.xml \r\nSecret 9a9126ef-1402-7708-2931-91bbf8218a38 created<\/pre>\n\u5c06libvirt\u7684\u5bc6\u94a5\u5199\u5165\u6587\u4ef6secret.xml <\/p>\n
[root@svirt img]# cat client.libvirt.key \r\nAQDiZDFTQCv4ABAAw9JIhjomuDaDnciDvb4hmA==<\/pre>\n\u4f7f\u7528virsh\u8bbe\u7f6e\u5bc6\u94a5\u3002<\/p>\n
[root@svirt img]# virsh secret-set-value --secret 9a9126ef-1402-7708-2931-91bbf8218a38 --base64 $(cat client.libvirt.key) && rm client.libvirt.key secret.xml\r\nSecret value set\r\nrm: remove regular file `client.libvirt.key'? y\r\nrm: remove regular file `secret.xml'? y<\/pre>\n\u5728testforsvirt_rbd.xml\u6587\u4ef6\u4e2d\u5199\u5165\u4ee5\u4e0b\u8bbe\u7f6e\uff1b<\/p>\n
<auth username='libvirt'>\r\n <secret type='ceph' uuid='9a9126ef-1402-7708-2931-91bbf8218a38'\/>\r\n<\/auth>\r\n\r\n[root@svirt img]# virsh start TestForSVirt_RBD\r\nDomain TestForSVirt_RBD started<\/pre>\n\u67e5\u770b\u5b89\u5168\u4e0a\u4e0b\u6587\uff1a<\/p>\n
[root@svirt img]# ps -eZ |grep qemu-kvm\r\nsystem_u:system_r:svirt_t:s0:c394,c871 12668 ? 00:00:25 qemu-kvm\r\nsystem_u:system_r:svirt_t:s0:c49,c668 25074 ? 00:00:28 qemu-kvm\r\n\r\n[root@svirt img]# ps -eZf |grep qemu-kvm\r\nsystem_u:system_r:svirt_t:s0:c394,c871 qemu 12668 1 99 07:34 ? 00:00:35 \/usr\/libexec\/qemu-kvm -name TestForSVirt_RBD -S -M rhel5.4.0 -enable-kvm -m 1024 -realtime mlock=off -smp 3,sockets=3,cores=1,threads=1 -uuid 866a86ea-4a0c-9537-c51a-897ecf7724dc -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=\/var\/lib\/libvirt\/qemu\/TestForSVirt_RBD.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -no-acpi -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=rbd:rbd\/testforsvirt.img:id=libvirt:key=AQDiZDFTQCv4ABAAw9JIhjomuDaDnciDvb4hmA==:auth_supported=cephx\\;none:mon_host=192.168.8.39\\:6789,if=none,id=drive-ide0-0-0,format=raw,cache=writeback -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -netdev tap,fd=27,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=54:52:00:aa:8a:f1,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -vnc 0.0.0.0:2,password -k en-us -vga cirrus -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x4\r\nunconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 12747 9520 0 07:35 pts\/0 00:00:00 grep qemu-kvm\r\nsystem_u:system_r:svirt_t:s0:c49,c668 qemu 25074 1 0 05:04 ? 00:00:28 \/usr\/libexec\/qemu-kvm -name TestForSVirt -S -M rhel5.4.0 -enable-kvm -m 1024 -realtime mlock=off -smp 3,sockets=3,cores=1,threads=1 -uuid 281f8d42-ecef-f890-919c-2534ef54ea96 -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=\/var\/lib\/libvirt\/qemu\/TestForSVirt.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -no-acpi -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=\/opt\/img\/testforsvirt.img,if=none,id=drive-ide0-0-0,format=raw -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -netdev tap,fd=23,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=54:52:00:aa:8a:f1,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -vnc 0.0.0.0:0,password -k en-us -vga cirrus -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x4<\/pre>\n\u5ba1\u8ba1\u65e5\u5fd7\uff1a<\/p>\n
type=AVC msg=audit(1395737328.996:439): avc: denied { setsched } for pid=6168 comm=\"qemu-kvm\" \r\ntype=SYSCALL msg=audit(1395737328.996:439): comm=\u201cqemu-kvm\" exe=\"\/usr\/libexec\/qemu-kvm\" subj=unconfined_u:system_r:svirt_t:s0:c378,c802 \r\ntype=SYSCALL msg=audit(1395737329.011:440): comm=\"qemu-kvm\" exe=\"\/usr\/libexec\/qemu-kvm\" subj=unconfined_u:system_r:svirt_t:s0:c378,c802 \r\ntype=VIRT_RESOURCE msg=audit(1395737329.122:441): user pid=6957 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=disk reason=start vm=\"TestForSVirt_RBD\" uuid=faf9d80e-0758-fd97-e4c7-24a06c611c9b\r\n\u2026\r\nold-disk=\"?\" new-disk=\"rbd\/testforsvirt.img\" exe=\"\/usr\/sbin\/libvirtd\u201c\r\nold-net=? new-net=54:52:00:AA:8A:F1 exe=\"\/usr\/sbin\/libvirtd\" \r\nold-mem=0 new-mem=1048576 exe=\"\/usr\/sbin\/libvirtd\u201c\r\nold-vcpu=0 new-vcpu=3 exe=\"\/usr\/sbin\/libvirtd\"\r\nvm-pid=-1 exe=\"\/usr\/sbin\/libvirtd\"<\/pre>\n","protected":false},"excerpt":{"rendered":"svirt\u4ecb\u7ecd\uff1a \u300c sVirt \u9879\u76ee\u662f\u4e00\u9879\u793e\u533a\u5de5…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[84,3,83],"tags":[180,94,92,179,93],"_links":{"self":[{"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/posts\/455"}],"collection":[{"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=455"}],"version-history":[{"count":1,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/posts\/455\/revisions"}],"predecessor-version":[{"id":456,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/posts\/455\/revisions\/456"}],"wp:attachment":[{"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=455"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=455"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=455"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}