- Bug
- Resolution: Done-Errata
- Normal
- rhel-9.5
- selinux-policy-38.1.52-1.el9
- None
- Moderate
- 1
- rhel-security-selinux
- ssg_security
- 25
- 1
- QE ack
- False
- False
- No
- SELINUX 250219: 2
- Pass
- Automated
- Release Note Not Required
- x86_64
- None
What were you trying to do that didn't work?
It fails to run the following nbdkit command as non-root on the RHEL9.5 host.
$ nbdkit -U - memory 1G --run 'guestfish --ro --format=raw -a "$uri" run : list-devices'
libguestfs: error: could not create appliance through libvirt.

Try running qemu directly without libvirt using this environment variable:
export LIBGUESTFS_BACKEND=direct

Original error from libvirt: internal error: process exited while connecting to monitor: 2024-05-20T11:41:52.438144Z qemu-kvm: -blockdev {"driver":"nbd","server":{"type":"unix","path":"/tmp/nbdkitgymwYL/socket"},"node-name":"libvirt-4-storage","read-only":true,"cache":{"direct":false,"no-flush":true}}: Failed to connect to '/tmp/nbdkitgymwYL/socket': Permission denied [code=1 int1=-1]
What is happening is that nbdkit is creating a temporary socket (/tmp/nbdkitgymwYL/socket), then qemu (via libvirt) is trying and failing to connect to that socket.
It seems to be an SELinux failure (see comment below) so maybe the socket should be relabelled by something?
The NBD connection happens through a backing file:
qemu-img create -f qcow2 -o backing_file=nbd:unix:/tmp/nbdkitLrNz22/socket,backing_fmt=raw /tmp/libguestfsgymwYL/overlay1.qcow2
which is added to the libvirt guest using:
<disk device="disk" type="file">
  <source file="/tmp/libguestfsBUz6qp/overlay1.qcow2"/>
  <target dev="sda" bus="scsi"/>
  <driver name="qemu" type="qcow2" cache="unsafe"/>
  <address type="drive" controller="0" bus="0" target="0" unit="0"/>
</disk>
Please provide the package NVR for which bug is seen:
libguestfs-1.50.1-9.el9.x86_64
nbdkit-1.38.0-1.el9.x86_64
libvirt-10.3.0-1.el9.x86_64
How reproducible:
100%
Expected results
$ nbdkit -U - memory 1G --run 'guestfish --ro --format=raw -a "$uri" run : list-devices'
/dev/sda
- links to RHBA-2024:139849 selinux-policy bug fix and enhancement update