
Error starting a KVM virtual machine [repost; this method solved an actual problem]

(2013-05-30 17:09:00)
Category: Cloud computing / virtualization
Reposted from: http://hi.baidu.com/juacm/item/f1fc3f98d8428ad07a7f01e2

The error message is as follows:

error: Failed to start domain instance-00000001
error: internal error process exited while connecting to monitor: char device redirected to /dev/pts/19
kvm: -netdev tap,ifname=tap2ed748c1-1c,script=,id=hostnet0: could not open /dev/net/tun: Operation not permitted
kvm: -netdev tap,ifname=tap2ed748c1-1c,script=,id=hostnet0: Device 'tap' could not be initialized

Make the changes described below:

 

The current open vswitch vif-plugging mechanism creates a tap device for each VM NIC, then has libvirt use that tap using an

This works fine on Ubuntu, but some distros have things locked down a bit more, which seems to prevent libvirt from using these tap devices.

I've seen some success working around this issue on RHEL by doing some combination of the following changes to "/etc/libvirt/qemu.conf" and then restarting libvirt:

Uncomment the line:

cgroup_controllers = [ "cpu", "devices", "memory" ]

Uncomment the following lines and add the reference to "/dev/net/tun":
cgroup_device_acl = [
    "/dev/null", "/dev/full", "/dev/zero",
    "/dev/random", "/dev/urandom",
    "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
    "/dev/rtc", "/dev/hpet", "/dev/net/tun"
]

Uncomment and set:
clear_emulator_capabilities=0

Also change the user to run as root
user = "root"
group = "root"

That said, if you're thinking about using this in production, you will have to put some time into exploring whether these changes are something you are comfortable with, as I believe the implication is that a malicious user that finds a way to break out of the KVM isolation would have root on your box, rather than just the permissions of the libvirt user.

It may also be the case that some of these problems go away if we instead set the permissions on the tap device to correspond to the libvirt user after creating it... I'm not really sure.

If you have any luck exploring this or have suggestions on how we can change the vif-plugging to work better on SUSE, let me know.
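
The settings above, as an added example that is not part of the reposted message: a short Python check that parses a qemu.conf and reports which of these changes are active, so hosts where the workaround was applied can be found and reviewed. The sample file contents and the function names parse_qemu_conf and audit are constructed for this illustration.

```python
import re

# Constructed sample: a qemu.conf after applying every change listed above.
SAMPLE_CONF = '''\
# Master configuration file for the QEMU driver.
#vnc_listen = "0.0.0.0"
cgroup_controllers = [ "cpu", "devices", "memory" ]
cgroup_device_acl = [
    "/dev/null", "/dev/full", "/dev/zero",
    "/dev/random", "/dev/urandom",
    "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
    "/dev/rtc", "/dev/hpet", "/dev/net/tun"
]
clear_emulator_capabilities=0
user = "root"
group = "root"
'''

def parse_qemu_conf(text):
    """Return {key: str | int | list[str]} for every uncommented setting."""
    # Drop comments first so a multi-line [ ... ] list can be matched as one value.
    # Assumption: no '#' character appears inside a quoted value.
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    settings = {}
    for key, raw in re.findall(r'^\s*(\w+)\s*=\s*(\[[^\]]*\]|"[^"]*"|-?\d+)', body, re.M):
        if raw.startswith("["):
            settings[key] = re.findall(r'"([^"]*)"', raw)
        elif raw.startswith('"'):
            settings[key] = raw[1:-1]
        else:
            settings[key] = int(raw)
    return settings

def audit(settings):
    """List the settings from this page that widen what a compromised QEMU process can do."""
    findings = []
    for key in ("user", "group"):
        if settings.get(key) in ("root", "0", "+0"):
            findings.append(f"{key} is root: guest emulator processes run as root")
    if settings.get("clear_emulator_capabilities") == 0:
        findings.append("clear_emulator_capabilities=0: QEMU keeps its capabilities")
    if "/dev/net/tun" in settings.get("cgroup_device_acl", []):
        findings.append("cgroup_device_acl allows /dev/net/tun to every guest")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_qemu_conf(SAMPLE_CONF)):
        print("WARN", finding)
```

To check a real host, pass the contents of /etc/libvirt/qemu.conf to parse_qemu_conf instead of the sample string.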
