Guest with Fedora or Centos will not shutdown

K

Kei

Well-Known Member
May 29, 2016
88
2
48
38
Hi all,
I've noticed that I cannot gracefully power off any of my Centos 7 or Fedora 28 vm's with "right click -> Shutdown" from the WEB UI. If I do this, it's like I havent done anything and the VM just stays up. I've installed the Qemu drivers with "yum install qemu-guest-agent" and I've enable the flag for "Qemu Agent = Yes". Ubuntu and Debian VM's dont have any issue. I'm running PVE 4.4

Thanks for the help!
 
Hello,

When Qemu Agent enabled in PVE, it try to shutdown VM via the agent (when not enabled, it send ACPI event).

Please check if your communication beetwen your node and VM via the agent working well with
Code: 
qm agent <vmid> ping
command.
 
Hi Janos, I tried your test and it responded with an empty prompt, no error or no message whatsoever. Does it mean the communication is ok?
 
Hi Janos, I've looked at journalctl and indeed I got this message:

Code: 
qemu-ga[481]: info: guest-shutdown called, mode: (null)
audit[483]: USER_AVC pid=483 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.fre>
                                                      exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
audit[483]: USER_AVC pid=483 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.fre>
                                                      exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

At this point I belive there is some misconfiguration on the VM side, right?
 
Ok, I belive this is due to Selinux... I will need to understand how to configure it properly to enable shutdown on the guest.
 
Sorry dude, i don't have any idea, im not using selinux. Maybe you can add the required permission using selinux tools to this app.
 
It is indeed an SELinux issue, the following policy solved this for me:

Code: 
module fedora_proxmox 1.0;

require {
    type virt_qemu_ga_t;
    type systemd_logind_t;
    class dbus { send_msg };
}

allow virt_qemu_ga_t systemd_logind_t:dbus send_msg;
allow systemd_logind_t virt_qemu_ga_t:dbus send_msg;

I noticed that on Fedora, qemu agent is also unable to read the network configuration, adding a type of `proc_net_t`, the class `file { read open }`, and the policy `allow virt_qemu_ga_t proc_net_t:file { read open };` solved that as well.
 
ikogan said:
It is indeed an SELinux issue, the following policy solved this for me:

Code: 
module fedora_proxmox 1.0;

require {
    type virt_qemu_ga_t;
    type systemd_logind_t;
    class dbus { send_msg };
}

allow virt_qemu_ga_t systemd_logind_t:dbus send_msg;
allow systemd_logind_t virt_qemu_ga_t:dbus send_msg;

I noticed that on Fedora, qemu agent is also unable to read the network configuration, adding a type of `proc_net_t`, the class `file { read open }`, and the policy `allow virt_qemu_ga_t proc_net_t:file { read open };` solved that as well.
Click to expand...

For other people that have no idea what to do with this, it seems the following is necessary:

1. yum install policycoreutils-devel
2. save above module definition as fedora_proxmox.te
3. run make -f /usr/share/selinux/devel/Makefile fedora_proxmox.pp to compile the module
4. load module using semodule -i fedora_proxmox.pp, it will be automatically reloaded after reboots
 
  • Like
Reactions: ikogan
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back