Bug 1227558

Summary: No audit log when start a vm with iothreads
Product: Red Hat Enterprise Linux 7 Reporter: Luyao Huang <lhuang>
Component: libvirtAssignee: John Ferlan <jferlan>
Status: CLOSED ERRATA QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.2CC: dyuan, honzhang, jdenemar, jferlan, mzhan, rbalakri, zhwang
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: libvirt-1.2.17-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 06:39:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Luyao Huang 2015-06-03 02:43:33 UTC 
Description of problem:
No audit log when start a vm with iothreads

Version-Release number of selected component (if applicable):
libvirt-1.2.15-2.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Make sure auditing is enabled

2. prepare a vm with iothreads and start it:
# virsh iothreadinfo test3
 IOThread ID     CPU Affinity   
---------------------------------------------------
 2               0-3
 1               3

# virsh start test3
Domain test3 started

3. check the audit log

# ausearch -ts today -m VIRT_RESOURCE | grep 'iothread'
(no output)

Actual results:
No audit log when start a vm with iothreads

but have a log when hot add a iothread:

type=VIRT_RESOURCE msg=audit(1433298675.005:15889): pid=2578 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=iothread reason=update vm="test3" uuid=7347d748-f7ce-448f-8d49-3d29c9bcac30 old-iothread=2 new-iothread=3 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'

Expected results:
audit the iothread number started at domain startup time, like this:

type=VIRT_RESOURCE msg=audit(1433298675.005:15889): pid=2578 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=iothread reason=start vm="test3" uuid=7347d748-f7ce-448f-8d49-3d29c9bcac30 old-iothread=0 new-iothread=2 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'

Additional info:

This upstream commit could fix this issue:

commit 038a03c7a7492865c3e714b2d36cd9bde6bf5fc8
Author: Luyao Huang <lhuang>
Date:   Sun May 31 22:07:58 2015 +0800

    audit: Audit number of iothreads at domain startup
    
    If the domain has IOThreads defined, then audit the number started
    at domain startup time.
    
    Signed-off-by: Luyao Huang <lhuang>

v1.2.16-27-g038a03c
Comment 2 zhenfeng wang 2015-07-07 08:39:26 UTC 
Verify this bug with libvirt-1.2.17-1.el7, the audit log about iothreads could be shown in ausearch output, however, didn't show in auvirt command, will this be acceptable? please help check it, thanks

1.Start a guest with iothread configured
#virsh dumpxml rhel7.0
--
  <iothreads>4</iothreads>
  <iothreadids>
    <iothread id='1'/>
    <iothread id='2'/>
    <iothread id='3'/>
    <iothread id='4'/>
  </iothreadids>

2.Start the guest, will fail to get the iothread info, thhe issue has been tracked by bug 1238589
# virsh iothreadinfo rhel7.0
error: Unable to get domain IOThreads information
error: Unable to encode message payload


3.check the audit log with ausearch command, could get the audit log about iothreads

# ausearch -ts today -m VIRT_RESOURCE | grep 'iothread'
type=VIRT_RESOURCE msg=audit(1436256617.284:46835): pid=5033 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=iothread reason=start vm="rhel7.0" uuid=322b9657-5616-4b5a-bfc8-a05475c2873e old-iothread=0 new-iothread=4 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'


4.Check the audit log with the auvirt command, couldn't see the iothreads in the output
# auvirt --all-events
--
res   rhel7.0                  	root       	Tue Jul  7 16:26                   	cgroup      	deny      	all		
res   rhel7.0                  	root       	Tue Jul  7 16:26                   	cgroup      	allow     	path	rw	/mnt/zhwang/img/vm3.qcow2
res   rhel7.0                  	root       	Tue Jul  7 16:26                   	cgroup      	allow     	major	rw	pty
res   rhel7.0                  	root       	Tue Jul  7 16:27                   	disk        	start     	/mnt/zhwang/img/vm3.qcow2
res   rhel7.0                  	root       	Tue Jul  7 16:27                   	net         	start     	"52:54:00:6e:35:dc"
res   rhel7.0                  	root       	Tue Jul  7 16:27                   	mem         	start     	1048576
res   rhel7.0                  	root       	Tue Jul  7 16:27                   	vcpu        	start     	2
start rhel7.0                  	root       	Tue Jul  7 16:27
Comment 3 John Ferlan 2015-07-09 13:23:04 UTC 
I don't believe it matters, but that would perhaps be a question for whomever owns the auvirt command.  I'll note that iothreads are just thread resources associated with the qemu process.  There are a number of resources audited at startup (virDomainAuditStart) that I don't necessarily see in the auvirt list. But what I do see specifically called out seems to be host level resources (vcpu, mem, net, disk) rather than things like threads, sockets, files, etc.
Comment 4 zhenfeng wang 2015-08-03 02:40:18 UTC 
Thanks John's response,then mark this bug verified and confirm the auvirt command's doubt in bug 982154
Comment 6 errata-xmlrpc 2015-11-19 06:39:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2202.html