Bug 1248105
Summary: | USB passthrough doesn't work when qemu runs under non-root user | | |
---|---|---|---|
Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Martin Polednik <mpoledni> |
Component: | vdsm | Assignee: | Martin Polednik <mpoledni> |
Status: | CLOSED ERRATA | QA Contact: | Nisim Simsolo <nsimsolo> |
Severity: | urgent | Docs Contact: | |
Priority: | high | | |
Version: | unspecified | CC: | amureini, bazulay, danken, dyuan, gklein, lpeer, lsurette, mavital, mgoldboi, michal.skrivanek, nsimsolo, pzhang, rbalakri, xuzhang, ycui, yeylon, ykaul, zhwang |
Target Milestone: | ovirt-3.6.0-rc3 | | |
Target Release: | 3.6.0 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2016-03-09 19:43:19 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | Virt | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1003572, 1154205, 1172230, 1261075 | | |

Description
Martin Polednik
2015-07-29 15:29:15 UTC
It works for me with:

```
selinux-policy-3.13.1-34.el7.noarch
libvirt-daemon-1.2.17-2.el7.x86_64
qemu-kvm-rhev-2.3.0-13.el7.x86_64
```

Is there anything useful in the machine log in /var/log/libvirt/qemu/? Does it work with SELinux in permissive mode? If SELinux is enforcing, is virt_use_usb set?

```
# getsebool virt_use_usb
virt_use_usb --> on
```

Can you attach the whole domain XML and the part of audit.log related to domain startup?

After further investigation, the issue is caused by dynamic_ownership=0 in /etc/libvirt/qemu.conf. Using dynamic_ownership=1 does work as expected.

(In reply to Martin Polednik from comment #3)
> After further investigation, the issue is caused by dynamic_ownership=0 in
> /etc/libvirt/qemu.conf.
>
> Using dynamic_ownership=1 does work as expected.

That is explicitly disabled by vdsm. Don't remember why. Dan?

With dynamic_ownership=1 libvirtd (running as root) attempted to chown NFS-mounted images. This fails on rootsquash NFS mounts. I see in bug 810241 that libvirt's semantics have been refined a bit since then, so it may be that this is no longer needed for that.

There might have been other reasons for dynamic_ownership=0, but neither I nor git nor bugzilla remember them. It was introduced long ago (bug 554961) and has been like that in oVirt ever since. A change to 1 requires a proper regression check of file/block storage.

I can reproduce it.

Version: libvirt-1.2.17-3.el7.x86_64

Reproduction steps:

1. Change user in qemu.conf:

```
user = "qemu"
group = "qemu"
dynamic_ownership = 0
```

2. Add user qemu:

```
#useradd qemu -g qemu
```

3. Prepare a guest with an OS.

4. Prepare two USB devices on the host:

```
# lsusb
Bus 001 Device 003: ID 0781:5567 SanDisk Corp. Cruzer Blade
Bus 002 Device 009: ID 1005:b113 Apacer Technology, Inc. Handy Steno/AH123 / Handy Steno 2.0/HT203
```

Check USB device ownership:

```
# ls /dev/bus/usb/001/003 -alZ
crw-rw-r--. root root system_u:object_r:usb_device_t:s0 /dev/bus/usb/001/003
# ls /dev/bus/usb/002/009 -alZ
crw-rw-r--. root root system_u:object_r:usb_device_t:s0 /dev/bus/usb/002/009
```

5. Attach USB devices to the guest:

```
# cat usb2.xml
<hostdev mode='subsystem' type='usb' managed='yes'>
  <source>
    <address bus='1' device='3'/>
  </source>
  <boot order='4'/>
</hostdev>
# virsh attach-device usb usb2.xml
Device attached successfully
# cat usb3.xml
<hostdev mode='subsystem' type='usb' managed='yes'>
  <source>
    <vendor id='0x1005'/>
    <product id='0xb113'/>
  </source>
</hostdev>
# virsh attach-device usb usb3.xml
Device attached successfully
# virsh dumpxml usb |grep hostdev -A 9
<hostdev mode='subsystem' type='usb' managed='yes'>
  <source>
    <address bus='1' device='3'/>
  </source>
  <alias name='hostdev0'/>
</hostdev>
<hostdev mode='subsystem' type='usb' managed='yes'>
  <source>
    <vendor id='0x1005'/>
    <product id='0xb113'/>
    <address bus='2' device='9'/>
  </source>
  <alias name='hostdev1'/>
</hostdev>
```

6. Log in to the guest to check:

```
#lsusb
```

CANNOT find USB devices.

7. Check the ownership again:

```
# ls /dev/bus/usb/001/003 -alZ
crw-rw-r--. root root system_u:object_r:svirt_image_t:s0:c179,c596 /dev/bus/usb/001/003
[root@184pzhang usb]# ls /dev/bus/usb/002/009 -alZ
crw-rw-r--. root root system_u:object_r:svirt_image_t:s0:c179,c596 /dev/bus/usb/002/009
```

Additional info:

1> If I change the ownership of the USB devices, it will be OK:

```
# chown qemu:qemu /dev/bus/usb/002/009
# ls /dev/bus/usb/002/009 -alZ
crw-rw-r--. qemu qemu system_u:object_r:usb_device_t:s0 /dev/bus/usb/002/009
# virsh attach-device usb usb2.xml
Device attached successfully
```

Log in to the guest and use lsusb to check:

```
#lsusb
```

The USB device could be found in the guest.

2> If I set dynamic_ownership = 1, then I attach the USB device to the guest and start the guest:

```
# virsh dumpxml usb | grep hostdev -A 9
<hostdev mode='subsystem' type='usb' managed='yes'>
  <source>
    <address bus='1' device='3'/>
  </source>
  <alias name='hostdev0'/>
</hostdev>
# ls /dev/bus/usb/001/003 -alZ
crw-rw-r--. qemu qemu system_u:object_r:svirt_image_t:s0:c363,c560 /dev/bus/usb/001/003
```

Log in to the guest to check:

```
#lsusb
```

The USB device can be found in the guest.

With dynamic_ownership disabled, libvirt obviously does not change the ownership of the device.

*** Bug 1261075 has been marked as a duplicate of this bug. ***

Fixed.

Verification scenario:
1. Attach USB keyboard and mouse to VFIO VM and verify devices functionality.
2. Attach USB live image to VM and install VM.

Verification version:

```
rhevm-3.6.0.1-0.1.el6
sanlock-3.2.4-1.el7.x86_64
vdsm-4.17.9-1.el7ev.noarch
qemu-kvm-rhev-2.3.0-31.el7.x86_64
libvirt-client-1.2.17-5.el7.x86_64
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0362.html
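The condition this thread converges on (a non-root `user` in qemu.conf, `dynamic_ownership = 0`, and a root-owned USB device node) can be checked before a device is attached. The following is an added example, not code from the report, vdsm or libvirt: the function names are hypothetical, the sample inputs are constructed from the values in the reproduction steps, and the defaults used for unset keys plus the omission of ACL and SELinux checks are simplifying assumptions.

```python
import re

# Constructed samples built from the values in the reproduction steps above.
SAMPLE_QEMU_CONF = 'user = "qemu"\ngroup = "qemu"\ndynamic_ownership = 0\n'
SAMPLE_LS = ("crw-rw-r--. root root system_u:object_r:usb_device_t:s0 "
             "/dev/bus/usb/001/003")


def parse_qemu_conf(text):
    """Extract the DAC-related keys from qemu.conf text."""
    # Assumed defaults for unset keys; the packaged user/group default
    # differs between distributions, so pass the real file where possible.
    conf = {"user": "root", "group": "root", "dynamic_ownership": "1"}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$', line)
        if m and m.group(1) in conf:
            conf[m.group(1)] = m.group(2)
    return conf


def can_open_rw(ls_line, user, groups):
    """Evaluate plain mode bits from one `ls -alZ` line for `user`.

    Simplification: POSIX ACLs and SELinux policy are not considered.
    """
    perms, owner, group = ls_line.split()[:3]
    if user == "root":
        return True
    if user == owner:
        triad = perms[1:4]
    elif group in groups:
        triad = perms[4:7]
    else:
        triad = perms[7:10]
    return triad.startswith("rw")


def diagnose(conf_text, ls_line):
    """Return (ok, reason) for attaching the device node to a guest."""
    conf = parse_qemu_conf(conf_text)
    if conf["dynamic_ownership"] == "1":
        return True, "libvirt sets the node owner to the qemu user"
    if can_open_rw(ls_line, conf["user"], {conf["group"]}):
        return True, "static ownership already grants read/write"
    return False, ("dynamic_ownership=0 and %s cannot open the node "
                   "read/write" % conf["user"])


if __name__ == "__main__":
    print(diagnose(SAMPLE_QEMU_CONF, SAMPLE_LS))
```

On a host, feed it the contents of /etc/libvirt/qemu.conf and the `ls -alZ` line for the device node in question.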