Bug 1371039

Summary: CPU features with policy 'disable' should not be supported in the guest.
Product: Red Hat Enterprise Linux 7 Reporter: chhu
Component: libvirtAssignee: Jiri Denemark <jdenemar>
Status: CLOSED ERRATA QA Contact: Jing Qi <jinqi>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.3CC: dyuan, lhuang, mtessun, rbalakri, xuzhang, yalzhang
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: libvirt-2.5.0-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 17:14:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1199452    

Description chhu 2016-08-29 08:50:41 UTC 
Description of problem:
CPU features with policy 'disable' should not be supported in the guest.

Version-Release number of selected component (if applicable):
libvirt-2.0.0-6.el7.x86_64
qemu-kvm-rhev-2.6.0-22.el7.x86_64


How reproducible:
100%

Steps to Reproduce:
1. Start a VM with cpu feature arat,tsc_adjust, xsaveopt, policy='require',
check the qemu-kvm command line with "+arat,+tsc_adjust,+xsaveopt",
login to the guest, check the /proc/cpuinfo include: arat,tsc_adjust,xsaveopt.

2. Start a VM with cpu feature arat,tsc_adjust,xsaveopt disabled.  
# virsh start r7t
Domain r7t started

# virsh list --all
 Id    Name                           State
----------------------------------------------------
 72    r7t                            running

# virsh dumpxml r7t| grep "<cpu" -A 30
  <cpu mode='custom' match='exact'>    Or  <cpu mode='host-model'>
    <model fallback='allow'>Haswell-noTSX</model>
    <vendor>Intel</vendor>
    <feature policy='require' name='vme'/>
    <feature policy='require' name='ds'/>
    <feature policy='require' name='acpi'/>
    <feature policy='require' name='ss'/>
    <feature policy='require' name='ht'/>
    <feature policy='require' name='tm'/>
    <feature policy='require' name='pbe'/>
    <feature policy='require' name='dtes64'/>
    <feature policy='require' name='monitor'/>
    <feature policy='require' name='ds_cpl'/>
    <feature policy='require' name='vmx'/>
    <feature policy='require' name='smx'/>
    <feature policy='require' name='est'/>
    <feature policy='require' name='tm2'/>
    <feature policy='require' name='xtpr'/>
    <feature policy='require' name='pdcm'/>
    <feature policy='require' name='dca'/>
    <feature policy='require' name='osxsave'/>
    <feature policy='require' name='f16c'/>
    <feature policy='require' name='rdrand'/>
    <feature policy='disable' name='arat'/>
    <feature policy='disable' name='tsc_adjust'/>
    <feature policy='disable' name='xsaveopt'/>
    <feature policy='require' name='pdpe1gb'/>
    <feature policy='require' name='abm'/>
  </cpu>

3. Check the qemu-kvm commandline, "-arat,-tsc_adjust,-xsaveopt" are not included,
login to the guest, cat /proc/cpuinfo, include arat,xsaveopt, not include tsc_adjust.

# ps -ef|grep qemu-kvm
qemu      57192      1 28 23:39 ?        00:00:21 /usr/libexec/qemu-kvm -name guest=r7t......
 -cpu Haswell-noTSX,+vme,+ds,+acpi,+ss,+ht,+tm,+pbe,+dtes64,+monitor,+ds_cpl,+vmx,+smx,+est,+tm2,
+xtpr,+pdcm,+dca,+osxsave,+f16c,+rdrand,+pdpe1gb,+abm -m 1024


Expected results:
Qemu command line should has cpu flags similar as: "-arat,-tsc_adjust,-xsaveopt", and these disabled cpu flags are not supported in the guest.

Actual results:
Qemu command line has no cpu flag for the disabled feature. And some of the disabled cpu features are supported in the guest.
Comment 2 Jiri Denemark 2016-08-31 13:31:53 UTC 
This issue should be addressed by the patch series I sent upstream earlier this month: https://www.redhat.com/archives/libvir-list/2016-August/msg00660.html
Comment 3 Jiri Denemark 2016-09-22 13:57:14 UTC 
This should be fixed upstream as of

commit 7ce711a30eaf882ccd0217b2528362b563b6d670
Refs: v2.2.0-199-g7ce711a
Author:     Jiri Denemark <jdenemar>
AuthorDate: Wed Jun 22 15:53:48 2016 +0200
Commit:     Jiri Denemark <jdenemar>
CommitDate: Thu Sep 22 15:40:09 2016 +0200

    qemu: Update guest CPU def in live XML

    Storing the updated CPU definition in the live domain definition saves
    us from having to update it over and over when we need it. Not to
    mention that we will soon further update the CPU definition according to
    QEMU once it's started.

    A highly wanted side effect of this patch, libvirt will pass all CPU
    features explicitly specified in domain XML to QEMU, even those that are
    already included in the host model.

    This patch should fix the following bugs:
        https://bugzilla.redhat.com/show_bug.cgi?id=1207095
        https://bugzilla.redhat.com/show_bug.cgi?id=1339680
        https://bugzilla.redhat.com/show_bug.cgi?id=1371039
        https://bugzilla.redhat.com/show_bug.cgi?id=1373849
        https://bugzilla.redhat.com/show_bug.cgi?id=1375524
        https://bugzilla.redhat.com/show_bug.cgi?id=1377913

    Signed-off-by: Jiri Denemark <jdenemar>
Comment 5 Jing Qi 2017-03-03 04:23:35 UTC 
Verified on version :libvirt-2.5.0-1.el7.x86_64 & qemu-kvm-rhev-2.6.0-28.el7_3.1.x86_64. 
# ps -ef |grep qemu-kvm |grep arat
qemu     21300     1  1 11:42 ?        00:00:37 /usr/libexec/qemu-kvm -name guest=avocado-vt-2,debug-threads=on -S -object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-12-avocado-vt-2/master-key.aes -machine rhel6.3.0,accel=kvm,usb=off,dump-guest-core=off -cpu Penryn,+pdcm,+xtpr,+tm2,+est,-smx,+vmx,+ds_cpl,+monitor,+dtes64,+pbe,+tm,+ht,+ss,+acpi,+ds,+vme,-arat,-tsc_adjust,-xsaveopt -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid cc1e306e-ce22-44f2-8483-d08008fb706c -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-12-avocado-vt-2/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/images/generic-2.qcow2,format=qcow2,if=none,id=drive-ide0-0-0,cache=none -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -netdev tap,fd=27,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:6e:27:dd,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -vnc 127.0.0.1:0 -device cirrus-vga,id=video0,bus=pci.0,addr=0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x4 -msg timestamp=on
Comment 6 errata-xmlrpc 2017-08-01 17:14:13 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1846
Comment 7 errata-xmlrpc 2017-08-01 23:55:08 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1846
Comment 8 errata-xmlrpc 2017-08-02 01:27:35 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1846