Bug 1374232

Summary: selinux relabel fails on RHEL 6.2 guests with "libguestfs error: selinux_relabel: : Success"
Product: Red Hat Enterprise Linux 7 Reporter: laitao <laitao>
Component: libguestfsAssignee: Pino Toscano <ptoscano>
Status: CLOSED ERRATA QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified Docs Contact: Yehuda Zimmerman <yzimmerm>
Priority: unspecified    
Version: 7.1CC: juzhou, laitao, mxie, pasik, ptoscano, rjones, tzheng, xiaodwan
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: V2V
Fixed In Version: libguestfs-1.36.2-1.el7 Doc Type: Bug Fix
Doc Text:
Red Hat Enterprise Linux 6.2 - 6.5 guest virtual machines can now be converted using *virt-v2v* Previously, an error in the SELinux `file_contexts` file in Red Hat Enterprise Linux versions 6.2 - 6.5 prevented conversion of these guests using the *virt-v2v* utiltiy. With this update, *virt-v2v* automatically fixes the error in the SElinux `file_contexts` file. As a result, Red Hat Enterprise Linux 6.2-6.5 guest virtual machines can now be converted using *virt-v2v*.
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 22:08:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1359086    
Bug Blocks:    

Description laitao 2016-09-08 09:56:05 UTC
Description of problem:


Version-Release number of selected component (if applicable):

virt-v2v 1.32
libguestfs 1.32


when i use rel7 virt-v2v to convert all the linux system ,this problem appeal: virt-v2v: error: libguestfs error: selinux_relabel: : Success, i do not know how to fix it .

guestfsd: main_loop: proc 467 (selinux_relabel) took 1.76 seconds
libguestfs: trace: v2v: selinux_relabel = -1 (error)
virt-v2v: error: libguestfs error: selinux_relabel: : Success
rm -rf '/var/tmp/ova.Q8TNG6'
rm -rf '/var/tmp/null.fkFo25'
libguestfs: trace: v2v: close

Comment 1 Richard W.M. Jones 2016-09-08 10:22:25 UTC
Which exact version of libguestfs and virt-v2v, and where did
you get them from?

Secondly please run virt-v2v with the -v -x options and attach
the complete output to this bug.

Comment 3 laitao 2016-09-09 02:39:32 UTC
virt-v2v-1.32.7-1.el7.x86_64

libguestfs-1.32.7-1.el7.x86_64

get them from yum : http://people.redhat.com/~rjones/libguestfs-RHEL-7.3-preview/

error:
[root@bao-test-3 ~]# virt-v2v -i ova /usr/BXTT1V10152/ -o local -os /var/tmp -of qcow2
[   0.0] Opening the source -i ova /usr/BXTT1V10152/
[   0.0] Creating an overlay to protect the source from being modified
[   0.1] Initializing the target -o local -os /var/tmp
[   0.1] Opening the overlay
[  10.2] Inspecting the overlay
[  38.3] Checking for sufficient free disk space in the guest
[  38.3] Estimating space required on target for each disk
[  38.3] Converting Red Hat Enterprise Linux Server release 6.2 (Santiago) to run on KVM
virt-v2v: error: libguestfs error: selinux_relabel: : Success

If reporting bugs, run virt-v2v with debugging enabled and include the
complete output:

while:
[root@bao-test-3 ~]# virt-v2v -v -x -i ova /usr/BXTT1V10152/ -o local -os /var/tmp -of qcow2

libguestfs: trace: v2v: is_file "/usr/sbin/load_policy" "followsymlinks:true"
guestfsd: main_loop: proc 50 (command) took 172.13 seconds
guestfsd: main_loop: new request, len 0x48
guestfsd: main_loop: proc 37 (is_file) took 0.00 seconds
libguestfs: trace: v2v: is_file = 1
libguestfs: trace: v2v: is_file "/etc/selinux/config" "followsymlinks:true"
guestfsd: main_loop: new request, len 0x44
libguestfs: trace: v2v: is_file = 1
libguestfs: trace: v2v: feature_available "selinuxrelabel"
libguestfs: trace: v2v: internal_feature_available "selinuxrelabel"
guestfsd: main_loop: proc 37 (is_file) took 0.00 seconds
guestfsd: main_loop: new request, len 0x3c
guestfsd: main_loop: proc 458 (internal_feature_available) took 0.00 secondslibg                 uestfs: trace: v2v: internal_feature_available = 0
libguestfs: trace: v2v: feature_available = 1
libguestfs: trace: v2v: aug_init "/" 48

guestfsd: main_loop: new request, len 0x34
libguestfs: trace: v2v: aug_init = 0
libguestfs: trace: v2v: aug_rm "/augeas/load/*["/etc/selinux/config/" !~ regexp(                 '^') + glob(incl) + regexp('/.*')]"
guestfsd: main_loop: proc 16 (aug_init) took 4.06 seconds
guestfsd: main_loop: new request, len 0x80
libguestfs: trace: v2v: aug_rm = 1161
libguestfs: trace: v2v: aug_load
guestfsd: main_loop: proc 22 (aug_rm) took 0.17 seconds
guestfsd: main_loop: new request, len 0x28
libguestfs: trace: v2v: aug_load = 0
libguestfs: trace: v2v: aug_match "/augeas/files//error"
guestfsd: main_loop: proc 27 (aug_load) took 0.37 seconds
guestfsd: main_loop: new request, len 0x40
guestfsd: main_loop: proc 24 (aug_match) took 0.00 seconds
libguestfs: trace: v2v: aug_match = []
libguestfs: trace: v2v: aug_get "/files/etc/selinux/config/SELINUXTYPE"
guestfsd: main_loop: new request, len 0x54
guestfsd: main_loop: proc 19 (aug_get) took 0.00 seconds
libguestfs: trace: v2v: aug_get = "targeted"
libguestfs: trace: v2v: aug_close
guestfsd: main_loop: new request, len 0x28
libguestfs: trace: v2v: aug_close = 0
libguestfs: trace: v2v: selinux_relabel "/etc/selinux/targeted/contexts/files/fi                 le_contexts" "/" "force:true"
guestfsd: main_loop: proc 26 (aug_close) took 0.26 seconds
guestfsd: main_loop: new request, len 0x6c
commandrvf: stdout=n stderr=y flags=0x0
commandrvf: setfiles -F -e /sysroot/dev -e /sysroot/proc -e /sysroot/selinux -e                  /sysroot/sys -r /sysroot -q /sysroot/etc/selinux/targeted/contexts/files/file_co                 ntexts /sysroot/
[  952.895254] hrtimer: interrupt took 2425878 ns
guestfsd: error: : Success
libguestfs: trace: v2v: selinux_relabel = -1 (error)
virt-v2v: error: libguestfs error: selinux_relabel: : Success
rm -rf '/var/tmp/ova.DwHLIj'
rm -rf '/var/tmp/null.PcWnKl'
libguestfs: trace: v2v: close
libguestfs: closing guestfs handle 0x284e580 (state 2)
libguestfs: trace: v2v: internal_autosync
guestfsd: main_loop: proc 467 (selinux_relabel) took 518.76 seconds
guestfsd: main_loop: new request, len 0x28
umount-all: /proc/mounts: fsname=rootfs dir=/ type=rootfs opts=rw freq=0 passno=0
umount-all: /proc/mounts: fsname=proc dir=/proc type=proc opts=rw,relatime freq=0 passno=0
umount-all: /proc/mounts: fsname=/dev/root dir=/ type=ext2 opts=rw,noatime freq=0 passno=0
umount-all: /proc/mounts: fsname=/proc dir=/proc type=proc opts=rw,relatime freq=0 passno=0
umount-all: /proc/mounts: fsname=/sys dir=/sys type=sysfs opts=rw,relatime freq=0 passno=0
umount-all: /proc/mounts: fsname=tmpfs dir=/run type=tmpfs opts=rw,nosuid,relatime,size=158048k,mode=755 freq=0 passno=0
umount-all: /proc/unts: fsname=/dev dir=/dev type=devtmpfs opts=rw,relatime,size=392944k,nr_inodes=98236,mode=755 freq=0 passno=0
umount-all: /proc/mounts: fsname=/dev/mapper/VolGroup-lv_root dir=/sysroot type=ext4 opts=rw,relatime,data=ordered freq=0 passno=0
umount-all: /proc/mounts: fsname=/dev/sda1 dir=/sysroot/boot type=ext4 opts=rw,relatime,data=ordered freq=0 passno=0
commandrvf: stdout=n stderr=y flags=0x0
commandrvf: umount /sysroot/boot
commandrvf: stdout=n stderr=y flags=0x0
commandrvf: umount /sysroot
fsync /dev/sda
guestfsd: main_loop: proc 282 (internal_autosync) took 3.57 seconds
libguestfs: trace: v2v: internal_autosync = 0
libguestfs: calling virDomainDestroy flags=0
libguestfs: command: run: rm
libguestfs: command: run: \ -rf /tmp/libguestfs7jY9Sh



(In reply to Richard W.M. Jones from comment #1)
> Which exact version of libguestfs and virt-v2v, and where did
> you get them from?
> 
> Secondly please run virt-v2v with the -v -x options and attach
> the complete output to this bug.

Comment 4 Richard W.M. Jones 2016-09-09 08:06:34 UTC
It looks as if the setfiles command doesn't send all errors
to stderr.  It also does a lot of stupid stuff like:

https://github.com/SELinuxProject/selinux/blob/master/policycoreutils/setfiles/setfiles.c#L165
https://github.com/SELinuxProject/selinux/blob/master/policycoreutils/setfiles/setfiles.c#L463
(and more)

Anyway I'll see if I can reproduce this with a RHEL 6.2 guest.

Comment 5 Richard W.M. Jones 2016-09-09 08:14:15 UTC
The two line reproducer is:

$ virt-builder rhel-6.2

$ guestfish --ro -a rhel-6.2.img -i selinux-relabel /etc/selinux/targeted/contexts/files/file_contexts / force:true
libguestfs: error: selinux_relabel: /sysroot/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument: Success

Comment 6 tingting zheng 2016-09-09 08:31:15 UTC
(In reply to Richard W.M. Jones from comment #5)
> The two line reproducer is:
> 
> $ virt-builder rhel-6.2
> 
> $ guestfish --ro -a rhel-6.2.img -i selinux-relabel
> /etc/selinux/targeted/contexts/files/file_contexts / force:true
> libguestfs: error: selinux_relabel:
> /sysroot/etc/selinux/targeted/contexts/files/file_contexts: Invalid
> argument: Success

Hi,Richard

I saw you set devel_ack+ on this bug,will the bug be targeted for rhel7.3?

Comment 7 Richard W.M. Jones 2016-09-09 09:23:43 UTC
The problem turns out to be a faulty line in the RHEL 6.2
/etc/selinux/targeted/contexts/files/file_contexts.  The
problematic line is:

/var/run/spice-vdagentd.\pid   --      system_u:object_r:vdagent_var_run_t:s0  

setfiles doesn't exactly help because it hides the error amongst
a load of other irrelevant messages, but the actual error is:

contexts:  line 1838 has invalid regex /var/run/spice-vdagentd.\pid:  unknown property name after \P or \p

I believe the problem is: "spice-vdagentd.\pid" was intended to
be: "spice-vdagentd\.pid" but the backslash got misplaced.

Because this occurs in the guest filesystem (RHEL 6.2), it's
difficult to control from libguestfs/virt-v2v.  It was fixed
between 6.2 and 6.8, but I cannot find any Red Hat bug about it.

This is the same as the following Gentoo bug:
https://bugs.gentoo.org/show_bug.cgi?id=436688

Since this only affects unsupported RHEL 6, I'm going to defer it
to RHEL 7.4.

Comment 8 Richard W.M. Jones 2016-09-09 09:26:02 UTC
To the reporter:

To work around this you will need to edit
the file /etc/selinux/targeted/contexts/files/file_contexts in
the source guest.  Find the line which has the incorrect
\p regexp (see comment 7) and repair it.

Or: upgrade the guest to a more recent version of RHEL 6 before
trying to convert it.

Comment 9 laitao 2016-09-12 02:42:46 UTC
(In reply to Richard W.M. Jones from comment #8)
> To the reporter:
> 
> To work around this you will need to edit
> the file /etc/selinux/targeted/contexts/files/file_contexts in
> the source guest.  Find the line which has the incorrect
> \p regexp (see comment 7) and repair it.
> 
> Or: upgrade the guest to a more recent version of RHEL 6 before
> trying to convert it.

You are right, after I edit the /etc/selinux/targeted/contexts/files/file_contexts in the source guest,the conversion successed. what a amazing bug in the redhat...

Comment 10 mxie@redhat.com 2016-09-12 06:23:34 UTC
I can reproduce this bug with below builds when convert a rhel6.5 guest from ova file by virt-v2v

Packages:
virt-v2v-1.32.7-3.el7.x86_64
libguestfs-1.32.7-3.el7.x86_64
qemu-kvm-rhev-2.6.0-24.el7.x86_64
libvirt-2.0.0-8.el7.x86_64

Step:
1.# virt-v2v -i ova esx-rhel6-ova.tar -os default -of raw
[   0.0] Opening the source -i ova esx-rhel6-ova.tar
[  13.6] Creating an overlay to protect the source from being modified
[  14.2] Initializing the target -o libvirt -os default
[  14.3] Opening the overlay
[  51.5] Inspecting the overlay
[  59.9] Checking for sufficient free disk space in the guest
[  59.9] Estimating space required on target for each disk
[  59.9] Converting Red Hat Enterprise Linux Server release 6.5 (Santiago) to run on KVM
virt-v2v: error: libguestfs error: selinux_relabel: 
/sysroot/etc/selinux/targeted/contexts/files/file_contexts: Invalid 
argument: Success

If reporting bugs, run virt-v2v with debugging enabled and include the 
complete output:

  virt-v2v -v -x [...]

Comment 11 Richard W.M. Jones 2017-02-16 14:07:37 UTC
Fixed upstream in ad3c8fe7f49c4991e1aa536856a1a408f55d5409.

Comment 13 Christopher Brown 2017-03-03 17:01:21 UTC
I can confirm that updating selinux-policy* for RHEL 6.4 fixed this.

Comment 14 mxie@redhat.com 2017-03-06 09:48:34 UTC
Verify the bug with builds:
virt-v2v-1.36.1-1.el7.x86_64
libvirt-3.1.0-1.el7.x86_64
qemu-kvm-rhev-2.8.0-5.el7.x86_64
libguestfs-1.36.1-1.el7.x86_64

Steps:
1.Convert a rhel6.2 guest by virt-v2v
# virt-v2v -ic xen+ssh://root.3.21 xen-hvm-rhel6.2-i386 -of qcow2[   0.0] Opening the source -i libvirt -ic xen+ssh://root.3.21 xen-hvm-rhel6.2-i386
[   0.3] Creating an overlay to protect the source from being modified
[   0.8] Initializing the target -o libvirt -os default
[   1.0] Opening the overlay
[  15.1] Inspecting the overlay
[  27.2] Checking for sufficient free disk space in the guest
[  27.2] Estimating space required on target for each disk
[  27.2] Converting Red Hat Enterprise Linux Server release 6.2 Beta (Santiago) to run on KVM
virt-v2v: error: libguestfs error: selinux_relabel: 
/sysroot/etc/selinux/targeted/contexts/files/file_contexts: Invalid 
argument

If reporting bugs, run virt-v2v with debugging enabled and include the 
complete output:

  virt-v2v -v -x [...]

2.Convert a rhel6.5 guest from ova file by virt-v2v
# virt-v2v -i ova esx-rhel6-ova.tar -of raw
[   0.0] Opening the source -i ova esx-rhel6-ova.tar
[   1.7] Creating an overlay to protect the source from being modified
[   1.9] Initializing the target -o libvirt -os default
[   1.9] Opening the overlay
[   2.8] Inspecting the overlay
[   9.5] Checking for sufficient free disk space in the guest
[   9.5] Estimating space required on target for each disk
[   9.5] Converting Red Hat Enterprise Linux Server release 6.5 (Santiago) to run on KVM
virt-v2v: error: libguestfs error: selinux_relabel: 
/sysroot/etc/selinux/targeted/contexts/files/file_contexts: Invalid 
argument

If reporting bugs, run virt-v2v with debugging enabled and include the 
complete output:

  virt-v2v -v -x [...]


According to the above verify result, the bug has not been fixed yet

Comment 15 Richard W.M. Jones 2017-03-06 09:55:30 UTC
The fix is a documentation fix.

https://github.com/libguestfs/libguestfs/commit/ad3c8fe7f49c4991e1aa536856a1a408f55d5409

The real bug is essentially impossible to fix because it's a problem
with a broken regular expression in a file in the guest filesystem.

Comment 16 Richard W.M. Jones 2017-03-06 10:44:04 UTC
I posted an alternative fix upstream which rewrites the
invalid regexp in the file_contexts file:

https://www.redhat.com/archives/libguestfs/2017-March/msg00076.html

Comment 17 Richard W.M. Jones 2017-03-06 16:04:15 UTC
Improved fix for this is upstream in:

https://github.com/libguestfs/libguestfs/commit/25772a8123a1a800caf3472fb79c8eb3b4a074f3

Needs backporting to RHEL 7.4.

Comment 18 Richard W.M. Jones 2017-03-06 16:08:26 UTC
Sorry, there was a typo in the commit.  The full list of commits
needed to fix this is:

https://github.com/libguestfs/libguestfs/commit/25772a8123a1a800caf3472fb79c8eb3b4a074f3
https://github.com/libguestfs/libguestfs/commit/c6d8d68a4643794128c1d617bc83fc22438cc7c5

Comment 19 mxie@redhat.com 2017-03-09 14:44:59 UTC
Verify the bug again with builds:
virt-v2v-1.36.2-1.el7.x86_64
libguestfs-1.36.2-1.el7.x86_64
libvirt-3.1.0-2.el7.x86_64
qemu-kvm-rhev-2.8.0-6.el7.x86_64

Steps:
1.Convert a rhel6.2 guest from rhel5 host by virt-v2v
 virt-v2v -ic xen+ssh://root.3.21 xen-hvm-rhel6.2-i386 -of qcow2
[   0.0] Opening the source -i libvirt -ic xen+ssh://root.3.21 xen-hvm-rhel6.2-i386
[   0.4] Creating an overlay to protect the source from being modified
[   0.9] Initializing the target -o libvirt -os default
[   0.9] Opening the overlay
[   3.6] Inspecting the overlay
[  16.7] Checking for sufficient free disk space in the guest
[  16.7] Estimating space required on target for each disk
[  16.7] Converting Red Hat Enterprise Linux Server release 6.2 Beta (Santiago) to run on KVM
virt-v2v: This guest has virtio drivers installed.
[  70.6] Mapping filesystem data to avoid copying unused and blank areas
[  70.8] Closing the overlay
[  70.8] Checking if the guest needs BIOS or UEFI to boot
[  70.8] Assigning disks to buses
[  70.8] Copying disk 1/1 to /var/lib/libvirt/images/xen-hvm-rhel6.2-i386-sda (qcow2)
    (100.00/100%)
[ 444.7] Creating output metadata
Pool default refreshed

Domain xen-hvm-rhel6.2-i386 defined from /tmp/v2vlibvirt674d71.xml

[ 444.8] Finishing off

2.Power on the guest"xen-hvm-rhel6.2-i386 " and checkpoints of guest are passed

3.Convert a rhel6.5 guest from ova file by virt-v2v
# virt-v2v -i ova esx-rhel6-ova.tar -of raw
[   0.0] Opening the source -i ova esx-rhel6-ova.tar
[   2.0] Creating an overlay to protect the source from being modified
[   2.2] Initializing the target -o libvirt -os default
[   2.2] Opening the overlay
[   3.2] Inspecting the overlay
[  10.5] Checking for sufficient free disk space in the guest
[  10.5] Estimating space required on target for each disk
[  10.5] Converting Red Hat Enterprise Linux Server release 6.5 (Santiago) to run on KVM
virt-v2v: This guest has virtio drivers installed.
[  46.1] Mapping filesystem data to avoid copying unused and blank areas
[  46.2] Closing the overlay
[  46.2] Checking if the guest needs BIOS or UEFI to boot
[  46.2] Assigning disks to buses
[  46.2] Copying disk 1/1 to /var/lib/libvirt/images/esx-rhel6-sda (raw)
    (100.00/100%)
[  72.1] Creating output metadata
Pool default refreshed

Domain esx-rhel6 defined from /tmp/v2vlibvirt0d2f93.xml

[  75.2] Finishing off

4.Power on the guest and checkpoints of guest are passed


According to above result,the bug has been fixed

So move the bug from ON_QA to VERIFIED

Comment 20 Christopher Brown 2017-03-29 08:20:27 UTC
Hello, I can customize the disk image but would it be possible to release a new iso based on this?

Comment 21 Richard W.M. Jones 2017-03-29 09:20:51 UTC
Note that this bug is fixed in *virt-v2v* not in the ISO.  The
version of virt-v2v which should fix this is available here:

https://people.redhat.com/~rjones/libguestfs-RHEL-7.4-preview/

Incidentally there are also new virt-p2v preview images (although
it is not necessary to use them unless you want to):

http://oirase.annexia.org/virt-p2v/RHEL-7.4-preview/

Comment 23 errata-xmlrpc 2017-08-01 22:08:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2023