Bug 1723633

Summary: VM refuses to start: can't apply global IvyBridge-IBRS-x86_64-cpu.osxsave=on
Product: Red Hat Enterprise Linux Advanced Virtualization Reporter: jiyan <jiyan>
Component: libvirtAssignee: Jiri Denemark <jdenemar>
Status: CLOSED ERRATA QA Contact: jiyan <jiyan>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.1CC: amit, berrange, cfergeau, crobinso, dwmw2, extras-qa, itamar, jdenemar, jsuchane, pbonzini, poc, rbalakri, rjones, virt-maint, xuzhang
Target Milestone: rcKeywords: Reopened
Target Release: 8.1Flags: knoel: mirror+
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: libvirt-5.5.0-1.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1644848 Environment:
Last Closed: 2019-11-06 07:17:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1644848    
Bug Blocks:    

Description jiyan 2019-06-25 03:46:03 UTC 
+++ This bug was initially created as a clone of Bug #1644848 +++

Description of problem:
An existing VM (running Fedora 28) will not start in F29.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.Attempt to run a VM created under F28, using Virtual Machine Manager
2.Fail
3.

Actual results:

Error starting domain: internal error: process exited while connecting to monitor: 2018-10-31T17:12:46.079682Z qemu-system-x86_64: can't apply global IvyBridge-IBRS-x86_64-cpu.osxsave=on: Property '.osxsave' not found

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 75, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 111, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 66, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1344, in startup
    self._backend.create()
  File "/usr/lib64/python3.7/site-packages/libvirt.py", line 1080, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirt.libvirtError: internal error: process exited while connecting to monitor: 2018-10-31T17:12:46.079682Z qemu-system-x86_64: can't apply global IvyBridge-IBRS-x86_64-cpu.osxsave=on: Property '.osxsave' not found

Expected results:
VM working as before

Additional info:
Guest is a basic F28 server with no GUI and has worked correctly before updating the host to F29.

--- Additional comment from Daniel Berrange on 2018-10-31 17:22:57 UTC ---

The "osxsave" property was removed from QEMU upstream as it was never actually exposed to the guests.

I expect that your existing guest has this CPU flag encoded in its XML config, as it was a previously supported flag.

Fixing it should be as simple as "virsh edit $guest" as root and delete the mention of "osxsave" feature flag.

Newly provisioned guests shouldn't get given this flag in the first place, only upgraded guests will suffer.

--- Additional comment from Patrick O'Callaghan on 2018-10-31 21:12:35 UTC ---

(In reply to Daniel Berrange from comment #1)
> The "osxsave" property was removed from QEMU upstream as it was never
> actually exposed to the guests.
> 
> I expect that your existing guest has this CPU flag encoded in its XML
> config, as it was a previously supported flag.
> 
> Fixing it should be as simple as "virsh edit $guest" as root and delete the
> mention of "osxsave" feature flag.
> 
> Newly provisioned guests shouldn't get given this flag in the first place,
> only upgraded guests will suffer.

That solved it, thanks. Curiously, a Windows 10 guest, also inherited from F28, does not have this problem as the osxsave feature was not set. I've no idea why.

--- Additional comment from Daniel Berrange on 2018-11-01 10:19:32 UTC ---

Maybe the problematic guest was in fact installed under an even earlier Fedora release than the Windows guest ? 

In any case, while this is a genuine problem, I don't think we're going to try todo anything to automagically remove the flags on upgrade, so i'm moving this to WONTFIX.

--- Additional comment from Patrick O'Callaghan on 2018-11-01 10:56:35 UTC ---

(In reply to Daniel Berrange from comment #3)
> Maybe the problematic guest was in fact installed under an even earlier
> Fedora release than the Windows guest ? 
> 
> In any case, while this is a genuine problem, I don't think we're going to
> try todo anything to automagically remove the flags on upgrade, so i'm
> moving this to WONTFIX.

In fact it's the oher way round. The Windows guest was installed over a year ago. The Fedora guest is only a couple of months old at most.

--- Additional comment from Patrick O'Callaghan on 2019-01-04 12:23:55 UTC ---

(In reply to Patrick O'Callaghan from comment #4)
> (In reply to Daniel Berrange from comment #3)
> > Maybe the problematic guest was in fact installed under an even earlier
> > Fedora release than the Windows guest ? 
> > 
> > In any case, while this is a genuine problem, I don't think we're going to
> > try todo anything to automagically remove the flags on upgrade, so i'm
> > moving this to WONTFIX.
> 
> In fact it's the oher way round. The Windows guest was installed over a year
> ago. The Fedora guest is only a couple of months old at most.

FYI an attempt to create a new VM triggered this error again. Since the VM XML file was never created, I had to track down the offending line in /usr/share/libvirt/cpu_map/x86_features.xml and remove it.

--- Additional comment from Patrick O'Callaghan on 2019-01-05 12:57:07 UTC ---

(In reply to Patrick O'Callaghan from comment #5)
> (In reply to Patrick O'Callaghan from comment #4)
> > (In reply to Daniel Berrange from comment #3)
> > > Maybe the problematic guest was in fact installed under an even earlier
> > > Fedora release than the Windows guest ? 
> > > 
> > > In any case, while this is a genuine problem, I don't think we're going to
> > > try todo anything to automagically remove the flags on upgrade, so i'm
> > > moving this to WONTFIX.
> > 
> > In fact it's the oher way round. The Windows guest was installed over a year
> > ago. The Fedora guest is only a couple of months old at most.
> 
> FYI an attempt to create a new VM triggered this error again. Since the VM
> XML file was never created, I had to track down the offending line in
> /usr/share/libvirt/cpu_map/x86_features.xml and remove it.

Removing the line from /usr/share/libvirt/cpu_map/x86_features.xml didn't fix the problem. I'm still getting a complaint about .osxsave so presumably it's being set somewhere else.

--- Additional comment from Cole Robinson on 2019-01-06 21:45:14 UTC ---

Reopening. Patrick can you provide:

* full virt-manager --debug output from app startup to reproducing the bug
* /var/log/libvirt/qemu/$vmname.log , for the VM name you are trying to create
* output of: sudo virsh domcapabilities

--- Additional comment from Patrick O'Callaghan on 2019-01-07 11:16:30 UTC ---

(In reply to Cole Robinson from comment #7)
> Reopening. Patrick can you provide:
> 
> * full virt-manager --debug output from app startup to reproducing the bug
> * /var/log/libvirt/qemu/$vmname.log , for the VM name you are trying to
> create
> * output of: sudo virsh domcapabilities

On a second attempt, the error refuses to show itself. I tried both with and without the change to /usr/share/libvirt/cpu_map/x86_features.xml and it made no difference. I can only assume it's because I rebooted after some system updates (though these were not to qemu or libvirt directly). Now on kernel 4.19.13-300.fc29.x86_64 if it matters.

Sorry for the noise. I'll come back to this if it happens again.
Comment 1 jiyan 2019-06-25 03:47:27 UTC 
According to the following info, cloned this bug:

commit 2900575db892700fab8a4b8541474d9bd3444a4a
Author: Christian Ehrhardt <christian.ehrhardt>
Date: Thu Apr 25 11:04:29 2019 +0200

qemu: do not define known no-op features

Qemu dropped cpu features for osxsave and ospke [1][2].
The reason for the instant removal is that those features were never
configurable as discussed in [3].

Fortunately the use cases adding those flags in the past are rare, but
they exist. One that I identified are e.g. older virt-install when used
with --cpu=host-model and there always could be the case of a user
adding it to the guest xml.

This triggers an issue like:
qemu-system-x86_64: can't apply global Broadwell-noTSX-x86_64-
cpu.osxsave=on: Property '.osxsave' not found

Ensure that this does no more break spawning newer qemu versions by
not rendering those features into the qemu command line.

Fixes: https://bugs.launchpad.net/fedora/+source/qemu/+bug/1825195
Comment 2 jiyan 2019-06-25 03:50:40 UTC 
Version:
kernel-4.18.0-83.el8.x86_64
qemu-kvm-4.0.0-0.module+el8.1.0+3169+3c501422.x86_64
libvirt-5.3.0-1.module+el8.1.0+3164+94495c71.x86_64

Info:
# lscpu |grep Flags
Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb cat_l3 cdp_l3 invpcid_single pti ssbd mba ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm cqm mpx rdt_a avx512f avx512dq rdseed adx smap clflushopt clwb intel_pt avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local dtherm ida arat pln pts pku ospke flush_l1d

# virsh domcapabilities |grep Ivy
      <model usable='yes'>IvyBridge-IBRS</model>
      <model usable='yes'>IvyBridge</model>

# virsh domstate test
shut off

# virsh dumpxml test |grep "<cpu" -A4
  <cpu mode='custom' match='exact' check='partial'>
    <model fallback='allow'>IvyBridge-IBRS</model>
    <feature policy='disable' name='osxsave'/>
  </cpu>

# virsh start test
error: Failed to start domain test
error: internal error: process exited while connecting to monitor: 2019-06-25T03:48:52.835394Z qemu-kvm: can't apply global IvyBridge-IBRS-x86_64-cpu.osxsave=off: Property '.osxsave' not found

# virsh domstate test
shut off

# virsh dumpxml test |grep "<cpu" -A4
  <cpu mode='custom' match='exact' check='partial'>
    <model fallback='allow'>IvyBridge-IBRS</model>
    <feature policy='disable' name='ospke'/>
  </cpu>

# virsh start test
error: Failed to start domain test
error: internal error: process exited while connecting to monitor: 2019-06-25T03:49:13.931562Z qemu-kvm: can't apply global IvyBridge-IBRS-x86_64-cpu.ospke=off: Property '.ospke' not found
Comment 3 Jiri Denemark 2019-07-01 11:34:57 UTC 
This is already fixed upstream by

commit 2900575db892700fab8a4b8541474d9bd3444a4a
Refs: v5.3.0-77-g2900575db8
Author:     Christian Ehrhardt <christian.ehrhardt>
AuthorDate: Thu Apr 25 11:04:29 2019 +0200
Commit:     Christian Ehrhardt <christian.ehrhardt>
CommitDate: Wed May 15 09:32:52 2019 +0200

    qemu: do not define known no-op features

    Qemu dropped cpu features for osxsave and ospke [1][2].
    The reason for the instant removal is that those features were never
    configurable as discussed in [3].

    Fortunately the use cases adding those flags in the past are rare, but
    they exist. One that I identified are e.g. older virt-install when used
    with --cpu=host-model and there always could be the case of a user
    adding it to the guest xml.

    This triggers an issue like:
      qemu-system-x86_64: can't apply global Broadwell-noTSX-x86_64-
      cpu.osxsave=on: Property '.osxsave' not found

    Ensure that this does no more break spawning newer qemu versions by
    not rendering those features into the qemu command line.

    Fixes: https://bugs.launchpad.net/fedora/+source/qemu/+bug/1825195
    Resolves: https://bugzilla.redhat.com/1644848

    [1]: https://git.qemu.org/?p=qemu.git;a=commit;h=f1a2352
    [2]: https://git.qemu.org/?p=qemu.git;a=commit;h=9ccb978
    [3]: https://www.mail-archive.com/qemu-devel@nongnu.org/msg561877.html

    Signed-off-by: Christian Ehrhardt <christian.ehrhardt>
    Reviewed-by: Daniel Henrique Barboza <danielhb413>
    Tested-by: Daniel Henrique Barboza <danielhb413>

and later updated with

commit b12865260a0f24ab86ddaf3547b2f2e2c595d429
Refs: v5.4.0-221-gb12865260a
Author:     Jiri Denemark <jdenemar>
AuthorDate: Thu Jun 6 14:39:52 2019 +0200
Commit:     Jiri Denemark <jdenemar>
CommitDate: Thu Jun 20 00:22:37 2019 +0200

    qemu: Drop qemuFeatureNoEffect

    We already have virQEMUCapsCPUFilterFeatures for filtering features
    which QEMU does not know about. Let's move osxsave and ospke from
    qemuFeatureNoEffect there.

    Signed-off-by: Jiri Denemark <jdenemar>
    Reviewed-by: Ján Tomko <jtomko>

commit 955fd6e7a2c8dc97e9e68d1bd9ba9d03c7d815b3
Refs: v5.4.0-222-g955fd6e7a2
Author:     Jiri Denemark <jdenemar>
AuthorDate: Thu Jun 6 12:33:43 2019 +0200
Commit:     Jiri Denemark <jdenemar>
CommitDate: Thu Jun 20 00:22:37 2019 +0200

    qemu_process: Drop cleanup label from qemuProcessUpdateGuestCPU

    Signed-off-by: Jiri Denemark <jdenemar>
    Reviewed-by: Ján Tomko <jtomko>

commit c145b660b8225f73db16660461077ef931730939
Refs: v5.4.0-223-gc145b660b8
Author:     Jiri Denemark <jdenemar>
AuthorDate: Fri Jun 7 14:07:10 2019 +0200
Commit:     Jiri Denemark <jdenemar>
CommitDate: Thu Jun 20 00:22:37 2019 +0200

    cpu_conf: Introduce virCPUDefFilterFeatures

    This new internal API can be used for in place filtering of CPU features
    in virCPUDef.

    Signed-off-by: Jiri Denemark <jdenemar>
    Reviewed-by: Ján Tomko <jtomko>

commit 0b763774a5e6eb87f109c86171631cebe012e2b3
Refs: v5.4.0-224-g0b763774a5
Author:     Jiri Denemark <jdenemar>
AuthorDate: Thu Jun 6 14:51:14 2019 +0200
Commit:     Jiri Denemark <jdenemar>
CommitDate: Thu Jun 20 00:22:37 2019 +0200

    qemu: Filter CPU features in active XML

    Properly filter features which should not be passed to QEMU because they
    were never supported by QEMU or they did nothing and QEMU dropped them.

    Currently they are just silently ignored by the command line generator.
    Let's make this process more visible and clean by dropping the features
    from the domain's active definition in qemuProcessUpdateGuestCPU.

    Signed-off-by: Jiri Denemark <jdenemar>
    Reviewed-by: Ján Tomko <jtomko>
Comment 5 jiyan 2019-07-09 01:55:27 UTC 
Hi jiri
I tried to verify this bug, and found the following issue:

Version:
libvirt-5.5.0-1.module+el8.1.0+3580+d7f6488d.x86_64
qemu-kvm-4.0.0-5.module+el8.1.0+3622+5812d9bf.x86_64
kernel-4.18.0-112.el8.x86_64

Steps:
The following scenario is tested in physical host which supports ospke flag.

# virsh domstate vm1
shut off

# virsh dumpxml vm1 |grep "<cpu" -A3
  <cpu mode='host-model' check='partial'>
    <model fallback='allow'/>
    <feature policy='disable' name='ospke'/>
  </cpu>

# virsh start vm1
Domain vm1 started

# virsh dumpxml vm1 |grep "<cpu" -A17
  <cpu mode='custom' match='exact' check='full'>
    <model fallback='forbid'>Cascadelake-Server</model>
    <vendor>Intel</vendor>
    <feature policy='require' name='ss'/>
    <feature policy='require' name='vmx'/>
    <feature policy='require' name='hypervisor'/>
    <feature policy='require' name='tsc_adjust'/>
    <feature policy='require' name='umip'/>
    <feature policy='require' name='pku'/>
    <feature policy='require' name='md-clear'/>
    <feature policy='require' name='stibp'/>
    <feature policy='require' name='arch-capabilities'/>
    <feature policy='require' name='xsaves'/>
    <feature policy='disable' name='mpx'/>
  </cpu>

# ps -ef |grep vm1
qemu      60266      1 86 21:44 ?        
-cpu Cascadelake-Server,ss=on,vmx=on,hypervisor=on,tsc_adjust=on,umip=on,pku=on,md-clear=on,stibp=on,arch-capabilities=on,xsaves=on 


# virsh console vm1
Connected to domain vm1
Escape character is ^]

Red Hat Enterprise Linux 8.1 Beta (Ootpa)
Kernel 4.18.0-107.el8.x86_64 on an x86_64

localhost login: root
Password: 
# lscpu |grep ospke
Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves arat umip pku ospke 

So my question is: 
Even through I configure ospke/oxsave for inactive dumpxml of VM, the related conf will disappear after VM starts. 
But this flag will be in guest OS, does that mean the related flags will be in guest OS when the physical host supports these two flags?
If not, How can I distinguish when the related flag will be in guest OS?
Comment 6 Jiri Denemark 2019-07-15 13:37:55 UTC 
The flag disappears from domain XML because QEMU does not support it to be
enabled or disabled on the command line. That is, there's no way to tell QEMU
to explicitly enable or disable ospke.

The QEMU commit which removed ospke flag says the following:

    OSPKE is not a static feature flag: it changes dynamically at
    runtime depending on CR4, and it was never configurable: KVM
    never returned OSPKE on GET_SUPPORTED_CPUID, and on TCG enables
    it automatically if CR4_PKE_MASK is set.

    Remove OSPKE from the feature name array so users don't try to
    configure it manually.

I think everything works as expected here.
Comment 7 jiyan 2019-07-16 06:30:08 UTC 
Verified this bug on libvirt-5.5.0-1.module+el8.1.0+3580+d7f6488d.x86_64.

Version:
libvirt-5.5.0-1.module+el8.1.0+3580+d7f6488d.x86_64
qemu-kvm-4.0.0-5.module+el8.1.0+3622+5812d9bf.x86_64
kernel-4.18.0-115.el8.x86_64

Steps:
1. Start a VM with the following conf; check dumpxml and qemu cmd line
# virsh domstate vm1
shut off

# virsh dumpxml vm1 --inactive |grep "<cpu" -A4
  <cpu mode='custom' match='exact' check='partial'>
    <model fallback='allow'>IvyBridge-IBRS</model>
    <feature policy='disable' name='osxsave'/>
    <feature policy='force' name='ospke'/>
  </cpu>

# virsh start vm1
Domain vm1 started

# virsh dumpxml vm1 |grep "<cpu" -A17
  <cpu mode='custom' match='exact' check='full'>
    <model fallback='forbid'>IvyBridge-IBRS</model>
    <feature policy='require' name='hypervisor'/>
    <feature policy='require' name='arat'/>
    <feature policy='require' name='xsaveopt'/>
  </cpu>

# ps -ef |grep vm1
qemu     40850     1 47 02:24 ?        
... -cpu IvyBridge-IBRS 

2. Managedsave VM and then start VM; then check VM dumpxml again
# virsh managedsave vm1
Domain vm1 state saved by libvirt

# virsh domstate vm1
shut off

# virsh dumpxml vm1 |grep "<cpu" -A3
  <cpu mode='custom' match='exact' check='partial'>
    <model fallback='allow'>IvyBridge-IBRS</model>
    <feature policy='disable' name='osxsave'/>
    <feature policy='force' name='ospke'/>
  </cpu>

# virsh start vm1
Domain vm1 started

# virsh dumpxml vm1 |grep "<cpu" -A17
  <cpu mode='custom' match='exact' check='full'>
    <model fallback='forbid'>IvyBridge-IBRS</model>
    <feature policy='require' name='hypervisor'/>
    <feature policy='require' name='arat'/>
    <feature policy='require' name='xsaveopt'/>
  </cpu>

# ps -ef |grep vm1
qemu     41150     1  5 02:26 ?        
...-cpu IvyBridge-IBRS,hypervisor=on,arat=on,xsaveopt=on

3. Create snapshot for VM and check snapshot-dumpxml
# virsh snapshot-create-as vm1 --disk-only 
Domain snapshot 1563258461 created

# virsh snapshot-list vm1
 Name         Creation Time               State
---------------------------------------------------------
 1563258461   2019-07-16 02:27:41 -0400   disk-snapshot

# virsh snapshot-dumpxml vm1 1563258461 |grep "<cpu" -A7
    <cpu mode='custom' match='exact' check='partial'>
      <model fallback='forbid'>IvyBridge-IBRS</model>
    </cpu>

As the test steps above shows, libvirt drops these 2 kinds of cpu features during starting VM, managedsaving VM and snapshot-creating.
The test result is as expected, move this bug to be verified.
Comment 9 errata-xmlrpc 2019-11-06 07:17:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3723