Bug 1894409

Summary: let domain without cpu pinning run without the need of CAP_SYS_NICE [rhel-8.3.0.z]
Product: Red Hat Enterprise Linux Advanced Virtualization Reporter: Oneata Mircea Teodor <toneata>
Component: libvirtAssignee: Martin Kletzander <mkletzan>
Status: CLOSED ERRATA QA Contact: Luyao Huang <lhuang>
Severity: high Docs Contact:
Priority: unspecified    
Version: 8.1CC: berrange, chhu, danken, ddepaula, fdeutsch, jdenemar, jsuchane, lhuang, lmen, mkletzan, mprivozn, virt-maint, vromanso, xuzhang, yalzhang, ymankad
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: 8.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: libvirt-6.6.0-7.1.el8 Doc Type: Bug Fix
Doc Text:
Cause: Original fix for this BZ (possibility of running with restricted CPU set and UID 0 and starting a domain without having the CAP_SYSNICE capability) did not account for the logic needed in order to set affinity with larger amount of CPUs. Consequence: That resulted in freeing a resource twice in case of pinning to a CPU without CAP_SYS_NICE capability resulting in a segfault and crash of the daemon. Fix: The logic was slightly reworked to avoid these cases. Result: Users and management applications can now restrict libvirt daemon operating CPU set, run it without CAP_SYS_NICE and safely start domains without a crash.
 Story Points: ---
Clone Of: 1819801 Environment:
Last Closed: 2020-12-02 16:07:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1819801    
Bug Blocks:    

Comment 7 Luyao Huang 2020-11-26 07:33:28 UTC 
Verify this bug with libvirt-daemon-6.6.0-7.1.module+el8.3.0+8852+b44fca9f.x86_64:

S1: Start guest without vcpupin and emulatorpin in a unprivileged env

0. prepare special env:

# useradd -u 33 -g 0 libvirt
# chown libvirt:root /run/libvirt/qemu/

1. disable cpuset cgroup and manualy start libvirtd:

# vim /etc/libvirt/qemu.conf

cgroup_controllers = ["devices", "memory", "blkio" ]
stdio_handler = "file"

# /usr/sbin/libvirtd

2. there is no vcpupin and emulatorpin in guest xml

3. use gdb to make a similar env:

# gdb -p `pidof libvirtd`

(gdb) b virProcessSetAffinity

4. start guest 
# virsh start vm1
(blocking)

5. in gdb terminal change libvirtd permission when set cpu Affinity:
(gdb) c
(gdb) c
(gdb) handle SIG33 nostop
Signal        Stop	Print	Pass to program	Description
SIG33         No	Yes	Yes		Real-time event 33
(gdb) call (int)setuid(33)
$1 = 0
(gdb) c

6. guest start without error like "cannot set CPU affinity on process X: Operation not permitted":

# virsh start vm1
Domain vm1 started

7. check libvirtd debug log, can find debug log like "cannot set CPU affinity on process 28649: Operation not permitted":

2020-11-26 06:25:59.701+0000: 28520: debug : virProcessSetAffinity:447 : Set process affinity on 28649
2020-11-26 06:25:59.701+0000: 28520: debug : virProcessSetAffinity:486 : cannot set CPU affinity on process 28649: Operation not permitted
2020-11-26 06:25:59.701+0000: 28520: debug : virProcessSetScheduler:1483 : pid=28649, policy=0, priority=0
2020-11-26 06:25:59.701+0000: 28520: debug : virFileClose:135 : Closed fd 36
2020-11-26 06:26:03.871+0000: 28520: debug : virProcessSetAffinity:447 : Set process affinity on 28650
2020-11-26 06:26:03.871+0000: 28520: debug : virProcessSetAffinity:486 : cannot set CPU affinity on process 28650: Operation not permitted


S2: Start guest with vcpupin in a unprivileged env

0. prepare special env:

# useradd -u 33 -g 0 libvirt
# chown libvirt:root /run/libvirt/qemu/

1. disable cpuset cgroup and manualy start libvirtd:

# vim /etc/libvirt/qemu.conf

cgroup_controllers = ["devices", "memory", "blkio" ]
stdio_handler = "file"

# /usr/sbin/libvirtd

2. set vcpupin to vcpu 0

# virsh vcpupin vm1 0 1-20 --config

3. use gdb to make a similar env:

# gdb -p `pidof libvirtd`

(gdb) b virProcessSetAffinity

4. start guest 
# virsh start vm1
(blocking)

5. in gdb terminal change libvirtd permission when set cpu Affinity:
(gdb) c
(gdb) c
(gdb) handle SIG33 nostop
Signal        Stop	Print	Pass to program	Description
SIG33         No	Yes	Yes		Real-time event 33
(gdb) call (int)setuid(33)
$1 = 0
(gdb) c

6. guest should failed to start since there is vcpupin setting in guest config:

# virsh start vm1
error: Failed to start domain vm1
error: cannot set CPU affinity on process 30112: Operation not permitted


Also test with emulatorpin and cpuset, get the same expected results.
Comment 9 errata-xmlrpc 2020-12-02 16:07:50 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (virt:8.3 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5328