Bug 1969354

Summary: Failed to start ovmf guest for the second time
Product: Red Hat Enterprise Linux 9
Component: libvirt
Version: 9.0
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Reporter: Meina Li <meili>
Assignee: Michal Privoznik <mprivozn>
QA Contact: Meina Li <meili>
CC: jdenemar, jsuchane, juzhou, tzheng, virt-bugs, virt-maint, xuzhang, yafu
Target Milestone: beta
Keywords: Automation, Regression, Upstream
Hardware: Unspecified
OS: Unspecified
Fixed In Version: libvirt-7.5.0-1.el9
Clone Of: 1969347
Last Closed: 2021-12-07 21:57:54 UTC
Type: Bug
Target Upstream Version: 7.5.0
Bug Depends On: 1969347

Description Meina Li 2021-06-08 09:49:16 UTC
+++ This bug was initially created as a clone of Bug #1969347 +++

Description of problem:
Failed to start ovmf guest for the second time

Version-Release number of selected component (if applicable):
libvirt-7.4.0-1.el9.x86_64
qemu-kvm-6.0.0-3.el9.x86_64

How reproducible:
100%

1. Start an ovmf guest with the following xml:
...

  <os>
    <type arch='x86_64' machine='pc-q35-rhel8.4.0'>hvm</type>
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/avocado-vt-vm1_VARS.fd</nvram>
    <boot dev='hd'/>
  </os>
...
# virsh start avocado-vt-vm1 
Domain 'avocado-vt-vm1' started
# getfattr -n trusted.libvirt.security.ref_selinux /var/lib/libvirt/qemu/nvram/avocado-vt-vm1_VARS.fd
getfattr: Removing leading '/' from absolute path names
# file: var/lib/libvirt/qemu/nvram/avocado-vt-vm1_VARS.fd
trusted.libvirt.security.ref_selinux="2"

2. Destroy the guest and start again.
# virsh destroy avocado-vt-vm1 
Domain 'avocado-vt-vm1' destroyed
# getfattr -n trusted.libvirt.security.ref_selinux /var/lib/libvirt/qemu/nvram/avocado-vt-vm1_VARS.fd
getfattr: Removing leading '/' from absolute path names
# file: var/lib/libvirt/qemu/nvram/avocado-vt-vm1_VARS.fd
trusted.libvirt.security.ref_selinux="1"

# virsh start avocado-vt-vm1 
error: Failed to start domain 'avocado-vt-vm1'
error: Requested operation is not valid: Setting different SELinux label on /var/lib/libvirt/qemu/nvram/avocado-vt-vm1_VARS.fd which is already in use
# getfattr -n trusted.libvirt.security.ref_selinux /var/lib/libvirt/qemu/nvram/avocado-vt-vm1_VARS.fd
getfattr: Removing leading '/' from absolute path names
# file: var/lib/libvirt/qemu/nvram/avocado-vt-vm1_VARS.fd
trusted.libvirt.security.ref_selinux="1"

Actual results:
Can't start the guest for the second time

Expected results:
Can start the guest

Additional info:

Comment 1 Michal Privoznik 2021-06-09 15:20:47 UTC
Patch posted upstream:

https://listman.redhat.com/archives/libvir-list/2021-June/msg00249.html

Comment 2 Michal Privoznik 2021-06-17 10:33:03 UTC
Merged upstream:

fb1289c155 qemu: Don't set NVRAM label when creating it

v7.4.0-191-gfb1289c155

Comment 5 Meina Li 2021-06-30 09:26:26 UTC
Verified: test on:
libvirt-7.0.0-4.fc34.x86_64
qemu-kvm-5.2.0-8.fc34.x86_64

Comment 9 Meina Li 2021-07-21 03:08:21 UTC
Verified Version:
libvirt-7.5.0-1.el9.x86_64
qemu-kvm-6.0.0-9.el9.x86_64

Verified Steps:
1. Start an ovmf guest with the following os xml and rhel9 image:
...
  <os>
    <type arch='x86_64' machine='pc-q35-rhel8.5.0'>hvm</type>
    <loader readonly='yes' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>
    <nvram template='/usr/share/edk2/ovmf/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/lmn_VARS.fd</nvram>
    <boot dev='hd'/>
  </os>
...
# virsh start lmn
Domain 'lmn' started
# virsh console lmn
Connected to domain 'lmn'
Escape character is ^] (Ctrl + ])

localhost login: root
Password: 
[root@localhost ~]# 

2. Destroy the guest and start the guest again.
# virsh destroy lmn
Domain 'lmn' destroyed
# virsh start lmn
Domain 'lmn' started

3. Check the boot of the guest.
# virsh console lmn
Connected to domain 'lmn'
Escape character is ^] (Ctrl + ])

localhost login: root
Password: 
[root@localhost ~]# 

4. Start a guest with the following os xml and an enrolled image
...
  <os firmware='efi'>
    <type arch='x86_64' machine='pc-q35-rhel8.5.0'>hvm</type>
    <boot dev='hd'/>
  </os>
...
# rm -rf /var/lib/libvirt/qemu/nvram/lmn_VARS.fd
# virsh start lmn
Domain 'lmn' started
# virsh console lmn
Connected to domain 'lmn'
Escape character is ^] (Ctrl + ])

localhost login: root
Password: 
[root@localhost ~]# 

5. Repeat steps 2-3.

All the test results are expected.
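
An added check (not part of the bug report and not libvirt code) that reads `getfattr` output like that shown in the description and flags a `trusted.libvirt.security.ref_selinux` counter left behind once no running domain uses the NVRAM file. It assumes one reference per running domain that uses the file; `ref_count`, `classify` and `check_nvram` are hypothetical helper names, and the two sample outputs are constructed from the description's output.

```shell
#!/bin/sh
# Added example: classify the SELinux label reference counter libvirt keeps
# in an extended attribute on a domain's NVRAM file.
XATTR='trusted.libvirt.security.ref_selinux'

# Read `getfattr -n $XATTR <file>` output on stdin and print the counter.
# Prints 0 when the attribute is absent (no name="value" line in the output).
ref_count() {
    sed -n "s/^${XATTR}=\"\([0-9][0-9]*\)\"\$/\1/p" |
        { read -r n || n=0; echo "${n:-0}"; }
}

# classify <running_users> <count>
#   running_users: number of running domains that reference the file
#   count:         value printed by ref_count
# Assumption: a correct libvirt holds one reference per running user.
classify() {
    users=$1
    count=$2
    if [ "$count" -eq 0 ]; then
        echo clean          # no reference recorded
    elif [ "$users" -eq 0 ]; then
        echo leaked         # counter survived the last user: state before the failing start
    elif [ "$count" -gt "$users" ]; then
        echo overcounted    # more references than users: destroy will leave one behind
    else
        echo in-use
    fi
}

# Live wrapper: check_nvram <file> <running_users>
# Needs root (trusted.* namespace) and the getfattr tool.
check_nvram() {
    classify "$2" "$(getfattr -n "$XATTR" "$1" 2>/dev/null | ref_count)"
}

# Sample inputs constructed from the output in the description.
AFTER_START='# file: var/lib/libvirt/qemu/nvram/avocado-vt-vm1_VARS.fd
trusted.libvirt.security.ref_selinux="2"'
AFTER_DESTROY='# file: var/lib/libvirt/qemu/nvram/avocado-vt-vm1_VARS.fd
trusted.libvirt.security.ref_selinux="1"'

echo "after start:   $(classify 1 "$(printf '%s\n' "$AFTER_START" | ref_count)")"
echo "after destroy: $(classify 0 "$(printf '%s\n' "$AFTER_DESTROY" | ref_count)")"
```

On a host, `check_nvram /var/lib/libvirt/qemu/nvram/avocado-vt-vm1_VARS.fd 0` run after `virsh destroy` reports `leaked` on the affected version.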