Bug 649523

Summary: bogus permissions on /var/lib/libvirt in libvirt spec file
Product: Red Hat Enterprise Linux 6
Reporter: Eric Blake <eblake>
Component: libvirt
Assignee: Eric Blake <eblake>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium
Priority: low
Version: 6.0
CC: berrange, clalance, crobinso, dallan, eblake, itamar, jdenemar, jforbes, laine, llim, mcermak, myllynen, plyons, vbian, veillard, virt-maint, xen-maint, yimwang, yoyzhang
Target Milestone: rc
Keywords: ZStream
Hardware: Unspecified
OS: Unspecified
Fixed In Version: libvirt-0.8.6-1.el6
Doc Type: Bug Fix
Doc Text: A specification file bug caused permissions on the /var/lib/libvirt directory to change when a system was upgraded. With this update, correct permissions are assigned to the aforementioned directory.
Clone Of: 649511
: 684798
Last Closed: 2011-05-19 13:23:35 UTC
Bug Blocks: 662045    

Description Eric Blake 2010-11-03 21:39:39 UTC
+++ This bug was initially created as a clone of Bug #649511 +++

Description of problem:
After using preupgrade to convert from F13 to F14, I could no longer start any VMs.  I tracked the problem to bad permissions on /var/lib/libvirt.

Version-Release number of selected component (if applicable):
libvirt-0.8.3-2.fc14.x86_64


How reproducible:
Haven't tried reproducing, but if you need me to, I could set up an F13 VM and re-run preupgrade to see if it repeats.


Steps to Reproduce:
1. preupgrade from f13 -> f14
2. virsh start vm-name
3. ls -ld /var/lib/libvirt
4. chmod 755 /var/lib/libvirt
5. virsh start vm-name 
  
Actual results:
1. upgrade appears to work fine
2. # virsh start fedora_12
error: Failed to start domain fedora_12
error: internal error Process exited while reading console log output: bind(unix:/var/lib/libvirt/qemu/fedora_12.monitor): Permission denied
chardev: opening backend "socket" failed
3. # ll -d /var/lib/libvirt/{,qemu}
drwx------. 9 root root 4096 Aug 23 15:32 /var/lib/libvirt/
drwx------. 4 qemu qemu 4096 Aug 23 15:32 /var/lib/libvirt/qemu
4. success
5. can start vm again


Expected results:
upgrading should not corrupt directory permissions

Additional info:
/var/lib/libvirt should be 0755, not 0700.  It might be a bug in the libvirt-0.8.3-2.fc14.x86_64 spec file that sets inappropriate permissions, and the preupgrade process favored the spec file permissions rather than the permissions that were previously in place in F13.

--- Additional comment from eblake on 2010-11-03 15:09:32 MDT ---

Hmm - I see this in upstream libvirt.spec.in, as well as in the libvirt.spec included in libvirt-0.8.3-2.fc14.srpm:

%dir %{_localstatedir}/lib/libvirt/

%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt

So it's definitely a spec-file bug, and traces back to commit 66823690e (v0.8.2~203).

--- Additional comment from eblake on 2010-11-03 15:26:51 MDT ---

Upstream patch posted:
https://www.redhat.com/archives/libvir-list/2010-November/msg00238.html

---
Although this specfile bug was not present in libvirt-0.8.1, it was back-ported into the spec file used to build libvirt-0.8.1-7.el6, and has remained there through libvirt-0.8.1-27.el6.

Comment 1 Eric Blake 2010-11-03 21:41:53 UTC
The upstream patch only touches libvirt.spec.in, and so it will automatically be picked up for RHEL 6.1 when we rebase to upstream 0.8.6 or newer.  But for the RHEL z-stream, it seems like this is an easy spec file fix to backport directly to libvirt.spec as soon as there is any other z-stream activity that warrants a release.

Comment 2 Eric Blake 2010-11-03 21:47:14 UTC
If we fail to fix the specfile, then it is possible for a z-stream update for any other reason to result in rpm downgrading the permissions of /var/lib/libvirt from 0755 to 0700 during the upgrade process.  Reduced permissions on this directory will then render it impossible for anyone running a VM as the qemu user to obtain access to any /var/lib/libvirt/*.monitor sockets.

Comment 3 Eric Blake 2010-11-08 15:03:04 UTC
I've reduced things to a minimal testcase that proves the problem can affect z-stream upgrades if the spec file is not patched:

# rpm -q libvirt{,-client}
libvirt-0.8.1-27.el6.x86_64
libvirt-client-0.8.1-27.el6.x86_64
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 7 root root 4096 Aug 18 06:07 /var/lib/libvirt/
# yum reinstall libvirt-client -y
...
# ls -ld /var/lib/libvirt/
drwx------. 7 root root 4096 Aug 18 06:07 /var/lib/libvirt/
# yum reinstall libvirt -y
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 7 root root 4096 Aug 18 06:07 /var/lib/libvirt/

Therefore, it is the libvirt-client package that has the broken permissions, and if libvirt-client is upgraded independently (or after) libvirt, then the problem is present.  In general, libvirt and libvirt-client bump versions simultaneously, and yum dependencies favor installing libvirt last, which is why we haven't run into the problem very many times in practice.
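
A spec-file lint for the condition Comment 3 isolates, added here as an illustration and not part of the bug report or the libvirt project: it flags any directory that more than one %files section declares with different attributes. The sample spec is constructed from the two %dir lines quoted in the description, with their assignment to sections assumed from Comment 3; `dir_claims` and `conflicting_dirs` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed spec fragment, not the real libvirt.spec: the two %dir lines quoted
# in the description, assigned to sections as Comment 3 implies (assumption).
SAMPLE_SPEC = """\
%files
%defattr(-, root, root)
%dir %{_localstatedir}/lib/libvirt/
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/images/

%files client
%defattr(-, root, root)
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt

%changelog
"""

ATTR_RE = re.compile(r"%attr\(\s*([^,\s]+)\s*,\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)")

def dir_claims(spec_text):
    """Map each %dir path to the (section, mode, user, group) claims made on it."""
    claims, section = defaultdict(list), None
    for raw in spec_text.splitlines():
        line = raw.strip()
        if line.startswith("%files"):
            # Bare "%files" is the main package, "%files client" a subpackage
            # (the -n and -f options are not handled here).
            words = line.split()
            section = words[1] if len(words) > 1 else "(main)"
        elif line.startswith("%changelog"):
            section = None
        elif section and line.startswith("%dir"):
            m = ATTR_RE.search(line)
            # No %attr means the entry inherits %defattr, recorded here as "-".
            attrs = m.groups() if m else ("-", "-", "-")
            path = line.split()[-1].rstrip("/")  # same directory with or without "/"
            claims[path].append((section, *attrs))
    return dict(claims)

def conflicting_dirs(spec_text):
    """Directories owned by several %files sections with differing attributes;
    whichever package is installed last then decides the on-disk mode."""
    return {path: c for path, c in dir_claims(spec_text).items()
            if len({x[0] for x in c}) > 1 and len({x[1:] for x in c}) > 1}

if __name__ == "__main__":
    for path, claims in conflicting_dirs(SAMPLE_SPEC).items():
        print(path, claims)
```

Run against a real spec file's text, an empty result means no directory is declared twice with differing attributes; it does not check what mode the build root actually gives an entry that inherits %defattr.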

Comment 4 Dave Allan 2010-11-09 02:34:53 UTC
*** Bug 634862 has been marked as a duplicate of this bug. ***

Comment 6 Daniel Berrangé 2010-11-12 16:36:50 UTC
*** Bug 627124 has been marked as a duplicate of this bug. ***

Comment 7 Jiri Denemark 2010-12-10 12:07:12 UTC
Fixed upstream by v0.8.5-60-gf970d80:

commit f970d802ab805f1a37af384f148f34e108714034
Author: Eric Blake <eblake>
Date:   Wed Nov 3 15:20:24 2010 -0600

    rpm: fix /var/lib/libvirt permissions

Comment 9 wangyimiao 2010-12-24 08:19:02 UTC
verified it PASSED on build :
libvirt-0.8.6-1.el6.x86_64
libvirt-client-0.8.6-1.el6.x86_64
qemu-kvm-0.12.1.2-2.128.el6.x86_64
qemu-img-0.12.1.2-2.128.el6.x86_64
kernel-2.6.32-93.el6.x86_64
Steps:
1.
# rpm -q libvirt{,-client}
libvirt-0.8.6-1.el6.x86_64
libvirt-client-0.8.6-1.el6.x86_64

2.Check "/var/lib/libvirt" permission
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 9 root root 4096 Dec 24 09:14 /var/lib/libvirt/

3.Reinstall "libvirt-client" package
# rpm -ivh --replacepkgs libvirt-client-0.8.6-1.el6.x86_64.rpm 

4.Check "/var/lib/libvirt" permission
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 9 root root 4096 Dec 23 15:36 /var/lib/libvirt/


5.Reinstall "libvirt-client" package again
# rpm -ivh --replacepkgs libvirt-client-0.8.6-1.el6.x86_64.rpm 

6.Check "/var/lib/libvirt" permission again.
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 9 root root 4096 Dec 23 15:36 /var/lib/libvirt/

Comment 11 Vivian Bian 2011-02-15 09:17:48 UTC
retested with 

libvirt-0.8.7-6.el6.x86_64
libvirt-client-0.8.7-6.el6.x86_64

Steps:
1.# rpm -q libvirt{,-client}
libvirt-0.8.7-6.el6.x86_64
libvirt-client-0.8.7-6.el6.x86_64


2.Check "/var/lib/libvirt" permission
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 9 root root 4096 Feb 12 00:35 /var/lib/libvirt/



3.Reinstall "libvirt-client" package
# rpm -ivh --replacepkgs libvirt-new/libvirt-client-0.8.7-6.el6.x86_64.rpm 
Preparing...                ########################################### [100%]
   1:libvirt-client         ########################################### [100%]


4.Check "/var/lib/libvirt" permission
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 9 root root 4096 Feb 12 00:35 /var/lib/libvirt/


5.Reinstall "libvirt-client" package again
# rpm -ivh --replacepkgs libvirt-new/libvirt-client-0.8.7-6.el6.x86_64.rpm 
Preparing...                ########################################### [100%]
   1:libvirt-client         ########################################### [100%]

6.Check "/var/lib/libvirt" permission again.
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 9 root root 4096 Feb 12 00:35 /var/lib/libvirt/

the permissions on /var/lib/libvirt are correct. So set bug status to VERIFIED

Comment 12 Martin Prpič 2011-04-15 14:22:18 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
A specification file bug caused permissions on the /var/lib/libvirt directory to change when upgrading a system. With this update, correct permissions are assigned to the aforementioned directory.

Comment 15 Laura Bailey 2011-05-04 05:12:46 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-A specification file bug caused permissions on the /var/lib/libvirt directory to change when upgrading a system. With this update, correct permissions are assigned to the aforementioned directory.+A specification file bug caused permissions on the /var/lib/libvirt directory to change when a system was upgraded. With this update, correct permissions are assigned to the aforementioned directory.
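
Review bot: the replacement sentence still says only that permissions "change when a system was upgraded" and that "correct permissions" are now assigned, which gives an administrator nothing to check against. Suggest naming the modes from the report (0755 expected, 0700 after the faulty install) and noting that reinstalling or updating libvirt-client on its own is enough to trigger the change, as the Comment 3 reproducer shows.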

Comment 16 errata-xmlrpc 2011-05-19 13:23:35 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0596.html