Bug 1113860 - The guest will disappear after restart the libvirtd service while set seclabel type='static' model='none' relabel='yes'/> in guest's xml.
Summary: The guest will disappear after restart the libvirtd service while set seclabe...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.6
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Michal Privoznik
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 1113861
TreeView+ depends on / blocked
 
Reported: 2014-06-27 05:37 UTC by zhenfeng wang
Modified: 2014-10-14 04:22 UTC (History)
8 users (show)

Fixed In Version: libvirt-0.10.2-42.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1113861 (view as bug list)
Environment:
Last Closed: 2014-10-14 04:22:47 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1374 0 normal SHIPPED_LIVE libvirt bug fix and enhancement update 2014-10-14 08:11:54 UTC

Description zhenfeng wang 2014-06-27 05:37:15 UTC
Description of problem:
The guest will disappear after restart the libvirtd service while set seclabel type='static' model='none'  relabel='yes'/> in guest's xml.

Version-Release number of selected component (if applicable):
kernel-2.6.32-466.el6.x86_64
libvirt-0.10.2-39.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.426.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1.Prepare a shutoff guest
# virsh list --all
 Id    Name                           State
----------------------------------------------------
 -     rhel6                          shut off

2.Edit the guest, add the following content to the guest's xml
#virsh edit rhel6
--
<seclabel type='static' model='none'  relabel='yes'/>
--

#virsh dumpxml rhel6
  <seclabel type='static' relabel='yes'/>

3.Check the guest status
# virsh list --all
 Id    Name                           State
----------------------------------------------------
 -     rhel6                          shut off

4.Restart the libvirtd service
#service libvirtd restart

5.Re-check the guest status, the guest has disappeared

# virsh list --all
 Id    Name                           State
----------------------------------------------------

# 
6.Check the libvirtd's log
#cat /var/log/libvirt/libvirtd.log
2014-06-27 05:27:46.343+0000: 11623: info : libvirt version: 0.10.2, package: 39.el6 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2014-06-23-13:41:14, x86-022.build.eng.bos.redhat.com)
2014-06-27 05:27:46.343+0000: 11623: error : virSecurityLabelDefParseXML:3323 : XML error: security label is missing


7.The issue always happens no matter i set the security_driver='selinux' or security_driver='none' in qemu.conf

Actual result:
The guest will disappear after restart the libvirtd service while set seclabel type='static' model='none'  relabel='yes'/> in guest's xml.

Expect result:
The guest shouldn't disappear after restart the libvirtd service

Comment 2 Michal Privoznik 2014-07-09 12:59:06 UTC
Patch proposed upstream:

https://www.redhat.com/archives/libvir-list/2014-July/msg00488.html

Comment 3 Michal Privoznik 2014-07-10 14:05:48 UTC
Another attempt:

https://www.redhat.com/archives/libvir-list/2014-July/msg00526.html

Comment 4 Michal Privoznik 2014-07-14 09:15:41 UTC
I've just pushed patch upstream:

commit 99c8d2e8087135a57a54f205aabad8e911e53519
Author:     Michal Privoznik <mprivozn@redhat.com>
AuthorDate: Wed Jul 9 14:36:04 2014 +0200
Commit:     Michal Privoznik <mprivozn@redhat.com>
CommitDate: Mon Jul 14 11:10:09 2014 +0200

    conf: Always format seclabel's model
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1113860
    
    We've always done that. Well, until 990e46c45. Point is, if we don't
    format model, we may lose a domain on libvirtd restart. If the
    seclabel is implicit however, we should skip it's formatting.
    
    Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

v1.2.6-131-g99c8d2e

Comment 6 Jiri Denemark 2014-07-16 14:58:52 UTC
The backport was nacked as incomplete.

Comment 9 zhenfeng wang 2014-08-04 09:21:03 UTC
I can reproduce this bug with libvirt-0.10.2-41.el6.x86_64, the following was my verify steps with libvirt-0.10.2-42.el6.x86_64

scenario 1

1.Prepare a shutoff guest
# virsh list --all
 Id    Name                           State
----------------------------------------------------
 -     rhel6                          shut off

2.Edit the guest, add the following content to the guest's xml, after save the guest's xml we could see the following content in the guest's xml
#virsh edit rhel6
--
<seclabel type='static' model='none'  relabel='yes'/>
--

#virsh dumpxml rhel6
  <seclabel type='none' model='none'/>

3.Restart the libvirtd service
#service libvirtd restart

4.Check the guest status, the guest was still exsiting
# virsh list --all
 Id    Name                           State
----------------------------------------------------
 -     rhel6                          shut off

5.Start the guest, get the expect error
# virsh start rhel6
error: Failed to start domain rhel6
error: unsupported configuration: Unable to find security driver for label none

scenario 2

1.Edit the guest's xml, after save the guest's xml we could see the following content in the guest's xml
#virsh edit rhel6
--
<seclabel type='static' model='none'  relabel='no'/>

#virsh dumpxml rhel6
  <seclabel type='none' model='none'/>

2.Restart the libvirtd service
#service libvirtd restart

3.Check the guest status, the guest was still exsiting
# virsh list --all
 Id    Name                           State
----------------------------------------------------
 -     rhel6                          shut off
4.Start the guest, get the expect error
# virsh start rhel6
error: Failed to start domain rhel6
error: unsupported configuration: Unable to find security driver for label none

scenario 3
Set security_driver = none in qemu.conf
Edit the /etc/libvirt/qemu.conf
security_driver = none
#service libvirtd restart

Retest secnario 1~2, get the same result as the following
1.After edit the guest's xml, we could see the following content in the guest's xml
#virsh dumpxml rhel6
--
 <seclabel type='none' model='none'/>

2.Start the guest, the guest could start successfully
# virsh start rhel6
Domain rhel6 started

3.Do some operations with the guest, could get the expect result
# virsh save rhel6 /tmp/rhel6.save

Domain rhel6 saved to /tmp/rhel6.save

# virsh restore /tmp/rhel6.save 
Domain restored from /tmp/rhel6.save

According to the scenario 1~3, mark this bug verified

Comment 11 errata-xmlrpc 2014-10-14 04:22:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1374.html


Note You need to log in before you can comment on or make changes to this bug.