Bug 1143832 - [graphical buffers]start guest failed when graphics defaultMode='secure', meanwhile add eight different channels mode='insecure'
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Pavel Hrdina
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 1143834
 
Reported: 2014-09-18 05:54 UTC by vivian zhang
Modified: 2016-11-15 01:48 UTC (History)
CC List: 8 users

Fixed In Version: libvirt-1.2.14-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1143834
Environment:
Last Closed: 2015-11-19 05:52:47 UTC
Target Upstream Version:
Embargoed:


Attachments:


Links
System                  ID              Private  Priority  Status        Summary                                 Last Updated
Red Hat Product Errata  RHBA-2015:2202  0        normal    SHIPPED_LIVE  libvirt bug fix and enhancement update  2015-11-19 08:17:58 UTC

Description vivian zhang 2014-09-18 05:54:20 UTC
Description of problem:
[graphical buffers] Starting a guest fails when graphics defaultMode='secure' is set and all eight different channels are added with mode='insecure'.

Version-Release number of selected component (if applicable):
libvirt-1.2.8-2.el7.x86_64
qemu-kvm-rhev-2.1.0-3.el7.x86_64
kernel-3.10.0-150.el7.x86_64


How reproducible:
100%

Steps to Reproduce:

1. Prepare a guest with the following content

# virsh dumpxml win7

<graphics type='spice' autoport='yes' listen='0.0.0.0' keymap='en-us' defaultMode='secure'>
      <listen type='address' address='0.0.0.0'/>
      <channel name='main' mode='insecure'/>
      <channel name='display' mode='insecure'/>
      <channel name='inputs' mode='insecure'/>
      <channel name='cursor' mode='insecure'/>
      <channel name='playback' mode='insecure'/>
      <channel name='record' mode='insecure'/>
      <channel name='smartcard' mode='insecure'/>
      <channel name='usbredir' mode='insecure'/>
    </graphics>
2. Configure the host with a TLS environment for the SPICE SSL connection and restart the libvirtd service.

3. Starting the guest fails; an error is reported:

# virsh start win7
error: Failed to start domain win7
error: internal error: process exited while connecting to monitor: 2014-09-18T05:18:28.616213Z qemu-kvm: spice: tried to setup tls-channel without specifying a TLS port

4. When any one of the channels is deleted and the guest is started again, it succeeds.

# virsh dumpxml win7

<graphics type='spice' autoport='yes' listen='0.0.0.0' keymap='en-us' defaultMode='secure'>
      <listen type='address' address='0.0.0.0'/>
      <channel name='main' mode='insecure'/>
      <channel name='inputs' mode='insecure'/>
      <channel name='cursor' mode='insecure'/>
      <channel name='playback' mode='insecure'/>
      <channel name='record' mode='insecure'/>
      <channel name='smartcard' mode='insecure'/>
      <channel name='usbredir' mode='insecure'/>
    </graphics>

# virsh start win7
Domain win7 started

5. The issue is also hit on RHEL 6.6.

Actual results:
When graphics defaultMode='secure' is configured and eight different channels are added with mode='insecure', starting the guest fails with an error.


Expected results:
When graphics defaultMode='secure' is configured and eight different channels are added with mode='insecure', starting the guest succeeds.

Additional info:
Reference from the libvirt documentation (libvirt.org) on defaultMode:
The defaultMode attribute sets the default channel security policy, valid values are secure, insecure and the default any (which is secure if possible, but falls back to insecure rather than erroring out if no secure path is available). "defaultMode" since 0.9.12.
When SPICE has both a normal and TLS secured TCP port configured, it can be desirable to restrict what channels can be run on each port. This is achieved by adding one or more <channel> elements inside the main <graphics> element and setting the mode attribute to either secure or insecure. Setting the mode attribute overrides the default value as set by the defaultMode attribute. (Note that specifying any as mode discards the entry as the channel would inherit the default mode anyways) Valid channel names include main, display, inputs, cursor, playback, record (all since 0.8.6); smartcard (since 0.8.8); and usbredir (since 0.9.12).

Comment 2 Pavel Hrdina 2015-02-27 14:38:18 UTC
Upstream patch proposed:

https://www.redhat.com/archives/libvir-list/2015-February/msg01215.html

Comment 3 Pavel Hrdina 2015-03-03 11:06:30 UTC
Upstream commit:

commit a16e5f0a91ee8654e37f1435d82ffb83aa617246
Author: Pavel Hrdina <phrdina>
Date:   Fri Feb 27 15:07:03 2015 +0100

    qemu: check defaultMode for spice graphics independently
    
    Instead of checking defaultMode for every channel that has no mode
    configured, test it only once outside of channel loop.  This fixes a bug
    that in case all possible channels are for example set to insecure, but
    defaultMode is set to secure, we wouldn't auto-generate TLS port.  This
    results in failure while starting a guest.
    
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1143832
    
    Signed-off-by: Pavel Hrdina <phrdina>
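
The port-allocation logic the commit message describes, and the defaultMode/channel inheritance rule quoted from the libvirt docs in the description, as an added example in Python. This is my own model of that logic, not libvirt's code: `needed_ports_buggy` consults defaultMode only while looping over channels that carry no explicit mode (so with all eight explicit it is never consulted and no TLS port is reserved), `needed_ports_fixed` evaluates defaultMode once outside the loop as the commit does, and `spice_args` lays out the -spice string in the shape comment 6 prints. The XML is the one from the description; the treatment of defaultMode='any' as reserving both ports, the simplified autoport numbering from 5900, and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

# The eight SPICE channel names libvirt accepts (from the libvirt docs quoted in the description).
SPICE_CHANNELS = ("main", "display", "inputs", "cursor",
                  "playback", "record", "smartcard", "usbredir")

# Sample input: the <graphics> element from the bug description.
BUG_XML = """<graphics type='spice' autoport='yes' listen='0.0.0.0' keymap='en-us' defaultMode='secure'>
  <listen type='address' address='0.0.0.0'/>
  <channel name='main' mode='insecure'/>
  <channel name='display' mode='insecure'/>
  <channel name='inputs' mode='insecure'/>
  <channel name='cursor' mode='insecure'/>
  <channel name='playback' mode='insecure'/>
  <channel name='record' mode='insecure'/>
  <channel name='smartcard' mode='insecure'/>
  <channel name='usbredir' mode='insecure'/>
</graphics>"""

def parse_graphics(xml_text):
    """Return (defaultMode, {channel: 'secure'|'insecure'}) for a SPICE <graphics> element.
    A <channel mode='any'> is dropped: per the docs it would only inherit defaultMode."""
    g = ET.fromstring(xml_text)
    if g.tag != "graphics" or g.get("type") != "spice":
        raise ValueError("not a SPICE <graphics> element")
    default_mode = g.get("defaultMode", "any")
    if default_mode not in ("any", "secure", "insecure"):
        raise ValueError(f"bad defaultMode {default_mode!r}")
    channels = {}
    for c in g.findall("channel"):
        name, mode = c.get("name"), c.get("mode", "any")
        if name not in SPICE_CHANNELS:
            raise ValueError(f"unknown channel {name!r}")
        if mode in ("secure", "insecure"):
            channels[name] = mode
    return default_mode, channels

def needed_ports_buggy(default_mode, channels):
    """Pre-fix allocation (model): defaultMode is consulted only for channels without an
    explicit mode, so when all eight are explicit it is never consulted at all."""
    need_port = need_tls = False
    for name in SPICE_CHANNELS:
        mode = channels.get(name, default_mode)   # unset channel inherits defaultMode
        if mode == "secure":
            need_tls = True
        elif mode == "insecure":
            need_port = True
        else:                                     # 'any': client may use either port (assumption)
            need_port = need_tls = True
    return need_port, need_tls

def needed_ports_fixed(default_mode, channels):
    """Post-fix allocation (model): decide from defaultMode once, outside the loop,
    then let explicit channel modes add to that."""
    need_port = default_mode in ("insecure", "any")
    need_tls = default_mode in ("secure", "any")
    for mode in channels.values():
        if mode == "secure":
            need_tls = True
        elif mode == "insecure":
            need_port = True
    return need_port, need_tls

def spice_args(default_mode, channels, port, tls_port):
    """Build the -spice option string handed to qemu (model of the layout comment 6 shows)."""
    parts = []
    if port is not None:
        parts.append(f"port={port}")
    if tls_port is not None:
        parts.append(f"tls-port={tls_port}")
    if default_mode == "secure":
        parts.append("tls-channel=default")
    elif default_mode == "insecure":
        parts.append("plaintext-channel=default")
    for name in SPICE_CHANNELS:
        if channels.get(name) == "secure":
            parts.append(f"tls-channel={name}")
        elif channels.get(name) == "insecure":
            parts.append(f"plaintext-channel={name}")
    return ",".join(parts)

def qemu_accepts(args):
    """qemu rejects any tls-channel= option when no tls-port= is present (the error in this bug)."""
    opts = args.split(",")
    wants_tls = any(o.startswith("tls-channel=") for o in opts)
    return not wants_tls or any(o.startswith("tls-port=") for o in opts)

def start_guest(xml_text, allocate):
    """Allocate ports with the given strategy and return the -spice string, or fail like virsh start."""
    default_mode, channels = parse_graphics(xml_text)
    need_port, need_tls = allocate(default_mode, channels)
    port = 5900 if need_port else None                    # autoport: consecutive from 5900 (simplified)
    tls_port = (5901 if need_port else 5900) if need_tls else None
    args = spice_args(default_mode, channels, port, tls_port)
    if not qemu_accepts(args):
        raise RuntimeError("spice: tried to setup tls-channel without specifying a TLS port")
    return args
```

Running `start_guest(BUG_XML, needed_ports_buggy)` raises the error from step 3 of the description, because `tls-channel=default` is emitted while no TLS port was reserved; dropping any one channel from the XML lets that channel inherit defaultMode and the old loop reserves the TLS port after all, which is why step 4 "works". `start_guest(BUG_XML, needed_ports_fixed)` yields `port=5900,tls-port=5901,...`, the same pair comment 6 reports from `virsh domdisplay`.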

Comment 6 vivian zhang 2015-05-26 10:13:33 UTC
I can reproduce this bug with build libvirt-1.2.8-16.el7.x86_64

Verified it with build libvirt-1.2.15-2.el7.x86_64

Steps:

1. Prepare a TLS environment for the SPICE connection and restart the libvirtd service.

2. Edit the guest XML:

# virsh edit vm1
...
<graphics type='spice' autoport='yes' listen='0.0.0.0' keymap='en-us' defaultMode='secure'>
      <listen type='address' address='0.0.0.0'/>
      <channel name='main' mode='insecure'/>
      <channel name='display' mode='insecure'/>
      <channel name='inputs' mode='insecure'/>
      <channel name='cursor' mode='insecure'/>
      <channel name='playback' mode='insecure'/>
      <channel name='record' mode='insecure'/>
      <channel name='smartcard' mode='insecure'/>
      <channel name='usbredir' mode='insecure'/>
    </graphics>
...

3. Start the guest; it succeeds.
# virsh start vm1
Domain vm1 started

4. # virsh domdisplay vm1
spice://localhost:5900?tls-port=5901

5. Check the qemu command line:
# ps aux |grep vm1
...
-spice port=5900,tls-port=5901,addr=0.0.0.0,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,tls-channel=default,plaintext-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=smartcard,plaintext-channel=usbredir
...


Move to VERIFIED.
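
A check on the qemu command line the verification prints, as an added example (my code, not libvirt's or qemu's). It parses a `-spice` option string and reports which channels actually run in plaintext, because the fix makes the guest start but leaves a configuration that is "secure" in name only: `tls-channel=default` is on the command line, yet every one of the eight channels has been pushed onto the plaintext port, and `disable-ticketing` (which libvirt emits when the `<graphics>` element carries no passwd) on `addr=0.0.0.0` means the console is reachable unauthenticated from any interface. The sample string is the one from step 5 above; the rule used when neither `tls-channel=default` nor `plaintext-channel=default` is present (client picks whichever port exists) and the function names are assumptions.

```python
# The eight SPICE channel names libvirt accepts (from the libvirt docs quoted in the description).
SPICE_CHANNELS = ("main", "display", "inputs", "cursor",
                  "playback", "record", "smartcard", "usbredir")

# Sample input: the -spice option string from the verification (comment 6).
VERIFIED_SPICE_ARG = (
    "port=5900,tls-port=5901,addr=0.0.0.0,disable-ticketing,"
    "x509-dir=/etc/pki/libvirt-spice,tls-channel=default,"
    "plaintext-channel=main,plaintext-channel=display,plaintext-channel=inputs,"
    "plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,"
    "plaintext-channel=smartcard,plaintext-channel=usbredir"
)

def parse_spice_opts(spice_arg):
    """Split a qemu -spice option string into (key, value) pairs. Bare flags such as
    disable-ticketing get the value True; repeated keys (tls-channel, plaintext-channel) are kept."""
    pairs = []
    for item in spice_arg.split(","):
        if not item:
            continue
        key, sep, value = item.partition("=")
        pairs.append((key, value if sep else True))
    return pairs

def effective_channel_modes(pairs):
    """Map each channel to 'tls', 'plaintext' or 'either' as qemu will serve it:
    tls-channel=default / plaintext-channel=default set the baseline, a named entry
    overrides it. With no default given, the client may use whichever port exists
    (assumption made here)."""
    keys = {k for k, _ in pairs}
    if "port" in keys and "tls-port" in keys:
        baseline = "either"
    elif "tls-port" in keys:
        baseline = "tls"
    else:
        baseline = "plaintext"
    explicit = {}
    for key, value in pairs:
        if key in ("tls-channel", "plaintext-channel"):
            mode = "tls" if key == "tls-channel" else "plaintext"
            if value == "default":
                baseline = mode
            else:
                explicit[value] = mode
    return {name: explicit.get(name, baseline) for name in SPICE_CHANNELS}

def audit_spice_cmdline(spice_arg):
    """Return (per-channel modes, list of findings) for a qemu -spice option string."""
    pairs = parse_spice_opts(spice_arg)
    opts = dict(pairs)            # channel keys collapse here; only the scalar flags are read from it
    modes = effective_channel_modes(pairs)
    findings = []
    not_tls = [n for n in SPICE_CHANNELS if modes[n] != "tls"]
    if not_tls:
        findings.append("channels not forced onto the TLS port: " + ", ".join(not_tls))
    if opts.get("disable-ticketing") is True:
        findings.append("disable-ticketing: any client that can reach the port gets the console")
    if opts.get("addr") in ("0.0.0.0", "::"):
        findings.append(f"addr={opts['addr']}: listening on all interfaces")
    return modes, findings

if __name__ == "__main__":
    modes, findings = audit_spice_cmdline(VERIFIED_SPICE_ARG)
    for name in SPICE_CHANNELS:
        print(f"{name:10s} {modes[name]}")
    for f in findings:
        print("WARN:", f)
```

On the string from step 5 every channel resolves to plaintext and all three findings fire; a configuration that keeps `tls-channel=default`, adds no `plaintext-channel=` entries, sets a passwd (so libvirt emits `password=` instead of `disable-ticketing`) and listens on a loopback or management address produces none.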

Comment 9 errata-xmlrpc 2015-11-19 05:52:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2202.html

