Bug 1248105 - USB passthrough doesn't work when qemu runs under non-root user
Status: CLOSED ERRATA
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: vdsm
high Severity urgent
: ovirt-3.6.0-rc3
: 3.6.0
Assigned To: Martin Polednik
Nisim Simsolo
: 1261075 (view as bug list)
Depends On:
Blocks: 1154205 1172230 1003572 1261075
Reported: 2015-07-29 11:29 EDT by Martin Polednik
Modified: 2016-03-09 14:43 EST

Doc Type: Bug Fix
Last Closed: 2016-03-09 14:43:19 EST
Type: Bug
oVirt Team: Virt


External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 44679 master MERGED hostdev: change ownership for passthrough USB devices Never
oVirt gerrit 46503 ovirt-3.6 MERGED supervdsm: remove unneeded version check Never
oVirt gerrit 46504 ovirt-3.6 MERGED supervdsm: remove guid from __udevReloadRules Never
oVirt gerrit 46505 ovirt-3.6 MERGED supervdsm: generalize udevTrigger method Never
oVirt gerrit 46506 ovirt-3.6 MERGED supervdsm: move udevadm methods to udevadm module Never
oVirt gerrit 46507 ovirt-3.6 MERGED supervdsm: rename appropriateDevice to appropriateMultipathDevice Never
oVirt gerrit 46508 ovirt-3.6 MERGED supervdsm: only trigger 'vfio' subsystem for VFIO devices Never
oVirt gerrit 46527 ovirt-3.6 MERGED hostdev: change ownership for passthrough USB devices Never
oVirt gerrit 46528 ovirt-3.6 MERGED hostdev: fix addressing Never

Description Martin Polednik 2015-07-29 11:29:15 EDT
Description of problem:
The USB passthrough via hostdev element doesn't work when qemu is set to run under non-root user (user = "qemu" in /etc/libvirt/qemu.conf). Example of used XML:

<hostdev managed="yes" mode="subsystem" type="usb">
        <source>
                <address bus="2" device="1"/>
        </source>
</hostdev>
<hostdev managed="yes" mode="subsystem" type="usb">
        <source>
                <address bus="3" device="1"/>
        </source>
</hostdev>

where the addresses point to USB mouse and USB mass storage device. None of the devices are visible in guest's lsusb when the process runs under the "qemu" user, both of them are visible when running under root.

Version-Release number of selected component (if applicable):
libvirt-1.2.17-2.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Change qemu to run under "qemu" user,
2. attach USB device via hostdev element to the domain,
3. start the domain.

Actual results:
USB device is missing in the guest

Expected results:
USB device is visible and usable in guest

Additional info:
Works as expected under root user.
Comment 2 Ján Tomko 2015-07-30 05:19:39 EDT
It works for me with:
selinux-policy-3.13.1-34.el7.noarch
libvirt-daemon-1.2.17-2.el7.x86_64
qemu-kvm-rhev-2.3.0-13.el7.x86_64

Is there anything useful in the machine log in /var/log/libvirt/qemu/?
Does it work with SELinux in permissive mode?
If SELinux is enforcing, is virt_use_usb set?
# getsebool virt_use_usb
virt_use_usb --> on

Can you attach the whole domain XML and the part of audit.log related to domain startup?
Comment 3 Martin Polednik 2015-07-30 08:16:17 EDT
After further investigation, the issue is caused by dynamic_ownership=0 in /etc/libvirt/qemu.conf. 

Using dynamic_ownership=1 does work as expected.
Comment 4 Michal Skrivanek 2015-07-30 11:09:10 EDT
(In reply to Martin Polednik from comment #3)
> After further investigation, the issue is caused by dynamic_ownership=0 in
> /etc/libvirt/qemu.conf. 
> 
> Using dynamic_ownership=1 does work as expected.

That is explicitly disabled by vdsm. Don't remember why. Dan?
Comment 5 Dan Kenigsberg 2015-07-31 07:26:33 EDT
With dynamic_ownership=1 libvirtd (running as root) attempted to chown NFS-mounted images. This fails on rootsquash NFS mounts.

I see in bug 810241 that libvirt's semantics have been refined a bit since then, so it may be that this is no longer needed for that.

There might have been other reasons for dynamic_ownership=0, but neither I nor git nor bugzilla remember them. It has been introduced long ago (bug 554961) and has been like that in oVirt ever since. A change to 1 requires proper regression check of file/block storage.
Comment 6 Pei Zhang 2015-08-05 00:07:02 EDT
I can reproduce it.

version:
libvirt-1.2.17-3.el7.x86_64

reproduce steps :

1.change user in qemu.conf
user = "qemu"
group = "qemu"
dynamic_ownership = 0

2. add user qemu
#useradd qemu -g qemu

3.prepare a guest with OS 

4.prepare two usb devices on host :

# lsusb

Bus 001 Device 003: ID 0781:5567 SanDisk Corp. Cruzer Blade
Bus 002 Device 009: ID 1005:b113 Apacer Technology, Inc. Handy Steno/AH123 / Handy Steno 2.0/HT203

check usb device ownership:

# ls /dev/bus/usb/001/003 -alZ
crw-rw-r--. root root system_u:object_r:usb_device_t:s0 /dev/bus/usb/001/003

# ls /dev/bus/usb/002/009 -alZ
crw-rw-r--. root root system_u:object_r:usb_device_t:s0 /dev/bus/usb/002/009

5. attach usb devices to guest
# cat usb2.xml 
<hostdev mode='subsystem' type='usb' managed='yes'>
<source>
<address bus='1' device='3'/> 
</source>
<boot order='4'/>
</hostdev>
# virsh attach-device usb usb2.xml 
Device attached successfully 

# cat usb3.xml 
<hostdev mode='subsystem' type='usb' managed='yes'>
<source>
<vendor id='0x1005'/>
<product id='0xb113'/>
</source>
</hostdev>

# virsh attach-device usb usb3.xml 
Device attached successfully

# virsh dumpxml usb |grep hostdev -A 9
    <hostdev mode='subsystem' type='usb' managed='yes'>
      <source>
        <address bus='1' device='3'/>
      </source>
      <alias name='hostdev0'/>
    </hostdev>
    <hostdev mode='subsystem' type='usb' managed='yes'>
      <source>
        <vendor id='0x1005'/>
        <product id='0xb113'/>
        <address bus='2' device='9'/>
      </source>
      <alias name='hostdev1'/>
    </hostdev>

6.login into guest to check :
#lsusb 
CANNOT find usb devices .

7.check the ownership again :

# ls /dev/bus/usb/001/003 -alZ
crw-rw-r--. root root system_u:object_r:svirt_image_t:s0:c179,c596 /dev/bus/usb/001/003
[root@184pzhang usb]# ls /dev/bus/usb/002/009 -alZ
crw-rw-r--. root root system_u:object_r:svirt_image_t:s0:c179,c596 /dev/bus/usb/002/009


additional info :

1> If I change the ownership of usb devices, it will be OK

# chown qemu:qemu /dev/bus/usb/002/009
# ls /dev/bus/usb/002/009 -alZ
crw-rw-r--. qemu qemu system_u:object_r:usb_device_t:s0 /dev/bus/usb/002/009

# virsh attach-device usb usb2.xml 
Device attached successfully

login guest use lsusb to check , 
#lsusb 
The usb device could be found in guest .

2>If I set dynamic_ownership = 1

Then I attach the usb device to guest and start the guest :

# virsh dumpxml usb | grep hostdev -A 9
    <hostdev mode='subsystem' type='usb' managed='yes'>
      <source>
        <address bus='1' device='3'/>
      </source>
      <alias name='hostdev0'/>
    </hostdev>

# ls /dev/bus/usb/001/003 -alZ
crw-rw-r--. qemu qemu system_u:object_r:svirt_image_t:s0:c363,c560 /dev/bus/usb/001/003

login guest to check 
#lsusb 

usb device can be found in guest.
Comment 7 Ján Tomko 2015-08-05 08:26:59 EDT
With dynamic_ownership disabled, libvirt obviously does not change the ownership of the device.
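
The failure in comments 6 and 7 is a plain ownership problem: with dynamic_ownership = 0 the node stays root:root with mode crw-rw-r--, which gives a non-root emulator user no write access. The Python check below is an added example, not vdsm or libvirt code; it resolves the address-based USB hostdev entries of a domain XML to their /dev/bus/usb nodes and reports whether a given uid can open them. Assumptions: the emulator needs read and write access, bus and device are decimal, only owner/group/mode are checked (not the SELinux label), and the function names and sample XML are constructed for illustration.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample: the two <hostdev> forms from the report in a minimal domain.
SAMPLE_XML = """<domain><devices>
<hostdev mode='subsystem' type='usb' managed='yes'>
  <source><address bus='1' device='3'/></source>
</hostdev>
<hostdev mode='subsystem' type='usb' managed='yes'>
  <source><vendor id='0x1005'/><product id='0xb113'/></source>
</hostdev>
</devices></domain>"""

def usb_nodes(domain_xml):
    """Return /dev/bus/usb/BBB/DDD for each USB hostdev that carries an address."""
    nodes = []
    for hostdev in ET.fromstring(domain_xml).iter("hostdev"):
        addr = hostdev.find("source/address")
        # vendor/product-only entries have no address until libvirt resolves them
        if hostdev.get("type") == "usb" and addr is not None:
            nodes.append("/dev/bus/usb/%03d/%03d"
                         % (int(addr.get("bus")), int(addr.get("device"))))
    return nodes

def dac_allows_rw(st, uid, gids):
    """Owner/group/other read+write check, as applied to a non-root uid."""
    if uid == st.st_uid:
        need = stat.S_IRUSR | stat.S_IWUSR
    elif st.st_gid in gids:
        need = stat.S_IRGRP | stat.S_IWGRP
    else:
        need = stat.S_IROTH | stat.S_IWOTH
    return st.st_mode & need == need

def audit(domain_xml, uid, gids, stat_fn=os.stat):
    """Map each device node to True/False (accessible) or None (node missing)."""
    result = {}
    for node in usb_nodes(domain_xml):
        try:
            result[node] = dac_allows_rw(stat_fn(node), uid, gids)
        except FileNotFoundError:
            result[node] = None
    return result

if __name__ == "__main__":
    import pwd
    qemu = pwd.getpwnam("qemu")  # assumption: emulator user is "qemu", as in the report
    print(audit(SAMPLE_XML, qemu.pw_uid, os.getgrouplist("qemu", qemu.pw_gid)))
```

A False result corresponds to the root:root listing in step 4 of comment 6, and True to the state after the manual chown qemu:qemu shown there.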
Comment 8 Michal Skrivanek 2015-09-17 05:08:34 EDT
*** Bug 1261075 has been marked as a duplicate of this bug. ***
Comment 10 Nisim Simsolo 2015-10-15 08:41:08 EDT
Fixed.
Verification scenario:
1. attach USB keyboard and mouse to VFIO VM and verify devices functionality.
2. Attach USB live image to VM and install VM.

Verification version:
rhevm-3.6.0.1-0.1.el6
sanlock-3.2.4-1.el7.x86_64
vdsm-4.17.9-1.el7ev.noarch
qemu-kvm-rhev-2.3.0-31.el7.x86_64
libvirt-client-1.2.17-5.el7.x86_64
Comment 12 errata-xmlrpc 2016-03-09 14:43:19 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0362.html
