Red Hat Bugzilla – Bug 1368774
libvirt changes the guest xml on target host even if migration failed
Last modified: 2017-07-23 21:26:16 EDT
Description of problem: libvirt changes the guest xml on target host even if migration failed Version-Release number of selected component (if applicable): libvirt-2.0.0-5.el7.x86_64 qemu-kvm-rhev-2.6.0-21.el7.x86_64 How reproducible: 100% Steps to Reproduce: 1.set this in source host qemu.conf and restart libvirtd service: security_driver = "none" 2.set this in target host qemu.conf and restart libvirtd service: security_driver = "selinux" 3.start a guest without seclabel in source, check the live xml of guest : #virsh dumpxml rhel7.3 no seclabel 4. migrate to target with option(success): # virsh migrate rhel7.3 --live qemu+ssh://yafu-test/system --dname rhel73-2 --verbose --p2p --tunnelled 5.try to migrate this guest back to source(fail and cause this issue): # virsh migrate rhel73-2 --live qemu+ssh://test1/system --dname rhel7.3 error: unsupported configuration: Unable to find security driver for label selinux 6.then destroy target guest: # virsh destroy rhel73-2 Domain rhel73-2 destroyed 7.start guest on source host again: #virsh start rhel7.3 error: Failed to start domain rhel7.3 error: unsupported configuration: Unable to find security driver for model selinux 8.Check the xml of rhel7.3 on source host, seclabel was added: #virsh dumpxml rhel7.3 ... <seclabel type='dynamic' model='selinux' relabel='yes'/> ... Actual results: After step 5, libvirt changes the guest xml on target host. Expected results: libvirt should not change the guest xml on target host if migration failed.
I was able to reproduce this bug with current libvirt, but 7.2 works just fine :(
Patches sent upstream for review: https://www.redhat.com/archives/libvir-list/2016-September/msg00279.html
This is now fixed upstream by commit 66278d4bc38aecff6661c91ce9cd3fff26e54a91 Refs: v2.2.0-49-g66278d4 Author: Jiri Denemark <jdenemar@redhat.com> AuthorDate: Thu Sep 8 15:22:28 2016 +0200 Commit: Jiri Denemark <jdenemar@redhat.com> CommitDate: Thu Sep 8 22:25:22 2016 +0200 qemu: Remove stale transient def when migration fails If a migration of a domain which is already defined on the destination host failed early (before we tried to start QEMU), we would forget to remove the incoming transient definition. Later on when someone starts the domain on the destination host, we will use the stale incoming definition and the persistent definition will just be ignored. https://bugzilla.redhat.com/show_bug.cgi?id=1368774 Signed-off-by: Jiri Denemark <jdenemar@redhat.com> commit 97a87333a0ac8b6b33bf4c45a7b1a526caa554cb Refs: v2.2.0-48-g97a8733 Author: Jiri Denemark <jdenemar@redhat.com> AuthorDate: Thu Sep 8 15:16:58 2016 +0200 Commit: Jiri Denemark <jdenemar@redhat.com> CommitDate: Thu Sep 8 22:25:22 2016 +0200 Add helper for removing transient definition The code for replacing domain's transient definition with the persistent one is repeated in several places and we'll need to add one more. Let's make a nice helper for it. Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reproduced with libvirt-2.0.0-5.el7.x86_64. Steps are as comment 0. Verify pass with libvirt-2.0.0-9.el7.x86_64. 1.Set this in source host qemu.conf and restart libvirtd service: security_driver = "none" 2.Set this in target host qemu.conf and restart libvirtd service: security_driver = "selinux" 3.Start a guest without seclabel in source, check the live xml of guest : #virsh dumpxml rhel7.3 no seclabel 4.Migrate to target with option(success): #virsh migrate rhel7.3 --live qemu+ssh://yafu-test/system --verbose 5.Try to migrate this guest back to source(fail and cause this issue): # virsh migrate rhel7.3 --live qemu+ssh://test1/system --verbose error: unsupported configuration: Unable to find security driver for model selinux 6.Then destroy target guest: # virsh destroy rhel7.3 Domain rhel7.3 destroyed 7.Check the live xml of guest on source host, no seclabel added. #virsh dumpxml rhel7.3 no seclabel 8.Start guest on source host again: #virsh start rhel7.3 Domain mig1 started
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2577.html