1409724 – [virtio-win][guest-agent] The file also can be created after executed guest-fsfreeze-freeze on win2008-32/64/r2 and win7-32

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1409724 - [virtio-win][guest-agent] The file also can be created after executed guest-fsfreeze-freeze on win2008-32/64/r2 and win7-32

Summary: [virtio-win][guest-agent] The file also can be created after executed guest-f...

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	virtio-win
Sub Component:
Version:	8.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Basil Salman
QA Contact:	xiagao
Docs Contact:
URL:
Whiteboard:
Depends On:	1682882
Blocks:	1473046 1558351
TreeView+	depends on / blocked

Reported:	2017-01-03 07:00 UTC by Peixiu Hou
Modified:	2021-07-10 13:59 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-06-23 06:08:35 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Peixiu Hou 2017-01-03 07:00:43 UTC

Description of problem:
Freeze guest fs via {"execute":"guest-fsfreeze-freeze" },then within 10 seconds, create a txt file on the guest through the cmd "cho foo > test.txt", it can be created successfully. 

Version-Release number of selected component (if applicable):
kernel-2.6.32-680.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.498.el6.x86_64
seabios-0.6.1.2-30.el6.x86_64
virtio-win-1.8.0-4

How reproducible:
100%

Steps to Reproduce:
1. Boot a guest with cli:
/usr/libexec/qemu-kvm \
-name win2008-32 \
-enable-kvm -m 3G -smp 4 -cpu SandyBridge -uuid ea78071a-f6e4-4347-8077-9cb9f7959e83 \
-nodefconfig --nodefaults -boot order=cd,menu=on \
-global kvm-pit.lost_tick_policy=delay \
-device virtio-scsi-pci,id=scsi3,bus=pci.0 -drive file=win2008-32.raw,if=none,id=drive-scsi-disk0,format=raw,serial=mike_cao,cache=none -device scsi-hd,bus=scsi3.0,drive=drive-scsi-disk0,id=scsi-disk0 \
-device virtio-scsi-pci,id=scsi1 -drive file=/home/function_6.9/vioscsi/en_windows_server_2008_datacenter_enterprise_standard_sp2_x86_dvd_342333.iso,media=cdrom,id=cdrom,if=none -device scsi-disk,bus=scsi1.0,drive=cdrom,id=scsi1-0 \
-vnc 0.0.0.0:0 -vga cirrus -monitor stdio -qmp tcp:0:4445,server,nowait \
-drive file=/usr/share/virtio-win/virtio-win_x86.vfd,if=none,id=drive-fdc0-0-0,format=raw,cache=none -global isa-fdc.driveA=drive-fdc0-0-0 \
-netdev tap,id=tap1,script=/etc/qemu-ifup,downscript=/etc/qemu-ifdown -device e1000,netdev=tap1,id=nic1,mac=1a:59:0a:4b:5a:94 \
-cdrom /usr/share/virtio-win/virtio-win.iso \
-device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x7 -chardev socket,path=/tmp/qga.sock,server,nowait,id=qga0 -device virtserialport,bus=virtio-serial0.0,chardev=qga0,name=org.qemu.guest_agent.0

2. freeze guest fs:
{"execute":"guest-fsfreeze-freeze" }
{"return": 3}

3.Create a txt file immediately（Within 10 seconds）in the guest
In guest cmd, run "echo foo > test.txt"

Actual results:
The txt file created successfully

Expected results:
The creating file operation should be blocked. 

Additional info:
1. Tried with virtio-win-1.7.5 qemu-ga, reproduced this issue.
2. Tried on win2008-64, also reproduced this issue.
3. Tried on rhel7 host, also reproduced this issue.

Comment 2 Yvugenfi@redhat.com 2017-03-28 15:30:14 UTC

The file creation is postponed. This is expected behaviour. Do you expect file creation to fail?

Comment 6 lijin 2017-12-04 03:35:35 UTC

According to https://bugzilla.redhat.com/show_bug.cgi?id=1514382#c17, windows 2008 still hit this issue with mingw-qemu-ga-win v2.9.3.

So re-assign this bug.

Comment 7 xiagao 2018-06-05 06:48:43 UTC

Win7-32 also hit this issue with mingw-qemu-ga-win-7.5.0-2.el7ev.

Comment 8 Sameeh Jubran 2018-06-19 10:06:43 UTC

Are there any interesting events in the Event Viewer? any errors/warnings that happen while reproducing this issue?

There is no difference in qga code between the various versions of Windows, it the same code for all of the Windows OSes.

So I'd say that this is either: 

* caused by Windows.
* the disk is not actually frozen, in this case some error / indication should show up in the Event viewer.

Comment 9 Peixiu Hou 2018-06-21 03:31:43 UTC

Reproduced this issue with qemu-ga-win-7.5.0-2 on win2008-32.

While reproducing this issue, Event error 8194,VSS occurred. 
Check the Qemu Guest Agent VSS Provider service was started.

Error Details as follows:

Event 8194,VSS:

Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005. This is often caused by incorrect security settings in either the writer or requestor process. 

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {c6d73adf-c1f0-432a-990d-3ddb9a31d7c6}


+ System 

  - Provider 

   [ Name]  VSS 
 
  - EventID 8194 

   [ Qualifiers]  0 
 
   Level 2 
 
   Task 0 
 
   Keywords 0x80000000000000 
 
  - TimeCreated 

   [ SystemTime]  2018-06-20T15:11:30.000Z 
 
   EventRecordID 2384 
 
   Channel Application 
 
   Computer WIN-QB0S33TY3C7 
 
   Security 
 

- EventData 

   0x80070005 
   Operation: Gathering Writer Data Context: Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220} Writer Name: System Writer Writer Instance ID: {c6d73adf-c1f0-432a-990d-3ddb9a31d7c6} 
   2D20436F64653A20575254575254494330303030313038382D2043616C6C3A20575254575254494330303030313035362D205049443A202030303030313139322D205449443A202030303030333034342D20434D443A2020433A5C57696E646F77735C73797374656D33325C737663686F73742E657865202D6B204E6574776F726B53657276696365202020202020202D20557365723A204E5420415554484F524954595C4E4554574F524B2053455256494345202020202D205369643A2020532D312D352D3230 


--------------------------------------------------------------------------------

Binary data:


In Words

0000: 6F43202D 203A6564 57545257 43495452 
0008: 30303030 38383031 6143202D 203A6C6C 
0010: 57545257 43495452 30303030 36353031 
0018: 4950202D 20203A44 30303030 32393131 
0020: 4954202D 20203A44 30303030 34343033 
0028: 4D43202D 20203A44 575C3A43 6F646E69 
0030: 735C7377 65747379 5C32336D 68637673 
0038: 2E74736F 20657865 4E206B2D 6F777465 
0040: 65536B72 63697672 20202065 20202020 
0048: 7355202D 203A7265 4120544E 4F485455 
0050: 59544952 54454E5C 4B524F57 52455320 
0058: 45434956 20202020 6953202D 20203A64 
0060: 2D312D53 30322D35   


In Bytes

0000: 2D 20 43 6F 64 65 3A 20   - Code: 
0008: 57 52 54 57 52 54 49 43   WRTWRTIC
0010: 30 30 30 30 31 30 38 38   00001088
0018: 2D 20 43 61 6C 6C 3A 20   - Call: 
0020: 57 52 54 57 52 54 49 43   WRTWRTIC
0028: 30 30 30 30 31 30 35 36   00001056
0030: 2D 20 50 49 44 3A 20 20   - PID:  
0038: 30 30 30 30 31 31 39 32   00001192
0040: 2D 20 54 49 44 3A 20 20   - TID:  
0048: 30 30 30 30 33 30 34 34   00003044
0050: 2D 20 43 4D 44 3A 20 20   - CMD:  
0058: 43 3A 5C 57 69 6E 64 6F   C:\Windo
0060: 77 73 5C 73 79 73 74 65   ws\syste
0068: 6D 33 32 5C 73 76 63 68   m32\svch
0070: 6F 73 74 2E 65 78 65 20   ost.exe 
0078: 2D 6B 20 4E 65 74 77 6F   -k Netwo
0080: 72 6B 53 65 72 76 69 63   rkServic
0088: 65 20 20 20 20 20 20 20   e       
0090: 2D 20 55 73 65 72 3A 20   - User: 
0098: 4E 54 20 41 55 54 48 4F   NT AUTHO
00a0: 52 49 54 59 5C 4E 45 54   RITY\NET
00a8: 57 4F 52 4B 20 53 45 52   WORK SER
00b0: 56 49 43 45 20 20 20 20   VICE    
00b8: 2D 20 53 69 64 3A 20 20   - Sid:  
00c0: 53 2D 31 2D 35 2D 32 30   S-1-5-20

Comment 11 Bishara AbuHattoum 2019-05-16 13:14:47 UTC

I have managed to prevent this event by fixing some kind of a security issue.
I don't think it is related to the bug presented here, because after fixing the VSS event 8194, got the same behavior as before.

Steps to fix VSS event 8194:
1. Start | Run | dcomcnfg. This brings up the Component Services application.
2. On the left pane navigate to Component Services | Computer | MyComputer.
3. Right click on MyComputer and select properties.
4. Select the COM Security tab and select the Edit Default button under Access Permissions.
5. Use the Add... button to add the "Network Service" account to the permission list.
6. Verify that ONLY the Local Access box is checked and click OK.
7. Close Component Services.
8. A reboot is then required to make the requested changes to COM Security.


(In reply to Peixiu Hou from comment #9)
> Reproduced this issue with qemu-ga-win-7.5.0-2 on win2008-32.
> 
> While reproducing this issue, Event error 8194,VSS occurred. 
> Check the Qemu Guest Agent VSS Provider service was started.
> 
> Error Details as follows:
> 
> Event 8194,VSS:
> 
> Volume Shadow Copy Service error: Unexpected error querying for the
> IVssWriterCallback interface.  hr = 0x80070005. This is often caused by
> incorrect security settings in either the writer or requestor process. 
> 
> Operation:
>    Gathering Writer Data
> 
> Context:
>    Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
>    Writer Name: System Writer
>    Writer Instance ID: {c6d73adf-c1f0-432a-990d-3ddb9a31d7c6}
> 
> 
> + System 
> 
>   - Provider 
> 
>    [ Name]  VSS 
>  
>   - EventID 8194 
> 
>    [ Qualifiers]  0 
>  
>    Level 2 
>  
>    Task 0 
>  
>    Keywords 0x80000000000000 
>  
>   - TimeCreated 
> 
>    [ SystemTime]  2018-06-20T15:11:30.000Z 
>  
>    EventRecordID 2384 
>  
>    Channel Application 
>  
>    Computer WIN-QB0S33TY3C7 
>  
>    Security 
>  
> 
> - EventData 
> 
>    0x80070005 
>    Operation: Gathering Writer Data Context: Writer Class Id:
> {e8132975-6f93-4464-a53e-1050253ae220} Writer Name: System Writer Writer
> Instance ID: {c6d73adf-c1f0-432a-990d-3ddb9a31d7c6} 
>   
> 2D20436F64653A20575254575254494330303030313038382D2043616C6C3A205752545752544
> 94330303030313035362D205049443A202030303030313139322D205449443A20203030303033
> 3034342D20434D443A2020433A5C57696E646F77735C73797374656D33325C737663686F73742
> E657865202D6B204E6574776F726B53657276696365202020202020202D20557365723A204E54
> 20415554484F524954595C4E4554574F524B2053455256494345202020202D205369643A20205
> 32D312D352D3230 
> 
> 
> -----------------------------------------------------------------------------
> ---
> 
> Binary data:
> 
> 
> In Words
> 
> 0000: 6F43202D 203A6564 57545257 43495452 
> 0008: 30303030 38383031 6143202D 203A6C6C 
> 0010: 57545257 43495452 30303030 36353031 
> 0018: 4950202D 20203A44 30303030 32393131 
> 0020: 4954202D 20203A44 30303030 34343033 
> 0028: 4D43202D 20203A44 575C3A43 6F646E69 
> 0030: 735C7377 65747379 5C32336D 68637673 
> 0038: 2E74736F 20657865 4E206B2D 6F777465 
> 0040: 65536B72 63697672 20202065 20202020 
> 0048: 7355202D 203A7265 4120544E 4F485455 
> 0050: 59544952 54454E5C 4B524F57 52455320 
> 0058: 45434956 20202020 6953202D 20203A64 
> 0060: 2D312D53 30322D35   
> 
> 
> In Bytes
> 
> 0000: 2D 20 43 6F 64 65 3A 20   - Code: 
> 0008: 57 52 54 57 52 54 49 43   WRTWRTIC
> 0010: 30 30 30 30 31 30 38 38   00001088
> 0018: 2D 20 43 61 6C 6C 3A 20   - Call: 
> 0020: 57 52 54 57 52 54 49 43   WRTWRTIC
> 0028: 30 30 30 30 31 30 35 36   00001056
> 0030: 2D 20 50 49 44 3A 20 20   - PID:  
> 0038: 30 30 30 30 31 31 39 32   00001192
> 0040: 2D 20 54 49 44 3A 20 20   - TID:  
> 0048: 30 30 30 30 33 30 34 34   00003044
> 0050: 2D 20 43 4D 44 3A 20 20   - CMD:  
> 0058: 43 3A 5C 57 69 6E 64 6F   C:\Windo
> 0060: 77 73 5C 73 79 73 74 65   ws\syste
> 0068: 6D 33 32 5C 73 76 63 68   m32\svch
> 0070: 6F 73 74 2E 65 78 65 20   ost.exe 
> 0078: 2D 6B 20 4E 65 74 77 6F   -k Netwo
> 0080: 72 6B 53 65 72 76 69 63   rkServic
> 0088: 65 20 20 20 20 20 20 20   e       
> 0090: 2D 20 55 73 65 72 3A 20   - User: 
> 0098: 4E 54 20 41 55 54 48 4F   NT AUTHO
> 00a0: 52 49 54 59 5C 4E 45 54   RITY\NET
> 00a8: 57 4F 52 4B 20 53 45 52   WORK SER
> 00b0: 56 49 43 45 20 20 20 20   VICE    
> 00b8: 2D 20 53 69 64 3A 20 20   - Sid:  
> 00c0: 53 2D 31 2D 35 2D 32 30   S-1-5-20

Comment 12 Peixiu Hou 2019-05-20 05:44:58 UTC

(In reply to Bishara AbuHattoum from comment #11)
> I have managed to prevent this event by fixing some kind of a security issue.
> I don't think it is related to the bug presented here, because after fixing
> the VSS event 8194, got the same behavior as before.
> 
> Steps to fix VSS event 8194:
> 1. Start | Run | dcomcnfg. This brings up the Component Services application.
> 2. On the left pane navigate to Component Services | Computer | MyComputer.
> 3. Right click on MyComputer and select properties.
> 4. Select the COM Security tab and select the Edit Default button under
> Access Permissions.
> 5. Use the Add... button to add the "Network Service" account to the
> permission list.
> 6. Verify that ONLY the Local Access box is checked and click OK.
> 7. Close Component Services.
> 8. A reboot is then required to make the requested changes to COM Security.
> 
> 
Hi Bishara,

I tried to reproduce this on win7-32 guest on rhel8.0.1 host, not hit event 8194, but also reproduced this issue.
And I found Event 12298 and 8 when the issue reproduced, details as follows, hope helpful~

Event 12298:
=============================================================================================================================================================
Log Name:      Application
Source:        VSS
Date:          5/20/2019 1:23:42 AM
Event ID:      12298
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      WIN-L5SNM4L8HCT
Description:
Volume Shadow Copy Service error: The I/O writes cannot be held during the shadow copy creation period on volume \\?\Volume{5a5bc086-732b-11e9-b98e-806e6f6e6963}\. The volume index in the shadow copy set is 0. Error details: Open[0x00000000, The operation completed successfully.
], Flush[0x00000000, The operation completed successfully.
], Release[0x00000000, The operation completed successfully.
], OnRun[0x80042314, The shadow copy provider timed out while holding writes to the volume being shadow copied. This is probably due to excessive activity on the volume by an application or a system service. Try again later when activity on the volume is reduced.
]. 

Operation:
   Executing Asynchronous Operation

Context:
   Current State: DoSnapshotSet
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="VSS" />
    <EventID Qualifiers="0">12298</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2019-05-19T17:23:42.000000000Z" />
    <EventRecordID>1585</EventRecordID>
    <Channel>Application</Channel>
    <Computer>WIN-L5SNM4L8HCT</Computer>
    <Security />
  </System>
  <EventData>
    <Data>\\?\Volume{5a5bc086-732b-11e9-b98e-806e6f6e6963}\</Data>
    <Data>0</Data>
    <Data>0x00000000, The operation completed successfully.
</Data>
    <Data>0x00000000, The operation completed successfully.
</Data>
    <Data>0x00000000, The operation completed successfully.
</Data>
    <Data>0x80042314, The shadow copy provider timed out while holding writes to the volume being shadow copied. This is probably due to excessive activity on the volume by an application or a system service. Try again later when activity on the volume is reduced.
</Data>
    <Data>

Operation:
   Executing Asynchronous Operation

Context:
   Current State: DoSnapshotSet</Data>
    <Binary>2D20436F64653A20434F524C4F564C4330303030313330372D2043616C6C3A20434F524C4F564C4330303030313139372D205049443A202030303030333834342D205449443A202030303030303531362D20434D443A2020433A5C57696E646F77735C73797374656D33325C76737376632E6578652020202D20557365723A204E616D653A204E5420415554484F524954595C53595354454D2C205349443A532D312D352D313820</Binary>
  </EventData>
</Event>
================================================================================================================================================================

Event 8:
=====================================================================================================
Log Name:      System
Source:        volsnap
Date:          5/20/2019 1:22:52 AM
Event ID:      8
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      WIN-L5SNM4L8HCT
Description:
The flush and hold writes operation on volume C: timed out while waiting for a release writes command.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="volsnap" />
    <EventID Qualifiers="49158">8</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2019-05-19T17:22:52.921875000Z" />
    <EventRecordID>7808</EventRecordID>
    <Channel>System</Channel>
    <Computer>WIN-L5SNM4L8HCT</Computer>
    <Security />
  </System>
  <EventData>
    <Data>
    </Data>
    <Data>C:</Data>
    <Binary>000000000200300000000000080006C0000000000000000003000000000000000000000000000000</Binary>
  </EventData>
</Event>
======================================================================================================

Thanks~
Peixiu

Comment 14 xiagao 2019-11-18 06:28:23 UTC

Hit the same issue with mingw-qemu-ga-win-101.0.0-5.el7ev.

Comment 15 Basil Salman 2020-06-22 14:38:32 UTC

I tested it with windows 10 both 32-bit and 64 bit, Windows server 2019 and windows 8 32-bit and 64-bit
with mingw-qemu-ga-win-101.1.0-1.el7ev
i was unable to reproduce on any of the OSes above, i was still able to reproduce it with windows 7 32-bit 
As Windows 7 is EOL and this bug seems to be fixed on more recent Windows releases, this bug will not be fixed.

Note You need to log in before you can comment on or make changes to this bug.