RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1471225 - pessimistic taint for passthrough cdrom
Summary: pessimistic taint for passthrough cdrom
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.5
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: John Ferlan
QA Contact: lijuan men
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-07-14 17:59 UTC by Dr. David Alan Gilbert
Modified: 2018-04-10 10:54 UTC (History)
7 users (show)

Fixed In Version: libvirt-3.8.0-1.el7
Doc Type: No Doc Update
Doc Text:
undefined
Clone Of:
Environment:
Last Closed: 2018-04-10 10:52:40 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2018:0704 0 None None None 2018-04-10 10:54:52 UTC

Description Dr. David Alan Gilbert 2017-07-14 17:59:41 UTC 
Description of problem:
(I originally noticed this looking through a customers log on an unrelated issue, I don't think it's that important)
If you pass through an iSCSI block device as a cdrom to a guest libvirt marks the domain as tainted as passthrough CDROM.  I don't think that's intended, it's not unreasonable to have a cache of ISOs served by iSCSI like that, and doesn't have the pain of serving from a real CDROM drive with a lens covered in grime and fluff.

Version-Release number of selected component (if applicable):
libvirt-2.0.0-5.el7.x86_64

How reproducible:
100% 

Steps to Reproduce:
1. Setup an iSCSI server (see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Storage_Administration_Guide/ch24.html#target-setup-create-iscsi-target) and populate it with an ISO
2. Take a previously prepared VM created in virt-manager with a CDROM
3. Create a storage pool corresponding to the iSCSI target
4. Have a dig in /dev/disk/by-path to find the path to your device
5. go to the CDROM device in virt-manager and hit 'connect' and when prompted paste the /dev/disk/by-path/big-long-iscsi-name-lun-0  into the top box

Actual results:
seen in /var/log/libvirt/qemu/domainname.log:
Domain id=6 is tainted: cdrom-passthrough

Expected results:
No taint

Additional info:

    <disk type='block' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source dev='/dev/disk/by-path/ip-virtlab413:3260-iscsi-iqn.2017-07.413.dgilbert.redhat.com:999-lun-0'/>
      <target dev='hda' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
Comment 2 Jaroslav Suchanek 2017-09-04 14:37:51 UTC 
David, there is a bug 976387 where Paolo asked for tainting such domains. Maybe for iscsi it is just fine and domain should not be tainted. All in all, the log message is pretty harmless.
Comment 3 Dr. David Alan Gilbert 2017-09-05 09:12:05 UTC 
(In reply to Jaroslav Suchanek from comment #2)
> David, there is a bug 976387 where Paolo asked for tainting such domains.
> Maybe for iscsi it is just fine and domain should not be tainted. All in
> all, the log message is pretty harmless.

Right; I agree on tainting on host-cdrom, my only note is that the taint on iSCSI is probably unintended.
Comment 4 John Ferlan 2017-09-05 20:53:21 UTC 
Hmm, true and we already don't send the message on any 'file' cdrom path. The current check is only limiting on is the device a block device as would anything libvirt is presenting as a block device. In this case, iSCSI, but I would assume LVM and Disk partitions could conceivably fall into this category.  

All we check is:

   if (disk->device == VIR_DOMAIN_DISK_DEVICE_CDROM &&
        virStorageSourceGetActualType(disk->src) == VIR_STORAGE_TYPE_BLOCK &&
        disk->src->path)

I can add a check if the path is a "known" /dev/cdrom or /dev/sr0 (or anything that resolves to those) type check. But beyond that it gets a bit more complex than is probably worth it.

Anyway, posted the patch:

https://www.redhat.com/archives/libvir-list/2017-September/msg00103.html

It's really a simplistic check.  Maybe someone will suggest something fancier.
Comment 5 John Ferlan 2017-09-11 21:42:23 UTC 
After review, posted a v2 which handles things slightly differently, see:

https://www.redhat.com/archives/libvir-list/2017-September/msg00234.html

the patches there do work through the slight more complex logic, but there's also an option to just keep a much more simplistic check which essentially assumes that anyone not providing something that starts with "/dev/cdrom" or "/dev/sr" would then be providing a non physical device.  For extra credit, patches 2 and 3 will check the input path against the list of known cdrom devices on the host as determined by node device processing (just in case some other device by "/dev/XXN" path is used!
Comment 6 John Ferlan 2017-09-20 15:09:48 UTC 
Pushed the "basic" patch for dealing with this. Although the extra credit patches were posted, there's no need to push them.

commit 4f95d52abac049186f924fb11266403e53364aa0
Author: John Ferlan <jferlan>
Date:   Mon Sep 11 08:35:05 2017 -0400

    qemu: Be more selective when determining cdrom for taint messaging
    
...
    
    Commit id '99a2d6af2' was a bit too aggressive with determining whether
    the provided path was a "physical" cd-rom in order to generate a taint
    message due to the possibility of some guest and host trying to control
    the tray. For cd-rom guest devices backed to some VIR_STORAGE_TYPE_FILE
    storage, this wouldn't be a problem and as such it shouldn't be a problem
    for guest devices using some sort of block device on the host such as
    iSCSI, LVM, or a Disk pool would present.
    
    So before issuing a taint message, let's check if the provided path of
    the VIR_STORAGE_TYPE_BLOCK backed device is a "known" physical cdrom name
    by comparing the beginning of the path w/ "/dev/cdrom" and "/dev/sr".
    Also since it's possible the provided path could resolve to some /dev/srN
    device, let's get that path as well and perform the same check.
    
    Signed-off-by: John Ferlan <jferlan>

$ git describe 4f95d52abac049186f924fb11266403e53364aa0
v3.7.0-139-g4f95d52ab
$
Comment 7 John Ferlan 2017-09-21 14:33:45 UTC 
I am not quite sure what happened, but I noticed that the patch was missing from master... After checking various scrollbacks in my terminal screens, it seems even though I thought I had typed git push,  I hadn't so the commit id above was from my local branch.  Anyway, I just pushed for real this time...

Commit id ed2a741e483f65f2690e1c8aa340cd0c314ba34b

$ git describe ed2a741e483f65f2690e1c8aa340cd0c314ba34b
v3.7.0-153-ged2a741e4
$
Comment 13 errata-xmlrpc 2018-04-10 10:52:40 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0704
Note You need to log in before you can comment on or make changes to this bug.