Bug 1612721 - Starting VM with 'host' smartcard raise wrong error in qemu cmd line info
Summary: Starting VM with 'host' smartcard raise wrong error in qemu cmd line info
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.6
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: Markus Armbruster
QA Contact: Michael
URL:
Whiteboard:
Depends On:
Blocks: 1708726 1708728
Reported: 2018-08-06 07:21 UTC by jiyan
Modified: 2019-07-22 20:29 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1708726 1708728 (view as bug list)
Environment:
Last Closed: 2019-07-22 20:29:36 UTC
Target Upstream Version:
Embargoed:



Description jiyan 2018-08-06 07:21:35 UTC
Description:
Starting VM with 'host' smartcard raises wrong error in qemu cmd line info

How reproducible:
100%

Version:
libvirt-4.5.0-6.el7.x86_64
qemu-kvm-rhev-2.12.0-9.el7.x86_64
kernel-3.10.0-931.el7.x86_64

Steps:
1. Start VM with 'host' smartcard
# virsh domstate new
shut off

# virsh dumpxml new |grep "<smartcard" -A3
    <smartcard mode='host'>
      <address type='ccid' controller='0' slot='0'/>
    </smartcard>

# virsh start new
error: Failed to start domain new
error: internal error: process exited while connecting to monitor: n,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny -msg timestamp=on
2018-08-06T03:36:28.370897Z qemu-kvm: -device ccid-card-emulated,backend=nss-emulated,id=smartcard0,bus=ccid0.0: Parameter 'driver' expects pluggable device type

2. Start VM with "passthrough" smartcard (without real device plugged in)
# virsh domstate new
shut off

# virsh dumpxml new |grep "<smartcard" -A5
    <smartcard mode='passthrough' type='tcp'>
      <source mode='bind' host='127.0.0.1' service='2001'/>
      <protocol type='raw'/>
      <address type='ccid' controller='0' slot='0'/>
    </smartcard>

# virsh start new
Domain new started

# ps -ef |grep new |sed 's/-device/\n-device/g'
-chardev socket,id=charsmartcard0,host=127.0.0.1,port=2001,server,nowait 
-device ccid-card-passthru,chardev=charsmartcard0,id=smartcard0,bus=ccid0.0

Actual result:
As step-1 shows

Expected result:
In step-1, if this device is emulated, then libvirtd should not expect a real device, or the qemu cmd line should show "-device ccid-card-passthru"

Additional info:

Comment 2 Chris Venteicher 2018-10-05 14:22:24 UTC
jiyan's problem description shows the use of ccid-card-emulated in the qemu command line in response to smartcard mode "host" passed to libvirt to indicate host Network Security Services (NSS) should be used.

Apparently ccid-card-emulated / "host" / NSS has been disabled in RHEL QEMU per https://bugzilla.redhat.com/show_bug.cgi?id=1368077

Here is the key line in the problem description showing ccid-card-emulated passed to QEMU:

2018-08-06T03:36:28.370897Z qemu-kvm: -device ccid-card-emulated,backend=nss-emulated,id=smartcard0,bus=ccid0.0: Parameter 'driver' expects pluggable device type

Seems likely ccid-card-emulated would need to be re-supported in RHEL at QEMU level or below to avoid error condition.

Comment 4 Ján Tomko 2019-01-18 13:53:47 UTC
The device shows up in the output of "qom-list-types" even though it's disabled so libvirt thinks it's supported.

Comment 5 Ademar Reis 2019-01-18 17:10:04 UTC
(In reply to Ján Tomko from comment #4)
> The device shows up in the output of "qom-list-types" even though it's
> disabled so libvirt thinks it's supported.

Comment 6 Li Xiaohui 2019-01-23 03:15:42 UTC
Hi all,
In qemu-kvm-rhev-2.12.0-20.el7.x86_64 & kernel-3.10.0-957.el7.x86_64, boot rhel7.6 guest with qemu command, reproduce this bug:

1.boot guest with commands:
...
-usb \
-chardev socket,id=charsmartcard0,host=127.0.0.1,port=2001,server,nowait \
-usb \
-device usb-ccid,id=ccid0 \
-device ccid-card-emulated,backend=nss-emulated,id=smartcard0,bus=ccid0.0 \
...

2.guest boot failed:
qemu-kvm: -device ccid-card-emulated,backend=nss-emulated,id=smartcard0,bus=ccid0.0: Parameter 'driver' expects pluggable device type

3. Boot a guest without step 1 commands, guest boots successfully, and get "ccid-card-emulated" from qmp "qom-list-types":
{"execute":"qom-list-types"}
..
{"name": "ccid-card-emulated", "parent": "ccid-card"}
...


Regards,
Li Xiaohui

Comment 7 Markus Armbruster 2019-01-28 09:52:09 UTC
Re comment #4:
> The device shows up in the output of "qom-list-types" even though it's
> disabled so libvirt thinks it's supported.

Presence in qom-list-types implies the device model exists.  It doesn't imply it's available with -device / device_add.  As far as I can tell, the only ways to find out the latter are -device help (present means it's available) and HMP info qdm (flag no-user absent means available).

Asking for a proper QMP interface would be a fair feature request.
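
The distinction drawn in comment 7, as an added example that is not part of the original thread nor QEMU or libvirt code: it compares the device models a qom-list-types probe reports with those `-device help` lists, and returns the ones that are listed but not usable with -device. Both inputs are constructed, trimmed samples, and the function names are hypothetical.

```python
import json
import re

# Constructed sample: trimmed QMP reply to {"execute": "qom-list-types"}.
QOM_REPLY = json.loads("""{"return": [
  {"name": "device", "parent": "object", "abstract": true},
  {"name": "usb-device", "parent": "device", "abstract": true},
  {"name": "usb-ccid", "parent": "usb-device"},
  {"name": "ccid-card", "parent": "device", "abstract": true},
  {"name": "ccid-card-emulated", "parent": "ccid-card"},
  {"name": "ccid-card-passthru", "parent": "ccid-card"},
  {"name": "rng-random", "parent": "rng-backend"}
]}""")

# Constructed sample: trimmed output of `qemu-kvm -device help`.
DEVICE_HELP = '''USB devices:
name "usb-ccid", bus usb-bus, desc "CCID Rev 1.1 smartcard reader"
Input devices:
name "ccid-card-passthru", bus ccid-bus, desc "passthrough smartcard"
'''

def qom_device_models(reply):
    """Concrete QOM types whose parent chain reaches "device"."""
    types = {t["name"]: t for t in reply["return"]}

    def is_device(name):
        seen = set()  # guards against a malformed, cyclic parent chain
        while name in types and name not in seen:
            if name == "device":
                return True
            seen.add(name)
            name = types[name].get("parent")
        return False

    return {n for n, t in types.items()
            if not t.get("abstract") and is_device(n)}

def user_creatable(help_text):
    """Device models that `-device help` lists, i.e. usable with -device."""
    return set(re.findall(r'^name "([^"]+)"', help_text, flags=re.M))

def listed_but_unavailable(reply, help_text):
    """Models a qom-list-types probe sees but -device would reject."""
    return sorted(qom_device_models(reply) - user_creatable(help_text))

if __name__ == "__main__":
    print(listed_but_unavailable(QOM_REPLY, DEVICE_HELP))
```

A non-empty result marks device models that a management layer relying only on qom-list-types would wrongly treat as supported.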

Comment 8 Markus Armbruster 2019-01-28 09:53:23 UTC
May I have your exact QEMU command line both for step 1 and step 2?  Should be in your libvirt logs.

Comment 9 jiyan 2019-01-30 03:26:55 UTC
Step-1: 
2019-01-30 03:22:39.362+0000: 20917: debug : virCommandRunAsync:2476 : About to run LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin QEMU_AUDIO_DRV=none /usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-2-avocado-vt-vm1/master-key.aes -machine pc-i440fx-rhel7.6.0,accel=kvm,usb=off,dump-guest-core=off -cpu Haswell-noTSX-IBRS -m 1024 -realtime mlock=off -smp 1,maxcpus=4,sockets=4,cores=1,threads=1 -uuid 7f604926-faf0-40c8-9ab3-dc1f2ec93da5 -no-user-config -nodefaults -chardev socket,id=charmonitor,fd=27,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=delay -no-hpet -no-shutdown -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x4.0x7 -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,multifunction=on,addr=0x4 -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0x4.0x1 -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0x4.0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -device usb-ccid,id=ccid0,bus=usb.0,port=2 -drive file=/var/lib/avocado/data/avocado-vt/images/jeos-27-x86_64.qcow2,format=qcow2,if=none,id=drive-virtio-disk0 -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,fd=29,id=hostnet0,vhost=on,vhostfd=30 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:ce:46:7d,bus=pci.0,addr=0x3 

-device ccid-card-emulated,backend=nss-emulated,id=smartcard0,bus=ccid0.0 

-chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev socket,id=charchannel0,fd=31,server,nowait -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=org.qemu.guest_agent.0 -device usb-tablet,id=input0,bus=usb.0,port=1 -vnc 127.0.0.1:0 -device cirrus-vga,id=video0,bus=pci.0,addr=0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7 -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny -msg timestamp=on


Step-2:
2019-01-30 03:24:40.119+0000: 20914: debug : virCommandRunAsync:2476 : About to run LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin QEMU_AUDIO_DRV=none /usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-3-avocado-vt-vm1/master-key.aes -machine pc-i440fx-rhel7.6.0,accel=kvm,usb=off,dump-guest-core=off -cpu Haswell-noTSX-IBRS -m 1024 -realtime mlock=off -smp 1,maxcpus=4,sockets=4,cores=1,threads=1 -uuid 7f604926-faf0-40c8-9ab3-dc1f2ec93da5 -no-user-config -nodefaults -chardev socket,id=charmonitor,fd=27,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=delay -no-hpet -no-shutdown -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x4.0x7 -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,multifunction=on,addr=0x4 -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0x4.0x1 -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0x4.0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -device usb-ccid,id=ccid0,bus=usb.0,port=2 -drive file=/var/lib/avocado/data/avocado-vt/images/jeos-27-x86_64.qcow2,format=qcow2,if=none,id=drive-virtio-disk0 -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,fd=29,id=hostnet0,vhost=on,vhostfd=30 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:ce:46:7d,bus=pci.0,addr=0x3 

-chardev socket,id=charsmartcard0,host=127.0.0.1,port=2001,server,nowait -device ccid-card-passthru,chardev=charsmartcard0,id=smartcard0,bus=ccid0.0 

-chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev socket,id=charchannel0,fd=31,server,nowait -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=org.qemu.guest_agent.0 -device usb-tablet,id=input0,bus=usb.0,port=1 -vnc 127.0.0.1:0 -device cirrus-vga,id=video0,bus=pci.0,addr=0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7 -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny -msg timestamp=on

Comment 10 Markus Armbruster 2019-01-31 07:37:44 UTC
This bug is about the error reported for -device ccid-card-emulated,... in comment#0 step 1:

    qemu-kvm: -device ccid-card-emulated,backend=nss-emulated,id=smartcard0,bus=ccid0.0: Parameter 'driver' expects pluggable device type

qemu-kvm reports this error because its ccid-card-emulated device model is not available with -device.  We made it unavailable there in downstream commit 9746c405955 "Enable/disable devices for RHEL 7".

The best way to disable a device model for downstream is to remove it completely from the build.  Sometimes, that's deemed too invasive, and we instead make it unavailable at the external interface.  That's what we did here.  Drawback: the device model is still listed by QMP command qom-list-types.

On closer look, removing the device model from the build is actually not particularly invasive.  Doing so would drop it from output of qom-list-types, and change the error message to

    qemu-kvm: -device ccid-card-emulated,backend=nss-emulated,id=smartcard0,bus=ccid0.0: 'ccid-card-emulated' is not a valid device model name

Whether this error message change is much of an improvement may be debatable.  The more interesting question is whether the qom-list-types change materially improves behavior at the libvirt level.

Comment 13 Markus Armbruster 2019-02-04 06:10:32 UTC
Luyao Huang graciously tested a scratch build of qemu-kvm that has the device model removed rather than made unavailable.  The virsh error message improves to

    # virsh start vm1
    error: Failed to start domain vm1
    error: unsupported configuration: this QEMU binary lacks smartcard host mode support

Thanks!

Next step: figure out whether this is limited to <smartcard mode='host'>, or a more general issue.

Comment 14 Markus Armbruster 2019-03-13 13:34:14 UTC
We disable several devices the same way.  In theory, any of them could lead to confusion.  In practice,
ccid-card-emulated is the only case where we deceive libvirt's probe.

