Description of problem:
Wrong Error info raised when hot-plugging disk with relabel='no' seclabel element

Version-Release number of selected component (if applicable):
libvirt-4.10.0-1.module+el8+2317+367e35b5.x86_64
kernel-4.18.0-57.el8.x86_64
qemu-kvm-3.1.0-1.module+el8+2538+1516be75.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Prepare a running VM and the following 2 XML files

# virsh domstate fast1
running

# ll -alZ /var/lib/libvirt/images/RHEL-8.0-x86_64-latest.qcow2
-rw-r--r--. 1 root root unconfined_u:object_r:virt_image_t:s0 1847656448 Dec 21 12:22 /var/lib/libvirt/images/RHEL-8.0-x86_64-latest.qcow2

# virsh dumpxml fast1
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_t:s0:c67,c829</label>
    <imagelabel>system_u:object_r:svirt_image_t:s0:c67,c829</imagelabel>
  </seclabel>
  <seclabel type='dynamic' model='dac' relabel='yes'>
    <label>+107:+107</label>
    <imagelabel>+107:+107</imagelabel>
  </seclabel>

# cat disk2.xml
<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2' cache='none'/>
  <source file='/var/lib/libvirt/images/RHEL-8.0-x86_64-latest.qcow2'>
    <seclabel model='selinux' relabel='no'/>
  </source>
  <backingStore/>
  <target dev='vdb' bus='virtio'/>
  <alias name='ua-c5acafc3-c193-4e51-ab08-6ebc03bf9e90'/>
  <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
</disk>

# cat disk3.xml
<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2' cache='none'/>
  <source file='/var/lib/libvirt/images/RHEL-8.0-x86_64-latest.qcow2'>
    <seclabel model='dac' relabel='no'/>
  </source>
  <backingStore/>
  <target dev='vdb' bus='virtio'/>
  <alias name='ua-c5acafc3-c193-4e51-ab08-6ebc03bf9e90'/>
  <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
</disk>

2. Hot-plug the 2 XML above to VM

# virsh attach-device fast1 disk2.xml
error: Failed to attach device from disk2.xml
error: internal error: unable to execute QEMU command 'device_add': Property 'virtio-blk-device.drive' can't find value 'drive-ua-c5acafc3-c193-4e51-ab08-6ebc03bf9e90'

# virsh attach-device fast1 disk3.xml
error: Failed to attach device from disk3.xml
error: internal error: unable to execute QEMU command 'device_add': Property 'virtio-blk-device.drive' can't find value 'drive-ua-c5acafc3-c193-4e51-ab08-6ebc03bf9e90'

Actual results:
As step-2 shows

Expected results:
"Permission denied" error should be raised here, like the following additional info.

Additional info:
Execute same steps in RHEL-8.0 slow train

Version:
libvirt-4.5.0-16.module+el8+2586+bf759444.x86_64
qemu-kvm-2.12.0-50.module+el8+2596+0a642e54.x86_64
kernel-4.18.0-57.el8.x86_64

Steps:

# virsh domstate slow8-1
running

# cat disk.xml
<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2' cache='none'/>
  <source file='/var/lib/libvirt/images/test.qcow2'>
    <seclabel model='dac' relabel='no'/>
  </source>
  <backingStore/>
  <target dev='vdb' bus='virtio'/>
  <alias name='ua-c5acafc3-c193-4e51-ab08-6ebc03bf9e90'/>
</disk>

# virsh attach-device slow8-1 disk.xml
error: Failed to attach device from disk.xml
error: operation failed: Could not open '/var/lib/libvirt/images/test.qcow2': Permission denied
Besides, there is another doubt. Disk only configured with 'relabel='no'' but without any 'model' can be attached, and once attached successfully, there was also no 'model' generated here.

Version-Release number of selected component (if applicable):
libvirt-4.10.0-1.module+el8+2317+367e35b5.x86_64
kernel-4.18.0-57.el8.x86_64
qemu-kvm-3.1.0-1.module+el8+2538+1516be75.x86_64

Steps to Reproduce:
1. Prepare a running VM and the following 2 XML files

# virsh domstate fast1
running

# ll -alZ /var/lib/libvirt/images/RHEL-8.0-x86_64-latest.qcow2
-rw-r--r--. 1 root root unconfined_u:object_r:virt_image_t:s0 1847656448 Dec 21 12:22 /var/lib/libvirt/images/RHEL-8.0-x86_64-latest.qcow2

# virsh dumpxml fast1
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_t:s0:c67,c829</label>
    <imagelabel>system_u:object_r:svirt_image_t:s0:c67,c829</imagelabel>
  </seclabel>
  <seclabel type='dynamic' model='dac' relabel='yes'>
    <label>+107:+107</label>
    <imagelabel>+107:+107</imagelabel>
  </seclabel>

# virsh attach-device fast1 disk1.xml
Device attached successfully

# virsh dumpxml fast1 |grep "<disk" -A10
...
<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2' cache='none'/>
  <source file='/tmp/rhel8.qcow2'>
    <seclabel relabel='no'/> **Still no 'model' here**
  </source>
  <backingStore/>
  <target dev='vdb' bus='virtio'/>
  <alias name='ua-c5acafc3-c193-4e51-ab08-6ebc03bf9e90'/>
  <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
</disk>
This originates from our inability to detect errors coming from 'drive_add' via HMP. This will be automatically fixed by enabling blockdev integration as that uses a QMP command where we are able to deterministically catch errors.
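An added illustration of the point in the comment above (not libvirt's code): an HMP command's result is free text that a caller has to scrape, while a native QMP command returns a structured "error" object. The monitor replies, the phrase list and the function names are constructed for this sketch.

```python
import json

# Constructed monitor replies (not captured from a real guest).
# An HMP command tunnelled through QMP returns its human-readable output as
# a plain string under "return", whether or not the command worked.
HMP_OK = r'{"return": "OK\r\n"}'
HMP_KNOWN_FAIL = r'{"return": "could not open disk image test.qcow2: Permission denied\r\n"}'
HMP_UNKNOWN_FAIL = r'{"return": "Could not reopen file: Permission denied\r\n"}'
# A native QMP command reports failure in a dedicated "error" object.
QMP_OK = '{"return": {}}'
QMP_FAIL = ('{"error": {"class": "GenericError", '
            '"desc": "Could not reopen file: Permission denied"}}')

# Hypothetical list of failure phrases a text-scraping caller knows about.
KNOWN_HMP_ERRORS = ("could not open disk image",)


def check_hmp_reply(raw, known_errors=KNOWN_HMP_ERRORS):
    """Text scraping: a failure is only seen if its wording is on the list."""
    text = json.loads(raw)["return"].strip()
    for phrase in known_errors:
        if phrase in text.lower():
            return False, text
    # Anything else, including an unanticipated error message, passes.
    return True, None


def check_qmp_reply(raw):
    """Structured check: every failure carries an "error" member."""
    msg = json.loads(raw)
    if "error" in msg:
        err = msg["error"]
        return False, f'{err["class"]}: {err["desc"]}'
    return True, None


if __name__ == "__main__":
    for name, raw in [("known", HMP_KNOWN_FAIL), ("unknown", HMP_UNKNOWN_FAIL)]:
        print("HMP", name, check_hmp_reply(raw))
    print("QMP", check_qmp_reply(QMP_FAIL))
```

When the scraped check misses a failure, the caller proceeds to the next monitor command, and the first error the user sees comes from that later step rather than from the permission problem.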
commit 407fd434bc6101da57967dfeb62c832753481ea8
Author: Peter Krempa <pkrempa>
Date:   Thu Apr 4 17:10:27 2019 +0200

    qemu: hotplug: Use storage chain helpers in qemuDomainAttachDiskGeneric

    Replace the use of qemuHotplugDiskSourceAttach* helpers with
    qemuBuildStorageSourceChainAttachPrepare(Blockdev|Drive).

added support for using blockdev-add to attach disks. Since blockdev-add is a QMP command there is a straightforward and reliable way to report errors.

The blockdev feature was enabled since:

commit c6a9e54ce3252196f1fc6aa9e57537a659646d18
Author: Peter Krempa <pkrempa>
Date:   Mon Jan 7 11:45:19 2019 +0100

    qemu: enable blockdev support

    Now that all pieces are in place (hopefully) let's enable -blockdev.

    We base the capability on presence of the fix for 'auto-read-only' on
    files so that blockdev works properly, mandate that qemu supports
    explicit SCSI id strings to avoid ABI regression and that the fix for
    'savevm' is present so that internal snapshots work.

v5.9.0-390-gc6a9e54ce3

and requires upstream qemu-4.2 or appropriate downstream.
Verified on libvirt-6.0.0-1.module+el8.2.0+5453+31b2b136.x86_64 qemu-kvm-4.2.0-6.module+el8.2.0+5453+31b2b136.x86_64:

1. Start a VM

2. Prepare disk xml with relabel no on dac or selinux:

➜ ~ cat disk-dac.xml
<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2' cache='none'/>
  <source file='/var/lib/libvirt/images/test.qcow2'>
    <seclabel model='dac' relabel='no'/>
  </source>
  <backingStore/>
  <target dev='vdb' bus='virtio'/>
  <alias name='ua-c5acafc3-c193-4e51-ab08-6ebc03bf9e90'/>
</disk>

➜ ~ cat disk-selinux.xml
<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2' cache='none'/>
  <source file='/var/lib/libvirt/images/test.qcow2'>
    <seclabel model='selinux' relabel='no'/>
  </source>
  <backingStore/>
  <target dev='vdb' bus='virtio'/>
  <alias name='ua-c5acafc3-c193-4e51-ab08-6ebc03bf9e90'/>
</disk>

3. Attach the disk to vm:

# for i in disk-*.xml ;do virsh attach-device pc $i;done
error: Failed to attach device from disk-dac.xml
error: internal error: unable to execute QEMU command 'blockdev-add': Could not reopen file: Permission denied

error: Failed to attach device from disk-selinux.xml
error: internal error: unable to execute QEMU command 'blockdev-add': Could not reopen file: Permission denied

Since -blockdev is enabled by default on 5.10, I will ignore the bug verify of -drive
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2017