1698437 – libvirt still doesn't relabel sockets in nbd: backing URLs

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1698437 - libvirt still doesn't relabel sockets in nbd: backing URLs

Summary: libvirt still doesn't relabel sockets in nbd: backing URLs

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	libguestfs
Sub Component:
Version:	7.7
Hardware:	x86_64
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Kletzander
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:	V2V
Depends On:
Blocks:	1717088 1717097
TreeView+	depends on / blocked

Reported:	2019-04-10 11:22 UTC by mxie@redhat.com
Modified:	2019-08-06 12:45 UTC (History)
CC List:	17 users (show)
Fixed In Version:	libguestfs-1.40.2-5.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1717088 (view as bug list)
Environment:
Last Closed:	2019-08-06 12:44:47 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
v2v-openstack-selinux-vddk.log (26.54 KB, text/plain) 2019-04-10 11:22 UTC, mxie@redhat.com	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2019:2096	0	None	None	None	2019-08-06 12:45:14 UTC

Description mxie@redhat.com 2019-04-10 11:22:51 UTC

Created attachment 1554186 [details]
v2v-openstack-selinux-vddk.log

Description of problem:
Need to set environment variable "export LIBGUESTFS_BACKEND=direct" during virt-v2v openstack conversion if selinux is enabled and use VMware VDDK as a transport

Version-Release number of selected component (if applicable):
virt-v2v-1.40.2-2.el7.x86_64
libguestfs-1.40.2-2.el7.x86_64
libvirt-client-4.5.0-10.el7_6.6.x86_64
qemu-kvm-rhev-2.12.0-18.el7_6.4.x86_64
nbdkit-1.8.0-1.el7.x86_64
nbdkit-plugin-vddk-1.8.0-1.el7.x86_64



How reproducible:
100%

Steps to Reproduce:

Set up environment:
1.Prepare a guest which have installed python2-openstackclient and virt-v2v on openstack environment

# openstack server list
+--------------------------------------+-------------------------------+--------+-----------------------+-----------------------+-----------+
| ID                                   | Name                          | Status | Networks              | Image                 | Flavor    |
+--------------------------------------+-------------------------------+--------+-----------------------+-----------------------+-----------+
| ff074bf3-51ed-4897-9a81-2ba97a69d81e | rhel7.6-v2v-conversion-server | ACTIVE | public01=10.73.224.5  | esx6.7-rhel7.6-x86_64 | m1.medium |
+--------------------------------------+-------------------------------+--------+-----------------------+-----------------------+-----------+

2.Copy keystone_admin from openstack server to guest "rhel7.6-v2v-conversion-server", then source keystone_admin to authenticate with openstack

#source keystone_admin


Scenario1: enable selinux on v2v conversion appliance of openstack
1.1 Enable selinux on v2v
# getenforce
Enforcing

1.2 Convert a guest from vmware to openstack by virt-v2v with vddk
# virt-v2v -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 -it vddk -io vddk-libdir=/home/vmware-vix-disklib-distrib -io  vddk-thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA -n default esx6.7-rhel6.10-x86_64 --password-file /tmp/passwd -o openstack -oo server-id=rhel7.6-v2v-conversion-server
[   1.8] Opening the source -i libvirt -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 esx6.7-rhel6.10-x86_64 -it vddk  -io vddk-libdir=/home/vmware-vix-disklib-distrib -io vddk-thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA
[   3.7] Creating an overlay to protect the source from being modified
[   7.1] Opening the overlay
virt-v2v: error: libguestfs error: could not create appliance through 
libvirt.

Try running qemu directly without libvirt using this environment variable:
export LIBGUESTFS_BACKEND=direct

Original error from libvirt: internal error: process exited while 
connecting to monitor: 2019-04-10 11:06:44.854+0000: Domain id=27 is 
tainted: custom-argv
2019-04-10T11:06:45.003428Z qemu-kvm: -drive 
file=/var/tmp/v2vovl946f1d.qcow2,format=qcow2,if=none,id=drive-scsi0-0-0-0,cache=unsafe,copy-on-read=on,discard=unmap: 
Could not open backing file: Failed to connect socket 
/var/tmp/vddk.V77HRV/nbdkit0.sock: Permission denied [code=1 int1=-1]

If reporting bugs, run virt-v2v with debugging enabled and include the 
complete output:

  virt-v2v -v -x [...]



1.3 Convert a guest from vmware to openstack by virt-v2v without vddk
# virt-v2v -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1  esx6.7-rhel6.10-x86_64 --password-file /tmp/passwd -o openstack -oo server-id=rhel7.6-v2v-conversion-server
[   1.9] Opening the source -i libvirt -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 esx6.7-rhel6.10-x86_64
[   4.1] Creating an overlay to protect the source from being modified
[   5.1] Opening the overlay
[  62.2] Inspecting the overlay
[ 225.9] Checking for sufficient free disk space in the guest
[ 225.9] Estimating space required on target for each disk
[ 225.9] Converting Red Hat Enterprise Linux Server release 6.10 (Santiago) to run on KVM
^C


Scenario2: disable selinux on v2v conversion appliance of openstack
2.1 Disable selinux on v2v
# getenforce 
Permissive

2.2 Convert a guest from vmware to openstack by virt-v2v with vddk
# virt-v2v -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 -it vddk -io vddk-libdir=/home/vmware-vix-disklib-distrib -io  vddk-thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA -n default esx6.7-rhel6.10-x86_64 --password-file /tmp/passwd -o openstack -oo server-id=rhel7.6-v2v-conversion-server
[   1.8] Opening the source -i libvirt -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 esx6.7-rhel6.10-x86_64 -it vddk  -io vddk-libdir=/home/vmware-vix-disklib-distrib -io vddk-thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA
[   3.6] Creating an overlay to protect the source from being modified
[   6.8] Opening the overlay
[  59.3] Inspecting the overlay
[ 125.2] Checking for sufficient free disk space in the guest
[ 125.2] Estimating space required on target for each disk
[ 125.2] Converting Red Hat Enterprise Linux Server release 6.10 (Santiago) to run on KVM
^C


2.3 Convert a guest from vmware to openstack by virt-v2v without vddk
# virt-v2v -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1  esx6.7-rhel6.10-x86_64 --password-file /tmp/passwd -o openstack -oo server-id=rhel7.6-v2v-conversion-server
[   1.7] Opening the source -i libvirt -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 esx6.7-rhel6.10-x86_64
[   3.8] Creating an overlay to protect the source from being modified
[   4.6] Opening the overlay
[  61.9] Inspecting the overlay
[ 226.5] Checking for sufficient free disk space in the guest
[ 226.5] Estimating space required on target for each disk
[ 226.5] Converting Red Hat Enterprise Linux Server release 6.10 (Santiago) to run on KVM
^C


Actual results:
As above description

Expected results:
There is no need to set environment variable "export LIBGUESTFS_BACKEND=direct" during virt-v2v openstack conversion if selinux is enabled and convert with vddk

Additional info:

Comment 2 Richard W.M. Jones 2019-04-10 15:29:17 UTC

Could you grab the SELinux audit messages.  The way to do it is:

(1) Run the virt-v2v command so it fails.

(2) Within 10 minutes of (1), run:

ausearch -m avc -ts recent

The ausearch command should print the SELinux failures.

Comment 3 mxie@redhat.com 2019-04-11 02:35:52 UTC

(In reply to Richard W.M. Jones from comment #2)
> Could you grab the SELinux audit messages.  The way to do it is:
> 
> (1) Run the virt-v2v command so it fails.
> 
> (2) Within 10 minutes of (1), run:
> 
> ausearch -m avc -ts recent
> 
> The ausearch command should print the SELinux failures.

# ausearch -m avc -ts recent----
time->Wed Apr 10 22:34:01 2019
type=PROCTITLE msg=audit(1554950041.115:50316): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D677565737466732D673834696D3061683279686734346A352C64656275672D746872656164733D6F6E002D53002D6F626A656374007365637265742C69643D6D61737465724B6579302C666F726D61743D7261772C66696C653D2F766172
type=SYSCALL msg=audit(1554950041.115:50316): arch=c000003e syscall=42 success=no exit=-13 a0=f a1=7fff31a9fed0 a2=6e a3=21 items=0 ppid=1 pid=11198 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_tcg_t:s0:c814,c876 key=(null)
type=AVC msg=audit(1554950041.115:50316): avc:  denied  { connectto } for  pid=11198 comm="qemu-kvm" path="/var/tmp/vddk.7JkpoI/nbdkit0.sock" scontext=system_u:system_r:svirt_tcg_t:s0:c814,c876 tcontext=system_u:object_r:svirt_t:s0 tclass=unix_stream_socket permissive=0

Comment 4 Richard W.M. Jones 2019-04-11 07:47:32 UTC

audit2allow says:

#============= svirt_tcg_t ==============
allow svirt_tcg_t svirt_t:unix_stream_socket connectto;

Comment 5 Richard W.M. Jones 2019-04-11 07:50:12 UTC

So it's similar to bug 1632231 but not quite the same.  However libvirt is still failing
to label the socket correctly so I'm reassigning this one to libvirt.

Comment 6 Richard W.M. Jones 2019-04-11 08:01:43 UTC

I'm able to reproduce this fairly easily.  Note that you will first need to do:

# setsebool -P virt_use_xserver=1

to get past another error.

Run these commands *AS NON ROOT* to reproduce the problem:

  cd /var/tmp
  rm -f sock overlay.qcow2
  nbdkit -f --exit-with-parent -U sock memory size=64M &
  sleep 5
  qemu-img create -f qcow2 overlay.qcow2 -b nbd:unix:$PWD/sock
  guestfish -a overlay.qcow2 run : list-devices

For me the SELinux error is slightly different, but I think that's just because
I'm using KVM instead of TCG:

time->Thu Apr 11 08:58:47 2019
type=PROCTITLE msg=audit(1554969527.537:9927): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D677565737466732D756F6A6A6268313136337478717A747A2C64656275672D746872656164733D6F6E002D53002D6F626A656374007365637265742C69643D6D61737465724B6579302C666F726D61743D7261772C66696C653D2F686F6D
type=SYSCALL msg=audit(1554969527.537:9927): arch=c000003e syscall=42 success=no exit=-13 a0=10 a1=7ffd85a58850 a2=6e a3=ffffffc0 items=0 ppid=1 pid=20635 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=750 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c49,c502 key=(null)
type=AVC msg=audit(1554969527.537:9927): avc:  denied  { connectto } for  pid=20635 comm="qemu-kvm" path="/var/tmp/sock" scontext=unconfined_u:unconfined_r:svirt_t:s0:c49,c502 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0


#============= svirt_t ==============
allow svirt_t unconfined_t:unix_stream_socket connectto;

Comment 7 Daniel Berrangé 2019-04-11 11:14:45 UTC

It isn't entirely clear to me that we should be relabelling the sockets in this case. In fact I'm not sure its even possible because UNIX sockets have two distinct objects - the path on disk and the FD in memory. IIRC, they have distinct labels and setting label on the path on disk won't change the label of the server FD that nbdkit holds open.

One option would to launch nbdkit under a particular SELinux domain such that its sockets automatically get a "nbdkit_sock_t" type and then just grant svirt_image_t the permission to connect to nbdkit_sock_t.

Obviously this is not a fine grained restriction though since it won't include the per-VM unique MCS. 

There's a chicken & egg problem with improving that - we can't launch nbdkit with a MCS setting until QEMU is launched, because we don't know the MCS setting to use. But we can't launch QEMU until nbdkit is running.

Assuming nbdkit used some kind of authentication (TLS PSK for example) the missing MCS wouldn't be the end of the world.

Comment 8 Richard W.M. Jones 2019-04-11 11:25:48 UTC

So this is a good point - we in fact already have an nbdkit flag
for relabelling sockets (--selinux-label).  It basically runs this
function:

https://github.com/libguestfs/nbdkit/blob/6c70ff4de085dd1ff5815cf0acc446cd256750e3/server/sockets.c#L57

As you say there are really *two* labels, and this only affects one of them.

However in the case of this bug (not my reproducer) we're already using this flag.

If you look in the log file attached to this bug you'll see that the nbdkit
command being run is:

LD_LIBRARY_PATH=/home/vmware-vix-disklib-distrib/lib64 'nbdkit' '--verbose' '--readonly' '--foreground' '--exit-with-parent' '--newstyle' '--exportname' '/' '--selinux-label' 'system_u:object_r:svirt_t:s0' 'vddk' 'server=10.73.73.141' 'user=root' 'password=+/tmp/passwd' 'vm=moref=vm-609' 'libdir=/home/vmware-vix-disklib-distrib' 'thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA' '--pidfile' '/var/tmp/vddk.KxTLgY/nbdkit0.pid' '--unix' '/var/tmp/vddk.KxTLgY/nbdkit0.sock' 'file=[esx6.7] esx6.7-rhel6.10-x86_64/esx6.7-rhel6.10-x86_64.vmdk'

I modified my reproducer to add --selinux-label=system_u:object_r:svirt_t:s0 and the reproducer
now *works* (which just means for some reason it's not a good reproducer - the bug is evidently
still present because virt-v2v uses that flag and it doesn't work).

Comment 9 Richard W.M. Jones 2019-04-11 11:30:25 UTC

> There's a chicken & egg problem with improving that - we can't launch nbdkit with
> a MCS setting until QEMU is launched, because we don't know the MCS setting to use.
> But we can't launch QEMU until nbdkit is running.

Slightly off-topic but this is I think another reason why if we're going to
split out block drivers from qemu then we need to have libvirt coordinate
qemu + the other process.  There's currently ongoing discussion as to whether
split block drivers would use NBD or vhost-user as a protocol, there being
(IMO) swings and roundabouts both ways.  vhost-user isn't really a protocol,
rather a collection of Linux features brought together, but it is likely to be faster.

Comment 10 Daniel Berrangé 2019-04-11 11:41:02 UTC

Oh, i just noticed the AVC from comment #3 is different from the AVC in comment #6. The one in comment #3 makes sense given that you passed "selinux-label=system_u:object_r:svirt_t:s0"

type=AVC msg=audit(1554950041.115:50316): avc:  denied  { connectto } for  pid=11198 comm="qemu-kvm" path="/var/tmp/vddk.7JkpoI/nbdkit0.sock" scontext=system_u:system_r:svirt_tcg_t:s0:c814,c876 tcontext=system_u:object_r:svirt_t:s0 tclass=unix_stream_socket permissive=0

IIRC,  when "system_u:object_r:svirt_t:s0" is used with a disk image,  any QEMU is permitted to write to it (ie the shared-writable disk use case).

I guess we probably just need this to work the same way for UNIX sockets, which would need a selinux policy change.

Comment 11 Martin Kletzander 2019-05-22 12:43:53 UTC

So what you are saying is that the only problem is the fact that the actioon being denied is "connectto", otherwise it's fine?  Since we still did not start shipping our own policy, can I switch this BZ to selinux-policy?

Comment 12 Daniel Berrangé 2019-05-22 12:51:50 UTC

Yes, I think we need "connectto" allowed for svirt_t  target.

Comment 13 Martin Kletzander 2019-05-22 13:23:56 UTC

Actually, maybe it would be enough to use a different label.

See possibilities for svirt_t:

# sesearch -A -s svirt_t -c unix_stream_socket -p connectto
allow domain setrans_t:unix_stream_socket connectto;
allow domain unconfined_service_t:unix_stream_socket { connectto getattr };
allow svirt_t openvswitch_t:unix_stream_socket connectto;
allow svirt_t sssd_t:unix_stream_socket connectto;
allow svirt_t svirt_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow syslog_client_type kernel_t:unix_stream_socket { connectto getattr };
allow syslog_client_type syslogd_t:unix_stream_socket connectto;
allow virt_domain pcscd_t:unix_stream_socket connectto; [ virt_use_pcscd ]:True
allow virt_domain sanlock_t:unix_stream_socket connectto; [ virt_use_sanlock ]:True
allow virt_domain svirt_socket_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow virt_domain virtd_t:unix_stream_socket { accept connectto getattr getopt read write };
allow virt_domain xserver_t:unix_stream_socket connectto; [ virt_use_xserver ]:True

and for svirt_tcg_t:

# sesearch -A -s svirt_tcg_t -c unix_stream_socket -p connectto
allow domain setrans_t:unix_stream_socket connectto;
allow domain unconfined_service_t:unix_stream_socket { connectto getattr };
allow svirt_tcg_t sssd_t:unix_stream_socket connectto;
allow svirt_tcg_t svirt_tcg_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow syslog_client_type kernel_t:unix_stream_socket { connectto getattr };
allow syslog_client_type syslogd_t:unix_stream_socket connectto;
allow virt_domain pcscd_t:unix_stream_socket connectto; [ virt_use_pcscd ]:True
allow virt_domain sanlock_t:unix_stream_socket connectto; [ virt_use_sanlock ]:True
allow virt_domain svirt_socket_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow virt_domain virtd_t:unix_stream_socket { accept connectto getattr getopt read write };
allow virt_domain xserver_t:unix_stream_socket connectto; [ virt_use_xserver ]:True

The most fitting seems to be svirt_t or svirt_tcg_t, but it seems weird that you'd have to select the right one based on whether the VM is running in KVM or not.  So I guess better choice would be svirt_socket_t.

Is it possible that you tested it with different label (I see two different ones in this BZ)?

Comment 14 Richard W.M. Jones 2019-05-23 14:33:44 UTC

I'm afraid I have no idea.  I don't think anyone tried relabelling the socket.

Comment 18 Lukas Vrabec 2019-05-27 09:26:46 UTC

Hi All, 

Could you please try your scenario after this local testing policy is loaded? 

# cat svirt_tcg_svirt_connectto.cil 
(allow svirt_tcg_t svirt_t (unix_stream_socket (connectto)))

# semodule -i svirt_tcg_svirt_connectto.cil

Thanks,
Lukas.

Comment 19 Martin Kletzander 2019-05-27 09:26:48 UTC

According to our tests proper label exists, but it was not used, so it will probably be fixed in virt-v2v.

Comment 20 mxie@redhat.com 2019-05-27 10:43:07 UTC

(In reply to Lukas Vrabec from comment #18)
> Hi All, 
> 
> Could you please try your scenario after this local testing policy is
> loaded? 
> 
> # cat svirt_tcg_svirt_connectto.cil 
> (allow svirt_tcg_t svirt_t (unix_stream_socket (connectto)))
> 
> # semodule -i svirt_tcg_svirt_connectto.cil
> 
> Thanks,
> Lukas.

After setting above on v2v conversion appliance guest, still do not need to set environment variable "export LIBGUESTFS_BACKEND=direct" during virt-v2v openstack conversion with comment15's scratch builds. which means the bug will not be happened.

Comment 21 Martin Kletzander 2019-05-27 10:45:31 UTC

(In reply to Lukas Vrabec from comment #18)
Sorry, this was identified as fixable one layer above by using the svirt_socket_t label.  If that is not accepted upstream, we'll keep you posted.

If, in any future is the above the case, it would need the same thing other way around to work in all scenarios.  That is:

(allow svirt_t svirt_tcg_t (unix_stream_socket (connectto)))

But I hope it is not the case.

Comment 22 Martin Kletzander 2019-05-27 12:13:15 UTC

Patch proposed upstream:

https://www.redhat.com/archives/libguestfs/2019-May/msg00204.html

Comment 24 Pino Toscano 2019-06-04 16:45:14 UTC

This was fixed upstream with commit c2918b8b74506523a723b804d452816a059c5e50.

Comment 25 mxie@redhat.com 2019-06-12 06:50:54 UTC

Verify the bug with below builds:
virt-v2v-1.40.2-5.el7.x86_64
libguestfs-1.40.2-5.el7.x86_64
libvirt-4.5.0-21.el7.x86_64
qemu-kvm-rhev-2.12.0-32.el7.x86_64
nbdkit-1.8.0-1.el7.x86_64


Steps:
1.Prepare a guest which have installed python2-openstackclient and virt-v2v packages on openstack environment
# openstack server list
+--------------------------------------+-------------------------------+--------+-----------------------+-----------------------+-----------+
| ID                                   | Name                          | Status | Networks              | Image                 | Flavor    |
+--------------------------------------+-------------------------------+--------+-----------------------+-----------------------+-----------+
| ff074bf3-51ed-4897-9a81-2ba97a69d81e | rhel7.6-v2v-conversion-server | ACTIVE | public01=10.73.224.5  | esx6.7-rhel7.6-x86_64 | m1.medium |
+--------------------------------------+-------------------------------+--------+-----------------------+-----------------------+-----------+

2.Copy keystone_admin from openstack host to guest "rhel7.6-v2v-conversion-server", then source keystone_admin to authenticate with openstack
#source keystone_admin

3.Enable selinux on v2v conversion appliance guest and do not set direct for LIBGUESTFS_BACKEND
# getenforce
Enforcing
# echo $LIBGUESTFS_BACKEND
nothing

4.Convert a guest from vmware to openstack by virt-v2v via vddk
#  virt-v2v -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 -it vddk -io vddk-libdir=/home/vmware-vix-disklib-distrib -io  vddk-thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA -n default esx6.7-rhel7.7-x86_64 --password-file /tmp/passwd -o openstack -oo server-id=rhel7.6-v2v-conversion-server
[   1.9] Opening the source -i libvirt -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 esx6.7-rhel7.7-x86_64 -it vddk  -io vddk-libdir=/home/vmware-vix-disklib-distrib -io vddk-thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA
[   7.2] Creating an overlay to protect the source from being modified
[  12.5] Opening the overlay
[ 170.2] Inspecting the overlay
[ 274.0] Checking for sufficient free disk space in the guest
[ 274.0] Estimating space required on target for each disk
[ 274.0] Converting Red Hat Enterprise Linux Server 7.7 Beta (Maipo) to run on KVM
virt-v2v: This guest has virtio drivers installed.
[2989.8] Mapping filesystem data to avoid copying unused and blank areas
[3012.2] Closing the overlay
[3014.5] Assigning disks to buses
[3014.5] Checking if the guest needs BIOS or UEFI to boot
[3014.5] Initializing the target -o openstack
Failed to set volume read-only access mode flag: Invalid volume: Volume cc3769b2-8cf0-4e35-8439-c6a1eca177de status must be available to update readonly flag, but current status is: creating. (HTTP 400) (Request-ID: req-3c06ca37-1dfb-48cf-ab77-bc4504ed2e25)
[3044.0] Copying disk 1/1 to /dev/disk/by-id/virtio-cc3769b2-8cf0-4e35-8 (raw)
    (100.00/100%)
[3311.7] Creating output metadata
[3321.3] Finishing off

Result:
   No need to set environment variable "export LIBGUESTFS_BACKEND=direct" during virt-v2v openstack conversion if selinux is enabled and use VMware VDDK as a transport, so the bug has been fixed and move the bug from ON_QA to VERIFIED

Comment 27 errata-xmlrpc 2019-08-06 12:44:47 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:2096

Note You need to log in before you can comment on or make changes to this bug.