1780154 – Don't clear XATTRs on failed start

Bug 1780154 - Don't clear XATTRs on failed start

Summary: Don't clear XATTRs on failed start

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux Advanced Virtualization
Classification:	Red Hat
Component:	libvirt
Sub Component:
Version:	8.1
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	8.0
Assignee:	Michal Privoznik
QA Contact:	yafu
Docs Contact:
URL:
Whiteboard:
Depends On:	1740024 1771500
Blocks:	1652078
TreeView+	depends on / blocked

Reported:	2019-12-05 14:08 UTC by Michal Privoznik
Modified:	2020-05-05 09:54 UTC (History)
CC List:	14 users (show)
Fixed In Version:	libvirt-6.0.0-1.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1771500
Environment:
Last Closed:	2020-05-05 09:52:05 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:2017	0	None	None	None	2020-05-05 09:54:15 UTC

Description Michal Privoznik 2019-12-05 14:08:11 UTC

+++ This bug was initially created as a clone of Bug #1771500 +++

--- Additional comment from yafu on 2019-12-04 04:22:04 CET ---

Hi  Michal,

The xattr was cleared when trying to start the second vm using same disk with libvirt-5.6.0-6.2.x86_64. And it works well with libvirt-5.6.0-6.1.x86_64.
Could you help to check the issue please?
Thanks.

Test steps:
1.# virsh start vm1
Domain vm1 started

2.# getfattr -m trusted.libvirt.security -d /var/lib/libvirt/images/test.qcow2
getfattr: Removing leading '/' from absolute path names
# file: var/lib/libvirt/images/test.qcow2
trusted.libvirt.security.dac="+0:+0"
trusted.libvirt.security.ref_dac="1"
trusted.libvirt.security.ref_selinux="1"
trusted.libvirt.security.selinux="system_u:object_r:virt_image_t:s0"
trusted.libvirt.security.timestamp_dac="1574640796"
trusted.libvirt.security.timestamp_selinux="1574640796"

3.Start another guest using /var/lib/libvirt/images/test.qcow2:
# virsh start vm2
error: Failed to start domain vm2
error: internal error: child reported (status=125): Requested operation is not valid: Setting different SELinux label on /var/lib/libvirt/images/test.qcow2 which is already in use

4.The xattr was cleared after step3:
# getfattr -m trusted.libvirt.security -d /var/lib/libvirt/images/test.qcow2
no output

--- Additional comment from Michal Privoznik on 2019-12-04 17:42:14 CET ---

Yes, this is a bug in the patch I've pushed. Proposing the fix here:

https://www.redhat.com/archives/libvir-list/2019-December/msg00246.html

--- Additional comment from Michal Privoznik on 2019-12-05 15:03:33 CET ---

Actually, I've talked to lmen and we agreed that the fix from comment 10 will be in a separate bug. So I'm moving this bug over to QA and will clone this one shortly.

Comment 1 Michal Privoznik 2019-12-05 14:10:23 UTC

I've merged the fix:

516b867685 qemuProcessStop: Remove image metadata only when allowed

v5.10.0-64-g516b867685

Comment 3 yafu 2020-01-19 08:46:39 UTC

Verified with libvirt-daemon-6.0.0-1.module+el8.2.0+5453+31b2b136.x86_64.

Test steps:
1.# virsh start vm1
Domain vm1 started

2.#getfattr -m trusted.libvirt.security -d /var/lib/libvirt/images/test1.qcow2 
getfattr: Removing leading '/' from absolute path names
# file: var/lib/libvirt/images/test1.qcow2
trusted.libvirt.security.dac="+0:+0"
trusted.libvirt.security.ref_dac="1"
trusted.libvirt.security.ref_selinux="1"
trusted.libvirt.security.selinux="unconfined_u:object_r:virt_image_t:s0"
trusted.libvirt.security.timestamp_dac="1578622766"
trusted.libvirt.security.timestamp_selinux="1578622766"

3.Start another guest using /var/lib/libvirt/images/test1.qcow2:
# virsh start vm2
error: Failed to start domain vm2
error: internal error: child reported (status=125): Requested operation is not valid: Setting different SELinux label on /var/lib/libvirt/images/test1.qcow2 which is already in use

4.#  getfattr -m trusted.libvirt.security -d /var/lib/libvirt/images/test1.qcow2 
getfattr: Removing leading '/' from absolute path names
# file: var/lib/libvirt/images/test1.qcow2
trusted.libvirt.security.dac="+0:+0"
trusted.libvirt.security.ref_dac="1"
trusted.libvirt.security.ref_selinux="1"
trusted.libvirt.security.selinux="unconfined_u:object_r:virt_image_t:s0"
trusted.libvirt.security.timestamp_dac="1578622766"
trusted.libvirt.security.timestamp_selinux="1578622766"

5.Destroy guest vm1:
#virsh destroy vm1

6.Start guest vm1:
#virsh start vm1

7.#  getfattr -m trusted.libvirt.security -d /var/lib/libvirt/images/test1.qcow2 
getfattr: Removing leading '/' from absolute path names
# file: var/lib/libvirt/images/test1.qcow2
trusted.libvirt.security.dac="+0:+0"
trusted.libvirt.security.ref_dac="1"
trusted.libvirt.security.ref_selinux="1"
trusted.libvirt.security.selinux="unconfined_u:object_r:virt_image_t:s0"
trusted.libvirt.security.timestamp_dac="1578622766"
trusted.libvirt.security.timestamp_selinux="1578622766"

Comment 5 errata-xmlrpc 2020-05-05 09:52:05 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2017

Note You need to log in before you can comment on or make changes to this bug.