Description of problem:
Read-only passthrough scsi device can still be modified in VM

Version-Release number of selected component (if applicable):
libvirt-daemon-6.6.0-2.module+el8.3.0+7567+dc41c0a9.x86_64
qemu-kvm-5.0.0-2.module+el8.3.0+7379+0505d6ca.x86_64

How reproducible:
100%

Steps to Reproduce:
1.1. enable split daemon mode:
#systemctl stop libvirtd.service
#systemctl stop libvirtd{,-ro,-admin,-tcp,-tls}.socket
#systemctl disable libvirtd.service
#systemctl disable libvirtd{,-ro,-admin,-tcp,-tls}.socket
#systemctl enable virtlogd; systemctl enable virtlogd.socket; systemctl start virtlogd.socket
#for drv in qemu interface network nodedev nwfilter secret storage proxy; do systemctl unmask virt${drv}d.service; systemctl unmask virt${drv}d{,-ro,-admin}.socket; systemctl enable virt${drv}d.service; systemctl enable virt${drv}d{,-ro,-admin}.socket; systemctl start virt${drv}d{,-ro,-admin}.socket ; done

# systemctl status virtqemud
● virtqemud.service - Virtualization qemu daemon
   Loaded: loaded (/usr/lib/systemd/system/virtqemud.service; enabled; vendor preset: disabled)
   Active: active (running) (thawing) since Wed 2020-08-12 21:42:52 EDT; 5min ago
     Docs: man:libvirtd(8)
           https://libvirt.org
 Main PID: 214669 (virtqemud)
    Tasks: 18 (limit: 32768)
   Memory: 27.9M
   CGroup: /system.slice/virtqemud.service
           └─214669 /usr/sbin/virtqemud --timeout 120

2. Prepare an iscsi device
# targetcli /backstores/fileio/ create device.img0 /var/tmp/avocado_uwj2dbz0/img0
# targetcli /iscsi/ create iqn.2020-08.com.virttest:img0.target
# targetcli /iscsi/iqn.2020-08.com.virttest:img0.target/tpg1/luns/ create /backstores/fileio/device.img0
# targetcli /iscsi/iqn.2020-08.com.virttest:img0.target/tpg1/ set attribute authentication=0 demo_mode_write_protect=0 generate_node_acls=1 cache_dynamic_acls=1

3. Prepare a guest and hot-plug the iscsi device by host-passthrough in read-only mode
# cat hostdev.xml
<hostdev managed="no" mode="subsystem" rawio="yes" type="scsi">
  <readonly />
  <source name="iqn.2020-08.com.virttest:img0.target/0" protocol="iscsi">
    <host name="127.0.0.1" port="3260" />
  </source>
</hostdev>

# virsh attach-device avocado-vt-vm1 hostdev.xml
Device attached successfully

4. Login the guest and try to operate the new added disk
# virsh console avocado-vt-vm1
# fdisk -l /dev/sda && mkfs.ext4 -F /dev/sda && mkdir -p sda && mount /dev/sda sda && echo teststring > sda/testfile && cat sda/testfile
teststring

Actual results:
This disk can still operate in guest in read-only mode

Expected results:
The disk can't be operated in guest in read-only mode in step4

Additional info:
(In reply to gaojianan from comment #0)

Retested in legacy libvirtd mode without split daemon; the same error occurs, so this bug does not happen only in split daemon mode.
Fixed upstream:

commit f2d90b558f0e116a2e3b8a0fc22fce7e90e5910b
Author: Peter Krempa <pkrempa>
Date:   Tue Sep 15 17:58:04 2020 +0200

    qemuBuildHostdevSCSIAttachPrepare: Propagate 'readonly' flag also for iSCSI

    The 'readonly' hostdev property is stored separately from the
    virStorageSource as some hostdevs are not described by a virStorage
    source. We need to propagate the flag to the virStorage source also for
    iSCSI backends as it's used to generate the backend properties.

    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1868856
    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Michal Privoznik <mprivozn>

commit c58c97058602ee5be707c036c00c22400485e4e4
Author: Peter Krempa <pkrempa>
Date:   Tue Sep 15 17:48:22 2020 +0200

    qemuxml2argvtest: hostdev-scsi-virtio-scsi: Add <readonly/> to one of the iSCSI hostdevs

    Test a readonly iSCSI backend as well.

    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Michal Privoznik <mprivozn>
Verified on libvirt version:
libvirt-6.6.0-6.virtcov.el8.x86_64

Step1: Set libvirt split daemon env as bug description:
# systemctl status virtqemud
● virtqemud.service - Virtualization qemu daemon
   Loaded: loaded (/usr/lib/systemd/system/virtqemud.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-09-17 16:51:38 CST; 30min ago
     Docs: man:libvirtd(8)
           https://libvirt.org
 Main PID: 877577 (virtqemud)
    Tasks: 17 (limit: 32768)
   Memory: 40.5M
   CGroup: /system.slice/virtqemud.service
           └─877577 /usr/sbin/virtqemud --timeout 120

2. Prepare an iscsi disk and passthrough it to a vm with readonly mode
<hostdev mode='subsystem' type='scsi' managed='no' rawio='yes'>
  <source protocol='iscsi' name='iqn.2016-03.com.virttest:logical-pool.target6/0'>
    <host name='127.0.0.1' port='3260'/>
  </source>
  <readonly/>
  <address type='drive' controller='0' bus='0' target='0' unit='0'/>
</hostdev>

3. Login the guest and try to modify the added disk
# lsblk
NAME          MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda             8:0    0   1G  1 disk
sdb             8:16   0  10G  0 disk
├─sdb1          8:17   0   1G  0 part /boot
└─sdb2          8:18   0   9G  0 part
  ├─rhel-root 253:0    0   8G  0 lvm  /
  └─rhel-swap 253:1    0   1G  0 lvm  [SWAP]

[root@localhost ~]# mkfs.ext4 /dev/sda
mke2fs 1.45.6 (20-Mar-2020)
/dev/sda: Read-only file system while setting up superblock

The same scenario also passes for the libvirtd daemon.

Works as expected, so verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (virt:8.3 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:5137